Last updated 8/3/1998

White Papers

The Firewall and Online Security

The firewall is a sub-system of computer software and hardware that intercepts data packets before allowing them into or out of a Local Area Network (LAN). A firewall makes decisions on whether or not to allow data to pass based upon a security policy. For each packet of data, the firewall compares known components of the packet to a security rule set and decides if the packet should be allowed to pass. In addition, a firewall may have security rules that involve altering the packet in some basic ways before passing the data. With a sensible security policy and a security rule set designed to implement that policy, a firewall can completely protect a LAN from attacks.

Online Security

When you connect your computer to the Internet, you have also connected every other computer on the Internet to your computer. This means that anyone on the Internet has the same type of direct access to your computer that only other computers on your local network had before you connected to the Internet.

It can be a tense moment when you first realize that linking your computer to the Internet means that any hacker, anywhere, can spend as much time as they like poking around in your computer for gaps in its security system. Suddenly, you feel that you are in a very uncertain game of wits on a very uneven technological playing field you know little or nothing about. Even worse, you know that your adversary is probably an expert while you feel like a rookie. This feeling of personal vulnerability can be quite strong. In fact, many people have avoided connecting to the Internet altogether just because the security threat seemed overwhelming and totally beyond their control. No amount of business advantage seemed to be worth the risk involved. But there is no need to feel such vulnerability once you know the facts. Online security is a very complex topic, but let's put some of the issues in perspective and assess the real risks.

Where Do Security Problems Arise?

Security problems arise from two primary threats. The first threat is having your IP packets overheard as they travel across the Internet and the data in those packets stolen. The second threat is that someone outside your immediate system will use your connectivity to attack the operating system software on your machine. By breaching the security of your O/S software they may gain access to your data files.

Tapping TCP/IP Packets

The first of these security issues is the one most of us immediately worry about - someone tapping the TCP/IP data on the network. The fear is that thousands of people can easily listen in to all of the data on the Internet. In fact, this is the least likely security issue to cause you difficulty. When it does occur, it's primarily in large educational institutions or companies where all of the data circulates on the local area network (LAN) to the many computers within the institution. In other words, it's much more likely that the guy down the hall will listen in on your data than someone hacking away in the next city.

Tapping into TCP/IP data is no different than tapping into a standard voice telephone line. The person who is listening in must physically attach to the wiring that your data flows through. The most likely place to do this is on your local area network, and that is why employees in large companies and students in an educational institution are the most likely source of this activity. Once your data flows out onto the Internet, it can travel over hundreds of thousands of logical circuits, and travels different paths for nearly every distant computer you connect to. Most of these intermediate points are in secure facilities, just like the switches (routers) on your voice telephone line. If the data is tapped it will probably occur at one of the endpoints. In the vast majority of cases, it happens in your facility or at the machine you're connecting to.

There is only one way to provide security against having your TCP/IP packets tapped and it is the same one that you must use if you require a totally secure voice telephone connection — encryption. In general, it is rare that such encryption security at the TCP/IP packet level is required unless your LAN (or the LAN of sites you frequently contact with sensitive data) is very large and not physically secure.

Break-ins to Your Computer On the Internet

The most likely source of security problems that you will face is from someone on the Internet breaching the operating system security of your machine. This is an extension of the problem that arose many years ago when people began connecting dial-up modems to computers. At that point, anyone who found the phone number of a computer could spend hours trying to find ways to hack past the front door security on your modem connection.

When modems were first connecting computers, it turned out that the computers were pretty easy to break into. Why? Simply because up until then connections between computers were only established in carefully controlled settings and security issues simply hadn't been well thought out at the operating system level. Over the intervening years, connecting a modem to a computer became commonplace, and the security issues for communications software became much more critical. The security of operating systems was equally as critical, but was dealt with much more effectively over the years.

This cycle is occurring once again in these early days of taking the Internet public. This time, it's in connection with TCP/IP software. In general, older software is more difficult to assure security on than newer software. Your first security consideration, then, should be with your operating system that is the first point of contact with the Internet. It is generally true that the longer an operating system has had TCP/IP built in, the more you need to check that back doors are closed. For example, if you connect a UNIX computer system to the Internet, unless it was installed by a UNIX expert with extensive security experience, you should assume that it has an easily breachable back door somewhere that has not been closed.

There are two reasons for this. First, UNIX was originally designed over 25 years ago to be open and easily accessible at every level. Years of development have gone into making locks for most of its doors, but there are a lot of doors to lock and many of them are not obvious if you are not very skilled in the UNIX operating system. It is extremely easy to set up a UNIX system and accidentally leave one or more of its entry paths open, especially when it is connected to the Internet. Secondly, UNIX is the operating system that most college students have been taught for many years now. Therefore any security gaps it has are the most widely known among the hacker crowd of any operating system. You can buy books that purport to be about Internet security and not find any problems mentioned in them other than UNIX entry paths that may not be locked.

Windows NT is a newer operating system, but it still has vulnerabilities. For example, when you put a Windows NT server on a network you will see it show up in the Network Neighborhood on Windows 95 machines. What is not immediately obvious is the fact that someone from the outside can also see this machine if they guess a small number of items correctly. In fact, if incorrectly configured, the hacker won't even have to guess, your system will give them the information they need to get in! Windows NT is also susceptible to certain Denial of Service attacks that are well-documented. Just like UNIX-based systems, if an expert does not set up a Windows NT system, many back doors may be left open.

If you want to see what kind of attacks your system can be vulnerable to when running UNIX or Windows NT, check out http://www.cert.org/advisories/. The CERT advisory archive lists hundreds of ways to crash systems or to gain access to data on those systems. The advisories are highly technical, but looking at a few will give you a feel for how vulnerable most systems are, even when experts install them.

So what do you do if you need to connect your system to the Internet? Simple, either do not put any sensitive data on it, or alternatively do not let anyone you do not know reach it via TCP/IP. However, in some cases you may need to place such a machine on the Internet using a public IP address. In such cases, you can use a firewall to control access.

Enter Filters and Firewalls...

A true firewall is the hardware and software that intercepts the data between the Internet and your computer. It is the TCP/IP equivalent of a security gate at the entrance to your company. All traffic (data) must pass through it, and the security guard (firewall) there allows only authorized people (data) to pass into the facility (LAN).

Firewalls are typically implemented using one of four primary architectures:

• Packet Filters — The first line of defense in firewall protection, and most basic, is the packet filter firewall. Packet filters examine incoming and outgoing packets and apply a fixed set of rules to the packets to determine whether they will be allowed to pass. The packet filter firewall is typically very fast because it does not examine any of the data in the packet. It simply examines the type of packet along with the source and destination IP address, as well as port combinations, and then it applies filtering rules. It is easy to filter out all packets destined for port 80, for example, which might normally be the port for a web server. The administrator may decide that port 80 is off limits except for specific IP sub-nets, and a packet filter would suffice for this.
• Circuit-level Gateways — This type of firewall has also been called a stateful inspection firewall. In the circuit-level firewall, all connections are monitored and only those connections that are found to be valid are allowed to pass through the firewall. This generally means that a client behind the firewall can initiate any type of session, but clients outside the firewall cannot see or connect to a machine protected by the firewall.
• Application Proxies — The application proxy firewall forces all client applications on workstations protected by the firewall to use the firewall itself as a gateway. The firewall then authorizes each packet for each protocol differently. There are some disadvantages to using this type of firewall. Every client program needs to be set up to use a proxy, and not all can do so. Also, the firewall must have a proxy in it for each type of protocol that can be used. This can mean a delay in implementing new protocols if the firewall doesn't support it. And, lastly, application proxies can be quite slow. Whereas, one distinct advantage of application proxy firewalls is that they are considered very secure.
• Network Address Translation (NAT) — Firewalls using NAT and/or Port Address Translation (PAT) completely hide the network protected by the firewall by translating the outgoing packets to use different addresses. In most implementations there is a single public IP address used for the entire network. PAT needs to be added to NAT in order to handle port conflicts. A disadvantage of NAT is that it can't properly pass protocols containing IP address information in the data portion of the packet.

Many firewalls use a combination of the above architectures, and the firewall in the IPAD also incorporates this approach. The IPAD combines and enhances the above architectures with a method we call True IP Address Expansion.

What is True IP Address Expansion?

True IP Address Expansion is a technology developed just for the IPAD which allows a large network to be completely hidden by a firewall using only a single public IP address, and no special client program configuration. It allows the firewall to be completely transparent to the users protected by the firewall, and yet keeps the network completely secure from Internet hackers. True IP Address Expansion uses the best of each type of firewall architecture, then adds a few twists.

First and foremost, Network Address Translation and Port Address Translation are utilized. This allows the network protected by the firewall to use private addresses that can't be seen from the Internet. This gives a certain amount of security by itself, but it is not totally secure. To increase security, we add intelligent stateful inspection to network and port address translation. This allows protected client machines to have complete sessions with the Internet, while at the same time keeping Internet hackers from being able to start sessions with the client machines. But we don't stop there, we also add adaptive proxies for protocols that won't pass through a NAT translation properly. These include FTP, CUSeeMe, and RealAudio among others. Finally, we add standard packet filtering that denies access to spoofed packets. This makes for a completely transparent firewall from the protected network, but a completely bulletproof firewall from the Internet.

We also added the ability to enhance standard packet filters by adding more of them. Let's take an example. Some administrators may decide they don't want their client computers to access the web at all. With the IPAD, a filter can easily be put in place to deny that access. For server machines that need to be completely protected except for specific server functionality, we added server Passthru. These allow a server machine to be protected by the firewall and still be accessed from the Internet. The server can have a hidden address, or it can have a public IP address (the exception to the single IP address rule mentioned under NAT above).

The end result of going these extra miles is the IPAD firewall that requires zero configuration, and yet is bulletproof. At the same time, using a simple GUI interface, the IPAD firewall can be reconfigured to deny certain services, and easily allow protected access to other servers on your LAN, without compromising overall network security.

A Final Word on Security

It is not a crime to attempt to protect a computer LAN from malicious people. It is however, a crime to attempt to hack a LAN from the outside. A properly configured firewall will allow system administrators to sleep at night knowing their network is protected from intrusion.

Choosing a firewall is a big step for most system administrators. It is not a step to be taken lightly. Many items must be considered, including cost, ease of installation and reconfiguration, time to configure client computers, and most importantly the amount of security offered.

The complexity of setting up a firewall is just as important as the system foundation it is built upon. A sensible security policy and a security rule set designed to implement that policy can completely protect a LAN from attacks. But if the firewall cannot easily be configured for such a policy the policy is useless. Most firewall products can be made very secure when properly configured, but the U.S. military recently admitted that sixty percent of all attacks against non-sensitive installations succeeded. The successful attacks can only be attributed to non-functioning firewall software (unlikely), poor choice of security policy (again, unlikely), or poor installation of the firewall. Because most firewall products are extremely flexible, they are also extremely difficult to configure properly. With its zero configuration firewall the IPAD cannot be incorrectly configured to allow a breakdown in security without a person deliberately reconfiguring the system and knowing they are creating a possible security issue. Out of the box, the IPAD has a fully functional firewall with a solid security rule set that will only need to be changed under rare circumstances.