[Originally published in BUSINESS COMMUNICATIONS REVIEW, January 1994]

January 1994

The Internet has been discovered — big time. It wasn’t too long ago that only university and government researchers were familiar with it. But now the national media mentions the Internet nearly every week. The current fascination with the Internet involves the growing attention to a national "Information Highway," and from new, more visible users, like U.S. President Bill Clinton and Vice President Al Gore. Their Internet mail addresses are, respectively, president@whitehouse.gov and vice-president@whitehouse.gov.

Expanded interest is also coming from business users and commercial ventures. But whether a user is in business, government or education, the Internet performs essentially the same basic functions: electronic mail, electronic data interchange, sharing of information and remote access to specialized information services and databases.

With all the attention focused on the Internet, it’s easy to forget that it first achieved national exposure because of a security breach-the infamous "Internet Worm" in November 1988. As discussed below, concern over Internet security remains high.

Before we discuss the security problems associated with connecting to the Internet — or to any internetwork — there are a few basics to cover. First, an internetwork is a network of networks. The networks are connected by routers, which ensure that data packets make it from their originating network to their destination network.

To someone sitting at a PC on a LAN, routers make it appear as if all the separate networks that form the internetwork are on a single wire. This characteristic of networks and routers is what makes internetworking possible, but it is also what causes the greatest security threats.

The primary goal of network hardware is to allow smooth communication between computers. But most organizations require privacy of certain computer-stored personal or, proprietary information. These two goals are often in direct conflict. Connecting a private network with an outside network usually means that every computer on the private network becomes vulnerable to invasion or attack. Further, any information that moves from one network to another, possibly via a third, fourth or fifth network in between, is subject to capture and examination at any point on that route.

Computer crackers and network eavesdroppers can exploit the same communication paths that carry valid data transactions. Data on the wire can also be modified as they pass over a network.

Network security concerns can be expressed in terms of "zones of risk": • What are the potential angles of attack? • How will an attacker escalate the attack if he or she finds a way in? • How do you maintain auditing capabilities and boost the integrity of network defenses during an attack?

When a private network is connected to an outside network, each and every computer on the private network can be attacked. And once an attack is successful, the violated computer can be used as a jumping off point for further break-ins.

While the ultimate protection is to make every computer on every desktop completely secure, that isn’t practical. The primary means of network protection is called an internetwork "firewall," and it concentrates its protection on data and on maintaining the integrity of private networks that are connected to outside networks.

The term "firewall" is commonly used, but the image it evokes is not very accurate. The firewall in your car that protects passengers from the engine compartment or the firewall that separates your house from the garage act as simple shields. But today’s network-protection technology works more like gatehouse — a choke point for entrance into a castle.

Today’s "firewalls" come in many different shapes and sizes, but they all provide a specific point to control access between the private network and the outside internets. They provide your last and best defense. Usually this also entails audit trails.

The simplest firewalls are built using screening routers, which provide data and connection screens. These firewalls are widely supported by vendors such as Cisco (Menlo Park, CA), Proteon (Westborough, MA) and Wellfleet (Bedford, MA). Managers configure router-based access rules that use network identification numbers, host numbers, services desired, etc., to determine where connections may be established and by whom. The filtering rules allow each described combination be set to "yes" or "no." Screening routers are also the most common type of firewall on the Internet today — mainly for economic reasons. Since routers are needed to interconnect networks, screening routers don’t add any additional expenses except for the expense and time for someone to learn how to configure and manage it.

But simple screening routers often don’t let you gather or customize audit trails. And no customization is possible, apart from the filter rules, because there is no source code to modify and no operating system to add functions to.

Virtually all firewalls make some use of screening router-type capability, but they can be packaged in different ways. For example, general-purpose computers (for example, running Unix) can replace screening routers, providing a combination host, router and filter in a single package. These firewalls provide the protection of the screening router, but they usually add the following functions:

• Customizable remote audit logging of security and other related data.
• Application gateways on a "bastion host" (bastion hosts are discussed below).

Audit logs that can be sent from the firewall to internal machines or to different media (such as printers or write-once disks) improve security. If the audit log is stored on the firewall system itself, a cracker who successfully breaks in can cover his or her tracks. With a flexible logging scheme, a security administrator can match the level and content of the audit data gathered with the requirements of the site-security policy and procedures.

Application gateways are an important component of a strong Internet firewall and are built on a "bastion host." A bastion host serves as a network strong point-a place where strict enforcement of security policy is concentrated. Typically, a bastion host will have few or no user accounts.

The bastion host’s role is to absorb risk that would otherwise be dispersed throughout a network. Without a bastion host, a network’s zone of risk includes all of its hosts. A bastion host becomes a network’s sole zone of risk, since all communications into and out of the network are channeled through it. The only local host that outside machines can connect to is the bastion host, and the only outside host that internal machines can connect to is the bastion host.

Thus, there is never a connection from any outside machine to any inside machine except via the bastion host. Network routing rules ensure that the bastion host is the only assailable host.

A fundamental, vitally important rule separates this class of firewall from the screening router: No direct connection is ever allowed between any external host and any internal host. Instead, application gateway software on the bastion host allows for auditable services, controlled via an access list, to pass between outside and inside computers.

The application gateway thus acts as a silent sentry. All supported services (for example, electronic mail, remote terminal access and file transfer) work as they would in a directly connected configuration. Some of the gateway software might provide complex services — controlling transmission speeds, for instance — while other software elements are little more than electronic patch panels. All may require heavy duty system or user identification before use is allowed. Finally, application gateway software handles traffic at an application level: The software "knows" the protocol of the application and, unlike screening rules in routers, it can be configured accordingly.

There are two types of bastion host/application gateway firewalls: "black boxes" and "crystal boxes." A "black box" firewall is typically provided with fully configured hardware and software. The software and hardware are usually proprietary, and source code is almost never available.

Black box solutions offer the advantage of hiding the configuration details and security-related software from prying eyes. But that includes the eyes of the buyer. The network security software is proprietary, so it cannot be examined. You have to trust the vendor, the vendor’s reputation, and the vendor’s installed base.

Examples of "black box" firewalls are Interlock by ANS CO+RE Systems (Elmsford, NY) and Raptor’s (Wilmington, DE) family of security boxes. Both are functionally similar and both are widely used on the Internet. Both companies have also earned customer trust and satisfaction.

In a "crystal box," the software that makes up the firewall is open and available for examination and, sometimes, modification-at least by the purchaser. While functionally similar to the "black box" solutions, a "crystal box" solution depends on strong software development methods and security verification rather than obscurity.

With this approach, for example, all security-critical software on which a network’s integrity is trusted can be examined and tested. The source code is available to the customer and can be examined for "trap doors" or other holes or problems for example, to fix bugs or make software modifications.

Examples of "crystal box" approaches are Digital Equipment Corporation’s DEC Seal and Trusted Information Systems’ (TIS — Glenwood, MD) Internet Firewall Toolkit. DEC Seal enjoys wide popularity, and while some of its software is proprietary, source code for all security-related modules is available. TIS’s toolkit provides commercial quality firewall building blocks that promote internetwork security. The toolkit is available on the Internet free of charge for use as a standalone product and is available for licensing for inclusion in other products.

All types of firewalls are harder to set up than they are to maintain. Once in place, the main duty of a firewall administrator is to maintain the security policy, watch the logs and make modifications based on changes in business practices, new security policies or threats and attacks.

While firewalls protect the integrity and data of the network that sits behind it from outside attacks, internetworks present other dangers, for example, eavesdropping. There are ways to protect data, and all involve cryptography.

Privacy Enhanced Mail, for example, is an Internet standard that provides message privacy through encryption and integrity checking through digital signatures. Electronic mail can be sent in such a way that only the intended recipient can read it and any tampering with the message can be detected.

If across-the-board network service encryption is needed for services like FTP or Telnet, encryption devices are employed. These devices examine every network packet before it leaves the private network, and if a packet is destined for outside networks specified by a security administrator, the data portion of the packet is encrypted. Anyone capturing that data packet as it travels over an outside network connection is unable to read it.

When the packet reaches its destination, an encryption device examines it to see if it is sent from its 46 encryption partner" list. If so, the data are decrypted.

Tamper detection is also accomplished with cryptography. Commercial products exist for point-to-point internetwork encryption from UUNET Technologies (Falls Church, VA), Semaphore (Santa Clara, CA), Karlbridge (Columbus, OH) and ANS.

By the end of the decade, a new generation of computer-intrusion detection technology may be available for firewalls and host-based security. Intrusion detection software is under development that will detect possible attacks in progress as well as nonroutine use of a computer. For example, it will note that you are using computer commands that you’ve never used before or running your computer at an unusual time of day or day of the week.

Firewalls will probably also be built on computer systems that can withstand modification attempts (for example, read-only media or "controlled-execution" systems). All of this development work follows this maxim: If the bastion host is your single point of defense, it will also be the main point of attack.

Internet firewalls have proved that they can perform their function they provide protection and make an excellent barrier. But technological mechanisms alone cannot create a successful security perimeter. Sound security policies and procedures must also be developed and implemented, coupled with:

• A clear statement of the business mission, with assumptions and risks articulated. This includes formulating a list of risks to defend against, ranging from things you absolutely cannot permit to happen down to things that can be ignored. Each identified risk should have an associated solution/policy, even if the policy is to ignore that particular risk.
• Simple, understandable source code for all security-critical functions. If the source code for a security-related program is too large and complex to be checked within a couple of minutes, it’s too complicated to be secure.
• Assurance that software failures won’t cause a security breach. You shouldn’t feel comfortable about entrusting your network security to software that has been "hammered on enough that there aren’t likely to be any more bugs." Employ configuration and testing practices such that, even if your software has bugs, an attacker cannot use it to compromise the system. For example, network servers can be run in a "closed" environment like an electronic steel cage-such that even if an attacker were to exploit a bug in the software and break out into the system, the zone of risk is a small, unusable subset of the real bastion host.
• Minimized risk. You must accept that what you don’t know can hurt you. However, a network service that is disabled can’t hurt you. It is impossible for anyone to postulate all the potential risks a system might be susceptible to through network connectivity. Thus, trying to find and disable all network services likely to be at risk is ineffective. It is better to shut down all services and restart only those that are needed-after security measures have been added.
• System verification. Once you’ve shut down all of the network services that aren’t required by your users or by the system, you need procedures in place to verify that the services actually are shut off. Potential security holes are often found by such verification.

As security expert Bill Cheswick of AT&T Bell Laboratories has pointed out: "The Internet supports a vast and growing community of computer users around the world. Unfortunately, this network can provide anonymous access to this community by the unscrupulous, careless or dangerous." In short, the Internet is an exciting, extremely useful place, but it can be dangerous.

Government agencies, financial institutions, pharmaceutical houses, chemical companies and others are connecting private networks to the Internet every day. Some do so with a zone of risk that covers every desktop in the organization. Others use one of the proven mechanisms that exist today to provide excellent protection for their private and proprietary networks. They are sharing in the adventure while minimizing the risks.