MOST BUSINESSES TODAY have learned that an Internet connection sharpens their competitive edge by giving them (and their customers) timely access to information. But connecting to the Internet spawns a new set of responsibilities for IS departments: They must deliver reliable Internet services to corporate users while ensuring that systems and information stay secure from outside threats--such as hackers--that an Internet connection exposes them to. An important tool for protecting a corporate network from Internet intrusions is a firewall--an intelligent device that controls traffic between two or more networks for security purposes.
Just as a firewall blocks the spread of a real fire, a network firewall is a hardware/software barrier between a corporate network and the Internet. The firewall gives you control over who can access the connection and how they can access it. A firewall usually consists of a UNIX or Windows NT computer running special firewall software, though other hardware platforms such as routers can also run firewall software. Although this software is usually associated with Internet connections, you can use firewalls to control traffic between parts of an intranet or between networks of different corporations.
Before you set up a firewall, you need a risk analysis to determine whether your organization is a candidate for a firewall and you need to draft an Internet security policy. For information about these issues, see "Who Needs a Firewall?" page 120, and "Drafting an Internet Policy Document," page 125.
Different organizations have different firewall needs. Based on those differing needs, firewall features fall into five major categories:
The rest of this article explores the significant issues in each category and examines the features specific to NT firewalls. (For more information about NT firewall products, see "Windows NT-based Firewall Vendors," page 122. And for information about National Computer Security Association--NCSA--certification for firewall products, see "Can Your Firewall Take the Heat? " page 124.)
A basic firewall lets corporate-network users access common Internet services while preventing unauthorized outside users from accessing internal systems. A firewall needs to let a security administrator set up rules for the types of allowed and prohibited connections. In addition, a firewall needs to ensure that internal IP addresses remain invisible to the Internet and allow the IP address range that you use inside the firewall to be different from and larger than your company's registered Class A, B, or C IP address range. (For more information on NT and IP addressing, see Mark Minasi, "How to Set Up IP," February 1996; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; and "DHCP and Assigning IP Addresses," August.)
Firewalls also log network activity in detail, filter the log to produce meaningful reports, and alert a network administrator when the network has reached a predefined suspicious-activity threshold. Make sure your firewall software supports at least the following Internet services: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Gopher, Simple Mail Transfer Protocol (SMTP), Telnet. Your firewall also needs a way to provide Domain Name System (DNS) name resolution (preferably by letting you run DNS on the firewall and on an internal system).
In addition, a basic firewall system needs to be easy to use. In particular, adding rules to firewall software needs to be easy and, more important, examining and understanding previously entered rules needs to be easy.
A firewall should have a graphical interface, especially if the firewall will be administered by a staff member who is used to NT. Finally, a firewall needs high-quality documentation that clearly explains how to configure each type of Internet service and explains address-related issues such as setting up DNS and configuring Web browsers.
Packet Filters and Proxy Systems
The two main methods for providing a basic firewall are packet filters and proxy systems. A packet filter is a device (usually a router with traffic-filtering capabilities) that controls traffic based on the IP source/destination addresses and the TCP source/destination port in the header information of each TCP/IP packet sent across a network (a port is a number that identifies the service the packet is using). For example, you can set up a traffic filter on a router that allows IP traffic only with a source or destination IP address that corresponds to the Dynamic Host Configuration Protocol (DHCP) scope you use for client workstations. You can add another filter that specifically disallows TCP port 139, the port number NetBIOS uses for connections over TCP/IP--the port number Windows clients use to log on to servers (remember that even NT Workstation clients can run the NT Server service). Finally you can filter User Datagram Protocol (UDP) on ports 137 and 138, which NT uses to advertise computer names and related information. With these steps, you build a simple packet filter that goes some of the way toward preventing outsiders from directly connecting to an internal server, while allowing internal users to access Internet services.
This packet filter is far from perfect. For example, suppose a hacker tries to connect to each machine in your DHCP that uses FTP on TCP port 21. In your DHCP scope, the hacker might find a machine running FTP server software. The hacker could then upload a file to that machine. He or she might upload an executable file with a similar name to a file the user has recently downloaded but that produces unexpected results when the user accidentally clicks on it. A better security approach is to disallow all TCP and UDP ports except those your users need (such as TCP port 80 for HTTP).
Even when you create a filter that permits only essential traffic, packet-filtering devices alone usually don't provide adequate security. The reason for this inadequacy is that packet filters can't establish whether an IP source address is valid (a hacker can use a forged address) nor ensure a TCP source port will be used only for the service commonly associated with that port. A hacker can run any client or server program on a source port running through your packet filter. However, packet filters are well-suited to supplementing the protection that a firewall provides. For example, you can place routers with packet filters on one or both sides of a firewall to increase overall security and limit your organization's dependence on a single machine.
The proxy system shown in Figure 1 provides a more secure firewall than a packet filter alone. The proxy system (sometimes called an application-level gateway) consists of a host running both a proxy server program and a proxy client program (the proxy server and proxy client are also called a proxy service, or proxy). The firewall host usually has two network adapter cards: one that communicates between the firewall system and an internal network and another that communicates between the firewall and an external network such as the Internet (this setup is a dual-homed gateway). For more information on how a proxy works and Microsoft's proxy server, Internet Access Server, see Mark Edwards, "Microsoft's Internet Access Server," September 1996; "Configuring Internet Access Server," October; and "Exploring Internet Access Server Software," page 74.
A user connecting to the Internet first connects to the proxy server running on the firewall. Then on behalf of the real client, the proxy client (also running on the firewall) establishes a session with the destination host. For example, to establish a Web connection, a Web browser connects to a proxy Web server running on the firewall machine. After verifying that this connection is allowed, the proxy Web server starts a proxy Web client, which then connects to the destination Web server. Most proxy system firewalls support transparent connection, which means the firewall is not apparent to an authorized user.
A proxy system is a secure solution because it protects an internal corporate network from the hazards of a direct IP connection. To Internet hackers, a site with a proxy system appears as only one computer and IP address establishing Internet connections; the firewall hides the rest of a site's Internet-connected systems and IP addresses.
Besides providing security, a proxy system conserves IP address space. Because the number of Internet-connected systems worldwide is huge and still growing, the number of IP addresses is limited. Each Internet-connected system must have a unique IP address (often an Internet Service Provider--ISP--assigns, clears, and registers the address and class range through InterNIC Registration Services. For more on registering with InterNIC, see Richard Reich, "Registering a Domain Name Is Easy," September 1996). With a proxy system, you need only one unique IP address--that of the proxy; you can use any addressing scheme you want for your internal systems. (If you don't use a proxy system firewall, you must make sure your firewall can map internal addresses to unique IP addresses.)
Proxy systems provide a simple, secure way to implement basic Internet services. So, many firewall products use this approach or combine proxy systems with other methods. If you have to connect a small organization to Internet email and the Web, a simple proxy-based firewall will probably meet your needs.
Additional Internet Services
Proxy systems are a secure, but basic, firewall solution. A disadvantage of the proxy approach is that you must use a separate proxy service for each Internet service you want to support. Many firewalls include proxies for the most common Internet services (HTTP, FTP, Gopher, SMTP, Telnet), but firewalls often do not provide proxies for less common services such as RealAudio, Internet Relay Chat (IRC), and even news protocols. Perhaps this lack of services is because the proxy firewall vendor has not yet developed the proxy or because the Internet service is not well suited to a proxy solution. Services based on connection oriented TCP are usually better suited to a proxy solution than are connectionless UDP-based services, because the proxy approach is connection oriented: A proxy client establishes a connection with the real destination based on an already established connection between the real client and the proxy server.
Because of proxy system limitations, many firewall products provide ways to connect through an Internet gateway or to use an alternative approach. For example, the Eagle NT firewall by Raptor Systems not only provides predefined proxies for FTP, Gopher, HTTP, SMTP, and Telnet but also lets an administrator custom-define uni- or bidirectional service-passing proxies for supporting less common services.
CheckPoint's FireWall-1 uses a different architecture, stateful inspection. The company claims it supports 120 different applications, protocols, and services. Stateful inspection works like packet filtering but may provide better security because it examines application-level information within IP packets and keeps track of a connection's context. To explain the difference between packet filtering and stateful inspection, let me use TCP-based FTP as an example.
An FTP client opens a TCP connection to port 21 (the FTP command port) on the FTP server. The FTP client also picks a random TCP port (usually greater than 1024) for the data channel and tells the FTP server (via the command port) that the client will listen for data on that port. The FTP server then opens a TCP connection to that high TCP port on the client and transfers the data. To let this service pass with a simple packet filter, you need to allow a destination TCP port of 21 for connections originating from the client to the server and allow all destination TCP ports above 1024 for connections from the server to the client. You can tighten this design a little because the FTP service definitions also tell us that the client source port for the command phase is above 1024 and that the server sends data from port 20. However, if you want to let users download files from anywhere on the Internet, you still need to let a host on the Internet establish a session from its port 20 to any port above 1024 on your internal clients.
The problem is that you have no way of telling whether that connection is being used for FTP data transfer or some malicious purpose. This flaw is because such packet filters provide no way of tracking the context of the connection. Checkpoint's FireWall-1, in contrast, does keep track of context or state. When FireWall-1 sees an attempt to connect to port 21 (assuming a rule in the FireWall-1 rule base permits FTP), the program examines the application information in the packet to confirm the packet is FTP. The program then allows packets from the destination FTP server (with a source port of 20) back to destination ports above 1024 on the client that originated the connection. In short, the program keeps track of which FTP data connections are associated with which FTP command connections and allows only those high TCP destination port connections that have a valid reason to be there.
Products that let you configure custom services or use state-oriented architectures provide greater flexibility and security than products that provide only a limited number of predefined proxy services. Consider seriously the more flexible products if your users must access less common or more sophisticated Internet protocols or if your users are so numerous that you must allow for unforeseen requirements. If you have these needs, also look for firewall products that provide many predefined services.
Advanced Security and Control
Many firewalls provide security beyond source-, destination-, and service-based rules. For example, some firewalls allow rules based on time of day, day of week, and date ranges. Other firewalls provide features such as configuration verification and virus scanning. Some firewall products also monitor what processes are running on the firewall system and halt unknown processes.
Another type of advanced firewall security is user-oriented authentication-- the ability to allow or deny certain connections based on a username and password combination or a more advanced scheme for identifying individual users. Some NT-based firewall products that support user-oriented authentication include Eagle NT, FireWall-1, Global Internet's Centri Firewall for Windows NT, and Microsoft's proxy server (Internet Access Server code named Catapult).
Various authentication technologies are available. The simplest forms require entering a username and a reusable password. This method is suitable for controlling only outbound Internet access, because a hacker will guess and eavesdrop to get passwords and user names.
For inbound access, one-time passwords that follow a scheme such as Bellcore's S/KEY provide more security. The S/KEY scheme calculates a six-word, one-time password based on a sequence number, firewall-supplied seed word, and a user's secret password. Users enter a different password each time they connect.
Better still, some firewalls provide integration with one or more credit card-sized, handheld token generators that automatically generate and display the next password the user will enter. Examples include Security Dynamics's SecurID, Digital Pathways's SecureNet Keys (SNKs), CRYPTOCard's CRYPTOCard RB-1, and Digipass S.A.'s Digipass. In addition, watch for firewall systems that support Cisco's TACACS+ or Livingston's RADIUS schemes (predominantly for authenticating users dialing into access servers via the public telephone network). Such support will soon be available for NT--both Checkpoint and Raptor promise support in their respective next releases later this year.
Many organizations also want to control employee access to non business-related Internet sites. Limiting such outbound access is called content filtering. NT-based firewall products currently let you filter content by manually maintaining lists of allowed and prohibited universal resource locators (URLs). This is a tedious process, but advanced content-filtering capabilities will appear in the next releases of products. The first vendor to provide such capabilities will probably be Raptor, which promises CyberPatrol support in its Release 4.0, due this month. Implementing content filtering without using the firewall is also possible. Indeed, because this is a productivity and legal issue rather than a security issue, you can choose to keep the firewall simple and perform the content filtering elsewhere. One alternative is to use specialized content filtering servers, which sit between the users and the firewall (or between the firewall and the Internet) and use a database of URLs supplied by a third-party vendor that classifies sites for you. You can then allow or disallow classes of sites, such as adult, gambling, sports, and leisure, based on criteria such as time of day. Another alternative is to rely on content providers to use RSACi (the Recreational Software Advisory Council's Internet content rating system) to rate their sites. A RSACi-enabled browser (currently, that means Internet Explorer--IE--3.0) lets you set up the browser to allow access only to rated sites that meet your criteria.
Remote Users and Virtual Private Networking
If your company's mobile users or telecommuters must connect to your corporate systems via the Internet, or if you want to establish Internet links with business partners, suppliers, or customers, you must use encryption between the remote locations and your firewall. This use of encryption to enable private communications across the Internet is a Virtual Private Network (VPN). Unfortunately, no NT firewall product supports emerging VPN encryption standards. Instead, vendors use proprietary encryption techniques. So all members of your VPN must use products from the same vendor.
Encryption standards are especially important for Internet connections among trusted business partners (e.g., to support EDI applications). With such standards in place, partners need not have the same firewall to exchange information.
The Internet Engineering Task Force (IETF) has already defined the main set of VPN encryption standards, the IP Security (ipsec) standards. They include the Encapsulation Security Payload (ESP) protocol--RFC 1827--or encryption and the authentication header (AH) protocol--RFC 1826--for authenticating TCP/IP packets. Encryption vendor RSA Data Security has introduced S/WAN, an alternative to ipsec. S/WAN uses the proprietary RC5 encryption protocol. The IETF continues to evaluate standards for a key-management protocol, the method by which encryption keys are automatically passed between computers. (For more on encryption and key management, see Lawrence Hughes, "Secure Enterprise Email," May 1996; "Digital Envelopes and Signatures," September; and "Exchange Email," October.)
If you plan to connect to other organizations across the Internet in the next year or two, find out whether the firewall vendors you're considering have participated in VPN standards interoperability testing and whether they plan to introduce ipsec support (including Internet Security Association and Key Management Protocol--ISAKMP--/OAKLEY key management, which, because of strong support from Cisco Systems and other vendors, is likely to be the key management standard the IETF will choose). Both FireWall-1 and Raptor claim that the next release of their NT firewall products will include ipsec support.
If you want to establish a VPN that includes only your company's sites, you can use proprietary VPN technologies to implement a secure working solution right now. Similarly, if you want to let remote users connect via dial-in Point-to-Point Protocol (PPP), many vendors can provide a solution that uses software on a remote PC to provide an encrypted path back to the firewall. Another common approach is to provide encryption between a remote system and a server inside the firewall. However, this approach requires establishing a path through the firewall, which can open a security hole.
Large organizations usually require an enterprise-capable firewall that includes multiple firewalls and multiple interfaces on those firewalls. An enterprise-capable firewall lets a network administrator centrally manage remote firewalls over an encrypted path and as one entity, with a central point for logging network information. Many firewall products achieve this configuration by separating the management interface program from the rule-processing engine. Some firewall vendors, including CheckPoint and Raptor, also let you download packet filters to routers such as those from Bay Networks and Cisco Systems. An enterprise-capable firewall also needs to provide realtime notification of suspicious activity via email and pager and needs to generate Simple Network Management Protocol (SNMP) traps that you can integrate with the enterprise network management system. (SNMP is a standard protocol that network management systems use to collect information from network devices.)
If you plan to run your firewall on NT, answers to a few additional questions will determine your firewall product needs. For instance, during the product's installation, does it automatically configure NT to maximize security (e.g., does the firewall disable IP forwarding, nonessential services such as the server service, and the guest account)? Is the product tightly coupled with native NT features such as User Manager for Domains, Event Viewer, and Perfmon? Will the product run on the Digital Equipment Alpha version of NT? Will it run on NT 4.0? Is the product integrated with Microsoft's DNS Server, or does it require a different DNS server? (This question is more important if you intend to use NT 4.0, which includes Microsoft's DNS Server.)
Start with the Basics
When evaluating your organization's firewall requirements, start with the basics and add more complexity as needed. A basic firewall that consists of a proxy system and packet-filtering device and supports common Internet services can be enough for a small organization. Large organizations and those with sophisticated users can require multiple firewalls that support more Internet services. Stay tuned for an upcoming article that will review several NT-based firewall products in tests in a real-world, corporate NT environment.
|Windows NT-based Firewall Vendors RELEASED PRODUCTS|
BateTech Software * 303-763-8333
Borderware Firewall Server|
BorderWare * 416-368-7157
CheckPoint Software Technologies
* 415-562-0400 or 800-429-4391
Devon Software * 613-5670-2281 or 800-845-1140
Centri NT Firewall for Windows NT|
Global Internet * 800-682-5550
NetGuard * 214-738-6900
Eagle NT |
Raptor Systems * 617-487-7700
|IN BETA RELEASE|
AltaVista Firewall for Windows NT 3.51|
Digital Equipment Corporation * 800-344-4825
Catapult (Internet Access Server)|
Microsoft * 206-882-8080
Network-1 * 212-293 3068 or 800-638-9751
Trusted Information Systems
* 301-527-9500 or 888-347-3925