Firewalls

October 3, 1998

Chuan Xia
Department of Electrical and Communications Engineering
Helsinki University of Technology
cxia@cc.hut.fi

Jianling Zhang
Department of Mechanical Engineering
Helsinki University of Technology
jlzhang@cc.hut.fi


A firewall is a security mechanism that allows limited acess to your site from the internet, allowing approved traffic in and out according to a thought-out plan. This lets you select the services appropriate to your business needs, while barring others which may have significant security holes. A firewall can significantly improve the level of site security while at the same time permitting access to vital Internet services.




1 Introduction


A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy.[7, 9]

The firewall is designed specifically as a security system for preventing unauthorized communications between one computer network and another computer network and more specifically for preventing unauthorized access to a private computer network from a public computer network such as the Internet.[4]

Firewalls are also important since they can provide a single "check point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.


2 The architectures of firewalls


Firewalls are a secured gateway at the perimeter of security domains. They are a computer version of a customs checkpoint, enforcing the site's security policy to control traffic into and out of the internal networks. Safe internal connectivity is the major objective of firewalls. Some firewalls do work with protocols TCP/IP, known as TCP/IP firewalls [5].


2.1 The basic design decisions in a firewall


There are a number of basic design issues that should be addressed while designing, specifying, and implementing or overseeing the installation of a firewall.[2,7,11]

The first and most important is reflects the policy of how your company or organization wants to operate the system: is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net, or is the firewall in place to provide a metered and audited method of "queuing" access in a non-threatening manner.

The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.

The third issue is financial: how much it will cost either to buy or to implement. For example, a complete firewall product may cost between $100,000 at the high end, and free at the low end. The free option, of doing some fancy configuring on a Cisco or similar router will cost nothing but staff time and cups of coffee. Implementing a high end firewall might cost several man-months, which may equate to $30,000 worth of staff salary and benefits. The systems management overhead is also a consideration. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but continuing costs such as support.

On the technical side, there are a couple of decisions to make, based on the fact that for all practical purposes what we are talking about is a static traffic routing service placed between the network service provider's router and your internal network. The traffic routing service may be implemented at an network level via something like screening rules in a router, or at an application level via proxy gateways and services.

The decision to make is whether to place an exposed stripped-down machine on the outside network to run proxy services for telnet, ftp, news, etc., or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are pluses and minuses to both approaches, with the proxy machine providing a greater level of audit and potentially security in return for increased cost in configuration and a decrease in the level of service that may be provided (since a proxy needs to be developed for each desired service).


2.2 The basic types of firewalls


There are two types of firewalls:Network level and Application level [8] .

Network level firewalls generally make their decisions based on the source, destination addresses and ports in individual IP packets. A simple router is the "traditional" network level firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network level firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One thing that's an important distinction about many network level firewalls is that they route traffic directly though them, so to use one you usually need to have a validly assigned IP address block. Network level firewalls tend to be very fast and tend to be very transparent to users.

Application level firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application level firewalls can be used as network address translators, since traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application level firewalls such as those built using the TIS firewall toolkit [10], are not particularly transparent to end users and may require some training. Modern application level firewalls are often fully transparent. Application level firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network level firewalls.


3 Conclusions


More and more companies are subscribing to online services that require Internet access, with this increasing access comes the challenge of securing previously isolated internet systems. To control this risk, most companies deploy some kind of firewall technology. Firewall implementation comes in different shapes and sizes, from network routers to expensive dedicated system using several computers and costing over $100K. Corporations place these firewalls between the internal trusted networks and the external public networks. All internal-external communications occur through these firewalls. There are many different kinds of firewalls which are used for different purposes[1,3]. Firewalls are an impediment to E-commerce via the web, they either block it or they allow it but do not improve security [6].


# References


[1] Anon, Feature comparison of several firewalls, October 1997[referred 30,September,1998]
< http://www.cz/firewall_solution/test.html >

[2] Anon, How to pick an internet firewall, January 1998 [referred 30,September,1998]
< http://www.clark.net/pub/mjr/pubs/pick >

[3] Fulmer, Catherine, Firewall Product Overview, July 1998 [referred 30,September,1998]
< http://www.access.digex.net/~bdboyle/firewall.vendor.html >

[4] Gelb Organization, In Pursuit of the User Friendly, Impenetratable,Tamperproof , Impregnable Firewall, 1998 [referred 30,September,1998]
< http:// www.gelb.com/chapter1.htm >

[5] ORACLE, SQL*Net and Firewalls, October 1995 [referred 30,September,1998]
< http://www.zeuros.co.uk/firewall/library/oracle-and-fw.pdf >

[6] Ranum, J.Marcus, Firewalls:The State of the Art, January 1998[referred 30,September,1998]
< http://www.clark.net/pub/mjr/pubs/fw-art >

[7] Ranum, J. Marcus & Curtin, Matt, Internet Firewalls Frequently Asked Questions, June 22,1998 [referred 30,September,1998]
< http:// www.clark.net/pubs/fwfaq >

[8] Ranum, J. Marcus, The Future of Firewalls, January 1998[referred 30,September,1998]
< http://www.clark.net/pub/mjr/pubs/futr-fw >

[9] Wack, P. John & Carnahan, J. Lisa, Keeping Your Site Comfortably Secure:An Introduction to Internet Firewalls, Feb 9 1995 [referred 30,September,1998]
< http://csrc.nist.gov/nistpubs/800-10/ >

[10] Young, Keith, The TIS Firewall Toolkit FAQ, 1998 [referred 30,September,1998]
< http://www.erols.com/avenger/index.html >

[11] ZDNet, Find the Right Firewall, January 1997 [referred 30,September,1998]
< http://www.zdnet.com/icom/content/anchors/970127/1.html >


# Further Information


AltaVista , AltaVista Firewall 98, September 25, 1998
Firewall products and technical overview

Anon, Thinking About Firewires V2.0: Beyond Perimeter Security, 1993
Information about the latest topics in firewalls

Mark Grennan, Firewalling and Proxy Server HOWTO, November 8, 1996
Information about building a firewall

Newman, David, Holzabaur Helen & Bishop Kathleen, Firewalls:Don't Get Burned, March 21, 1997
Test report about firewall products in terms of security, management, and performance

Outlink Inc., The firewall Report Overview, October 1997
The firewall report, Product profiles and supplier profiles

Ranum, J. Marcus, On The topic of Firewall Testing,1995
Topic of firewall certification and testing

The COAST Project, Purdue University,November 1996
The comprehensive list of resources associated with Internet firewalls

ZDNet, Windows NT Firewalls Are Born, Feburary 1997
Informations about Windows NT firewalls

ZWeb, The Rotherwick Firewall Resource
The most comprehensive firewall resource on the web