A Toolkit and Methods for Internet Firewalls
Marcus J. Ranum
Frederick M. Avolio
Trusted Information Systems, Inc.
June 1994
Abstract
As the number of businesses and government agencies connecting to the Internet
continues to increase, the demand for Internet firewalls — points of security
guarding a private network from intrusion — has created a demand for reliable
tools from which to build them. We present the TIS Internet Firewall Toolkit,
which consists of software modules and configuration guidelines developed in
the course of a broader ARPA-sponsored project. Components of the toolkit,
while designed to work together, can be used in isolation or can be combined
with other firewall components. The Firewall Toolkit software runs on
UNIX ® systems using TCP/IP with the Berkeley socket interface. We
describe the Firewall Toolkit and the reasoning behind some of its design
decisions, discuss some of the ways in which it may be configured, and conclude
with some observations as to how it has served in practice.
Overview
Computer networks by their very nature are designed to allow the flow of
information. Network technology is such that, today, you can sit at a
workstation in Maryland, and have a process connected to a system in London,
with files mounted from a system in California, and be able to do your work
just as if all of the systems were in the same room as your computer. Impeding
the free flow of data is contrary to the basic functionality of the network,
but the free flow of information is contrary to the rules by which companies
and governments need to conduct business. Proprietary information and sensitive
data must be kept insulated from unauthorized access yet security must have a
minimal impact on the overall usability of the network.
The purpose of an Internet firewall is to provide a point of defense and a
controlled and audited access to services, both from within and without an
organization’s private network. This requires a mechanism for selectively
permitting or blocking traffic between the Internet and the network being
protected. Routers can control traffic at
an IP level, by selectively permitting or denying traffic based on
source/destination address or port. Hosts can control traffic at an application
level, forcing traffic to move out of the protocol layer for more detailed
examination. To implement a firewall that relies on routing and screening, one
must permit at least a degree of direct IP-level traffic between the Internet
and the protected network. Application level firewalls do not have this
requirement, but are less flexible since they require development of
specialized application forwarders known as “proxies.” This design decision
sets the general stance of the firewall, favoring either a higher degree of
service or a higher degree of isolation. [1]
A proxy for a network protocol is an application that runs on a firewall host
and connects specific service requests across the firewall, acting as a
gateway. Figure 1 represents a minimal TELNET service proxy, in which the proxy
forwards user’s keystrokes to a remote system, and maintains audit records of
connections. Proxies can give the illusion to the software on both sides of a
direct point-to-point connection. Since many proxies interpret the protocol
that they manage, additional access control and audit may be performed as
desired. As an example, the FTP proxy can block FTP export of files while
permitting import of files, representing a granularity of control that
router-based firewalls cannot presently achieve. Router-based firewalls can
provide higher throughput, since they operate at a protocol level, rather than
an application level, but practical experience running firewalls on modern RISC
processors shows that with a T-1 connection, the bottleneck tends to remain the
T-1 link rather than the firewall itself.
Figure 1: An Application Proxy
Proxies exist for a wide variety of services, such as X, FTP, TELNET, etc.
Perhaps the most significant security benefit of employing proxies is that they
provide a convenient opportunity to require authentication. For example, when
connecting into a protected network from the Internet, one must typically first
connect to the proxy, authenticate to it, and then complete a connection to a
host within the protected network. The proxy protects the firewall host itself,
by eliminating the need for the user to log into the firewall itself, and it
protects the network by permitting only authenticated users to gain access from
the outside. While hosts on the private network may still be rife with security
holes, restricting the incoming traffic to authenticated users only is a good
step in the right direction.
Other services, such as Internet (SMTP) mail and USENET news, act as
store-and-forwarders already, and fit in with the proxy approach to firewalls.
These service daemons sometimes run with system privileges and may contain bugs
that an attacker can exploit. Many existing firewalls rely on approximate
assessment of privileged systems software for their trustworthiness. This is
sufficient if there are “well known working versions” of common programs such
as the FTP server, ftpd. In some cases, however, the server can itself
compromise security. A recent version of the WUArchive ftpd[2]
contained a bug that permitted anyone on the Internet to gain super-user access
to systems on which it was running. In our design, we attempt to sidestep the
issue by providing proxies that can run locked into a specific subdirectory by
means of “chroot” — a UNIX system call that permanently restricts the working
filesystem of a process. Proxies are also designed to run without special
system privileges, to further reduce the chance that they might be able to
damage the system. Ideally it should be impossible for an outside user to ever
interact with a privileged process. Practically speaking, the Internet service
master daemon inetd, which is responsible for starting other service
daemons, needs to run with privileges, but outside users cannot interact
directly with it. There is a possibility that the kernel may have trapdoors or
hidden network services built into it, but it is impractical to attempt to
obtain and examine kernel sources for such flaws. Instead, make every effort to
remove unnecessary kernel services at system build time.
Design Philosophy
The TIS Firewall Toolkit (hereafter referred to as “the toolkit”) is designed
to be informally verified for correctness as a whole or at a component level.
Since the firewall consists of discrete components, each providing a single
service, each may be examined separately from the rest of the system.
Components of the toolkit are as simple as possible in their implementation,
and are distributed in source code form to encourage peer review. This appears
to be a fairly novel approach for a network firewall, as many existing firewall
systems rely on software that is “known to be good” or that is considered
trustworthy because it has been used extensively for a long time.
One problem with the “known to be good” approach is that historically it hasn’t
been very reliable. Certain software components are frequently exploited in
break-ins, no matter how carefully they are maintained. Problem programs are
usually complex pieces of software, implemented in tens of thousands of lines
of code, which require system privileges in order to operate. As a step
towards addressing this, the firewall toolkit operates in accordance with the
following general firewall design principles:
Even if there is a bug in the implementation of a network service, it should
not be able to compromise the system. Services that are misconfigured should
not work at all, rather than opening holes.
Hosts on the untrusted network should not be able to connect directly to
network services that are running with privileges.
Network services are implemented with a minimum of features and complexity.
The source code is simple enough to be reviewed thoroughly and quickly.
There should be reasonable and pragmatic means of testing that the system is
correctly installed.
The toolkit is designed to be used with a host-based security policy, but its
components can be used with router-based firewalls. In this paper, we will
focus on the former. In a host-based firewall, the security of the host is
crucial; once it is compromised the entire network is open to attack. Still, we
believe that a host-based firewall is superior to other solutions because of
the ease with which it can be maintained, configured, customized and audited.
When the toolkit is used with router-based firewalls, it is assumed that the
toolkit software is running on a secure host that is permitted some degree of
access between the protected network and the Internet, by means of routers.
This leaves the option of configuring the routers to provide additional avenues
between the protected network and the Internet for whatever reason; such
additional avenues are outside the scope of the toolkit and should be provided
only after careful security analysis.
The toolkit may be used in conjunction with router-based screening as extra
security. To minimize risks, the services that are provided on the external
machine, which we will refer to as a “bastion host”, following the terminology
proposed by Ranum[3]. are sharply curtailed and each service is subjected to
review. On the “standard” firewall configuration, the only services supported
are SMTP, FTP, NNTP, and TELNET. Other proxies such as Digital Equipment
Corporation’s X Window System proxy [4] can be added to this architecture.
SMTP service is supported through a non-privileged front end that runs locked
in a “safe directory” via chroot. FTP is supported via a proxy that runs
without requiring special privileges. NNTP is supported via a “tunnel” server
that permits traffic between a host on the inside and its news server on the
outside. TELNET service is via a proxy that runs unprivileged. Since all other
services on the system are disabled selectively, it is only these four services
that must be analyzed for risk. By analyzing of the security of each service
in isolation, we are able to gain a degree of trust in the system beyond merely
being able to state “Well, we don’t think there are any bugs.” With all
the services running unprivileged we can make a stronger statement, to wit,
“The security of an individual service is irrelevant to the overall security,
as the server is running in a captive mode.”
Configuration and Components
Figure 2 represents the toolkit installed in an environment that combines
routers and a firewall bastion host. The implementation of the security
controls is shared (in this example) between the routers and the firewall: the
routers are responsible for controlling network-level access, and the bastion
host provides application-level control. A simpler firewall configuration would
consist of a dual-homed gateway, in which a workstation with two network
interfaces is connected to both networks, and has IP forwarding disabled. Dual
homed gateways are less flexible than firewalls that combine routers and hosts,
since the option to route services at a network level is generally not
available. On the other hand, with a
dual-homed gateway, the administrator can have a higher degree of confidence
that no network traffic will be able to somehow “leak” through a router, since
routers are no longer an integral part of the security system.
Figure 2: A Screened Host Firewall
The toolkit is designed to build a host-based firewall, with
security being enforced by a single bastion host. For ease of management, all
the proxies and access control tools use a single configuration file with a
regular syntax. We thought this was useful due to the generally complex
configuration of various publicly available firewall tools, of which no two are
configured in the same way. The configuration rules are designed to provide
both configuration and service and access permissions information, being read
top-to-bottom and left-to-right. Hostnames or IP addresses including simple
wildcards can be used in configuration rules, but IP addresses are preferred
since DNS addresses are vulnerable to spoofing.
# Example ftp gateway rules:
# ————————–
ftp-gw: authserver 127.0.0.1 7777
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: permit-hosts 192.33.112.100
ftp-gw: deny-hosts 128.52.46.*
ftp-gw: permit-hosts 192.33.112.* -log { retr stor } -auth { stor }
ftp-gw: permit-hosts * -authall
The firewall toolkit functionality can be broken down into six areas: logging,
electronic mail, the Domain Name Service, FTP, TELNET, and TCP access control.
Logging
Significant security events and audit records are logged to a protected host on
the internal network via the syslog facility. The version of syslogd
that the toolkit uses is based on the BSD “net2” sources, with some
modifications to support pattern-matching and program execution on matched
patterns. Many systems administrators have batch processes set up on their
systems to alert them of possible security problems by searching the system
logs at regular intervals. By permitting the system manager to add regular
expressions to the syslogd configuration, security-related log messages can be
identified instantly. Syslogd contains further modifications that permit
an arbitrary command to be invoked with any specified logging rule, so that,
for example, vitally important security log events can be delivered to the
system manager’s beeper or delivered by electronic mail. Adding command
execution to syslogd implies that the syslogd configuration file
must be protected against unauthorized modification.
Electronic Mail
Mailers are one of the favorite points of attack against UNIX systems. The
Morris Internet worm exploited a well-known hole in the standard UNIX SMTP
server, sendmail. Many systems running sendmail, including those
with Internet firewalls, were penetrated by the worm. A few that had replaced
sendmail with other SMTP servers were not. Since that time, a variety
of other security holes have been identified in sendmail and fixed in
more recent releases.
The problem with mailers is twofold: they are complex and perform file system
activity, and they require privileges so that they can manipulate mailboxes or
execute mail processing programs on the behalf of users. To help secure mail
service, direct network access to sendmail is prevented. A simple program that
implements a skeleton of the SMTP protocol is presented on the SMTP port on the
mail server. This SMTP proxy, called smap, is small enough to be
subjected to a code review for correctness (unlike sendmail) and simply
accepts all incoming messages and writes them to disk in a spool area. Rather
than running with permissions, the proxy runs with a restricted set of
permissions and runs “chrooted” to the spool area. A second process is
responsible for scanning the spool area and delivering the mail messages to the
real sendmail for delivery — a mode of operation in which
sendmail can operate with reduced permission. Many Internet firewalls
run sendmail and rely on “trustworthy” versions of the software; running
the mail software in a reduced-permissions mode is a more general solution to
the problem, side-stepping the issue of whether or not a given version of
sendmail contains bugs.
While smap answers all valid SMTP commands sent to it, it does not
execute any of them except those directly involved with mail exchange: HELO,
FROM, RCPT, DATA, and QUIT. Other commands, such as VRFY and EXPN return a
polite error message. Smap preserves sendmail’s functionality,
while preventing an arbitrary user on the network from communicating directly
with it. Analyzing sendmail’s 20,000 lines of source code for bugs is a
sizable task when compared to analyzing smap’s 700 lines. Smap is
not a panacea, however, as firewalls remain vulnerable to data-driven attacks
in which messages may be mailed to hosts on the private network, possibly
triggering security holes in internal mailers. Since many of these attacks have
a distinctive signature, smap or the firewall’s mailer can be configured
to attempt to identify these letter-bombs, but the security administrator is
forced into the unfortunate position of an arms-race in which a reactive role
must be taken as new attacks are invented. To reduce the risk of attacks that
exploit mailing through programs, the mailer on the firewall itself is
configured so that program execution is disabled. Disabling program execution
is often an unacceptable solution on a multi-user system, but since the
firewall is not a general use host, we prefer to reduce the risk of someone
being able to execute arbitrary commands from afar.
Domain Name Service (DNS)
The name service software available for UNIX implements an in-memory read-only
database. As such, it cannot be used to gain unauthorized access to a system.
Some past attacks on firewalls have used name service spoofing as a technique
for impersonating trusted network hosts. In order to remove the threat of name
service spoofing, the firewall does not rely on name service for any security
related information. The name server software is necessary for high performance
large-scale mail systems and is configured so that the only application that
relies on name service for addressing is the electronic mail system. DNS names
are also used in audit records, but are always presented along with host
network addresses; mismatches are flagged as possible spoofing attempts.
FTP
The FTP application gateway is a single process that mediates FTP connections
between two networks. Since it performs no disk access other than reading its
configuration file and is a small and relatively uncomplicated program, it can
be argued that it is not capable of compromising the security of the system.
Just to be certain, the application gateway runs as a non-privileged user,
after “chrooting” itself to a private directory on the system. To control FTP
access, the application gateway reads a configuration file, containing a list
of FTP commands that should be logged, and a description of what systems are
allowed to engage in FTP traffic. All traffic can be logged and summarized.
Optionally, the gateway can permit FTP traffic from the Internet to the campus
network for users who first authenticate themselves to the system.
TELNET
The TELNET application gateway is a small, simple application that mediates
TELNET traffic. As with the FTP application gateway, the only file accessed is
the configuration file that is read at start-up. Immediately after the
configuration file is read, the TELNET application gateway is “chrooted” to a
restricted directory, where it runs as a non-privileged process. The TELNET
gateway’s configuration file allows specification of which systems or networks
can use it, and what systems or networks it will permit connection to.
Initially, it will be configured to permit campus systems to use the gateway to
connect to Internet systems, but not vice-versa. Optionally, the TELNET gateway
can require authentication before permitting use. All connections and their
durations are logged.
UDP-Based Services
Since we decided that no direct traffic would be permitted between an outside
system and an inside system, and since UDP is connectionless and point-to-point
(and so cannot be used through network proxies), UDP services are not allowed.
Many UDP-based services such as NTP and DNS can be provided transparently
through a firewall by configuring the servers to act as forwarders for queries
originating within the protected network.
TCP Access and Use
On BSD-based UNIX systems, most network processes are started up by an initial
connection to a general-purpose network listener inetd, which
establishes a connection between the incoming request and the program to
service the request. For example, an incoming request for the TELNET service
is “heard” by the running network listener. The program, according to
inetd’s configuration file and the entry for TELNET, is executed and
connected to the incoming request.
Inetd, the Internet services daemon, performs no function other than to
invoke specified processes to manage network services when a system attempts to
connect to them. Some vendor implementations permit a systems administrator to
specify the user-id that the service should be invoked as, but there is no
provision for limiting access based on the source of the request. A variety of
implementations of “wrapper” processes are available on the Internet with
varying functionality[5].
The toolkit uses a “wrapper” process called netacl, which provides
support for all TCP-based services. (If only TCP-based services are supported,
UDP services are disabled and are no longer a threat worth worrying about.)
Netacl has no great advantages over other versions of TCP wrappers,
other than its minimal size (240 lines of code, including a large copyright
header and comments), its lack of support for UDP (purposely), and its sharing
a common configuration mechanism with the other tools in the toolkit.
TCP Plug-Board Connection Server
Certain services such as Usenet news are often provided through a firewall. In
such a situation, the administrator has the choice of either running the
service on the firewall machine itself or installing a proxy server. Since
running news on the firewall itself might expose the system to any bugs in the
news software, it is safer to use a proxy to gateway the service onto a “safe”
system on the campus network. Plug-gw is a general purpose proxy that
“plugs” two services together transparently. Its primary use is for supporting
Usenet news, but it can be employed as a general-purpose proxy if desired.
Plug-gw is configurable, as are the other proxy servers. Since it only
acts as a data pipe, it performs no local disk I/O and invokes no subshells or
processes. Like the other proxy servers, it logs all connections.
Plug-boarding TCP connections through one’s firewall should be undertaken with
a degree of caution, since plug-gw uses no authentication other than the host
address of the client, and does no examination of the traffic passing across
it. In the case of NNTP, for example, a security flaw in the NNTP server on the
internal host could still be exploited. The firewall will make it much harder
for an attacker to gain access to the internal system to further exploit the
hole; if the flawed NNTP server were running on the firewall bastion host
itself, the entire firewall might be vulnerable. Alternate approaches, such as
engineering the news server to run “chrooted” are potential areas for future
research. From a standpoint of systems administration, we have found that news
administration is simplified by running it a readily accessible internal
server.
User Authentication
The network authentication server authsrv provides a generic
authentication service for toolkit proxies. Its use is optional, required only
if the firewall FTP and TELNET proxies are configured to require
authentication. Authsrv acts as a piece of “middleware” that integrates
multiple forms of authentication, permitting an administrator to associate a
preferred form of authentication with an individual user. This permits
organizations that already provide users with authentication tokens to enable
the same token for authenticating users to the firewall. A secondary goal of
authsrv was to provide a simple programming interface for authentication
service, since commercial authentication systems tend to have unique,
nonstandard, interfaces. Several forms of challenge/response cards are
supported, along with software-based one-time password systems, and plaintext
passwords. Use of plaintext passwords over the internet is strongly
discouraged, due to the threat of password sniffing attackers.
A simple administrative shell is included that permits the authentication
database to be manipulated over a network, with optional support for encryption
of authentication transactions. The authsrv database supports a basic
form of group management; one or more users can be identified as the
administrator of a group of users, and can add, delete, enable, or disable
users within that group. Authsrv internally maintains information about
the last time a user authenticated to the server and how many failed attempts
have been made. It can automatically disable or time-lock accounts that have
multiple failures. Extensive logs are maintained of all authsrv transactions.
Authsrv is intended to run on a secured host, such as the bastion host
itself, since its database must be protected from attack.
Testing Firewalls
Throughout the design of the toolkit, we tried to design each component so that
it relied wherever possible on protections in the UNIX environment, rather than
on elaborate code designed to check and deter threats. While the toolkit
software doesn’t include a test suite, it is designed to be easy to verify that
each component operates as it is intended. As an example, the SMTP proxy smap
runs “chrooted” to a subdirectory as an unprivileged process. It stands to
reason that if the proxy performs this operation properly, all files will be
created in the proper directory, with the proper user permissions. If the
administrator verifies that this is indeed the case, he can rely on the
security of the operating system’s support for “chroot” and user file
permissions. By examining the assumptions of each service proxy, a degree of
assurance that the firewall is well protected can be gained. This does not
address the problem of possible bugs or protocol errors in the proxy
implementations that might still permit a service to pass through the firewall.
To attempt to address this, every effort is made to keep the implementation of
the proxies, especially the parts that deal with access control, as simple as
possible.
Firewall administration requires a seasoned UNIX systems manager. While the
toolkit is fairly easy to install, it assumes an amount of expertise on the
part of the administrator, since he must know how to interpret error
conditions, configure the system, and disable potentially threatening services.
While it is a temptation to make the toolkit software self-installing and
self-configuring, doing so raises the possibility that someone might install it
who lacks the basic skills necessary to know if they have in fact secured their
network. Packaging the toolkit as a set of components that can be used freely
has proven effective, since it fills a need on the part of those experienced
system managers who would have had to design, write, debug, and test their own
implementations if ours were not available.
Future Directions
In the future we will focus on the problem of adding newer interactive
information retrieval services such as Gopher, WAIS and World Wide Web and
broadcast services such as MBONE. Possible avenues for future research include
integrating cryptography with the firewall software to permit
firewall-to-firewall service and firewall-to-firewall authentication, possibly
using kerberos protocols. Support for IP-on-demand services like PPP pose a
problem for firewalls: is the dial-up user to be treated as an untrusted
Internet host or as a part of the protected network? Adding support for
authenticated and encrypted PPP service on the firewall itself is being
examined.
Observations
In practice, we find that running servers without special system privileges
increases our assurance that the firewall is secure. More importantly, the
methodology of turning off all services but a minimum, and then auditing each
one on a case-by-case basis further increases confidence that the system is
harder to break into. The basic design decisions in setting up a firewall (to
route or not to route, to rely on the host or the router) remain unchanged, but
the toolkit will work with either model.
Firewalls are a stop-gap measure that is needed because many services are
developed that operate either with poor security or no security at all. Perhaps
the most important lesson we can learn from firewalls is the need for strong
session-level authentication in applications and well-designed application
protocols.
Availability
The TIS Internet Firewall Toolkit is available in source form via anonymous FTP
from ftp.tis.com: /pub/firewall/toolkit/fwtk.tar.Z. Information is available
from the authors at fwall-support@tis.com. Send mail to
fwall-users-request@tis.com to be added to the firewall toolkit user’s
mailing list. Future enhancements to the toolkit will be announced on
fwall-users and other relevant mailing lists.
Acknowledgements
This work was done, in part, under a contract from the U. S. Department of
Defense, Advanced Research Projects Agency (ARPA), number DABT 63-92-C-0020. [6]
References
[1] Marcus J. Ranum, “Thinking About Firewalls,” Proceedings of Second
International Conference on Systems and Network Security and Management
(SANS-II), April, 1993
[2] Washington University Saint Louis, FTP server daemon. Available for FTP
from wuarchive.wustl.edu
[3] Marcus J. Ranum — “An Internet Firewall,” Proceedings of First
International Conference on Systems and Network Security and Management
(SANS-I), Nov, 1992
[4] G. Winfield Treese and Alec Wolman, “X Through the Firewall, and Other
Application Relays,” Proceedings of USENIX Summer Conference, 1993. Also
available as Cambridge Research Lab Technical Report 93/10, Digital Equipment
Corporation, May 3, 1993.
[5] Wietse Venema, “TCP WRAPPER, network monitoring, access control, and booby
traps,” UNIX Security Symposium III Proceedings (Baltimore), September 1992
[6] Frederick M. Avolio and Marcus J. Ranum, “A Network Perimeter With Secure
External Access,” Internet Society Symposium on Network and Distributed Systems
Security, February 1994.
William Cheswick, “The Design Of a Secure Internet Gateway,” Proceedings of the
3rd USENIX Security Symposium, September 1992.
Stephen M. Bellovin and William Cheswick, “Firewalls and Internet Security:
Repelling the Wily Hacker,” Addison-Wesley, Spring 1994
About the Authors
Frederick M. Avolio is a principal analyst with Trusted Information
Systems, Incorporated, and active in network security consulting and product
development. He has lectured on the subject of Internet gateways and firewalls
and electronic mail configuration and has performed consulting services in
these areas, both for government and in the private sector. He has worked in
the UNIX and TCP/IP communities since 1979.
Mr. Avolio has an undergraduate degree in Computer Science from the University
of Dayton and a Master of Science from Indiana University.
Marcus Ranum is a senior scientist at Trusted Information Systems. He is
the chief architect of the firewall toolkit and spends most of his time on
Internet security issues.
UNIX is a registered trademark of X/Open Company, Ltd.