
What firewalls can (and can't) do for you

Advanced firewall technology can save you security grief

By Mark Pace
Summary
Chances are, your enterprise network depends on some form of firewall technology to protect critical data from outside attack while allowing your users legitimate Internet access. It's your responsibility to understand the general principles, advantages, and disadvantages of such technology so you can plan your network and application development around it. We provide you with a basic technical overview of how firewalls work and what they can -- and can't -- do to protect your Web site. (2,168 words)
Netscape Enterprise Developer

February 1998


If you're the one responsible for your company's Web presence, most of your time is probably spent on debugging pages, changing content, and dealing with the requirements of the people who fund your efforts. With all that free time on your hands, you probably haven't had a chance to bone up on the latest firewall technologies. Firewalls exist to protect your work, however, and your understanding of them can be crucial to you and your security experts when something goes wrong. In addition to laying out the basics of firewall technology, this article shows you the right questions to ask to make sure you're truly protected.

TCP/IP review
Before delving into the three basic types of firewalls, a quick review of TCP/IP is in order. The real building block of the protocol suite is IP (Internet protocol). IP has two basic jobs: to deliver packets to a destination and to perform fragmentation and reassembly of packets. It doesn't check to make sure packets arrive, nor does it resend information if there is a problem -- this error checking is left to the higher-level protocols that run on top of IP.

To provide for the open-ended ability to add protocols on top of IP, IP uses a protocol type identifier. TCP (transmission control protocol), IP type 6, was one of the first higher-level protocols created for IP. It performs error checking and handles retransmissions if there is a failure. Most services have their own registered TCP ports -- for example, SMTP e-mail uses port 25, and HTTP uses port 80. As a client computer connecting to a server, you usually open a "high" port (a port greater than 1024) and connect to the server's registered port; e.g., port 23 if you're using telnet. Data then passes back and forth between your client system and the server, using these ports for the duration of a connection.

UDP (user datagram protocol), IP type 17, was the answer to a few of the shortcomings in TCP. While it does provide very reliable, stable delivery of information, TCP doesn't offer the quickest delivery of information. TCP's lengthy error-checking routines ensure correct delivery of packets; UDP was created to reduce transmission time. To gain this delivery speed, UDP forgoes ensuring the delivery of packets; all error checking is left to whatever service is using UDP. For example, Sun's NFS uses UDP and provides its own error checking. Applications that are sensitive to timing tend to use UDP. For instance, streaming audio programs usually use UDP because they would rather drop a tiny bit of information than stop the stream for retransmission. UDP employs the same client-to-server port structure as TCP.

More IP protocols have been springing up recently, including Microsoft's PPTP and the new standard for IP tunneling, IPsec. These additions have caused problems for many firewalls, since most were designed for TCP and UDP only. Newer releases of certain firewalls have, however, been adding support for new protocols.

Types of firewalls: The packet filtering system
The first and most traditional form of firewall technology is packet filtering. Packet filtering is most commonly implemented in a router on the border of a network. Of the three basic firewall technologies, packet filtering is the most basic, easiest to configure, and in most cases requires no special configuration of client and server machines on your local network.

With packet filtering, the router decides whether to block or allow access to different machines on the protected network by consulting a list of rules. These rules can allow or disallow traffic based on source and destination. They can also filter by IP protocol type or by TCP or UDP port number. For example, if you wanted to allow SMTP e-mail into a particular server, you would allow any IP address on the Internet to send packets to TCP port 25 on your mail server. For another example, if you didn't want anyone telnetting to your Unix servers, you would block TCP port 23 from coming through the filter.

In most cases, you would explicitly allow traffic to those ports below 1024 that were used by your services (turning off all other ports below 1024), and allow all ports above 1024 through. This makes it possible for client machines to use any services they like on the Internet while still protecting the servers on your local network. It's important to note here that there are some services that use ports above 1024 -- a good example being Microsoft's SQL Server, which uses TCP port 1433. If you use SQL Server on your network, you'll want to disallow that port. Whenever you configure a new service, it's prudent to note which TCP or UDP ports that particular service uses, and then make the decision whether to let your firewall allow traffic to that port or block it to protect your server.

The biggest drawback of packet filtering devices is that they leave you vulnerable to attack on ports that are allowed through the firewall. In most cases, this happens when someone accidentally or innocently sets up a machine that exposes your network, because they simply don't know they're doing something that is a potential security risk. In other cases people will intentionally configure services that allow access through. For example, a disgruntled employee can easily set up an FTP server on a port higher than 1024. It would then be a snap to pipe all the data on your server right out over this FTP server to anyone who knows what port it's running on.

The proxy server system
After packet filtering technology arose, the proxy server firewall method was invented. This method offered some unique advantages over packet filtering. Unlike packet filters, however, proxied networks usually require special configuration of the client machines.

Proxy servers work on the principle that the client machines on the network should have no direct access to the Internet. The proxy server and any servers that you intend to access from the Internet reside on a separate network that has access to the Internet; this network is called the DMZ (demilitarized zone). To gain access to the Internet, the client machines make requests to the proxy server, which then, if allowed by its list of rules, retrieves the requested information and returns it to the client.

The advantage of the proxy server is that it allows a network configuration where the clients have no direct access to the Internet. This keeps all unwanted traffic out of the local network and ensures that only traffic that meets the access rules you've configured is allowed to pass in and out of the network. There is no chance of someone configuring a machine on the local network that allows outside traffic in without custom configuration of the proxy server.

Some proxy servers also have the ability to cache commonly requested data, freeing up valuable Internet bandwidth. Proxy servers also make it possible to use an unregistered network number for your local network, conserving IP addresses -- only the proxy server itself requires a registered IP address.

Proxy servers do have a few distinct disadvantages. Unlike simple packet filtering firewalls, proxy servers require the same management and maintenance as any other server. Proxy servers also have difficulty using the vast number of latest-and-greatest Internet tools being released every day -- many of these new services do not support proxy servers, or require custom-written proxies that are always released much later than the actual service.

Stateful firewall systems
A relatively new technology, and certainly the most secure and advanced, is the stateful firewall. This kind of firewall combines many advantages of both the packet filter and the proxy server. Like the packet filtering setup, it requires no client configuration.

The stateful firewall analyzes network traffic that traverses it. For example, if a user sets up an FTP server on a TCP port higher than 1024, the firewall, knowing that this is FTP traffic, will allow or disallow it based on the rules that you've configured. These firewalls actually understand the protocols that pass through them, so they can securely allow or disallow traffic as well as securely authenticate the use of services. Because these firewalls are protocol-aware, other services can be added to them, such as anti-virus technology to scan protocols that are susceptible to viruses.

You configure stateful firewalls with a set of rules that allow and disallow traffic. The distinction between this system and the packet filtering system is the fact that these more advanced firewalls allow and disallow based on traffic type, not based on TCP or UDP port numbers.
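As an added example that is not part of the original article, the following puts the port-based rule set from the packet filtering section beside the traffic-type decision described here and runs both over the same constructed connections. The addresses come from the RFC 5737 documentation range, and the protocol signatures are a simplified, hypothetical stand-in for the per-protocol analysis a firewall vendor ships.

```python
"""Added example: the article's packet-filter rules beside a protocol-aware
check, run over constructed traffic.  Addresses are from the RFC 5737
documentation range; the protocol signatures are a constructed stand-in
for the per-protocol parsers a real product ships."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str                # "tcp" or "udp"
    dst: str                  # destination host on the protected network
    dport: int                # destination port
    first_bytes: bytes = b""  # first application data seen, either direction

MAIL_SERVER = "192.0.2.25"
WEB_SERVER = "192.0.2.80"
ALLOWED_SERVICES = {("tcp", 25, MAIL_SERVER), ("tcp", 80, WEB_SERVER)}
BLOCKED_HIGH_PORTS = {1433}   # SQL Server lives above 1024; close it by hand

def packet_filter(flow: Flow) -> bool:
    """Port-based decision, as the article describes: open the listed
    services, close every other port below 1024 (telnet/23 included),
    and let everything above 1024 through unless explicitly blocked."""
    if (flow.proto, flow.dport, flow.dst) in ALLOWED_SERVICES:
        return True
    if flow.dport <= 1024:
        return False
    return flow.dport not in BLOCKED_HIGH_PORTS

def classify(flow: Flow) -> str:
    """Name the service from its first bytes, whatever port it uses."""
    data = flow.first_bytes
    if data.startswith(b"220 ") and b"FTP" in data.upper():
        return "ftp"          # FTP server greeting on any port
    if data.startswith(b"220 ") and b"SMTP" in data.upper():
        return "smtp"
    if data.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST"):
        return "http"
    return "unknown"

PROTOCOL_RULES = {"smtp": True, "http": True, "ftp": False}  # FTP not approved

def protocol_aware_filter(flow: Flow) -> bool:
    """Decide by traffic type; unknown traffic falls back to the port rules,
    the quicker but less secure mode the article says stateful firewalls offer."""
    kind = classify(flow)
    return PROTOCOL_RULES[kind] if kind in PROTOCOL_RULES else packet_filter(flow)

if __name__ == "__main__":
    rogue = Flow("tcp", "192.0.2.50", 2121, b"220 rogue FTP server ready\r\n")
    print(packet_filter(rogue), protocol_aware_filter(rogue))  # True False
```

The rogue FTP server on port 2121 is the case the packet filtering section warns about: the port rules wave it through, while the traffic-type rules stop it.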

Stateful firewalls come in different flavors; some are as easy to manage as packet filtering firewalls while others are robust servers which take time and energy to configure and manage. Like the proxy server, these firewalls give you the ability to run an unregistered network behind the firewall, again conserving IP addresses and giving you the ability to configure a large number of machines without the hassles of subnetting. But like proxy servers, stateful firewalls do not support new protocols immediately as they come out. Each protocol must be analyzed by the firewall manufacturer and programmed into the firewall so that it understands what is passing through it. One advantage stateful firewalls have over the proxy server is that you can halt the firewall's analysis by traffic type, simply allowing or disallowing traffic based on IP protocol type, TCP, or UDP port. While this isn't as secure as using the programmed protocol rules, it does give you the ability to get something up and running fast if you need to.

Stateful firewalls offer an additional advantage over packet filters and proxies: they provide the capability to set up virtual private networks over the Internet. Using a virtual private network, different corporate sites can send information back and forth using encryption to protect data. Also, remote users can gain encrypted access to the local network, allowing them to dial into a local ISP and forgo costly long distance calls.

Security measures behind the firewall
Firewalls do a good job, but they can't solve all of your security holes. You have to be aware of their limitations and make the extra effort to plug possible security leaks if you want a watertight Web site.

Most firewalls do an excellent job at blocking unwanted traffic. But, of course, they're totally useless if they don't allow traffic in as well. Unfortunately, once traffic slips through, the firewall has no control over that service. Stateful firewalls add extra protection by ensuring the allowed traffic is indeed running the right protocol, but that's not always enough.

Your Web site's security is only as strong as you make it. This means testing your site for security problems is a must. Turning off unwanted features is a good starting place -- for example, you probably don't want the directory browsing service running on your public site.

Another security measure to consider is using authentication methods other than clear text passwords. You also have the option of authenticating users on the firewall before allowing them to use your Web servers. For sites with a public audience, this is usually not very practical, but for some more private or business-to-business sites, it can be quite useful.

Unfortunately, recent studies show that there are easily as many security risks behind your firewall as there are outside. Disgruntled employees are one of the biggest security risks companies face these days. Unfortunately, the firewall can't protect you from such people unless it isolates your machine on a DMZ. This can be a good choice for anyone working in an environment with a large number of employees or high employee turnover.

Almost last but not least are all the security risks associated with today's quickly produced and constantly upgraded operating systems. Be sure to stay on top of the latest patches for security on the operating system you use. Read the security newsgroups to find out about the latest problems, and consider visiting hacker-related sites like www.rootshell.com.

Finally, you should be aware of one more problem -- physical security. A surprising number of people never think of this. They spend hours coming up with complex schemes for protecting their servers, implementing all the latest technology and the most powerful firewalls, carefully calculating what they'll allow or disallow on their networks, and setting up encrypted links to protect data flowing across the Internet -- and after all this, someone just walks off with the server.

About the author
Mark Pace is vice-president of Action Systems Inc., a computer consultancy. He is an expert on Internet protocols and security. Reach Mark at mark.pace@ne-dev.com.



[(c) Copyright 1998 Web Publishing Inc., an IDG Communications company]

URL: http://www.ne-dev.com/ned-02-1998/ned-02-firewall.html
Last modified: Thursday, June 17, 1999