Firewalls Equal Security
What is a network firewall?
A firewall is a system or group of systems that enforces an access control
policy between two networks. The actual means by which this is accomplished
varies widely, but in principle, the firewall can be thought of as a pair
of mechanisms: one which exists to block traffic, and the other which
exists to permit traffic. Some firewalls place a greater emphasis on blocking
traffic, while others emphasize permitting traffic. Probably the most
important thing to recognize about a firewall is that it implements an
access control policy. If you don't have a good idea of what kind of access
you want to allow or to deny, a firewall really won't help you. It's also
important to recognize that the firewall's configuration, because it is
a mechanism for enforcing policy, imposes its policy on everything behind
it. Administrators for firewalls managing the connectivity for a large
number of hosts therefore have a heavy responsibility.
Why would I want a firewall?
The Internet, like any other society, is plagued with the types of people
who enjoy the electronic equivalent of writing on other people's walls
with spraypaint, tearing their mailboxes off, or just sitting in the street
blowing their car horns. Some people try to get real work done over the
Internet, and others have sensitive or proprietary data they must protect.
Usually, a firewall's purpose is to keep these juveniles out of your network
while still letting you get your job done.
Many traditional-style corporations and data centers have computing security
policies and practices that must be adhered to. In a case where a company's
policies dictate how data must be protected, a firewall is very important,
since it is the embodiment of the corporate policy. Frequently, the hardest
part of hooking to the Internet, if you're a large company, is not justifying
the expense or effort, but convincing management that it's safe to do
so. A firewall provides not only real security--it often plays an important
role as a security blanket for management.
Lastly, a firewall can act as your corporate ``ambassador'' to the Internet.
Many corporations use their firewall systems as a place to store public
information about corporate products and services, files to download,
bug-fixes, and so forth. Several of these systems have become important
parts of the Internet service structure (e.g.: UUnet.uu.net, whitehouse.gov,
gatekeeper.dec.com) and have reflected well on their organizational sponsors.

What can a firewall protect against?
Some firewalls permit only email traffic through them, thereby protecting
the network against any attacks other than attacks against the email service.
Other firewalls provide less strict protections, and block services that
are known to be problems.
Generally, firewalls are configured to protect against unauthenticated
interactive logins from the ``outside'' world. This, more than anything,
helps prevent vandals from logging into machines on your network. More
elaborate firewalls block traffic from the outside to the inside, but
permit users on the inside to communicate freely with the outside. The
firewall can protect you against any type of network-borne attack if you
plug it in.
Firewalls are also important since they can provide a single ``choke point''
where security and audit can be imposed. Unlike in a situation where a
computer system is being attacked by someone dialing in with a modem,
the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls
provide an important logging and auditing function; often they provide
summaries to the administrator about what kinds and amounts of traffic
passed through them, how many attempts there were to break into them, etc.
This is an important point: providing this ``choke point'' can serve the
same purpose on your network as a guarded gate can for your site's physical
premises. That means anytime you have a change in ``zones'' or levels
of sensitivity, such a checkpoint is appropriate. A company rarely has
only an outside gate and no receptionist or security staff to check badges
on the way in. If there are layers of security on your site, it's reasonable
to expect layers of security on your network.

What are some of the basic design decisions in a firewall?
There are a number of basic design issues that should be addressed by
the lucky person who has been tasked with the responsibility of designing,
specifying, and implementing or overseeing the installation of a firewall.
The first and most important decision reflects the policy of how your
company or organization wants to operate the system: is the firewall in
place explicitly to deny all services except those critical to the mission
of connecting to the Net, or is the firewall in place to provide a metered
and audited method of ``queuing'' access in a non-threatening manner?
There are degrees of paranoia between these positions; the final stance
of your firewall might be more the result of a political than an engineering
decision.
The second is: what level of monitoring, redundancy, and control do you
want? Having established the acceptable risk level (e.g., how paranoid
you are) by resolving the first issue, you can form a checklist of what
should be monitored, permitted, and denied. In other words, you start
by figuring out your overall objectives, and then combine a needs analysis
with a risk assessment, and sort the almost always conflicting requirements
out into a laundry list that specifies what you plan to implement.
The third issue is financial. We can't address this one here in anything
but vague terms, but it's important to try to quantify any proposed solutions
in terms of how much it will cost either to buy or to implement. For example,
a complete firewall product may cost between 0,000 at the high end, and
free at the low end. The free option, of doing some fancy configuring
on a Cisco or similar router, will cost nothing but staff time and a few
cups of coffee. Implementing a high end firewall from scratch might cost
several man-months, which may equate to ,000 worth of staff salary and
benefits. The systems management overhead is also a consideration. Building
a home-brew is fine, but it's important to build it so that it doesn't
require constant (and expensive) attention. It's important, in other words,
to evaluate firewalls not only in terms of what they cost now, but continuing
costs such as support.
On the technical side, there are a couple of decisions to make, based
on the fact that for all practical purposes what we are talking about
is a static traffic routing service placed between the network service
provider's router and your internal network. The traffic routing service
may be implemented at an IP level via something like screening rules in
a router, or at an application level via proxy gateways and services.
The decision to make is whether to place an exposed stripped-down machine
on the outside network to run proxy services for telnet, FTP, news, etc.,
or whether to set up a screening router as a filter, permitting communication
with one or more internal machines. There are pluses and minuses to both
approaches, with the proxy machine providing a greater level of audit
and potentially security in return for increased cost in configuration
and a decrease in the level of service that may be provided (since a proxy
needs to be developed for each desired service). The old trade-off between
ease-of-use and security comes back to haunt us with a vengeance.

What is a DMZ, and why do I want one?
``DMZ'' is an abbreviation for ``demilitarized zone''. In the context
of firewalls, this refers to a part of the network that is neither part
of the internal network nor directly part of the Internet. Typically,
this is the area between your Internet access router and your bastion
host, though it can be between any two policy-enforcing components of
your architecture.
A DMZ can be created by putting access control lists on your access router.
This minimizes the exposure of hosts on your external LAN by allowing
only recognized and managed services on those hosts to be accessible by
hosts on the Internet. Many commercial firewalls simply make a third interface
off of the bastion host and label it the DMZ. The point is that the network
is neither ``inside'' nor ``outside''.
For example, a web server running on NT might be vulnerable to a number
of denial-of-service attacks against such services as RPC, NetBIOS and
SMB. These services are not required for the operation of a web server,
so blocking TCP connections to ports 135, 137, 138, and 139 on that host
will reduce the exposure to a denial-of-service attack. In fact, if you
block everything but HTTP traffic to that host, an attacker will only
have one service to attack.
This illustrates an important principle: never offer attackers more to
work with than is absolutely necessary to support the services you want
to offer the public.
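As an added illustration that is not part of the original FAQ, the following Python sketch evaluates the two stances described above against a first-match access list with an implicit deny at the end, the way a screening router would; the web server address 192.0.2.10 and the probe list are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed address for the example: the DMZ web server on a TEST-NET address.
WEB_SERVER = "192.0.2.10"

@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    dst_host: Optional[str]              # None matches any destination host
    dst_ports: Optional[FrozenSet[int]]  # None matches any destination port

    def matches(self, proto: str, dst_host: str, dst_port: int) -> bool:
        return (self.proto in ("any", proto)
                and (self.dst_host is None or self.dst_host == dst_host)
                and (self.dst_ports is None or dst_port in self.dst_ports))

def decide(rules, proto: str, dst_host: str, dst_port: int) -> str:
    """First matching rule wins, as in a router access list; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(proto, dst_host, dst_port):
            return rule.action
    return "deny"

# Weak stance: block only the known-problem ports, let everything else reach the host.
WEAK_RULES = [
    Rule("deny", "tcp", WEB_SERVER, frozenset({135, 137, 138, 139})),
    Rule("permit", "any", None, None),
]

# Stance the FAQ recommends: nothing but HTTP reaches the web server.
HARDENED_RULES = [
    Rule("permit", "tcp", WEB_SERVER, frozenset({80})),
    Rule("deny", "any", WEB_SERVER, None),
]

# Constructed probe list: (protocol, port) pairs an outside client might try.
PROBES = [("tcp", 80), ("tcp", 23), ("tcp", 135), ("tcp", 139), ("udp", 53), ("udp", 137)]

def exposed_services(rules, host: str, probes=PROBES) -> list:
    """Return the sorted (proto, port) pairs that the rule set lets through to `host`."""
    return sorted(p for p in probes if decide(rules, p[0], host, p[1]) == "permit")
```

Under the weak stance the host still answers on telnet, DNS and UDP NetBIOS; under the hardened stance only TCP port 80 survives.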
Different Attacks

What is source routed traffic and why is it a threat?
Normally, the route a packet takes from its source to its destination
is determined by the routers between the source and destination. The packet
itself only says where it wants to go (the destination address), and nothing
about how it expects to get there.
Implementing an attack based on source routing is quite easy, so firewall
builders should not discount it as unlikely to happen.
In practice, source routing is very little used. In fact, generally the
main legitimate use is in debugging network problems or routing traffic
over specific links for congestion control for specialized situations.
When building a firewall, source routing should be blocked at some point.
Most commercial routers incorporate the ability to block source routing
specifically, and many versions of Unix that might be used to build firewall
bastion hosts have the ability to disable or ignore source routed traffic.

What are ICMP redirects and redirect bombs?
An ICMP Redirect tells the recipient system to override something in
its routing table. It is legitimately used by routers to tell hosts that
the host is using a non-optimal or defunct route to a particular destination,
i.e., the host is sending it to the wrong router. The wrong router sends
the host back an ICMP Redirect packet that tells the host what the correct
route should be. If you can forge ICMP Redirect packets, and if your target
host pays attention to them, you can alter the routing tables on the host
and possibly subvert the security of the host by causing traffic to flow
via a path the network manager didn't intend. ICMP Redirects also may
be employed for denial of service attacks, where a host is sent a route
that loses its connectivity, or is sent an ICMP Network Unreachable packet
telling it that it can no longer access a particular network.
Many firewall builders screen ICMP traffic from their network, since it
limits the ability of outsiders to ping hosts, or modify their routing
tables.
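The two screening checks called for in this section and in the source-routing section above, as an added example that is not from the original FAQ: a Python function that parses the IPv4 header, drops packets carrying a loose (option code 131) or strict (option code 137) source route option, and drops ICMP Redirect messages (ICMP type 5). It screens only redirects rather than all ICMP, and the packet builder, the 192.0.2.x addresses and the sample packets are constructed for the example.

```python
import struct

IP_OPT_LSRR = 131   # loose source and record route option code
IP_OPT_SSRR = 137   # strict source and record route option code
ICMP_REDIRECT = 5   # ICMP message type 5 is Redirect

def ipv4_options(packet: bytes) -> list:
    """Return the option type codes carried in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, 20..60
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        code = opts[i]
        if code == 0:                     # end-of-options marker
            break
        found.append(code)
        if code == 1:                     # no-op is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed option length")
        i += opts[i + 1]                  # skip to the next option
    return found

def screening_verdict(packet: bytes) -> str:
    """Return 'drop:source-route', 'drop:icmp-redirect' or 'pass'."""
    opts = ipv4_options(packet)
    if IP_OPT_LSRR in opts or IP_OPT_SSRR in opts:
        return "drop:source-route"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == 1 and len(packet) > ihl and packet[ihl] == ICMP_REDIRECT:
        return "drop:icmp-redirect"      # protocol 1 is ICMP; first payload byte is the type
    return "pass"

def build_ipv4(payload: bytes, proto: int, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet for testing (checksum left at zero; constructed input)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    return header + options + payload

# Constructed samples: an LSRR option naming one hop, an ICMP Redirect (type 5, code 1), plain TCP.
LSRR_PACKET = build_ipv4(b"", 6, bytes([IP_OPT_LSRR, 7, 4, 192, 0, 2, 99]))
REDIRECT_PACKET = build_ipv4(bytes([ICMP_REDIRECT, 1, 0, 0]) + bytes(4) + bytes(28), 1)
PLAIN_TCP_PACKET = build_ipv4(b"", 6)
```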

What is denial of service?
Denial of service is when someone decides to make your network or firewall
useless by disrupting it, crashing it, jamming it, or flooding it. The
problem with denial of service on the Internet is that it is impossible
to prevent. The reason has to do with the distributed nature of the network:
every network node is connected via other networks which in turn connect
to other networks, etc. A firewall administrator or ISP only has control
of a few of the local elements within reach. An attacker can always disrupt
a connection ``upstream'' from where the victim controls it. In other
words, if someone wanted to take a network off the air, they could do
it either by taking the network off the air, or by taking the networks
it connects to off the air, ad infinitum. There are many, many, ways someone
can deny service, ranging from the complex to the brute-force. If you
are considering using the Internet for a service which is absolutely time
or mission critical, you should consider your fall-back position in the
event that the network is down or damaged.
TCP/IP's UDP echo service is trivially abused to get two servers to flood
a network segment with echo packets. You should consider commenting out
unused entries in /etc/inetd.conf on Unix hosts, adding ``no ip small-servers''
to Cisco routers, or the equivalent for your components.
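An added example, not from the original FAQ: a Python audit of an inetd.conf fragment that reports which of the classic ``small servers'' (echo, chargen, discard, daytime, time) are still enabled, and produces a copy with those lines commented out as the paragraph above suggests; the configuration fragment is constructed for the example.

```python
# Services the FAQ's advice targets: internal inetd "small servers" that
# can be pointed at each other to flood a segment with packets.
SMALL_SERVICES = {"echo", "chargen", "discard", "daytime", "time"}

# Constructed sample inetd.conf fragment (not taken from any real host).
SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user  server            args
ftp        stream  tcp    nowait  root  /usr/sbin/ftpd    ftpd -l
telnet     stream  tcp    nowait  root  /usr/sbin/telnetd telnetd
echo       stream  tcp    nowait  root  internal
echo       dgram   udp    wait    root  internal
#chargen   stream  tcp    nowait  root  internal
chargen    dgram   udp    wait    root  internal
daytime    stream  tcp    nowait  root  internal
"""

def _is_active_small_server(line: str) -> bool:
    """True for an uncommented inetd line whose service is one of the small servers."""
    fields = line.split()
    return bool(fields) and not fields[0].startswith("#") and fields[0] in SMALL_SERVICES

def enabled_small_services(conf: str) -> list:
    """Return (service, protocol) pairs for small servers that are still enabled."""
    found = []
    for line in conf.splitlines():
        if _is_active_small_server(line):
            fields = line.split()
            found.append((fields[0], fields[2] if len(fields) > 2 else "?"))
    return found

def harden_inetd_conf(conf: str) -> str:
    """Comment out every enabled small-server line; other lines are left as they are."""
    return "\n".join("#" + line if _is_active_small_server(line) else line
                     for line in conf.splitlines()) + "\n"
```

The UDP entries are the ones that matter for the echo flood described above; the hardened copy is idempotent, so running it twice changes nothing further.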

Addendum
What is a port?
A ``port'' is a ``virtual slot'' in your TCP and UDP stack that is used
to map a connection between two hosts, and also between the TCP/UDP layer
and the actual applications running on the hosts.
They are numbered 0-65535, with the range 0-1023 being marked as ``reserved''
or ``privileged'', and the rest (1024-65535) as ``dynamic'' or ``unprivileged''.
There are basically two uses for ports:
``Listening'' on a port.
This is used by server applications waiting for users to connect, to get
to some ``well known service'', for instance HTTP (TCP port 80), Telnet
(TCP port 21), DNS (UDP and sometimes TCP port 53).
Opening a ``dynamic'' port.
Both sides of a TCP connection need to be identified by IP addresses and
port numbers. Hence, when you want to ``connect'' to a server process,
your end of the communications channel also needs a ``port''. This is
done by choosing a port above 1024 on your machine that is not currently
in use by another communications channel, and using it as the ``sender''
in the new connection.
Dynamic ports may also be used as ``listening'' ports in some applications,
most notably FTP.
Ports in the range 0-1023 are almost always server ports. Ports in the
range 1024-65535 are usually dynamic ports (i.e., opened dynamically when
you connect to a server port). However, any port may be used as a server
port, and any port may be used as an ``outgoing'' port.

How do I know which application uses what port?
There are several lists outlining the ``reserved'' and ``well known''
ports, as well as ``commonly used'' ports. For those of you still reading
this to find out what a specific port number does, STOP! There are
lists of which ports do what, but...
THERE IS NO WAY OF RELIABLY DETERMINING WHAT PORT DOES WHAT SIMPLY BY
LOOKING IN A LIST.
Suppose you did ``netstat -a'' on your machine and ports 1025 and 1030
showed up as LISTENing. What do they do?
Right, let's take a look in the assigned port numbers list.
blackjack 1025/tcp network blackjack
iad1 1030/tcp BBN IAD
Wait, what's happening? Has my workstation stolen my VISA number and decided
to go play blackjack with some rogue server on the internet? And what's
that software that BBN has installed?
This is NOT where you start panicking and send mail to the firewall administrator.
If you are asking this question, you are most likely using a Windows box.
The ports you are seeing are (most likely) two listening ports that the
RPC subsystem opens when it starts up.
This is an example of where dynamically assigned ports may be used by
server processes. Applications using RPC will later on connect to port
135 (the netbios ``portmapper'') to query where to find some RPC service,
and get an answer back saying that that particular service may be contacted
on port 1025.
Now, how do we know this, since there's no ``list'' describing these ports?
Simple: There's no substitute for experience.