FEATURE
Internet Firewalls
There are three generally accepted types of firewalls on Internet connections: packet filtering, circuit gateways and application gateways.
Bill Hancock
It seems that every company I know of wants to connect to the Internet these days. They all seem to be starting to understand the benefits and capabilities of the Internet and the facilities that are available on the network. Universally, though, either through experience or through institutional paranoia, there is the cry for Internet security firewalls to help protect corporate networks.
Firstly, the question that needs to be raised is: what, exactly, is an Internet firewall? Basically, firewalls are products that allow the systems or network manager to restrict access to components on the network. There are various types of products which claim to be firewalls and which clearly do not apply. One sad part about firewalls is that the terminology is much like the word 'virus': what is a firewall and what is not a firewall is subject to much interpretation by the vendor and the consumer. At the most basic level, a firewall is a packet filter facility that can restrict the flow of packets to and from a network via a set of rules implemented in an interconnection device. Examples of this might be a filtering router unit that is capable of restricting which packets can be transmitted and which ones can be received from an Internet connection based upon packet addresses (source and destination), specific IP transport protocol type, etc. Other types of firewalls might include intelligent port and socket (application) filters, session-level (user) filters and a variety of other types of filtering tools that restrict traffic flow. From these definitions, it is plain that a firewall is frequently a sum of many different components that work together to block transmission and reception of traffic.
Computer Fraud & Security December 1998 3723/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved
Packet filter firewalls
Packet filter firewalls consist of enhanced routers with command-driven filter components. In this scenario, the network manager 'tells' the router via terminal commands or a programming interface what types of packet conditions it is to filter from access to the internal network from the Internet or vice versa. Packet filtering firewalls cannot be on wimpy machines - only truly sturdy hardware need apply. The performance of the firewall will degrade, big-time, as more filters and conditional filter handling are set up. Packet filtering, however, does not handle certain types of transactions on a network that are context-sensitive (i.e. many packets are required to do something, which, taken as a whole, means a certain condition has occurred that may not be a happy situation).
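The limitation described above, as an added example that is not part of the original article: a stateless, first-match packet filter judging each packet on its source and destination address, protocol and port, beside a stateful counter that notices an aggregate condition (one outside host probing many ports) which no single-packet rule can express. The site prefix 192.0.2.0/24, the outside addresses and the rule set are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"     # any source unless narrowed
    dst: str = "0.0.0.0/0"     # any destination unless narrowed
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set for a hypothetical site 192.0.2.0/24: first match wins,
# and anything that matches no rule is dropped (default deny).
RULES = [
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=25),   # inbound mail
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=80),   # inbound web
    Rule("allow", src="192.0.2.0/24"),                          # anything outbound
    Rule("deny"),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Stateless filter: the verdict depends only on this packet's header."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def scan_detector(packets, threshold: int = 3) -> set:
    """Stateful view the filter lacks: flag sources that touch many distinct
    ports, whatever the per-packet verdicts were."""
    ports = defaultdict(set)
    for p in packets:
        if p.dport is not None:
            ports[p.src].add(p.dport)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


# Constructed sample: an outside host sweeps four ports; an inside host browses.
SAMPLE_PACKETS = [Packet("203.0.113.5", "192.0.2.10", "tcp", d) for d in (22, 23, 25, 80)]
SAMPLE_PACKETS.append(Packet("192.0.2.10", "203.0.113.9", "tcp", 443))
```

Run rule by rule, the sweep yields deny, deny, allow, allow; only scan_detector, keeping state across packets, reports 203.0.113.5.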
Circuit gateways
Circuit gateway firewalls typically involve the session set-up between systems and the associated user security options usually part of a connection set-up. For instance, a circuit gateway might check user IDs and passwords for a connection request. Other types of circuit firewalls might implement proxy connection authorization or other types of authentication services. Circuit firewalls are also responsible for logging who came from where and went to what, which is not trivial.
Application gateways
Application firewalls are program specific. An example might be a TELNET firewall facility that provides security facilities, full packet content scanning, session management, session capturing and other facilities. This type of firewall is specific to a particular IP application, TELNET, and is usually much more secure than packet and address filtering in a router as it might not only worry about user IDs, passwords and proxies, but it also might consider application-specific access methods and security issues. Many application firewalls contain circuit firewall facilities for specific application types and this can increase the security of the connection quite substantially.
There is no such thing as a cheap firewall. In the implementations of firewalls, there are the obvious costs (hardware, software) and the not so obvious costs (maintenance of filters and rules, administrative costs, loss of services due to security violation potential, training etc.). A firewall is never an automatic thing and must be set up for proper functionality in an environment. Not all things work well with firewalls - they can cause performance problems for users of the firewall as well as application restrictions that may not work well for corporate goals. Since firewall requirements from company to company vary dramatically, there are many situations where more than one product from more than one vendor is required to properly provide firewall facilities. A router with packet filters would be almost a necessity for each site. A user terminal security facility for TELNET users is also necessary, but there is not a router made that can provide all the sophisticated security facilities for terminal traffic as well as provide swift routing facilities. As a result, these two functions alone result in different systems for control and access.
One of the problems of firewall implementation is the need for some technical expertise to set the firewall(s) up. If one does not understand TCP/IP to a reasonable level, there is little hope of properly setting up a packet filter facility. How much technical knowledge is required varies from firewall to firewall, but none are exactly straightforward and clear to set up. In almost all situations, no matter how mature and well written the firewall software is, there are a myriad of administrative tasks involved. Even with fairly decent firewalls for Internet access, there are situations which, when left to their own, will cause defeat of the firewalls. For instance, tunnelling of a protocol in a protocol can be difficult, if not impossible, to filter and control. Some sites, for purely political reasons, will not allow restrictions on certain applications that allow remote Internet users to gain access to critical data about a site that may be used to exploit the network. There are plenty of other situations, but it is important to note that firewalls are not forever and may be defeated from time to time even in the best of environments.
Should you have a series of firewalls? Absolutely - the more the merrier and the greater the chance of picking up someone 'doing the dirty' to the network and its resources. In practically all situations, having firewalls is infinitely cheaper than not having them and spending a great amount of time and energy stopping network scum from accessing your network.
Internet firewalls are useful and beneficial. I have never seen any one product that provides all the facilities that I consider necessary for total security from and to the Internet. However, careful selection and integration of the product sets available for Internet firewalls can result in a good firewall set up and better access and tracking of Internet activities.