
Internet Firewalls and Security
A Technology Overview

3Com Technical Papers

Contents

Internet Firewalls 2
Benefits of an Internet Firewall 2
Limitations of an Internet Firewall 3
The Hacker's Toolbox 4
Information Gathering 4
Probing Systems for Security Weaknesses 5
Accessing Protected Systems 5
Basic Firewall Design Decisions 5
Stance of the Firewall 5
Security Policy of the Organization 6
Cost of the Firewall 6
Components of the Firewall System 6
Building Blocks: Packet-Filtering Routers 6
Service-Dependent Filtering 7
Service-Independent Filtering 7
Benefits of Packet-Filtering Routers 7
Limitations of Packet-Filtering Routers 8
Building Blocks: Application-Level Gateways 8
Bastion Host 8
Example: Telnet Proxy 9
Benefits of Application-Level Gateways 10
Limitations of Application-Level Gateways 11
Building Blocks: Circuit-Level Gateways 11
Firewall Example #1: Packet-Filtering Router 11
Firewall Example #2: Screened Host Firewall 12
Firewall Example #3: Demilitarized Zone or Screened-Subnet Firewall 13
Summary 14
References 15

    Copyright 1996 3Com Corporation. All rights reserved.

Internet Firewalls and Security: A Technology Overview

By Chuck Semeria

Security has become one of the primary concerns when an organization connects its private network to the Internet. Regardless of the business, an increasing number of users on private networks are demanding access to Internet services such as the World Wide Web (WWW), Internet mail, Telnet, and File Transfer Protocol (FTP). In addition, corporations want to offer WWW home pages and FTP servers for public access on the Internet.

Network administrators have increasing concerns about the security of their networks when they expose their organization's private data and networking infrastructure to Internet crackers. To provide the required level of protection, an organization needs a security policy to prevent unauthorized users from accessing resources on the private network and to protect against the unauthorized export of private information. Even if an organization is not connected to the Internet, it may still want to establish an internal security policy to manage user access to portions of the network and protect sensitive or secret information.

Internet Firewalls

An Internet firewall is a system or group of systems that enforces a security policy between an organization's network and the Internet. The firewall determines which inside services may be accessed from the outside, which outsiders are permitted access to the permitted inside services, and which outside services may be accessed by insiders. For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected (Figure 1). The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. Unfortunately, a firewall system cannot offer any protection once an attacker has gotten through or around the firewall.

It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent.

Figure 1. Security Policy Creates a Perimeter Defense (diagram: the Internet; Internet firewall system; Corporate HQ; remote offices; security perimeter defense; modems, Frame Relay and leased line connections)

About the author: Chuck Semeria has worked for 3Com for the past six years. In his position as a marketing engineer in the network systems division, he develops classroom and independent study courses for the education services department in the customer services organization.

Prior to joining 3Com, Chuck was the senior course developer and instructor for Adept, a robotics and vision systems company. Before that, he taught mathematics and computer science in California high schools and junior colleges. Chuck is a graduate of the University of California at Davis.

Benefits of an Internet Firewall

Internet firewalls manage access between the Internet and an organization's private network (Figure 2). Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet. This means that the security of the private network would depend on the "hardness" of each host's security features and would be only as secure as the weakest system.

Internet firewalls allow the network administrator to define a centralized choke point that keeps unauthorized users such as hackers, crackers, vandals, and spies out of the protected network; prohibits potentially vulnerable services from entering or leaving the protected network; and provides protection from various types of routing attacks. An Internet firewall simplifies security management, since network security is consolidated on the firewall systems rather than being distributed to every host in the entire private network.

Firewalls offer a convenient point where Internet security can be monitored and alarms generated. It should be noted that for organizations that have connections to the Internet, the question is not whether but when attacks will occur. Network administrators must audit and log all significant traffic through the firewall. If the network administrator doesn't take the time to respond to each alarm and examine logs on a regular basis, there is no need for the firewall, since the network administrator will never know if the firewall has been successfully attacked!
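An added example (not from the 3Com paper) that puts two of the points above into working code: a default-deny enforcer for the three questions the paper says a firewall answers (which inside services are reachable from outside, which outsiders may reach them, which outside services insiders may use), with every verdict written to an audit log and an alarm raised when one source is denied repeatedly. The network prefix, addresses, ports and alarm threshold are constructed values.

```python
from collections import Counter
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed private-network prefix

@dataclass(frozen=True)
class Conn:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination service port

# The paper's three policy questions, answered with constructed values.
INBOUND_SERVICES = {80, 21}                            # inside services reachable from outside
PERMITTED_OUTSIDERS = {80: set(), 21: {"192.0.2.10"}}  # empty set = any outsider; FTP from one partner
OUTBOUND_SERVICES = {80, 25, 23, 21}                   # outside services insiders may use

def is_inside(addr):
    return addr.startswith(INSIDE_NET)

def decide(c):
    """Default deny: only traffic the policy explicitly permits passes."""
    if is_inside(c.src) and not is_inside(c.dst):
        return c.dport in OUTBOUND_SERVICES
    if not is_inside(c.src) and is_inside(c.dst):
        if c.dport not in INBOUND_SERVICES:
            return False
        allowed = PERMITTED_OUTSIDERS[c.dport]
        return not allowed or c.src in allowed
    return False  # nothing else should be crossing the perimeter

def filter_and_log(conns, alarm_threshold=3):
    """Return (audit log lines, sources to alarm on). A firewall that is not
    logged and reviewed tells the administrator nothing, so every verdict is
    recorded and repeated denies from one source raise an alarm."""
    log, denies = [], Counter()
    for c in conns:
        verdict = "PERMIT" if decide(c) else "DENY"
        log.append(f"{verdict} {c.src} -> {c.dst}:{c.dport}")
        if verdict == "DENY":
            denies[c.src] += 1
    alarms = {src for src, n in denies.items() if n >= alarm_threshold}
    return log, alarms

SAMPLE = [  # constructed connection attempts crossing the firewall
    Conn("10.0.0.5", "198.51.100.7", 80),   # insider to the web: permit
    Conn("203.0.113.9", "10.0.0.80", 80),   # outsider to the public WWW server: permit
    Conn("203.0.113.9", "10.0.0.80", 21),   # outsider to FTP, not the partner: deny
    Conn("192.0.2.10", "10.0.0.80", 21),    # partner to FTP: permit
    Conn("203.0.113.9", "10.0.0.12", 23),   # outsider to an internal Telnet port: deny
    Conn("203.0.113.9", "10.0.0.12", 139),  # same outsider, another service: deny
]
```

Running `filter_and_log(SAMPLE)` yields six log lines and an alarm for 203.0.113.9, the one source denied three times.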

For the past few years, the Internet has been experiencing an address space crisis that has made registered IP addresses a less plentiful resource. This means that organizations wanting to connect to the Internet may not be able to obtain enough registered IP addresses to meet the demands of their user population. An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).

An Internet firewall is the perfect point to audit or log Internet usage. This permits the network administrator to justify the expense of the Internet connection to management, pinpoint potential bandwidth bottlenecks, and provide a method for departmental charge-backs if this fits the organization's financial model.

An Internet firewall can also offer a central point of contact for information delivery service to customers. The Internet firewall is the ideal location for deploying World Wide Web and FTP servers. The firewall can be configured to allow Internet access to these services, while prohibiting external access to other systems on the protected network.

Finally, some might argue that the deployment of an Internet firewall creates a single point of failure. It should be emphasized that if the connection to the Internet fails, the organization's private network will still continue to operate; only Internet access is lost. If there are multiple points of access, each one becomes a potential point of attack that the network administrator must firewall and monitor regularly.

Figure 2. Benefits of an Internet Firewall (diagram: the Internet; Internet firewall system; private network). The firewall concentrates network security; serves as a centralized access choke point; generates security alarms; monitors and logs Internet usage; is a good location for a Network Address Translator (NAT); and is a good location for WWW and FTP servers.

Limitations of an Internet Firewall

An Internet firewall cannot protect against attacks that do not go through the firewall. For example, if unrestricted dial-out is permitted from inside the protected network, internal users can make a direct SLIP or PPP connection to the Internet. Savvy users who become irritated with the additional authentication required by firewall proxy servers may be tempted to circumvent the security system by purchasing a direct SLIP or PPP connection to an ISP. Since these types of connections bypass the security provided by the most carefully constructed firewall, they create a significant potential for back-door attacks (Figure 3). Users must be made aware that these types of connections are not permitted as part of the organization's overall security architecture.

Internet firewalls cannot protect against the types of threats posed by traitors or unwitting users. Firewalls do not prohibit traitors or corporate spies from copying sensitive data onto floppy disks or PCMCIA cards and removing them from a building. Firewalls do not protect against attacks where a hacker, pretending to be a supervisor or a befuddled new employee, persuades a less sophisticated user into revealing a password or granting them temporary network access. Employees must be educated about the various types of attacks and about the need to guard and periodically change their passwords.

    Internet firewalls cannot protect aga