Abstract

This paper describes firewalls. It is intended to provide a basic understanding of why we need firewalls and how they work. It also illustrates the issues that are involved in planning or purchasing a firewall.

1. Introduction to Internet Security

The Internet promises access to information by anyone, from anywhere. This results in some serious security issues. The network is usually the most insecure part of an organization's computer system. This is due to three factors: 1) there are now more points from which an assault can be launched, 2) Internet protocols were not designed with security in mind, and 3) many users and network administrators are not willing to put up with the extra annoyance of security checks, and as a result the security measures are compromised. To make the situation worse, operating systems are not totally secure and bug-free. This creates holes that can be exploited by knowledgeable intruders.

This is not to say that all of the security risks are due to the Internet. Some risks, like password attacks, have been around for a long time, while others are newer. Furthermore, many of the network services were developed under the assumption that the extent of the network was relatively bounded. In an era of globe-spanning connectivity, that assumption has broken down, sometimes with severe consequences.

1.1 Overview of the problems with TCP/UDP/IP/ICMP

The network-level TCP and UDP services generally assume that the source address in a packet is valid when accepting it. In other words, the protocol trusts that the packet has been sent from a valid host. IP source routing, as [1] points out, can be used to trick systems into permitting connections from systems that otherwise would not be permitted to connect. Spoofing UDP packets is easier than spoofing TCP packets, since there is no handshake involved [3]. Thus, there is a higher risk associated with UDP-based services.
One of the problems with ICMP, as discussed by [1], is that ICMP redirect messages can be used to trick routers, and hosts acting as routers, into using erroneous routes. Therefore, ICMP can be used to direct traffic to an invader's system instead of the legitimate system. This can result in an attacker gaining access to systems that normally would not permit connections from the attacker's system or network.

1.2 Types of security problems

The following sections describe the problems that exist on the Internet and the reasons behind their existence.

- 1.2.1 Weak Authentication: Passwords on the Internet can be cracked in a number of different ways. Another problem with authentication is that some TCP or UDP services can authenticate only to the granularity of host addresses and not to specific users. The administrator of an NFS (UDP) server is thus forced to grant access to all users or to grant no access at all [10].
- 1.2.2 Ease of Spying/Monitoring: During a connection to a remote host using TELNET or FTP, the user's password travels across the Internet unencrypted, in plain text. Thus, it is possible to monitor connections for IP packets bearing a username and password, and then use them to log in to the system normally [10].
- 1.2.3 Ease of Spoofing: It is relatively easy for a system wizard to "spoof" machine addresses, i.e., pretend that one machine is a different one. Consider the case where an intruder simply waits until the client system is turned off and then impersonates the client's system. Electronic mail on the Internet is particularly easy to spoof and cannot be trusted without enhancements such as digital signatures [7].
- 1.2.4 Flawed LAN Services and Mutually Trusting Hosts: Network services like NFS allow password files to be managed in a distributed manner and allow systems to share files and data. These services are inherently insecure and can be exploited by knowledgeable invaders to gain access.
This can result in a domino effect if a central server system is compromised: other systems that trust the central system will be compromised in turn.
- 1.2.5 Complex Configuration and Controls: Host system access controls are often complex to configure and test for correctness. Therefore, controls are often incorrectly configured. This can result in intruders gaining access.

2. Introduction to Firewalls

A firewall is a security system that implements a network access policy by forcing connections to pass through it, where they can be examined and evaluated. The actual means by which this is accomplished varies widely, but in principle the firewall can be thought of as a pair of mechanisms: one that exists to block traffic, and the other that exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

3. Why do we need Firewalls?

The general reasoning behind firewall usage is that the Internet is fundamentally flawed with respect to security. Without a firewall, the system will be exposed to inherently vulnerable services. The firewall reduces risks to hosts on the subnet by filtering inherently insecure services such as NFS, preventing them from entering or leaving a protected subnet. A firewall increases overall host security. A firewall is very important, since it is the embodiment of the corporate policy. It also plays an important role as a security blanket for management. It provides controlled access to sites by not providing access to hosts or services that do not require access. It can localize security by installing security software on the firewall systems rather than distributing it across many hosts. Firewalls can enhance privacy by blocking services such as finger, since finger could leak information to attackers. Last but not least, a firewall can provide logging and statistics on network use/misuse and can be used to pinpoint bottlenecks.

4. Firewall Disadvantages

In general, security is a trade-off with convenience. Firewalls, like many other security systems, are not perfect. The trade-off they usually represent is between ease of use and security. The biggest disadvantage of a firewall is that it might block certain services that are desirable. A policy based on access denial can sometimes be too restrictive (see NetRanger). In addition, some sites may have requirements or usage patterns that are not conducive to a firewall. Secondly, firewalls do not protect against back doors into the site. For example, attackers could go around the firewall if unrestricted modem access is still permitted into a site protected by a firewall [6]. Firewalls generally do not provide protection from insider threats. Firewalls can be a potential bottleneck, since all connections must be filtered through the firewall and, in some cases, examined by the firewall (see performance). Firewalls do not protect against users downloading or transferring virus-infected files, since these files can be encoded or compressed in many different ways. In general, a firewall cannot protect against a data-driven attack in which something is mailed or copied to an internal host where it is then executed. Products like McAfee WebShield check files coming in across the Internet for viruses. WebShield takes the IP packets, reassembles them into files, scans the files, provides the necessary alerts, and then passes the packets on to the internal network. The anti-virus software does not run on the firewall itself, since the firewall should get information in and out as fast as possible, and you don't want to bog it down with intensive virus scanning [16]. Finally, a firewall system is a central security point. It puts all the eggs in one basket rather than dispersing them. A compromised firewall can be disastrous to other, less-protected systems on the subnet.
On the other hand, a firewall can be viewed as a trustworthy basket and a single point from which security systems can be controlled. Therefore, from a network management viewpoint, it can be a leverage-increasing tool.

5.0 Firewall Policy

Firewalls generally either permit any service unless it is expressly denied, or deny any service unless it is expressly permitted. A firewall that implements the first policy allows all services to pass into the site, with the exception of those services that the service access policy has prohibited. A firewall that implements the second policy denies all services by default, except the services that have been specified by the access control policy. The first policy is less desirable, since it leaves more back doors. Some services like RPC and FTP cannot be filtered easily [2], [3], and are better served by the first policy. The second policy is stronger and safer, but it is more difficult to implement and may be too restrictive for users.

6.0 Different types of filtering

6.1 Screening Router (Packet Filtering)

A screening router is a basic component of most firewalls. A screening router can be a commercial router or a host-based router running an operating system that supports packet filtering. A packet filtering router usually can filter IP packets based on source or destination IP address and TCP source or destination port. Some firewalls consist of nothing more than a screening router between a private network and the Internet. Screening routers operate only at the network level, and make all their permit/deny decisions based on the contents of the TCP/IP packet header. They are very fast and inexpensive.

Figure 1: Representation of Packet Filtering on TELNET and SMTP [10].

6.1.1 Problems with Packet Filtering Routers

Packet filtering routers suffer from a number of weaknesses, as described in [2]. The drawbacks of screening routers are:
- There is very minimal logging information.
- Essentially no audit trails other than traffic statistics.
- Hard to specify and get screening rules right.
- Usually no testing facility exists for verifying the correctness of the rules.
- Services can be "tunneled" on top of other services to bypass the firewall.
- A number of RPC services are very difficult to filter effectively because the associated servers listen at ports that are assigned randomly at system startup.
- Most security policies require finer control than this: they need to define access to specific services for hosts that are otherwise insecure. For example, one might want to allow any host to connect to machine A, but only to send or receive mail. Other services may or may not be permitted. Packet filtering allows some control at this level, but it is a dangerous and error-prone process.

For these reasons they are usually avoided as a sole defense.

6.2 Application-Level Gateways

An application-level gateway represents the opposite extreme in firewall design. In general, the term "application level gateway" describes some kind of forwarding service that runs across a firewall, and is a potential security concern. Crucial application level gateways are generally run on some kind of bastion host. Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code can be used for each desired application. Such an application is referred to as a proxy service, while the host running the proxy service is referred to as an application gateway. Application gateways and screening routers can be combined to provide higher levels of security and flexibility than if either were used alone. It is easy to log and control all incoming and outgoing traffic. For example, outbound FTP traffic can be restricted to authorized individuals. The intent is to prevent theft of valuable company programs and data. This way, proxy services allow through only those services for which there is a proxy.
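As an added illustration of the two policies in section 5.0 and of the header-only decisions a screening router makes (section 6.1 and 6.1.1 above), the following Python model evaluates the same constructed inbound packets under a default-permit and a default-deny rule set. It is example code written for this article, not code from the paper or from any product it mentions; the addresses, the "machine A" mail host, the bastion and the rules are all assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses are constructed for this example (RFC 5737 documentation ranges).
MAIL_HOST = "192.0.2.10"       # "machine A": anyone may send it mail
BASTION = "192.0.2.1"          # the only inside host that may accept TELNET
INTERNET_HOST = "203.0.113.5"  # an arbitrary outside system


@dataclass(frozen=True)
class Packet:
    """Only the header fields a screening router looks at; no payload."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class ScreeningRouter:
    """First matching rule wins; the default policy applies otherwise."""
    def __init__(self, default: str, rules: List[Rule]):
        self.default = default
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Policy 1: permit unless expressly denied.  Only known-bad services are
# listed, so anything the administrator forgot (TELNET straight to an
# ordinary inside host, for instance) is let through: the "back door".
PERMISSIVE = ScreeningRouter("permit", [
    Rule("deny", proto="udp", dport=2049),  # NFS
    Rule("deny", proto="tcp", dport=79),    # finger
])

# Policy 2: deny unless expressly permitted.  Shown for the inbound direction
# only; a stateless filter also needs rules admitting the reply packets, which
# is where hand-written rule sets most often go wrong.
RESTRICTIVE = ScreeningRouter("deny", [
    Rule("permit", dst=MAIL_HOST, proto="tcp", dport=25),  # SMTP to machine A
    Rule("permit", dst=BASTION, proto="tcp", dport=23),    # TELNET to bastion
])

# Constructed inbound packets from the outside host.
SAMPLE_PACKETS = [
    Packet(INTERNET_HOST, MAIL_HOST, "tcp", 25),       # mail to machine A
    Packet(INTERNET_HOST, "192.0.2.20", "tcp", 23),    # TELNET to inside host
    Packet(INTERNET_HOST, "192.0.2.20", "udp", 2049),  # NFS mount attempt
    Packet(INTERNET_HOST, BASTION, "tcp", 23),         # TELNET to the bastion
    Packet(INTERNET_HOST, "192.0.2.20", "tcp", 79),    # finger
]


def decisions(router: ScreeningRouter, packets: List[Packet]) -> List[str]:
    return [router.decide(p) for p in packets]


if __name__ == "__main__":
    for name, router in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(name, decisions(router, SAMPLE_PACKETS))
```

The second packet is the one that separates the two policies: the permissive router lets TELNET reach an ordinary inside host because nobody wrote a rule against it, while the restrictive router drops it because nobody wrote a rule for it.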
Application gateways can hide information: the names of internal systems need not be made known via DNS to outside systems, so the application gateway may be the only host whose name must be made known to outside systems. They can also provide pre-authentication and better logging: application traffic can be pre-authenticated before it reaches internal hosts, and it can be logged more effectively than with standard host logging.

Figure 2: A typical application level gateway [9]

6.2.1 Problems with application gateways

They are usually of limited utility against insiders, who could easily dump the desired files to tapes or floppies. That is, they are only a security measure against electronic intruders who lack physical access. More steps might be required to connect inbound or outbound for services like TELNET.

6.3 Circuit-Level Gateways

A circuit-level gateway relays TCP connections but does no extra processing or filtering of the protocol. The caller connects to a TCP port on the gateway, which connects to some destination on the other side of the gateway. During the call the gateway's relay program(s) copy the bytes back and forth: the gateway acts as a wire. Application and circuit gateways are well suited for some UDP applications. The client programs must be modified to create a virtual circuit to some sort of proxy process; the existence of the circuit provides sufficient context to allow secure passage through the filters. One of the big problems with circuit relays is the need to provide new client programs. However, the code changes are generally not large. Various strategies are available for making the necessary changes. They usually consist of a set of almost-compatible replacements for various system calls, which would permit existing applications to run unchanged. But such libraries are not portable, and it may not be possible to include some of the security features mentioned earlier.
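The "gateway acts as a wire" behaviour of section 6.3 can be shown with a small relay (an added example, not code from the paper or from any product it describes): the gateway accepts the caller, makes one host-level policy decision for the whole circuit, connects onward to a fixed destination and copies bytes in both directions without parsing the application protocol. The loopback addresses, the fixed destination and the echo service standing in for the internal host are assumptions of the example.

```python
import socket
import threading
from typing import Set, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes: the gateway is a wire."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # forward the end-of-stream
        except OSError:
            pass


class CircuitGateway:
    """Accepts a TCP connection, checks the caller against a host-level
    policy, opens a second connection to the fixed destination and relays
    bytes both ways.  No application protocol is parsed."""

    def __init__(self, dest: Tuple[str, int], allowed_clients: Set[str]):
        self.dest = dest
        self.allowed = allowed_clients
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            client, (addr, _) = self.listener.accept()
            if addr not in self.allowed:  # the one decision made per circuit
                client.close()
                continue
            upstream = socket.create_connection(self.dest, timeout=5)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_echo_server() -> int:
    """Stand-in for the internal service behind the gateway; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(payload: bytes, permit_caller: bool = True) -> bytes:
    """Send payload through the gateway; return the echo, or b"" if refused."""
    allowed = {"127.0.0.1"} if permit_caller else set()
    gw = CircuitGateway(("127.0.0.1", start_echo_server()), allowed)
    try:
        with socket.create_connection(("127.0.0.1", gw.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            out = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    return out
                out += chunk
    except OSError:
        return b""
```

Calling relay_roundtrip(b"...") returns the bytes unchanged, and relay_roundtrip(b"...", permit_caller=False) returns nothing, because the policy is applied once when the circuit is opened and never to the bytes themselves.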
7.0 Example of possible firewall setups

7.1 Dual Homed Gateway

Some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet and disabling TCP/IP forwarding. A dual homed gateway is reachable from both the Internet and the private network, but traffic cannot flow across it directly. This makes the system a bastion host.

Figure 3: A typical Dual Homed Gateway [8]

7.2 Screened Host Gateway

Screened host gateways are the most common form of firewall, and possibly the most flexible one. This is implemented using a screening router and a bastion host. The screening router blocks traffic between the Internet and all hosts on the private network except for a single bastion host. The screening router can be configured to permit nodes on the private network to directly access the Internet via TELNET or FTP. At times, the gateway might also have to act as a DNS server for the outside world. The gateway would handle DNS inquiries for the LANs behind it, but it would only identify a few hosts; the rest would be hidden. The gateway's Mail Exchange record, which would normally indicate the host names and IP addresses of e-mail servers on the inside LANs, would instead point to the gateway itself.

Figure 4: A typical Screened Host Gateway [8]

7.3 Screened Subnet

In some firewall configurations, a network is installed between the Internet and the private network. Both private network nodes and the Internet can only communicate with nodes on the screened subnet; no direct communication between them is permitted. This lets the private network be effectively "invisible" to the Internet.

Figure 5: A typical Screened subnet [8]

8.0 Firewall Design Related Issues

8.1 Remote User Advanced Authentication Policy

Remote users are those who originate connections to site systems from elsewhere on the Internet. Connections due to remote users originate from any location on the Internet, from dial-in lines, or from authorized users.
It is absolutely necessary that all these connections use the advanced authentication service of the firewall to access systems at the site. The disadvantages of this, of course, are: 1) increased overhead in administering the remote access policy and 2) increased user training for using these advanced authentication procedures. Non-controlled remote access defeats the whole purpose of a firewall.

8.3 Dial-in/out Policy and Remote Network Connections

A useful feature is to have remote access to the systems when users are not on site. These capabilities should be considered in the design of the firewall and incorporated into it. Forcing outside users to go through the advanced authentication of the firewall should be strongly reflected in policy. In addition to dial-in/dial-out connections, the use of Serial Line IP (SLIP) and Point-to-Point Protocol (PPP) connections needs to be considered as part of the policy. Such a connection is potentially a backdoor around the firewall, and may be an even larger backdoor than a simple dial-in connection.

8.5 Information Server Policy

A site that is providing public access to servers like an FTP server must incorporate this access pattern into the firewall design policy. The information server should not compromise the security of the protected site. Otherwise, providing these types of services should be questioned.

9.0 Purchasing a Firewall

Once the decision is made to acquire a firewall, one must select a firewall that provides the appropriate level of protection and is cost-effective. One important point to remember is that the Internet is a constantly changing network [10]. New security holes can arise, and new services and enhancements to other services may represent potential difficulties for any firewall installation. Therefore, flexibility to adapt to changing needs is an important consideration. This means you'll want to ensure the firewall vendor offers regular software updates that combat such new threats [11].
Firewalls in many cases are complex software products, so you probably want the vendor to install and configure the firewall initially. Most vendors maintain that security breaches occur mostly because of poor configuration. Asking the vendor to come on site and handle the configuration chores reduces the likelihood of a bad configuration. Many vendors offer maintenance services along with firewall installation; this is of great importance, since hacker innovations are discovered regularly, so you'll want to ensure the firewall vendor offers regular software updates that combat such new threats. If a monthly or quarterly software update service is available and affordable, consider it.

9.1 What to look for when shopping for a firewall

In general, you want your firewall to exhibit the following features:
1. The firewall should be able to support both types of design policy, denial and permissive.
2. The firewall should support your security policy, not impose one.
3. The firewall should be able to effectively accommodate any services and needs of the organization throughout the future. Flexibility is imperative.
4. The firewall should allow filtering to deny a specific service to a host.
5. For services such as FTP and TELNET, a proxy server should be used so that sophisticated authentication can be performed at a central location.
6. SMTP access should be centralized.
7. Public access should be carefully accommodated, but segregation from site systems should also be possible.
8. The firewall design should take dial-in access into consideration.
9. The firewall design should have mechanisms for meaningful logging.
10. Ideally, the firewall should be able to notify the network manager by pager or e-mail and allow remote disabling of the firewall's external interface (a useful feature when a break-in attempt is under way) [4], [5].
11. Ask the vendor how long they've been in the business, the size of their installed base, and whether they have had independent experts review their design and implementation.

10.0 Firewalls Performance

An exhaustive evaluation of 20 firewall products [13,14] raises concerns about just how safe things really are. This study also indicated that firewalls aren't yet at the commodity stage where one product is as good as another. Most crucial of all: security is not as great as one expected. Many vulnerabilities and breaches result from misconfiguration. Management capabilities vary greatly. For performance-conscious managers, some firewalls couldn't handle the heavy loads of these performance tests. High throughput might be more important on intranets, where data rates of close to 10 Mbit/s are more common. This is not to discourage anyone from procuring a firewall. The firewall is an incredibly valuable resource, one which will be needed for years to come. Finally, this study showed that there were several products that did an outstanding job covering all the bases.

11.0 Firewalls Alternatives

Firewall products are usually based on denial of some services and are usually too restrictive. However, WheelGroup's NetRanger Network Security Management System is one of the first permissive alternatives to a firewall. Unlike traditional firewalls, NetRanger secures an organization from both external and internal threats. NetRanger examines the content and context of network traffic for security policy violations, and reports such violations to a central monitoring site without disrupting authorized services or users.

11.1 NetRanger

NetRanger conducts bi-directional packet analysis, and makes instant decisions whether to allow or deny user network access based on the client's specific security policy. NetRanger examines the content and context of packets for misuse and reports security violations without disrupting authorized services [12].
WheelGroup claims that NetRanger detects an expanding number of attacks, including sendmail, IP spoofing, SYN and SATAN attacks, among others. New attack profiles can be added remotely to NetRanger sensors to ensure a strong defense is maintained against attackers. However, from WheelGroup's literature, it is not clear how flexible and user-friendly this profile language is to program. Once a security policy violation is detected, NetRanger blocks the specific connection. The NetRanger system is comprised of two basic components: one or more NetRanger Sensors, placed at critical points on the network (such as connections to the Internet) to monitor inbound and outbound traffic; and a NetRanger Director, a graphical security management system, located in your network operations center. The intrusion detection engine uses an attack signature database to recognize the attacks mentioned above. Upon intrusion detection, the NetRanger sensor sends a real-time alarm over an encrypted link to the Network Operations Center where the NetRanger Director resides. The NetRanger Director can manage over 100 NetRanger sensors. Details of the specific violation are included in each alarm and also logged to the Director's database. The Director also controls the configuration of each specific NetRanger sensor in its domain via an encrypted sleeve.

This solution does have some drawbacks. First, there is the issue of relying on only one vendor. This might not be acceptable to some enterprises. Second, this approach seems to be more complicated than traditional firewalls, and hence violates Gray's KISS-1. Finally, this approach yields more points of failure, while simpler approaches like a firewall are less complicated and have fewer points of failure [15].

Figure 6: A typical NetRanger site [12]

12. Conclusion

After reading numerous pieces of literature, I could not draw any decisive conclusions. The only conclusion is that there is no conclusion.
In dealing with firewalls, one cannot declare that any particular approach is best, since there are many factors, like cost, corporate policy, existing network technology, etc., that affect the decision process. However, some comments can be made about firewalls. Firstly, there is no easy way to know if a firewall is secure, since there are no formal tests that can be easily applied. This is to some degree attributable to firewalls' flexibility requirements. A second reason is that, unlike PC hardware, which is a commodity market, the firewall market has not yet settled down enough for consistent and competitive pricing to evolve. Secondly, when setting up a firewall, the user resentment factor must be taken into account in design decisions or purchase. Proxy firewalls provide better auditing and finer access control than screening router firewalls. It was found in [13,14] that some firewalls couldn't handle heavy loads. This should be of greater concern with proxy firewalls, since they might not have sufficient capacity to support network connections faster than Ethernet speed. Therefore, if you are planning on using ATM networks or T3 lines, you may want to weigh your options very carefully and use a screening router type firewall or NetRanger.

References

[1] Steven M. Bellovin. "Security Problems in the TCP/IP Protocol Suite." Computer Communications Review, 9(2):32-48, April 1989.
[2] D. Brent Chapman. "Network (In)Security Through IP Packet Filtering." In USENIX Security Symposium III Proceedings, pages 63-76. USENIX Association, September 14-16, 1992.
[3] William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security. Addison-Wesley, Reading, MA, 1994.
[4] David Curry. UNIX System Security: A Guide for Users and System Administrators. Addison-Wesley, Reading, MA, 1992.
[5] Simson Garfinkel and Gene Spafford. Practical UNIX Security. O'Reilly and Associates, Inc., Sebastopol, CA, 1992.
[6] Katie Hafner and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon and Schuster, New York, 1991.
[7] NIST. Guideline for the Use of Advanced Authentication Technology Alternatives. Federal Information Processing Standard 190, National Institute of Standards and Technology, September 1994.
[8] Marcus J. Ranum. "Internet Firewalls: An Overview." Trusted Information Systems, 1993.
[9] Marcus J. Ranum. "A Toolkit and Methods for Internet Firewalls." Trusted Information Systems, 1994.
[10] John P. Wack and Lisa J. Carnahan. "Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls." National Institute of Standards and Technology, http://csrc.ncsl.nist.gov/nistpubs/800-10/
[11] Edwin Meir. "Buyer's Guide: The Softer Side of Firewall Selection." Network World, 29 April 1996.
[12] WheelGroup Co. online brochure, http://www.wheelgroup.com/netrangr/fnetrang.html, 1997.
[13] David Newman, Helen Holzbaur, and Kathleen Bishop. "Firewalls: Don't Get Burned." Data Communications, March 21, 1997.
[14] David Newman and Brent Melson. "Can Firewalls Take the Heat?" Data Communications, November 21, 1995.
[15] Bill Cheswick. "The Design of a Secure Internet Gateway." USENIX proceedings. Available for FTP from research.att.com: /dist/secure_internet_gateway.ps
[16] McAfee press release, http://www.mcafee.com/corp/press/051496.html, May 14, 1996.