Are We Asking Too Much?
a new service through a firewall is easy. Doing it while maintaining the same
high level of security isn't.
BY FREDERICK M. AVOLIO
Another magazine cover story
on firewalls? Aren't they old news by now? In Internet time, don't they fall
into the category of "old, stable technology?"
It's true that Internet
firewalls have been around a long time, particularly when measured in Internet
years. Firewalls are also the oldest Internet security sub-industry (yes, antivirus
software has been around longer, but it started on, and still primarily protects,
But that doesn't mean Internet
firewalls are stable, old technology. Still necessary for Internet security,
firewalls continue to change—to add new features and evolve—as the needs of
the Internet community grow and change. Change comes about because of increased
use of the Internet as well as new service requirements, each of which comes
with its own set of vulnerabilities and threats.
Many of the changes and
additions are useful. Some are just responses to market demand. Others may be
dangerous. It's possible to add feature upon feature to an Internet firewall,
thereby decreasing rather than increasing a network's security. But I'm getting
a little ahead of myself, so let's back up and start with some basics.
Days: Separating "Us" From "Them"
The original, and still
useful, definition of an Internetwork firewall came from Bill Cheswick and Steve
Bellovin in their book, Firewalls and Internet Security: Repelling the Wily
Hacker (Addison-Wesley, 1994). To paraphrase, Cheswick and Bellovin said
that a firewall is a single point between two or more networks (a) through which
traffic must pass (a chokepoint),
(b) with which traffic can be controlled and often authenticated and (c) in
which all traffic is logged. The earliest firewalls were network routers; as
they segmented LANs, they limited the damage that could spread from one sub-network
to another (e.g., due to misconfiguration).
The first security firewalls
were also built on routers. Filtering rules on the routers allowed "permit
and deny" decisions to be made based on the source, destination and type
of IP packet.
As more businesses connected
to the Internet, awareness of Internet security issues
grew. Incidents such as the Morris Worm, which demonstrated just how vulnerable
we really were, spurred this growth. The need for better (read: more granular)
security caused some vendors (notably, DEC and AT&T) to develop their own
solutions to the need for secure Internet access. Some of these solutions were
then made into commercial products. These early firewalls—from DEC, Raptor,
ANS and TIS—concentrated on securely providing the basics: Telnet, FTP, e-mail
and Usenet news.
Then, everything changed,
beginning with the definition of "the basics." To the above list users
added Web access, streaming audio and video services, news and weather feeds,
audio and video conferencing, voice-over IP and other services. Firewalls were
no longer called upon merely to "separate ‘us' from ‘them,'" for arbitrary
values of ‘them,'" in the oft-quoted words of Dr. Bellovin.
The evolution of how we
use firewalls mirrors the changes in how we use computers. Our use has evolved
from mainframes in glass rooms to PCs on our desks to networked computers and
Internet access. The requirements have always included "access"—first
to computer cycles, then to a computer, then to a network, then to the Internet.
Sharing information and communications has always been a requirement as well.
But the objects of communications moved from on-site co-workers to co-workers
in other cities to business partners to customers and, finally, to prospective
customers—indeed, to the whole world.
Responding to this change
in requirements, firewall technology has become more complex. It would be nice
to say that firewalls started off as simple packet filters, moved toward more
security with application gateways, branched off into stateful inspection, and
evolved to today's superior "hybrid" firewall. It makes a nice diagram.
But unfortunately, it's not true. Today, we can talk of filter-based, proxy-based
and hybrid firewalls, from simple appliances all the way to multipurpose servers.
At the same time, firewalls
have had new services added to their basic set of duties, as mentioned above.
In addition to new network services, firewalls have become the base system for
other network and security
of the first additions to firewalls was user-level authentication. This made
sense, since firewalls were asked to control access through the firewall from
the untrusted network, allowing users from home or elsewhere to access information
and other assets on the private side of the firewall. Authentication was a reasonable
extension to the role of firewall as access control.
Encryption. The next
"add-on" was firewall-to-firewall (and then firewall-to-mobile
PC) encryption. Virtual private networks (VPNs) provide confidentiality of
transmissions (as well as authentication and integrity). While there are stand-alone
VPN devices, making the VPN mechanism a part of the firewall is also a reasonable
extension. To work well, there has to be close interaction between the devices.
While a firewall is primarily an access control device, both firewalls and VPNs
are, generally speaking, prevention devices. Close interaction allows
VPN access to the entire internal network from the outside (as in office-to-office
VPNs), or confidentiality with the firewall enforcing access control (as in
connections between a consumer and a supplier).
QoS. Recently, some
firewalls have rolled out quality of service (QoS) features as well. QoS allows
the owner of the Internetwork gateway to control how much of a particular network
connection will be dedicated to (or allowed by) a particular service. For example,
you could ensure that incoming Web connections—say, from a customer or supplier—were
given priority over inside-out connections. Or, you could make sure that someone
downloading a very large file—say, the latest version of Internet Explorer or
Communicator—doesn't clog up the Internet gateway, making access miserable for
Arguably, QoS is a function
that should be handled by the Internet router. On the
other hand, it is an access control function, and thus fits on a firewall platform.
Moreover, some vendors, notably Check Point, have built their QoS engine using
the same technology that's in their firewall. The philosophy here seems to be,
access control is
screening is now a part of just about every firewall's architecture. Content
screening includes virus scanning, URL (Web site) filtering and screening for
key words (typically in inside-to-outside e-mail). Though some have argued that
virus scanning on the desktop, even with marginal coverage, is more beneficial
than scanning at the gateway, gateway scanning fits nicely into a perimeter
defense model. If there weren't such a performance hit, it would be a non-issue.
Is Too Much?
Authentication, VPNs, QoS,
content filtering—as if these security-related add-ons weren't enough, lately
there's a tendency to add non-security-related functions to the firewall as
well. Firewalls now come with built-in Web servers, FTP servers and e-mail systems.
Even non-security-related proxies are added to firewalls (e.g., proxy servers
for streaming audio and video).
While this sort of all-in-one
system has its attractive qualities, we have to keep in mind a fundamental tenet
of security: Security and complexity are often inversely proportional.
Also, it's usually good practice to separate functions (e.g., Web management
from security management). The only practical exception to this advice is in
the case of a very small organization, in which the firewall administrator is
the Webmaster as well as the sysadmin for all systems. Still, the more the firewall
does, the more that can go wrong. The more the services, the larger the log
file. The more people logging into the firewall box to administer it, the greater
the possibility a mistake will be made.
While I'll leave the market
prognostications to the experts (see sidebar), I will venture a few predictions
about the next generation of firewall technology. Currently, there are two interesting
developments (or modifications) to the firewall model that amount to more than
simply adding on another feature or increasing performance.
The first of these is something
I will call "adaptive firewalls." As mentioned earlier, hybrid firewalls—those
that mix filters, circuit gateways and proxies—have been around since the first
commercial firewalls. They are still around today. Since filters are less granular
than circuit gateways (which, in turn, are less granular than application gateways),
hybrid firewalls do not necessarily increase security, though they often increase
functionality. We have to keep in mind that security mechanisms added in parallel
with each other do not usually increase security. However, putting security
mechanisms in series—one after the other—often does.
Adaptive firewalls tie filters,
circuit gateways and proxies together in series. They operate in such a way
that the firewall administrator has greater control over the level of security
used for different services—or, at different points in the use of those services.
For example, the administrator
may decide that the security of an application gateway is required for setting
up an FTP connection and processing the commands. During the actual file transfer,
however, he may decide that speed is more important, thus dropping down to the
granularity of a packet filter. Then, once the file is transferred, he may put
the connection back into "high security" mode.
The second development is
with what I call "reactive firewalls." In the world of prevention,
detection and response systems, firewalls are primarily prevention systems.
They do some detection (e.g., connections to unused ports and login attempts)
and responding (e.g., logging), but these are not their primary purpose.
In reactive firewalls, intrusion
detection and help desk products work in concert to allow the firewall to be
more active than passive. With these additions, a firewall can not only police
access and services, but also change its security posture (and that of the whole
network), issue pages and sound alarms.
More or Less?
As business requirements
change and threats and risks from the Internet grow, firewalls can certainly
keep up. The question is, can they keep up and stay secure? Allowing
a new service through a firewall is easy. Doing so while maintaining the same
high level of security is difficult. Adding complexity to a system makes it
that much harder to trust.
The pulls for change in
firewalls come from many different directions: Internet users behind the firewall
have new business requirements; outside crackers have new attacks; the number
of targets for attack grows as more and more businesses connect to the Internet;
the number of possible avenues of attack increases as we grant access to different
kinds of users.
Some additions to firewalls
make sense, because they enhance security. Others are almost always a bad idea.
They may represent cost savings in the short run, but over time they almost
always represent a decrease in security and an increase in vulnerability.
Frederick M. Avolio is
a computer and network security consultant (www.avolio.com). He can be reached
has an opinion on how to make your firewall more secure. Here are 10 sure-fire
ways to make it less secure.
1. Add other
services because users say they "need" them.
There should always
be a clear business requirement for any new Internet service. Learn to
separate "needs" from "wants." Even a seemingly benign
service increases the administration load of a firewall while potentially
adding another avenue of attack.
on the firewall while ignoring other security measures.
Firewalls are not
enough. Some organizations still have a security checklist that has the
word "firewall" next to the word "security"—with a
large checkmark next to it. Firewalls are part of the arsenal, not all
3. Ignore the
When the firewall
was purchased, "good audit trails" was listed as a requirement.
But if those logs are never read, they're practically useless.
4. Turn off
Alarms and warnings
are there for a reason. By disabling them, you're damaging the security
perimeter of your network.
5. Allow users
on the firewall system.
Firewalls should be
as simple as possible. Users add complexity. Every user account is a potential
avenue of attack. Every user is a potential attacker. Every keystroke
of every user has the potential for opening a breach in the firewall through
6. Allow a lot
of people to administer the firewall.
Too many cooks can
spoil the broth. The same goes for firewalls. Every sysadmin is a potential
attacker—and an admin usually can do more damage than a user.
7. Two words:
Every dial-in modem
behind the firewall potentially circumvents the security perimeter. Every
dial-in modem inside the firewall perimeter is a potentially unguarded
entrance to the organization's network.
the firewall security and proper-use policy (i.e., prop the back door
The firewall must
match the security policy. It must help implement the security policy.
Making modifications to the firewall that don't match the security policy
could be disastrous.
9. Ignore the
existing computer and network security policy.
If you have one, use
it. If the firewall doesn't seem to fit in it, then modify the policy.
Then, support the revised policy with the firewall.
10. Don't have
a computer and network security policy.
Okay, so you don't
have one and you need a firewall anyway. Come up with a basic policy,
implement it in the firewall, and then review, modify and expand it as
time goes by. But without a set of rules, how will you ever make security
decisions? Yes, by the seat of your pants, and under the pressure of users
or an attack in progress. Better to do it now and have it before you need
a Firewall Appliance, Anyway?
"appliance" is loosely applied to a whole range of security
products. Here's how to tell one from another.
BY PETE CAFARCHIO
One trend changing
the landscape of the firewall market is the emergence of firewall appliances.
GartnerGroup expects this market segment to comprise about 45 percent
of the total firewall market by 2002. However, the term "appliance"
is loosely applied to a whole range of products, which can lead to confusion.
When most people think
of an appliance, they think of a dedicated device that has software already
loaded on it. However, some software-only vendors also market their products
as appliances. Adding to the confusion is the emergence of other kinds
of network appliances that perform a whole range of functions. Some of
these appliances come with firewalls, some don't—and which is which isn't
To help understand
the emergence of firewall appliances, it's helpful to know something about
basic firewalls. Firewalls are deployed to protect trusted computer networks
from untrusted networks. Typically, this is between a LAN and the Internet
or between two departments within a corporation. They act as security
guards by blocking or passing network traffic using packet filters, application
proxies, stateful inspection or a combination of these technologies. The
first commercial firewalls were expensive boxes designed for large enterprises.
Because they required in-depth knowledge of networking and of
the underlying operating system, these firewalls required highly skilled
personnel to configure and maintain them.
In time, firewalls
became more popular and also more specialized to meet the demands of different
market segments. "Shrink-wrapped firewalls" (easily configured,
often NT-based, software solutions) and firewall appliances emerged with
ease-of-use in mind. There are a wide variety of products in the appliance
category, and "appliance" has become a trendy term with several
shades of meaning.
In general, an appliance
can be defined as a product that comes pre-installed on hardware. In terms
of the firewall product market, appliances can be grouped into three categories,
based on the size of the networks they are meant to serve.
1. Large Enterprises
Computing's Sidewinder; Lucent's Managed Firewall; Cisco System's PIX.
These are what you
typically think of as "classic" firewalls, and although they
have become easier to manage, they need dedicated security personnel to
maintain them. I only mention them here because they ship pre-installed
on a machine, and in some circles they are referred to as appliances.
2. Small to Medium-Sized
Enterprises (50-1,000 Users) and Branch Offices
Interceptor; Watchguard's Firebox, Internet Devices' Ft. Knox Policy Router,
NetScreen's NetScreen-10; Sonic System's SonicWall.
Typically plug 'n
play, these products have fewer configuration options, and don't allow
users to modify the hardened OS. The philosophy behind these appliances
is that fewer choices lead to better security for those with limited skills
(i.e., users can't hurt themselves by unknowingly introducing vulnerabilities).
Today, vendors are offering features that vary greatly from a bare-bones
firewall to products that include VPN capabilities, Web caching, content
filtering, traffic management, virus scanning and even patches and advisories
that are delivered automatically. Some of these products may rely on a
user's ISP to handle services such as DNS, and there's quite a range in
the level of logging detail.
A firewall appliance
of this type can be a very good fit for an organization that has limited
in-house technical expertise. They are less expensive than large enterprise
firewalls, and because they're easier to manage, they should have a lower
total cost of ownership. However, these are dedicated devices, so unlike
a software-only solution, you won't have a PC you can recycle when the
product has outlived its usefulness.
3. Small Office
Home Office (SOHO) (5-50 Users)
IPAD; Freegate's OneGate 150; Whistle Communication's InterJet.
The newest products
to arrive on the scene are designed for small networks. Typically, these
appliances host multiple services on the same machine—such as a firewall,
Web server and e-mail server—and support T1 or slower connections (such
as ISDN). Hence, they are not often sold primarily as firewalls, but as
devices to connect a small enterprise to the Internet that happen to have
a (limited) firewall built in. The customer base for these products doesn't
know security very well, and probably won't anytime soon.
SOHO appliances provide
an inexpensive way to connect a small LAN to the Internet, and some have
decent firewall capabilities. Since these products combine many functions
in one unit, however, buyers should do their homework to determine exactly
how the vendor defines "firewall." Ask them what technology
the firewall employs, and if it has been tested by third parties.
Most security experts
do not recommend hosting any other services on a firewall machine. If
you want to use a SOHO appliance, make sure the machine's other hosting
services can be disabled while still allowing the firewall to function
properly. Another potential drawback is the fact that these products tend
to lack robust security logging and reporting capabilities.
the Right Product
It's easy to get overwhelmed
by the diversity and range of today's firewall appliance
offerings. So, how do you choose the right one for your setup? Start with
your corporate security policy: The right product for you is one that
matches your current and future business and security needs, and fits
the skill sets of your IT personnel.
A properly chosen
firewall appliance can be an effective part of your network security strategy.
As vendors continue to offer more features, users aren't nearly as limited
as they were in the past. In the near future, market forces and customer
demands will bring even more diversity and specialization to this growing
(email@example.com) is the ICSA technology program manager for network
security. Commercial products mentioned as examples in this sidebar are
for discussion purposes only. For a listing of firewall products certified
by ICSA, see www.icsa.net/services/consortia/
Sonic System's SonicWALL PRO.