mjr
Trusted Information Systems, Inc.
Glenwood, Maryland

Abstract

Generally, he who occupies the field of battle first and awaits his enemy is at ease. ⎯ Sun Tzu
Many companies connect to the Internet, guarded by "firewalls" designed to prevent
unauthorized access to their private networks. Despite this general goal, firewalls span a continuum
between ease of use and security. This paper describes some of the considerations and tradeoffs in
designing firewalls. A vocabulary for firewalls and their components is offered, to provide a common ground for discussion.
Why a Firewall?
Against those skilled in the attack, an enemy does not know where to defend. Against the experts in defence, the enemy does not know where to attack. ⎯ Sun Tzu

The rationale for installing a firewall is almost always to protect a private network against intrusion. In most cases, the purpose of the firewall is to prevent unauthorized users from accessing computing resources on a private network, and often to prevent unnoticed and unauthorized export of proprietary information. In some cases export of information is not considered important, but for many corporations that are connecting this is a major though possibly unreasoning concern.

Many organizations will want simply to address the problem by not connecting to the Internet at all. This solution can be difficult to implement. If the private network is loosely administered or decentralized, a single enterprising individual with a high speed dialup modem can quickly effect an Internet SLIP connection which can compromise the security of an entire network.
Often it is safe to say that a firewall needs to be put in place for the "CYA"1 factor. Even though an employee could compromise proprietary information by carrying it offsite on a DAT or floppy disk, the Internet represents a tangible threat, populated with dangerous "vandals."2 It could very easily cost a network manager his job if a break-in occurs via this route, even if the damage is no more extensive than could have been inflicted over a dialup line or by a disgruntled employee. Generally, for a would-be Internet site, the technical difficulties of implementing a firewall are greatly outweighed by the public relations problems of "selling" upper management on the idea. In summary, because Internet services are so highly visible, they are much more likely to require official oversight and justification.
Design Decisions

Examine your environment ⎯ Miyamoto Musashi

In configuring a firewall, the major design decisions with respect to security are often already dictated by corporate or organizational policy; specifically, a decision must be made as to whether security is more important than ease-of-use, or vice versa. There are two basic approaches that summarize the
• That which is not expressly permitted is prohibited.
• That which is not expressly prohibited is permitted.
The importance of this distinction cannot be overemphasized. In the former case, the firewall must be designed to block everything, and services must be enabled on a case-by-case basis only after a careful assessment of need and risk. This tends to impact users directly, and they may see the firewall as a hindrance. In the second case, the systems administrator is placed in a reactive mode, having to predict what kinds of actions the user population might take that would weaken the security of the firewall, and preparing defenses against them. This essentially pits the firewall administrator against the users in an endless arms race that can become quite fierce.

A user can generally compromise the security of their login if they try or aren't aware of reasonable security precautions. If the user has an open access login on the firewall system itself, a serious security breach can result. The presence of user logins on the firewall system tends to magnify the problem of maintaining the system's integrity.

A second important statement of policy is implicit in the "that which is not expressly permitted is prohibited" stance. This stance is more "fail safe," since it accepts that the administrator is ignorant of what TCP ports are safe, or what holes may exist in the manufacturer's kernel or applications. Since many vendors are slow to publicise security holes, this is clearly a more conservative approach. It is an admission of the fact that what you don't know can hurt you.
Levels of Threat

If ignorant both of your enemy and yourself, you are certain in every battle to be in peril ⎯ Sun Tzu

There are several ways in which a firewall can fail or be compromised. While none of them are good, some are decidedly worse than others. Since the purpose of many firewalls is to block access, it's a clear failure if someone finds a loophole through it which permits them to probe systems in the private network. An even more severe situation would result if someone managed to break into the firewall and reconfigure it such that the entire private network is reachable by anyone. For the sake of terminology, this type of attack will be referred to as "destroying" a firewall, as opposed to a mere "break-in." It is extremely difficult to quantify the damage that might result from a firewall's destruction. An important measure of how well a firewall resists threat is the information it gathers to help determine the course of an attack. The absolute worst thing that could happen is for a firewall to be completely compromised without any trace of how the attack took place. The best thing that can happen is for a firewall to detect an attack, and inform the administrator politely that it is undergoing attack, but that the attack is going to fail.
One way to view the result of a firewall being compromised is to look at things in terms of what can be roughly termed as "zones of risk." In the case of a network that is directly connected to the Internet without any firewall, the entire network is subject to attack. This does not imply that the network is vulnerable to attack, but in a situation where an entire network is within reach of an untrusted network, it is necessary to ensure the security of every single host on that network. Practical experience shows that this is difficult, since tools like rlogin that permit user-customizable access control are often exploited by vandals to gain access to multiple hosts, in a form of "island hopping" attack. In the case of any typical firewall, the zone of risk is often reduced to the firewall itself, or a selected subset of hosts on the network, significantly reducing the network manager's concerns with respect to direct attack. If a firewall is broken into, the zone of risk often expands again, to include the entire protected network. A vandal gaining access to a login on the firewall can begin an island hopping attack into the private network, using it as a base. In this situation, there is still some hope, since the vandal may leave traces on the firewall, and may be detected. If the firewall is completely destroyed the private network can undergo attack from any external system and reconstructing the course of an attack becomes nearly impossible.
In general, firewalls can be viewed in terms of reducing the zone of risk to a single point of failure. In a sense, this seems like a bad idea, since it amounts to putting all of one's eggs in a single basket, but practical experience implies that at any given time, for a network of non-trivial size, there are at least a few hosts that are vulnerable to break-in by even an unskilled attacker. Many corporations have formal host security policies that are designed to address these weaknesses, but it is sheer foolishness to assume that publishing policies will suffice. A firewall enhances host security by funneling attackers through a narrow gap where there's a chance of catching or detecting them first. The well-constructed medieval castle had multiple walls and interlocking defense points for exactly the same reason.
Firewalls and Their Components

There may be a hundred combat postures, but there is only one purpose: to win. ⎯ Heiho Kaden Sho

In discussing firewalls there is often confusion of terminology since firewalls all differ slightly in implementation if not in purpose. Various discussions on USENET indicate that the term "firewall" is used to describe just about any inter-network security scheme. For the sake of simplifying discussion, some terminology is proposed, to provide a common ground:
Screening Router ⎯ A screening router is a basic component of most firewalls. A screening router can be a commercial router or a host-based router with some kind of packet filtering capability. Typical screening routers have the ability to block traffic between networks or specific hosts, on an IP port level. Some firewalls consist of nothing more than a screening router between a private network and the Internet.
Bastion host ⎯ Bastions are the highly fortified parts of a medieval castle; points that overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.
Dual Homed Gateway ⎯ Some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding. Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the networks is blocked. A dual homed gateway is, by definition, a bastion host.
Screened Host Gateway ⎯ Possibly the most common firewall configuration is a screened host gateway. This is implemented using a screening router and a bastion host. Usually, the bastion host is on the private network, and the screening router is configured such that the bastion host is the only system on the private network that is reachable from the Internet. Often the screening router is configured to block traffic to the bastion host on specific ports, permitting only a small number of services to communicate with it.
Figure 2: A typical Screened Host Gateway
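The two policy stances from the Design Decisions section, and the screened host gateway just described, can be made concrete as screening-router rule sets. The following is an added illustration, not code from the paper or from Trusted Information Systems: the addresses, ports and rule syntax are constructed, and the evaluator is a deliberately simplified first-match filter rather than any particular router's. The same inbound packets are run through a "not expressly permitted is prohibited" rule set (only two services to the bastion host are listed) and a "not expressly prohibited is permitted" rule set (the administrator lists the services they know to be dangerous); the packet aimed at a service on neither list is where the two stances part ways.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    dst: IPv4Network              # destination network the rule covers
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; when nothing matches, the policy default decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed topology: a private /8 with a single bastion host (hypothetical addresses).
PRIVATE = ip_network("10.0.0.0/8")
BASTION = ip_network("10.0.0.2/32")

# Stance 1: that which is not expressly permitted is prohibited.
# The screened host gateway: only the bastion, and only on the services it is meant to offer.
DEFAULT_DENY_RULES = [
    Rule("permit", BASTION, "tcp", 25),    # mail to the bastion's mailer
    Rule("permit", BASTION, "tcp", 21),    # FTP control channel to the bastion's FTP gateway
]

# Stance 2: that which is not expressly prohibited is permitted.
# The administrator has to enumerate what they already know to be risky.
DEFAULT_PERMIT_RULES = [
    Rule("deny", PRIVATE, "tcp", 513),     # rlogin into the private network
    Rule("deny", PRIVATE, "tcp", 23),      # telnet into the private network
]

# Constructed inbound packets from an outside host (192.0.2.10 is a documentation address).
INBOUND = [
    Packet("192.0.2.10", "10.0.0.2", "tcp", 25),
    Packet("192.0.2.10", "10.0.0.2", "tcp", 21),
    Packet("192.0.2.10", "10.0.0.2", "tcp", 23),
    Packet("192.0.2.10", "10.0.0.7", "tcp", 513),
    Packet("192.0.2.10", "10.0.0.7", "tcp", 111),  # a service on neither list
]


def compare(packets: List[Packet] = INBOUND) -> List[Tuple[str, int, str, str]]:
    """Return (dst, dport, verdict under stance 1, verdict under stance 2) per packet."""
    return [(p.dst, p.dport,
             evaluate(DEFAULT_DENY_RULES, "deny", p),
             evaluate(DEFAULT_PERMIT_RULES, "permit", p)) for p in packets]


if __name__ == "__main__":
    print(f"{'destination':<18}{'default deny':<16}default permit")
    for dst, dport, strict, loose in compare():
        print(f"{dst + ':' + str(dport):<18}{strict:<16}{loose}")
```

The last packet is the one the paper's "what you don't know can hurt you" remark is about: under the first stance it is dropped because nobody ever argued for it, under the second it passes because nobody thought to list it.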
Screened Subnet ⎯ In some firewall configurations, an isolated subnet is created, situated between the Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering. Generally, a screened subnet is configured such that both the Internet and the private network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked. Some configurations of screened subnets will have a bastion host on the screened network, either to support interactive terminal sessions or application level gateways.
Figure 3: A typical Screened Subnet
Application Level Gateway (or "proxy gateway") ⎯ Much of the software on the Internet works in a store-and-forward mode; mailers and USENET news collect input, examine it, and forward it. Application level gateways are service-specific forwarders or reflectors, which usually operate in user mode rather than at a protocol level. Generally, these forwarding services, when running on a firewall, are important to the security of the whole. The famous sendmail hole that was exploited by the Morris Internet worm is one example of the kinds of security problems an application level gateway can present. Other application level gateways are interactive, such as the FTP and telnet gateways run on the Digital Equipment Corporation firewalls. In general, the term "application level gateway" will be used to describe some kind of forwarding service that runs across a firewall, and is a potential security concern. In general, crucial application level gateways are run on some kind of bastion host.
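To show what "service-specific forwarder operating in user mode" means in practice, here is an added example of a minimal application level gateway; it is not code from the paper, from TIS or from the DEC gateways mentioned above. The request format (a single "host port" line from the client), the allowlist and the loopback echo service standing in for a real server are all constructed for the demonstration. The point it makes is the one the paragraph makes: the gateway is an ordinary user process that decides per service and per request, and it logs what it decided before it forwards a single byte, which is exactly the record a bastion host is expected to keep.

```python
import socket
import threading
from typing import Set, Tuple

Service = Tuple[str, int]


def recv_line(sock: socket.socket, limit: int = 256) -> str:
    """Read one newline-terminated line byte by byte so no relayed data is over-read."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode("ascii", "replace").strip()


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on as a write shutdown."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class ApplicationGateway:
    """User-mode forwarder: the client names a service, the gateway consults its
    allowlist and logs the decision, and only then opens the upstream connection."""

    def __init__(self, allowed: Set[Service]):
        self.allowed = set(allowed)
        self.log = []                         # what a post-mortem gets to see
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # loopback only for the demo
        self.sock.listen(5)
        self.addr = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            conn, peer = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn: socket.socket, peer) -> None:
        with conn:
            parts = recv_line(conn).split()
            if len(parts) != 2 or not parts[1].isdigit():
                self.log.append(("malformed", peer[0], " ".join(parts)))
                conn.sendall(b"DENIED\n")
                return
            target = (parts[0], int(parts[1]))
            if target not in self.allowed:          # not expressly permitted: prohibited
                self.log.append(("denied", peer[0], target))
                conn.sendall(b"DENIED\n")
                return
            self.log.append(("permitted", peer[0], target))
            with socket.create_connection(target) as upstream:
                conn.sendall(b"OK\n")
                back = threading.Thread(target=pump, args=(upstream, conn), daemon=True)
                back.start()
                pump(conn, upstream)
                back.join()


def start_echo_server() -> Service:
    """Constructed stand-in for a real service behind the gateway."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(c):
        with c:
            for data in iter(lambda: c.recv(4096), b""):
                c.sendall(data)

    def serve():
        while True:
            threading.Thread(target=echo, args=(srv.accept()[0],), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def via_gateway(gw: Service, target: Service, payload: bytes) -> Tuple[str, bytes]:
    """Client side: ask the gateway for `target`, then exchange `payload` if permitted."""
    with socket.create_connection(gw) as s:
        s.sendall(f"{target[0]} {target[1]}\n".encode())
        status = recv_line(s)
        if status != "OK":
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return status, b"".join(iter(lambda: s.recv(4096), b""))


def demo():
    echo = start_echo_server()
    gw = ApplicationGateway(allowed={echo})
    ok = via_gateway(gw.addr, echo, b"hello through the gateway")
    blocked = via_gateway(gw.addr, ("127.0.0.1", 9), b"x")   # a service not on the allowlist
    return ok, blocked, list(gw.log)


if __name__ == "__main__":
    print(demo())
```

Running it connects once to the permitted echo service through the gateway and once to a port that is not on the allowlist; the second request never reaches the network behind the gateway, and both decisions are in `gw.log` with the peer address, which is the difference between a break-in that leaves traces and one that does not.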
Hybrid Gateways ⎯ Hybrid gateways are the "something else" category in this list. Examples of such systems might be hosts connected to the Internet, but accessible only through serial lines connected to an ethernet terminal server on the private network. Such gateways might take advantage of multiple protocols, or tunneling one protocol over another. Routers might maintain and monitor the complete state of all TCP/IP connections, or somehow examine traffic to try to detect and prevent an attack. The AT&T corporate firewall is a hybrid gateway combined with a bastion host.
Taking the components described above, we can accurately describe most of the forms that firewalls take, and can make some general statements about the kinds of security problems each approach presents. Assuming that a firewall fulfills its basic purpose of helping protect the network, it is still important to examine each type of firewall with respect to:
Damage control ⎯ If the firewall is compromised, to what kinds of threats does it leave the private network open? If destroyed, to what kinds of threats does it leave the private network open?
Zones of risk ⎯ How large is the zone of risk during normal operation? A measure of this is the number of hosts or routers that can be probed from the outside network.
Failure mode ⎯ If the firewall is broken into, how easy is this to detect? If the firewall is destroyed, how easy is this to detect? In a post mortem, how much information is retained that can be used to diagnose the attack?
Ease of use ⎯ How much of an inconvenience is the firewall?
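The "Failure mode" criterion, and the remark in Levels of Threat that the best outcome is a firewall that detects an attack and tells the administrator about it, both come down to what the screening router or bastion host records and whether anyone looks at it. The following added example (not from the paper) runs simple detection logic over constructed screening-router log lines: it flags one outside source knocking on many private hosts, which is the reconnaissance that precedes the "island hopping" described earlier, and one source trying many ports on a single host, and it keeps the first and last timestamp per source so that a post mortem has a timeline to work from. The log format, the addresses and the thresholds are assumptions made for the example, not any router's real syslog format.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format: "<timestamp> <router> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<action>deny|permit) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host sweep, one legitimate mail delivery, one port scan, one junk line.
SAMPLE_LOG = """\
Jan 10 03:12:05 router deny tcp 192.0.2.10:4021 -> 10.0.0.7:513
Jan 10 03:12:06 router deny tcp 192.0.2.10:4022 -> 10.0.0.8:513
Jan 10 03:12:06 router deny tcp 192.0.2.10:4023 -> 10.0.0.9:513
Jan 10 03:12:07 router deny tcp 192.0.2.10:4024 -> 10.0.0.10:513
Jan 10 03:15:40 router permit tcp 198.51.100.5:5123 -> 10.0.0.2:25
Jan 10 03:20:01 router deny tcp 203.0.113.9:6000 -> 10.0.0.2:23
Jan 10 03:20:02 router deny tcp 203.0.113.9:6001 -> 10.0.0.2:111
Jan 10 03:20:02 router deny tcp 203.0.113.9:6002 -> 10.0.0.2:512
Jan 10 03:20:03 router deny tcp 203.0.113.9:6003 -> 10.0.0.2:514
Jan 10 03:20:03 router deny tcp 203.0.113.9:6004 -> 10.0.0.2:2049
a corrupted line the parser must skip rather than choke on
"""


def parse(text: str) -> List[Dict[str, str]]:
    """Parse recognisable lines; anything else is dropped rather than trusted."""
    return [m.groupdict() for line in text.splitlines() if (m := LOG_RE.match(line))]


def analyse(events: List[Dict[str, str]], host_threshold: int = 3,
            port_threshold: int = 5) -> List[Dict]:
    """Group denied attempts by outside source and raise an alert per pattern seen."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            denied[e["src"]].append(e)

    alerts = []
    for src, evs in denied.items():
        window = {"first": evs[0]["ts"], "last": evs[-1]["ts"]}   # timeline for the post mortem
        hosts = sorted({e["dst"] for e in evs})
        if len(hosts) >= host_threshold:
            alerts.append({"src": src, "kind": "host sweep", "hosts": hosts, **window})
        ports_by_host = defaultdict(set)
        for e in evs:
            ports_by_host[e["dst"]].add(int(e["dport"]))
        for dst, ports in ports_by_host.items():
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "kind": "port scan", "host": dst,
                               "ports": sorted(ports), **window})
    return alerts


def report(text: str = SAMPLE_LOG) -> List[Dict]:
    return analyse(parse(text))


if __name__ == "__main__":
    for alert in report():
        print(alert)
```

Note that the permitted mail delivery from the third source never appears in an alert: a permit is what the policy intended, so the interesting signal is in the denies, and only the denies that form a pattern. With the thresholds shown, a single stray connection attempt is retained in the parsed events but does not page anyone.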