
Barbarians at the Firewall


September 1996 / Features / Barbarians at the Firewall

If you think firewalls are fail-safe protection against electronic intruders, think again.

Deborah Kerr

The notion of a firewall as an impregnable defense against intruders is going up in smoke. Firewalls were in place in two highly publicized security breaches. One involved a break-in of security consultant Tsutomu Shimomura's system, which was chronicled in the book Takedown. The other was the penetration of several computers at the Los Alamos National Laboratory earlier this year. These aren't isolated cases. According to the Computer Security Institute, 30 percent of the Internet sites that reported breaches in their security had a firewall in operation.

The easiest way to circumvent a firewall is to outflank it, much as the Germans simply went around the "impregnable" Maginot Line to invade France in 1940. Organizations often spend tens of thousands of dollars on expensive firewalls or, in some cases, forgo Internet connectivity altogether, only to risk attack through dial-in-modem pools or other insecure access points (see the figure "Security Holes"). So, the first lesson to learn about firewalls is this: A firewall is only one component of a comprehensive security policy.

Here are some ways that you can choose the right firewall product for your firm, implement it within an overall strategy, and plug any remaining security holes.

Security vs. Convenience

Choosing the right security architecture involves inevitable trade-offs. In general, the more secure the firewall, the less transparent it becomes, and the less convenient it is for authorized users to pass through. To weigh the trade-offs, you must determine what constitutes an acceptable risk. Ask yourself, "How much damage can be done if my data is compromised or corrupted?" However, you shouldn't automatically discount the value of convenience. It could determine the success of Internet acceptance across your organization and may have some security consequences of its own. If Internet access becomes too cumbersome, savvy users will find other, less manageable, ways to connect to the Internet, usually through Internet service providers (ISPs) or on-line services.

On the low end of firewall security is packet screening (also known as network-level firewalls or filtering gateways), a mechanism that is usually handled at the router level. Working on the TCP/IP headers, the router screens each packet for its source and destination addresses (and, where the router supports it, protocol and port numbers) and allows or denies entry based on rules that you develop to define allowable transmissions.

Network-level firewalls are low-security approaches, because they're vulnerable to hackers who break in by IP spoofing. In this attack, the intruder forges the source address of incoming packets so they appear to come from a trusted host; the router admits them because the source address is just a header field the sender fills in, and nothing in a screening rule distinguishes an authentic address from a forged one. One partial defense is an anti-spoofing rule: a packet that arrives on the external interface but claims an internal source address should be dropped, whatever the rest of the rule set says, because the interface it arrived on is the only evidence the router has of where it really came from. Beyond that, routers are insecure because they're essentially dumb boxes that were designed to enable the free flow of information, not to prevent data transmission.

To improve security, you can place a host or an isolated subnetwork behind the screening router. The host sits on the private network, and the screening router allows access only to this host. The screened host restricts entry points to the private network, so you can better audit, control, and fortify access by adding security measures to the single host. The screened host then becomes a choke point for monitoring data flow.
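To make the screening-router model concrete, here is an added example (not from the article, and not any vendor's product) of a packet-screening rule evaluator written in Python. It applies a "deny everything not explicitly allowed" rule list over the fields a screening router sees (arrival interface, source and destination address, protocol, destination port) and shows the spoofing hole: a rule that trusts the internal address range alone admits an outside packet carrying a forged internal source, and an anti-spoofing check on the external interface closes it. The addresses, interface names and rules are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed private network behind the screening router (a documentation
# address range, chosen for the example) and the screened host on it.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
SCREENED_HOST = "192.0.2.25/32"


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrived on: "ext" or "int"
    src: str                   # source IP address as written in the header
    dst: str                   # destination IP address
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    iface: Optional[str] = None          # None matches any interface
    src: Optional[str] = None            # CIDR; None matches any source
    dst: Optional[str] = None            # CIDR; None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """True when every field the rule specifies agrees with the packet."""
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Assumed policy: outsiders may reach only SMTP and HTTP on the screened host.
# The third rule trusts the internal address range alone, without pinning it
# to the internal interface; that is the hole spoofing exploits (the stricter
# alternative is iface="int" on that rule).
RULES: List[Rule] = [
    Rule("allow", iface="ext", dst=SCREENED_HOST, proto="tcp", dport=25),
    Rule("allow", iface="ext", dst=SCREENED_HOST, proto="tcp", dport=80),
    Rule("allow", src=str(INTERNAL_NET)),
]


def screen(p: Packet, rules: List[Rule] = RULES, antispoof: bool = True) -> str:
    """Return "allow" or "deny" for one packet.

    Rules are consulted first-match-wins; a packet matching no rule is denied.
    With antispoof=True, a packet arriving on the external interface that
    claims an internal source address is denied before any rule is consulted.
    """
    if antispoof and p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "deny"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed packet: from outside, forged internal source, aimed at telnet
    # on an internal host.
    spoofed = Packet("ext", "192.0.2.10", "192.0.2.7", "tcp", 23)
    print("spoofed telnet, antispoof on :", screen(spoofed))
    print("spoofed telnet, antispoof off:", screen(spoofed, antispoof=False))
```

The rule list alone would let the spoofed packet through, because the third rule asks only where the packet claims to come from; the anti-spoofing check adds the one fact the attacker cannot forge, the interface the packet physically arrived on.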

Internet by Proxy

Application-level firewalls go a step further than network-level packet screening. An application-level firewall sits between the private network and the Internet and relays data between the two networks. Application programs, or proxies, run on the firewall gateway and enable specific software services, such as e-mail, SNMP, or FTP. Proxies can perform sophisticated functions such as logging or user authentication, and because each is built to understand one protocol, proxies can enforce customized security options (e.g., allowing incoming FTP while blocking outgoing FTP).

However, even application-level firewalls are vulnerable. A proxy checks that a session conforms to its protocol, not what the data it relays will do once inside, so FTP and other Internet protocols can carry content through without any real security check, exposing the network to attack from the inside. In particular, application-level firewalls will pass Trojan-horse programs or macro files, two variations of rogue programs that hide inside authorized programs or documents. These programs execute as soon as they are opened or read. Besides causing direct damage to your system, an embedded program might read a well-known host table and mail data and password lists to an outside address.

Proxy servers present management headaches, according to Kevin Kitagawa, Internet security product line manager for Sun's Internet Commerce Group. "Proxy servers are wonderful for most common Internet protocols or services," he says. "The problem is, for every new protocol or service that comes out, you have to add another application to the proxy server, like screening audio and so on." The proxy server cannot handle protocols that lack a specific proxy for them. Proxy architectures can also degrade performance and transparency.
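As an added example (not the article's, and not any vendor's proxy), here is the control-channel half of a protocol-aware FTP proxy in Python. It parses each FTP command, enforces a per-direction policy of the kind the article describes (inbound sessions limited to browsing and downloading, outbound sessions blocked entirely) and logs every decision by user, masking the password. The command whitelist and the per-command upload restriction are assumptions that go beyond the article's one-line example. It also illustrates the limitation discussed above: the proxy sees FTP verbs, not the bytes of a RETR transfer, so a document carrying a macro passes unexamined, and a protocol the policy table does not know is simply not handled.

```python
import logging
from typing import Dict, List, Set, Tuple

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Assumed policy: one verb whitelist per session direction.
# "inbound": an outside client reaching the screened FTP host; it may browse
# and download, but STOR/APPE/STOU are deliberately absent so it cannot upload.
# "outbound": an inside user reaching an outside server; blocked entirely.
POLICY: Dict[str, Set[str]] = {
    "inbound": {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "PORT",
                "LIST", "NLST", "SIZE", "RETR", "NOOP", "QUIT"},
    "outbound": set(),
}

DENY_REPLY = "500 Command not permitted by proxy.\r\n"


class FtpCommandProxy:
    """Control-channel filter for one FTP session.

    Only the command/reply channel passes through here. The data channel
    (the bytes of a RETR or LIST) is relayed by a separate path and is not
    inspected, which is exactly the gap the article warns about.
    """

    def __init__(self, direction: str, policy: Dict[str, Set[str]] = POLICY):
        self.allowed = policy[direction]
        self.user = "?"
        self.log: List[str] = []

    def handle(self, line: str) -> Tuple[bool, str]:
        """Return (relay, reply). If relay is False, send `reply` to the client instead."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":                      # remember who is asking, for the audit trail
            self.user = arg or "?"
        shown = "****" if verb == "PASS" else arg   # never write passwords to the log
        decision = "ALLOW" if verb in self.allowed else "DENY"
        entry = f"{self.user} {decision} {verb} {shown}".rstrip()
        self.log.append(entry)
        logging.info(entry)
        return (True, "") if decision == "ALLOW" else (False, DENY_REPLY)


def filter_session(direction: str, lines: List[str]) -> Tuple[List[str], List[str]]:
    """Run a scripted session through the proxy; return (relayed commands, audit log)."""
    proxy = FtpCommandProxy(direction)
    relayed = [line for line in lines if proxy.handle(line)[0]]
    return relayed, proxy.log


if __name__ == "__main__":
    # Constructed session: a download the proxy allows, then an upload it blocks.
    filter_session("inbound", ["USER anon", "PASS guest@", "RETR report.doc",
                               "STOR dump.txt", "QUIT"])
```

Every new protocol needs its own table of verbs and its own parser like this one; that is the maintenance cost Kitagawa describes, and it is why a proxy firewall cannot pass a protocol it was never taught.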

A dual-homed gateway represents the highest level of firewall security. A host system sits on both the private network and the Internet. TCP/IP forwarding is disabled, fully isolating the two networks. You supply access by configuring application proxies or by granting user log-ins to the gateway host.

If you choose to implement proxies for access, you face the same shortcomings inherent in proxy servers (i.e., requiring a proxy for each supported service). If, instead, you grant users log-ins to the gateway host, a single compromised gateway password puts the entire private network at risk.

Several commercial firewall products provide turnkey ways to install a firewall in your organization. No matter which level of firewall security you choose, the product you buy or create should offer some minimum capabilities (see the table "Firewall Checklist").

A good firewall should incorporate a set of peripheral security systems to protect such things as e-mail transfers and provide for data integrity through password protection and encryption capabilities. These peripheral systems should perform five key functions:


--  Authentication (on an individual, computer, network, or subnetwork basis).

--  Access control.

--  Encryption: encoding transferred data so that only the intended recipient can decrypt it.

--  Data integrity: ensuring that any change to information in transit is detected.

--  Nonrepudiation: proof that a known entity generated a transaction, usually provided by digital signatures.
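The list above keeps data integrity and nonrepudiation separate; the added Python example below (not from the article) shows why the distinction matters. It protects a transaction with an HMAC under a key shared by the two gateways, detects an intercepted and altered copy, and then shows that the receiver, holding the same key, can forge a perfectly valid envelope in the sender's name: a shared-key MAC gives integrity but not nonrepudiation, which is why the last item calls for digital signatures. The key, the parties and the transaction format are assumptions for the example; Python's standard library has no public-key signing, so that half is described rather than shown.

```python
import hashlib
import hmac
import json
import secrets

# Assumed shared secret agreed between the two gateways (generated for the example).
SHARED_KEY = secrets.token_bytes(32)


def mac(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the canonical envelope body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def protect(key: bytes, sender: str, payload: dict) -> dict:
    """Wrap a transaction in an envelope carrying a MAC over its canonical form.

    sort_keys and fixed separators make the serialization canonical, so the
    receiver recomputes the MAC over byte-identical input.
    """
    body = json.dumps({"sender": sender, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return {"body": body, "tag": mac(key, body.encode())}


def verify(key: bytes, envelope: dict) -> bool:
    """Recompute the MAC; compare_digest keeps the comparison constant-time."""
    expected = mac(key, envelope["body"].encode())
    return hmac.compare_digest(expected, envelope["tag"])


def intercept_and_alter(envelope: dict, old: str, new: str) -> dict:
    """What an interceptor without the key can do: change the body, keep the tag."""
    return {"body": envelope["body"].replace(old, new), "tag": envelope["tag"]}


def demo() -> dict:
    # Constructed transaction from alice to bob.
    order = protect(SHARED_KEY, "alice", {"transfer": 100, "to": "acct-42"})
    altered = intercept_and_alter(order, '"transfer":100', '"transfer":9000')
    # bob holds the same key, so he can mint an envelope that verifies yet was
    # never sent by alice. The MAC proves integrity between key holders; it
    # cannot prove which of them spoke. That needs a signature made with a
    # private key only alice holds.
    forged_by_bob = protect(SHARED_KEY, "alice", {"transfer": 9000, "to": "acct-bob"})
    return {
        "genuine": verify(SHARED_KEY, order),
        "altered": verify(SHARED_KEY, altered),
        "forged_by_receiver": verify(SHARED_KEY, forged_by_bob),
    }


if __name__ == "__main__":
    print(demo())
```

The integrity check catches the in-transit alteration, but "forged_by_receiver" verifies as well: with a shared key, either party could have produced any valid envelope, so neither can hold the other to it. Nonrepudiation, as the list says, is the job of a digital signature.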

A Firewall Isn't Enough

Checking for and plugging security holes is one of the final stages of a firewall security audit, according to Padgett Peterson, corporate information security engineer for Lockheed Martin. From his base office in Orlando, Peterson manages over 1000 WANs, from government installations and various partner companies to the WANs that support the 190,000 employees of Lockheed Martin.

Echoing other security experts, Peterson recommends that you begin a security audit by establishing a comprehensive network security policy. According to a survey done this year by the American Society for Industrial Security, only 51 percent of reporting companies had a written information-systems security policy. Yet, policy is the most crucial part of performing a security audit. It should define what information, computer resources, and corporate assets are most sensitive -- in short, what needs protection and from whom.

You should set up a policy that controls employee passwords and teaches basic rules of password protection. For example, don't make passwords obvious, don't give out passwords over the phone, and don't leave them lying around or scribbled on Post-It notes. Michael Oke, a system software and security consultant, reports that a 12-year-old boy hacked a Southern California sales firm using just such a found password. He capitalized on a bug in SYSEDIT and downloaded an entire database after memorizing a password he saw stuck to the receptionist's terminal when tagging along on a delivery with an older sibling.

The second step in plugging security holes is to take a census of your company's electronic weak points. Know the inherent security holes in each computing platform that runs at your company. Then, on a node-by-node basis, check for human programming errors and locations where information may cross paths, such as e-mail and telnet transfer points, dial-in-modem ports, Web access points, or a Web server that's set up on the intranet.

Third, consider using a network security testing firm or a commercial security tool. One such firm is Internet Security Systems (Atlanta, GA). ISS developed a software tool called the Internet Scanner to search for network security weaknesses. The Internet Scanner goes over the network and applies the algorithms and techniques a hacker uses to see whether there's a known weakness in the firewall or in an individual host, such as a Unix system.

The scanner looks for 130 known security holes on firewalls, routers, Unix, Windows, and Windows NT -- any device that is accessible through TCP/IP. It runs on a variety of Unix variants, and the cost varies depending on the work load: $795 to scan 10 devices, $3995 for 100, and $19,995 for 1000.

Programs such as SATAN (System Administrator's Tool for Analyzing Networks) also scan Unix-based machines for typical entry points. They are available for free off the Internet (search for keyword "SATAN") but require a fairly technical security auditor to direct and interpret them.
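An added example (not the Internet Scanner, SATAN or any product) of the simplest thing such tools do: a TCP connect scan in Python that reports which ports answer and flags the ones an auditor associates with known weak points. The localhost listener it starts, the risky-service table and the reasons in it are constructed for the example so that it runs offline; point a scanner only at hosts you are authorized to test.

```python
import socket
import threading
from contextlib import closing
from typing import Dict, List, Tuple

# Assumed table of services an auditor flags on sight, with the reason.
# Illustrative only; it is not the Internet Scanner's or SATAN's database.
RISKY_SERVICES: Dict[int, Tuple[str, str]] = {
    21:   ("ftp",    "cleartext passwords; confirm anonymous upload is off"),
    23:   ("telnet", "cleartext logins; replace with an authenticated proxy or disable"),
    79:   ("finger", "reveals account names, a starting point for password guessing"),
    111:  ("sunrpc", "portmapper advertises RPC services such as NFS"),
    512:  ("rexec",  "password sent in the clear"),
    513:  ("rlogin", "trusted-host (.rhosts) authentication can be defeated by spoofing"),
    514:  ("rsh",    "same trusted-host weakness as rlogin"),
    2049: ("nfs",    "exported file systems reachable unless restricted by host"),
}


def tcp_connect_scan(host: str, ports, timeout: float = 0.25) -> List[int]:
    """Report which of `ports` accept a TCP connection (a full-connect scan)."""
    found = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the handshake completed
                found.append(port)
    return found


def audit(host: str, ports) -> List[Tuple[int, str, str]]:
    """Pair each open port with what an auditor should make of it."""
    findings = []
    for port in tcp_connect_scan(host, ports):
        name, why = RISKY_SERVICES.get(
            port, ("unknown", "unlisted service: identify it and decide whether it belongs"))
        findings.append((port, name, why))
    return findings


def start_listener(port: int = 0):
    """Throwaway localhost TCP listener so the scan has something real to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    srv.settimeout(0.2)            # lets the accept loop notice when srv is closed

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:        # listener closed: stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Pick a port the OS currently has unbound, so it reads as closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo() -> dict:
    """Scan one open and one closed localhost port and return what was found."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        return {
            "open_port": open_port,
            "closed_port": closed_port,
            "scan": tcp_connect_scan("127.0.0.1", [closed_port, open_port]),
            "findings": audit("127.0.0.1", [open_port]),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(run_demo())
```

A real audit tool goes further than a connect scan: it talks to each service it finds and tests for the specific weaknesses in its database, which is why the article's scanners are priced by the number of devices and need a trained auditor to interpret them.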

The last step in a comprehensive security audit is to create a report of known weaknesses. It should answer several key questions: how to secure access and monitor the bidirectional flow of data; to whom your company should grant access rights; how up to date your current security mechanisms are; how much the security system will cost; and how much the data is worth in relation to that expense.

Peterson recommends performing audits and updating system security policy once a year or when a major change in corporate structure takes place.

Due Diligence

Ultimately, firewalls are not impenetrable. The good news is that the firewall market is still maturing. Modern commercial firewalls take security to the next level by combining the best elements of past firewall developments and teaming them with encryption, user authentication, digital signatures, and management software to further tighten gateway security. The best software-driven devices are fully configurable with comprehensive, single-point management and reporting capabilities administered from a stand-alone terminal that talks to the firewall. Firewalls are increasingly used to buffer corporate intranets not only from the Internet, but from each other.

After you install a state-of-the-art firewall, don't get complacent, warns Oke. "The main reason firewalls don't work is because people put too much dependence on them. They open holes that may or may not have been there before they installed the firewall," he says.

The best firewall won't prevent breaches caused by obvious passwords, passwords carelessly given to unauthorized persons, or insecure dial-in modems. Remember the Maginot Line. No doubt it was impressive, but all you had to do was walk around it.


Firewall Checklist

In a comprehensive report financed by the National Institute of Standards and Technology, authors John Wack and Lisa Carnahan recommend looking for firewalls with the following elements:

--  Strong filtering techniques that support a "deny all services except those specifically permitted" policy, based on attributes such as source and destination IP address, protocol type, source and destination ports, and inbound/outbound interfaces.

--  Easy configuration to support your basic security policy.

--  Flexibility to accommodate new services and needs as the security policy and organizational structure change.

--  Proxy services to implement advanced authentication measures (e.g., digital-signature certificates or public-key cryptography) and centralize SMTP at a buffer zone between servers.

--  Segregation of systems that don't require public access.

--  Thorough logging and auditing tools for reporting suspicious activity.

--  A secured version of the OS, such as Unix, in which all known security holes are already plugged.

--  An interface that is easy to use and maintain, including an extensible architecture for patching new holes that might arise.




Security Holes

[Illustration] A security policy that's too restrictive may encourage employees to open up entry points around a firewall.


Safe but Not Perfect

[Illustration] A dual-homed gateway boosts security with a host connected to both the private network and the Internet.


Deborah Kerr is a freelance writer based in northern California who specializes in Internet commerce and related security issues. You can reach her at dkerr@aol.com .

Copyright © 2005 CMP Media LLC