Introduction to Network Security

Matt Curtin* March 1997 Reprinted with the permission of Kent Information Services, Inc.

Abstract Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become "wired", an increasing number of people need to understand the basics of security in a networked world. This document was written with the basic computer user and information systems manager in mind, explaining the concepts needed to read through the hype in the marketplace and understand risks and how to deal with them. Some history of networking is included, as well as an introduction to TCP lIP and internetworking. We go on to consider risk management, network threats, firewalls, and more special-purpose secure networking devices. This is not intended to be a "frequently asked questions" reference, nor is it a "hands-on" document describing how to accomplish specific functionality. It is hoped that the reader will have a wider perspective on security in general, and better understand how to reduce and manage risk personally, at home, and in the workplace.

'This

work completed

while at Megasoft Online, for Kent Information

Services.

1

2 Packet Filtering 5.4 Lessons Learned .3. Dial-Back Systems. 4. 1.2 Attacks Against IP .4.3 TCP 2.2 The ISO/OSI Reference Model . 2.1 Understanding IP 2. TCP lIP: The Language of the Internet 2.1 Types of Firewalls . 4.1 Denial-of-Service .4.1 UUCP .2.1 Guaranteed Packet Delivery .3.Contents 1 Introduction to Networking 1.2 Don't put data where it doesn't need to be 4.1 What is a Network? . 2.3 Destructive Behavior ..2 The Internet ..1 Hope you have backups 4. .1 Executing Commands Illicitly.4..4. .2 Confidentiality Breaches 4. 2. 5.3 Where Do They Come From? . 1.1.1 Single Points of Failure Secure Network Devices 6.2 Crypto-Capable Routers . 4.2.. 6.3 Some Words of Caution 5. 4. .2. 4..4.1.3. what's best for me? 5.2.1 Lower Overhead than TCP Risk Management: The Game of Security 3 3 3 4 4 5 6 6 2 7 7 7 7 8 8 8 8 9 9 9 9 3 4 Types And Sources Of Network Threats 4.5 Watch for relevant security advisories .. 5.2 IP .2 So. .3 Hybrid Systems. 4.3 Avoid systems with single points of failure.2 Unauthorized Access .1 Secure Modems.6 Have someone on staff be familiar with security practices Firewalls 5. .3 What are some Popular Networks? 1.3.3 Virtual Private Networks Conclusions 10 10 10 10 10 11 11 11 11 11 11 12 12 13 13 13 14 14 14 14 15 15 15 5 6 7 2 .1.4 UDP 2.4 Stay current with relevant operating system patches 4.4. 6.1 Application Gateways 5.1 Open Design . 2.4. 1. 4.2.. 4.

1 What is a Network? A "network" has been defined[l] as "any set of interlinking lines resembling a net. a network of alliances.) The telephones. and the wires that connect the cards together. Once you answer the phone. we'll cover some of the foundations of computer networking. and dial your number. I pick up the receiver. (In the ISO /OSI model. all the way down to the physical network hardware. then move on to an overview of some popular networks. 1. are useless unless they have the ability to translate the sound into electronic pulses that can be transferred over wire and back again. we need a device like a telephone. 3 . This number specifies which central office to which to send my request. computer networks function exactly the same way. we'll go back and discuss some of the threats that managers and administrators of computer networks need to confront." This definition suits our purpose well: a computer network is simply a system of interconnected computers.Application Presentation Session Transport Network Data Link Physical Figure 1: The ISO/OSI Reference Model 1 Introduction to Networking A basic understanding of computer networks is requisite in order to understand the principles of network security. there are a number of ways to do this. 1. In this section. Once we've covered this.2 The ISO/OSI Reference Model The International Standards Organization (ISO) Open Systems Interconnect (OSI) Reference Model defines seven layers of communications types. and our session has begun. Following that. but it's useful to know that they exist. the network protocol suite that is used to run the Internet and many intranets.) Each layer depends on the services provided by the layer below it. and then some tools that can be used to reduce the exposure to the risks of network computing. How they're connected is irrelevant. Conceptually. An easy way to look at this is to compare this model with something we use daily: the telephone. a network of roads II an interconnected system. we'll take a more in-depth look at TCP /IP. we get down to the physical connection: both must be plugged into an outlet that is connected to a switch that's part of the telephone system's network of switches. we begin talking. (These functions are provided in layers below the application layer. of course. In order for you and I to talk when we're out of earshot. such as the computer's network interface card. and then which phone from that central office to ring. If I place a call to you. this is at the application layer. (See Figure 1. and that each layer cannot work without the services provided by the layer below it. and as we'll soon see.) Finally. and the interfaces among them. It isn't important for you to memorize the ISO/OSI Reference Model's layers.

Figure 2 shows a sample UUCP network. users are identified in the format host! userid. everything in the queue is processed. UUCP networks are commonly built using dial-up (modem) connections.3. Now. Additionally. or piece of email. and so on. Because there is no direct link between your host (E) and mine (A). a connection must be established with at least one of the hosts on the network. Implementation Environment. 1. to connect D to the network. Naturally. The "public" UUCP network is simply a huge worldwide network of hosts connected to each other. Adding on to the network is simple. Apple IIs. and even some things you can't. a number of networks and network protocols have been defined and used. A bangpath is a string of host(s) and a userid like A!cmcurt in or C!B!A!cmcurt in. including an Internet connection. everything else you can name. then it must be configured to talk to A and/or B. anything that C talks to must be made aware of C's existence before any connections will work. 4 . in order for us to communicate. UUCP has since been ported to many different architectures. you can address me as C!B! A!cmcurtin. Building a UUCP network is a simple matter of configuring two hosts to recognize each other. including PCs. The "!" character (pronounced "bang" in networking circles) is used to separate hosts and users.3 What are some Popular Networks? Over the last 25 years or so. we need to do so through a host (or hosts!) that has connectivity to both E and A. you would address it to C!A!cmcurt in. Batch-Oriented Processing. or they can use types of networks to connect their own hosts (computers) together. and then at some specified time.1 UUCP UUCP (Unix-to-Unix CoPy) was originally developed to connect Unix (surprise!) hosts together. I might be known as A!cmcurt in and you as E! you. Macs. Or. Anyone can connect to either of these networks. If I am a user on host A and you are a user on host E. This doesn't have to be the case though: UUCP can be used over any sort of connection between two computers. to send me a file. both of which are "public" networks. if hosts called A and B have a UUCP network between them. VMS hosts. So. We're going to look at two of these networks. In a UUCP network. Amigas. and C would like to join the network. a number of systems have been developed around the same principles as UUCP. UUCP and similar systems are batch-oriented systems: everything that they have to do is added to a queue. and know how to get in touch with each other. Each type takes a very different approach to providing network services. In our sample network. without connecting to the public networks. C has the connectivity we need. if you feel like taking the long way around.A B c E Figure 2: A Sample UUCP Network 1.

documents. 1. I'll need to connect. that is a network of our networks. We have a number of networks.3. and that a connection is allowed at that time. Movies. a network of extremely fast (and incredibly overloaded!) network components. If. and most its bugs have been discovered. UUCP. there are still many people whose needs for email and netnews are served quite well by UUCP.) Interactive protocols (that make applications such as the World Wide Web possible) have become much more the norm. The public UUCP network has been shrinking in size over the years. UUCP typically works by having a system-wide UUCP user account and password.Figure 3: A Simple Local Area Network Popularity. though. Identifying a host beyond that point has traditionally been little more than a matter of trusting that the host is who it claims to be.not a network of hosts. you connect to a network that is eventually connected to the Internet backbone. you don't really connect to the Internet. Any system that has a UUCP connection with another must know the appropriate password for the uucp or nuucp account. like any other application. which are all connected together on a backbone. Additionally. A simple network can be constructed using the same protocols and such that the Internet uses without actually connecting it to anything else. and it's therefore more difficult to trick into doing something it shouldn't. 5 . I want to impersonate host C. there is a fair bit of delay in getting data from one user on a UUCP network to a user on the other end of the network. While this might not be a trivial attack. and practically every other sort of media imaginable has dealt with the Internet recently. daily. Our backbone is then connected to other networks. newspapers. I know the uucp password on host A. UUCP isn't very flexible. email. has security tradeoffs. hope that I've done so at a time that A will allow it. it isn't possible for someone on host E to directly make contact with host B. On the other hand. and try to guess the correct sequence number for the session. whereby both hosts must have the same sequence number. and are preferred in most cases. I might be allowed to put one of my hosts on one of my employer's networks. books. This is an important point: the Internet is a network of networks . More recently. it's been around a long time. Some strong points for its security is that it is fairly limited in what it can do. as it's used for simply copying files (which can be netnews. or weekly. if I run host B. and its integration into the Internet has greatly reduced the amount of cumbersome addressing that had to be accomplished in times past. identify myself as C. When you want to access the resources offered by the Internet. However. analyzed. since UUCP connections are typically made hourly. one of which is to an Internet Service Provider (ISP) whose backbone is connected to other networks. with the rise of the availability of inexpensive Internet connections. that is a number that is incremented each time a connection is made. there has been an additional layer of authentication. etc. one of which is the Internet backbone.2 The Internet Internet: This is a word that I've heard way too often in the last few years. Security. What is the Internet? The Internet is the world's largest network of networks. Such a basic network is shown in Figure 3. and take advantage of that connection to do something naughty. Hence. television programs. it isn't considered very secure. magazines. and fixed. and because UUCP networks are made up of occasional connections to other hosts.

and you were looking at my web page. and then from another ISP somewhere on the Internet. OS/2. but in the same ISP cloud. In Figure 4. and the same would happen in reverse: packets would traverse all of the connections until they found their way back to your computer. including every imaginable type of hardware and software. from supercomputers to personal computers. Consequently. and to the exact network my host is on.1 Open Design One of the most important features of TCP /IP isn't a technological one: The protocol is an "open" protocol. 2. My host would then respond appropriately. This shows how the hosts on that network are provided connectivity to other hosts on the same LAN. and so on. Their time is typically donated by their companies. Engineers and scientists from all over the world participate in the IETF (Internet Engineering Task Force) working groups that design the protocols that make the Internet work. 6 . and so on. and anyone who wishes to implement it may do so freely. which is connected to another. or Windows NT) can easily support applications (such as Netscape's Navigator) that uses the network. a host that has TCP /IP functionality (such as Unix. you are actually connecting your computer to one of their networks. Anything that can learn to "speak TCP /IP" can play on the Internet. the network shown in Figure 3 is designated "LAN I" and shown in the bottom-right of the picture. Underlying services and protocols would send packets (small datagrams) with your query to your ISP's network. How do all of these computers understand each other and work together? 2 TCP lIP: The Language of the Internet TCPlIP (Transport Control Protocol/Internet Protocol) is the "language" of the Internet. This is functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO /OSI Reference Model. To use a service from my host. and the result is work that benefits everyone. and then a network they're connected to. outside of the company.I nternet Backbone ISP Backbone Another ISP Backbo e Company Z Backbone Your Company Backbone LAN 3 LAN 2 LAN 1 Figure 4: A Wider View of Internet-connected Networks If you have a connection "to the Internet" through a local ISP. The Internet is made up of a wide variety of hosts. MacOS. such as a web server. until it found a path to my employer's backbone. you would tell your web browser to connect to my host. within the same company.

where the user is reading his email.2. The naughty person on host H watches the traffic between A and G. Perhaps this is a telnet session. Additionally. being in the control of the attacker. the attacker can still take over the session. After a few seconds of this. and may simply login again. which is proving that a packet came from where it claims it did. If the user was in the middle of email. if the attack is successful. This can be solved by replacing standard telnet-type applications with encrypted versions of the same thing. or using a Unix shell account from home.weak. In this case. the lack thereof. these exploit the fact that IP does not perform a robust mechanism for authentication. perhaps trying to convince it that G is no longer on the net (which might happen in the event of a crash. This is the layer that allows the hosts to actually "talk" to each other. mapping the Internet address (such as 10. or more specifically.2. our purposes. but it is an important point. applications that require strong host authentication (such as cryptographic applications) do this at the application layer. perhaps causing it to take some sort of action.at best . let's return to our large network of networks in Figure 4. This is where one host claims to have the IP address of another.) Because TCP and IP 7 . This isn't necessarily a weakness. These are both good examples how trusting untrustable layers can provide security that is . because it means that the facility of host authentication has to be provided at a higher layer on the ISO / OSI Reference Model. This is very dangerous. naughty person has "hijacked" the session of our user. and at the same time tells A to shut up. 2.2.2. Anything that the user can do legitimately can now be done by the attacker. Typically. and will. Somewhere in the network between A and B sits host H which is run by a naughty person. and routing. the attacker is looking at the email. first described by Steve Bellovin [3]. we're going to focus on the security of IP. For the description of the attack.3. This is a relatively sophisticated attack. illegitimately. this is a useful technique to an attacker: he can send packets to a host. though. The attacker will not have the needed cryptographic key(s) to decrypt the data stream from G. As far as G knows.4) to a physical network address (such as 08:00:69:0a:ca:8f). which takes care of making sure that all of the devices that have Internet connectivity can find the way to each other.1 Understanding IP For IP has a number of very important features which make it an extremely robust and flexible protocol. and then can execute any commands he wishes as the attacked user. because there are now toolkits available in the underground community that allow otherwise unskilled bad-guy-wannabes to perpetrate this attack.2 IP As noted. In this attack. per se. and was designed to ride atop IP. but he'll see only "gibberish" because the session is encrypted. and runs a tool which starts to impersonate A to G. among other things. nothing has happened. however.2 Attacks Against IP A number of attacks against IP are possible. The attacked user simply sees his session dropped. 2. or major network outage). some applications allow login based on the IP address of the person making the request (such as the Berkeley r-commands )[2]. A packet simply claims to originate from a given address. a user on host A is carrying on a session with host G. IP Session Hijacking is an attack whereby a user's session is taken over. TCP packets. 2. Since many systems (such as router access control lists ) define which packets may and which packets may not pass based on the sender's IP address.3 TCP TCP is a transport-layer protocol. IP Session Hijacking. Such things as carrying datagrams. and there isn't a way to be sure that the host that sent the packet is telling the truth. IP Spoofing. (Just as IP was designed to carry. therefore. perhaps not even noticing that the attacker is still logged in and doing things. Today. be unable to do anything with the session. It needs to sit on top of a network-layer protocol. IP is a "network layer" protocol.

4. 2. If I happen to be upstairs at home. I'm not going to jump out the window. etc. and that it gets every packet sent back. whether they ever made it to their destination. even if this means occasional slight delays in responsiveness while a lost packet is resent. this isn't terribly practical. Yes.were designed together and wherever you have one. power supply. after which. This is suited well toward a number of applications. A will resend the packet. or any other mechanism. either: the Internet is a bad neighborhood now. 2. you typically have the other. When we get on an airplane." Again. When we get in a car and drive to work. and in order. in the right order.e.4 UDP UDP (User Datagram Protocol) is a simple transport-layer protocol. the entire suite of Internet protocols are known collectively as "TCP lIP. 2.. Because it doesn't need to keep track of the sequence of packets. or while out-of-order packets are rearranged. A user wants to be sure every keystroke is received by the remote host. there's a certain risk that we're taking. because of a host res ending a packet presumed lost). it has lower overhead than TCP. it does have much more applicability in other applications than the more reliable and robust TCP. This is another reason why it's more suited to streaming-data applications: there's less screwing around that needs to be done with making sure all the packets are there. but the risk of injury outweighs the advantage of convenience. As noted. passwords. and thrown at the bottom of the ocean. such as a telnet session. since the data stream will be paused while the lost packet is being resent. However. A machine with absolute access is extremely convenient to use: it's simply there. It's possible that something completely out of control will cause us to become part of an accident on the highway. it isn't terribly useful to you." TCP itself has a number of important features that we'll cover briefly. Once the lost packet is received. and want to leave for work. In these. and it isn't long before some bonehead will tell the computer to do something like self-destruct. It does not provide the same features as TCP. without questions. and that sort of thing. This is no different from our daily lives. and will do whatever you tell it. one simply cannot say "what's the best firewall?" There are two extremes: absolute security and absolute access.1 Lower Overhead than TCP One of the things that makes UDP nice is its simplicity.3. we're accepting the level of risk involved as the price of convenience. most people have a mental picture of what an acceptable risk is. although this is unsuitable for some applications. Unfortunately. Host A sending packets to host B expects to get acknowledgments back for each packet. Unfortunately. however. it will be put in the proper slot in the data stream. and won't go beyond that in most circumstances. it will be resent by A. it doesn't really matter if a packet is lost (a lost packet in a stream of 100 won't be distinguishable) but it does matter if they arrive late (i. and if packets arrive out of order. it would be more convenient. It is not suited well toward other applications. authorization. We constantly make decisions about what risks we're willing to accept. The closest we can get to an absolutely secure machine is one unplugged from the network. If B does not send an acknowledgment within a specified amount of time. B will arrange them in proper order before passing the data to the requesting application.1 Guaranteed Packet Delivery Probably the most important is guaranteed packet delivery. Applications on host B will expect a data stream from a TCP session to be complete. locked in a safe.. and then passed up to the application. if a packet is missing. such as streaming audio or video. and is thus considered "unreliable. it isn't terribly useful in this state. 3 Risk Management: The Game of Security It's very important to understand that in security. 8 .

This might. a host might be a web server. However. 4. but are now becoming less popular. These are the nastiest. then. On the other hand. 4. must enforce that policy uniformly. and then some things that can be done to protect yourself against various threats.2 Unauthorized Access "Unauthorized access" is a very high-level term that can refer to a number of different sorts of attacks. then.0. perhaps forging the packet's header information that says where the packet came from. Obviously forged packets would include those that claim to come from your own hosts.2.0. we'll get into the types of threats there are against networked computers. and the attacker is sending 50 per second.0). difficult (sometimes impossible) to track. we've covered enough background information on networking that we can actually get into the security aspects of all of this.) that an attacker should not be able to do. Some things that can be done to reduce the risk of being stung by a denial of service attack include • Not running your visible-to-the-world servers at a level too close to capacity • Using packet filtering to prevent obviously forged packets from entering into your network address space. Everything that is done in the name of security. and then dropping the connection. For example. the attacker will need to gain administrator privileges on the host. There are two main classifications of the severity of this problem: normal user access. obviously the host will be unable to service all of the attacker's requests.1 Executing Commands Illicitly It's obviously undesirable for an unknown and untrusted person to be able to execute commands on your server machines. that host should not provide command shell access without being sure that the person making such a request is someone who should get it. and should provide anyone with requested web pages. mail them to other people. be all the access that an attacker needs. Such attacks were fairly common in late 1996 and early 1997. and administrator access. The goal of these attacks is to access some resource that your machine should not provide the attacker. In this case. for example). A policy needs to articulate this. etc. If the host is able to answer 20 requests per second. The premise of a DoS attack is simple: send more requests to the machine than it can handle.Every organization needs to decide for itself where between the two extremes of total security and total access they need to be. and most difficult to address. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. First of all. 4 Types And Sources Of Network Threats Now. 9 . putting a start-up script in place to cause the machine to shut down every time it's started. much less any legitimate requests (hits on the web site running there. • Keeping up-to-date on security-related patches for your hosts' operating systems. such as a local administrator. and the loopback network (127.1 Denial-of-Service DoS (Denial-of-Service) attacks are probably the nastiest. The attacker's program simply makes a connection on some service port. 4. A normal user can do a number of things on a system (such as read files. and then define how that will be enforced with practices and such. and it isn't easy to refuse the requests of the attacker. addresses reserved for private networks as defined in RFC 1918 [4]. because they're very easy to launch. without also refusing legitimate requests for service. an attacker might wish to make configuration changes to a host (perhaps changing its IP address. or something similar).

2.4. how can any of your numbers from that time period be trusted? How far back do you have to go before you think that your data is safe? Data Destruction. and this should be closely coordinated with a disaster recovery plan. the impact on your computing capability . Some of those perpetrate attacks are simply twisted jerks who like to delete things. An accounting procedure might turn up a discrepancy in the books three or four months after the fact. there are two major categories. Perhaps he's toying with the numbers in your spreadsheets. (Additionally. we can divine a relatively short list of high-level practices that can help prevent security disasters. Similarly. or a breakin that changes or otherwise damages your data. or changing the dates in your projections and plans. data phone numbers. though. (How do you know that one of the temps that you've brought in to help with the data entry isn't really a system cracker looking for passwords. rare is the case when you'll come in to work one day. and simply know that something is wrong.) 4. In these cases. vulnerabilities and anything else that can get him access to your equipment?) In order to be able to adequately address security.3 Destructive Behavior Among the destructive sorts of break-ins and attacks. This includes Internet connections. and to help control the damage in the event that preventative measures were unsuccessful in warding off an attack. Maybe he's changing the account numbers for the auto-deposit of certain paychecks. dial-up modems. In these cases. keep in mind that it's possible that someone who is normally interested in nothing more than the thrill could be persuaded to do more: perhaps an unscrupulous competitor is willing to hire such a person to hurt you. these can be useful in recovering your data in the event of an electronic disaster: a hardware failure. does an attacker gain access to your equipment? Through any connection that you have to the outside world. and once that problem is discovered. etc. Data Diddling. In any case. you'll be able to carryon your business from another location. or obtaining information that can be used against the company.1 Hope you have backups This isn't just a good idea from a security point of view.4 Lessons Learned From looking at the sorts of attacks that are common. it's possible that compromise of a normal user's account on the machine can be enough to cause damage (perhaps in the form of PR.can be nothing less than if a fire or other disaster caused your computing equipment to be completely destroyed. 4. 4. all possible avenues of entry must be identified and evaluated.and consequently your business . and even physical access. there are those who are more malicious. 4.3 Where Do They Come From? How. Trying to track the problem down will certainly be difficult. an enemy. 10 . The data diddler is likely the worst sort.4. as we'll consider next.) While many of the perpetrators of these sorts of break-ins are merely thrill-seekers interested in nothing more than to see a shell prompt for your computer on their screen. since the fact of a break-in might not be immediately obvious.2 Confidentiality Breaches We need to examine the threat model: what is it that you're trying to protect yourself against? There is certain information that could be quite damaging if it fell into the hands of a competitor. such that if an airplane crashes into your building one night. The security of that entry point must be consistent with your stated policy on acceptable risk levels.2. or the public. Operational requirements should dictate the backup policy.

Such a person would then be a wise one to consult with on security related issues. This person should also know the "dos" and "don'ts" of security.5 Watch for relevant security advisories In addition to watching what the vendors are saying." [5] 5 Firewalls As we've seen in our discussion of the Internet and similar networks. completely removed. and this can needlessly increase the severity of a break-in dramatically. In security. A firewall is simply a group of components that collectively form a barrier between two networks. old bugs is still one of the most common (and most effective!) means of breaking into systems.4. As a result. 4.6 Have someone on staff be familiar with security practices Having at least one person who is charged with keeping abreast of security developments is a good idea. gOY ciac / t> 11 .4 Stay current with relevant operating system patches Exploiting Be sure that someone who knows what you've got is watching the vendors' security advisories. org/ > Incident Advisory Capability. these are hosts running a flavor of the Unix operating system that has been customized in order to reduce its functionality to only what is necessary in order to support its functions. etc. as he'll be the one who knows if web server software version such-and-such has any known problems. a TCP lIP network. 4.3 Avoid systems with single points of failure Any security system that can be broken by breaking through anyone component isn't really very strong. 4. information that doesn't need to be accessible from the outside world sometimes is.4. cert . 1Computer 2Computer Emergency Response Team. Bastion host. so let's introduce them all together. from reading such things as the "Site Security Handbook. and keep track of various problems that arise. Many of the general-purpose features have been turned off. as proprietary information is often displayed freely within a corporate intranet (that is. Typically. Routers also handle certain functions.llnl. A general-purpose computer used to control access between the internal (private) network (intranet) and the Internet (or any other untrusted network). Make sure that at least one person (preferably more) is subscribed to these mailing lists 4.4. keep a close watch on groups like CERT1 and CIAC2. firewalls have been employed. A number of terms specific to firewalls and networking are going to be used throughout this section. connecting an organization to the Internet provides a two-way flow of traffic. This need not be a technical wizard. in order to improve the security of the machine. and can help you protect your organization from a minor security breach becoming a catastrophe. In order to provide some level of separation between an organization's intranet and the Internet. a degree of redundancy is good.4. or managing the traffic on the networks they connect. modeled after the Internet that only works within the organization). Router.4.4. <http: / / ciac .2 Don't put data where it doesn't need to be Although this should go without saying. such as routing. <http://www . and in many cases. A special purpose computer for connecting networks together. this doesn't occur to lots of folks. but could be someone who is simply able to read advisories issued by various incident response teams. This is clearly undesirable in many organizations.

These are made up of bastion hosts that run special software to act as a proxy server. must know how to use the proxy. destination service port. because they don't allow anything to pass by default. 12 . and return the result to the client.net/> web page. the browser will make a connection to the proxy server. Many routers now have the ability to selectively perform their duties. Figure 5 shows a application gateway. by various components within the DMZ. These are also typically the slowest.Connection to ISP Access Router External Gateway LAN Internal Gateway LAN Choke Router Your Company Backbone LAN 3 Figure 5: A sample application gateway Access Control List (ACL). These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.1. and so on. 5. This software runs at the Application Layer of our old friend the ISO / OSI Reference Model. all hosts on the intranet are able to access resources on the Internet without having the ability to direct talk to the Internet. because more processes need to be started in order to have a request serviced. and be configured to do so) in order to use Internet services. hence the name. when a host on the intranet wishes to fetch the <http://www. This includes things like origination address. Traditionally. 5. and we'll consider each of them.1 Application Gateways The first firewalls were application gateways. The proxy server will fetch the document. and are sometimes known as proxy gateways.interhack. based on a number of facts about a packet that comes to it. and host on the intranet might be configured to be proxy clients. This is the process of having one host act in behalf of another. destination address. this is a network that connects the The importance of a DMZ is tremendous: someone who breaks into your should have to get through several layers in order to successfully do so. But. for example. Clients behind the firewall must be proxitized (that is. Proxy. Demilitarized Zone (DMZ). but need to have the programs written and turned on in order to begin passing traffic. In this situation. untrusted to the trusted. A host that has the ability to fetch documents from the Internet might be configured as a proxy server. In this way. and request the given URL. network from the Internet Those layers are provided The DMZ is a critical part of a firewall: it is a network that is neither part nor part of the trusted network.1 Types of Firewalls There are three basic types of firewalls. of the untrusted network. these have been the most secure.

an attacker. though. and the choke router. Figure 6 shows a packet filtering gateway. Because we're working at a lower level. the bastion host. because the feature of access control is performed at a lower ISO I OSI layer (typically. what's best for me? Lots of options are available. new connections must be authenticated and approved at the application layer. where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed. and can 13 .2 So. either in-house.1. Due to the lower overhead and the fact that packet filtering is done with routers. using this method. which are specialized computers optimized for tasks related to networking. and vice versa. TCP lIP has absolutely no means of guaranteeing that the source address is really what it claims to be. As a result. but with two layers of packet filters. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network. the transport or session layer). Other possibilities include using both packet filtering and application layer proxies. or is a simple matter of allowing a specific packet type to pass through the gateway.erns In an attempt to marry the security of the application layer gateways with the flexibility and speed of packet filtering. We can't get all the way down to the actual host. opening things up this way might very well compromise your level of security below what your policy allows. By default. Once this has been done. In some of these systems. Remember.3 Hybrid Syst. The benefits here include providing a measure of protection against your machines that provide services to the Internet (such as a public web server). the remainder of the connection is passed down to the session layer. or an experienced consultant who can take the time to understand your organization's security policy. and it makes sense to spend some time with an expert.) There are problems with this method. There is less overhead in packet filtering than with an application gateway. Additionally. and will do so without any sort of restrictions. but we can't get more specific than that. a router will pass all traffic sent it. We can identify which network the packet came from with certainty. will have to break through the access router. as well as provide the security of an application layer gateway to the internal network. supporting new applications either comes automatically. a packet filtering gateway is often much faster than its application layer cousins. we have to use layers of packet filters in order to localize the traffic. (Not that the possibility of something automatically makes it a good idea. 5. we can differentiate between a packet that came from the Internet and one that came from our internal network.1. 5. some vendors have created systems that use the principles of both. in order to get to services on the internal network.Connection to ISP Choke Router Your Company Backbone Figure 6: A sample packet filtering gateway 5.2 Packet Filtering Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on.

it's important to note that many consultants these days have become much less the advocate of their clients. or network device that provides dial-up access to your network needs to be actively administered.S. can provide an easy means for an attacker to sneak around (rather than through) your front door (or. and call the authenticated user back at a known telephone number. 14 . This doesn't mean that it was loaded with the vendor's software at the time. There are some remote access systems that have the feature of a two-part procedure to establish a connection. certifications. Ask any consultants you talk to about their vendor affiliations. 5. bad Internet. Taking a little bit of time to talk to some knowledgeable folks can go a long way in providing you a comfortable level of security between your private network and the big. and such all simply mean that an organization was able to configure a machine to pass a series of tests. Along with commodity markets come lots of folks who are looking for a way to make a buck without necessarily knowing what they're doing.3. In order to try to quantify the potential security of firewalls. vendors compete with each other to try and claim the greatest security. or that the machine was even usable. Department of Defense "Orange Book" standards. and the like are no guarantees of security or quality. In short. B-1.not ones that can be guessed.3 Some Words of Caution The business of building firewalls is in the process of becoming a commodity market. 5. an attacker has only one thing to break (or fool!) in order to gain complete access to your internal networks. The certification of a firewall means nothing more than the fact that it can be configured in such a way that it can pass a series of tests. The term "firewall" refers to a number of components that collectively provide the security of the system. Once the remote user's system answers that call. one vendor has been claiming their operating system is "C-2 Certified" didn't make mention of the fact that their operating system only passed the C-2 tests without being connected to any sort of network devices. the connection is established. and scalability might factor in to the final design. The system will then drop the connection.design and build a firewall architecture that best implements that policy. Modems. C-2. some organizations have taken to firewall certifications. The terminal server. and its logs need to be examined for strange behavior. but can be problematic for users wishing to dial in from hotel rooms and such when on business trips. your network needs to be protected at all of its entry points. and providing the correct userid and password. This works well for folks working at home. Its password need to be strong . and more of an extension of the vendor. Ask what difference it makes to them whether you choose one product over another.1 Secure Modems. In fact. Additionally. and the user is on the network. and vice versa. if you allow them to answer incoming calls. Accounts that aren't actively used should be disabled. Dial-Back Systems If modem access is to be provided. Additionally. certification. Such gauges as market share. Other issues like services required. firewall). the easiest to administer. Just as castles weren't built with moats only in the front. And then ask yourself if a consultant who is certified in technology XYZ is going to provide you with competing technology ABC. this should be guarded carefully. and whatnot. convenience. it's the easiest way to get into your network from remote: guard it carefully. claims about meeting or exceeding U. 6 Secure Network Devices It's important to remember that the firewall only one entry point to your network. and the least visible to end users. 6. feeling safe and secure. The first part is the remote user dialing into the system. Similarly.1 Single Points of Failure Many "firewalls" are sold as a single component: a bastion host. even if ABC best fits your needs. or some other black box that you plug your networks into and get a warm-fuzzy. Any time there is only one component paying attention to what's going on between the internal and external networks.

and they must be tracked. and find out how what the vendors have to offer will help you enforce your security policy effectively. Everyone has a different idea of what "security" is. is private (because the link is encrypted). either directly with their base product. and only with everyone's cooperation. 15 .3 Virtual Private Networks Given the ubiquity of the Internet." a string of between six and eight numbers. ideas for evaluating cryptographic products. and the link is convenient. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around. It's important to get their feedback to understand what can be improved. He then presses enter. and it becomes much simpler to decide whether what is proposed will conflict with your security policies and practices. an expensive data line had to be leased in order to provide direct connectivity between the two offices. the sorts of risks that are deemed unacceptable. although going over the Internet. but do not want to be bothered with it when it gets in their way. and consistent practices. without requiring dial-back access. 6. VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. and if all is correct. such that there can be secure routes. and is presented with a "challenge. A number of firewall vendors are including the ability to build VPNs in their offerings. Security is everybody's business. of course. these have their own problems. this might very well be the best way to do it. many organizations have been building VPNs (Virtual Private Networks). The user types the response. Many people pay great amounts of lip service to security. 6. much like building and office keys. Once that has been defined. and how to determine which will most likely meet your needs. These are useful devices for solving the problem of good passwords. a solution that is often more economical is to provide both offices connectivity to the Internet. Users who find security policies and systems too restrictive will find ways around them. The key for building a secure network is to define what security means to your organization. as they require the user to carry them. because each can see each others' internal resources without showing them off to the entire world. See the Snake Oil FAQ [6] for a description of cryptography. Projects and systems can then be broken down into their components. The danger in doing this. he login will proceed. Take a look at your options. and it's difficult to provide the other office access to "internal" resources without providing those resources to everyone on the Internet. 7 Conclusions Security is a very difficult topic. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him.2 Crypto-Capable Routers A feature that is being built into some routers is the ability to session encryption between specified routers. and a "response" is displayed on the LCD screen. an intelligent policy. No doubt many other schemes exist. will it be achievable. If you have need to connect several offices together. Traditionally. The session between them. is that there is no privacy on this channel. or as an add-on. and what has been done to minimize the organization's exposure to them. However. the two offices can communicate.Other possibilities include one-time password schemes. for an organization to provide connectivity between a main office and a satellite one. and what levels of risk are acceptable. and it's important to let them know why what's been done has been. everything that goes on with the network can be evaluated with respect to that policy. where the user enters his userid. these are advantageous for providing connectivity between two sites. Now. using the Internet as the medium. and the considerable expense in private leased lines. Then. He types this challenge into a small device that he carries with him that looks like a calculator.

2BSD Unix TCP/IP Software. crypt> Fre- Software to Avoid. Science Technical Review. Murray Hill. 32-48. Communication E.K. New Jersey. Morris. Karrenberg.P.References [1] The New Lexicon Webster's Encyclopedic Dictionary of the English Language. G.M. 19. [2] R. Computer Vol. No.2. April 1989. pp. Security Problems in the TCP/IP Protocol Suite. Computing Report No. Holbrook. New York: Lexicon." USENET 16 . 1985. Rekhter. Internets." [6] M. "Site Security Handbook. "Snake Oil Warning Signs: Encryption quently Asked Questions File. A Weakness in the 4. AT&T Bell Laboratories. Moskowitz. 117. [3] S. Lear. Bellovin. "Address Allocation for Private [5] J. D. [4] Y. J. R. Curtin. <sci." RFC 1918. RFC 1244.T. Reynolds. de Groot.

Sign up to vote on this title
UsefulNot useful