
Firewalls: A Piece In The Internet Security Puzzle
by David L Schoen

Internet security is a growing concern.
This concern has been brought to the forefront by the
well-publicized case of Kevin Mitnick, an infamous hacker, and
the cases of hacked web sites of CNN.com and Microsoft Corporation.
This paper will look at why Internet security is needed
and the need for developing awareness about Internet security.
In addition, this paper will focus on one aspect of Internet
security – firewalls.

Most consumers think about Internet security when they send
their social security or credit card number over the Internet.
In reality this may be the time when their information
is the best protected.
Recent releases of browsers in the United States feature
128-bit encryption. This
level of encryption, along with web sites offering secured transaction
sets, creates a secured method of sending information over the
Internet.

In an interview, Joan Wilbanks, chief executive officer of
SecureWorks, commented on encrypted transactions, ‘Everybody
brags about being encrypted … but that doesn’t mean anything
once it (card (sic) card information) gets into the database.’
(Paul, 2000, pE6). Wilbanks
went on to say, ‘… the most critical component --- the database
where all that information is stored --- is what businesses
need to focus on.’ Paul A. Henry, managing director of CyberGuard, agreed, saying,
‘As the sector matures, people are now going to have to go back
and spend money (on security).
Web site merchants also are being forced in that direction
by credit card networks.’

Web sites that do not store credit card information also need
to be concerned with Internet security.
Patrick Gray, special agent with the FBI’s Computer crimes,
stated, ‘A lot of companies will not report intrusions because
people will have a loss of faith in the company… Nationally,
the FBI is investigating about 2,000 cyber crimes and Web break-ins,
up from 1,200 last year.’ (Paul, 2000, pE6).
An article in Maclean’s reports “More sophisticated attacks
are often concealed from the public – or clients—by embarrassed
businesses. But
they happen daily. Computer
intrusions reported to CERT” (Computer Emergency Response Team
at Carnegie Mellon University) “tripled last year to nearly
10,000. The San
Francisco-based Computer Society Institute found in one recent
study that 70 per cent of Fortune 500 companies surveyed experienced
at least one security breach during 1999.”
(Wood, Branswell, and Scott, 2000, p38).

Frank Bernhard, technology economist for the University of California
at Davis, states, ‘The security problem on the Internet is growing
faster than anyone could have dreamed a couple of years ago.’
(DeLong, 2001).
His research found “computer hackers cost businesses
nearly 6 cents for every dollar of revenue.”
Frank Bernhard went on to say, ‘This year could make the
Y2K scare look innocent, because it is really happening.
The Internet is not a very secure place.’ Michael
Epstine reported on Morning Edition, “A recent Pricewaterhouse
study puts the cost of cybercrime and industrial espionage in
the United States at about $300 million a year.” (Edwards, 2001).

With the more traditional criminal elements moving onto the
Web (Paul, 2000, pE6), what are lawmakers doing?
NewsFactor Network reported “Congress is still bogged
down on basic privacy issues and anti-spam legislation – a far
cry from the growing problems presented by hackers and the economic
and security damage they are causing, which ranges from theft
of sensitive information to loss of credibility.” (DeLong, 2001).
When looking for governments to play a role in controlling
crime, how much involvement is needed? Last November, Tom Heneghan
reported, “The world’s first cybercrime treaty is being hastily
redrafted after Internet lobby groups assailed it as a threat
to human rights that could have ‘a chilling effect on the free
flows of information and ideas.’”
(Heneghan, 2000).
Ken Athanasiou, director of information security for
WingspanBank.com, states, ‘I’d like to see more pressure on software
organizations to spend time building security into their products
and testing for the most common vulnerabilities.
Other than that, I’d rather they stayed clear.
My experience with government organizations is that they
are very expensive and accomplish things too slowly to be of
much use in the fast-paced Internet arena.’ (Sieglein, 2000,
p7).

Part of any defense system is knowing the aggressor and their
method of operation. Defending a web site is no different.
Attacks on web sites are not similar in nature.
They vary as to agenda, damage, and type of attacker.
In an article in InternetWeek, Tim Wilson makes a differentiation
between hackers and crackers, “… hackers set forth rules and
codes to separate themselves from ‘crackers,’ the criminals
who steal, destroy or damage the data they access.
True hackers…only explore the sites they penetrate, never
leaving behind anything more than a signature to let others
know they were there.”
(Wilson, 2000, p88).
The web site for Network Ice Corporation, a developer
of Internet firewalls, profiles four basic types of attackers:
the script kiddie, the web vandal, the serious hacker, and the
internal intruder. (Network
Ice Corp.)

Script Kiddies are mostly males under the age of 18 who are
not afraid of being prosecuted due to their age.
In addition, they may be accessing web sites from international
locations, particularly Russia.
Script Kiddies are usually inexperienced hackers looking
to create problems by deleting files or adding scripted code
that was created by more experienced hackers.
A slightly more experienced hacker is the Web Vandal.
Their agenda is to vandalize web sites.
A well-known example of a Web Vandal attack occurred in 1998,
when ABC’s web site was hacked and Nazi propaganda was posted.
(Network Ice Corp.).

The serious hacker does not want their access to the web site
discovered. They
discreetly move about the site searching for vulnerabilities.
This may be done while posing as a customer or a user
of the system. Each
hacker has their own style but generally follows the same pattern:
gather information, scan the network, and then break into the
network. (Network Ice Corp.).

When the serious hacker gathers information,
they are looking for social information about the site such
as the system administrator and employees.
The hacker then notes scripts, applets and any other items
they might perceive as vulnerable.
Once the hacker has completed gathering information,
the hacker will begin scanning the network by pinging to locate
active devices and open ports.
The hacker then focuses on finding specific vulnerabilities
such as the version of FTP (File Transfer Protocol) software
being used. Using
the information acquired, the hacker attacks the network.
Unlike their counterparts, serious hackers do not want
to be discovered. They
want time to download information about your company, its
finances, and its clients.
The serious hacker’s agenda may include extortion or
industrial espionage. (Network Ice Corp.).

The internal intruder may be an employee or contractor working
for the company. Because
they are doing legitimate work on the network, they are more
difficult to detect and stop. (Network Ice Corp.).
Bruce Schneier, chief technology officer for Counterpane
Internet Security, said a survey they conducted “found that
71 percent of respondents detected unauthorized access by insiders,
such as employees and contractors.”
(Schwartz, 2000, p3).
Kevin Mitnick often used social engineering to gain access
to sites: “What I’ve always said, you could have the best firewalls,
the best encryption, the best authentication devices, even using
biometric authentication devices, all it takes is one person
to be duped that has access to information or could weaken the
network infrastructure and all that money is wasted.
Security’s as strong as the weakest link in the chain,
and usually the human element is the one that’s overlooked the
most.” (Edwards,
2001).

Anita Rosen, author of The E-Commerce Question And Answer
Book, feels there is a low probability your site will be hacked:
“Since there is a tremendous amount of information on the Internet,
there is a low probability that a hacker is targeting you or
your company. Hackers
tend to go after big name companies and organizations.
They are usually looking for recognition from other hackers.
Organizations that are high-level targets are the military
and financial institutions.”
(Rosen, 2000, p24).
Gary Shipley at Planet IT disagrees: “Last year, we were
performing a routine security assessment for a small organization.
This organization has fewer than 100 servers and does
nothing involving credit cards or national security…We found
signs of intruders on not just one but many machines … It quickly
became obvious that the network had been severely compromised,
but the intruders were in for the long haul.”
(Shipley, 2001, p2).

Gene Spafford points out four reasons individuals and organizations
do not properly secure their computers and networks.
The first reason is failing to understand information
security. Criminals
will go to any length to find out information.
This may include dumpster diving and social engineering.
Secondly, management has not bought in to the security
program and made it part of corporate policy.
Thirdly, users want additional features added to the
system so they load their own software.
Finally, users are only worried about attacks from outside.
(Sieglein, 2000, p2).

How can an individual or organization protect
their information and networks against intruders?
Anup K. Ghosh, author of E-commerce Security, states,
“Firewalls are the first line of defense against malicious
users, placed between the computer network to be protected
and the network that is considered to be a security threat.” (Ghosh, 1998, p210).
Christopher Westland, author of Global Electronic Commerce,
points out that not all companies understand this staple of Internet
security. “Despite
widespread public concern about Internet security, firewalls
are implemented in only about half of U.S. firms, and an even
lower percentage internationally.
Industry’s relatively low level of firewall implementation
reflects the fact that the greatest barrier a firm has to
external hackers is the hacker’s limited knowledge of the
architecture and operations of the firm’s systems.”
(Westland, 1999, p278).

“A firewall is a system or a group of systems that enforces
an access control policy between two networks.”
(Curtin and Ranum, 2000, p4).
In a white paper, Steven M. Bellovin states,
“…they rely on the assumption that everyone on one side
of the entry point – the firewall – is to be trusted, and that
anyone on the other side is, at least potentially, an enemy.”
(Bellovin, 1999).
Chuck Semeria at 3Com points out “… a firewall system
cannot offer any protection once an attacker has gotten through
or around the firewall.”
(Semeria, 1996, p1).

“Firewalls offer a convenient point where Internet security
can be monitored and alarms generated.”
(Semeria, 1996, p1).
“Firewalls are also important since they can provide
a single ‘choke point’ where security and audit can be imposed.”
(Curtin and Ranum, 2000, p4).
Dave Jarrell, technical director for the Federal Computer
Incident Response Capability (FedCIRC), points out that firewalls
can be used in several locations within an intranet for added
levels of security: “…more organizations realize that firewalls
can be used internally, to control access to different layers
of an enterprise network, where security requirements may vary”
(Robinson, 1999).

The two basic types of firewalls being used today are packet
filtering routers and proxy servers. (Palmer and Nash)
The packet filtering router is a network layer firewall.
The decision the router makes is based upon the IP packet’s
source, destination and port.
Because packet filtering routers work at a lower level,
they “…are faster, but easier to fool into doing the wrong thing.”
(Curtin and Ranum, 2000, p10).
Below are examples of firewalls.
Figures 1 and 2 are examples of network layer firewalls.
Figure 3 is an example of an application layer firewall.
(Curtin and Ranum, 2000, p10).
A discussion on the operation of these firewalls is beyond
the scope of this paper.
“Certain services (e.g., SMTP, HTTP, or NTP) are usually
safe to control via packet filters while others (e.g., DNS,
FTP) may require the more complex feature available only in
proxies.” (Carnegie
Mellon Software Engineering Institute, 1999, p1).
The proxy server is an application layer firewall.
“Since the proxy applications are software components
running on the firewall, it is a good place to do lots of logging
and access control.” (Curtin and Ranum, 2000, p12).

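
An added example, not taken from the paper or its sources: a stateless, first-match packet filter that decides only on protocol, source, destination and port, as the paragraph above describes. The addresses, rule set and helper names are constructed for illustration; it shows why active-mode FTP needs a far broader rule than SMTP or HTTP, the case the quoted Carnegie Mellon guidance leaves to proxies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
INSIDE = "192.0.2.0/24"            # constructed network (documentation range)
ALL_PORTS = range(0, 65536)
HIGH_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str                       # CIDR blocks
    dst: str
    proto: str
    sports: range
    dports: range
    note: str

    def matches(self, p: Packet) -> bool:
        # Header fields only: no payload inspection and no session state.
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.sport in self.sports and p.dport in self.dports)


RULES = [  # constructed rule set, evaluated top to bottom
    Rule("allow", ANY, "192.0.2.25/32", "tcp", ALL_PORTS, range(25, 26), "SMTP to mail host"),
    Rule("allow", ANY, "192.0.2.80/32", "tcp", ALL_PORTS, range(80, 81), "HTTP to web host"),
    # Active-mode FTP: the server connects back from port 20 to a client high port.
    Rule("allow", ANY, INSIDE, "tcp", range(20, 21), HIGH_PORTS, "FTP data, active mode"),
]


def decide(packet, rules=RULES):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "default deny"


def broad_allow_rules(rules=RULES, max_ports=16):
    """Audit helper: allow rules that expose many ports to any source address."""
    return [r.note for r in rules
            if r.action == "allow" and r.src == ANY and len(r.dports) > max_ports]
```

The audit helper flags only the FTP rule: the filter sees a source port of 20 but cannot tell whether an FTP session exists behind it, which is the context an FTP proxy has and a packet filter lacks.
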
In his book, Global Electronic Commerce, Christopher Westland
states:

Remember that firewalls are not the panacea to providing
network host security.
Rather, a combination of application-level security,
secure protocols, Internet-safe clients, and secured operating
system software can provide the optimal solution.
This requires an active maintenance plan on the
part of the system administration that includes monitoring
security newsgroups, patching software released vendors,
auditing system logs, and perhaps even employing real-time
intrusion-detection software.
(Westland, 1999, p218).

Matt Curtin and Marcus Ranum agree.
They write, “Firewalls can’t protect against attacks
that don’t go through the firewall.”
(Curtin and Ranum, 2000, p5).
They go on to state “It’s silly to build a 6-foot thick
steel door when you live in a wooden house, but there are a
lot of organizations out there buying expensive firewalls and
neglecting the numerous other back doors into their network.”
(Curtin and Ranum, 2000, p6).

An article, Firewalls Becoming Ineffective,
Experts Say, which was in the December 22, 2000 edition of
Planet IT, offers numerous summary points.
The article quotes Mark Bouchard, program director for global
network strategies group at Meta Group as saying “Firewalls
are certainly part of any good security scenario, but are
not a complete solution without the addition of other technologies.”
(Schwartz, 2000).
The article states that Bouchard’s “strategy would
start with firewalls as the primary defense mechanism, adding
network intrusion detection on more critical junctions in
the network and host-based intrusion detection on critical
application servers and database servers.” (Schwartz, 2000).
Dennis Vogel, product manager for PIX Firewall at Cisco,
agrees: “If your firewall were your only security product,
you might end up with something that is crunchy on the outside
but soft and chewy in the middle.
You might have a nice perimeter of defense, but once
someone were to penetrate that, they have a free reign on
the inside of the network.” (Schwartz, 2000).
What about the internal intruder?
Barry Cioe, product manager with Symantec Corp, recommends
firewalls be deployed at the external entry point and within
the corporate intranet on sensitive servers.
He states, “That goes a long way toward protecting
your sensitive servers as well as restricting the nature and
type of access your internal users have, even inside your own
network.” (Schwartz, 2000).
Ted Doty, product manager at Internet Security Systems,
Inc., states, “Firewall technology is now considered a critical
part of any agency’s security posture … doing business
without a firewall is no longer an option.
Firewalls are the first line of defense for any security
scheme … and they are inexpensive enough that ‘there’s no
longer any reason for people not to have one.’”
(Robinson, 1999).

Bibliography

Bellovin, Steven M., Distributed Firewalls, ;login:, 11-1999.

Curtin, Matt., Ranum, Marcus, Internet Firewalls: Frequently Asked
Questions, Computer Based Learning Unit, University of Leeds, 2000, p12.

DeLong, Daniel F., Hackers said to cost U.S. billions, NewsFactor
Network, 02-08-2001.

Edwards, Bob., Profile: Social engineering as an effective tool.,
Morning Edition (NPR), 02-23-2001.

Ghosh, Anup K., E-commerce Security, New York, John Wiley, 1998, p210.

Heneghan, Tom., Protests Force Rewrite Of Cybercrime Pact, Planet IT,
11-13-2000.

Palmer, Gary., Nash, Alex., FreeBSD Handbook.

Paul, Peralte C., Staff, Hackers show new criminal twist ATLANTA TECH.,
The Atlanta Constitution, 12-27-2000, pE6.

Robinson, Brian., Firewalls: The first line of defense., FCW on
Security, 03-29-1999.

Rosen, Anita., The E-Commerce Question And Answer Book, New York,
AMACOM, 2000, p24.

Schwartz, Karen D., Firewalls Becoming Ineffective, Experts Say.,
Planet IT, 12-22-2000, p3.

Semeria, Chuck., Internet Firewalls and Security, 3Com Corporation,
1996, p1.

Shipley, Greg., Defensive Tools, The High Price of Vulnerability,
Planet IT, 02-20-2001, p2.

Sieglein, William., Defensive Tools, Washington E-Security Conference
Paints Gloomy Picture, Planet IT, 12-19-2000, p7.

Unknown., Design the firewall system, Carnegie Mellon Software
Engineering Institute, 1999, p1.
http://www.cert.org/security-improvement/practices/p053.html

Unknown., Network Ice Corp.
http://advice.networkice.com/products/firewalls.html

Westland, Christopher J., Global Electronic Commerce, Cambridge, Mass,
MIT Press, 1999, p278.

Wilson, Tim., BACK TALK: Hackers’ Best Days Are Far Behind Them.,
InternetWeek, 04-17-2000, p88.

Wood, Chris., Branswell, Brenda., in Montreal and Scott, Robert., in
Toronto, Tech: Fighting Net Crime: Canada’s police are only starting to
catch up with hackers and other criminals who target online computer
users., Maclean’s, 06-12-2000, p38.