Firewalls

1998-11-18

Juha Sääskilahti
Tuotantotalous
Teknillinen Korkeakoulu
Juha.Saaskilahti@hut.fi

Executive Summary

---

Contents:
1. Introduction
2. What Is a Firewall
3. Dangers
3.1 Direct Intrusion
3.2 Spoofing
3.3 Domain Name Services (DNS)
3.4 Sendmail
3.5 FTP
3.6 Satan
3.7 Not Encrypted Connections
3.8 Getting Confidential Information
3.9 Disturbing Normal Use
3.10 Altering Information
4. Firewall
4.1 Firewall Types
4.2 Firewall Parts
5 A Few Words

---

1. Introduction

Internet is now and here. Everyone can get into the Internet. That means not only the good people, but also the malicious and bad people like hanging around in the Internet. And also the ingenious prank lovers like to try to get into YOUR computer and into YOUR network. Therefore it is important for companies also of small- and medium size to have a secure connection to the Internet. [2], [4]

2. What Is a Firewall

In real life a firewall is a construction that will stop the fire from spreading straight throughout the building. In the world of networking a firewall is a device that will stop (or at least does its best effort to stop - as a real firewall) unwanted networking to go from a network to another - it is a controlled gateway between one network and another [3]. In a normal case the unwanted network traffic could consist of break-in attempts, malicious software, et cetera.

Figure 1 represents two examples for using firewalls. Nowadays it is getting crucial for every company to have an Internet connection. The connection could anyhow be very dangerous, as we have stated the Internet is full of anonymous perils that have no other tasks but to try to get into YOUR network. The simplest solution is to filter all traffic between the company internal network (should that be LAN/MAN/WAN or whatever) and the Internet. The firewall can monitor and restrict the traffic in various ways; that can help to stop the spiteful crackers. The firewall can for instance simply stop all the traffic but the one coming from some specific network address. (That can be got around anyhow, as we later in this document find out.)



If the company is big, it might want to protect some part of its network (see figure 1). That part could be anything from strategic database to production control system. It is not a wise politics to let everyone within the company (or in worst case in the Internet) to access the production system - whether it is a railroad control system or a bottling machine order handler.

3. Dangers

This chapter will go through the different risks that possible hackers or other vicious instances may pose to a network. First we look at a couple of methods of breaking into a network and then we take a short overview of the vulnerability of different network services and for the end we consider some possible consequences an intrusion could cause.

3.1 Direct Intrusion

If the whole network is connected openly to the Internet, anyone within the Internet can try to break into the computer systems in the network. If the passwords are weak, the password-files freely available (even in encrypted form), or some other security risk exists, it is pretty easy to find out a user id-password - combination and do anything within the system. The intrusion could be done with telnet, ftp or such protocol. [7]

The password security is pretty low in open networks; for instance telnet and ftp transfer the passwords in plain text-form, and it is very easy to spy/monitor the network traffic and obtain the password.

3.2 Spoofing

In the TCP/IP the origin, route and destination of a data packed is marked on the data packet. Firewalls usually provide a security feature to restrict the traffic to some specific network addresses. Anyhow, it is very easy for a malevolent party to masquerade itself to a trusted network address and set the routing options so that the data is sent back to it. That could happen so that the attacker would change its host's IP address to match the trusted client. Then the attacker would create a such source route that will use the attacker's network address as the last hop address. Then the attacker could just send a request to the server under attach and get the answer. [7]

SMTP (Simple Mail Transfer Protocol) is a very vulnerable to spoofing, because with it, it is very easy to change the sender's identity. It could be used to send harmful information by some third party.

3.3 Domain Name Services (DNS)

Domain Name Services are rather vulnerable to break-in attempts. From a DNS service it is usually pretty easy to find out the whole network topology and the trusted IP-address-space. With these data it is then easy for the twisted hackers to plan and implement a large-scale intrusion attempt. [6]

3.4 Sendmail

Sendmail is a Unix-based emailing software that can pose a remarkable risk to the invulnerability of a network. The software consists of thousands of lines of code. And already now the flaws in the software have enabled some pretty "big" intrusions. [6]

3.5 FTP

If the FTP service is not carefully implemented, it could be used to get to all kinds of information in the computer with an anonymous id. In 1996 the hackers got into a server of Freenet, and user-information of 65000 users were nearly removed. [6]

3.6 Satan

With Satan software it is possible to probe the weaknesses of several hosts. The Satan is freely available and could be very harmful when used by beginner. [6]

3.7 Not Encrypted Connections

Telnet, http, smtp, as many other protocols transfer the data over Internet in a form that is not encrypted. It is rather easy to get this data with adequate monitors. From this data it is then easy to either read the contents or get some password-, credit card etc. information. There are some secure protocols to be used in not trusted networks, like https and ssh.

3.8 Getting Confidential Information

One risk that the crooked hackers pose to the systems they have got in is that they find their way up to the confidential information. The information could be then sold to the direct competitors, or could be spread throughout the internet. Just think what would happen if a competitor of a software developing company would get detailed information of its competitor's next generation software project.

3.9 Disturbing Normal Use

Sometimes it is not even necessary to get into the system and get crucial information; the ill-minded frauds just like to block the information channels by sending so much data that it blocks the normal communications. The data sent could be anything from emails to break-in attempts. Disturbance could also be some viruses or malicious software spread within the network. For instance a Trojan Horse is a piece of software that says it does something, but what it actually does is something harmful, like spreads viruses.

3.10 Altering Information

If the vile crackers get in to the network and computers they might just like to do a nasty trick. As we have from newspapers read, these attempts do succeed every now and then: for instance the CIA homepage was altered to remind of some not so desirable philosophy few years ago. Swedish telecom monopoly Telia was attached some time ago and its WWW site was changed to one of its competitor [6].

4 Firewalls

In this chapter we will take a short look over the different types of firewalls and their protective measures. Then we take a short look over what should a proper firewall system consist of.

4.1 Firewall Types

There are four types of firewalls: Filtering gateways, circuit gateways, application gateways and hybrid or complex firewalls [3].

A packet filtering firewall will filter the TCP/IP packets sent through the firewall. That means, that for instance packets only from some specific network address get through. As we earlier found out the IP- addresses are rather easy to spoof. A second step in packet filtering is to allow/disallow some specific protocols. The most risky protocols should be blocked or restricted to some specific computers only. A following list is just an overview of protocols that could cause a serious risk, if configured wrongly [1]:

• tftp, (trivial ftp)
• X-Windows, Sun Open Windows
• RPC-services, like NIS or NFS
• rlogin, rsh, rexec
• telnet
• SMTP (Simple Mail Transfer Protocol)
• RIP (Routing Information Protocol)
• DNS (Domain Name Services)
• UUCP (Unix-Unix Copy Protocol)
• NNTP (Network News Transfer Protocol)
• NTP (Network Time Protocol)

A circuit level firewall works so that all requests from the requesting computer are directed to a single computer acting as a firewall. The requests are then forwarded out from the network and they appear just like coming directly from the firewall. This means that the topology and IP-space of the internal network is masqueraded so that internal IP-addresses are not visible outside the network. This enables also that the whole network can access Internet with a single IP-number allocated from the Internet IP-space. The circuit level firewall implementation may anyhow require some modifications to the computers in the network, that could turn out very hard to make or impossible. [3]

Application level firewalls are often called proxies. The proxies act very much similarly to circuit level firewalls, but provide a higher level of filtering and security capabilities. A proxy may have a secondary authentication (which can be very secure, like when using SecureID, which is a small device that is synchronised to the proxy and generates continuously new passwords [6]). A proxy could even have some kind of a virus protection. The limitation of proxies is that the data throughput might not be high enough because of the advanced handling. One positive side of proxies is that they will in many cases provide an extensive logging of the traffic.

One very important feature that almost all commercially available firewalls provide - some better, some not so well - is the ability to log and monitor the network traffic. Monitoring is very important for instance for noticing the attempts to break in to the system. There are different levels of monitoring systems available.

4.2 Firewall Parts

A firewall configuration can be divided to four parts. The first part is the network policy. There are two basic network policies [5]:

• To allow all the services, but the ones separately prohibited
• To disallow all the services, but the ones separately allowed

The policy states all the services that are either allowed or disallowed. The first policy is of course more insecure.

A Second part of a firewall configuration is the configuration of the authentication methods. Third part is the set-up for packet filtering and the fourth part is a possible configuration of gateways (i.e. proxies). A proxy is a mediator between the Internet and LAN. That is: if one wants to retrieve a HTML-document from web, he will send the request to a proxy-server, instead of directly to the WWW-server. The proxy server then will forward the request to the Internet and will control all the network traffic. [5]

If a company wants to have for instance own WWW-services in the Internet, it is not wise policy to have the WWW-server within the own network. On the other hand if the WWW-services are located in a separate server in Internet, the updating could be dangerous - especially if the updating process is done with ftp, telnet etc. not-encrypted system: anyone could get the passwords and damage the contents of the WWW-site.



One solution for this is represented in figure 2. The idea of DMZ (Demilitarised Zone) is to have a protected area for the external services [1]. That means that there are double-firewalls against the internet. The company side firewall will enable the updates to the WWW-servers, but no other traffic. A proxy- server could be located in this DMZ. The outbound firewall will protect the services from getting vandalised or intruded from outside. Either, or both firewalls can and should include features like packet filtering, IP-masquerading and authentication.

5. A Few Words

Security is a very important matter to be considered when designing a network. Firewall is a handy way to provide in many cases sufficient security for the network. Anyhow, one should keep in mind, that if a company is small, and the only Internet connection is a single computer with a dial-up adapter, there is no need for extensive firewall set-up. The security could get very expensive. A maximum security firewall usually requires a person either part-time or full-time to monitor the usage of the connection and do all new set-ups.

Therefore the level of a firewall should be considered thoroughly, before rushing into shop to buy the maximum security systems. The firewalls, proxies etc. do not make life easier, but more secure.

---

References

[1] Andersson, Carl Adam, Industriell Ekonomi, LiTH, Nätverk Säkerhet, Kryptering och Brandväggar, 11.5.1997. [Referenced 30.9.1998] <http://www.island.liu.se/~i93caran/projekt.html>

[2] Anon, Description of Cisco Solutions, Cisco Systems Inc., 1998. [Referenced 30.9.1998] <http://www.datelec.com/sourcefiles/secucisco_centri.html>

[3] Anon, What is an Internet Firewall? Fujitsu Canada, Inc., 26.9.1998 [Referenced 30.9.1998] <http://www.fujitsu.ca/solution/sentry.htm>

[4] Anon, Ziff-Davis Publishing Company, If you can reach them, they can reach you. 1995. [Referenced 30.9.1998] <http://www.zdnet.com/pcweek/sr/0619/tfire.html>

[5] Miikkulainen Jari, Internetin turvallisuus ja palomuurit. [Referenced 30.9.1998] <http://keskus.hut.fi/opetus/s38116/1997/esitelmat/40545w/>

[6] Savinainen Timo, Tuomainen Arto, Borderware Firewall 4.0 - palomuuripalvelimen asennus ja konfigurointi, Loppuharjoitustyö, 7.4.1997. [Referenced 30.9.1998] <http://www.pspt.fi/kurssit/lht/unix1/palomuuri/>

[7] Wack John, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, US Department of Commerce, National Institute of Standards and Technology, 9.2.1995. [Referenced 30.9.1998] <http://csrc.ncsl.nist.gov/nistpubs/800-10/>