Worried about potential security gaps? Follow these seven steps to make sure your installation won’t melt under fire.
Set Up a Flame-Proof Firewall
Worried about potential security gaps? Follow these seven steps to make sure your installation won’t melt under fire.
- By Roberta Bragg
- 12/01/1999
I can still remember when most people thought a firewall
was a special wall placed in a building to prevent the
spread of fire. Now it’s just what the doctor ordered
to protect your company from those heinous hacker homies,
and sooner or later it’s going to be your job to put one
into operation. Are you up to the job? Do you know how
to install a flame-proof firewall? Here are seven sure-fire
tips on how to set up a firewall right the first time.
1. Know Why You’re Installing the Firewall
Was this your choice? Been fighting for a firewall? Has
it just become company policy? The consultants who brought
in the Web site insisted on a firewall? Your boss handed
you a box and said, “Here, go install this?” If you know
what a firewall is and why you’re installing it, this
can help dictate which features to choose during installation
and configuration, and even where you place the firewall
in your network. So that we’re on the same page, I define
a firewall as a service that limits access between the
Internet and a private network, between pairs or groups
of private networks, or between sensitive and less-sensitive
parts of private networks.
More than any other system you’ll configure, a firewall
has only one purpose in life, and its purpose may seem
to be opposite that availability/usability/ease-of-use
credo you’ve had hammered into your head all this time.
After all, by definition, a firewall blocks information
flow. So ask the question, why are we installing this
firewall? You don’t want to make it harder for people
to get information, do you?
Time to wake up. Information flow has to be controlled
like everything else. The peace, free love, and freedom
of information banner just doesn’t fly well in corporate
America. Just as we don’t want our precious laptops and
automobiles to be “borrowed” by someone else, information
in your company is critical to its survival. As rapidly
as we expand the boundaries of information access to include
our suppliers and customers, we must protect our private
information (and theirs).
| The
Proxy Server Connection |
| Proxy services are applications
that run on a firewall. User requests
for Internet services such as FTP, telnet,
and http are received and forwarded, according
to security policy. Proxy servers, therefore,
act as gateways and replace connections.
The client doesn’t “talk” directly to
the service. In fact, use of a proxy service
is usually transparent to the user. Proxy
services are implemented via software
and thus should be used with a mechanism
that physically prevents or restricts
direct communication between internal
and external systems. Examples of such
mechanisms are a dual-homed host (a host
with two network interfaces) and/or packet
filtering. Proxy servers require proxy
clients. Web browsers can be configured
to act as proxy clients. |
|
|
But again, why are you installing a firewall now? Are
you setting up a perimeter defense for your corporate
network? Creating a DMZ (demilitarized zone) where Web
servers and other systems that need to be accessed by
your business partners or customers can reside? Putting
up a wall around sensitive areas of your company to assure
only the select, authorized, vetted few can get in? Firewalls
are often used for all these purposes. Knowing who’s supposed
to get in, and who’s not, will help you properly configure
the firewall, as well as monitor how well it’s performing.
Understanding the type of systems that sit on either
side of the firewall helps you determine which ports to
open or close. After all, not all access is determined
by user ID. Understanding the way services and applications
communicate machine-to-machine can help us control access.
Most communication relies on connection to a standard
port number (see “Consider These Weaknesses”). Block the
wrong port and authorized work can’t continue; leave the
wrong ones open and your firewall’s got holes large enough
for dragons to fly through.
Take the time to ask:
- What are you trying to protect against? Denial of
service? Information theft? Intrusion?
- Who’s likely to be attacking your systems? Vandals?
Joyriders? Braggarts? Information spies? Inexperienced
users doing stuff they shouldn’t?” (Stupidity is hardly
an attack, but the results are the same.)
2. Read the Docs—Know All about Your
Firewall
You know the old adage… if all else fails, read the documentation.
But you can’t wait for all else to fail here. Fail to
fasten your seat belt and hit a brick wall head on—it’s
a little to late to read the instructions. Fail to configure
your firewall correctly, and you may be open to an attack
that can precipitate corporate meltdown. So grab those
docs and a good cup of latte and head for a quiet place.
All firewalls are not created equal. They don’t even work
the same way. Knowing what your firewall is supposed to
do, and how to make it do so, can give you the edge you
need to set it up right the first time. Firewalls are
complex and chances are you don’t set them up every day.
Would you try to pilot a jet with your knowledge of driving
an automobile?
I wish I had a quarter for every time someone has said
to me he found the answer to the problem he spent hours
trying to figure out in the documentation. The first firewall
I installed had a printout of a sample configuration for
very close to my exact needs. Although the documentation
was a little unclear, the screenshots showed me how to
enter appropriate information and made it easier to add
additional features. If the documentation is unintelligible,
get some help. Often the manufacturer has updated docs,
FAQs, newer versions of utilities, forums, and direct
support links on its site.
By the way, this isn’t the time to question anyone’s
judgment in choosing this particular firewall. While this
intense study of its features (or lack of them), ease
of use, and the ability of its publisher to produce usable
documentation may make you aware of its shortcomings and
make you wish you or the powers that be had chosen another
firewall, chances are you’re not going to get anywhere
by grumbling. Put the system together, do the best with
what you have, and document the need for other things
to occur to make your system safe.
A good practice is to make a list of the things the firewall
can do, such as blocking services, blocking systems, controlling
who can transfer files across the firewall, and recording
information about accesses and attempted access. This
helps you with the next step.
3. Match Features of the Product to Your
Company Security Policy
Your company security policy will tell you which features
of the firewall you’ll need to implement—and let you know
the things that the firewall can’t do. See No. 6. Don’t
know what your corporate security policy is? Find out.
Implementing a flame-proof firewall isn’t so hot if what
the company really wants to do is to toast marshmallows.
Typical implementations require you to:
- Set up filters to block services.
Does your company allow Internet Relay Chat (IRC)? Probably
not. IRC servers can be used to access IRC client machine
files, processes, and programs. Don’t let IRC users
apply these features against the unsuspecting. Do you
want ping, telnet, FTP , traceroute, or http services
to enter your network? How about providing internal
users use of these services across the Internet? Fortunately,
firewalls are usually set up on the “least privilege”
security principle and the “that which isn’t expressly
permitted is prohibited” proverb—all ports are blocked.
You don’t have to close down those with possible malicious
use; you have to open those that you want to allow.
Your security policy will tell you which ones to choose.
- Insist that your company establish
a security policy. Somebody got a great big dose
of security awareness somewhere, or the money wouldn’t
have been spent. Tell the powers-that-be that a policy
is required for proper setup. If no one will write one,
do it yourself. Having a written policy—title it, “This
is how I’m going to configure the firewall”—starts the
conversation. And, oh, get it approved. Can’t get it
approved? Well, they did tell you to set up the firewall,
didn’t they? You were going to have to make the choices
anyway. Now you’re documenting what you did and allowing
management to pass on it.
- Monitor log activity. Once
you know which logs are activated or able to be activated
and what’s being logged, you can decide how much of
this information is necessary to fulfill policy requirements.
However, don’t forget another good use of logs: maintenance.
You may want to start out logging more information than
you think you need and reducing it if you don’t feel
it adds anything to the picture. Once again, this may
be part of your security policy.
4. Get the Advice of Peers; Take a Class;
Hire an Expert
If you haven’t already joined security lists, now’s the
time to do it. A good one is ntbugtraq (www.ntbugtraq.com).
These lists provide you with an endless stream of inane
chatter about risks and perceived risks of OSs and other
products, including firewalls. You’re going to have to
filter the information, but it does provide a ready source,
and a place for you to ask specific information about
your firewall and its perceived features, benefits, and
holes.
Visit your vendor’s Web site for the latest information
and for responses to security-list tirades and public
media reviews. In our “new world,” vendors take a proactive
approach and alert users to possible holes and fixes for
their products. Visit other Web sites as well and see
what holes, fixes, and features they offer. Remember,
don’t bemoan your boss’ lack of sophistication for picking
this product; instead find out how best to implement and
use it to protect your network. A frying pan can knock
out an intruder as efficiently as a can of mace; you just
have to get a little closer.
Talk to your co-workers, talk to your friends. Attend
a seminar, meeting, conference, or class. Talk to your
fellow attendees; you may find that one of them has experience
with this product too. Get the advice of peers, but be
sure to follow the advice of experts.
At this point you’re in a great position to judge whether
or not a class will help you. If a vendor or third-party
instruction is available on your product, check it out.
Since you’ve done your homework, you stand a better chance
of finding one that fits. Ask for a curriculum outline
and match it against your requirements. Don’t be afraid
of extra topics. You’re the learner here, right? You’ll
also be better prepared for class. You know the features
you need to implement—if they aren’t covered, ask why.
Many instructors can give additional help that’s not part
of the official curriculum, but some may not. The time
to ask is before you plunk down your money.
Should you hire an expert to install the system for you?
It depends. You now should be in a better position to
judge if this is necessary and/or advisable. After all,
you need to manage the firewall when it’s up. Don’t isolate
yourself from the initial installation and configuration
process. If you feel you want to hire an expert, or if
you’ve been told to do so, now you’ll be able to judge
better the type of expert to get. Make sure that transfer
of knowledge is required. You don’t want to have to call
the expert back for every change you make. You also want
to be able to monitor the system. Although it should be
obvious by now that security policies may vary with the
company and an external expert should ask you for this
type of advice, some may not. Find out your so-called
experts’ willingness to follow your rules before they’re
hired.
| Packet-Filtering
Firewall vs. Screening Router |
A packet-filtering system
selectively routes packets between hosts
in a way that implements a network’s security
policy. A packet encapsulates data sent
across a network. Each packet contains
a set of headers with information necessary
for its passage. Header information includes:
- IP source address
- IP destination address
- Protocol (TCP, UDP, ICMP)
- TCP or UDP source
- Destination port
- ICMP message type
Routers also know the interface the
packet arrived on and which interface
the packet will go out on. A regular
router looks at the destination address
of each packet and picks the best way
to get that packet to its destination.
Either the router knows how to send
the packet and thus sends it on or it
doesn’t and returns it with a “destination
unreachable” message.
A screening router examines the packet
more thoroughly. It asks the question,
“Should I send this packet on its way?”
Since Internet services (http, telnet,
ping, and so on) reside at standard
port numbers, the router can be configured
to block or allow Internet connections
by specifying the port number. A screening
router may be configured, for example,
to block all connections from the Internet
except SMTP. (You do want to receive
email, don’t you?) Or you could configure
it to block all connections from certain
systems, or allow email and FTP, but
block TFTP, RPC, IRC, and the like.
A screening router can’t be configured
to let some operations of a service
pass but block others. It’s an all-or-nothing
approach.
|
|
|
5. Isolate, Install, Test
Ready to go for it? Don’t immediately set the firewall
in its chosen place on the network. Even an attack dog
needs to be tested for his response to your commands.
Place the system in a test lab. Don’t have one? Make a
temporary lab with minimum configuration, say, one client,
the firewall, and the Internet access line. Keep the rest
of the network out of the picture for now. Armed with
your policy, notes, and extensive knowledge, install and
configure the system.
Now test it. If it’s supposed to block external users
from telnet access to internal hosts, come at it from
outside and use the telnet command. If you can get to
the internal host, you probably configured the system
wrong. Find out why and correct it.
Do all users have unlimited access to the Internet? Create
some typical user accounts, one with each type of access
you’ve designed. Then log on as those users and test.
Not sure what services applications cutting across barriers
need to use? Run them and test as well. You’ve got the
idea now. You must intimately document each feature once
again and develop test scenarios, then apply them. As
you tweak your firewall configuration, retest using each
test scenario once again. Check the firewall logs for
information gathered and lessons learned.
When your system passes your rigorous testing, it’s time
to move it to the real world. You may want to allow access
a little at a time to make sure all applications, users,
and services have access, but only the access they should
have.
6. Monitor the Firewall and Network Access
Once you’re up and running, the rule is to monitor constantly.
Don’t just monitor the firewall, monitor network access
as well. Remember, a firewall is really just a perimeter
defense. It can’t protect against all types of attack,
and it’s not the only soldier in your arsenal. A firewall
can’t protect your network from access that doesn’t go
through its system. Many current attack exploits were
carried out with social engineering and the use of viruses
or Trojans—things that firewalls usually can’t examine
packets to detect.
| Firewall
Architectures |
- Dual-homed host.
A computer with at least two network
interfaces. To use this architecture
in a firewall implementation, routing
between these interfaces is disabled.
Therefore, packets from the Internet
interface can’t be routed directly
to the internal, private network.
Systems on either network can communicate
with the dual-homed host, but not
with each other. When accessing either
the external from the internal or
vice-versa is necessary, proxy services
are used.
- Screened host
or bastion host. This host
sits on the internal network. Packet
filtering at the screening router
is set up to allow external hosts
(Internet) to access the bastion host
and no other systems on the internal
network. The typical use of this system
might be an email server. The bastion
host is also allowed to make certain
types of connections to the external
world. Internal systems can connect
directly to the bastion host.
- Screened subnet
or perimeter network. This
architecture implements a perimeter
network to isolate the internal network
from the Internet. The bastion host
can easily come under attack since
it’s accessible from the Internet.
Conquering the bastion host can mean
wide-open access to your internal
network. Thus, a screened subnet can
provide further protection. A minimum
of two screening routers are used
to implement this solution—one router
between the internal network and the
perimeter network, the other between
the perimeter network and the Internet.
|
|
|
7. Lather, Rinse, Repeat!
You’ve heard the joke about the programmer who was found
dead in the shower? He had a bottle of shampoo with him
and it said, “Lather, rinse, repeat.” As you should know
by now, network defense never ends.
Consider These Weaknesses
| Internet
Service |
Description |
Port |
Exploit |
| SMTP |
Electronic mail |
25 |
Mail spoofing, penetrating
your network with mail exploits |
| FTP |
File transfer |
20/21 |
Access to internal information,
no strong authentication |
| NNTP |
Usenet news |
119 |
Denial of service |
| telnet |
Remote terminal access |
23 |
No authentication |
| http |
World Wide Web access |
80 |
Access to improperly protected
files |
| DNS |
Host name address lookup |
53 |
Information about your internal
network |
| Gopher |
Text-based, menu-oriented
tools help users find information |
70 |
Information |
| WAIS |
Wide area information service,
allows multiple queries such as for documents
that contain a phrase; www.ai.mit.edu/the-net/wais.html
is a site that provides a WAIS gateway |
210 |
Information |
| Archie |
Indexes of anonymous FTP
servers for file and directory names,
service via telnet and email, and Archie
clients pp or Web browsers at http-Archie
gateways; www.archie.emnet.co.uk/ |
1525 |
Allowing access to Archie
might allow access directly to NFS and
mis/yp servers |
| Finger |
Looks up info about a user
who has an account on the machine being
queried: real name, login phone number,
office location, when and where most recently
logged in |
79 |
Information |
| POP, POP2, POP3 |
Internet mail |
109,110 |
Password in clear issues |
| whois |
Information about hosts,
networks, domains, and administrators |
43 |
Information |
| talk |
Two people to hold conversation |
517 |
No authentication, so easy
way to do social engineering |
| IRC |
IRC Internet relay chat;
IRC user uses IRC client or telnet; IRC
services many people at the same time |
6667 |
Many servers means access
to client files, processes, programs |
| MBONE |
Multicast backbone; expanding
real-time conference services for audio,
video, and electronic whiteboard; uses:
Internet Engineering Task Force meetings,
space shuttle flight operations |
Protocol number a, filter
by this |
Can the tunnel be used as
a backdoor? |
| Name services |
Used over TCP/IP to establish
identity, locate a systems, and notify
network that NetBIOS system has shut down |
137,138 |
Find easily accessed hosts
on system, learn what services are used
on hosts |
| ICMP |
Internet control message |
Filter by message code |
Information source, denial
of service attack |
| Ping |
Check if can reach host;
uses ICMP |
|
Verify there is such a host |
| Traceroute or tracert |
Sees route packet takes
on way to destination; uses ICMP; find
location, names of routers, SNMP; manages
routers, bridges, concentrators, hubs,
hosts |
|
Find location, names of
routers. |
| SNMP |
Manages routers, bridges,
concentrators, hubs, hosts |
161,162 |
Control these devices |
| Network Time Protocol |
NTP—important in synchronizing
time, preventing playback attack; Kerberos
depends on time synchronization |
37 |
Lack of use of or spoofing
the NTP could result in denial of service
attacks |
| NFS |
Network file system |
2049 |
Clients can read and change
files stored on server without having
to log in to the server or enter a password;
also does log transactions |
| lpr and lp |
Print to printer |
|
No reason to do this across
the Internet; allows removal of information
by printing it remotely from your servers |
|
|
Once you install the firewall, you can’t
rest. In fact, it’s not a bad idea to pull out this list
periodically and make sure you’re still following these
steps to a flame-proof firewall.