A new perspective on firewalls


October 1995

Network Security

E. Eugene Schultz, SRI International

No topic seems to have captured the fancy of information security professionals as has the topic of firewalls. Firewalls are commonly defined as security barriers between an internal network and other networks external to that network. The topic of firewalls is not only disproportionately represented in the agenda of information security conferences and workshops but is the focus of a number of net groups (e.g. Firewalls Digest) that generate a prolific number of postings. Indeed, firewalls are receiving so much attention today that it is difficult to imagine anything new that could be said. Corporations offering information security services now routinely advertise ‘state-of-the-art’ consulting in firewall design and evaluation.

Intruders have increasingly focused their attention on attacking networks rather than individual systems per se. Networks are at risk, but networks that connect to the Internet are particularly at risk. Securing every individual system within a network so that no system could be successfully attacked is impossible - and if it were possible, the financial cost would in most cases be prohibitive. Firewalls provide a practical, generally affordable solution to network security problems by preventing a large proportion of attacks on individual systems. Equally important, firewalls have undergone a ‘trial-by-fire’ over the years. They have in this respect proven themselves by preventing network attacks, or at least they have almost always worked if configured properly. The fundamental concept underlying a firewall is that traffic going through the gate of a network can be screened or regulated to allow or disallow connections and service requests according to

© 1995 Elsevier Science Ltd

certain criteria. A properly configured firewall thus provides a critical leverage point in a network security strategy by allowing security administrators to govern what comes in (and perhaps also what goes out) at a single location within a network. A properly configured firewall also hides information (such as host identities and structures of internal networks) that perpetrators could use to attack the network. Firewalls are in many respects a major cornerstone in the security strategies of many corporations and institutions. Firewall implementations are becoming ubiquitous. Although firewalls were initially employed more in the government and military arenas than in other areas, corporations now routinely use them to connect to the Internet. Firewalls do not solve all Internet security problems, but they have been effective in protecting corporate computing resources from unauthorized remote access (vandals seeking to break in) via the Internet (Trowbridge, 1995).

Most of the major Internet-capable corporations I have dealt with use some kind of firewall or multiple firewalls to protect valuable data and services within internal networks. Universities, which for years have been the bastions of open computing, are increasingly employing firewalls to increase security. Even some companies that are not Internet-capable use firewalls to protect against unauthorized access between subnets.

The topic of firewalls also generates a plethora of controversies. Two conflicting views, “All that is not expressly allowed is prohibited” and “All that is not expressly prohibited is allowed”, are frequently debated among firewall zealots. Other clashing opinions concern issues such as whether circuit-level firewalls are better than application firewalls (Cheswick and Bellovin, 1994), how network infrastructures should be designed to maximize the value of firewalls, which particular services should be allowed and disallowed, how much security should be present at the gate versus the individual host level, how much reduction in throughput can be traded for how much increased security, how much logging should be turned on and inspected, and so forth. Although the resulting debate has produced an interesting and useful range of ideas, it has frequently deteriorated into nit-picking. When a large proportion of the debate amounts to nit-picking, the debate ceases to be productive. In this respect, the firewall debate is approaching the point of being non-productive. Considering, in addition, the many conflicting claims of vendors regarding what the various commercially available firewalls can and cannot do, the firewall arena is


beginning to be “covered by a smokescreen”. In jumping on the firewalls bandwagon, people are being led down a primrose path, so to speak, without realizing what they are getting into. We need a new perspective - a perspective that will serve as an impetus toward increased usefulness and efficiency of firewall solutions, in addition to avoiding gross mistakes in firewall design, implementation, and maintenance. This article offers such a perspective - a perspective based on concern regarding the smokescreen surrounding firewall issues. What are the real costs and liabilities of using firewalls? How should firewalls fit into an overall security strategy? How must firewalls change to keep pace with security requirements in the future?

Firewalls not only comprise a nice addition to our arsenal of network security tools but are in most respects a major breakthrough. As effective as firewalls can be, however, they are beset with numerous limitations. They can slow network throughput considerably and constitute a single point of failure (because if the firewall goes down, traffic can’t pass through the gate). Firewalls are by no means foolproof (although having one is generally better than not having one). Incidents in which network attackers have bypassed a firewall or attacked the firewall directly, then modified it, are becoming more commonplace. But we have known about firewall limitations for years and can probably live with most of them without network security being unduly affected. The widespread use of firewalls has, however, created a problem of greater magnitude than the sum of these and any other limitations,


because it promotes overconfidence in firewalls, leading to faulty views (and corresponding implementations) of network security. When an organization installs a firewall, knowing that the firewall is in place often creates a false sense of security. Although the firewall may have considerable value in repelling remote attacks, it may not be nearly as effective as the organization for which it has been installed believes. Some commercial firewalls are, for example, little more than glorified packet filters, hardly better than choke routers. Packet filters screen traffic according to intended destination port but do not provide the granularity needed to control remote connections to most network services. One either allows a service or does not, rather than controlling the way the external user can access the service and/or application through a proxy or circuit connection. Packet filters thus allow numerous avenues of attack, requiring that the services and applications themselves be secure at each destination host (which is typically an arduous task). Numerous other weaknesses in firewalls can also exist unknown to the over-enthusiastic new purchaser of a firewall.

Worse yet, the vendor or whoever has installed the firewall frequently does not test it very thoroughly once it is in place. When I first began testing firewalls, I called a number of commercial firewall providers and asked how they tested the firewalls they installed. I was surprised by their answers, the most frequent being that they used portscan, a simple script that tests whether or not each port is open or closed, to ensure that

ports that should be closed were indeed closed. Although running portscan is better than doing nothing to test a firewall, determining whether or not a port is open does not provide a thorough test of the firewall’s security capability. On the other hand, detecting whether available services can be attacked provides a better test because some ports will have to be left open and the services provided through these ports may or may not be secure. The customer nevertheless is likely to experience considerable relief when the vendor who had recently run portscan on a newly installed firewall announces that the firewall has just been tested and is secure. We should not feel so confident about our firewalls passing installers’ tests until we learn more about the nature of these tests and are confident that they have been sufficiently rigorous.

Most firewalled networks also have routes that bypass firewall defences. Marcus Ranum (Ranum, 1995) correctly states that direct links between a machine within a firewalled network and a machine in another network without any firewall can allow direct access to the former without the benefit of a firewall, even though the intended access route to the former machine is through a firewall. This kind of leakage can occur even when the nature of the connection between these two machines is very limited (e.g. only providing mail services). Users frustrated by firewall-imposed performance limitations may, in addition, create unintended, unapproved access routes that bypass firewalls. These users can establish dial-up IP access to one or more hosts within the network protected by the


firewall. Over-confidence in the effectiveness of firewalls can leave system and network administrators unmotivated to discover access routes that circumvent the security perimeter a firewall is supposed to establish. We must remember that unless the only remote access route into a network is through a properly designed and installed firewall, that network is not much more secure than if no firewall were in place.

Even if a firewall has no leakage, the network protected by the firewall is likely to be subjected to growing risk every day the firewall is in operation. Network intruders are becoming increasingly adept at defeating firewall defences. No matter what some firewall product marketers claim, network intruders have compromised most major firewall products numerous times by determining which vendor’s firewall has been installed, then running scripts that exploit that particular firewall. The fact that at least one vendor has appealed to the hacker community to ‘test’ its firewall product has lamentably only increased the likelihood that hackers will defeat that product in addition to other vendors’ products. This misguided appeal, motivated by the desire for marketing publicity, has only increased the sense of challenge, curiosity, and perceived self-importance associated with attacking firewalls within the hacker community. For these reasons, then, a firewall that works well today may not work so well tomorrow. Many vendors may grudgingly accept this view in private, but many network administrators and users who rely on firewalls to protect their networks have not yet come to grips with it. Again, complacency caused by


over-confidence in firewalls can inhibit recognition of this reality. We need to understand that unless our firewalls’ security features are constantly upgraded, firewall security is subject to the principle of negative entropy.

Another faulty perception, resulting in part from the current popularity of firewalls, is the view that “the bad guys are out there and the good guys (i.e. employees and trusted contractors) are in here, so we must be safe.” Ironically, many whose networks are not firewalled have not had firewalls installed because they are convinced (largely because of crime statistics) that the insider attack is the major threat facing organizations in today’s computing environment. Yet those whose networks are firewalled often have focused so intensively on the external threat that they have overlooked the internal threat! Firewalls can be effective in establishing a security perimeter to control external access to any point within that perimeter but ineffective in providing security control within any particular security perimeter. If an attacker, for example, using a machine within a network or screened subnetwork attempts to gain unauthorized access to another machine within the same security perimeter, the firewall for that network or subnetwork can do nothing to prevent the attack. Again, we need a new, more realistic perspective on firewalls - one in which the security perimeter is viewed as a barrier only to external, not internal, access.

Information security solutions are typically not cheap, yet resources are limited. The amount of network security leverage provided in addition to the typically limited

resources available for security solutions tempt network administrators and management to pursue the notion of using a single solution - a ‘plug and play’ solution that, once in place, requires little if any additional resources. Firewalls, however, provide anything but this kind of solution, in that they require considerable maintenance if they are to function properly from a security standpoint. Carefully reading and analyzing firewall logs, for example, is a labour-intensive activity. Discovering attempted and successful attacks should prompt network administrators and management to modify the firewall policy (and, consequently, the firewall configuration itself) appropriately. The feedback obtained should enable the firewall to “stay in tune” with the threat environment. During the course of firewall testing, however, I have rarely had clients who detect even massive amounts of intrusion attempts. Seldom do corporations modify their firewall policies when new, highly security-dependent business applications appear within corporate networks, even though these applications might dictate a thorough revision of these policies.

In addition, many hidden costs are associated with firewalls, as indicated in this recent network posting (Rogers, 1995): “If you’re looking for hidden costs you’ll probably find what you’re looking for. I don’t see how anyone could believe that there would not be some additional work load expected. After all, you are putting a very restrictive device in the middle of a lot of software and traffic.


Some issues I’ve had to deal with on a proxy firewall: If you debug an E-mail problem, you’ll be looking at the log files on the firewall. Of course you’ve turned off the ability to login as root except at the console so you find yourself walking to the console a lot.


NNTP traffic across the firewall. In the case of PSI we had to deal with their requirement of different send and receive site which meant additional plug gateways and extra software changes in INN. PCs on your network will hang TCP connections on the firewall (bad software, bad stacks...) You’ll be looking at traffic flow volume and speed. Can’t use UDP across your firewall, so you’ll be dealing with traceroute, ping, time, and other useful TCP/IP protocols not flowing the way you’re used to. DNS configuration will get a little harder. Will you be running DNS on the firewall and thereby forcing routine root access to it or... Separation of inside and outside networks, probably using the same domain. Showing your users how to deal with using a proxy in all their favourite software. Finding Unix software that either has proxy on or off so that allowing HTTP access to local servers means that they loop through the firewall to do so...”

Firewalls are by no means any kind of ‘free ride’. People who use firewalls need to realize that the firewalls require considerable effort, and that


reading the logs and revising the firewall configuration is an essential component of a successful firewall defence strategy.

Perhaps the most disconcerting misconception regarding firewalls is that the current generation of firewalls are sufficient for Internet security and security in other environments. Today’s firewalls, according to this view, are about as good as they can be. The firewall as we know it today is located at a fixed location within a network infrastructure, working according to predefined rules (à la access control lists and/or proxy mechanisms). This not only increases the vulnerability of the firewall to attack but also forces us to rethink how we handle incidents when we discover that a firewall is being attacked. The firewall, in a sense, serves the function that a fort did to keep out invaders during the last century and before. Yet George Patton, a general for the United States in World War II, reportedly said that forts are monuments to those ignorant enough to build them. Warfare has changed substantially over the last century, and mobility and surprise rather than setting defences at a fixed location are now critical to success. This analogy applies to firewalls. People who design and implement firewalls often focus on meeting technical requirements based on today’s needs at the expense of anticipating security needs of the future. True, many attackers will be deterred if current generation firewalls meet security requirements. Other attackers will, however, quickly learn that the network they are trying to attack is firewalled and where in the infrastructure the firewall is located. The firewall thus serves as a fixed

target of attack, giving added meaning to the term ‘bastion host’. Furthermore, if a network administrator learns that a host within a network is being attacked, that person can easily shut that host down or disconnect it from the network if he or she so wishes. To shut down or disconnect a firewall under attack is, in contrast, an invitation to disaster. The firewall must continue to run, thereby being subjected in all likelihood to scores of further attacks (if the attacker so desires). Because most network attacks are now automated rather than interactive (Schultz, 1995), many thousands of attacks can occur within an interval of a few minutes. The threat to the firewall is thus greatly escalated. We need, then, to understand that a firewall is not only a single point of failure from the standpoint of networking but it is a single point of focus for network attackers because it is a fixed barrier at a stationary point within a network topology.

What will firewalls of the future need to be like? They must be more dynamic than they currently are. They must be capable of adapting, of promptly adjusting a firewall security policy based on discovery of attack patterns. One goal in developing firewalls of the future should be to have firewall configurations be table-driven, allowing changes in firewall configuration to be made more conveniently and with less mystery than many current firewall products allow. Better yet, firewalls of the future should couple firewall policy and firewall configuration, so that changing a policy produces corresponding changes in configuration. Firewalls of the future should be able to check their own


integrity, much like a tripwire, so that unauthorized changes cannot occur (or are at least extremely unlikely to occur). We may no longer be able to afford the luxury of having firewalls placed at a fixed point in a network’s infrastructure. Firewalls of the future may need to become more like network agents, capable of distributing themselves where they are needed (and in all likelihood moving themselves when they are attacked). These firewalls should be able to govern not only traffic originating from outside the network in which they are located, but also traffic originating from within. Finally, firewalls must make the process of reading and analyzing logged data less cumbersome.
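The coupling of policy, configuration, integrity checking and log feedback described above can be illustrated with a short Python example. It is added here and is not code from the article or from any firewall product; the policy entries, addresses, log records and function names are all constructed for the illustration, and it handles IPv4 only.

```python
import hashlib
import ipaddress
import json
from collections import Counter

# Constructed policy table: (action, source network, destination port).
# Anything not listed is denied ("all that is not expressly allowed is prohibited").
POLICY = [
    ("allow", "0.0.0.0/0", 25),      # inbound mail from anywhere
    ("allow", "192.0.2.0/24", 23),   # telnet only from one partner network
]

# Constructed log records: (source address, destination port, decision).
LOG = [
    ("203.0.113.9", 21, "deny"), ("203.0.113.9", 23, "deny"),
    ("203.0.113.9", 111, "deny"), ("198.51.100.7", 23, "deny"),
    ("198.51.100.7", 25, "allow"),
]

def compile_rules(policy):
    """Generate the ordered rule list from the policy table, ending in default deny."""
    rules = [{"action": action, "src": str(ipaddress.ip_network(src)), "dport": dport}
             for action, src, dport in policy]
    rules.append({"action": "deny", "src": "0.0.0.0/0", "dport": None})  # None = any port
    return rules

def decide(rules, src, dport):
    """First matching rule wins; an empty or exhausted rule list denies."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["src"]) and rule["dport"] in (None, dport):
            return rule["action"]
    return "deny"

def rules_digest(rules):
    """SHA-256 over a canonical serialization, recorded when a configuration is approved."""
    return hashlib.sha256(json.dumps(rules, sort_keys=True).encode()).hexdigest()

def verify(rules, approved_digest):
    """Tripwire-style check: does the running rule list still match the approved one?"""
    return rules_digest(rules) == approved_digest

def tighten(policy, log, threshold):
    """Return a new policy that denies every source with >= threshold denied attempts."""
    denied = Counter(src for src, _dport, decision in log if decision == "deny")
    blocks = [("deny", f"{src}/32", None)
              for src, count in sorted(denied.items()) if count >= threshold]
    return blocks + list(policy)

if __name__ == "__main__":
    rules = compile_rules(POLICY)
    approved = rules_digest(rules)
    print(decide(rules, "203.0.113.9", 25), verify(rules, approved))
    new_rules = compile_rules(tighten(POLICY, LOG, threshold=3))
    # The regenerated rules no longer match the old digest until they are re-approved.
    print(decide(new_rules, "203.0.113.9", 25), verify(new_rules, approved))
```

The digest is only useful if it is stored where someone able to alter the rules cannot also alter the recorded value.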

Conclusion

Despite numerous limitations, firewalls are a strong network security control measure. The proverbial smokescreen surrounding the firewalls arena is unfortunately very occlusive, so those who employ firewalls or who consider employing firewalls must learn what these devices can and cannot do. Learning what they cannot do is at least as important as learning what they can do. The proverbial smokescreen now needs to dissipate - to clear the misconceptions about firewalls that serve as an obstacle to gaining the maximum benefit from them and to establishing effective network security practices.

References

Cheswick, W.R. and Bellovin, S.M., 1994. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading.

Ranum, M.J., 1995. How Not to Build a Firewall. Computer Security Journal, Vol. 11 (1), 1995, pp. 1-70.

Rogers, R., 1995. Posting on comp.security.unix, August 12, 1995. (Cited with Mr Rogers’ permission.)

Schultz, E.E., 1995. The State of the Hack. Paper presented at 25th International Information Integrity Institute Forum, Brussels, Belgium, June 1995.

Schultz, E.E. and Longstaff, T.A., 1995. Internet Sniffer Attacks. In Proceedings of the 18th National Computer Security Conference, 1995.

Trowbridge, D., 1995. Firewalls Frustrate Vandals Seeking to Break In. Computer Technology Review, Vol. 15 (7), 1995, pp. 1, 6, 8.

This paper was presented by Dr Schultz at Compsec ’95 International, the 12th World Conference on Computer Security, Audit and Control, Queen Elizabeth II Conference Centre, Westminster, London, UK, 25-27 October 1995.

Physical layer Network Security: What your LAN can do for you

D.W. Banes

The basic simplicity and ease of use of Local Area Networks (LANs) has produced an explosive growth in connectivity over the past few years so that today they have become an integral part of most business organizations. This growth has been in spite of some fundamental problems that the technology highlights in the area of security. However, these issues have almost been totally ignored in the past, mainly because of a lack of understanding of the issues rather than complacency. More reliance is being placed on electronic media for our work: word processing, project management and finance all rely heavily on Personal Computers (PCs) and for network file access. A loss at any point (disk failure, network failure, etc.) can be catastrophic - productivity in a NetWare environment plummets if the network isn’t available for even an hour.

The PC itself was originally intended for private use but now is increasingly being networked. In many cases few or no procedures are put in place, so much so that a common requirement for network management is simple inventory control. Generally there is little or no understanding of exactly what equipment is present, how it is connected and who it belongs to. One of the factors that is little understood, and the main feature that allows LANs to be so simple, is also its biggest security flaw. The broadcast nature of LANs means that traffic transmitted on the network must pass by all stations that are connected to the same physical LAN so that the sender has to have no knowledge of the location of