Chapter 3: Proxy Servers and Firewalls


In this chapter, we address proxy servers and firewalls as well as their implications for the WWW and Web-based applications. After a brief introduction in Section 3.1, we address the major firewall technologies (i.e., static packet filtering, dynamic packet filtering or "stateful inspection," circuit-level gateways, and application-level gateways or proxy servers) in Sections 3.2 to 3.5. In Section 3.6, we overview and discuss firewall configurations that are used and widely deployed today. In Section 3.7, we address network address translation (NAT). In Section 3.8, we elaborate on the question of how to properly configure a browser to make use of proxy servers. In Section 3.9, we conclude with a discussion of the firewall technology as a whole. Note that the focus of this chapter is on how to get out of a corporate intranet (i.e., how to traverse a firewall from the inside). This is the usual situation one faces when dealing with firewalls. For mobile users and teleworkers, however, the situation is inverse and their primary focus is on how to get into a corporate intranet (e.g., to access an internal Web server). This leads to reverse proxies and the need for strong authentication mechanisms. These topics are further addressed in Chapter 6. Also, you may refer to part two of [1] for an overview and more comprehensive discussion of the firewall technology.

3.1    Introduction

While Internet connectivity offers enormous benefits in terms of increased availability and access to information, Internet connectivity is not always a good thing, especially for sites with low levels of security. In fact, the Internet suffers from glaring security problems that, if ignored, could have disastrous impacts for unprepared sites. Inherent problems with the TCP/IP protocols and services, the complexity of host and site configuration, vulnerabilities introduced in the software development process, and a variety of other factors all contribute to making unprepared sites open for intruder activities.

Host security is generally hard to achieve and does not scale well in the sense that as the number of hosts increases, the ability to ensure that security is at a high level for each host usually decreases. Given the fact that secure management of just one single system can be a demanding task, managing many such systems could easily result in mistakes and omissions. A contributing factor is that the role of system administration is often undervalued and performed in a difficult situation. As a result of this situation, some systems will be less secure than others, and these systems will probably be the ones that ultimately break the security of either a site or an entire corporate intranet. This book does not address host and site security. There is an informational RFC document specifying a site security handbook [2]. You may refer to this document for a comprehensive overview of issues related to host and site security.

In days of old, brick walls were built between buildings in apartment complexes so that if a fire broke out, it would not spread from one building to another. Quite naturally, these walls were called firewalls.

Today, when a private network (i.e., an intranet) is connected to a public network (i.e., the Internet), its users are usually enabled to communicate with the outside world. At the same time, however, the outside world can also interact with the private network and its computer systems. In this situation, an intermediate system can be plugged between the private network and the public network to establish a controlled link, and to erect a security wall or perimeter. The aim of the intermediate system is to protect the private network from attacks that may originate from the outside world, and to provide a single choke point where security and audit can be imposed. Note that all traffic in and out of the private network can be forced to pass through this single, narrow choke point. Also note that this point provides a good place to collect information about system and network use and misuse. As a single point of access, the intermediate system can record what occurs between the private network and the outside world. In analogy to physical firewalls, these intermediate systems are called firewall systems, or firewalls for short. In other literature, Internet firewalls are sometimes also referred to as secure Internet gateways or security gateways. In essence, a firewall system represents a blockade between a privately owned and protected network, which is assumed to be secure and trustworthy, and another network, typically a public network or the Internet, which is assumed to be insecure and untrustworthy. The purpose of the firewall is to prevent unwanted and unauthorized communications into or out of the protected network.

There are several possibilities to more formally define the term firewall. For example, according to [3], a firewall refers to "an internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be 'inside' the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be 'outside' the firewall)." This definition is fairly broad and not too precise.

In their pioneering book [4] and article [5] on firewalls and Internet security, William Cheswick and Steven Bellovin defined a firewall (system) as a collection of components placed between two networks that collectively have the following three properties:

  1. All traffic from inside to outside, and vice versa, must pass through the firewall.

  2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.

  3. The firewall itself is immune to penetration.

Note that these properties are design goals. A failure in one aspect does not necessarily mean that the collection is not a firewall, simply that it is not a good one. Consequently, there are different grades of security that a firewall can achieve. In either case, there must be a security policy for the firewall to enforce.

If one wants to exclude simple packet filters from being called firewalls, one has to come up with an even more demanding definition for the term firewall. In this case, a system can be called a firewall if it is able:

  • To enforce strong authentication for users who wish to establish inbound or outbound [1] connections;

  • To associate data streams that are allowed to pass through the firewall with previously authenticated and authorized users.

Again, it is a policy decision if a data stream is allowed to pass through. Thus, this definition also leads to the necessity of an explicitly specified firewall policy, similar to the definition of Cheswick and Bellovin.

In this book, we make a clear distinction between packet filters (i.e., static or dynamic packet filters) and application gateways (i.e., circuit-level gateways or application-level gateways). It is interesting to note at this point that the last definition of a firewall requires the use of application gateways. Because application gateways operate at the higher layers of the OSI reference model, they typically have access to more information than packet-filtering devices and can therefore be programmed to operate more intelligently and to be more secure. Some vendors, perhaps for marketing reasons, blur the distinction between a packet filter and a firewall to the extent that they call any packet filtering device a firewall. This practice must be considered with care.

From a practical point of view, a firewall refers to a collection of hardware, software, and policy that is placed between a private network, typically a corporate intranet, and an external network, typically the Internet. As such, the firewall implements parts of a network security policy by enforcing that all data traffic is directed or routed to the firewall, where it can be examined and evaluated accordingly. A firewall seeks to prevent unwanted [2] and unauthorized communications into or out of a corporate intranet, and to allow an organization to enforce a policy on traffic flowing between the intranet and the Internet. Typically, a firewall also requires its users to authenticate themselves before any further action is taken. The last definition given above has made this requirement mandatory. In this case, strong authentication mechanisms are used to replace password-based or address-based authentication schemes.

The general reasoning behind firewall usage is that without a firewall, a site is more exposed to inherently insecure host operating systems, TCP/IP protocols and services, and probes and attacks from the Internet. In a firewall-less environment, network security is a function of each host, and all hosts must, in a sense, cooperate to achieve a uniformly high level of security. The larger the network, the less manageable it usually is to maintain all hosts at the same level of security. As mistakes and lapses in security become more common, break-ins can occur not only as a result of complex attacks, but also because of simple errors in configuration files and inadequately chosen passwords. Assuming that software is buggy, one can conclude that most host systems have security holes that can eventually be exploited by intruders. Firewalls are designed to run less software, and hence may potentially have fewer bugs, vulnerabilities, and security holes than conventional hosts. In addition, firewalls generally have advanced logging and monitoring facilities and can be professionally administered. With firewall usage, only a few hosts [3] are exposed to attacks from the Internet, which considerably simplifies the task of securing the intranet environment.

Later in this chapter, we will discuss the advantages and disadvantages of the firewall technology as a whole. Probably one of the main disadvantages is due to the fact that a firewall cannot protect sites and corporate intranets against insider attacks. For that matter, internal firewalls may be used to control access between different administration and security domains, or to protect sensitive parts of a corporate intranet. Internal firewalls are sometimes also called intranet firewalls. From a technical point of view, there is nothing that distinguishes an intranet firewall from an Internet firewall except for the policy it enforces.

More recently, the notion of decentralized or personal firewalls has become popular. A personal firewall protects a single system (e.g., a personal computer or laptop system) from network-based attacks. As such, personal firewalls are most often simple packet filters that can be configured by each user individually. Similar to intranet firewalls, personal firewalls work like "normal" firewalls and are not discussed separately in this book.

There are many books available that address firewall technologies (e.g., [1]). As a matter of fact, most books that have addressed Internet and intranet security in the past are actually books on firewalls [4, 6, 7], or put the main emphasis on firewalls [8]. There are also many research papers and reports that address specific topics related to firewalls. You may refer to the proceedings of any conference or workshop related to network security. As part of the Centre for Education and Research on Information Assurance and Security (CERIAS) at Purdue University, many resources related to Internet firewalls are available. In addition, there is the Firewalls Mailing List that is archived at several sites [4]. Finally, a more or less comprehensive list of firewall products is available at http://www.thegild.com/firewall.

[1] In this book, the terms inbound and outbound are used to refer to connections or IP packets from the point of view of the protected network, which is typically the intranet. Consequently, an outbound connection is a connection initiated from a client on an internal machine to a server on an external machine. Note that while the connection as a whole is outbound, it includes both outbound IP packets (those from the internal client to the external server) and inbound IP packets (those from the external server to the internal client). Similarly, an inbound connection is a connection initiated from a client on an external machine to a server on an internal machine. Following this terminology, the inbound interface for an IP packet refers to the physical network interface on a screening router on which the packet actually appeared, while the outbound interface refers to the physical network interface on which the packet will go out if it is not denied by the application of a specific packet-filtering rule.

[2] The formalization of what "unwanted communications" refers to is generally a difficult task.

[3] Namely, the hosts that are part of the firewall.

[4] E.g., http://lists.gnac.net/firewalls.
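The inbound/outbound terminology of footnote [1] is easy to get wrong in practice: an outbound connection contains inbound IP packets, and a filter that judges each packet in isolation cannot tell a reply to an internal client from an unsolicited probe. The following example is added here and is not code from the book. It models a screening router with a constructed internal interface "int" and external interface "ext", a constructed intranet prefix 10.0.0.0/8, and a policy that permits connections initiated from inside and denies those initiated from outside; the packet addresses and ports are likewise constructed.

```python
"""Inbound/outbound terminology (footnote [1]) as a small stateful filter.

Added example, not code from the book. It models a screening router with an
internal interface 'int' (toward the intranet) and an external interface
'ext' (toward the Internet). Connections initiated from inside are permitted;
connections initiated from outside are denied. Addresses, ports and
interface names are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # constructed intranet prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag; SYN without ACK opens a connection


def packet_direction(pkt: Packet) -> str:
    """Direction of one IP packet from the intranet's point of view."""
    src_in = ipaddress.ip_address(pkt.src) in INTRANET
    dst_in = ipaddress.ip_address(pkt.dst) in INTRANET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "other"      # purely internal or purely external traffic


def interfaces(pkt: Packet) -> tuple:
    """(inbound interface, outbound interface) for a packet on the router:
    the interface it appeared on and the one it would leave by."""
    direction = packet_direction(pkt)
    if direction == "outbound":
        return ("int", "ext")
    if direction == "inbound":
        return ("ext", "int")
    raise ValueError("packet does not cross the router")


class StatefulFilter:
    """Tracks connections by the direction in which they were initiated, so
    that an outbound connection's inbound reply packets are admitted while
    unsolicited inbound connections and stray packets are refused."""

    def __init__(self, allow_inbound_connections: bool = False) -> None:
        self.allow_inbound = allow_inbound_connections
        self.connections = {}   # frozenset of endpoints -> 'outbound'/'inbound'
        self.log = []           # denied packets, for audit

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        # Same key for both flows (client->server and server->client)
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def decide(self, pkt: Packet) -> str:
        pkt_dir = packet_direction(pkt)
        if pkt_dir == "other":
            return "deny"
        k = self.key(pkt)
        where = f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        if pkt.syn and not pkt.ack:             # connection attempt
            if pkt_dir == "inbound" and not self.allow_inbound:
                self.log.append(f"deny inbound connection {where}")
                return "deny"
            self.connections[k] = pkt_dir       # remember who initiated it
            return "allow"
        if k not in self.connections:           # belongs to no known connection
            self.log.append(f"deny unsolicited {pkt_dir} packet {where}")
            return "deny"
        return "allow"


def demo() -> list:
    """Run constructed packets through the filter; returns one tuple
    (packet direction, connection direction or '-', decision) per packet."""
    fw = StatefulFilter()
    packets = [
        # outbound connection: internal client to an external web server
        Packet("10.1.2.3", "203.0.113.5", 40000, 80, syn=True),
        # its reply: an inbound packet that belongs to the outbound connection
        Packet("203.0.113.5", "10.1.2.3", 80, 40000, syn=True, ack=True),
        Packet("10.1.2.3", "203.0.113.5", 40000, 80, ack=True),
        # inbound connection attempt to an internal SSH server
        Packet("198.51.100.7", "10.1.2.4", 51000, 22, syn=True),
        # stray inbound ACK matching no connection
        Packet("198.51.100.7", "10.1.2.4", 51001, 22, ack=True),
    ]
    results = []
    for pkt in packets:
        decision = fw.decide(pkt)
        conn_dir = fw.connections.get(StatefulFilter.key(pkt), "-")
        results.append((packet_direction(pkt), conn_dir, decision))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The second packet is the instructive one: it is an inbound packet on the "ext" interface, yet it is allowed because the filter remembers that the connection it belongs to was initiated from inside. A static filter without that memory would either have to admit all inbound packets to high ports or break every outbound connection; this is the gap that dynamic packet filtering (Section 3.3) closes.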




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger
