PERIMETER SECURITY
Firewalls: Are We Asking Too Much?
Allowing a new service through a firewall is easy. Doing it while maintaining the same high level of security isn't.

BY FREDERICK M. AVOLIO

Another magazine cover story on firewalls? Aren't they old news by now? In Internet time, don't they fall into the category of "old, stable technology?"

It's true that Internet firewalls have been around a long time, particularly when measured in Internet years. Firewalls are also the oldest Internet security sub-industry (yes, antivirus software has been around longer, but it started on, and still primarily protects, the desktop).

But that doesn't mean Internet firewalls are stable, old technology. Still necessary for Internet security, firewalls continue to change—to add new features and evolve—as the needs of the Internet community grow and change. Change comes about because of increased use of the Internet as well as new service requirements, each of which comes with its own set of vulnerabilities and threats.

Many of the changes and additions are useful. Some are just responses to market demand. Others may be dangerous. It's possible to add feature upon feature to an Internet firewall, thereby decreasing rather than increasing a network's security. But I'm getting a little ahead of myself, so let's back up and start with some basics.

Early Days: Separating "Us" From "Them"

The original, and still useful, definition of an Internetwork firewall came from Bill Cheswick and Steve Bellovin in their book, Firewalls and Internet Security: Repelling the Wily Hacker (Addison-Wesley, 1994). To paraphrase, Cheswick and Bellovin said that a firewall is a single point between two or more networks (a) through which all

traffic must pass (a chokepoint), (b) with which traffic can be controlled and often authenticated and (c) in which all traffic is logged. The earliest firewalls were network routers; as they segmented LANs, they limited the damage that could spread from one sub-network to another (e.g., due to misconfiguration).

The first security firewalls were also built on routers. Filtering rules on the routers allowed "permit and deny" decisions to be made based on the source, destination and type of IP packet.

As more businesses connected to the Internet, awareness of Internet security issues grew. Incidents such as the Morris Worm, which demonstrated just how vulnerable we really were, spurred this growth. The need for better (read: more granular) security caused some vendors (notably, DEC and AT&T) to develop their own solutions to the need for secure Internet access. Some of these solutions were then made into commercial products. These early firewalls—from DEC, Raptor, ANS and TIS—concentrated on securely providing the basics: Telnet, FTP, e-mail and Usenet news.

Then, everything changed, beginning with the definition of "the basics." To the above list users added Web access, streaming audio and video services, news and weather feeds, audio and video conferencing, voice-over IP and other services. Firewalls were no longer called upon merely to "separate ‘us' from ‘them,'" for arbitrary values of ‘them,'" in the oft-quoted words of Dr. Bellovin.

The Demand for Add-Ons

The evolution of how we use firewalls mirrors the changes in how we use computers. Our use has evolved from mainframes in glass rooms to PCs on our desks to networked computers and Internet access. The requirements have always included "access"—first to computer cycles, then to a computer, then to a network, then to the Internet. Sharing information and communications has always been a requirement as well. But the objects of communications moved from on-site co-workers to co-workers in other cities to business partners to customers and, finally, to prospective customers—indeed, to the whole world.

Responding to this change in requirements, firewall technology has become more complex. It would be nice to say that firewalls started off as simple packet filters, moved toward more security with application gateways, branched off into stateful inspection, and evolved to today's superior "hybrid" firewall. It makes a nice diagram. But unfortunately, it's not true. Today, we can talk of filter-based, proxy-based and hybrid firewalls, from simple appliances all the way to multipurpose servers.

At the same time, firewalls have had new services added to their basic set of duties, as mentioned above. In addition to new network services, firewalls have become the base system for other network and security services.

Authentication. One of the first additions to firewalls was user-level authentication. This made sense, since firewalls were asked to control access through the firewall from the untrusted network, allowing users from home or elsewhere to access information and other assets on the private side of the firewall. Authentication was a reasonable extension to the role of firewall as access control.

Encryption. The next "add-on" was firewall-to-firewall (and then firewall-to-mobile PC) encryption. Virtual private networks (VPNs) provide confidentiality of transmissions (as well as authentication and integrity). While there are stand-alone VPN devices, making the VPN mechanism a part of the firewall is also a reasonable extension. To work well, there has to be close interaction between the devices. While a firewall is primarily an access control device, both firewalls and VPNs are, generally speaking, prevention devices. Close interaction allows VPN access to the entire internal network from the outside (as in office-to-office VPNs), or confidentiality with the firewall enforcing access control (as in connections between a consumer and a supplier).

QoS. Recently, some firewalls have rolled out quality of service (QoS) features as well. QoS allows the owner of the Internetwork gateway to control how much of a particular network connection will be dedicated to (or allowed by) a particular service. For example, you could ensure that incoming Web connections—say, from a customer or supplier—were given priority over inside-out connections. Or, you could make sure that someone downloading a very large file—say, the latest version of Internet Explorer or Communicator—doesn't clog up the Internet gateway, making access miserable for everyone else.

Arguably, QoS is a function that should be handled by the Internet router. On the other hand, it is an access control function, and thus fits on a firewall platform. Moreover, some vendors, notably Check Point, have built their QoS engine using the same technology that's in their firewall. The philosophy here seems to be, access control is access control.

Screening. Content screening is now a part of just about every firewall's architecture. Content screening includes virus scanning, URL (Web site) filtering and screening for key words (typically in inside-to-outside e-mail). Though some have argued that virus scanning on the desktop, even with marginal coverage, is more beneficial than scanning at the gateway, gateway scanning fits nicely into a perimeter defense model. If there weren't such a performance hit, it would be a non-issue.

How Much Is Too Much?

Authentication, VPNs, QoS, content filtering—as if these security-related add-ons weren't enough, lately there's a tendency to add non-security-related functions to the firewall as well. Firewalls now come with built-in Web servers, FTP servers and e-mail systems. Even non-security-related proxies are added to firewalls (e.g., proxy servers for streaming audio and video).

While this sort of all-in-one system has its attractive qualities, we have to keep in mind a fundamental tenet of security: Security and complexity are often inversely proportional. Also, it's usually good practice to separate functions (e.g., Web management from security management). The only practical exception to this advice is in the case of a very small organization, in which the firewall administrator is the Webmaster as well as the sysadmin for all systems. Still, the more the firewall does, the more that can go wrong. The more the services, the larger the log file. The more people logging into the firewall box to administer it, the greater the possibility a mistake will be made.

What's Next?

While I'll leave the market prognostications to the experts (see sidebar), I will venture a few predictions about the next generation of firewall technology. Currently, there are two interesting developments (or modifications) to the firewall model that amount to more than simply adding on another feature or increasing performance.

The first of these is something I will call "adaptive firewalls." As mentioned earlier, hybrid firewalls—those that mix filters, circuit gateways and proxies—have been around since the first commercial firewalls. They are still around today. Since filters are less granular than circuit gateways (which, in turn, are less granular than application gateways), hybrid firewalls do not necessarily increase security, though they often increase functionality. We have to keep in mind that security mechanisms added in parallel with each other do not usually increase security. However, putting security mechanisms in series—one after the other—often does.

Adaptive firewalls tie filters, circuit gateways and proxies together in series. They operate in such a way that the firewall administrator has greater control over the level of security used for different services—or, at different points in the use of those services.

For example, the administrator may decide that the security of an application gateway is required for setting up an FTP connection and processing the commands. During the actual file transfer, however, he may decide that speed is more important, thus dropping down to the granularity of a packet filter. Then, once the file is transferred, he may put the connection back into "high security" mode.

The second development is with what I call "reactive firewalls." In the world of prevention, detection and response systems, firewalls are primarily prevention systems. They do some detection (e.g., connections to unused ports and login attempts) and responding (e.g., logging), but these are not their primary purpose.

In reactive firewalls, intrusion detection and help desk products work in concert to allow the firewall to be more active than passive. With these additions, a firewall can not only police access and services, but also change its security posture (and that of the whole network), issue pages and sound alarms.

Firewalls: More or Less?

As business requirements change and threats and risks from the Internet grow, firewalls can certainly keep up. The question is, can they keep up and stay secure? Allowing a new service through a firewall is easy. Doing so while maintaining the same high level of security is difficult. Adding complexity to a system makes it that much harder to trust.

The pulls for change in firewalls come from many different directions: Internet users behind the firewall have new business requirements; outside crackers have new attacks; the number of targets for attack grows as more and more businesses connect to the Internet; the number of possible avenues of attack increases as we grant access to different kinds of users.

Some additions to firewalls make sense, because they enhance security. Others are almost always a bad idea. They may represent cost savings in the short run, but over time they almost always represent a decrease in security and an increase in vulnerability.

Frederick M. Avolio is a computer and network security consultant (www.avolio.com). He can be reached at fred@avolio.com.

FIREWALL "GOTCHAS"


Everyone has an opinion on how to make your firewall more secure. Here are 10 sure-fire ways to make it less secure.

1. Add other services because users say they "need" them.

There should always be a clear business requirement for any new Internet service. Learn to separate "needs" from "wants." Even a seemingly benign service increases the administration load of a firewall while potentially adding another avenue of attack.

2. Concentrate on the firewall while ignoring other security measures.

Firewalls are not enough. Some organizations still have a security checklist that has the word "firewall" next to the word "security"—with a large checkmark next to it. Firewalls are part of the arsenal, not all of it.

3. Ignore the log files.

When the firewall was purchased, "good audit trails" was listed as a requirement. But if those logs are never read, they're practically useless.

4. Turn off the warnings.

Alarms and warnings are there for a reason. By disabling them, you're damaging the security perimeter of your network.

5. Allow users on the firewall system.

Firewalls should be as simple as possible. Users add complexity. Every user account is a potential avenue of attack. Every user is a potential attacker. Every keystroke of every user has the potential for opening a breach in the firewall through user error.

6. Allow a lot of people to administer the firewall.

Too many cooks can spoil the broth. The same goes for firewalls. Every sysadmin is a potential attacker—and an admin usually can do more damage than a user.

7. Two words: dial-in modems.

Every dial-in modem behind the firewall potentially circumvents the security perimeter. Every dial-in modem inside the firewall perimeter is a potentially unguarded entrance to the organization's network.

8. Circumvent the firewall security and proper-use policy (i.e., prop the back door open).

The firewall must match the security policy. It must help implement the security policy. Making modifications to the firewall that don't match the security policy could be disastrous.

9. Ignore the existing computer and network security policy.

If you have one, use it. If the firewall doesn't seem to fit in it, then modify the policy. Then, support the revised policy with the firewall.

10. Don't have a computer and network security policy.

Okay, so you don't have one and you need a firewall anyway. Come up with a basic policy, implement it in the firewall, and then review, modify and expand it as time goes by. But without a set of rules, how will you ever make security decisions? Yes, by the seat of your pants, and under the pressure of users or an attack in progress. Better to do it now and have it before you need it.

—Fred Avolio

 

SHRINK-WRAPPED FIREWALLS?

What's a Firewall Appliance, Anyway?

The term "appliance" is loosely applied to a whole range of security products. Here's how to tell one from another. BY PETE CAFARCHIO

One trend changing the landscape of the firewall market is the emergence of firewall appliances. GartnerGroup expects this market segment to comprise about 45 percent of the total firewall market by 2002. However, the term "appliance" is loosely applied to a whole range of products, which can lead to confusion.

When most people think of an appliance, they think of a dedicated device that has software already loaded on it. However, some software-only vendors also market their products as appliances. Adding to the confusion is the emergence of other kinds of network appliances that perform a whole range of functions. Some of these appliances come with firewalls, some don't—and which is which isn't always clear.

To help understand the emergence of firewall appliances, it's helpful to know something about basic firewalls. Firewalls are deployed to protect trusted computer networks from untrusted networks. Typically, this is between a LAN and the Internet or between two departments within a corporation. They act as security guards by blocking or passing network traffic using packet filters, application proxies, stateful inspection or a combination of these technologies. The first commercial firewalls were expensive boxes designed for large enterprises. Because they required in-depth knowledge of networking and of the underlying operating system, these firewalls required highly skilled personnel to configure and maintain them.

In time, firewalls became more popular and also more specialized to meet the demands of different market segments. "Shrink-wrapped firewalls" (easily configured, often NT-based, software solutions) and firewall appliances emerged with ease-of-use in mind. There are a wide variety of products in the appliance category, and "appliance" has become a trendy term with several shades of meaning.

In general, an appliance can be defined as a product that comes pre-installed on hardware. In terms of the firewall product market, appliances can be grouped into three categories, based on the size of the networks they are meant to serve.

1. Large Enterprises (1,000+ Users)

Examples: Secure Computing's Sidewinder; Lucent's Managed Firewall; Cisco System's PIX.

These are what you typically think of as "classic" firewalls, and although they have become easier to manage, they need dedicated security personnel to maintain them. I only mention them here because they ship pre-installed on a machine, and in some circles they are referred to as appliances.

2. Small to Medium-Sized Enterprises (50-1,000 Users) and Branch Offices

Examples: Technologic's Interceptor; Watchguard's Firebox, Internet Devices' Ft. Knox Policy Router, NetScreen's NetScreen-10; Sonic System's SonicWall.

Typically plug 'n play, these products have fewer configuration options, and don't allow users to modify the hardened OS. The philosophy behind these appliances is that fewer choices lead to better security for those with limited skills (i.e., users can't hurt themselves by unknowingly introducing vulnerabilities). Today, vendors are offering features that vary greatly from a bare-bones firewall to products that include VPN capabilities, Web caching, content filtering, traffic management, virus scanning and even patches and advisories that are delivered automatically. Some of these products may rely on a user's ISP to handle services such as DNS, and there's quite a range in the level of logging detail.

A firewall appliance of this type can be a very good fit for an organization that has limited in-house technical expertise. They are less expensive than large enterprise firewalls, and because they're easier to manage, they should have a lower total cost of ownership. However, these are dedicated devices, so unlike a software-only solution, you won't have a PC you can recycle when the product has outlived its usefulness.

3. Small Office Home Office (SOHO) (5-50 Users)

Examples: eSoft's IPAD; Freegate's OneGate 150; Whistle Communication's InterJet.

The newest products to arrive on the scene are designed for small networks. Typically, these appliances host multiple services on the same machine—such as a firewall, Web server and e-mail server—and support T1 or slower connections (such as ISDN). Hence, they are not often sold primarily as firewalls, but as devices to connect a small enterprise to the Internet that happen to have a (limited) firewall built in. The customer base for these products doesn't know security very well, and probably won't anytime soon.

SOHO appliances provide an inexpensive way to connect a small LAN to the Internet, and some have decent firewall capabilities. Since these products combine many functions in one unit, however, buyers should do their homework to determine exactly how the vendor defines "firewall." Ask them what technology the firewall employs, and if it has been tested by third parties.

Most security experts do not recommend hosting any other services on a firewall machine. If you want to use a SOHO appliance, make sure the machine's other hosting services can be disabled while still allowing the firewall to function properly. Another potential drawback is the fact that these products tend to lack robust security logging and reporting capabilities.

Choosing the Right Product

It's easy to get overwhelmed by the diversity and range of today's firewall appliance offerings. So, how do you choose the right one for your setup? Start with your corporate security policy: The right product for you is one that matches your current and future business and security needs, and fits the skill sets of your IT personnel.

A properly chosen firewall appliance can be an effective part of your network security strategy. As vendors continue to offer more features, users aren't nearly as limited as they were in the past. In the near future, market forces and customer demands will bring even more diversity and specialization to this growing space.

Pete Cafarchio (pcafarchio@icsa.net) is the ICSA technology program manager for network security. Commercial products mentioned as examples in this sidebar are for discussion purposes only. For a listing of firewall products certified by ICSA, see www.icsa.net/services/consortia/ firewalls/certified_products.shtml.

Sonic System's SonicWALL PRO.