How To Build And Run A Firewall

Tutorial:Internet How To Build And Run A Firewall We take a look at some of the issues involved in choosing, setting-up and running a firewall. By Simon Bisson N ow that corporate access to the Internet is seen as a business advantage, more and more companies are finding themselves Bastion Host Keeping the network itself secure is the job of the bastion host. Taking its name from the fortified gateways of a extra services should be disabled, and user accounts kept to a minimum. If it is possible to only allow logins from trusted hosts or the system console, all having to think long and hard about other access routes should be removed. the security implications of a connec- feudal Norman castle, this is what is Some firewall packages make the tion. often thought of as the firewall but is DMZ more secure by using a third net- With attacks on business computer really only part of a layered firewall work interface to host public services systems becoming more visible (and architecture. and using the firewall software to pro- potentially more expensive), and with The bastion host is a machine with tect them rather than a choke router. holes in operating systems more pub- only one purpose: to pass packets be- lic, some form of Internet security pol- tween your network and the Internet. Usually, it’s a dedicated machine with Firewall Policies icy is essential. This can include everything from limiting the number two separate network interfaces. The It’s sometimes best to think of In- of machines and systems with an In- bastion host will act as an active router, ternet security policies in terms of the ternet connection, to controlling what linking your private network to the “Four Ps”, namely Paranoia, Pragma- files can enter or leave a company net- Internet, monitoring the state of con- tism, Permissiveness and Promiscuity. work. A security policy alone won’t nection and blocking packets that Each approach is the result of a differ- prevent attacks and intrusions, so don’t meet the rules you have defined. ent assessment of the risks involved in some form of defence is required, often If you use it for anything else than opening a corporate network to the implemented in the form of a firewall. as an Internet gateway, you may be Internet: adding weaknesses to a security architecture. For example, if you use the q A Paranoid network is never con- Definition machine for reading email, it’s possible nected to the Internet. A firewall is a set of tools designed for someone to send an email with an q A Pragmatic network only permits to prevent unauthorised access to a embedded ActiveX control so that, selected applications and services network, and can mix hardware and when you read the message, the con- access to the Internet, and blocks all software solutions to provide a layered trol turns off the firewall. others. defence. A typical firewall architecture You must make sure that the q A Permissive network lets all appli- is based around two concepts: the bastion’s operating system is config- cations have access to the Internet, “choke router” and the “bastion host” ured to prevent any packets being except for those specifically seen as [refer also to Understanding Firewalls, routed directly between its network in- a threat. File S0499, PCNA Issue 86 - Ed.]. terfaces. Most commercial packages will q A Promiscuous network is con- Most routers allow you to define handle this for you, but if you are un- nected directly to the Internet, and access control lists, which can control sure, you can configure most dialects lets all applications and services exactly which IP packets are routed of Unix to stop any internal routing. have full access to and from the In- and to where. Whilst choking an In- ternet. ternet connection this way is an all-or- The DMZ nothing security mechanism, you can One of the best techniques for secur- use router access control lists to explic- Between the choke router and the ing a network is to hide it from the itly deny access to your network for bastion host lies the “Demilitarised Internet. A range of IP addresses is specific packet types, or to make sure Zone”. The DMZ is a partially pro- reserved for intranet use, and allows that certain packets are only delivered tected area, where you can install pub- you to build as large a network as you to specific machines so that, for exam- lic services. Machines in the DMZ like, as long as you use some form of ple, mail is only delivered to your mail should not be fully trusted, and should network address translation to allow server or Web access is only to your only be used for single purposes - such packets to travel into and out of your public Web server or Web proxies. as a Web server or an ftp server. Any network. Issue 95 (May 1998) Page 3 PC Network Advisor File: T1803.1

Tutorial:Internet Documented in RFC 1918 “Address rules (see Figure 1). powerful GNATbox, to the heavy-hit- Allocation for Private Internets”, the At a higher level, application- and ting corporate firewalls from Digital reserved addresses are allocated in circuit-level gateways act as routers with AltaVista Firewall 97 and Check- three ranges: a single Class A address that pass only specific packets on to point’s Firewall-1, as well as Raptor’s from 10.0.0.0 to 10.255.255.255; 16 specific machines (eg, HTTP requests Eagle and TIS’s (now part of Network Class B addresses from 172.16.0.0 to to a Web server, or SMTP packets to a Associates) Gauntlet. 172.31.255.255; and 255 Class C ad- mail server). You can use application dresses from 192.168.0.0 to gateways to transmit only application- Next Steps 192.168.255.255. specific data across a firewall, which The available address space is can be processor-intensive. Circuit- Once you’ve built a firewall, you larger than most companies will ever level gateways open a virtual circuit on can add extra features. One useful ad- need, and allows you to develop your receiving a valid handshake, but do dition is the use of a virus checker like own network numbering scheme not analyse packet traffic, and in some MIMEsweeper between an email gate- quickly. Moving an existing network cases require use of modified software way and your SMTP mailer, so all en- to one of these address schemes is a - especially true in the case of the com- capsulated files are virus-checked tricky process, but if handled correctly monly used SOCKS gateway package. before entry into a system. can be achieved with little or no distur- These gateway techniques have a con- bance. Using these reserved addresses, siderable advantage over packet filter- Not Firewalls and an address-translating firewall, ing techniques in that the true network you can keep your internal systems address of a protected machine is al- Remember that a gateway tool or a from direct external access, providing ways hidden from any external net- proxy server is not a firewall. Packages pathways through the firewall only to works (see Figure 2). like Wingate or the Microsoft Proxy trusted hosts or to specific services. There are a large number of firewall Server make it easy for you to connect Network address translation is a tools available, for virtually every op- a small network to the Internet. How- standard feature with most modern erating system. It’s worth looking at ever, they don’t protect it from intru- application gateway-based firewalls, the various Internet resources avail- sion or from malicious use of your or can be added as an optional extra to able before choosing a firewall, and resources. There have been an increas- packet filter-based systems. then trying one or two evaluation cop- ing number of cases where spammers ies before you decide what to use. have used proxied mail servers to relay Choosing A Firewall You’ll find there are tools that suit unsolicited commercial email, at con- every budget, from the free TIS Fire- siderable cost to the owners of the sys- Two basic technologies are used to wall Toolkit, through to the cheap and tems that were hijacked. build active firewalls, namely stateful packet filters and application gateways. These operate in different ways, and have different effects on how you run your Internet connection. It is relatively simple to block access using packet filtering techniques, which can allow or prevent access to services from specific machines. This can be carried out either at a high level on a site’s access routers or specifically on a firewall machine. A router alone cannot fully control a stream of IP packets, as it cannot monitor the state of incoming and outgoing packets - so some protocols like ftp which use more than one datastream present problems for a router-based firewall. Things get worse when you use a connectionless protocol like UDP, which forms the basis of essential In- ternet services like DNS. In order to control UDP streams in a firewall, you need to add some form of state monitoring to a packet filter, so that the firewall can control access based on packet requests and sophisticated Figure 1 - State Monitoring. File: T1803.2 PC Network Advisor Issue 95 (May 1998) Page 4

Tutorial:Internet Firewalls Running A Firewall ies must be configured before being alerts for your system administration started, allowing you to build a prag- team. Log files are created daily, and Once you’ve chosen a firewall, you matic security policy. are stored in date-specific directories. can begin to define the rules and pro- They are not deleted automatically, cedures you will use to defend your and will need to be deleted manually. systems. As an example, I’ll look in Application Gateways more detail at Digital’s AltaVista Fire- AltaVista Firewall is designed to con- wall 97 package. One of the more com- Alarms trol access to services on internal and mon firewalls, it is available both for external networks. This is achieved by The AltaVista Firewall continually most major Unix dialects and Windows using trusted proxies for all services monitors firewall activity. When a po- NT. AltaVista Firewall 97 is based that require a connection. In this envi- tentially dangerous event is detected, around the linked concepts of trusted ronment, users and systems on your the alarm system is used to determine hosts, and application- and circuit- internal network do not connect di- the action to be taken. Each service has level gateways. Using these, you can rectly to the Internet, and direct exter- a default alarm configuration. You can control access to the Internet from your nal access is prevented, with all internal fine-tune these from the firewall GUI. internal systems, and also to your in- and external connections carried Alarms are built around user-defined ternal systems from the Internet. through the firewall’s trusted proxies. rules, and are used to trigger various A trusted host is a machine that you The AltaVista trusted proxies carry responses, up to and including closing have allowed access to your resources out the following security checks: down all firewall activity (thus not al- from the Internet, and is owned and lowing any traffic through). operated either by your organisation q The proxy checks the IP number of or a partner company. You can allow the requesting system. If it is not these systems limited access through Reports authorised, connections will be re- the firewall, usually on a specific serv- jected. AltaVista Firewall uses the system ices basis. An application gateway acts q Some proxies limit the available op- logs to generate various reports on sys- as a secure proxy, and limits access to erations to a subset of the full serv- tem activity and security. By default, a Internet services, either by authorising ice. summary report is mailed to the sys- users or by trusted hosts. Application q All connections and attempted con- tem administrator, but you can cus- gateways will also monitor the behav- nections are logged. tomise report types, and their iour of a connection, and flag warnings destination and frequency. Reports if specific alarm thresholds are crossed. You’ll find that AltaVista installs can be automatically mailed daily, Once you’ve installed it, AltaVista the following proxies: weekly or monthly, and are generated Firewall will start up in a “paranoid” just after midnight. Individual reports mode, with all access through the fire- q HTTP - for Web connections. can indicate: wall disabled, apart from the basic q ftp - for file transfers. Web and mail proxies. All other prox- q Telnet - for remote terminal access. q The 10 largest transfers. q SMTP - for Internet email. q The 10 longest transfers. q NNTP - for access to news servers. q The 10 most frequent users. q RealAudio - for cross-Internet mul- q The 10 days with most frequent timedia. connections. q Generic - for custom applications. q SQL*Net - for access to Oracle data- Application Gateways bases. q Finger - to see if someone is online. The AltaVista Firewall WWW proxy acts as a gateway from internal You probably will only require a systems to the Internet at large. The limited number of these proxies. In- proxy accepts connections from inter- itially internal desktop systems should nal systems, rewrites the network ad- only be allowed access to World Wide dress, and requests data from the Web connections, with specific sys- target external Web servers. You can tems being given ftp access if required. configure the WWW proxy to allow access from specific IP addresses, and Event Logs so control access by your users, by adding and removing IP addresses to and You can use AltaVista Firewall to from a list. log all significant events. These include You can also use the WWW proxy network connections, mail transactions as a Web cache to improve Web access and all uses of proxies. You can use the for users. A heavily-used cache can Figure 2 logs to produce reports and to generate take up a lot of disk space, so initially Issue 95 (May 1998) Page 5 PC Network Advisor File: T1803.3

Tutorial:Internet the Web proxy should be configured den DNS environments, and “From:” Internet connection. Whilst SATAN is without a cache. If log analysis shows headers are rewritten to ensure com- easy to use, you’ll need a Unix machine that certain sites are accessed regu- pliance with any corporate standards. and some Perl skills to get it working. larly, you can then setup a cache. It’s a If you’d prefer to use a commercial good idea to set the cache lifetime to a Generic Proxy package, then ISS’s SAFEsuite is de- week, and sites with a high number of signed to scan a wide range of different dynamic pages should be excluded If you’re using Internet applications systems, and will run on most major from the cache. that AltaVista Firewall doesn’t have a dialects of Unix and Windows NT. A If casual Internet use is a problem, built in proxy for, you can use the ge- key component of SAFESuite is the AltaVista Firewall can be used to block neric proxy to create custom proxies System Security Scanner, which will access to specific sites. This list is then for these services. AltaVista Firewall’s run on both internal and external sys- applied globally to all outgoing HTTP generic TCP proxy uses the TCP/IP tems, and highlight any security vul- proxy connections. In order to prevent protocol’s port and socket model to nerabilities, including verifying that access to a banned site the site name or allow connections for a specific port to the latest operating system patches IP address will need to be specified, be relayed from one side of the firewall have been added. You can also use with wild cards to prevent access to to another. You can create multiple tools like this to make sure that no specific directories. As AltaVista only proxies, with unique names and port Trojan Horse backdoors have been in- has explicit blocks, to ensure that sites numbers. A generic proxy can be asso- stalled on your system by attackers. are completely blocked they should be ciated with specific source and desti- There’s also a dedicated firewall listed by both name and IP number, nation addresses, allowing application test utility, which will highlight every- otherwise your users could find a way tunnels to be created. This can be used thing from minor configuration errors around your blocks. to prevent unauthorised access to spe- to potential back doors to cases where If you want to use ftp, you’ll find cific applications and services, by lim- someone has simply forgotten to that by default the AltaVista firewall iting access to specific hosts or subnets. switch the firewall on. Details can be proxy prevents access from external found at http://www.iss.net. systems to internal resources. You can Testing A Firewall apply time restrictions to the proxy, so Conclusion you can limit access to normal working Once you’ve built and installed a hours. Unless a user is required to use firewall, it’s never safe to assume that A firewall alone is no substitute for ftp as part of his or her everyday tasks your network is completely secure. Re- a good security policy. To keep a com- it is recommended that details of how cent figures indicate that a substantial pany safe and secure, the hardware to connect to the ftp proxy only be percentage of intrusions are into sites and software must be backed up with given when required, and that the fire- that have firewalls. You should regu- policies and procedures designed to wall ftp logs are monitored for unau- larly test your firewall with the latest keep watch on the latest operating sys- thorised usage. security scanning tools, as well as tem bugs and intrusions, and the latest If you’re using Windows NT, access keeping up to date with the security tools and techniques used by crackers. to ftp can be limited to users who have community’s latest bulletins by sub- Of course, never forget that most at- authenticated NT user IDs. This will scribing to the BUGTRAQ and Fire- tacks on computer systems are carried require that the server is part of an NT walls mailing lists. out from inside an organisation, by its domain, and that you’ve set up Al- One of the best tools, and most no- employees. taVista Firewall to use NT user authen- torious, is Dan Farmer’s SATAN. One tication. You can also use a blacklist to of the most respected Internet security prevent specific machines from access- professionals, Farmer worked with ing ftp resources. The blacklist is a list long-time collaborator (and author of of DNS names and IP numbers, and is the powerful TCP Wrapper firewall common to the ftp, telnet, generic, tool) Wietse Venema to produce a pro- news, RealAudio, SQL*Net and finger gram to automate various techniques proxies, but can be applied to these that probe a network’s defences, and to PCNA proxies only when required. produce a report of its weaknesses. The firewall can be used as a stand- Freely available over the Internet, ard SMTP mail relay, passing mail be- SATAN is easy to use, and can be used tween internal and external systems. It to create a database of vulnerabilities will check all incoming mail to ensure for every machine on your public In- that it is sent from a valid host, it is not ternet-facing network - including your The Author being sent to a file or a program and it firewall. As SATAN can be used by contains no forbidden SMTP key- both network administrators and Simon Bisson is an Internet system words. Outgoing mail is processed to crackers, it’s sensible to scan your sys- architect and was previously tech- ensure that it is a valid SMTP message, tem with SATAN and patch any vul- nical manager for an Internet serv- received headers are removed for hid- nerabilities as soon as you set up any ice provider. File: T1803.4 PC Network Advisor Issue 95 (May 1998) Page 6

New Reviews from Tech Support Alert Anti-Trojan Software Reviews A detailed review of six of the best anti trojan software programs. Two products were impressive with a clear gap between these and other contenders in their ability to detect and remove dangerous modern trojans. Inkjet Printer Cartridge Suppliers Everyone gets inundated by hundreds of ads for inkjet printer cartridges, all claiming to be the cheapest or best. But which vendor do you believe? Our editors decided to put them to the test by anonymously buying printer cartridges and testing them in our office inkjet printers. Many suppliers disappointed but we came up with several web sites that offer good quality cheap inkjet cartridges with impressive customer service. Windows Backup Software In this review we looked at 18 different backup software products for home or SOHO use. In the end we could only recommend six though only two were good enough to get our “Editor’s Choice” award The 46 Best Freeware Programs There are many free utilities that perform as well or better than expensive commercial products. Our Editor Ian Richards picks out his selection of the very best freeware programs and he comes up with some real gems. Tech Support Alert http://www.techsupportalert.com

How To Build And Run A Firewall

by Sandra4211

Accessibility

Upload Details

Usage Rights

Statistics