Last updated 8/3/1998
A true firewall is the hardware and software that intercepts the data between the Internet and your computer. It is the TCP/IP equivalent of a security gate at the entrance to your company. All traffic (data) must pass through it, and the security guard (firewall) there allows only authorized people (data) to pass into the facility (LAN).
Firewall — A partition built to prevent the spread of a fire from one part of a building, a ship, etc., to another [1750-60, American term].
The firewall is a sub-system of computer software and hardware that intercepts data packets before allowing them into or out of a Local Area Network (LAN). A firewall makes decisions on whether or not to allow data to pass based upon a security policy. For each packet of data, the firewall compares known components of the packet to a security rule set and decides if the packet should be allowed to pass. In addition, a firewall may have security rules that involve altering the packet in some basic ways before passing the data. With a sensible security policy and a security rule set designed to implement that policy, a firewall can completely protect a LAN from attacks.
When you connect your computer to the Internet, you have also connected every other computer on the Internet to your computer. This means that anyone on the Internet has the same type of direct access to your computer that only other computers on your local network had before you connected to the Internet.
It can be a tense moment when you first realize that linking your computer to the Internet means that any hacker, anywhere, can spend as much time as they like poking around in your computer for gaps in its security system. Suddenly, you feel that you are in a very uncertain game of wits on a very uneven technological playing field you know little or nothing about. Even worse, you know that your adversary is probably an expert while you feel like a rookie. This feeling of personal vulnerability can be quite strong. In fact, many people have avoided connecting to the Internet altogether just because the security threat seemed overwhelming and totally beyond their control. No amount of business advantage seemed to be worth the risk involved. But there is no need to feel such vulnerability once you know the facts. Online security is a very complex topic, but let’s put some of the issues in perspective and assess the real risks.
Security problems arise from two primary threats. The first threat is having your IP packets overheard as they travel across the Internet and the data in those packets stolen. The second threat is that someone outside your immediate system will use your connectivity to attack the operating system software on your machine. By breaching the security of your O/S software they may gain access to your data files.
Tapping TCP/IP Packets
The first of these security issues is the one most of us immediately worry about - someone tapping the TCP/IP data on the network. The fear is that thousands of people can easily listen in to all of the data on the Internet. In fact, this is the least likely security issue to cause you difficulty. When it does occur, it's primarily in large educational institutions or companies where all of the data circulates on the local area network (LAN) to the many computers within the institution. In other words, it’s much more likely that the guy down the hall will listen in on your data than someone hacking away in the next city.
Tapping into TCP/IP data is no different than tapping into a standard voice telephone line. The person who is listening in must physically attach to the wiring that your data flows through. The most likely place to do this is on your local area network, and that is why employees in large companies and students in an educational institution are the most likely source of this activity. Once your data flows out onto the Internet, it can travel over hundreds of thousands of logical circuits, and travels different paths for nearly every distant computer you connect to. Most of these intermediate points are in secure facilities, just like the switches (routers) on your voice telephone line. If the data is tapped, it will probably occur at one of the endpoints. In the vast majority of cases, it happens in your facility or at the machine you're connecting to.
There is only one way to provide security against having your TCP/IP packets tapped, and it is the same one that you must use if you require a totally secure voice telephone connection — encryption. In general, it is rare that such encryption security at the TCP/IP packet level is required unless your LAN (or the LAN of sites you frequently contact with sensitive data) is very large and not physically secure.
Break-ins to Your Computer on the Internet
The most likely source of security problems that you will face is from someone on the Internet breaching the operating system security of your machine. This is an extension of the problem that arose many years ago when people began connecting dial-up modems to computers. At that point, anyone who found the phone number of a computer could spend hours trying to find ways to hack past the front door security on your modem connection.
When modems were first connecting computers, it turned out that the computers were pretty easy to break into. Why? Simply because up until then connections between computers were only established in carefully controlled settings and security issues simply hadn't been well thought out at the operating system level. Over the intervening years, connecting a modem to a computer became commonplace, and the security issues for communications software became much more critical. The security of operating systems was equally critical, but was dealt with much more effectively over the years.
This cycle is occurring once again in these early days of taking the Internet public. This time, it’s in connection with TCP/IP software. In general, it is more difficult to assure the security of older software than of newer software. Your first security consideration, then, should be your operating system, which is the first point of contact with the Internet. It is generally true that the longer an operating system has had TCP/IP built in, the more you need to check that back doors are closed. For example, if you connect a UNIX computer system to the Internet, unless it was installed by a UNIX expert with extensive security experience, you should assume that it has an easily breachable back door somewhere that has not been closed.
There are two reasons for this. First, UNIX was originally designed over 25 years ago to be open and easily accessible at every level. Years of development have gone into making locks for most of its doors, but there are a lot of doors to lock and many of them are not obvious if you are not very skilled in the UNIX operating system. It is extremely easy to set up a UNIX system and accidentally leave one or more of its entry paths open, especially when it is connected to the Internet. Secondly, UNIX is the operating system that most college students have been taught for many years now. Therefore any security gaps it has are the most widely known among the hacker crowd of any operating system. You can buy books that purport to be about Internet security and not find any problems mentioned in them other than UNIX entry paths that may not be locked.
Windows NT is a newer operating system, but it still has vulnerabilities. For example, when you put a Windows NT server on a network you will see it show up in the Network Neighborhood on Windows 95 machines. What is not immediately obvious is the fact that someone from the outside can also see this machine if they guess a small number of items correctly. In fact, if it is incorrectly configured, the hacker won’t even have to guess; your system will give them the information they need to get in! Windows NT is also susceptible to certain Denial of Service attacks that are well-documented. Just like UNIX-based systems, if an expert does not set up a Windows NT system, many back doors may be left open.
If you want to see what kind of attacks your system can be vulnerable to when running UNIX or Windows NT, check out http://www.cert.org/advisories/. The CERT advisory archive lists hundreds of ways to crash systems or to gain access to data on those systems. The advisories are highly technical, but looking at a few will give you a feel for how vulnerable most systems are, even when experts install them.
So what do you do if you need to connect your system to the Internet? Simple: either do not put any sensitive data on it, or alternatively do not let anyone you do not know reach it via TCP/IP. However, in some cases you may need to place such a machine on the Internet using a public IP address. In such cases, you can use a firewall to control access.
Firewalls are typically implemented using one of four primary architectures:
stateful inspection firewall. In the circuit-level firewall, all connections are monitored and only those connections that are found to be valid are allowed to pass through the firewall. This generally means that a client behind the firewall can initiate any type of session, but clients outside the firewall cannot see or connect to a machine protected by the firewall.
translating the outgoing packets to use different addresses. In most implementations there is a single public IP address used for the entire network. PAT needs to be added to NAT in order to handle port conflicts. A disadvantage of NAT is that it can't properly pass protocols containing IP address information in the data portion of the packet.
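The two mechanisms described above, connection monitoring and address/port translation, can be shown together in a small model. The following is an added example written for this page, not IPAD code: a toy gateway that owns one public address, rewrites outgoing packets, remembers which sessions a LAN client started, and refuses inbound packets that match no such session. It also shows the port-conflict case that PAT resolves and the NAT weakness the paragraph mentions: an FTP PORT command carrying the client's private address inside the payload, which the header-only translation cannot fix. All addresses, ports and the payload are constructed sample values.

```python
"""Toy stateful NAT/PAT gateway in front of a private LAN.

Added example, not IPAD code. All addresses, ports and the FTP payload
below are constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"                            # constructed: the one public address
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed: the protected LAN


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class StatefulNat:
    next_port: int = 40000                       # first port used when PAT must pick a new one
    out_map: dict = field(default_factory=dict)  # (priv ip, priv port, dst ip, dst port) -> public port
    in_map: dict = field(default_factory=dict)   # public port -> that same 4-tuple
    dropped: list = field(default_factory=list)  # log of unsolicited inbound packets

    def _alloc_port(self, wanted):
        # PAT: keep the client's own source port when it is free; two LAN hosts using
        # the same source port (a port conflict) force the second onto a fresh public port.
        if wanted not in self.in_map:
            return wanted
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """LAN -> Internet: record the session and rewrite the source to the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self._alloc_port(pkt.src_port)
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Internet -> LAN: pass only replies to a session a LAN client started."""
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != PUBLIC_IP or key is None or (key[2], key[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped.append(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return None
        priv_ip, priv_port, _, _ = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


# FTP's PORT command carries an IP address as six decimal byte values in the payload.
FTP_PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def private_address_in_payload(pkt):
    """Return the LAN address an FTP PORT command exposes, or None.

    NAT rewrites only the IP header, so this address survives translation
    unchanged; the remote server then tries to connect to a private address
    it cannot reach. This is why such protocols need a proxy.
    """
    m = FTP_PORT_RE.search(pkt.payload)
    if m is None:
        return None
    ip = ".".join(g.decode() for g in m.groups()[:4])
    return ip if ipaddress.ip_address(ip) in PRIVATE_NET else None


if __name__ == "__main__":
    nat = StatefulNat()
    a = nat.outbound(Packet("192.168.1.5", 1024, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.1.6", 1024, "198.51.100.7", 80))  # same port: PAT
    print("translated:", a, b)
    print("reply:", nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, b.src_port)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.9", 5555, PUBLIC_IP, 23)))
    ftp = Packet("192.168.1.5", 1025, "198.51.100.7", 21, b"PORT 192,168,1,5,4,1\r\n")
    print("private address leaked in payload:", private_address_in_payload(ftp))
```

The state table is keyed by the full outbound 4-tuple, so a reply is accepted only from the exact remote host and port the client talked to; a packet to a mapped public port from any other peer is dropped along with everything that matches no session at all. The FTP check is detection only: fixing the payload is the job of the protocol-aware proxy the text describes.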
Many firewalls use a combination of the above architectures, and the firewall in the IPAD also incorporates this approach. The IPAD combines and enhances the above architectures with a method we call True IP Address Expansion.
True IP Address Expansion is a technology developed just for the IPAD which allows a large network to be completely hidden by a firewall using only a single public IP address, and no special client program configuration. It allows the firewall to be completely transparent to the users protected by the firewall, and yet keeps the network completely secure from Internet hackers. True IP Address Expansion uses the best of each type of firewall architecture, then adds a few twists.
First and foremost, Network Address Translation and Port Address Translation are utilized. This allows the network protected by the firewall to use private addresses that can’t be seen from the Internet. This gives a certain amount of security by itself, but it is not totally secure. To increase security, we add intelligent stateful inspection to network and port address translation. This allows protected client machines to have complete sessions with the Internet, while at the same time keeping Internet hackers from being able to start sessions with the client machines. But we don't stop there; we also add adaptive proxies for protocols that won't pass through a NAT translation properly. These include FTP, CUSeeMe, and RealAudio among others. Finally, we add standard packet filtering that denies access to spoofed packets.
This makes for a completely transparent firewall from the protected network, but a completely bulletproof firewall from the Internet.
We also added the ability to enhance standard packet filters by adding more of them. Let's take an example. Some administrators may decide they don’t want their client computers to access the web at all. With the IPAD, a filter can easily be put in place to deny that access. For server machines that need to be completely protected except for specific server functionality, we added server Passthru. This allows a server machine to be protected by the firewall and still be accessed from the Internet. The server can have a hidden address, or it can have a public IP address (the exception to the single IP address rule mentioned under NAT above).
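The filters described in the last few paragraphs (the anti-spoofing filter, an administrator's extra "no web" filter, and a server Passthru for one service) are all ordered rules over the same packet fields. The following is an added example written for this page, not the IPAD's own filter or its rule syntax: a small first-match rule set that drops packets arriving from the Internet with a LAN source address (and LAN packets without one), blocks web traffic from clients, forwards inbound SMTP on the public address to a hidden-address mail server, and otherwise denies anything the Internet initiates while allowing anything the LAN initiates. Addresses, ports and the server's hidden address are constructed sample values.

```python
"""Toy ordered packet-filter rule set for a single-public-address gateway.

Added example, not the IPAD's own filter or rule syntax. Every address,
port and rule below is a constructed sample.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed: the protected LAN
PUBLIC_IP = "203.0.113.10"                            # constructed: the gateway's public address
MAIL_SERVER = "192.168.1.25"                          # constructed: hidden-address server


@dataclass(frozen=True)
class Packet:
    iface: str      # "wan" (arrived from the Internet) or "lan" (arrived from the LAN)
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Verdict:
    action: str                        # "accept", "drop" or "forward"
    rule: str                          # name of the rule that decided
    forward_to: Optional[tuple] = None # (hidden address, port) for "forward"


def is_private(ip):
    return ipaddress.ip_address(ip) in PRIVATE_NET


def rule_antispoof(p):
    # A packet from the Internet must not claim a LAN source address, and a
    # packet leaving the LAN must carry one; anything else is forged.
    if p.iface == "wan" and is_private(p.src_ip):
        return Verdict("drop", "antispoof-wan")
    if p.iface == "lan" and not is_private(p.src_ip):
        return Verdict("drop", "antispoof-lan")
    return None


def rule_no_web(p):
    # The administrator's added filter: client machines may not reach the web.
    if p.iface == "lan" and p.proto == "tcp" and p.dst_port in (80, 443):
        return Verdict("drop", "deny-web")
    return None


def rule_mail_passthru(p):
    # Server Passthru: inbound SMTP to the public address reaches the hidden server.
    if p.iface == "wan" and p.dst_ip == PUBLIC_IP and p.proto == "tcp" and p.dst_port == 25:
        return Verdict("forward", "passthru-smtp", (MAIL_SERVER, 25))
    return None


def rule_default(p):
    # Replies to LAN-initiated sessions are handled by stateful NAT before this point;
    # anything else from the Internet is denied, anything the LAN starts is allowed.
    if p.iface == "wan":
        return Verdict("drop", "default-deny-inbound")
    return Verdict("accept", "default-allow-outbound")


RULES = [rule_antispoof, rule_no_web, rule_mail_passthru, rule_default]


def evaluate(p):
    """First matching rule wins, so the order of RULES is the security policy."""
    for rule in RULES:
        verdict = rule(p)
        if verdict is not None:
            return verdict
    raise AssertionError("rule_default always matches")


if __name__ == "__main__":
    samples = [
        Packet("wan", "192.168.1.77", PUBLIC_IP, 25),        # forged LAN source from outside
        Packet("lan", "192.168.1.5", "198.51.100.7", 80),    # client trying to browse
        Packet("wan", "198.51.100.7", PUBLIC_IP, 25),        # mail for the hidden server
        Packet("wan", "198.51.100.7", PUBLIC_IP, 23),        # unsolicited telnet from outside
        Packet("lan", "192.168.1.5", "198.51.100.7", 22),    # client-initiated session
    ]
    for s in samples:
        print(s, "->", evaluate(s))
```

Because the anti-spoofing rule runs first, a forged packet cannot reach the Passthru rule even when it targets the forwarded port; the order in which the rules are listed is what makes the policy hold, which is the point the text makes about configuration being as important as the firewall's foundation.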
The end result of going these extra miles is the IPAD firewall that requires zero configuration, and yet is bulletproof. At the same time, using a simple GUI interface, the IPAD firewall can be reconfigured to deny certain services, and easily allow protected access to other servers on your LAN, without compromising overall network security.
It is not a crime to attempt to protect a computer LAN from malicious people. It is however, a crime to attempt to hack a LAN from the outside. A properly configured firewall will allow system administrators to sleep at night knowing their network is protected from intrusion.
Choosing a firewall is a big step for most system administrators. It is not a step to be taken lightly. Many items must be considered, including cost, ease of installation and reconfiguration, time to configure client computers, and most importantly the amount of security offered.
The complexity of setting up a firewall is just as important as the system foundation it is built upon. A sensible security policy and a security rule set designed to implement that policy can completely protect a LAN from attacks. But if the firewall cannot easily be configured for such a policy, the policy is useless. Most firewall products can be made very secure when properly configured, but the U.S. military recently admitted that sixty percent of all attacks against non-sensitive installations succeeded. The successful attacks can only be attributed to non-functioning firewall software (unlikely), poor choice of security policy (again, unlikely), or poor installation of the firewall. Because most firewall products are extremely flexible, they are also extremely difficult to configure properly. With its zero configuration firewall the IPAD cannot be incorrectly configured to allow a breakdown in security without a person deliberately reconfiguring the system and knowing they are creating a possible security issue. Out of the box, the IPAD has a fully functional firewall with a solid security rule set that will only need to be changed under rare circumstances.