Is your Internet connection putting your networks at risk? Establish a firewall and sleep easier.
John Bryan
The Internet is on fire. But as traffic increases dramatically, so, too, do the risks that your company's data may be sabotaged or stolen. Network firewalls have become a hot topic.
Relatively new creations in the computing world, Internet firewalls have their roots in control mechanisms and security measures that have long been standard practice in the mainframe community. But today's networked world has grown from the bottom up, with millions of new connections originating from personal computers and small networks. It's no longer possible to know who or what is on the other end of a network connection unless we take extraordinary measures.
What's in a Name?
A firewall is a barrier placed between your network and the outside world to prevent unwanted and potentially damaging intrusion into your network. Just as no physical fire wall is perfect protection against a fire, no digital firewall can make a network 100 percent secure against outside intrusion. But they can come remarkably close.
An important caveat to remember: Firewalls won't work, no matter how they are designed or implemented, without a clear security policy (see "Network Security Starts with Workable Policy"). If a firewall is established for the wrong reasons, that can cause you problems, too.
Firewall Architectures
You can build firewalls in several ways, using a variety of mechanisms. The following examples are the most common:
-- Router-based filters
-- Host computer gateways, or bastions
-- A separate, isolation network
The cost of a firewall can range from a $100,000 turnkey hardware/software system, installed and maintained by an outside vendor, to "no-cost" software available on the Internet from various suppliers and users groups. (Of course, creating your own firewall, even starting with free software, still requires a significant investment in time and people, which can quickly dwarf the cost of a ready-made solution.) One firewall-product vendor suggests that implementing a comprehensive firewall from scratch could require several worker-months, the equivalent of perhaps $30,000 in salary and benefits. Rolling your own system carries with it other potential problems, particularly in maintenance and administration. You don't want a system that requires constant tweaking and expensive revisions.
Filtering Routers
Perhaps the simplest approach to creating a firewall involves using a programmable router--the type of device normally used to create a permanent Internet connection to the outside world (often via a commercial Internet provider). Routers work by controlling traffic at the IP level, selectively passing or blocking data packets based on source/destination address or port information in the packet's header.
At the very least, you can use your router as a packet filter. This approach is probably the most common internetwork security mechanism used today. While reasonably good firewalls can be created with routers alone, it may prove difficult to program the router to exclude everything that you want kept out. Unfortunately, most routers come configured with a minimum of built-in protection, and many organizations simply install them this way.
The problem with the router-based approach stems from the variety of different protocols that are used on the Internet. At least three major network services are not handled well by packet filters--FTP, DNS (Domain Name System), and X11 all present special problems for the firewall implementor (see "Safe Network Services: FTP, DNS, and X11").
Host-Based Firewalls
An alternative approach to firewall construction is to use a computer rather than a router. This offers many more capabilities, including the ability to log all the activity over the gateway. Indeed, when you think of a network firewall, you probably think first of a separate, highly secured computer system standing guard over your networks. This sentry system, sometimes called a bastion host, is a critical defense point that must be carefully designed, tightly controlled, and audited regularly.
While a router-based firewall monitors data packets at the IP level, hosts exert their control at the application level, where traffic can be examined more thoroughly. However, you can't use just any application; you need to be aware that the application software (and even the operating system) you run on this system may have gaping security holes of its own.
To get around these problems and deal with potentially buggy protocols, host-based firewalls must use specialized software: application gateways and service proxies. These are, in essence, stripped-down versions of the original programs. For instance, the standard versions of the Unix sendmail utility have perhaps 20,000 lines of code. A proxy version, such as Trusted Information Systems' (Glenwood, MD) smap (sendmail application proxy), contains only about 700 lines, because it doesn't include all the functionality of the standard version. It passes along mail messages only after verifying that they fit within the programmed restrictions. However, the cut-down nature of a proxy means that you can use it only with the application it's designed to serve (see the figure "Proxies and Host-Based Firewalls").
Isolation Networks
Another way to establish a firewall is similar to the host-based systems just described. Instead of interposing a host computer, you create another network, an isolated subnetwork that sits between the external and internal networks.
Typically, this network is configured so that both the Internet and the private network can access it, but traffic across the isolation network is blocked. Some isolation networks may contain only a single node configured as a bastion host that will support interactive sessions or application-level gateways. One advantage of isolation networks is that they can also simplify the establishment and enforcement of new Internet addresses, especially for large private networks that may otherwise face the prospect of having to undergo significant reconfiguration.
Roll Your Own or Hire a Mercenary?
If you choose not to buy a turnkey system, what other options do you have? You could certainly create your own if you have the expertise and required staff time. One valuable resource you should be aware of is the TIS Firewall Toolkit, created by Trusted Information Systems and available for no-cost downloading. (For more information, point your Web browser to this URL (uniform resource locator): http://www.tis.com/.) You can download bridge and host-based tools from Texas A&M University (ftp to net.tamu.edu, files in /pub/security/TAMU). Ohio State University offers a shareware version of KarlBridge, with limited features and hardware support (ftp to ftp.net.ohio-state.edu, files in /pub/kbridge).
Full-featured commercial versions of KarlBridge and KarlBrouter are also available from KarlNet (Columbus, OH, sales@karlnet.com). A version of Digital Equipment's "screend" kernel screening software is available for BSD/386, NetBSD, and BSDI.
If you don't have the in-house expertise, you could hire a guru onto your staff or deal with an experienced consultant. But each of these will require significant effort and attention on your part.
One final approach to creating a firewall involves having someone else do everything for you--hardware, software, and administration. This may be especially attractive for the smaller company or even for the larger organization that simply doesn't want to commit people and time to the job. Outsourcing the firewall is simple and straightforward, and it means you don't have to worry about acquiring staff with the specialized knowledge needed.
Dreams and Drawbacks
The Internet beckons us in some alluring ways. It promises a great deal in the way of rewards and benefits--connections with a multitude of individuals and organizations and access to information and resources on a scale heretofore unparalleled. And yet hooking up to the Internet can also be the source of significant dangers and risks.
Security is sometimes an elusive goal and can seem unattainable, especially when you think in terms of the exposure that an Internet connection offers. But there are workable, practical solutions on the market today.
FURTHER READING
For more detailed information on firewall and gateway systems, see Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin (Addison-Wesley, 1994), which was reviewed in the September 1994 BYTE, page 42.
Firewalls is an Internet mailing list for firewall administrators and implementors. To subscribe, send "subscribe firewalls" in the body of a message to majordomo@greatcircle.com.
Another helpful paper is "Thinking About Firewalls," by Marcus Ranum, Proceedings of the Second International Conference on Systems and Network Security and Management; available via ftp from ftp.tis.com:/pub/firewalls/firewall.ps.Z.
Figure: Proxies and Host-Based Firewalls. In a typical host-based firewall, all Internet connections are handled through a single host system that runs proxy versions of such software as FTP, Telnet, Gopher, and other common programs. These proxies are written with deliberately limited capabilities so that access can be better controlled and the firewall made more secure.
John Bryan is a freelance technology writer and consultant who is based in San Jose, California. You can contact him on the Internet at 5051339@mcimail.com or on BIX c/o "editors."