WWW.ABSTRACT.XLIBX.INFO
FREE ELECTRONIC LIBRARY - Abstract, dissertation, book
 
<< HOME
CONTACTS



Pages:   || 2 | 3 |

«mjr Trusted Information Systems, Inc. Glenwood, Maryland Abstract Generally, he who occupies the field of battle first and awaits his enemy ...»

-- [ Page 1 ] --

mjr@tis.com

Trusted Information Systems, Inc.

Glenwood, Maryland

Abstract

Generally, he who occupies the field of battle first and awaits his enemy is at ease. ⎯ Sun Tzu

Many companies connect to the Internet, guarded by "firewalls" designed to prevent

unauthorized access to their private networks. Despite this general goal, firewalls span a continuum

between ease of use and security. This paper describes some of the considerations and tradeoffs in

designing firewalls. A vocabulary for firewalls and their components is offered, to provide a common ground for discussion.

Why a Firewall?

Against those skilled in the attack, an enemy does not know where to defend. Against the experts in defence, the enemy does not know where to attack. ⎯ Sun Tzu The rationale for installing a firewall is almost always to protect a private network against intrusion. In most cases, the purpose of the firewall is to prevent unauthorized users from accessing computing resources on a private network, and often to prevent unnoticed and unauthorized export of proprietary information. In some cases export of information is not considered important, but for many corporations that are connecting this is a major though possibly unreasoning concern. Many organizations will want simply to address the problem by not connecting to the Internet at all. This solution can be difficult to implement. If the private network is loosely administered or decentralized, a single enterprising individual with a high speed dialup modem can quickly effect an Internet SLIP connection which can compromise the security of an entire network.

Often it is safe to say that a firewall needs to be put in place for the "CYA"1 factor. Even though an employee could compromise proprietary information by carrying it offsite on a DAT or floppy disk, the Internet represents a tangible threat, populated with dangerous "vandals."2 It could very easily cost a network manager his job if a break-in occurs via this route, even if the damage is no more extensive than could have been inflicted over a dialup line or by a disgruntled employee. Generally, for a would-be Internet site, the technical difficulties of implementing a firewall are greatly outweighed by the public relations problems of "selling" upper management on the idea. In summary, because Internet services are so highly visible, they are much more likely to require official oversight and justification.

Design Decisions Examine your environment ⎯ Miyamoto Musashi In configuring a firewall, the major design decisions with respect to security are often already dictated by corporate or organizational policy; specifically, a decision must be made as to whether security is more important than ease-of-use, or vice versa. There are two basic approaches that summarize the

conflict:

• That which is not expressly permitted is prohibited.

• That which is not expressly prohibited is permitted.

The importance of this distinction cannot be overemphasized. In the former case, the firewall must be designed to block everything, and services must be enabled on a case-by-case basis only after a careful assessment of need and risk. This tends to impact users directly, and they may see the firewall as a hindrance. In the second case, the systems administrator is placed in a reactive mode, having to predict what kinds of actions the user population might take that would weaken the security of the firewall, and preparing defenses against them. This essentially pits the firewall administrator against the users in an endless arms race that can become quite fierce. A user can generally compromise the security of their login if they try or aren't aware of reasonable security precautions. If the user has an open access login on the firewall system itself, a serious security breach can result. The presence of user logins on the firewall system tends to magnify the problem of maintaining the system's integrity. A second important statement of policy is implicit in the "that which is not expressly permitted is prohibited" stance. This stance is more "fail safe," since it accepts that the administrator is ignorant of what TCP ports are safe, or what holes may exist in the manufacturer's kernel or applications. Since many vendors are slow to publicise security holes, this is clearly a more conservative approach. It is an admission of the fact that what you don't know can hurt you.

Levels of Threat If ignorant both of your enemy and yourself, you are certain in every battle to be in peril ⎯ Sun Tzu There are several ways in which a firewall can fail or be compromised. While none of them are good, some are decidedly worse than others. Since the purpose of many firewalls is to block access, it's a clear failure if someone finds a loophole through it which permits them to probe systems in the private network. An even more severe situation would result if someone managed to break into the firewall and reconfigure it such that the entire private network is reachable by anyone. For the sake of terminology, this type of attack will be referred to as "destroying" a firewall, as opposed to a mere "break-in." It is extremely difficult to quantify the damage that might result from a firewall's destruction. An important measure of how well a firewall resists threat is the information it gathers to help determine the course of an attack. The absolute worst thing that could happen is for a firewall to be completely compromised without any trace of how the attack took place. The best thing that can happen is for a firewall to detect an attack, and inform the administrator politely that it is undergoing attack, but that the attack is going to fail.





One way to view the result of a firewall being compromised is to look at things in terms of what can be roughly termed as "zones of risk." In the case of a network that is directly connected to the Internet without any firewall, the entire network is subject to attack. This does not imply that the network is vulnerable to attack, but in a situation where an entire network is within reach of an untrusted network, it is necessary to ensure the security of every single host on that network. Practical experience shows that this is difficult, since tools like rlogin that permit user-customizable access control are often exploited by vandals to gain access to multiple hosts, in a form of "island hopping" attack. In the case of any typical firewall, the zone of risk is often reduced to the firewall itself, or a selected subset of hosts on the network, significantly reducing the network manager's concerns with respect to direct attack. If a firewall is broken into, the zone of risk often expands again, to include the entire protected network. A vandal gaining access to a login on the firewall can begin an island hopping attack into the private network, using it as a base. In this situation, there is still some hope, since the vandal may leave traces on the firewall, and may be detected. If the firewall is completely destroyed the private network can undergo attack from any external system and reconstructing the course of an attack becomes nearly impossible.

In general, firewalls can be viewed in terms of reducing the zone of risk to a single point of failure. In a sense, this seems like a bad idea, since it amounts to putting all of one's eggs in a single basket, but practical experience implies that at any given time, for a network of non-trivial size, there are at least a few hosts that are vulnerable to break-in by even an unskilled attacker. Many corporations have formal host security policies that are designed to address these weaknesses, but it is sheer foolishness to assume that publishing policies will suffice. A firewall enhances host security by funneling attackers through a narrow gap where there's a chance of catching or detecting them first. The well-constructed medieval castle had multiple walls and interlocking defense points for exactly the same reason.

Firewalls and Their Components There may be a hundred combat postures, but there is only one purpose: to win. ⎯ Heiho Kaden Sho In discussing firewalls there is often confusion of terminology since firewalls all differ slightly in implementation if not in purpose. Various discussions on USENET indicate that the term "firewall" is used to describe just about any inter-network security scheme. For the sake of simplifying discussion,

some terminology is proposed, to provide a common ground:

Screening Router ⎯ A screening router is a basic component of most firewalls. A screening router can be a commercial router or a host-based router with some kind of packet filtering capability. Typical screening routers have the ability to block traffic between networks or specific hosts, on an IP port level. Some firewalls consist of nothing more than a screening router between a private network and the Internet.

Bastion host ⎯ Bastions are the highly fortified parts of a medieval castle; points that overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.

Dual Homed Gateway ⎯ Some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding.

Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the networks is blocked. A dual homed gateway is, by definition, a bastion host.

–  –  –

Screened Host Gateway ⎯ Possibly the most common firewall configuration is a screened host gateway. This is implemented using a screening router and a bastion host. Usually, the bastion host is on the private network, and the screening router is configured such that the bastion host is the only system on the private network that is reachable from the Internet. Often the screening router is configured to block traffic to the bastion host on specific ports, permitting only a small number of services to communicate with it.

Figure 2: A typical Screened Host Gateway

–  –  –

Screened Subnet ⎯ In some firewall configurations, an isolated subnet is created, situated between the Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering. Generally, a screened subnet is configured such that both the Internet and the private network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked. Some configurations of screened subnets will have a bastion host on the screened network, either to support interactive terminal sessions or application level gateways.

Figure 3: A typical Screened Subnet

–  –  –

Application Level Gateway (or "proxy gateway") ⎯ Much of the software on the Internet works in a store-and-forward mode; mailers and USENET news collect input, examine it, and forward it. Application level gateways are service-specific forwarders or reflectors, which usually operate in user mode rather than at a protocol level. Generally, these forwarding services, when running on a firewall, are important to the security of the whole. The famous sendmail hole that was exploited by the Morris Internet worm is one example of the kinds of security problems an application level gateway can present. Other application level gateways are interactive, such as the FTP and telnet gateways run on the Digital Equipment Corporation firewalls. In general, the term "application level gateway" will be used to describe some kind of forwarding service that runs across a firewall, and is a potential security concern. In general, crucial application level gateways are run on some kind of bastion host.

Hybrid Gateways ⎯ Hybrid gateways are the "something else" category in this list. Examples of such systems might be hosts connected to the Internet, but accessible only through serial lines connected to an ethernet terminal server on the private network. Such gateways might take advantage of multiple protocols, or tunneling one protocol over another. Routers might maintain and monitor the complete state of all TCP/IP connections, or somehow examine traffic to try to detect and prevent an attack. The AT&T corporate firewall[1] is a hybrid gateway combined with a bastion host.

Taking the components described above, we can accurately describe most of the forms that firewalls take, and can make some general statements about the kinds of security problems each approach presents. Assuming that a firewall fulfills its basic purpose of helping protect the network, it is still

important to examine each type of firewall with respect to:

Damage control ⎯ If the firewall is compromised, to what kinds of threats does it leave the private network open? If destroyed, to what kinds of threats does it leave the private network open?

Zones of risk ⎯ How large is the zone of risk during normal operation? A measure of this is the number of hosts or routers that can be probed from the outside network.

Failure mode ⎯ If the firewall is broken into, how easy is this to detect? If the firewall is destroyed, how easy is this to detect? In a post mortem, how much information is retained that can be used to diagnose the attack?

Ease of use ⎯ How much of an inconvenience is the firewall?



Pages:   || 2 | 3 |


Similar works:

«Clonality Analysis in B-Cell Chronic Lymphocytic Leukemia (B-CLL) Associated with Richter’s Syndrome Dissertation zur Erlangung des naturwissenschaftlichen Doktorgrades der Bayerischen Julius-Maximilians-Universität Würzburg vorgelegt von Zhengrong Mao aus Hangzhou, China Würzburg 2006 Eingereicht am: 11. Sep. 2006 Mitglieder der Prüfungskommission: Vorsitzender: Prof. Dr. M. Müller Gutachter: Prof. Dr. Hans Konrad Müller-Hermelink Gutachter: PD. Dr. Andreas Rosenwald Gutachter: PD. Dr....»

«TAKE THIS BOOK DEFENDANT AND FAMILY HANDBOOK Provided by: The Office of the Metropolitan Public Defender 404 James Robertson Parkway Suite 2022, Parkway Towers Nashville, TN 37219 615-862-5730 Dawn Deaner, Metropolitan Public Defender INTRODUCTION The Metropolitan Public Defender's Office is pleased to offer this book to assist our clients, their families, and members of the public to better understand how our local criminal justice system works. I hope it answers any questions you have, but I...»

«      A University of Sussex DPhil thesis   Available online via Sussex Research Online:   http://eprints.sussex.ac.uk/  This thesis is protected by copyright which belongs to the author.  This thesis cannot be reproduced or quoted extensively from without first  obtaining permission in writing from the Author    The content must not be changed in any way or sold commercially in any ...»

«Columbia College Online Campus P a g e |1 MATH 150 DEB College Algebra March Session 14-54 March 23 to May 16, 2015 Course Description Fundamental agebraic concepts are examined in the context of real world applications. Linear, quadratic, polynomial, exponential, and logarithmic functions are explored with emphasis on their numerical, graphical, and algebraic properties. Prerequisite: Grade of C or higher in MATH 106 OR a score of 21 or higher on the math portion of the ACT (or if the ACT was...»

«3 Conventional Ammunition Marking Pablo Dreyfus Overview This chapter focuses on marking practices applicable to conventional ammunition. It is intended to present, in brief, the utility of systematic ammunition marking for improving the safety and security of conventional ammunition stocks, particularly in relation to the risk of accidents (including explosive and incendiary risks) and the potential for illicit diversion. The chapter also provides an overview of common marking methods and the...»

«195 УДК 130.2 : 001.891 С. Г. Селетков Морфология диссертации В статье рассматриваются структура и компоненты диссертации. Показывается, что состав её известных компонентов слабо меняется от диссертации к диссертации. Это дает основание говорить о существовании морфологии...»

«23 October 2002 Commission Merger Control Analysis Again Severely Sanctioned by the European Court in the Schneider Case The Judgment On 22 October 2002, the European Court of First Instance (CFI) annulled the European Commission’s prohibition of the Schneider/Legrand merger. The Court based its judgment1 on two main grounds: • First, the factual analysis underlying the Commission’s assessment of the impact of the transaction on the relevant national product markets outside of France was...»

«Laki László A NEM IPARI MUNKÁSOK IPARI MUNKAKÖRNYEZETBE VALÓ BEILLESZKEDÉSÉNEK PSZICHIKAI PROBLÉMÁI A nem ipari m u n k á s o k az ipari m u n k a k ö r n y e z e t b e való beilleszkedé­ sük folyamán elsősorban a fizikai adaptáció problémáival találják ma­ gukat szembe. E z a folyamat, bár sok nehézséget okoz a beilleszkedés során, viszonylag mégis könnyebb, mint a pszichikai adaptáció. A pszichikai adaptáció valójában nem más, mint az ipari termelési...»

«ACCEPTANCES Page 1 of 19 December 2012 LoAR THE FOLLOWING ITEMS HAVE BEEN REGISTERED: ÆTHELMEARC Marija Kotok. Device change. Gules, a Ukrainian trident head and a bordure argent. This device is not in conflict with the device of Eric Ragnarsson, Counter-ermine, a double-bitted axehead within a bordure argent. There is a DC for the change in field, and at least a DC between a Ukrainian trident head and a double-bitted axehead. Her previous device, Azure, in pale a lion-dragon passant Or and...»

«2015|22 GESIS Papers Forschungsdatenzentrum Internationale Umfrageprogramme Jahresbericht 2014 Berichtszeitraum 01.01.2014 – 31.12.2014 Insa Bechert, Evelyn Brislinger, Meinhard Moschner, Markus Quandt, Evi Scholz & Ivet Solanes Ros kölkölölk GESIS Papers 2015|22 Forschungsdatenzentrum Internationale Umfrageprogramme Jahresbericht 2014 Berichtszeitraum 01.01.2014 – 31.12.2014 Insa Bechert, Evelyn Brislinger, Meinhard Moschner, Markus Quandt, Evi Scholz & Ivet Solanes Ros GESIS –...»

«Faculty of Engineering, University of Porto Environment-Aware System for Alzheimer’s Patients Ana Rita Cardoso de Almeida Barreto FINAL REPORT Preparation for Dissertation for the degree of Master of Science in Electrical and Computer Engineering Supervisor: Prof. Dr. Artur Capelo Cardoso Co-Supervisor: Prof. Dr. Cândido Duarte Fraunhofer AICOS: Renato Oliveira © Ana Rita Barreto, 2014 ii Abstract The aim of the thesis, which is going to be developed at Fraunhofer Portugal and of which this...»

«MQP GFP 1201 New WPI Suite Architecture A Major Qualifying Project Report: submitted to the faculty of the WORCESTER POLYTECHNIC INSTITUTE in partial fulfillment of the requirements for the degree of Bachelor of Science by _ Michael Della Donna _ Brian Gaffey _ Ryan Hamer _ Tyler Wack Date: April 25, 2013 Approved: Keywords: 1. Software Engineering 2. WPISuite 3. Client Server Architecture Professor Gary F. Pollice, Major Advisor ABSTRACT WPISuite is a program developed for students enrolled in...»





 
<<  HOME   |    CONTACTS
2016 www.abstract.xlibx.info - Free e-library - Abstract, dissertation, book

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.