Firewalls

CSE588 - Network Systems
5/1/97

Contents

  • Abstract
  • Overview
  • Common Firewall Architectures
  • An Example Firewall Implementation
  • A Comparison of Two Firewall Products
  • Conclusion
  • References
  • Appendix: Detailed Vendor Comparison
    Abstract

    The first section of this document gives a brief overview of what a firewall is, and what components go into creating one. The second section provides some insight into the most common firewall architectures, along with the pros and cons of each. The third section describes one company's firewall configuration and discusses the rationale for the configuration. The last section compares two of the leading firewall products: CheckPoint's FireWall-1 and Trusted Information System's Gauntlet.

    Overview

    What is a firewall?

    A firewall is a combination of a network policy and a firewall system. The network policy defines what services and access are permitted between a trusted internal network and an untrusted external network. The firewall system is a collection of hardware and software used to implement the security access policy.

    Why set up a firewall?

    The primary reason to set up a firewall is to enforce a network access policy. A firewall can simplify the task of protecting your site from unwanted intrusions. Without a firewall, each system that is attached to the internet has to be made secure, and must provide a uniform level of security so that one machine cannot compromise another. As the internal network gets larger, this becomes harder to do.

    A firewall not only reduces the risks to the internal network, it can provide enhanced privacy by not allowing services such as finger and the Domain Name Service. In addition, a firewall can be used to log access to and from the internal network, and to keep statistics about network usage.

    Why you might not set up a firewall

    A firewall system cannot solve all Internet security issues. For example, it does not provide protection from insider attacks. It is also not very useful to set up a firewall if your users will set up unrestricted modems on internal machines.

    Another reason you may not set up a firewall is that it blocks services that you want your users to have access to. For example, sites that need to use NFS and NIS across major gateways may find it costly, if not impossible, to set up a firewall that supports this. In such cases, the need for security must be weighed against the benefits to the users.

    Components of a firewall

    The main components of a firewall are a network policy and some combination of packet filtering and proxy services. [WACK, CARNAHAN] argue that another component is some sort of advanced authentication measure, such as smart cards and authentication tokens.

    Network Policy

    A network policy defines what types of services will be allowed or denied. Ideally, it is specified before the firewall system is set up.

    Packet Filtering

    IP packet filtering is performed at the network level using a screening router. The router parses the network packet headers for the following information

    to filter which packets are allowed into or out of your internal network.

    Figure 1. Packet Filtering      

    Static packet filtering

    The router uses this information, plus a rules table set up by a system administrator, to determine whether to allow or deny the packet. The rules table contains a list of conditions and actions that are applied in a particular order until a match is found. When a packet meets all of the conditions for a particular entry, the action for that entry is applied to the packet. The action may be to allow the packet through, or to drop it.

    Advantages

    One of the main advantages of packet filtering is that it is transparent. Users do not need to be aware that packet filtering exists unless they try to use a service that is not allowed. There is no need for specialized application software.

    Packet filtering is also fast, and generally inexpensive. Most organizations already have routers.

    Disadvantages

    One of the main disadvantages of packet filtering is that it is more limited in the types of access control that it provides. Routers can only filter based on host addresses and type of service. They do not have the ability to filter service based on user, or on the type of operation being performed. For example, you may want to allow users on the external network to use FTP to get files from your site, but not be able to put files. Packet filtering does not provide a mechanism to do this. It can also be difficult to set up a rules table that is correct, and that accurately reflects your security model.

    Packet filtering is typically easier to bypass. [CHAPMAN92] goes into great detail about the various ways in which packet filtering can be insecure.

    There are little or no logging capabilities, so it is difficult to determine when a screening router has been compromised or is under attack.

    Dynamic packet filtering (also known as "Stateful Inspection")

    Dynamic packet filtering attempts to address many of the weaknesses of static packet filtering. With dynamic packet filtering, the router looks inside the network packet to find higher-level protocol information. It uses this information to determine whether a packet is expected based on previous communication. For example, a dynamic packet filter may set up simulated connections for connectionless protocols such as NFS and RPC.
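    The first-match rules table described under static packet filtering, and the connection tracking that dynamic filtering adds, as an added example that is not part of the original paper: a Python model of both filters run over the same constructed traffic. The internal network 10.1.0.0/16, the web server 10.1.0.80, the blocked host 203.0.113.7 and the rules themselves are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "10.1.0.0/16"   # assumed trusted internal network
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Packet:
    """Only the header fields a screening router can see; no payload."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN without ACK marks a new connection attempt
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    """One entry of the rules table; None fields match anything."""
    action: str                  # "allow" or "deny"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_only: bool = False       # match only TCP connection openers (SYN, no ACK)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.new_only or (p.syn and not p.ack)))

class StaticFilter:
    """Static packet filter: entries are tried in table order, the first one
    that matches decides, and a packet matching no entry is dropped."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"

class StatefulFilter(StaticFilter):
    """Dynamic packet filter: remembers flows the table admitted and lets their
    later packets through in either direction without consulting the table,
    so the table only has to say how flows may be opened."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()   # (src, sport, dst, dport, proto) of admitted flows

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.flows or rev in self.flows:
            return "allow"                 # expected, given earlier traffic
        action = super().decide(p)
        if action == "allow":
            self.flows.add(fwd)
        return action

# Constructed policy: drop everything from one known-bad host, let internal
# hosts open anything outbound, accept new TCP connections to the web server
# only. Order matters: the deny must come before the broader allow entries.
RULES = [
    Rule("deny", src="203.0.113.7/32"),
    Rule("allow", src=INTERNAL),
    Rule("allow", dst="10.1.0.80/32", proto="tcp", dport=80, new_only=True),
]

def run_scenario(fw: StaticFilter) -> dict:
    """Feed the same constructed traffic, in order, through a filter."""
    traffic = [
        ("dns_query",          Packet("10.1.0.53", "198.51.100.10", "udp", 40000, 53)),
        ("dns_answer",         Packet("198.51.100.10", "10.1.0.53", "udp", 53, 40000)),
        ("unsolicited_answer", Packet("198.51.100.99", "10.1.0.53", "udp", 53, 40000)),
        ("web_syn",            Packet("192.0.2.5", "10.1.0.80", "tcp", 51000, 80, syn=True)),
        ("web_data",           Packet("192.0.2.5", "10.1.0.80", "tcp", 51000, 80, ack=True)),
        ("blocked_host",       Packet("203.0.113.7", "10.1.0.80", "tcp", 51001, 80, syn=True)),
    ]
    return {name: fw.decide(pkt) for name, pkt in traffic}

if __name__ == "__main__":
    print("static  :", run_scenario(StaticFilter(RULES)))
    print("stateful:", run_scenario(StatefulFilter(RULES)))
```

    With the static table the real DNS answer is dropped together with the forged one, because the only static entry that would admit it is wide enough to admit the forged packet too, which is the kind of weakness [CHAPMAN92] catalogues. The stateful filter admits the answer because an earlier query made it expected, and still drops the forged one.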

    Proxy services

    A proxy service is an application that forwards and filters connections to a specific service, such as Telnet or FTP, based on your site's security policy. The host that a proxy service runs on is referred to as an application gateway (or proxy gateway).

    Figure 2. Proxy Services             

    Advantages

    Proxy services allow only those services through for which there is a proxy. In addition, proxy servers can provide additional features such as user authentication, enhanced logging, and protocol-specific filtering. For example, the proxy server can be configured to allow FTP get commands from the internal network, but deny FTP put commands to the internal network.
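    The FTP get/put distinction just mentioned, as an added example that is not part of the original paper: a Python model of the command filter an application gateway applies to the FTP control channel, with a constructed per-direction policy and a constructed client session. The policy, the verb sets and the audit-line format are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed policy for a hypothetical FTP application gateway: for each
# direction, the control-channel verbs the proxy will relay to the real
# server. Anything else is answered by the proxy itself and never reaches the
# server. Inbound (external client -> site server) omits STOR, APPE, DELE,
# RNFR/RNTO, MKD and RMD, so outsiders can fetch files but not put or change them.
POLICY = {
    "outbound": {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "PORT",
                 "LIST", "NLST", "SIZE", "RETR", "STOR", "QUIT"},
    "inbound":  {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV",
                 "LIST", "NLST", "SIZE", "RETR", "QUIT"},
}

# One FTP command line: a 3-4 letter verb, an optional argument, CRLF.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:[ \t]+(.*))?\r?\n?$")
MAX_LINE = 512

class FtpControlProxy:
    """Filters one FTP control connection. Because the proxy sees every
    command before the real server does, it can decide per verb, per user
    and per direction, and record who asked for what; a packet filter,
    which only sees addresses and port numbers, can do none of this."""

    def __init__(self, direction: str):
        self.direction = direction
        self.allowed = POLICY[direction]
        self.user = "-"                 # filled in when the client sends USER
        self.audit: List[str] = []      # one line per command, for logging

    def handle(self, line: str) -> Tuple[str, str]:
        """Return ("forward", line for the server) or ("reject", reply for the client)."""
        m = CMD_RE.match(line)
        if m is None or len(line) > MAX_LINE:
            self._log("?", "", "reject-malformed")
            return ("reject", "500 Syntax error, command unrecognized.\r\n")
        verb, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if verb == "USER":
            self.user = arg
        if verb not in self.allowed:
            self._log(verb, arg, "reject-policy")
            return ("reject", "502 Command not allowed by gateway.\r\n")
        self._log(verb, "" if verb == "PASS" else arg, "forward")  # never log passwords
        return ("forward", f"{verb} {arg}\r\n" if arg else f"{verb}\r\n")

    def _log(self, verb: str, arg: str, decision: str) -> None:
        parts = (self.direction, f"user={self.user}", verb, arg, decision)
        self.audit.append(" ".join(p for p in parts if p))

def run_session(lines: List[str], direction: str) -> Tuple[List[str], List[str]]:
    """Run a whole client session through a fresh proxy; return decisions and audit log."""
    proxy = FtpControlProxy(direction)
    return [proxy.handle(line)[0] for line in lines], proxy.audit

# Constructed session: an anonymous external client fetches a file, then
# tries to upload and delete, which the inbound policy refuses.
INBOUND_SESSION = [
    "USER anonymous\r\n", "PASS guest@example.net\r\n", "CWD pub\r\n",
    "RETR README\r\n", "STOR upload.bin\r\n", "DELE README\r\n", "QUIT\r\n",
]

if __name__ == "__main__":
    decisions, audit = run_session(INBOUND_SESSION, "inbound")
    for entry in audit:
        print(entry)
```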

    Proxy servers also hide the names of internal systems. The internal systems think they are talking to the external network, while the external network thinks it is talking to the application gateway.

    Disadvantages

    There are two main disadvantages to using proxy servers. The first is performance. They must set up two separate connections between the internal and external networks, and there is also some extra processing that must be done.

    The second disadvantage is that a new protocol cannot be provided until a proxy server is written. And in some cases, modified clients are needed to talk to the proxy server.

    Common Firewall Architectures

    There are four common combinations of screening routers and application gateways used when creating a firewall system:

    Packet Filtering Architecture

    A packet filtering architecture typically consists of a single screening router that is placed between the internal and external network (see figure 1).

    This type of firewall might be appropriate for sites that have a wide variety of systems for which it would be difficult to obtain modified application software for all the system types.

    Dual-Homed Host Architecture

    A dual-homed host architecture consists of a host that is connected to two network interfaces: one on the trusted internal network and one on the untrusted external network. The host's IP forwarding is disabled so that packets cannot be directly routed between the networks. A dual-homed host provides services only by proxying them. The application gateway in figure 2 is an example of a dual-homed host.

    Screened Host Architecture

    A screened host architecture provides services from a host that is attached to only the internal network. A separate router connects the screened host to the external network. The primary security is provided by packet filtering.

    The router directs services for which a proxy exists to the application gateway. Other trusted traffic is allowed to go directly through to the site systems.


    Figure 3. Screened Host                  

    Advantages

    The screened host architecture is more flexible than the dual-homed host architecture. It can be used to allow trusted services for which there are no proxies.

    Disadvantages

    The firewall is less secure. There are now two systems which must be configured correctly. And, it is easier for the users to bypass the screened host, possibly violating your security policy. Also, if an attacker breaks into either the router or the screened host, they have complete access to the rest of the site systems.

    Screened Subnet Architecture

    The screened subnet architecture adds an extra level of security by creating a screened subnet (also referred to as a perimeter network or a "DMZ") between the internal and external networks. There may be one or more application gateways on the screened subnet. The exterior router restricts Internet access to specific systems on the screened subnet. The inner router passes traffic to and from the internal systems to one of the hosts on the screened subnet. Thus, no site system is directly reachable from an external system and vice versa.

    Figure 4. Screened Subnet                  

    Advantages

    Each component of the firewall can be set up to handle a specific protocol, which can increase throughput.

    It is more difficult for an attacker to get access to information on the internal network. If an attacker manages to get through the external router, they are limited in how much information they have access to on the screened subnet.

    Disadvantages

    The firewall can be made to pass "trusted" services around the application gateway(s), thereby subverting policy. And more emphasis is placed on the routers, which can be difficult to configure correctly.

    An Example Firewall Implementation

    A software company based in Seattle agreed to outline their security and firewall implementation for this study, with the condition of anonymity. For the purpose of this paper, they will be referred to as Really Cool Software (RCS).

    Company Background

    In order to understand the implementation that RCS chose for its network security, a little background on the company is in order. RCS is a company of approximately 650 employees whose headquarters is split between two buildings in Seattle, WA. The company has branch offices in Europe and Asia and works closely with vendors and customers throughout the world.

    RCS produces software that is focused on the networking market, primarily in the area of connecting host computers (everything from NT servers to AS/400s) to desktop computers (any flavor of Microsoft Windows or Macintosh). One of the company's distinguishing features is its focus on technical support for its customers; this task employs approximately 25% of the employees and has had a significant impact on the chosen network implementation.

    The company culture of RCS is one of openness and empowerment - all employees are assumed and expected to be able to use initiative and creativity to find good solutions for their customers. While that may be a great goal for a company, as we will see, it can make configuring a secure network quite a challenge.

    Issues and Design Goals

    Approximately three years ago, the IS department in RCS was faced with the reality of a serious lack of security on their internal networks. The company was doubling both in revenue and employees every year, and the corporate culture did not encourage them to set up "walls" that appeared to keep people from doing their jobs.

    The IS group set out to define the problems and challenges that they needed to solve to protect the company's networks while still providing customers and vendors ready access to the information they needed. The following are some of the issues and design goals that were raised during the evaluation:

    1. Need for remote access to demo machines.

      As a growing software company, RCS attends approximately 150 trade shows per year. Since RCS has products that involve logging into large computers, a demo at a trade show would always include a remote login back to a host in Seattle. (The alternative of bringing the hosts to the trade shows was not reasonable given the monetary cost.) As the IS manager said, "a trade show is about the most insecure place you can be and we were allowing access to our internal networks from trade show floors!"

      RCS also had the same issue with customer site visits. In order to do a product demonstration at a customer site, they often have to remotely log into RCS host computers.

      Similarly, the development teams need a way to test software through firewalls. That is, they need to make sure that direct internet connections (i.e., between computers not behind a firewall) and connections through a variety of firewalls would work correctly.

    2. Employees are to always be trusted.

      Any other approach violates a basic tenet of the corporate culture.

    3. Need for off-site access by employees

      A significant number of employees, both in sales and technical support, travel extensively. While off-site, these employees need access to e-mail and other services (e.g., FTP or internal Web pages) on the internal networks.

    4. Need to be able to isolate a group of machines during training classes

      RCS provides extensive customer, vendor and distributor training at its headquarters. Computers used during external training courses should not have access to the internal network. However, those same computers needed access to the internal networks at other times.

    5. Centralized network administration was deemed to be a paramount consideration.

      This was deemed to be primarily a cost consideration. However, it was clearly a security issue as well.

    6. Performance is critical.

      Product demonstrations at trade shows, customer support, and development teams located throughout the world all combine to make performance one of the primary criteria upon which their security solution would be built.

    Firewall Implementation

    Faced with all of these challenges, the IS department decided upon a rather common approach to a firewall and overall network security policy with a few creative solutions to the company's unique problems.

    Hardware and Software Configuration

    In each of the Seattle buildings, there is a fully redundant collapsed backbone Ethernet network, connected between the buildings by a fiber channel (100BaseFX). The central router for the company is housed in one of these buildings.

    Conceptually, this router has three exit points:

    In front of the firewall is a DMZ network with the FTP and Web servers available for distributing public information and communicating with customers and vendors. The DMZ network is protected by a Cisco router that does basic packet filtering on incoming network traffic, ensuring that all appropriate traffic is being directed to either one of the servers or the firewall. Traffic that is not appropriate (e.g., telnet to the Web server) is discarded. In front of this router is what is called the "Free Net".

    The "Free Net" is a collection of completely unprotected host computers (including HP, IBM and DEC mainframes, NT servers and Novell servers) that are used primarily for trade show and customer demonstrations and support. Occasionally, these systems are also used for product testing and development. (This is a little bit of a risk, but was deemed to be acceptable given the rarity of this work.) In front of the Free Net there is a POP router, provided by RCS's ISP for troubleshooting and support, that actually connects to the Internet.

    The firewall product selected by RCS was CheckPoint Software's FireWall-1, running on a Sun workstation. It was selected for many reasons, but the primary reason was performance. From the testing done during evaluation of firewall products, as well as a review of published reports, FireWall-1 was found to be the fastest firewall on the market at the time. In addition, the IS department liked the manageability of the software both because of a good user interface, as well as the fact that FireWall-1 does an excellent job of managing a centralized network like RCS. The Sun platform was chosen for the firewall for two simple reasons: although there was a Windows NT version of the software available at the time, the platform's performance and manageability were deemed to be unsatisfactory, and most of the IS personnel had Unix backgrounds, thus making a Unix network easier for them to manage.

    Security Policy

    As has already been discussed, a firewall is really an implementation of an overall security policy. Because of the culture of openness and trust at RCS, all network traffic is allowed to pass out of the internal network. There is no auditing or screening of out-bound traffic. Inbound traffic is understandably much more restrictive, with only FTP and Web traffic allowed to pass through to the internal network. There is a significant amount of logging and auditing of inbound traffic.

    Back Doors

    One of the most common problems with firewall implementations is the tendency of employees to circumvent that security using dial-up lines from desktop computers. RCS is no exception, and because several of their products involve developing network support for dial-up connections, it is common to have dial-up connections into offices. In an effort to manage this issue, the IS department keeps a list of external dial-up connections and attempts to use employee education to ensure security. When possible, "dial-out only" lines are used. This is a difficult issue for RCS, as the appearance of someone keeping track of an employee's dialup connections can be perceived as contrary to the culture of employee empowerment.

    Frequency of Attacks

    With this security arrangement in place, the network administrator estimates that the RCS firewall registers an average of 2-3 "attacks" per day. Most of these, however, are benign, with approximately 2-3 per month being antagonistic. Only once has the network been severely victimized, and this was actually backlash from a packet storm that was sent to an MCI server in an attempt to bring it down. One of RCS's addresses was used as the spoofed source address, and the backlash from the MCI server flooded the RCS server.

    Future Directions

    There are four areas in this network plan where RCS is currently researching a future direction: remote access to mail, virtual private networks, product distribution via the World Wide Web, and firewall redundancy.

    Remote access to mail

    The current process of having employees that are traveling access their mail via a modem pool is adequate but not ideal. It is possible that a mail proxy will be used to allow a more direct access to the mail server.

    Virtual Private Network

    Another technology being considered is support for virtual private networks. As RCS does a significant amount of on-line work with customers and vendors, the need for encrypted conversations between firewalls is becoming obvious.

    Software Distribution via the World Wide Web

    As a software firm, RCS is considering ways to provide product distribution via the Web. Because this can result in a significant spike in the usage pattern on the web server - this, after all, is what caused Microsoft's web server(s) to grind to a halt when Windows '95 was released - RCS is considering outsourcing all software distribution. As the IS manager at RCS said, "Sometimes the most cost-effective solution to a problem is to let someone else deal with it."

    Firewall Redundancy

    Currently the firewall is a single point of failure in RCS's system. They are purchasing a system that will act as a backup if the firewall fails or is compromised.

    A Comparison of Two Firewall Products

    The following section compares the general strengths and weaknesses of Trusted Information System's Gauntlet product to CheckPoint's FireWall-1 product. A detailed comparison is provided at the end of this document.

    The Gauntlet product relies on proxies to provide services. The CheckPoint product uses stateful inspection. For a detailed technical discussion of the advantages and disadvantages of proxies and stateful inspection, see this CNS mail thread.

    In general, the tradeoffs between the two products boil down to balancing ease of use and security. According to [DATACOM97], both products are very secure. As for ease of use, some of that depends on the systems you are familiar with.

    [FORBES96] and some mail groups mentioned that one of the issues that differs between the products is that you can get Gauntlet from the same vendor you get your hardware from (e.g., SGI). Some saw that as positive (i.e., SGI is then responsible for the entire system and its maintenance, and holes would theoretically be less likely). Others saw this as a negative, with the rationale that having a vendor supply a firewall to protect against (possible) bugs in its own system is not a wise choice.

    TIS/Gauntlet

    The two main strengths of the Gauntlet product are the fact that it provides transparent proxies, and it supports IP-level encryption.

    Gauntlet provides a separate proxy server for each application, rather than a single proxy server for all applications, so the applications themselves do not need to be modified. This makes the proxies transparent to the users of the internal network.

    Gauntlet also provides IP-level encryption, which can be used to build Virtual Network Perimeters (also known as Virtual Private Networks). All traffic between the networks forming a VPN must be routed through the firewalls, which encapsulate and transmit the traffic encrypted using DES.


    Figure 5. Virtual Perimeter Networks

    This feature is particularly useful for companies with branches around the world that must rely on sending traffic over untrusted networks between locations.

    Strengths:

    Weaknesses:

    CheckPoint/FireWall-1

    FireWall-1 uses the relatively new dynamic filtering technology. This technology, also known as Stateful Inspection, has been patented by CheckPoint, Inc. (for details about the patent, see their press release).

    FireWall-1 provides application-level filtering at the network level by adding a layer called an Inspection Module between the Data Link and Network layers. This has the advantage of being faster than a true application layer proxy. It also allows FireWall-1 to handle services such as UDP and RPC, which proxies cannot deal with.

    Figure 6. FireWall-1 Inspection Module

    Strengths:

    Weaknesses:

    Conclusion

    As the Internet becomes more a part of business, firewalls are becoming an important ingredient of an overall network security policy. We have seen that there are several approaches to integrating a firewall into a network topology. We've also found that there are many possible criteria upon which decisions are made regarding whether to implement a firewall, and if so, which one. Generally, performance, feature set (that is, does this product provide security in the ways that are most needed) and how well the product fits into the current network infrastructure are the most important issues. The firewall market is still relatively young and there is an abundance of choices (approximately 40 vendors currently offer products), so it is expected that as the market matures, the products that are successful will be those that excel in these areas.

    References

    1. SGI Gauntlet Product Information.
    2. "An Introduction To Firewalls". SunExpert Magazine, Computer Publishing Group, March 1997, Vol. 8, No. 3, pp. 60+.
    3. CheckPoint FireWall-1 White Paper.
    4. Fortified Networks Inc.'s Internet Firewall Evaluation Checklists.
    5. "Internet Security: Part 1: Firewall Positioning". M. Zboray. Gartner Group, Inc., July 1996.
    6. "How to Pick an Internet Firewall". Marcus J. Ranum. V-ONE Corporation.
    7. "Firewalls: Don't Get Burned". David Newman, Helen Holzbaur, and Kathleen Bishop. Data Communications, March 1997.
    8. "Can Firewalls Take the Heat? Performance tests show that some Internet firewalls are stronger than others". David Newman, Data Communications, and Brent Melson, National Software Testing Laboratories Inc. November 1995.
    9. "Safe at 100 Megabits Per Second". Josh McHugh. Forbes Magazine, Dec. 30, 1996.
    10. "Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls". J. P. Wack and Lisa J. Carnahan. NIST Special Publication 800-10.
    11. "Network (In)Security Through IP Packet Filtering". D. Brent Chapman. Proceedings of the Third USENIX UNIX Security Symposium, Baltimore, MD, September 1992.
    12. "Building a Firewall". Vance McCarthy. Datamation, May 1996.
    13. "Filtering Gateways vs. Application Gateways". David Dalva. Trusted Information Systems, Inc.
    14. "Firewall Design". D. Brent Chapman and Elizabeth D. Zwicky. SunWorld Online, January 1996.
    15. TIS Product Information.

    Appendix: Detailed Vendor Comparison

    The following table compares the features of CheckPoint's FireWall-1 product and Trusted Information System's Gauntlet product in detail.

      Feature                                | CheckPoint FireWall-1              | TIS Gauntlet
      ---------------------------------------+------------------------------------+----------------------------------
    Product & Vendor Information
      Vendor                                 | CheckPoint Software                | Trusted Information Systems, Inc.
      Product                                | FireWall-1                         | Gauntlet
      Architecture                           | Stateful inspection                | Application level proxy
      System/OS supported                    | HP-UX, Solaris, SunOS, Win95, NT 3.51, NT 4.0 | BSD/OS v2.1, HP Unix, Solaris, SunOS, Windows NT 4.0, Irix
      Price for 25/100/1000 users            | $2995, $7997, $18,990              | $11,900 (s/w only); $16,500 (w/ h/w)
      Disk space required                    | 26 MB                              | 512 MB
      Memory required                        | 64 MB                              | 16-32 MB
      Consulting services                    | ?                                  | yes
    Management, Logging & Auditing
      Audit capabilities                     | yes                                | yes
      Session accounting (e.g. min/session)  | yes                                | yes
      Log filters                            | Service, time, source, destination | Service, time, source, destination
        * log non-filtered packets           | no (n/a: all packets are filtered) | yes
        * log violations                     | yes                                | yes
        * log/view live connections          | yes                                | -
      Alarm functions                        | yes                                | yes
      Notification                           | paging, email, SNMP traps          | paging, email
      Synchronization & high availability    | yes                                | -
      Load balancing between firewalls       | yes: server load, round trip, round robin, random, domain | -
      Real-time monitoring                   | yes                                | -
      Remote auto logging                    | yes                                | -
    Usability
      GUI tools                              | yes                                | yes
      Application transparency               | yes                                | yes
      Scalable                               | yes                                | yes
      Automatic integrity check              | no                                 | yes
    Encryption
      Virtual encrypted networks             | yes                                | yes
      Encryption & authentication            | MD5                                | MD5, SHTTP, SSL, Cryptocard, Enigma Logic, Safeword, Smartgate, DES, triple DES
      Encryption schemes available           | DES, RC4, SKIP, Manual IPSec, more | DES
      Firewall-to-firewall encryption        | yes                                | yes
    Timer based management
      Timed sessions on port                 | yes                                | yes
      Timed security policies                | yes                                | yes
      Time based user access                 | yes                                | yes
      SecurID                                | yes                                | yes
    Authentication
      User authentication                    | yes: S/Key, SecurID, OSPasswd, RADIUS, AssureNet | yes: SecurID
      Client authentication                  | all apps, once per IP address, non-transparent | -
      Session authentication                 | all apps, once per session, non-transparent | -
    Network Interfaces
      Max interfaces                         | depends only on hardware           | depends only on hardware
      Supported interfaces                   | Ethernet, FDDI, ATM, fast Ethernet, AnyLAN, serial up to T1/E1, T3/E3 | Ethernet, FDDI, ATM, fast Ethernet, serial up to T1/E1, T3/E3
    Application & Protocols Filtered
      Java screening                         | yes                                | yes
      ActiveX screening                      | no                                 | yes
      telnet                                 | partial (no content filtering)     | yes
      ftp                                    | yes                                | yes
      http (www)                             | yes                                | yes
      Gopher                                 | partial                            | yes
      WAIS                                   | partial                            | yes
      SMTP                                   | yes                                | yes
      NNTP                                   | partial                            | yes
      X11                                    | partial                            | yes
      Berkeley r-services (rlogin, rsh, ...) | yes                                | yes
      Sun RPC services (NIS, NFS, ...)       | yes                                | no
      RealAudio                              | yes                                | yes
      UDP support                            | yes                                | no
      TCP/IP filtered                        | yes                                | yes
      ICMP - Ping                            | yes                                | no
      RPC                                    | yes                                | no
      DNS                                    | yes                                | yes
      Finger                                 | yes                                | yes
      NFS                                    | yes                                | no
      NNTP                                   | yes                                | yes
      NTP                                    | yes                                | yes
      Pointcast                              | yes                                | yes
      POP                                    | yes                                | yes
      Quicktime                              | yes                                | no
      SHTTP                                  | yes                                | yes
      SSL (Secure Sockets Layer)             | yes                                | yes
      TFTP (trivial FTP)                     | yes                                | no
      TN3270                                 | yes                                | yes
      Custom applications                    | yes                                | yes
      Novell protocol filtered               | yes                                | no
      DECnet protocol filtered               | yes                                | no
      AppleTalk protocol filtered            | yes                                | no
      Bridging protocol filtered             | no                                 | yes
      Automatic filters                      | n/a                                | no
    Network Protection
      Network address translation            | yes                                | yes
      IP address hiding                      | yes                                | no
      Hide internal DNS info                 | yes                                | yes
      Sequence number prediction             | yes                                | yes
      Source routing attack protection       | yes                                | no
      Secure on system boot                  | yes                                | yes
    Misc Features
      Virus scanning                         | yes                                | no
      Certifications                         | NCSA                               | NCSA, NSA
      Port scanning detection                | no                                 | yes
    Table 1. Comparison of CheckPoint/FireWall-1 and TIS/Gauntlet Firewall Products (a "-" entry means no value was given for that product)