BACKGROUND FIREWALL AND BASICS
What is a Network Firewall?
A firewall is a system or group of systems that enforces an access
control policy between two networks. The actual means by which this is
accomplished varies widely, but in principle, the firewall can be
thought of as a pair of mechanisms:
one which exists to block traffic, and the other which exists to permit
traffic. Some firewalls place a greater emphasis on blocking traffic,
while others emphasize permitting traffic. Probably the most important
thing to recognize about a firewall is that it implements an access
control policy. If you don't have a good idea of what kind of access you
want to allow or to deny, a firewall really won't help you. It's also
important to recognize that the firewall's configuration, because it is
a mechanism for enforcing policy, imposes its policy on everything
behind it. Administrators for firewalls managing the connectivity for a
large number of hosts therefore have a heavy responsibility.
Why would I want a firewall?
The Internet, like any other society, is plagued with the kind of jerks
who enjoy the electronic equivalent of writing on other people's walls
with spraypaint, tearing their mailboxes off, or just sitting in the
street blowing their car horns. Some people try to get real work done
over the Internet, and others have sensitive or proprietary data they
must protect. Usually, a firewall's purpose is to keep the jerks out of
your network while still letting you get your job done.
Many traditional-style corporations and data centers have computing
security policies and practices that must be adhered to. In a case where
a company's policies dictate how data must be protected, a firewall is
very important, since it is the embodiment of the corporate policy.
Frequently, the hardest part of hooking to the Internet, if you're a
large company, is not justifying the expense or effort, but convincing
management that it's safe to do so. A firewall provides not only real
security--it often plays an important role as a security blanket for
management.
Lastly, a firewall can act as your corporate ``ambassador'' to the
Internet. Many corporations use their firewall systems as a place to
store public information about corporate products and services, files to
download, bug-fixes, and so forth. Several of these systems have become
important parts of the Internet service structure (e.g.: UUnet.uu.net,
whitehouse.gov, gatekeeper.dec.com) and have reflected well on their
organizational sponsors.
What can a firewall protect against?
Some firewalls permit only email traffic through them, thereby
protecting the network against any attacks other than attacks against
the email service. Other firewalls provide less strict protections, and
block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated
interactive logins from the ``outside'' world. This, more than anything,
helps prevent vandals from logging into machines on your network. More
elaborate firewalls block traffic from the outside to the inside, but
permit users on the inside to communicate freely with the outside. The
firewall can protect you against any type of network-borne attack if you
unplug it.
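To make the ``pair of mechanisms'' idea from the first section and the contrast just drawn (an email-only firewall versus one that merely blocks known-problem services) concrete, here is an added example that is not part of this FAQ: a toy first-match packet-filter evaluator in Python. The inside network 10.0.0.0/8, the mail host 10.0.0.25 and the sample addresses are constructed for the example; the two rule sets decide the same packets under a default-deny stance (emphasis on blocking) and a default-permit stance (emphasis on permitting).

```python
"""Toy packet-filter policy evaluator: first matching rule wins, otherwise the default applies.
Added example; the address plan and rule sets below are constructed, not taken from any product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: 10.0.0.0/8 is "inside", everything else is "outside".
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def direction_of(pkt: Packet) -> str:
    """Classify a packet relative to the inside network."""
    src_inside = ipaddress.ip_address(pkt.src) in INSIDE
    dst_inside = ipaddress.ip_address(pkt.dst) in INSIDE
    if not src_inside and dst_inside:
        return "in"
    if src_inside and not dst_inside:
        return "out"
    return "other"  # inside-to-inside or outside-to-outside never crosses the firewall


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    direction: str             # "in" (outside -> inside), "out" (inside -> outside), "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None  # exact destination host, or None for any host
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != direction_of(pkt):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst is not None and ipaddress.ip_address(self.dst) != ipaddress.ip_address(pkt.dst):
            return False
        return True


def evaluate(pkt: Packet, rules: List[Rule], default: str) -> Tuple[str, str]:
    """First matching rule decides; when nothing matches, the default action applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "no rule matched; default policy"


# Policy A: "email only" firewall, emphasis on blocking (default deny).
# Only SMTP to the mail host comes in; insiders may talk to the outside freely.
EMAIL_ONLY = [
    Rule("permit", "in", "tcp", 25, "10.0.0.25", "inbound mail to the mail host"),
    Rule("permit", "out", comment="inside users reach the outside freely"),
]

# Policy B: "block known-problem services" firewall, emphasis on permitting (default permit).
# Inbound unauthenticated interactive-login services are refused; everything else passes.
BLOCK_KNOWN_BAD = [
    Rule("deny", "in", "tcp", 23, comment="telnet"),
    Rule("deny", "in", "tcp", 513, comment="rlogin"),
    Rule("deny", "in", "tcp", 512, comment="rexec"),
]


def decide(pkt: Packet, policy_name: str) -> str:
    """Return "permit" or "deny" for the packet under the named policy."""
    if policy_name == "email_only":
        return evaluate(pkt, EMAIL_ONLY, default="deny")[0]
    return evaluate(pkt, BLOCK_KNOWN_BAD, default="permit")[0]


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.7", "10.0.0.25", "tcp", 25),    # outside -> mail host, SMTP
        Packet("192.0.2.7", "10.0.0.25", "tcp", 23),    # outside -> mail host, telnet
        Packet("192.0.2.7", "10.0.0.99", "tcp", 8080),  # outside -> some other inside host
        Packet("10.0.0.5", "192.0.2.7", "tcp", 80),     # inside -> outside web
    ]
    for pkt in samples:
        print(pkt, "email_only:", decide(pkt, "email_only"),
              "block_known_bad:", decide(pkt, "block_known_bad"))
```

The third sample packet is the one that shows the difference in stance: under the email-only policy an unexpected inbound service is denied because nothing permits it, while under the block-known-bad policy it passes because nothing forbids it. That gap is exactly why the FAQ says the access-control policy has to be decided before the firewall can help.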
Firewalls are also important since they can provide a single ``choke
point'' where security and audit can be imposed. Unlike in a situation
where a computer system is being attacked by someone dialing in with a
modem, the firewall can act as an effective ``phone tap'' and tracing
tool. Firewalls provide an important logging and auditing function;
often they provide summaries to the administrator about what kinds and
amount of traffic passed through it, how many attempts there were to
break into it, etc.
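The logging and audit summary described above, as an added example in Python that is not part of this FAQ: it parses constructed firewall log lines in a made-up key=value format, tallies what was permitted by service and how much traffic crossed in each direction, and counts denied inbound attempts per source so that a host repeatedly knocking on the choke point stands out in the administrator's summary.

```python
"""Summarize firewall decisions from log lines. Added example; the log format and the
sample lines are constructed for illustration and do not come from any real product."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (RFC 5737 documentation addresses), including one unparseable line.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw filter: PERMIT in src=192.0.2.7 dst=10.0.0.25 proto=tcp dport=25
Jun 10 12:00:02 fw filter: DENY in src=192.0.2.7 dst=10.0.0.25 proto=tcp dport=23
Jun 10 12:00:03 fw filter: DENY in src=192.0.2.7 dst=10.0.0.26 proto=tcp dport=23
Jun 10 12:00:04 fw filter: DENY in src=192.0.2.7 dst=10.0.0.27 proto=tcp dport=23
Jun 10 12:00:05 fw filter: PERMIT out src=10.0.0.5 dst=198.51.100.9 proto=tcp dport=80
Jun 10 12:00:06 fw filter: PERMIT out src=10.0.0.5 dst=198.51.100.9 proto=tcp dport=443
Jun 10 12:00:07 fw filter: DENY in src=203.0.113.4 dst=10.0.0.25 proto=tcp dport=513
Jun 10 12:00:08 fw filter: PERMIT in src=203.0.113.4 dst=10.0.0.25 proto=tcp dport=25
this line is garbage and is skipped by the parser
"""

LINE_RE = re.compile(
    r"(?P<action>PERMIT|DENY) (?P<direction>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Port-to-service names used only to make the summary readable.
SERVICE_NAMES = {25: "smtp", 23: "telnet", 80: "http", 443: "https", 512: "rexec", 513: "rlogin"}


def parse(lines: List[str]) -> List[Dict]:
    """Turn log lines into records; lines that do not match the format are dropped."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def summarize(records: List[Dict], probe_threshold: int = 3) -> Dict:
    """Build the kind of summary an administrator wants from the choke point:
    traffic by (action, direction), permitted traffic by service, and denied inbound
    attempts per source; sources at or above probe_threshold are flagged."""
    summary = {
        "totals": Counter(),                 # (action, direction) -> count
        "permitted_by_service": Counter(),   # service name -> count
        "denied_inbound_by_source": Counter(),
        "probing_sources": [],
    }
    for r in records:
        summary["totals"][(r["action"], r["direction"])] += 1
        service = SERVICE_NAMES.get(r["dport"], str(r["dport"]))
        if r["action"] == "PERMIT":
            summary["permitted_by_service"][service] += 1
        elif r["direction"] == "in":
            summary["denied_inbound_by_source"][r["src"]] += 1
    summary["probing_sources"] = sorted(
        src for src, n in summary["denied_inbound_by_source"].items() if n >= probe_threshold
    )
    return summary


def report(summary: Dict) -> List[str]:
    """Render the summary as lines suitable for a daily mail to the administrator."""
    lines = ["Traffic through the firewall:"]
    for (action, direction), n in sorted(summary["totals"].items()):
        lines.append(f"  {action:6s} {direction:3s} {n}")
    lines.append("Permitted traffic by service:")
    for service, n in summary["permitted_by_service"].most_common():
        lines.append(f"  {service:8s} {n}")
    lines.append("Denied inbound attempts by source:")
    for src, n in summary["denied_inbound_by_source"].most_common():
        flag = "  <-- repeated probes" if src in summary["probing_sources"] else ""
        lines.append(f"  {src:15s} {n}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse(SAMPLE_LOG.splitlines())))))
```

The threshold is deliberately a parameter: what counts as ``how many attempts there were to break into it'' depends on the site, and a summary that flags every single denied packet is as useless as one that flags nothing.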
This is an important point: providing this ``choke point'' can serve
the same purpose on your network as a guarded gate can for your site's
physical premises. That means anytime you have a change in ``zones'' or
levels of sensitivity, such a checkpoint is appropriate. A company
rarely has only an outside gate and no receptionist or security staff to
check badges on the way in. If there are layers of security on your
site, it's reasonable to expect layers of security on your
network.
What can't a firewall protect against?
Firewalls can't protect against attacks that don't go through the
firewall. Many corporations that connect to the Internet are very
concerned about proprietary data leaking out of the company through that
route. Unfortunately for those concerned, a magnetic tape can just as
effectively be used to export data. Many organizations that are
terrified (at a management level) of Internet connections have no
coherent policy about how dial-in access via modems should be protected.
It's silly to build a 6-foot thick steel door when you live in a wooden
house, but there are a lot of organizations out there buying expensive
firewalls and neglecting the numerous other back-doors into their
network. For a firewall to work, it must be a part of a consistent
overall organizational security architecture. Firewall policies must be
realistic and reflect the level of security in the entire network. For
example, a site with top secret or classified data doesn't need a
firewall at all: they shouldn't be hooking up to the Internet in the
first place, or the systems with the really secret data should be
isolated from the rest of the corporate network.
Another thing a firewall can't really protect you against is traitors
or idiots inside your network. While an industrial spy might export
information through your firewall, he's just as likely to export it
through a telephone, FAX machine, or floppy disk. Floppy disks are a far
more likely means for information to leak from your organization than a
firewall! Firewalls also cannot protect you against stupidity. Users who
reveal sensitive information over the telephone are good targets for
social engineering; an attacker may be able to break into your network
by completely bypassing your firewall, if he can find a ``helpful''
employee inside who can be fooled into giving access to a modem pool.
Before deciding this isn't a problem in your organization, ask yourself
how much trouble a contractor has getting logged into the network or how
much difficulty a user who forgot his password has getting it reset. If
the people on the help desk believe that every call is internal, you
have a problem.
Lastly, firewalls can't protect against tunneling over most application
protocols to trojaned or poorly written clients. There are no magic
bullets and a firewall is not an excuse to not implement software
controls on internal networks or ignore host security on servers.
Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite
simple and trivially demonstrated. Security isn't ``fire and
forget''.
What about viruses?
Firewalls can't protect very well against things like viruses. There
are too many ways of encoding binary files for transfer over networks,
and too many different architectures and viruses to try to search for
them all. In other words, a firewall cannot replace
security-consciousness on the part of your users. In general, a firewall
cannot protect against a data-driven attack--attacks in which something
is mailed or copied to an internal host where it is then executed. This
form of attack has occurred in the past against various versions of
sendmail, ghostscript, and scripting mail user agents like
Outlook.
Organizations that are deeply concerned about viruses should implement
organization-wide virus control measures. Rather than trying to screen
viruses out at the firewall, make sure that every vulnerable desktop has
virus scanning software that is run when the machine is rebooted.
Blanketing your network with virus scanning software will protect
against viruses that come in via floppy disks, modems, and Internet.
Trying to block viruses at the firewall will only protect against
viruses from the Internet--and the vast majority of viruses are caught
via floppy disks.
Nevertheless, an increasing number of firewall vendors are offering
``virus detecting'' firewalls. They're probably only useful for naive
users exchanging Windows-on-Intel executable programs and
malicious-macro-capable application documents. There are many
firewall-based approaches for dealing with problems like the
``ILOVEYOU'' worm and related attacks, but these are really
oversimplified approaches that try to limit the damage of something that
is so stupid it never should have occurred in the first place. Do not
count on any protection from attackers with this feature.
A strong firewall is never a substitute for sensible software that
recognizes the nature of what it's handling--untrusted data from an
unauthenticated party--and behaves appropriately. Do not think that
because ``everyone'' is using that mailer or because the vendor is a
gargantuan multinational company, you're safe. In fact, it isn't true
that ``everyone'' is using any mailer, and companies that specialize in
turning technology invented elsewhere into something that's ``easy to
use'' without any expertise are more likely to produce software that can
be fooled.