With the Internet becoming more and more popular, the
need to control
interaction between the Internet and the private network
has become
a critical issue for system and network administrators.
Policies currently
in place range from the very restrictive -- no Internet
access
at all -- to a form of laissez-faire -- total access
for all
users. Each of these extremes carries a danger within
it. The first
denies users access to information for which they may
have a legitimate
need; the second opens a Pandora's box of administrative
nightmares.
This article looks at how the two approaches can be
bridged
to meet legitimate user needs while minimizing security
and other
risks.
In building architecture, a firewall is a fireproof
wall used to prevent
a fire from spreading from one part of the structure
to another. The
concept applies in a similar fashion to computer technology,
except
that the "fire" usually originates outside
the system itself.
For computer purposes, a firewall consists of a machine
or machines
separated from both the external network (such as the
Internet) and
the internal network by a collection of filters. It
is the filters
that provide the protection. Filters can be used for
a wide variety
of tasks, including packet filtering, service relays,
and more. And
as with firewalls used in architecture, there are different
types,
each with different levels of protection.
Even though free firewall software exists and can be
downloaded from
the Internet, a firewall is not free. In fact, the costs
can be significant.
These are some of the major costs:
data compromised by a security breach
The cost considerations vary greatly, from the value
of the information
that could be compromised or lost to the level of expertise
available
for handling the implementation and maintenance of the
firewall. Each
organization must assess these questions for itself
before embarking
upon the firewall journey.
What Do You Need to Protect?
Information is the lifeblood of the computer age, and
organizations
of all types and sizes use computers for their information
storage.
The security perimeter to be enforced is the "fence"
that
surrounds the organization's computing environment.
However, the fence
must allow guarded gate access to users with a legitimate
need for
the services offered by the organization. The perimeter
becomes difficult
to define and manage when the organization's network
connects to other
networks over which the administrator has no control.
Telecommuting and home office computing further compound
the difficulty
of defining a security perimeter. Because the user may
be operating
from a hotel or from his/her home, it becomes necessary
to extend
the perimeter to that remote location. If you neglect
to do this,
the opportunity for the perimeter to be breached through
this extension
of the network is significantly increased.
In the remote computing situation the security perimeter
can consist
of several extensions. For example, the modems used
to establish the
link may be encrypting modems, which encrypt packet
information prior
to transmitting it on the line (though, this technology
is expensive).
The actual data on the hard disk of the remote computer
could also
be encrypted. In this case if the computer were stolen,
the data would
be meaningless, unless the user had left the decryption
key with the
computer!
The Building Materials: Firewall Architecture
Once you've defined your security perimeter, the next
issue is whether
and how a firewall can be built to protect it. Different
types of
firewalls are appropriate to different circumstances:
the type of
firewall to be used should be matched to the problem,
or to the security
policies that the organization wishes to enforce. In
this section,
I examine the major types of firewalls, explaining what
they are and
how they perform, and describing any pitfalls that are
known about
them. I won't make recommendations here, since what
works in one situation
may not work in another.
The Gate and Choke
The gate in a network functions like a gate in a fence.
It exists
to pass data between the Internet and the private network.
The choke
is the opposite: it typically blocks all packets from
the Internet
to the private network unless they are destined for
the gate, and
blocks all packets going from the private network to
the outside unless
they are destined for the gate. The choke is like a
fence around a
queue at an amusement park: there is only one entrance
to the ride,
and all attempts to go around the queue are blocked by
the fence.
The gate and the choke can exist on separate computers
or on one single
computer. There can be multiple gates -- one for each
protocol
that is being supported for example -- or there can
be one single
gate. Multiple gates provide a small measure of increased
security,
but this is countered by the extra complexity and administration
involved.
The gate and the choke are built into many different
firewalls. For
a truly effective firewall both must be present.
The Air Gap
The air gap is probably the best firewall that can be
devised, and
it is used by many security and law enforcement agencies.
In air gap
implementation, any computer connected to the Internet
cannot be connected
to any other computer or network in the organization.
While this may
sound paranoid, it means that break-ins and viruses
can only affect
the systems connected to the Internet. Since these machines
are not
connected to any other host in the organization, the
attacker cannot
proceed any further.
An air gap creates a problem with respect to getting
useful information
to the users in the organization. The problem can be
solved in one
of two methods: by hand or by disk. The first method,
by hand, involves
printing the relevant information and then typing it
back in on a
machine that is connected to the network. The advantage
here is that
the "seal" is very tight: no air or viruses
being carried
in the air can escape into the internal network. The
second method
involves saving the information to a disk, copying it
back onto a
networked system, and then distributing the information
from that
system.
While these methods provide very tight security, they
will also frustrate
and alienate the users in the organization unless there
is a very
specific need for such heavy security. Users want to
be able to correspond
with colleagues on the Internet, and the prospect of
having to re-input
all of their information in order to send it out is
not one they will
welcome.
The Screening Router
The screening router is a basic component of most firewalls.
It can
be either a commercial router, or a host-based router
that has some
form of packet-filtering capability. Many screening
routers are able
to block traffic between networks, between specific
hosts, or at the level of individual TCP or UDP service
ports. The screening router is situated between
the two networks,
as shown in Figure 1.
A filter is used to monitor packets and decide which
ones will be
allowed past the router. The filter is capable of allowing
or denying
both inbound and outbound packets. Thus, the system
administrator
can not only deny packets coming from a particular external
host,
but also prevent connections to specific external systems
from an
internal machine.
The filter is also able to allow or prevent connections
to a particular
IP service port. This means that you could block telnet
or
rlogin services while allowing FTP connections to an
anonymous
ftp server. Setting up packet filtering can be a frustrating
and even dangerous experience. Developing an effective
packet filtering
configuration requires intimate knowledge of the TCP
and UDP service
ports. If the tables are inadvertently misconfigured,
the packet filtering
implementation may actually make it easier for vandals
to gain access.
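The rule-table semantics described above, as an added worked example that is not part of the original article (it is not the Morningstar PPP filter of Figure 2, nor any real router's syntax): a toy first-match packet filter evaluated over constructed packets. It shows the active-FTP data-channel trap, where a rule admitting connections from source port 20 also admits an attacker's connection from port 20 to an internal X server, and it shows how rule order decides whether a later deny ever fires. Addresses, host names and the rule sets are assumptions.

```python
"""Toy first-match packet filter modelled on the screening-router rule
tables discussed above.  Added illustration: not the Morningstar PPP
filter syntax or any real router's configuration.  Addresses, hosts and
rule sets are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("192.0.2.0/24")       # assumed private network
FTP_SERVER = ip_network("192.0.2.10/32")    # assumed anonymous FTP host
ANY = ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)
HIGH_PORTS = (1024, 65535)
X11_PORTS = (6000, 6063)


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = Internet -> private, "out" = the reverse
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False       # TCP ACK set: not the opening packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str
    proto: str
    src: IPv4Network
    sport: Tuple[int, int]
    dst: IPv4Network
    dport: Tuple[int, int]
    ack: Optional[bool] = None   # None = do not care about the ACK bit

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto == p.proto
                and ip_address(p.src) in self.src
                and self.sport[0] <= p.sport <= self.sport[1]
                and ip_address(p.dst) in self.dst
                and self.dport[0] <= p.dport <= self.dport[1]
                and (self.ack is None or self.ack == p.ack))


def matching_rule(rules: List[Rule], p: Packet) -> Optional[int]:
    """Index of the first rule that matches, or None."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return i
    return None


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First match wins; unmatched packets fall to the default (deny)."""
    i = matching_rule(rules, p)
    return default if i is None else rules[i].action


# Replies to connections that inside hosts opened carry ACK, so let them in.
RETURN_TRAFFIC = Rule("allow", "in", "tcp", ANY, ANY_PORT, INTERNAL, ANY_PORT, ack=True)
# Active-mode FTP: the remote server connects back from port 20 to a high
# port on the client.  Admitting that blindly is the trap the text warns
# about, because an attacker can originate connections from port 20 too.
FTP_DATA_BACK = Rule("allow", "in", "tcp", ANY, (20, 20), INTERNAL, HIGH_PORTS)
ANON_FTP = Rule("allow", "in", "tcp", ANY, ANY_PORT, FTP_SERVER, (21, 21))
NO_X11 = Rule("deny", "in", "tcp", ANY, ANY_PORT, INTERNAL, X11_PORTS)
NO_TELNET = Rule("deny", "in", "tcp", ANY, ANY_PORT, INTERNAL, (23, 23))
NO_RLOGIN = Rule("deny", "in", "tcp", ANY, ANY_PORT, INTERNAL, (513, 513))

# Misordered table: the X11 deny sits after the port-20 allow, so a
# connection from port 20 to an X server is admitted and the deny never fires.
MISORDERED = [RETURN_TRAFFIC, FTP_DATA_BACK, ANON_FTP, NO_X11, NO_TELNET, NO_RLOGIN]
# Corrected table: explicit denies first, then the narrow allows.
CORRECTED = [RETURN_TRAFFIC, NO_X11, NO_TELNET, NO_RLOGIN, ANON_FTP, FTP_DATA_BACK]

SAMPLE = {   # constructed traffic; 198.51.100.7 plays the outside host
    "anon_ftp":    Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 21),
    "telnet_in":   Packet("in", "tcp", "198.51.100.7", 40001, "192.0.2.20", 23),
    "x11_from_20": Packet("in", "tcp", "198.51.100.7", 20,    "192.0.2.20", 6000),
    "ftp_data":    Packet("in", "tcp", "198.51.100.7", 20,    "192.0.2.20", 40002),
    "http_reply":  Packet("in", "tcp", "198.51.100.7", 80,    "192.0.2.20", 40003, ack=True),
}


def audit(rules: List[Rule]) -> dict:
    """Decision for every sample packet under the given table."""
    return {name: decide(rules, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, table in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, audit(table))
```

Under the misordered table the packet from port 20 to port 6000 is allowed by rule 1 and the X11 deny at index 3 is dead; the corrected table denies it. Whichever filter you actually use, the same discipline applies: write the denies you care about first, keep the allows as narrow as the service permits, and test the table against the packets you expect an attacker to send, not only the ones you expect users to send.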
Morningstar Technologies has built packet filtering
capabilities into
its PPP implementation (see Figure 2). These capabilities
allow the
system administrator to permit or deny certain types
of traffic. A
glance at this file makes it clear that, to prevent
or restrict traffic
flow, you must be able to anticipate what will be coming
in over your
router. Whatever the mechanism, many firewalls consist
of nothing
more than a screening router between the internal network
and the
Internet. The pitfall is that this makes the network
highly vulnerable
to attack. Since there is direct communication from
the Internet to
the internal network, the exposure in the event of an
attack is equal
to the number of hosts in the network. Further, unless
each host is
being regularly examined for attack, the likelihood
of an attack's
being discovered is low.
To make matters worse, most commercial routers have
no logging capabilities,
which makes detection of problems with the firewall
virtually impossible.
Screening routers are by no means the most secure solution,
but they
are one of the most popular because they provide virtually
unrestricted
access to the Internet for internal users. If there
are trade secrets
or sensitive information on hosts within the private
network, a screening
router will not provide the level of security needed.
The Bastion Host
A bastion is a defensive stronghold. An electronic
bastion is a strong
point in a network's security. Typically, a bastion
host has a high
degree of security, such as C2; undergoes regular system
and security
audits; and may in fact have modified software. As shown
in Figure 3,
the bastion host is often situated in a position
similar to the
screening router.
The bastion host has an interface configured on each network,
and traffic for each network passes through it. Because
of its exposure,
the bastion host is often the subject of attacks from
vandals. Despite
this, the bastion host is frequently used in other firewall
configurations
to deliver the protection desired.
The Dual-Homed Gateway
The dual-homed gateway is a firewall that is implemented
without a
screening router; it is probably the most common method
of providing
a firewall. As Figure 4 shows, a dual-homed gateway
essentially consists
of a bastion host system that allows no IP forwarding
between two
networks.
Under a dual-homed gateway, the only way to access the
internal network
is to negotiate the connection with the bastion host
and then initiate
a connection with the internal host. Another way of
looking at this
is that hosts on the internal network can communicate
with the gateway,
as can hosts on the Internet, but direct traffic between
the two networks
is blocked. From the Internet, the dual-homed gateway
looks like all
of the machines in the private network, and from the
private network,
it looks like all of the machines in the Internet. The
dual-homed
gateway effectively acts as a service gateway, providing
support for
electronic mail and other services: it is, by definition,
a bastion
host.
This is a popular firewall configuration, as it is fairly
easy to
set up and it provides a complete block between the
Internet and the
private network. The degree of user friendliness depends
on how the
system administrators set up access between the networks.
Services
such as SMTP must have the mail delivered to the gateway,
which then
forwards the message on to the destination machine.
Other services,
such as telnet and rlogin, must either be given
accounts on the gateway to which users log in,
or be provided with
application-level relays that redirect the connection to
the appropriate
host.
As an example, consider the sample login profile shown
in Figure 5.
The code in this figure is executed when a user logs
in to the gateway
using the user name telnet. The idea here is to allow
rlogin
access to a system in the private network without having
to provide
an account on the gateway. This is extremely important
as there should
be no user accounts on the machine that is functioning
as your firewall.
When users log in, they must provide a user name and
the name of the
machine they want to connect to. Before the rlogin command
is executed, the session is logged for later reference.
Figure 6 illustrates
what the caller sees when using this facility.
The sample output in Figure 6 illustrates how a telnet
or,
more appropriately, an rlogin service could be configured
on a dual-homed gateway. The major advantage to such
a scheme is that
there are no user login accounts on the gateway. Another
advantage
is that damage control in the event of an attack is
much easier, because
if a user other than those permitted on the gateway
is logged in,
the login becomes a noteworthy security event.
In fact, the script shown in Figure 5 can be considered
to be a proxy,
as it accepts the connection and relays it on to the recipient
machine.
Most firewall software offers proxy agents that allow
traffic to be
passed through the firewall in either direction, so
long as the user
who initiates the traffic is able to provide some level
of authentication
of his/her identity.
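Since Figure 5 is not reproduced here, the following is an added example in the same spirit, and not the article's own script: a captive login profile, written in Python rather than as a shell profile, that prompts for a user name and an internal host, writes an audit record for every attempt (rejected ones included), and then execs rlogin so that no shell ever runs on the gateway under this account. The host allowlist, the log path and the REMOTEHOST lookup are assumptions.

```python
"""Added example of the captive login profile the text describes for a
dual-homed gateway.  Installed as the login shell of a 'telnet' pseudo
account, it prompts for a user name and an internal host, records the
request, and then replaces itself with rlogin.  Not the original
Figure 5: the allowlist, log path and peer lookup are assumptions."""
import os
import re
import sys
import time
from typing import List, Optional

ALLOWED_HOSTS = {"alpha", "beta"}                # assumed internal hosts reachable via relay
USER_RE = re.compile(r"^[a-z][a-z0-9_-]{0,15}$")  # leading letter: no '-flag' injection
LOG_PATH = "/var/log/relay.log"                  # assumed log location on the gateway


def validate(user: str, host: str) -> Optional[str]:
    """Return a rejection reason, or None if the request may proceed.
    Everything accepted here ends up on rlogin's command line on the
    gateway itself, so the checks are deliberately strict."""
    if not USER_RE.match(user):
        return "bad user name"
    if host not in ALLOWED_HOSTS:
        return "unknown host"
    return None


def log_line(user: str, host: str, peer: str, reason: Optional[str] = None,
             when: Optional[float] = None) -> str:
    """One audit record per attempt; rejected attempts are recorded too."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(when))
    verdict = "ok" if reason is None else "REJECTED " + reason
    return f"{stamp} relay user={user} host={host} from={peer} {verdict}"


def rlogin_argv(user: str, host: str) -> List[str]:
    """Argument vector handed to rlogin; no shell is involved anywhere."""
    return ["rlogin", "-l", user, host]


def main() -> None:
    # Assumption: the telnet daemon exports the caller's address as
    # REMOTEHOST; fall back to a placeholder rather than fail to log.
    peer = os.environ.get("REMOTEHOST", "unknown")
    try:
        user = input("User name: ").strip()
        host = input("Internal host: ").strip()
    except EOFError:
        sys.exit(1)
    reason = validate(user, host)
    with open(LOG_PATH, "a") as log:
        log.write(log_line(user, host, peer, reason) + "\n")
    if reason is not None:
        print("Access denied.")
        sys.exit(1)
    # Replace this process with rlogin; there is no shell to fall back into.
    os.execvp("rlogin", rlogin_argv(user, host))


if __name__ == "__main__":
    main()
```

The point of the strict user-name pattern and the host allowlist is that both strings are handed to a program running on the firewall itself; a name beginning with "-" or a host of the caller's choosing would otherwise turn the relay into a way of driving rlogin, and the gateway, from outside.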
Another benefit is that, because most dual-homed gateways
run on a general-purpose computer rather than a router,
the operating system can be adapted
to provide system and event logs. Such logs make it
easier to detect
and track vandals and security breaches after a break-in,
though they
may not help the administrator determine which other
hosts were breached
from the gateway.
A dual-homed gateway is not vandal-proof. An attacker
who successfully
obtains access to the dual-homed gateway has what amounts
to local
network access on your private network, and at this
point all of the
standard security holes become available. Misconfigurations
or improper
permissions on NFS-mounted filesystems, .rhosts files,
automatic
software distribution systems such as rdist, network
backup
programs and other administrative shell scripts become
tools to help
the attacker move from the gateway onto hosts in your private
network. Once that
foothold is
established, it will only be a matter of time before
all of the systems
in your network are compromised.
With a dual-homed gateway, if the firewall itself is compromised,
the attacker
may be able to alter the routing and expose the entire
network. Since
most UNIX-based dual-homed gateways disable TCP/IP forwarding
by modifying
the kernel parameter IPFORWARDING, an attacker who holds
the gateway may
simply turn forwarding back on. If root
privileges on
the gateway can be obtained, this is almost certainly
the first
choice of attack. Once a new kernel is linked with forwarding
enabled, the intruder can
force a reboot during the night and from then on reach your
network without
having to go through the gateway at all. On modern systems the
same switch is a run-time setting (the ip_forward or ipforwarding
sysctl), so no relink or reboot is needed, and a routine
check on the gateway should verify that it is still off.
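The two things an administrator of a dual-homed gateway should therefore check routinely are that forwarding is still off and that nobody except the permitted relay account has logged in. The following added example, which is not from the article, implements both checks as detection logic over sample data: the login-record format and the sample records are constructed, the proc path is Linux-specific, and the account names are assumptions.

```python
"""Added example: a periodic integrity check for a dual-homed gateway,
covering the two conditions the text singles out: IP forwarding must
stay off, and nobody but the permitted relay account should be logging
in.  The log format, account names and proc path are assumptions; the
sample records are constructed."""
import re
from typing import Dict, List, Set

# Linux exposes the forwarding switch here ("0" or "1"); BSD-derived
# systems have the sysctl net.inet.ip.forwarding instead.  Both are the
# run-time form of the IPFORWARDING kernel option the article mentions.
IP_FORWARD_PATH = "/proc/sys/net/ipv4/ip_forward"

PERMITTED_ACCOUNTS = {"telnet"}       # assumed: the captive relay account only

# Constructed login records in an assumed format, one per successful login.
SAMPLE_LOGINS = """\
2024-03-02T02:14:07Z login user=telnet tty=ttyp0 from=198.51.100.7
2024-03-02T02:20:41Z login user=telnet tty=ttyp1 from=203.0.113.9
2024-03-02T03:02:13Z login user=root tty=ttyp2 from=203.0.113.9
2024-03-02T03:05:55Z login user=operator tty=ttyp3 from=192.0.2.20
"""

LOGIN_RE = re.compile(r"^(?P<when>\S+) login user=(?P<user>\S+) tty=\S+ from=(?P<from>\S+)$")


def forwarding_enabled(text: str) -> bool:
    """Interpret the contents of the ip_forward file."""
    return text.strip() != "0"


def read_forwarding(path: str = IP_FORWARD_PATH) -> bool:
    """Read the live setting; raises OSError where the file does not exist."""
    with open(path) as f:
        return forwarding_enabled(f.read())


def unexpected_logins(records: str, permitted: Set[str]) -> List[Dict[str, str]]:
    """Every login by an account outside the permitted set is an event
    worth raising, regardless of where it came from: the gateway is
    supposed to have no ordinary user accounts at all."""
    events = []
    for line in records.splitlines():
        m = LOGIN_RE.match(line)
        if m is None:
            continue               # ignore lines that are not login records
        if m.group("user") not in permitted:
            events.append(m.groupdict())
    return events


def report(records: str, forwarding: bool,
           permitted: Set[str] = PERMITTED_ACCOUNTS) -> List[str]:
    """Human-readable findings; an empty list means the gateway looks intact."""
    findings = []
    if forwarding:
        findings.append("IP forwarding is ENABLED: the gateway is now a router")
    for e in unexpected_logins(records, permitted):
        findings.append(f"unexpected login by {e['user']} from {e['from']} at {e['when']}")
    return findings


if __name__ == "__main__":
    try:
        fwd = read_forwarding()
    except OSError:
        fwd = False                # not Linux: check the sysctl by hand
    for line in report(SAMPLE_LOGINS, fwd) or ["no findings"]:
        print(line)
```

Run from cron, with the output mailed to an administrator, this turns the "noteworthy security event" the text mentions into something that is actually noticed. The operator login from an inside address is flagged as well as the root login from outside, because the gateway is meant to have no such accounts whatever the origin.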
The Screened Host Gateway
The screened host gateway is similar to the dual-homed
gateway, but
is considered very secure while remaining relatively
easy to implement.
While the dual-homed gateway consists of a single machine,
the screened
host gateway, as shown in Figure 7, is more complicated to
establish, and
requires additional equipment: a screening router as well as
the bastion host. In a screened host gateway,
the bastion
host is part of the private network. The screening router
is configured
so that incoming packets are blocked unless they are
destined for
the bastion host. The only connections that are permitted
to the private
network are those to the bastion host. With the bastion
host being
part of the private network, the connectivity needs
of local users
can be met with little inconvenience to them. In addition,
because
this implementation is not subject to the esoteric problems
created
by weird routing configurations, the administrator's
job is easier.
The screened host gateway is particularly useful in
a virtual extended
local network -- that is, a network that has no subnets
or internal
routing. As long as the private network uses a set of
legitimately
assigned network addresses, the screened host gateway
will work without
any changes at all to the private network.
The major trouble spot in the screened host gateway
configuration
is the bastion host, as this is the only machine that
is accessible
from the Internet. The security of the bastion host
is determined
by the security offered by the operating system software.
If the attacker
is fortunate enough to gain access to the bastion host,
a wide range
of options become available, because the rest of the
private network
is exposed to the bastion host. Many of the same problems
and pitfalls
that exist for the dual-homed gateway also apply to
the screened host
gateway approach, because they share similar failure
points and design
considerations.
The Screened Subnet
A screened subnet is a network that is situated between
the private
network and the Internet. Typically, screening routers
isolate this
network and prevent direct traffic to the private network.
Often,
the routers implement differing levels of filtering.
The screened subnet
is configured in such a way that the Internet and the
private network
both can access the screened subnet, but there is no
direct communication
between the Internet and the private network -- thus
the name,
screened subnet. As shown in Figure 8, some versions
of screened subnets
include a bastion host configured to support either
interactive terminal
sessions or application level gateways.
As Figure 8 also shows, a screened subnet defines a
zone of exposure
that is fairly small to the attacker. As the attacker
essentially
sees only the bastion host and a screening router on
the subnet, there
are few options for attack. In most cases, the only
point of access
in this configuration is the bastion host. Everything
else is blocked,
either by the screening router, or through the use of
additional routing
to enforce the screening. Under this approach, all of
the services
that are to be shared between the Internet and the private
network
must be processed through the bastion host.
This strategy involves the use of application-level
gateways or the
use of servers on the screened subnet. For example,
if the organization
wishes to support other services for customers or the
general Internet
population -- such as anonymous FTP, gopher, or
World Wide Web -- then a machine or machines can be
added to the
screened subnet for this purpose. An example is shown
in Figure 9.
To get from the Internet to the private network by way of
the screened subnet, an attacker would have to reconfigure the routing
on three networks:
the Internet, the screened subnet, and the private network.
All this
would have to be done without setting off any alarms,
and without
disconnecting from or being locked out of the network.
If the screening
routers have been configured to accept no network connections
of their own, or
to accept them only from specific hosts, the attacker
would instead be forced
to break into the bastion host, pass through the inner
screening router from there,
and only then attack a machine on the private network.
There are other advantages to the screened subnet. If
an organization
didn't apply for a registered IP address but chose its
own, either
for simplicity's sake or because of the need for a private
TCP/IP
network, the screened subnet becomes the easiest way
to access the
Internet. Because the internal private network is entirely
invisible
to the Internet, it is easy for the system administrator
to slowly
re-address the IP addresses of the internal machines.
The Application Level or Proxy Gateway
A lot of software in the networking community relies
upon a store-and-forward
approach: UUCP, electronic mail, USENET news. The application
collects
the information, examines it, and then forwards it to
the remote destination.
Application-level gateways are service-specific forwarders
or reflectors
which operate at a user level rather than a protocol
level. When these
services are running on a firewall, they become an essential
element
in the security of the entire private network.
The theory behind the application-level or proxy gateway
is to restrict
user interaction to a machine that does not itself provide
the service
the user is accessing. The proxy host provides additional
authentication
of the user, and keeps an audit trail to improve logging
and allow
the network administrator to see what the users of the
various services
are doing. The external user never sees the internal
network, and
therefore has no direct means of attacking it.
The advantage of this approach, in combination with
any of the others,
is that for each type of service you want to allow,
you must add a
gateway. For example, if you wanted to allow telnet
services,
then you would need to install a telnet proxy gateway,
and
similarly for FTP, and so on. In this situation, if
the proxy service
does not exist, then the application will not be permitted
and access
to the appropriate service will be denied.
The disadvantage is that the development of these proxy
gateway services
is not trivial, and can be a serious stalling point.
However, many
of the software vendors who offer firewalls can provide
application-level
and proxy gateway services.
The Hybrid Gateway
The hybrid gateway falls into a category other than
those mentioned
earlier. An example would be a serial connection to
the Internet with
a terminal server on the private network side. The more
difficult
the access to the internal network, the less likely
that an attacker
will spend the time necessary to break in. The hybrid
gateway allows
for the introduction of some rather esoteric ideas,
such as tunneling
one protocol over another, or using custom-designed
software to monitor
and examine the connections that are in place. An example
is a site
where the firewall consists of a hybrid gateway combined
with a bastion
host.
Hybrid gateways come in different shapes and sizes,
and tend to be
somewhat specific to the organization, so it isn't possible
to describe
exactly what such a gateway would look like. The obvious
advantage
to a hybrid gateway is that, if the security approach
is nonstandard,
then it becomes harder for an attacker to figure it
out and more likely
that the attacker will be discovered.
The trade-off here is security through obscurity versus
the benefits
of a well-documented and thoroughly understood security
configuration.
The more esoteric the scheme, the more difficult it
becomes for the
administrator to remember how it works and how the pieces
fit together.
The danger increases when the administrator is replaced
by someone
who was not involved in the process of designing the
obscure gateway.
It may ultimately be better to take a security approach
that is easy
to understand, document, and control.
Since hybrids are by definition eclectic, it isn't possible
to generalize
about their vulnerability to attack or about the risk
involved in
running this type of firewall. One obvious requirement
is that the
organization have the internal resources to design,
build, and maintain
the system without having to rely upon outside resources.
It seems
likely that with the continued expansion of the Internet,
methods
for developing hybrid gateways will become better known
and will allow
more security options for the administrator.
Firewall Tools
There are vast collections of tools and numerous vendors
who offer
software and security products and services. Even though
firewalls
are relatively new, they are fast becoming a major part
of the network
security business. I recommend that you examine publicly
available
code very carefully before trusting it to protect your
network. This
caution is not meant to imply that the code itself may
be questionable,
but to ensure that what you think you are getting is
actually what
you want. The sidebar, "Publicly Available Tools,"
lists a
number of popular tools and explains how to get them.
Conclusions
If you are considering whether or not to use a firewall,
be sure to
answer these questions: