How To Build And Run A Firewall

We take a look at some of the issues involved in choosing, setting-up and running a firewall.

By Simon Bisson

Now that corporate access to the Internet is seen as a business advantage, more and more companies are finding themselves having to think long and hard about the security implications of a connection. With attacks on business computer systems becoming more visible (and potentially more expensive), and with holes in operating systems more public, some form of Internet security policy is essential. This can include everything from limiting the number of machines and systems with an Internet connection, to controlling what files can enter or leave a company network. A security policy alone won’t prevent attacks and intrusions, so some form of defence is required, often implemented in the form of a firewall.

Definition

A firewall is a set of tools designed to prevent unauthorised access to a network, and can mix hardware and software solutions to provide a layered defence. A typical firewall architecture is based around two concepts: the “choke router” and the “bastion host” [refer also to Understanding Firewalls, File S0499, PCNA Issue 86 - Ed.].

Most routers allow you to define access control lists, which can control exactly which IP packets are routed and to where. Whilst choking an Internet connection this way is an all-or-nothing security mechanism, you can use router access control lists to explicitly deny access to your network for specific packet types, or to make sure that certain packets are only delivered to specific machines so that, for example, mail is only delivered to your mail server or Web access is only to your public Web server or Web proxies.

Keeping the network itself secure is the job of the bastion host. Taking its name from the fortified gateways of a feudal Norman castle, this is what is often thought of as the firewall but is really only part of a layered firewall architecture.

The bastion host is a machine with only one purpose: to pass packets between your network and the Internet. Usually, it’s a dedicated machine with two separate network interfaces. The bastion host will act as an active router, linking your private network to the Internet, monitoring the state of connection and blocking packets that don’t meet the rules you have defined.

If you use it for anything other than as an Internet gateway, you may be adding weaknesses to a security architecture. For example, if you use the machine for reading email, it’s possible for someone to send an email with an embedded ActiveX control so that, when you read the message, the control turns off the firewall.

You must make sure that the bastion’s operating system is configured to prevent any packets being routed directly between its network interfaces. Most commercial packages will handle this for you, but if you are unsure, you can configure most dialects of Unix to stop any internal routing.

The DMZ

Between the choke router and the bastion host lies the “Demilitarised Zone”. The DMZ is a partially protected area, where you can install public services. Machines in the DMZ should not be fully trusted, and should only be used for single purposes - such as a Web server or an ftp server. Any extra services should be disabled, and user accounts kept to a minimum. If it is possible to only allow logins from trusted hosts or the system console, all other access routes should be removed. Some firewall packages make the DMZ more secure by using a third network interface to host public services and using the firewall software to protect them rather than a choke router.

It’s sometimes best to think of Internet security policies in terms of the “Four Ps”, namely Paranoia, Pragmatism, Permissiveness and Promiscuity. Each approach is the result of a different assessment of the risks involved in opening a corporate network to the Internet:

• A Paranoid network is never connected to the Internet.
• A Pragmatic network only permits selected applications and services access to the Internet, and blocks all others.
• A Permissive network lets all applications have access to the Internet, except for those specifically seen as a threat.
• A Promiscuous network is connected directly to the Internet, and lets all applications and services have full access to and from the Internet.

One of the best techniques for securing a network is to hide it from the Internet. A range of IP addresses is reserved for intranet use, and allows you to build as large a network as you like, as long as you use some form of network address translation to allow packets to travel into and out of your network.

Issue 95 (May 1998) Page 3
PC Network Advisor File: T1803.1
Documented in RFC 1918 “Address Allocation for Private Internets”, the reserved addresses are allocated in three ranges: a single Class A address from 10.0.0.0 to 10.255.255.255; 16 Class B addresses from 172.16.0.0 to 172.31.255.255; and 255 Class C addresses from 192.168.0.0 to 192.168.255.255.

The available address space is larger than most companies will ever need, and allows you to develop your own network numbering scheme quickly. Moving an existing network to one of these address schemes is a tricky process, but if handled correctly can be achieved with little or no disturbance. Using these reserved addresses, and an address-translating firewall, you can keep your internal systems from direct external access, providing pathways through the firewall only to trusted hosts or to specific services. Network address translation is a standard feature with most modern application gateway-based firewalls, or can be added as an optional extra to packet filter-based systems.

Choosing A Firewall

Two basic technologies are used to build active firewalls, namely stateful packet filters and application gateways. These operate in different ways, and have different effects on how you run your Internet connection.

It is relatively simple to block access using packet filtering techniques, which can allow or prevent access to services from specific machines. This can be carried out either at a high level on a site’s access routers or specifically on a firewall machine. A router alone cannot fully control a stream of IP packets, as it cannot monitor the state of incoming and outgoing packets - so some protocols like ftp which use more than one datastream present problems for a router-based firewall.

Things get worse when you use a connectionless protocol like UDP, which forms the basis of essential Internet services like DNS. In order to control UDP streams in a firewall, you need to add some form of state monitoring to a packet filter, so that the firewall can control access based on packet requests and sophisticated rules (see Figure 1).

Figure 1 - State Monitoring.

At a higher level, application- and circuit-level gateways act as routers that pass only specific packets on to specific machines (eg, HTTP requests to a Web server, or SMTP packets to a mail server). You can use application gateways to transmit only application-specific data across a firewall, which can be processor-intensive. Circuit-level gateways open a virtual circuit on receiving a valid handshake, but do not analyse packet traffic, and in some cases require use of modified software - especially true in the case of the commonly used SOCKS gateway package. These gateway techniques have a considerable advantage over packet filtering techniques in that the true network address of a protected machine is always hidden from any external networks (see Figure 2).

There are a large number of firewall tools available, for virtually every operating system. It’s worth looking at the various Internet resources available before choosing a firewall, and then trying one or two evaluation copies before you decide what to use. You’ll find there are tools that suit every budget, from the free TIS Firewall Toolkit, through to the cheap and powerful GNATbox, to the heavy-hitting corporate firewalls from Digital with AltaVista Firewall 97 and Checkpoint’s Firewall-1, as well as Raptor’s Eagle and TIS’s (now part of Network Associates) Gauntlet.

Next Steps

Once you’ve built a firewall, you can add extra features. One useful addition is the use of a virus checker like MIMEsweeper between an email gateway and your SMTP mailer, so all encapsulated files are virus-checked before entry into a system.

Not Firewalls

Remember that a gateway tool or a proxy server is not a firewall. Packages like Wingate or the Microsoft Proxy Server make it easy for you to connect a small network to the Internet. However, they don’t protect it from intrusion or from malicious use of your resources. There have been an increasing number of cases where spammers have used proxied mail servers to relay unsolicited commercial email, at considerable cost to the owners of the systems that were hijacked.
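The state monitoring discussed under Choosing A Firewall (Figure 1), together with the choke-router rules that deliver mail only to the mail server and Web requests only to the Web server, as an added example that is not code from the article or from any product it names: a toy stateful packet filter beside the stateless decision a plain router ACL is limited to. The server addresses, the 30-second timeout and the packet tuples are constructed assumptions, and address translation is left out, so addresses appear as seen on the internal side.

```python
import time
from typing import NamedTuple

# Constructed sample addresses for the DMZ mail and Web servers (not from the article).
MAIL_SERVER, WEB_SERVER = "192.0.2.25", "192.0.2.80"
STATIC_ALLOW = {(MAIL_SERVER, 25), (WEB_SERVER, 80)}   # choke-router style exceptions

class Packet(NamedTuple):
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives from the Internet side

def flow_key(p):
    # Normalise both directions to (proto, inside, inside port, outside, outside port)
    # so a DNS reply looks up the same entry its query created.
    if p.inbound:
        return (p.proto, p.dst, p.dport, p.src, p.sport)
    return (p.proto, p.src, p.sport, p.dst, p.dport)

class StatefulFilter:
    """State monitoring as in Figure 1: outbound packets create table entries, and
    inbound packets are admitted only as static exceptions or as replies to a flow
    the inside already started; entries expire after `timeout` seconds."""

    def __init__(self, timeout=30.0, now=time.monotonic):
        self.timeout, self.now, self.state = timeout, now, {}   # now: injectable clock

    def decide(self, p):
        t = self.now()
        if not p.inbound:
            self.state[flow_key(p)] = t + self.timeout
            return "accept"
        if p.proto == "tcp" and (p.dst, p.dport) in STATIC_ALLOW:
            return "accept"       # public services reachable only on their own hosts
        if self.state.get(flow_key(p), 0.0) > t:
            self.state[flow_key(p)] = t + self.timeout   # refresh the live flow
            return "accept"
        return "drop"

def stateless_decide(p):
    """What a router ACL without a state table must do to let DNS answers back in:
    open UDP from source port 53 to everyone, the hole that state monitoring closes."""
    if not p.inbound:
        return "accept"
    if p.proto == "udp" and p.sport == 53:
        return "accept"
    if p.proto == "tcp" and (p.dst, p.dport) in STATIC_ALLOW:
        return "accept"
    return "drop"

def dns_scenario():
    """Walk the UDP/DNS case from the text; addresses are as seen on the inside."""
    clock = [0.0]
    fw = StatefulFilter(timeout=30.0, now=lambda: clock[0])
    query = Packet("udp", "10.1.1.5", 40000, "198.51.100.53", 53, inbound=False)
    reply = Packet("udp", "198.51.100.53", 53, "10.1.1.5", 40000, inbound=True)
    probe = Packet("udp", "203.0.113.9", 53, "10.1.1.5", 41000, inbound=True)  # unsolicited
    results = [fw.decide(query), fw.decide(reply), fw.decide(probe)]
    clock[0] = 60.0                      # well past the 30 s timeout
    results.append(fw.decide(reply))     # stale "reply" with no live entry
    results.append(stateless_decide(probe))
    return results
```

dns_scenario() returns the five decisions in order: the query and its matching reply are accepted, the unsolicited port-53 probe and the stale reply are dropped, and the stateless rule has to accept the probe.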
Running A Firewall

Once you’ve chosen a firewall, you can begin to define the rules and procedures you will use to defend your systems. As an example, I’ll look in more detail at Digital’s AltaVista Firewall 97 package. One of the more common firewalls, it is available both for most major Unix dialects and Windows NT. AltaVista Firewall 97 is based around the linked concepts of trusted hosts, and application- and circuit-level gateways. Using these, you can control access to the Internet from your internal systems, and also to your internal systems from the Internet.

A trusted host is a machine that you have allowed access to your resources from the Internet, and is owned and operated either by your organisation or a partner company. You can allow these systems limited access through the firewall, usually on a specific services basis. An application gateway acts as a secure proxy, and limits access to Internet services, either by authorising users or by trusted hosts. Application gateways will also monitor the behaviour of a connection, and flag warnings if specific alarm thresholds are crossed.

Once you’ve installed it, AltaVista Firewall will start up in a “paranoid” mode, with all access through the firewall disabled, apart from the basic Web and mail proxies. All other proxies must be configured before being started, allowing you to build a pragmatic security policy.

Figure 2

AltaVista Firewall is designed to control access to services on internal and external networks. This is achieved by using trusted proxies for all services that require a connection. In this environment, users and systems on your internal network do not connect directly to the Internet, and direct external access is prevented, with all internal and external connections carried through the firewall’s trusted proxies. The AltaVista trusted proxies carry out the following security checks:

• The proxy checks the IP number of the requesting system. If it is not authorised, connections will be rejected.
• Some proxies limit the available operations to a subset of the full service.
• All connections and attempted connections are logged.

You’ll find that AltaVista installs the following proxies:

• HTTP - for Web connections.
• ftp - for file transfers.
• Telnet - for remote terminal access.
• SMTP - for Internet email.
• NNTP - for access to news servers.
• RealAudio - for cross-Internet mul-
• Generic - for custom applications.
• SQL*Net - for access to Oracle data-
• Finger - to see if someone is online.

You probably will only require a limited number of these proxies. Initially internal desktop systems should only be allowed access to World Wide Web connections, with specific systems being given ftp access if required.

Event Logs

You can use AltaVista Firewall to log all significant events. These include network connections, mail transactions and all uses of proxies. You can use the logs to produce reports and to generate alerts for your system administration team. Log files are created daily, and are stored in date-specific directories. They are not deleted automatically, and will need to be deleted manually.

The AltaVista Firewall continually monitors firewall activity. When a potentially dangerous event is detected, the alarm system is used to determine the action to be taken. Each service has a default alarm configuration. You can fine-tune these from the firewall GUI. Alarms are built around user-defined rules, and are used to trigger various responses, up to and including closing down all firewall activity (thus not allowing any traffic through).

AltaVista Firewall uses the system logs to generate various reports on system activity and security. By default, a summary report is mailed to the system administrator, but you can customise report types, and their destination and frequency. Reports can be automatically mailed daily, weekly or monthly, and are generated just after midnight. Individual reports can indicate:

• The 10 largest transfers.
• The 10 longest transfers.
• The 10 most frequent users.
• The 10 days with most frequent

The AltaVista Firewall WWW proxy acts as a gateway from internal systems to the Internet at large. The proxy accepts connections from internal systems, rewrites the network address, and requests data from the target external Web servers. You can configure the WWW proxy to allow access from specific IP addresses, and so control access by your users, by adding and removing IP addresses to and from a list.

You can also use the WWW proxy as a Web cache to improve Web access for users. A heavily-used cache can take up a lot of disk space, so initially
the Web proxy should be configured without a cache. If log analysis shows that certain sites are accessed regularly, you can then set up a cache. It’s a good idea to set the cache lifetime to a week, and sites with a high number of dynamic pages should be excluded from the cache.

If casual Internet use is a problem, AltaVista Firewall can be used to block access to specific sites. This list is then applied globally to all outgoing HTTP proxy connections. In order to prevent access to a banned site the site name or IP address will need to be specified, with wild cards to prevent access to specific directories. As AltaVista only has explicit blocks, to ensure that sites are completely blocked they should be listed by both name and IP number, otherwise your users could find a way around your blocks.

If you want to use ftp, you’ll find that by default the AltaVista firewall proxy prevents access from external systems to internal resources. You can apply time restrictions to the proxy, so you can limit access to normal working hours. Unless a user is required to use ftp as part of his or her everyday tasks it is recommended that details of how to connect to the ftp proxy only be given when required, and that the firewall ftp logs are monitored for unauthorised usage.

If you’re using Windows NT, access to ftp can be limited to users who have authenticated NT user IDs. This will require that the server is part of an NT domain, and that you’ve set up AltaVista Firewall to use NT user authentication. You can also use a blacklist to prevent specific machines from accessing ftp resources. The blacklist is a list of DNS names and IP numbers, and is common to the ftp, telnet, generic, news, RealAudio, SQL*Net and finger proxies, but can be applied to these proxies only when required.

The firewall can be used as a standard SMTP mail relay, passing mail between internal and external systems. It will check all incoming mail to ensure that it is sent from a valid host, it is not being sent to a file or a program and it contains no forbidden SMTP keywords. Outgoing mail is processed to ensure that it is a valid SMTP message, Received headers are removed for hidden DNS environments, and “From:” headers are rewritten to ensure compliance with any corporate standards.

Generic Proxy

If you’re using Internet applications that AltaVista Firewall doesn’t have a built-in proxy for, you can use the generic proxy to create custom proxies for these services. AltaVista Firewall’s generic TCP proxy uses the TCP/IP protocol’s port and socket model to allow connections for a specific port to be relayed from one side of the firewall to another. You can create multiple proxies, with unique names and port numbers. A generic proxy can be associated with specific source and destination addresses, allowing application tunnels to be created. This can be used to prevent unauthorised access to specific applications and services, by limiting access to specific hosts or subnets.

Testing A Firewall

Once you’ve built and installed a firewall, it’s never safe to assume that your network is completely secure. Recent figures indicate that a substantial percentage of intrusions are into sites that have firewalls. You should regularly test your firewall with the latest security scanning tools, as well as keeping up to date with the security community’s latest bulletins by subscribing to the BUGTRAQ and Firewalls mailing lists.

One of the best tools, and most notorious, is Dan Farmer’s SATAN. One of the most respected Internet security professionals, Farmer worked with long-time collaborator (and author of the powerful TCP Wrapper firewall tool) Wietse Venema to produce a program to automate various techniques that probe a network’s defences, and to produce a report of its weaknesses. Freely available over the Internet, SATAN is easy to use, and can be used to create a database of vulnerabilities for every machine on your public Internet-facing network - including your firewall. As SATAN can be used by both network administrators and crackers, it’s sensible to scan your system with SATAN and patch any vulnerabilities as soon as you set up any Internet connection. Whilst SATAN is easy to use, you’ll need a Unix machine and some Perl skills to get it working.

If you’d prefer to use a commercial package, then ISS’s SAFEsuite is designed to scan a wide range of different systems, and will run on most major dialects of Unix and Windows NT. A key component of SAFEsuite is the System Security Scanner, which will run on both internal and external systems, and highlight any security vulnerabilities, including verifying that the latest operating system patches have been added. You can also use tools like this to make sure that no Trojan Horse backdoors have been installed on your system by attackers. There’s also a dedicated firewall test utility, which will highlight everything from minor configuration errors to potential back doors to cases where someone has simply forgotten to switch the firewall on. Details can be found at http://www.iss.net.

Conclusion

A firewall alone is no substitute for a good security policy. To keep a company safe and secure, the hardware and software must be backed up with policies and procedures designed to keep watch on the latest operating system bugs and intrusions, and the latest tools and techniques used by crackers. Of course, never forget that most attacks on computer systems are carried out from inside an organisation, by its employees.

The Author

Simon Bisson is an Internet system architect and was previously technical manager for an Internet service provider.
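The checks the AltaVista trusted proxies and the WWW proxy are described as applying earlier in the article (a permitted-address list for requesting systems, a site block list by name and by IP number with wild cards for directories, and a log entry for every attempt, successful or not), as an added example written for this article rather than the product’s own code; the fnmatch wild-card syntax, the internal address range and the hosts and addresses used are constructed assumptions.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

class WebProxyPolicy:
    """Per-request checks in the style of the trusted WWW proxy described above:
    the requesting system must be on the permitted-address list, the target must
    not be on the block list, and every attempt is logged.  Block patterns are
    matched with fnmatch wild cards against "host/path" (an assumption)."""

    def __init__(self, allowed_clients, block_patterns):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_clients]
        self.blocks = [p.lower() for p in block_patterns]
        self.log = []   # one entry per connection attempt, allowed or rejected

    def client_allowed(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.allowed)

    def site_blocked(self, url):
        u = urlsplit(url)
        target = f"{u.hostname}{u.path or '/'}".lower()   # eg www.example.com/games/x
        return any(fnmatch.fnmatchcase(target, pat) for pat in self.blocks)

    def decide(self, src_ip, url):
        if not self.client_allowed(src_ip):
            verdict = "reject: unauthorised client"
        elif self.site_blocked(url):
            verdict = "reject: blocked site"
        else:
            verdict = "allow"
        self.log.append(f"{src_ip} {url} {verdict}")   # attempts are logged either way
        return verdict == "allow"

def bypass_demo():
    """Why the article says to list a banned site by both name and IP number.
    Hosts, addresses and the internal range are constructed for the demonstration."""
    clients = ["10.0.0.0/8"]
    name_only = WebProxyPolicy(clients, ["www.example.com/*"])
    name_and_ip = WebProxyPolicy(clients, ["www.example.com/*", "203.0.113.80/*"])
    by_name = "http://www.example.com/index.html"
    by_ip = "http://203.0.113.80/index.html"       # same site, reached by IP number
    return {
        "name_only_by_name": name_only.decide("10.1.1.5", by_name),   # blocked
        "name_only_by_ip": name_only.decide("10.1.1.5", by_ip),       # slips through
        "name_and_ip_by_ip": name_and_ip.decide("10.1.1.5", by_ip),   # blocked
        "unauthorised_client": name_and_ip.decide("203.0.113.9", "http://news.example.net/"),
        "log_lines": len(name_only.log) + len(name_and_ip.log),
    }
```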