Internet Firewalls &Security

  • 8/9/2019 Internet Firewalls &Security


Internet Firewalls and Security: A Technology Overview

Contents

Internet Firewalls
  Benefits of an Internet Firewall
  Limitations of an Internet Firewall
The Hacker's Toolbox
  Information Gathering
  Probing Systems for Security Weaknesses
  Accessing Protected Systems
Basic Firewall Design Decisions
  Stance of the Firewall
  Security Policy of the Organization
  Cost of the Firewall
  Components of the Firewall System
Building Blocks: Packet-Filtering Routers
  Service-Dependent Filtering
  Service-Independent Filtering
  Benefits of Packet-Filtering Routers
  Limitations of Packet-Filtering Routers
Building Blocks: Application-Level Gateways
  Bastion Host
  Example: Telnet Proxy
  Benefits of Application-Level Gateways
  Limitations of Application-Level Gateways
Building Blocks: Circuit-Level Gateways
Firewall Example #1: Packet-Filtering Router
Firewall Example #2: Screened Host Firewall
Firewall Example #3: Demilitarized Zone or Screened-Subnet Firewall
Summary
References

    Copyright 1996 3Com Corporation. All rights reserved.


    Internet Firewalls and Security

    A Technology Overview

    By Chuck Semeria

Security has become one of the primary concerns when an organization connects its private network to the Internet. Regardless of the business, an increasing number of users on private networks are demanding access to Internet services such as the World Wide Web (WWW), Internet mail, Telnet, and File Transfer Protocol (FTP). In addition, corporations want to offer WWW home pages and FTP servers for public access on the Internet.

Network administrators have increasing concerns about the security of their networks when they expose their organization's private data and networking infrastructure to Internet crackers. To provide the required level of protection, an organization needs a security policy to prevent unauthorized users from accessing resources on the private network and to protect against the unauthorized export of private information. Even if an organization is not connected to the Internet, it may still want to establish an internal security policy to manage user access to portions of the network and protect sensitive or secret information.

Internet Firewalls

An Internet firewall is a system or group of systems that enforces a security policy between an organization's network and the Internet. The firewall determines which inside services may be accessed from the outside, which outsiders are permitted access to the permitted inside services, and which outside services may be accessed by insiders. For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected (Figure 1). The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. Unfortunately, a firewall system cannot offer any protection once an attacker has gotten through or around the firewall.

It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent.

About the Author

Chuck Semeria has worked for 3Com for the past six years. In his position as a marketing engineer in the network systems division, he develops classroom and independent study courses for the education services department in the customer services organization. Prior to joining 3Com, Chuck was the senior course developer and instructor for Adept, a robotics and vision systems company. Before that, he taught mathematics and computer science in California high schools and junior colleges. Chuck is a graduate of the University of California at Davis.

Figure 1. Security Policy Creates a Perimeter Defense (diagram: the Internet connected through an Internet firewall system to Corporate HQ, with remote offices reached over modems, frame relay, and a leased line, all enclosed by the security perimeter defense)

Benefits of an Internet Firewall

Internet firewalls manage access between the Internet and an organization's private network (Figure 2). Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet. This means that the security of the private network would depend on the hardness of each host's security features and would be only as secure as the weakest system.

Internet firewalls allow the network administrator to define a centralized choke point that keeps unauthorized users such as hackers, crackers, vandals, and spies out of the protected network; prohibits potentially vulnerable services from entering or leaving the protected network; and provides protection from various types of routing attacks. An Internet firewall simplifies security management, since network security is consolidated on the firewall systems rather than being distributed to every host in the entire private network.

Firewalls offer a convenient point where Internet security can be monitored and alarms generated. It should be noted that for organizations that have connections to the Internet, the question is not whether but when attacks will occur. Network administrators must audit and log all significant traffic through the firewall. If the network administrator doesn't take the time to respond to each alarm and examine logs on a regular basis, there is no need for the firewall, since the network administrator will never know if the firewall has been successfully attacked!

For the past few years, the Internet has been experiencing an address space crisis that has made registered IP addresses a less plentiful resource. This means that organizations wanting to connect to the Internet may not be able to obtain enough registered IP addresses to meet the demands of their user population. An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).

An Internet firewall is the perfect point to audit or log Internet usage. This permits the network administrator to justify the expense of the Internet connection to management, pinpoint potential bandwidth bottlenecks, and provide a method for departmental charge-backs if this fits the organization's financial model.

An Internet firewall can also offer a central point of contact for information delivery service to customers. The Internet firewall is the ideal location for deploying World Wide Web and FTP servers, best placed on a screened subnet (the arrangement of Firewall Example #3) so that a compromised public server does not sit inside the private network. The firewall can be configured to allow Internet access to these services, while prohibiting external access to other systems on the protected network.

Finally, some might argue that the deployment of an Internet firewall creates a single point of failure. It should be emphasized that if the connection to the Internet fails, the organization's private network will still continue to operate; only Internet access is lost. If there are multiple points of access, each one becomes a potential point of attack that the network administrator must firewall and monitor regularly.

Figure 2. Benefits of an Internet Firewall (diagram: the Internet connected through an Internet firewall system to the private network). The firewall concentrates network security; serves as a centralized access choke point; generates security alarms; monitors and logs Internet usage; is a good location for a Network Address Translator (NAT); and is a good location for WWW and FTP servers.

Limitations of an Internet Firewall

An Internet firewall cannot protect against attacks that do not go through the firewall. For example, if unrestricted dial-out is permitted from inside the protected network, internal users can make a direct SLIP or PPP connection to the Internet. Savvy users who become irritated with the additional authentication required by firewall proxy servers may be tempted to circumvent the security system by purchasing a direct SLIP or PPP connection to an ISP. Since these types of connections bypass the security provided by the most carefully constructed firewall, they create a significant potential for back-door attacks (Figure 3). Users must be made aware that these types of connections are not permitted as part of the organization's overall security architecture.

Internet firewalls cannot protect against the types of threats posed by traitors or unwitting users. Firewalls do not prohibit traitors or corporate spies from copying sensitive data onto floppy disks or PCMCIA cards and removing them from a building. Firewalls do not protect against attacks where a hacker, pretending to be a supervisor or a befuddled new employee, persuades a less sophisticated user into revealing a password or granting them temporary network access. Employees must be educated about the various types of attacks and about the need to guard and periodically change their passwords.

Internet firewalls cannot protect against the transfer of virus-infected software or files. Since there are so many different viruses, operating systems, and ways of encoding and compressing binary files, an Internet firewall cannot be expected to accurately scan each and every file for potential viruses. Concerned organizations should deploy anti-viral software at each desktop to protect against their arrival from floppy disks or any other source.

Finally, Internet firewalls cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack. For example, a data-driven attack could cause a host to modify security-related files, making it easier for an intruder to gain access to the system. As we will see, the deployment of proxy servers on a bastion host is an excellent means of prohibiting direct connections from the outside and reducing the threat of data-driven attacks.

The Hacker's Toolbox

It is difficult to describe a typical hacker attack because intruders have different levels of technical expertise and many different motivations. Some hackers are intrigued by the challenge, others just want to make life more difficult for others, and still others are out to steal sensitive data for profit.

Information Gathering

Generally, the first step in a break-in is some form of information gathering. The goal is to construct a database of the target organization's network and gather information about the hosts residing on each of the networks. There are a number of tools that a hacker can use to collect this information:

- The SNMP protocol can be used to examine the routing table of an unsecured router to learn intimate details about the target organization's network topology.
- The TraceRoute program can reveal intermediate network numbers and routers in the path to a specific host.
- The Whois protocol is an information service that can provide data about all DNS domains and the system administrators responsible for each domain. However, this information is usually out of date.

- DNS servers can be queried for a list of host IP addresses and their corresponding host names.
- The Finger protocol can reveal detailed information about the users (login names, phone numbers, time they last logged in, etc.) of a specified host.
- The Ping program can be employed to locate a particular host and determine its reachability. This simple tool can be used in a short scanning program that pings every possible host address on a network to construct a list of the hosts actually residing on the network.

Figure 3. A Connection Circumventing an Internet Firewall (diagram: the private network behind the Internet firewall system, with a SLIP link from an internal host directly to an Internet service provider, marked as a security hole in the security perimeter defense)

Glossary

Back door: A security hole in a compromised system that allows continued access to the system by an intruder even if the original attack is discovered.

Bastion host: A designated Internet firewall system specifically armored and protected against attacks.

Circuit-level gateway: A specialized function that relays TCP connections without performing any additional packet processing or filtering.

Internet firewall: A system or group of systems that enforces an access control policy between an organization's network and the Internet.

Packet filtering: A feature that allows a router to make a permit/deny decision for each packet based on the packet header information that is made available to the IP forwarding process.

Proxy service: Special-purpose, application-level code installed on an Internet firewall gateway. The proxy service allows the network administrator to permit or deny specific applications or specific features of an application.

Trojan horse: A program that conceals malicious behavior behind a legitimate appearance; in this paper, a replacement system binary that hides a packet sniffer's activity. Such sniffers can collect account names and passwords for Internet services, allowing a hacker to gain unauthorized access to other machines.

Probing Systems for Security Weaknesses

After information about the targeted organization's network is gathered, the hacker attempts to probe each host for security weaknesses. There are a number of tools that a hacker can use to automatically scan the individual hosts residing on a network; for example:

- Since the list of known service vulnerabilities is rather short, a knowledgeable hacker can write a small program that attempts to connect to specific service ports on a targeted host. The output of the program is a list of hosts that support services that are exposed to attack.
- There are several publicly available tools, such as the Internet Security Scanner (ISS) or the Security Administrator Tool for Analyzing Networks (SATAN), that scan an entire domain or subnetwork and look for security holes. These programs determine the weaknesses of each system with respect to several common system vulnerabilities. Intruders use the information collected from these scans to gain unauthorized access to the targeted organization's systems.

A clever network administrator can use these tools within their private network to discover potential security weaknesses and determine which hosts need to be updated with new software patches.

Accessing Protected Systems

The intruder uses the results of the host probes to target a specific system for attack. After gaining access to a protected system, the hacker has many options available:

- The intruder can attempt to destroy evidence of the assault and open new security holes or back doors in the compromised system in order to have continued access even if the original attack is discovered.
- The intruder can install packet sniffers that include Trojan horse binaries that hide the sniffing activity on the installed systems. The packet sniffers collect account names and passwords for Telnet and FTP services that allow the hacker to spread the attack to other machines.
- The intruder can find other hosts that trust the compromised system. This allows the hacker to exploit the vulnerabilities of a single host and spread the attack across the entire organization's network.
- If the hacker can obtain privileged access on a compromised system, he or she can read mail, search private files, steal private files, and destroy or corrupt important data.

Basic Firewall Design Decisions

When designing an Internet firewall, there are a number of decisions that must be addressed by the network administrator:

- The stance of the firewall
- The overall security policy of the organization
- The financial cost of the firewall
- The components or building blocks of the firewall system

Stance of the Firewall

The stance of a firewall system describes the fundamental security philosophy of the organization. An Internet firewall may take one of two diametrically opposed stances:

- Everything not specifically permitted is denied. This stance assumes that a firewall should block all traffic, and that each desired service or application should be implemented on a case-by-case basis. This is the recommended approach. It creates a very secure environment, since only carefully selected services are supported. The disadvantage is that it places security ahead of ease of use, limiting the number of options available to the user community.
- Everything not specifically denied is permitted. This stance assumes that a firewall should forward all traffic, and that each potentially harmful service should be shut off on a case-by-case basis. This approach creates a more flexible environment, with more services available to the user community. The disadvantage is that it puts ease of use ahead of security, putting the network administrator in a reactive mode and making it increasingly difficult to provide security as the size of the protected network grows.

Acronyms

CERT: Computer Emergency Response Team
DNS: Domain Name Service
FAQ: Frequently Asked Question
FTP: File Transfer Protocol
ICMP: Internet Control Message Protocol
ISP: Internet service provider
ISS: Internet Security Scanner
NAT: Network Address Translator
PCMCIA: Personal Computer Memory Card International Association
PPP: Point-to-Point Protocol
RFC: Request for Comment
SATAN: Security Administrator Tool for Analyzing Networks
SLIP: Serial Line Internet Protocol
SMTP: Simple Mail Transfer Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol

Security Policy of the Organization

As discussed earlier, an Internet firewall does not stand alone; it is part of the organization's overall security policy, which defines all aspects of its perimeter defense. To be successful, organizations must know what they are protecting. The security policy must be based on a carefully conducted security analysis, risk assessment, and business needs analysis. If an organization does not have a detailed security policy, the most carefully crafted firewall can be circumvented to expose the entire private network to attack.

Cost of the Firewall

How much security can the organization afford? A simple packet-filtering firewall can have a minimal cost since the organization needs a router to connect to the Internet, and packet filtering is included as part of the standard router feature set. A commercial firewall system provides increased security but may cost from U.S. $4,000 to $30,000, depending on its complexity and the number of systems protected. If an organization has the in-house expertise, a home-brewed firewall can be constructed from public domain software, but there are still costs in terms of the time to develop and deploy the firewall system. Finally, all firewalls require continuing support for administration, general maintenance, software updates, security patches, and incident handling.

Components of the Firewall System

After making decisions about firewall stance, security policy, and budget issues, the organization can determine the specific components of its firewall system. A typical firewall is composed of one or more of the following building blocks:

- Packet-filtering router
- Application-level gateway (or proxy server)
- Circuit-level gateway

The remainder of this paper discusses each of these building blocks and describes how they can work together to build an effective Internet firewall system.

Building Blocks: Packet-Filtering Routers

A packet-filtering router (Figure 4) makes a permit/deny decision for each packet that it receives. The router examines each datagram to determine whether it matches one of its packet-filtering rules. The filtering rules are based on the packet header information that is made available to the IP forwarding process. This information consists of the IP source address, the IP destination address, the encapsulated protocol (TCP, UDP, ICMP, or IP Tunnel), the TCP/UDP source port, the TCP/UDP destination port, the ICMP message type, the incoming interface of the packet, and the outgoing interface of the packet. If a match is found and the rule permits the packet, the packet is forwarded according to the information in the routing table. If a match is found and the rule denies the packet, the packet is discarded. If there is no matching rule, a user-configurable default parameter determines whether the packet is forwarded or discarded.

Figure 4. Packet-Filtering Router (diagram: the Internet connected through a packet-filtering router to the private network; the router forms the security perimeter defense)

Learning More About Internet Attacks

For the latest, up-to-date information concerning attacks on Internet sites, contact the Computer Emergency Response Team (CERT) Coordination Center. CERT periodically publishes warnings and summaries to draw attention to the various types of attacks that have been reported to their incident response staff. These reports also contain information and solutions for defeating each type of attack. New or updated files are available for anonymous FTP from ftp://info.cert.org, and past summaries are available from ftp://info.cert.org/pub/cert_summaries.

For more information concerning the techniques employed by hackers, track the following USENET newsgroups: comp.security.announce, comp.security.misc, comp.security.unix, alt.2600, alt.wired, alt.hackers, and alt.security. Finally, look for various hacker bulletin boards; they're everywhere!

Service-Dependent Filtering

The packet-filtering rules allow a router to permit or deny traffic based on a specific service, since most service listeners reside on well-known TCP/UDP port numbers. For example, a Telnet server listens for remote connections on TCP port 23 and an SMTP server listens for incoming connections on TCP port 25. To block all incoming Telnet connections, the router simply discards all packets that contain a TCP destination port value equal to 23. To restrict incoming Telnet connections to a limited number of internal hosts, the router must deny all packets that contain a TCP destination port value equal to 23 and that do not contain the destination IP address of one of the permitted hosts.

Some typical filtering rules include:

- Permit incoming Telnet sessions only to a specific list of internal hosts
- Permit incoming FTP sessions only to specific internal hosts
- Permit all outbound Telnet sessions
- Permit all outbound FTP sessions
- Deny all incoming traffic from specific external networks

Service-Independent Filtering

There are certain types of attacks that are difficult to identify using basic packet header information because the attacks are service independent. Routers can be configured to protect against these types of attacks, but they are more difficult to specify since the filtering rules require additional information that can be learned only by examining the routing table, inspecting for specific IP options, checking for a special fragment offset, and so on. Examples of these types of attacks include:

Source IP Address Spoofing Attacks. For this type of attack, the intruder transmits packets from the outside that pretend to originate from an internal host: the packets falsely contain the source IP address of an inside system. The attacker hopes that the use of a spoofed source IP address will allow penetration of systems that employ simple source address security, where packets from specific trusted internal hosts are accepted and packets from other hosts are discarded. Source spoofing attacks can be defeated by discarding each packet with an inside source IP address if the packet arrives on one of the router's outside interfaces.

Source Routing Attacks. In a source routing attack, the source station specifies the route that a packet should take as it crosses the Internet. This type of attack is designed to bypass security measures and cause the packet to follow an unexpected path to its destination. A source routing attack can be defeated by simply discarding all packets that contain the source route option.

Tiny Fragment Attacks. For this type of attack, the intruder uses the IP fragmentation feature to create extremely small fragments and force the TCP header information into a separate packet fragment. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1 (RFC 1858 describes this check and also recommends discarding any initial fragment too short to carry the complete TCP header).
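The service-dependent rules listed earlier and the three service-independent checks above, run together as one toy packet-filtering router. This is an added example written for this edit, not code from the 3Com paper or from any router product. It assumes a default-deny stance, an inside network of 192.0.2.0/24, and the hosts, ports and hostile external network used in the rule list, all of them constructed sample values from the RFC 5737 documentation ranges; the Packet and Rule types are this example's own, and the established flag models the reply-traffic matching of router access lists of the period rather than any specific vendor syntax.

```python
# Added example, not from the 3Com paper: a toy packet-filtering router.
# Service-independent checks run first, then an ordered rule list, then the
# default stance. Addresses are constructed samples from RFC 5737 ranges.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed private network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    iface_in: str                 # "outside" or "inside"
    sport: int = 0
    dport: int = 0
    ack: bool = False             # TCP ACK flag: clear only on the first SYN of a session
    frag_offset: int = 0          # IP fragment offset, in 8-byte units
    source_routed: bool = False   # loose/strict source route option present


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface_in: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False     # match only TCP packets with ACK set (reply traffic)

    def matches(self, p: Packet) -> bool:
        return (self.iface_in in ("any", p.iface_in)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))


def service_independent_check(p: Packet) -> Optional[str]:
    """The three header-level attacks from the paper; returns a deny reason or None."""
    if p.iface_in == "outside" and ipaddress.ip_address(p.src) in INSIDE_NET:
        return "deny: spoofed inside source address on outside interface"
    if p.source_routed:
        return "deny: source route option present"
    if p.proto == "tcp" and p.frag_offset == 1:
        return "deny: tiny fragment (TCP, fragment offset 1)"
    return None


def filter_packet(p: Packet, rules: List[Rule], default: str = "deny") -> str:
    """Return 'permit: ...' or 'deny: ...' together with the reason for the decision."""
    reason = service_independent_check(p)
    if reason is not None:
        return reason
    for i, r in enumerate(rules):           # first matching rule wins
        if r.matches(p):
            return f"{r.action}: rule {i}"
    return f"{default}: no matching rule"   # the stance decides everything else


# Rule set following the "typical filtering rules" list (hosts are assumptions).
RULES = [
    Rule("deny", iface_in="outside", src="198.51.100.0/24"),                                # hostile external net
    Rule("permit", iface_in="outside", proto="tcp", dst="192.0.2.10/32", dport=23),         # inbound Telnet, one host
    Rule("permit", iface_in="outside", proto="tcp", dst="192.0.2.20/32", dport=21),         # inbound FTP, one host
    Rule("permit", iface_in="inside", proto="tcp", src="192.0.2.0/24", dport=23),           # all outbound Telnet
    Rule("permit", iface_in="inside", proto="tcp", src="192.0.2.0/24", dport=21),           # all outbound FTP
    Rule("permit", iface_in="outside", proto="tcp", dst="192.0.2.0/24", established=True),  # replies to inside
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", "outside", 40000, 23),                # permitted Telnet host
        Packet("203.0.113.7", "192.0.2.11", "tcp", "outside", 40000, 23),                # Telnet to another host
        Packet("198.51.100.5", "192.0.2.10", "tcp", "outside", 40000, 23),               # from the hostile network
        Packet("192.0.2.55", "192.0.2.10", "tcp", "outside", 40000, 23),                 # spoofed inside source
        Packet("203.0.113.7", "192.0.2.10", "tcp", "outside", 40000, 23, frag_offset=1),  # tiny fragment
        Packet("192.0.2.5", "203.0.113.9", "tcp", "inside", 40001, 23),                  # outbound Telnet
        Packet("203.0.113.9", "192.0.2.5", "tcp", "outside", 23, 40001, ack=True),       # its reply
    ]
    for s in samples:
        print(f"{s.src:>14} -> {s.dst:<12} {s.proto}/{s.dport:<5} in={s.iface_in:<7} {filter_packet(s, RULES)}")
```

The last rule is what makes the two "permit all outbound" rules usable: a stateless filter needs a way to let the server's reply packets back in, and matching on the ACK bit is the classic way. It also illustrates the limitation discussed later in the paper: any outside host can send an unsolicited packet with ACK set to any inside host and the filter, having no notion of an existing session, lets it through.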

Benefits of Packet-Filtering Routers

The majority of Internet firewall systems are deployed using only a packet-filtering router. Other than the time spent planning the filters and configuring the router, there is little or no cost for implementing packet filtering since the feature is included as part of standard router software releases. Since Internet access is generally provided over a WAN interface, there is little impact on router performance if traffic loads are moderate and few filters are defined. Finally, a packet-filtering router is generally transparent to users and applications, so it does not require specialized user training or that specific software be installed on each host.


Limitations of Packet-Filtering Routers

Defining packet filters can be a complex task because network administrators need to have a detailed understanding of the various Internet services, packet header formats, and the specific values they expect to find in each field. If complex filtering requirements must be supported, the filtering rule set can become very long and complicated, making it difficult to manage and comprehend. Finally, there are few testing facilities to verify the correctness of the filtering rules after they are configured on the router. This can potentially leave a site open to untested vulnerabilities.

Any packet that passes directly through a router could potentially be used to launch a data-driven attack. Recall that a data-driven attack occurs when seemingly harmless data is forwarded by the router to an internal host. The data contains hidden instructions that cause the host to modify access control and security-related files, making it easier for the intruder to gain access to the system.

Generally, the packet throughput of a router decreases as the number of filters increases. Routers are optimized to extract the destination IP address from each packet, make a relatively simple routing table lookup, and then forward the packet to the proper interface for transmission. If filtering is enabled, the router must not only make a forwarding decision for each packet, but also apply all of the filter rules to each packet. This can consume CPU cycles and impact the performance of a system.

IP packet filters may not be able to provide enough control over traffic. A packet-filtering router can permit or deny a particular service, but it is not capable of understanding the context/data of a particular service. For example, a network administrator may need to filter traffic at the application layer in order to limit access to a subset of the available FTP or Telnet commands, or to block the import of mail or newsgroups concerning specific topics. This type of control is best performed at a higher layer by proxy services and application-level gateways.

Building Blocks: Application-Level Gateways

An application-level gateway allows the network administrator to implement a much stricter security policy than with a packet-filtering router. Rather than relying on a generic packet-filtering tool to manage the flow of Internet services through the firewall, special-purpose code (a proxy service) is installed on the gateway for each desired application. If the network administrator does not install the proxy code for a particular application, the service is not supported and cannot be forwarded across the firewall. Also, the proxy code can be configured to support only those specific features of an application that the network administrator considers acceptable while denying all other features.

This enhanced security comes with an increased cost in terms of purchasing the gateway hardware platform, the proxy service applications, the time and knowledge required to configure the gateway, a decrease in the level of service that may be provided to users, and a lack of transparency resulting in a less user-friendly system. As always, the network administrator is required to balance the organization's need for security with the user community's demand for ease of use.

It is important to note that users are permitted access to the proxy services, but they are never permitted to log in to the application-level gateway. If users are permitted to log in to the firewall system, the security of the firewall is threatened, since an intruder could potentially perform some activity that compromises the effectiveness of the firewall. For example, the intruder could gain root access, install Trojan horses to collect passwords, and modify the security configuration files of the firewall.

Bastion Host

Unlike packet-filtering routers, which allow the direct flow of packets between inside systems and outside systems, application-level gateways allow information to flow between systems but do not allow the direct exchange of packets. The chief risk of allowing packets to be exchanged between inside systems and outside systems is that the host applications residing on the protected network's systems must be secured against any threat posed by the allowed services.

    An application-level gateway is often referred to as a bastion host because it is a designated system that is specifically armored and protected against attacks. Several design features are used to provide security for a bastion host:

    • The bastion host hardware platform executes a secure version of its operating system. For example, if the bastion host is a UNIX platform, it executes a secure version of the UNIX operating system that is specifically designed to protect against operating system vulnerabilities and ensure firewall integrity.

    • Only the services that the network administrator considers essential are installed on the bastion host. The reasoning is that if a service is not installed, it can't be attacked. Generally, a limited set of proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication are installed on a bastion host.

    • The bastion host may require additional authentication before a user is allowed access to the proxy services. For example, the bastion host is the ideal location for installing strong authentication using a one-time password technology where a smart card cryptographic authenticator generates a unique access code. In addition, each proxy service may require its own authentication before granting user access.

    • Each proxy is configured to support only a subset of the standard application's command set. If a standard command is not supported by the proxy application, it is simply not available to the authenticated user.

    • Each proxy is configured to allow access only to specific host systems. This means that the limited command/feature set may be applied only to a subset of systems on the protected network.

    • Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection. The audit log is an essential tool for discovering and terminating intruder attacks.

    • Each proxy is a small and uncomplicated program specifically designed for network security. This allows the source code of the proxy application to be reviewed and checked for potential bugs and security holes. For example, a typical UNIX mail application may contain over 20,000 lines of code, while a mail proxy may contain fewer than 1,000.

    • Each proxy is independent of all other proxies on the bastion host. If there is a problem with the operation of any proxy, or if a future vulnerability is discovered, it can be uninstalled without affecting the operation of the other proxy applications. Also, if the user population requires support for a new service, the network administrator can easily install the required proxy on the bastion host.

    • A proxy generally performs no disk access other than to read its initial configuration file. This makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host. The audit log is the one exception, and it should be written through a channel the proxy itself cannot read back or truncate, such as the system logging facility.

    • Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.

    Example: Telnet Proxy
    Figure 5 on page 10 illustrates the operation of a Telnet proxy on a bastion host. For this example, the outside client wants to Telnet to an inside server protected by the application-level gateway.

    The Telnet proxy never allows the remote user to log in or have direct access to the internal server. The outside client Telnets to the bastion host, which authenticates the user employing one-time password technology. After authentication, the outside client gains access to the user interface of the Telnet proxy. The Telnet proxy permits only a subset of the Telnet command set and determines which inside hosts are available for Telnet access. The outside user specifies the destination host and the Telnet proxy makes its own connection to the inside server and forwards commands to the inside server on behalf of the outside client. The outside client believes that the Telnet proxy is the real inside server, while the inside server believes that the Telnet proxy is the outside client.

    Figure 6 shows the output to the outside client's terminal screen as the connection to the inside server is established. Note that the client is not performing a logon to the bastion host; the user is being authenticated by the bastion host and a challenge is issued before the user is permitted to communicate with the Telnet proxy. After passing the challenge, the proxy server limits the set of commands and destinations that are available to the outside client. Note also that the proxy does nothing to protect the Telnet session itself: the inside server's login password at the end of Figure 6 still crosses the Internet in clear text.

    Authentication can be based on either something the user knows (like a password) or something the user physically possesses (like a smart card). Both techniques are subject to theft, but using a combination of both methods increases the likelihood of correct user authentication. In the Telnet example, the proxy transmits a challenge and the user, with the aid of a smart card, obtains a response to the challenge. Typically, a user unlocks the smart card by entering their PIN and the card, based on a shared secret encryption key and its own internal clock, returns an encrypted value for the user to enter as a response to the challenge. Because the response is bound to that particular challenge, a response captured from one session cannot be replayed against a later one.
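    The proxy logic of the Telnet example above, written out as an added illustration rather than code from the paper or from any 3Com product: a session object that issues a fresh challenge, checks the response, and then accepts only the proxy's own command subset against an allow list of inside hosts, logging every step. The response algorithm (six decimal digits taken from an HMAC-SHA1 of the challenge under a per-user shared secret), the user name, the secret and the host names are all assumptions; the paper says only that the card derives the response from a shared key and its clock.

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Constructed sample data. In a real deployment the secret lives on the user's
# smart card and in the bastion host's authentication database, nowhere else.
USER_SECRETS = {"jsmith": b"constructed-shared-secret-for-jsmith"}

# Proxy policy: the only inside hosts reachable, and the only verbs understood.
ALLOWED_DESTINATIONS = frozenset({"inside_server"})
HELP_TEXT = "Valid commands are: connect hostname, help/?, quit/exit"


def expected_response(secret: bytes, challenge: int) -> str:
    """Assumed token algorithm: six decimal digits taken from
    HMAC-SHA1(secret, challenge). The paper does not specify one."""
    mac = hmac.new(secret, str(challenge).encode("ascii"), hashlib.sha1).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


class TelnetProxySession:
    """One outside client's dialogue with the bastion host's Telnet proxy.

    The client never gets a login shell on the bastion host. It must answer a
    fresh challenge, after which it may only use the proxy's own command
    subset; 'connect' makes the proxy open a separate connection to an
    allowed inside server (modelled here by recording the host name).
    """

    def __init__(self, username: str, rng: Callable[[int], int] = secrets.randbelow):
        self.username = username
        self.challenge = rng(1_000_000)          # fresh per session: no replay
        self.authenticated = False
        self.connected_to: Optional[str] = None
        self.audit: List[str] = []               # the proxy logs everything

    def answer_challenge(self, response: str) -> bool:
        secret = USER_SECRETS.get(self.username)
        ok = secret is not None and hmac.compare_digest(
            expected_response(secret, self.challenge).encode("utf-8"),
            response.encode("utf-8"))
        self.audit.append(f"auth user={self.username} challenge={self.challenge} "
                          f"result={'ok' if ok else 'fail'}")
        self.authenticated = ok
        return ok

    def command(self, line: str) -> str:
        """Handle one line typed at the bh-telnet-proxy> prompt."""
        if not self.authenticated:
            return "not authenticated"
        parts = line.split()
        verb = parts[0].lower() if parts else ""
        self.audit.append(f"cmd user={self.username} line={line!r}")
        if verb in ("help", "?"):
            return HELP_TEXT
        if verb in ("quit", "exit"):
            return "bye"
        if verb == "connect" and len(parts) == 2:
            host = parts[1]
            if host not in ALLOWED_DESTINATIONS:
                self.audit.append(f"deny user={self.username} host={host}")
                return f"connect to {host} denied by policy"
            self.connected_to = host             # the proxy's own connection to the inside server
            self.audit.append(f"connect user={self.username} host={host}")
            return f"connected to {host} via proxy"
        # Anything outside the proxy's subset does not exist as far as the client can tell.
        return "unknown command"
```

    The point to notice is that there is no code path from the client's input to a shell: a line that is not one of the three verbs is answered with "unknown command" and logged, and a destination outside the allow list is refused before any connection is attempted.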

    Figure 5. Telnet Proxy
    [Diagram: an outside client on the outside network makes a client-proxy connection to the application-level gateway, which runs an FTP proxy and a Telnet proxy; the Telnet proxy makes a separate proxy-server connection to the inside server on the inside network.]

    Figure 6. Telnet Session Terminal Display

        Outside-Client > telnet bastion_host
        Username: John Smith
        Challenge Number 237936
        Challenge Response: 723456
        Trying 200.43.67.17 ...
        HostOS UNIX (bastion_host)
        bh-telnet-proxy> help
        Valid commands are: connect hostname
                            help/?
                            quit/exit
        bh-telnet-proxy> connect inside_server
        HostOS UNIX (inside_server)
        login: John Smith
        Password: ######
        Last login: Wednesday April 15 11:17:15

    Benefits of Application-Level Gateways
    There are many benefits to the deployment of application-level gateways. They give the network manager complete control over each service, since the proxy application limits the command set and determines which internal hosts may be accessed by the service. Also, the network manager has complete control over which services are permitted, since the absence of a proxy for a particular service means that the service is completely blocked. Application-level gateways have the ability to support strong user authentication and provide detailed logging information. Finally, the filtering rules for an application-level gateway are much easier to configure and test than for a packet-filtering router.

    Limitations of Application-Level Gateways
    The greatest limitation of an application-level gateway is that it requires either that users modify their behavior, or that specialized software be installed on each system that accesses proxy services. For example, Telnet access via an application-level gateway requires two user steps to make the connection rather than a single step. However, specialized end-system software could make the application-level gateway transparent by allowing the user to specify the destination host rather than the application-level gateway in the Telnet command.

    Building Blocks: Circuit-Level Gateways
    A circuit-level gateway is a specialized function that can be performed by an application-level gateway. A circuit-level gateway simply relays TCP connections without performing any additional packet processing or filtering.

    Figure 7 illustrates the operation of a typical Telnet connection through a circuit-level gateway. The circuit-level gateway simply relays the Telnet connection through the firewall but does no additional examination, filtering, or management of the Telnet protocol. The circuit-level gateway acts like a wire, copying bytes back and forth between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it conceals information about the protected network.

    Circuit-level gateways are often used for outgoing connections where the system administrator trusts the internal users. The trust is really placed in the internal user's host rather than in the user: any program running there can open an outbound circuit, since the gateway inspects nothing that passes through it. Their chief advantage is that a bastion host can be configured as a hybrid gateway supporting application-level or proxy services for inbound connections and circuit-level functions for outbound connections. This makes the firewall system easier to use for internal users who want direct access to Internet services, while still providing the firewall functions needed to protect the organization from external attack.
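    The byte-copying behaviour described above, as an added example that is not from the paper: a relay between two already-established connections, built on a socketpair so that it runs offline. Nothing in it knows Telnet; it copies bytes until one side finishes, passes the end-of-stream on to the other side as a half-close, and returns the per-direction byte counts, which is all a circuit-level gateway can put in its audit log since it never sees commands. The `demo` function and its payload are constructed test traffic standing in for the outside client and the inside host.

```python
import selectors
import socket
import threading


def relay(inside: socket.socket, outside: socket.socket) -> dict:
    """Copy bytes between two established connections until both sides close.

    The gateway never parses what it copies, so the only audit data it can
    produce is who connected to whom, when, and how much went each way.
    Writes are blocking sends, which is fine for this demo; a production relay
    would buffer and use non-blocking writes so one slow direction cannot
    stall the other.
    """
    sel = selectors.DefaultSelector()
    peer = {inside: outside, outside: inside}
    counts = {"in_to_out": 0, "out_to_in": 0}
    for s in peer:
        sel.register(s, selectors.EVENT_READ)
    open_sides = 2
    while open_sides:
        for key, _ in sel.select():
            src = key.fileobj
            data = src.recv(4096)
            if not data:
                # This side finished sending: stop reading it and pass the
                # end-of-stream on to the other side as a half-close.
                sel.unregister(src)
                try:
                    peer[src].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                open_sides -= 1
                continue
            peer[src].sendall(data)  # opaque bytes, no protocol inspection
            counts["in_to_out" if src is inside else "out_to_in"] += len(data)
    sel.close()
    return counts


def demo(payload: bytes = b"hello through the circuit gateway") -> dict:
    """Constructed traffic: an outside client sends `payload` to an inside host
    through the gateway; the inside host answers with it upper-cased."""
    gw_out, client = socket.socketpair()   # outside connection
    gw_in, server = socket.socketpair()    # inside connection
    for s in (client, server):
        s.settimeout(5)
    counts: dict = {}
    t = threading.Thread(target=lambda: counts.update(relay(gw_in, gw_out)), daemon=True)
    t.start()

    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)        # client has nothing more to send
    request = b""
    while chunk := server.recv(4096):      # inside host reads until the relayed EOF
        request += chunk
    server.sendall(request.upper())
    server.close()
    reply = b""
    while chunk := client.recv(4096):
        reply += chunk
    client.close()
    t.join(timeout=5)
    gw_in.close()
    gw_out.close()
    return {"reply": reply, **counts}
```

    Run `demo()` to see the round trip; the inside host only ever sees the gateway's end of the inside connection, which is the concealment the text refers to, and the gateway only ever sees byte counts.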

    Firewall Example #1: Packet-Filtering Router
    The most common Internet firewall system consists of nothing more than a packet-filtering router deployed between the private network and the Internet (Figure 8 on page 12). A packet-filtering router performs the typical routing functions of forwarding traffic between networks as well as using packet-filtering rules to permit or deny traffic. Typically, the filter rules are defined so that hosts on the private network have direct access to the Internet, while hosts on the Internet have limited access to systems on the private network. The external stance of this type of firewall system is usually that everything not specifically permitted is denied.


    Figure 7. Circuit-Level Gateway
    [Diagram: an inside host's inside connection terminates on the circuit-level gateway, which relays it over a separate outside connection to the outside host; bytes are copied in both directions.]


    Although this firewall system has thebenefit of being inexpensive and transparent tousers, it possesses all of the limitations of apacket-filtering router such as exposure toattacks from improperly configured filters andattacks that are tunneled over permittedservices. Since the direct exchange of packetsis permitted between outside systems andinside systems, the potential extent of an attack is determined by the total number of hosts andservices to which the packet-filtering routerpermits traffic. This means that each hostdirectly accessible from the Internet needs tosupport sophisticated user authentication andneeds to be regularly examined by the network administrator for signs of an attack. Also, if thesingle packet-filtering router is penetrated,every system on the private network may becompromised.

    Firewall Example #2: Screened Host Firewall
    The second firewall example employs both a packet-filtering router and a bastion host (Figure 9). This firewall system provides a higher level of security than the previous example because it implements both network-layer security (packet filtering) and application-layer security (proxy services). Also, an intruder has to penetrate two separate systems before the security of the private network can be compromised.

    For this firewall system, the bastion host is configured on the private network with a packet-filtering router between the Internet and the bastion host. The filtering rules on the exposed router are configured so that outside systems can access only the bastion host; traffic addressed to all other internal systems is blocked. Since the inside hosts reside on the same network as the bastion host, the security policy of the organization determines whether inside systems are permitted direct access to the Internet, or whether they are required to use the proxy services on the bastion host. Inside users can be forced to use the proxy services by configuring the router's filter rules to accept only internal traffic originating from the bastion host.

    One of the benefits of this firewall system is that a public information server providing Web and FTP services can be placed on the segment shared by the packet-filtering router and the bastion host. If the strongest security is required, the bastion host can run proxy services that require both internal and external users to access the bastion host before communicating with the information server. If a lower level of security is adequate, the router may be configured to allow outside users direct access to the public information server.


    Figure 8. Packet-Filtering Router Firewall
    [Diagram: a packet-filtering router sits between the Internet (outside) and the private network (inside).]

    Figure 9. Screened Host Firewall System (Single-Homed Bastion Host)
    [Diagram: a packet-filtering router connects the Internet to a single internal segment holding the bastion host, the information server, and the private network hosts.]


    An even more secure firewall system can be constructed using a dual-homed bastion host system (Figure 10). A dual-homed bastion host has two network interfaces, but the host's ability to directly forward traffic between the two interfaces, bypassing the proxy services, is disabled. The physical topology forces all traffic destined for the private network through the bastion host and provides additional security if outside users are granted direct access to the information server. Disabling forwarding is a single kernel setting, so it should be verified after every operating system upgrade or reconfiguration; if it is silently re-enabled, the bastion host becomes an ordinary router and the proxies are bypassed.

    Since the bastion host is the only internal system that can be directly accessed from the Internet, the potential set of systems open to attack is limited to the bastion host. However, if users are allowed to log on to the bastion host, the potential set of threatened systems expands to include the entire private network, since it is much easier for an intruder to compromise the bastion host if they are allowed to log on. It is critical that the bastion host be hardened and protected from penetration and that users never be allowed to log on to the bastion host.

    Figure 10. Screened Host Firewall System (Dual-Homed Bastion Host)
    [Diagram: a packet-filtering router connects the Internet to an outer segment holding the information server and one interface of the bastion host; the bastion host's second interface connects to the private network hosts, with forwarding between the two interfaces disabled.]

    Figure 11. Screened-Subnet Firewall System
    [Diagram: the Internet connects to the outside router; the DMZ segment between the outside router and the inside router holds the bastion host, the information server, and the modems; the inside router connects the DMZ to the private network.]

    Firewall Example #3: Demilitarized Zone or Screened-Subnet Firewall
    The final firewall example employs two packet-filtering routers and a bastion host (Figure 11). This firewall system creates the most secure firewall system, since it supports both network- and application-layer security while defining a demilitarized zone (DMZ) network. The network administrator places the bastion host, information servers, modem pools, and other public servers on the DMZ network. The DMZ network functions as a small, isolated network positioned between the Internet and the private network. Typically, the DMZ is configured so that systems on the Internet and systems on the private network can access only a limited number of systems on the DMZ network, but the direct transmission of traffic across the DMZ network is prohibited.

    For incoming traffic, the outside router protects against the standard external attacks (source IP address spoofing, source routing attacks, etc.) and manages Internet access to the DMZ network. It permits external systems to access only the bastion host (and possibly the information server). The inside router provides a second line of defense, managing DMZ access to the private network by accepting only traffic originating from the bastion host.

    For Internet-bound traffic, the insiderouter manages private network access to theDMZ network. It permits internal systems toaccess only the bastion host (and possibly theinformation server). The filtering rules on theoutside router require use of the proxy servicesby accepting only Internet-bound traffic fromthe bastion host.
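    The filter rules just described for the outside and inside routers, together with the "accept only internal traffic originating from the bastion host" rule of the screened-host example and the "everything not specifically permitted is denied" stance of the first example, as an added example that is not from the paper: one ordered rule table per router, evaluated first-match with an implicit deny, including the anti-spoofing and source-routing checks the outside router is responsible for. All addresses, interface names and port sets are assumptions; the paper gives none, and the packets evaluated at the end are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing (the paper gives none): RFC 1918 space inside,
# a documentation prefix for the DMZ, and "everything" for the Internet.
INTERNET = ip_network("0.0.0.0/0")
PRIVATE_NET = ip_network("10.1.0.0/16")
DMZ_NET = ip_network("198.51.100.0/24")
BASTION = ip_network("198.51.100.2/32")
INFO_SERVER = ip_network("198.51.100.3/32")
PROXY_PORTS = frozenset({21, 23, 25, 53})   # FTP, Telnet, SMTP, DNS proxies on the bastion


@dataclass(frozen=True)
class Packet:
    iface: str                  # router interface the packet arrived on: ext, dmz or int
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    ack: bool = False           # TCP ACK set: claims to be part of an existing connection
    source_routed: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    iface: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None                 # None matches any protocol
    dports: Optional[FrozenSet[int]] = None     # None matches any port
    ack: Optional[bool] = None                  # None matches either
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.ack is None or self.ack == p.ack))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins. The implicit last rule is 'deny everything';
    source-routed packets are dropped before any rule is consulted."""
    if p.source_routed:
        return "deny", "source-routed packet"
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


# Outside router: anti-spoofing first, then the few permitted inbound services,
# then outbound only from the bastion, which is what forces inside users onto
# the proxies. These routers are stateless, so "reply traffic" can only be
# approximated by the ACK bit; that rule also lets ACK-only probes reach any
# DMZ host, a known gap of stateless filtering worth knowing about.
OUTSIDE_ROUTER = [
    Rule("deny", "ext", PRIVATE_NET, INTERNET, note="spoofed private-network source"),
    Rule("deny", "ext", DMZ_NET, INTERNET, note="spoofed DMZ source"),
    Rule("permit", "ext", INTERNET, BASTION, "tcp", PROXY_PORTS, note="to bastion proxies"),
    Rule("permit", "ext", INTERNET, INFO_SERVER, "tcp", frozenset({21, 80}), note="to public server"),
    Rule("permit", "ext", INTERNET, DMZ_NET, "tcp", None, True, note="reply to DMZ-initiated connection"),
    Rule("permit", "dmz", BASTION, INTERNET, note="bastion outbound"),
    Rule("permit", "dmz", INFO_SERVER, INTERNET, "tcp", None, True, note="public server replies"),
]

# Inside router: the only DMZ system allowed to talk to the private network is
# the bastion host. The same single pair of rules is what the screened-host
# example relies on to force proxy use.
INSIDE_ROUTER = [
    Rule("permit", "dmz", BASTION, PRIVATE_NET, note="bastion to private network"),
    Rule("permit", "int", PRIVATE_NET, BASTION, note="private network to bastion"),
]


def decide(router: List[Rule], p: Packet) -> str:
    """Just the verdict, for quick checks of a rule table."""
    return evaluate(router, p)[0]
```

    Evaluating a few constructed packets shows the layering the text describes: an Internet host reaching the bastion's Telnet proxy is permitted, the same host addressing a private host directly is dropped at the outside router by the default deny, a packet arriving from the Internet with a private source address is dropped as spoofed before any permit rule is reached, and a compromised information server on the DMZ is still refused by the inside router because it is not the bastion host.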

    There are several key benefits to the deployment of a screened-subnet firewall system:

    • An intruder must crack three separate devices (without detection) to infiltrate the private network: the outside router, the bastion host, and the inside router.

    • Since the outside router advertises the DMZ network only to the Internet, systems on the Internet do not have routes to the protected private network. This allows the network manager to ensure that the private network is "invisible," and that only selected systems on the DMZ are known to the Internet via routing table and DNS information exchanges.

    • Since the inside router advertises the DMZ network only to the private network, systems on the private network do not have direct routes to the Internet. This guarantees that inside users must access the Internet via the proxy services residing on the bastion host. The missing routes are a convenience rather than a control, however; it is the filter rules on the two routers that actually enforce this.

    • Packet-filtering routers direct traffic to specific systems on the DMZ network, eliminating the need for the bastion host to be dual-homed.

    • The inside router supports greater packet throughput than a dual-homed bastion host when it functions as the final firewall system between the private network and the Internet.

    • Since the DMZ network is a different network than the private network, a Network Address Translator (NAT) can be installed on the bastion host to eliminate the need to renumber or resubnet the private network.

    Summary
    There is no single correct answer for the design and deployment of Internet firewalls. Each organization's decision will be influenced by many different factors such as their corporate security policy, the technical background of their staff, cost, and the perceived threat of attack. This paper focused on many of the issues relating to the construction of Internet firewalls, including their benefits, limitations, building blocks, and examples of firewall system topologies. Since the benefits of connecting to the global Internet probably exceed its costs, network managers should proceed with an awareness of the dangers and an understanding that, with the proper precautions, their networks can be as safe as they need them to be.


    References

    Textbooks
    Building Internet Firewalls. D. Brent Chapman and Elizabeth Zwicky. O'Reilly & Associates, 1995.
    Firewalls and Internet Security: Repelling the Wily Hacker. Bill Cheswick and Steve Bellovin. Addison-Wesley, 1994.
    Practical UNIX Security. Simson Garfinkel and Gene Spafford. O'Reilly & Associates, 1991.

    Requests for Comment
    RFC 1244: Site Security Handbook. P. Holbrook and J. Reynolds, July 1991.
    RFC 1636: Report of IAB Workshop on Security in the Internet Architecture (February 8-10, 1994). R. Braden, D. Clark, S. Crocker, and C. Huitema, June 1994.
    RFC 1704: On Internet Authentication. N. Haller and R. Atkinson, October 1994.
    RFC 1858: Security Considerations for IP Fragment Filtering. G. Ziemba, D. Reed, and P. Traina, October 1995.

    Firewall and Security Papers
    Almost Everything You Ever Wanted to Know About Security (but were afraid to ask). Maintained by Alec Muffett (http://www.cis.ohio-state.edu/hypertext/faq/usenet/security-faq/faq.html).
    How to Set Up a Secure Anonymous FTP Site. Christopher Klaus, Internet Security Systems, Inc. (http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/anonymous-ftp-faq/faq.html).
    Internet Firewalls Frequently Asked Questions. Maintained by Marcus J. Ranum, Trusted Information Systems, Inc. (http://www.v-one.com/pubs/fw-faq/faq.htm).
    Thinking About Firewalls. Marcus J. Ranum, Trusted Information Systems, Inc. (http://www.telstra.com.au/pub/docs/security/ThinkingFirewalls/ThinkingFirewalls.html).
    A Toolkit and Methods for Internet Firewalls. Marcus J. Ranum and Frederick M. Avolio, Trusted Information Systems, Inc. (http://web1.cohesive.com/original/centri/usenix.htm).
    What If Your Machines Are Compromised by an Intruder. Christopher Klaus, Internet Security Systems, Inc. (http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/compromise-faq/faq.html).
    The World Wide Web Security FAQ. Lincoln D. Stein (http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html).

    World Wide Web Index Pages to Security-Related Documents
    http://lcweb.loc.gov/global/internet/security.html
        Library of Congress page containing links to documents on computer security.
    http://www.telstra.com.au/pub/docs/security/
        Telstra page containing links to documents on computer security.
    http://mls.saic.com/docs.html
        Science Applications International Corporation's (SAIC) page containing links to documents on computer security.
    http://csrc.ncsl.nist.gov/first/resources/from-cd95/pap.htm
        Forum of Incident Response and Security Teams (FIRST) page containing links to documents on network security.
    http://web1.cohesive.com/original/centri/info.htm#applevel
        Cohesive Systems page containing links to documents on network security.
    http://www.netsurf.com/nsf/v01/01/resource/firewall.html
        General index page containing links to documents on firewalls.
    http://burgau.inesc.pt/docs/security/firewall/index.html
        General index page containing links to documents on firewalls.
    http://burgau.inesc.pt/docs/security/IP-security/index.html
        General index page containing links to documents on IP security.
    ftp://ftp.uni-paderborn.de/doc/FAQ/comp.security.misc/
        General index page containing links to security-related Frequently Asked Questions (FAQs).


    Printed in U.S.A. 500619-001 7/ 96

    1996 3Com Corporation. All rights reserved. 3Com is a publicly owned corporation (NASDAQ: COMS). 3Com is a registered trademark of 3Com Corporation. Other brand and product names may be trademarks or registered trademarks of their respective owners.
