Network Security and Firewalls

A Summary

B.Sc. Degree in IT Management

Institute of Technology, Carlow

(Prepared by Paul Barry)
Network Security and Firewalls

As the Internet becomes all-persuasive, the nature of the activities occur-

ring on the Internet are increasingly becoming critical to the health of the
organizations that connect their own networks to it. Gone are the days of
connecting a network to the Internet, establish connectivity then moving onto
others things. The Internet is not the safe, friendly, academic world it used
to be. In addition to enabling improved business-to-business and business-to-
customer communications (among other things), connecting to the Internet
opens up a network to an increasingly sophisticated community of computer
crackers1 , viruses, electronic eavesdroppers and sundry other attacks.

Once attached to the Internet, in addition to taking advantage of its many

benefits, the ‘connected organization’ needs to protect itself from electronic
attack. Network security has, as a consequence, become an important disci-
pline within the Internet-connected world, and within computing in general.
In this essay, a survey of the network security techniques available to todays
network manager are presented, with an emphasis toward the latter part of
this essay on Firewall technologies.

1.1 A Taxonomy of Security Attacks

There are four main categories of network security attack:

Interruption - an attack on the availability of a network asset.

Interception - an attack on the confidentiality of network data.
Modification - an attack on the integrity of network resources.
Fabrication - an attack on the authenticity of a network user.
1
Also known as script-kiddies.

1
 2

Network attacks can further be categorized as being either passive or active.

Passive attacks occur within a setting that makes in impossible (or imprac-
tical) to identify the occurrence of the attack. Traffic Analysis is an example
of a passive attack - a copy of transmitted data is taken and analyzed in
an attempt to determine some useful information. Active attacks are more
blatant, in that they result in active changes to the transmitted data, mak-
ing them easier to identify (usually after the fact, when it is far too late).
Examples of this type of attack include masquerading, replay, modification
and denial-of-service.

1.2 Dealing With Attacks: Security Services

When it comes to protecting a network against attacks, a classification of

security services has been defined:

Confidentiality - protecting transmitted data against passive at-

tacks and network analysis. Typically, cryptographic technolo-
gies are employed.
Authentication - ensuring that the communication is indeed au-
thentic. This service assures a recipient that any received data
is from the source that it claims to be from (and vice-versa).
Integrity - ensuring that messages are received in exactly the same
form that they were sent, i.e. without any unauthorized changes.
Non-repudiation - providing a means by which neither the sender
nor the receiver can deny a transmitted message.
Access Control - limiting and controlling an authenticated users
access to network resources. Typically, access control is tailored
to an individual’s access rights.
Availability - implementing countermeasures to guard against the
loss or reduction of a network service.

1.3 Network Security Models

Two broad models have been defined for discussing Network Security. In the
first, there is one insecure communications channel and four participants.
The participants are:
 3

Sender - one of the two principals in the transaction, this participant

wishes to use the insecure channel to send data securely to the
other principal.
Receiver - the other principal in the transaction, this participant will
receive data over the insecure channel from the other principal.
Trusted Third Party - depending on the security services chosen
and how they are implemented, a trusted third party may be
required to enable secure communications between the two prin-
cipals.
Opponent - the bad guy (or girl), intent on capturing and interpret-
ing the data being transmitted between the principals, and - if
this is not possible - disruption of the insecure channel may also
be a goal (resulting in a denial-of-service attack).

The other model relates to network access. In this model, there is a collection
of (hopefully) protected information systems. A mechanism is implemented to
protect these systems from unwanted access from an insecure network. This
mechanism is essentially a gatekeeper function and is typically manifested
in some type of firewall system. The single participant in this model is the
Opponent, who is intent in achieving unauthorized access to the information
systems on some protected internal network. On the Internet, the Opponent is
typically a human, however, a growing collection of automated software tools
(and, in some cases, computer viruses) would also be classed as a participant
in this model.

1.4 The Role of Cryptography

In order to provide the security services identified above, security managers

and implementors rely heavily on the Science of Cryptography. The ability to
securely encrypt data prior to transmission and then decrypt it upon receipt
are key techniques within the Network Security world. This section briefly
describes these important techniques.

1.4.1 Conventional Symmetric Encryption

Conventional encryption technologies are thousands of years old, and they

all operate in a common way. A shared secret key is used to encrypt the data
 4

to be transmitted using a published algorithm. The data is then transmitted

over the insecure channel by the Sender, then the Receiver decrypts the data
using the shared secret key and another published algorithm.

Typically, conventional encryption technologies are strong at ensuring con-

fidentiality within an insecure network. The strength of any particular con-
ventional encryption technology is directly related to the size of the shared
secret key. Due to the mathematics involved, it becomes computationally
infeasible to break a conventional encryption technology by brute-force tech-
niques. A small key-size, say 56 bits, is easily breakable by brute-force. For
example, DES (the Data Encryption Standard), which uses 56 bit keys, was
publicly broken in 1998 by the Electronic Frontier Foundation. However, it
is relatively easy to prove that a key of 128 bits or greater is all but impos-
sible to break by brute-force, which explains why most modern conventional
encryption technologies use a key-size of 128 bits or more. Triple-DEA (the
successor to DES) uses 168 bits. Of course, if the algorithm is compromised,
it does not matter how large the key-size is. And, it is a case of “pack-up
and go home” if the shared secret key becomes public. The practice of se-
cure shared secret-key distribution is an important aspect of conventional
encryption technology.

1.4.2 Public-key Cryptography

Like conventional encryption technologies, public-key cryptography uses a

published encryption and decryption algorithm. Unlike conventional encryp-
tion technologies, public-key cryptography has two keys, one private (which
is kept secret) and one public (which is widely published, in fact, essentially
given away). Data that is to be transmitted can be encrypted with either the
public-key or the private-key.

Typically, public-key cryptography is strong at providing authentication se-

curity services. Key-size again plays an important role in public-key cryptog-
raphy , the longer the key, the stronger the encryption. With the public-key
being so widely distributed, a trusted third party is often employed to verify
that the public-key does in fact belong to the Sender or Receiver claiming to
own it.

Public-key cryptography is also applied to the production of digital signa-

tures.
 5

1.5 Security Applications

In response to the growing threat of Internet attack, a number of security

applications and tools have been developed. Two common classifications can
be identified: infrastructural and application-specific.

1.5.1 Infrastructural Security Tools

This type of tool provides protection to an entire network, from an infras-

tructural point-of-view. Two network-based (application-layer) authentica-
tion technologies are popular, and these are the Kerberos system and the
X.509 standard. At the network-layer, the IPsec enhancement to IPv4 pro-
vides an encryption service to all IP-bound network traffic. When it comes to
managing a diverse, heterogeneous network, Release 3 of the Simple Network
Management Protocol (SNMP) has been built to operate securely.

1.5.2 Application-Specific Security Tools

This type of tool provides protection to one specific application domain. On

the Internet, tools to assist in the protection of electronic mail messages and
web-based transactions have recently come to prominence. Electronic mail
security technologies include Pretty Good Privacy (PGP) and the security
extensions to MIME, called S/MIME. Web-based transactions can be pro-
tected by Secure Sockets Layer (SSL) technologies (built into most modern
web browsers and web servers), whereas credit-card transactions (and all of
the participants in the transaction) can be protected by conformance to the
Secure Electronic Transaction (SET) standard.

1.6 Firewalls

Taking their name from the construction industry, the network firewall is a
network device that is positioned between a network to be protected and the
Internet. In effect, a firewall is a manifestation of an organization’s security
policies as they relate to in-bound network traffic arriving from the Internet,
and out-bound network traffic going to the Internet, from a protected internal
network.
 6

1.6.1 Firewall Design Goals

Modern firewall technology has a number of design goals, as follows:

Checking All Traffic - network traffic to and from the Internet must
be passed through the firewall so that it can be checked against
the organizations security policies. This checking is referred to
as filtering.
Forwarding Authorized Traffic Only - network traffic that satis-
fies the organizations security policies may pass. All other net-
work traffic is logged, then discarded, as it is treated as suspect.
Better to be safe than sorry.
Avoiding Being Compromised - the firewall itself needs to be de-
veloped in such a way that it itself is immune to penetration.
Under no circumstances should a ‘faulty’ firewall allow any net-
work traffic to bypass the security policies2 .

When it comes to using a firewall to control access, four types of control (or
filters) can be identified, thus:

Service - based on the protocol port-number associated with a par-

ticular Internet service, application-layer network traffic is either
blocked or allowed to pass. Additionally, traffic can be filtered by
IP address (or IP address range), both for inbound and outbound
network traffic.
Direction - network traffic can be filtered on inbound connections,
outbound connections, or both inbound and outbound connec-
tions.
User - based on the identity of a user, network traffic can flow through
the firewall assuming the user is authorized to generate network
traffic of an approved type. Generally, this control filter is applied
to users on the protected network side of the firewall.
Behaviour - filters are applied to control how a particular service is
used. For example, web pages may be scanned for Java applets
(and the applets discarded), or incoming e-mail may be scanned
for known viruses, while outgoing e-mails may be scanned for
inappropriate use of language.
2
Although this seems like an unlikely occurrence, the http://www.cert.org website
recently highlighted security problems with firewalls based upon the Gauntlet technol-
ogy, which forms the basis of many commercial firewall products. For more details see:
http://www.cert.org/advisories/CA-2001-25.html.
 7

In providing these filter and control services, a firewall can be thought of

as a single choke-point on a network, though which all inbound and out-
bound network traffic passes. As such, it is the ideal location within which
to implement a site-wide auditing and logging facility.

1.6.2 Firewall Types

As firewall technology has developed, a number of distinct types of imple-

mentation have come to prominence. Each type will now be discussed.

The Packet-Filtering Router/Firewall

Adding packet-filtering rules to an appropriately sophisticated router is one

of the most effective means of implementing a network firewall (and most
modern routers support such setting of rules).

In essence, the router is configured to inspect every chunk of inbound and

outbound network traffic. The chunk of network traffic is then checked against
each of the rules, looking for a match. If a match is not found, the default
policy configured on the router is enacted, with a default policy of discard
being the most conservative and safest option. If a match is found, the router
then examines the policy associated with the rule to decide what to do with
the chunk of network traffic, either discard the chunk or forward the chunk.

When processing IP datagrams, UDP datagrams or TCP segments, the

packet-filtering router is primarily interested in examining the header fields of
the datagram or segment. The actual data (or application protocol data) is of
lesser interest to the packet-filtering router. (As is the case with most routers
- they typically do not concern themselves with application-layer data, as
they are designed to route Internet datagrams as quickly as possible, with-
out delay).

A few example rules should help clarify how packet-filtering routers are typ-
ically configured. A rule may look like this:

block;payroll;*;www.hotmail.com;*;

which blocks (discards) network traffic from the internal system called payroll
 8

using any protocol port-number (the * wild-card) to the www.hotmail.com

Internet server using any protocol port-number (the * wild-card, again)3 .

Here is another example rule:

allow;mailsys;25;*;*;

which allows (forwards) network traffic to the internal system called mailsys
using protocol port-number 25 (the well-known protocol port-number for
SMTP, the Simple Mail Transfer Protocol, which is used by all Internet-
based e-mail systems). Network traffic is allowed from any Internet server
(the * wild-card) using any protocol port-number (the * wild-card, again).

A final example is:

block;*;*;*;>1023;

which blocks (discards) all network traffic from any internal system (the *
wild-card) using any protocol port-number (the * wild-card, again) to any
system (the * wild-card, yet again) using a protocol port-number that is
greater that 1023 (that is, a protocol port-number outside the range of the
well-known protocol port-number assignments).

Packet-filtering routers have a number of advantages:

Simplicity - it is relatively straightforward to configure packet-filtering

on modern routers (and the recent move toward web-based router
configuration tools makes this even easier).
Transparency - as the firewall mechanism is ‘centralized’ in the
router (at the edge of the organization’s network), users are gen-
erally unaware of its existence. That is, it is transparent to them,
and this is a good thing.
Good Performance - routers are designed and optimized to pro-
cess chunks of network data as quickly as possible and, as long
as the packet-filtering rule-set is kept to a relatively small size,
implementing packet-filtering does not add significantly to the
router’s processing overhead.
3
Remember that each end of an Internet connection (when using TCP) has its own
individual protocol-port number, which explains the double use of the * wild-card in this
and subsequent examples.
 9

Packet-filtering routers also have some disadvantages:

Incorrectly Specified Rules - getting the rule-set right can be dif-

ficult, and sometimes strange combinations of seemingly correct
rules can be easily compromised.
Lack of Authentication - network traffic either passes through the
packet-filtering router or it does not. There’s no real notion of
the network traffic being authenticated.

Despite these disadvantages, deploying a packet-filtering router as a firewall

is very popular due mainly to the importance placed on the advantages.
Packet-filtering routers are also open to a number of attacks.

The IP Spoofing attack attempts to send network traffic from the Internet
through the firewall by tinkering with the Source IP Address of the sending
IP datagram. By changing the source IP address to an IP address on the
protected side of the firewall (that is, an IP address of an internal network
device), a packet-filtering router that has been configured to allow all traffic
with a source IP address on the protected network to pass through the firewall
may allow the spoofed network traffic onto the protected network. This can
be easily dealt with by arranging that the packet-filtering router only allow
network traffic through if the IP datagram claiming to be from the protected
internal network is in fact arriving on the protected internal network’s router
interface.

The Source Route attack exploits a mechanism built into IPv4 which allows a
network device to explicitly direct an IP datagram to follow a specified route
into or out of the protected internal network. This can sometimes result in
the packet-filtering router allowing such traffic through. The solution to this
attack is to disallow the use of this option with any IP datagram, whether
the network traffic is inbound or outbound.

The Small Fragment attack creates IP datagrams that are two things: frag-
mented and very small. So small in-fact that the TCP header information
will not fit into a single IP datagram, but is instead fragmented into a col-
lection of IP datagram fragments. If the packet-filtering router is not con-
figured to watch for datagrams like this, some traffic may pass through the
packet-filtering router that ought not to. The solution is to inspect all IP
datagrams and discard any that indicate that fragmentation has occurred
and that also indicate that TCP header information is in the IP datagram
 10

fragment. A further precaution would be to automatically treat as suspi-

cious any IP datagrams that are very small and part of a larger, fragmented
original.

The Application-Level Gateway/Firewall

Unlike firewalls that are based on packet-filtering technology, and which oper-
ate at the Network and Transport Layer, the Application-Level Gateway acts
as a proxy on behalf of users on the protected side of the internal network,
and on behalf of unknown users on the Internet. In effect, the application-
level gateway pretends to be the internal network user when communicating
with the insecure Internet for inbound and outbound network traffic.

For example, if a HTTP application-level gateway in installed on the pro-

tected internal network, a user on the network that starts a web-browser and
then requests a connection to a website on the Internet, would have the re-
quest relayed to the application-level gateway (the proxy). If the application-
level gateway has been configured to allow such a request to succeed, it (that
is, the proxy) contacts the website in question and requests the resource re-
quested by the user’s web-browser on behalf of the user. Once received, the
resource is then transferred to the user’s web-browser. In addition to pro-
viding a mechanism whereby the request can be checked prior to it being
fulfilled, the application-level gateway can log and audit the entire communi-
cation. This is seen as a prime advantage of this approach. It is also generally
regarded as easier to configure an application-level gateway than it is to con-
figure a packet-filtering router, as anything not covered by the Application
Layer rule-set configured on the application-level gateway is discarded. By
operating at a higher, more abstract level, the configuration is regarded by
many to be easier and less prone to error. The prime disadvantage is the
additional overhead introduced to all the communications that pass through
the application-level gateway.

The Circuit-Level Gateway/Firewall

The Circuit-Level Gateway does not allow TCP connections between two end-
points (one internal and the other external) to come into existence. Instead,
the circuit-level gateway establishes two TCP connections: one between the
circuit-level gateway and a user of the internal protected network, and an-
other between the circuit-level gateway and an external network device on
 11

the Internet. These connections are only established if they are determined to
be allowed, and if they are, and once they are established, all network traffic
flows from the internal user to the external network device without further
checking. What constitutes an ‘allowed’ connection is determined by the lo-
cal network manager and his/her level of trust of the users of the internal
protected network.

1.6.3 The Role of the Bastion Host

The term Bastion Host is used to refer to a networked system that plays
a central role in enabling the implementation of a firewall on a protected
internal network. In effect, the bastion host runs the application-level gateway
or the circuit-level gateway. The bastion host has a number of characteristics.
It typically runs on a secure operating system (often referred to as a trusted
system). Only those services required are installed as proxies on the bastion
host, and they are usually configured to allow a restricted set of functionality,
in addition to running within chrooted sand-boxes. Each proxy is designed
to operate in isolation: if a proxy is compromised or goes off-line, the other
proxies installed on the bastion will not be affected by this.

1.7 Selected Firewall Configurations

Of course, it is far from the case that only one of the types of firewall system
discussed in the last section are deployed in an attempt to secure a protected
internal network. Typically, sites implement a combination of firewall mech-
anisms. Three popular configurations are described in the subsections which
follow.

1.7.1 Bastion/Packet-Filtering Combo

In this setup, a single packet-filtering router connects the organization’s pro-

tected internal network to the Internet. On the internal side of the packet-
filtering router, a single bastion host is deployed. The packet-filtering router is
configured to accept (that is, forward) inbound network traffic that contains
an IP destination address of the bastion host, as well as accept outbound
network traffic with a source IP address of the bastion host. All other net-
 12

work traffic is blocked (that is, discarded). Note that, with this configuration,
both network-level and application-level filtering is occurring (as the bastion
host is acting a the sole proxy to services on the Internet and services on
the protected internal network). This is seen as this configurations greatest
advantage, coupled with the fact that an intruder needs to compromise two
firewall systems in order to attack the protected internal network.

Note that the bastion host is connected to the protected internal network
with a single connection (that is, the bastion host is single-homed ). This
can, under extreme circumstances, cause security problems. Specifically, if
the packet-filtering router is compromised, network traffic will no longer be
‘forced’ to travel through the bastion host, but could instead travel to any
network-attached device which shares the bastion host’s LAN segment.

1.7.2 Dual-Homed Bastion/Packet-Filtering Combo

This firewall configuration is essentially the same as the previous configura-

tion, but for the fact that the bastion host now has two separate network
connections (that is, the bastion host is dual-homed ). On a standard PC, this
configuration can easily be implemented by installing two network interface
cards (NICs) into the bastion host. One network interface is connection to
a small LAN segment that contains the packet-filtering router that connects
to the Internet. The other network interface connects to the protected in-
ternal network. As before, the packet-filtering router is configured to accept
inbound network traffic that contains an IP destination address of the bastion
host, as well as accept outbound network traffic with a source IP address of
the bastion host. All other network traffic is blocked (that is, discarded). If,
with this configuration, the packet-filtering router is compromised, the only
physical path the network traffic can take is to still go through the bastion
host, where it would (presumably) be filtered, determined to be suspect, and
subsequently discarded (as well as logged and audited).

1.7.3 Dual Bastion/Dual Packet-Filtering Combo

The most paranoid of all firewall configurations involves adding a second

packet-filtering router to the previous setup. The second packet-filtering
router is installed on between the bastion host and the protected internal
network, and in configured to only accept outbound and inbound network
 13

traffic to and from the bastion host from the protected internal network.

There are now three levels of protection: a packet-filtering router connected

to the Internet, a packet-filtering router connected to the protected internal
network and the dual-homed bastion host on its own LAN segment in the
middle4 . Critically, the protected internal network is effectively invisible to
the Internet, and the Internet is effectively invisible to the protected internal
network. The key point is this: if an internal network cannot be seen from
the Internet, how can it possibly be attacked?

1.8 Conclusion

Network security is a complicated business. As more advanced and sophisti-

cated mechanisms are developed to protect Internet-attached network re-
sources, equally determined efforts are made to compromise the security
mechanisms in place. A healthy dose of security paranoia should fester in-
side all network managers responsible for network security, as complacency
will inevitably lead to disaster. No network can claim to be totally secure
(as such a notion is folly). However, a network can claim to be as protected
as is humanly possible. Security policies need to be constantly reviewed and
revised. Hardware and software firewall systems need to be kept up-to-date.
It is a case of “it’s only a matter of time” for the network manager that
fails to develop the skills and practices that keep them one step ahead of the
Internet crackers and script-kiddies. If you are a network manager, be afraid,
be very afraid. Foster paranoia, and trust no one.

4
Such as LAN segment is often referred to as a demilitarized zone or DMZ.
Bibliography

[1] Simon Singh, The Code Book: The Science of Secrecy from Ancient
Egypt to Quantum Cryptography, Fourth Estate Ltd., 1999. ISBN: 1-
85702-879-1. (This is a book on cryptography that is written for those
of us that do not have a third-level qualification in Mathematics but still
need to understand this important technology).

[2] William Stallings, Network Security Essentials: Applications and Stan-

dards, Prentice-Hall Inc., 2000. ISBN: 0-13-016093-8. (An excellent
overview of the entire field).

14