Chey Cobb web site
Chey Cobb
Note:

Even though I wrote this article in 1996, it's interesting to see that not a lot has changed. Most of the article is still accurate.

When this was first published, it became the most widely reprinted article on firewall basics. Even today, if you do a Google search on the title, you'll find dozens of sites that still have a link to that article.

Please feel free to distribute this article and to quote from portions of it. All I ask is that you remember to list me as the source!

Just the Facts About Firewalls

Chey Cobb, CISSP

The facts are so amazing it’s a wonder why more businesses haven’t gotten the picture yet. Businesses are connecting to the Internet at an astounding rate with little or no thought about how this might affect their security. Maybe part of the reason is because so many business people find the enormous array of security solutions overwhelming and, in trying to obtain corporate approval for the budget, find it difficult to justify an expense for something they don’t fully understand.

The Facts

  • A recent survey conducted by the Chicago-based information technology law firm of Gordon & Glickson revealed that less than half of the respondents performed routine security checks and only 44% had the ability to track access to sensitive data. Only one-third of the respondents used any form of encryption.
  • Of these surveyed companies, 98% provide access to the Internet and 97% provide remote access to their corporate networks. Sixty-one percent of these companies host their own Web sites.
  • In addition, there are few or no controls on employees’ access to on-line services or the Internet and few restrictions on downloads.

Not surprisingly, most of these companies report problems with Internet usage and many report legal claims arising from the use of information technology by an employee. Also consider the findings of the US General Accounting Office (GAO) in [AIMD-96-84]:
  • “Unknown and unauthorized individuals are increasingly attacking and gaining access to highly sensitive unclassified information on the DOD computer systems ... as many as 250,000 attacks last year ... successful 65% of the time.”
  • “Attackers have seized control of entire Defense systems ... stolen and modified and destroyed data and software ...[and] installed unwanted files and ‘back doors’ which circumvent normal system protection.... They have shut down and crashed entire systems and networks, denying service to users who depend on automated systems to help meet critical missions.”
  • “Numerous Defense functions have been adversely affected, including weapons and supercomputer research, logistics, finance, procurement, personnel management, health, and payroll.”

If the government sees these intrusions as a serious threat, why doesn’t corporate America?

The Internet Factor

Whether it is viruses, Trojan Horses, or penetration of internal networks, the most important factor affecting network security today is clearly the “Internet.” If your network is connected to the Internet, you have a whole new set of problems - some of which only serve to exacerbate preexisting conditions. But, even if your network is not connected to the Internet, you are most likely facing pressure to make that connection available.

Connecting to the Internet is a bit like seeing your favorite bar in the light of day. While it is dimly lit, it looks like a nice, cozy place. However, when scrutinized in full daylight, you can see the jury-rigged electrical system and the nasty looking stuff in the nooks and crannies. Likewise, put your network on the Internet and you’ll notice that the security measures you thought were sufficient are like candy to hackers: unprotected guest accounts and obvious passwords. It’s only a question of when and not if the hackers are going to find you. Any weaknesses you have will be exploited. The word will pass very quickly through the hackers’ grapevine that you’re an easy target. Recently a large regional ISP in the Midwest was running a “secure” operating system and implemented good physical security measures but the hackers found the weakness. The news of the vulnerability spread at the speed of electrons, resulting in rapidly escalating attacks and system abuse. The reported incidents represent more than kids getting their kicks with modems and speed dialers.

Systematic and automated probing of new Internet connections is being carried out by a shady cast of characters that include hackers-for-hire, information brokers, and foreign governments. One in five companies responding to a recent security survey by Information Week and Ernst & Young admitted that intruders had broken into, or had tried to break into, their corporate networks. Most experts agree that a majority of break-ins go undetected. For example, about eight months ago the Defense Information Systems Agency attacked 9,000 Department of Defense computer systems. Of those attacks, 88% were successful but only 5% of the attacks were detected by the targets. Of those organizations that recognized the attacks, only 5% actually reacted to the attack.

Suppose you win the argument and are allotted a decent budget for security. The problem now lies in finding the experts to help you. The fact is that the network talent you so badly require is also required by your competitors. The Web, in both Internet and Intranet incarnations, is soaking up this talent at an increasing rate. Those network-savvy employees who may have matured into information security personnel at your company are leaving in droves for the greener pastures of Web-related ventures. Information security professionals are in such high demand that they can be harder to find than you had anticipated.

The Need for Firewalls

So how do you deal with Internet connections, planned or present? For a start, all connections between your organization’s network and the Internet should be protected with a firewall. But, just what is a firewall? Is it a box or software or what? According to Rich Kosinski, president and founder of Internet Security Corporation, a firewall is a form of access control technology which “prevents unauthorized access to information resources by placing a barrier between an organization’s network and an unsecured network” such as the Internet. In addition, a firewall can be used to keep people out and keep proprietary information in. In other words, it functions as a gateway which can control traffic in both directions. That’s a good definition, but it still doesn’t tell you if a firewall is larger than a breadbox or smaller than a sandwich. The answer to that is: it’s either/or and depends on what type of firewall you install. In either case it is a collection of components or a system that sits between the Internet and your network and it possesses the following properties:

  1. all traffic from inside to outside, and vice-versa, must pass through it
  2. only authorized traffic, as defined by the local security policy, is allowed to pass through it
  3. the system itself is immune to penetration

This definition comes from the classic “Firewalls and Internet Security” by Bill Cheswick and Steve Bellovin (Addison-Wesley, 1994), two firewall engineers from AT&T. Two other engineers at AT&T, Edward Amoroso and Ronald Sharp, developed an internal firewall for the company, known as the Computer Watch Trusted Gateway (CWTG). They have also written a book, “Intranet and Internet Firewall Strategies” (Ziff Davis Press, 1996), which is an excellent non-technical introduction to the subject of firewalls and internetwork security. Firewalls come in three basic flavors:
  1. packet-filtering routers
  2. application level (proxy) servers
  3. stateful inspection

Packet-Filtering Routers

These are generally the smallest and the simplest form of firewall. In some cases the router, about the size of a small VCR, sits between your host and the Internet. Its sole purpose is to check the source address, destination address, and ports in individual IP “packets.” For example, if the router determines that the packet has originated from an IP address which is not on its list of acceptable or “trusted” sources, the connection is simply refused. The strengths of packet filtering routers are that they are generally very fast and usually transparent to the user (i.e., no additional screens or log-ins). The downside is large, however. It is very easy for hackers to set up an “IP spoof” - pretend to be someone they’re not. In addition to that weakness, routers are difficult to monitor and do not provide adequate logging and alerting mechanisms. That being said, it’s still better than nothing at all.

Application Level Server

Also known as “proxy” servers, these firewalls actually run the same Internet applications that a user may have on his desktop machine - like Telnet or FTP - but it’s a more restrictive version of the application in which rules are set as to the verification of the user(s) and the destination(s), etc. Once the user has been verified to use Telnet, for example, the proxy Telnet then completes the connection. These firewalls also filter packets to a certain extent and can perform detailed logging and auditing of traffic passing through them. Application level servers can be multiple servers acting as host and proxy, or a single machine with two network cards installed. Again, these machines are usually placed between the host and the Internet, but there are no hard and fast rules concerning the configuration. It really requires an expert hand. You can build these systems yourself or buy a system from a firewall vendor. NCSA runs a certification program for firewalls which tests the firewalls with a series of attacks. Details and lists of certified products can be found at their web site.

As with any complicated system, there are bound to be drawbacks and Application Level Servers are not exempt. There is limited connectivity since each program run needs its own proxy and some applications may not be supported by a proxy. Depending on the speed of your Internet connection, there may be a discernible difference in performance. Some proxies may be vulnerable to operating system or application bugs, too.

Stateful Inspection

While the other firewall models query packets coming through, a Stateful Inspection gives the packet the third degree. This is the “Grand Inquisitor” of firewalls and nothing comes in or goes out that isn’t thoroughly inspected. Not only are all packets inspected inside and out, the application, the user, and the transportation method are all queried and verified. That information is maintained so that all future transmissions are inspected and compared to past transmissions. If both the “state” of the transmission and the “context” in which it is used deviate from the norm, connection is refused. In addition, most of these firewalls will include a real-time security alert and logs are generated.

Stateful Inspection firewalls also support connectionless protocols such as RPC and UDP, something that routers and application firewalls do not. This is done by tracking the port numbers used by these routines and caching them for future comparison. While this is a very powerful firewall model, you may experience a performance “hit” due to the serious inspection going on, and proper use requires a good deal of configuration ability.
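The connection tracking the two paragraphs above describe, as an added example that is not from the article: a small stateful filter that records flows opened from the inside and admits Internet-to-LAN packets only as the reply half of a tracked flow. For UDP, which has no handshake, it caches the outbound datagram's port numbers as a pseudo-connection that expires after a timeout; for TCP it requires a SYN to open a flow and refuses an out-of-context SYN aimed at an existing one. The addresses and timeouts are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

class StatefulFirewall:
    """Keeps a table of flows the inside opened, keyed by 4-tuple, with an
    expiry time per entry. Inbound traffic must match a reversed entry."""

    def __init__(self, tcp_timeout: float = 3600.0, udp_timeout: float = 30.0):
        self.table: Dict[Flow, float] = {}   # flow -> expiry timestamp
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}

    def _expire(self, now: float) -> None:
        # Drop entries whose cached state is stale (the UDP case from the text).
        self.table = {f: t for f, t in self.table.items() if t > now}

    def outbound(self, p: Packet, now: float) -> str:
        """Inside -> Internet. A new TCP flow must begin with a bare SYN."""
        self._expire(now)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.proto == "tcp" and key not in self.table and not (p.syn and not p.ack):
            return "deny"   # mid-stream segment for a connection never seen
        self.table[key] = now + self.timeouts[p.proto]
        return "permit"

    def inbound(self, p: Packet, now: float) -> str:
        """Internet -> inside. Permitted only if it answers a tracked flow."""
        self._expire(now)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse not in self.table:
            return "deny"   # unsolicited: no state, no context
        if p.proto == "tcp" and p.syn and not p.ack:
            return "deny"   # a fresh SYN does not fit an established flow
        self.table[reverse] = now + self.timeouts[p.proto]   # refresh on activity
        return "permit"
```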

The Costs?

Costs vary widely in this area from almost free to well into five-figures. First, you have to set your priorities and determine what it is you really need. Just how paranoid are you and how paranoid do you want your system to be? At the relatively “free” end of the scale you can reconfigure a Cisco router - all you need is the knowledgeable staff and lots of Mountain Dew and chocolate candy bars. If you decide to build an application gateway from scratch and have both the equipment and the skilled crew about, it could take you several weeks to get the system running. A lot of trial and error should be built into the time frame for a “home-made” system. On the other hand, it may be well worth the sting of the cost to have a trusted firewall vendor install your system and provide support and training. Trying to get the budget approved is the big “if.”

Firewalls and Security Policies

Much of the firewall literature focuses on the workings and configurations of routers, host systems, interfaces, and sub-nets. But, bear in mind that any firewall is primarily an implementation of a company’s Information Security Policy. (If your organization doesn’t have one, it should.) Furthermore, all firewalls should be integrated into that policy. There is no point building or buying a firewall unless you already have a comprehensive Information Security Policy. That policy should cover everything from site access controls to modems; document tracking to magnetic media authorization. Your organization’s decision to connect to the Internet is an excellent point at which to provide valuable input on issues such as encryption, authentication, remote access, internal and external security auditing, and - very importantly - logging. Even the most basic of firewalls, the packet filter, can provide some information about traffic in and out of the company network. With good logs you can detect suspicious activity, both internal and external, and hopefully trace it to its source.

Some firewalls include audit tools for analysis of logs and alarm programs to report suspicious activity. Implementing a firewall provides an exciting opportunity to greatly increase your company’s information security, well beyond control of internetwork traffic. It could be your excuse to overhaul outdated practices or to rein in lax compliance. The design, installation and use of a firewall system is directly affected by network policy operating at two levels:

  1. The Network Service Access Policy defines those services that will be allowed or explicitly denied from the restricted network. This will also define how the services are to be used.
  2. The Firewall Design Policy defines how the firewall will actually go about restricting the access and filtering the services as defined in the network service access policy.

The Network Service Access Policy covers more than just internetwork services. It documents all outside network access such as dial-in and SLIP/PPP connections. When you restrict one means of network access people will tend to use others. For example, if restricting access to the Internet via a gateway prevents Web browsing, users may turn to dial-up PPP connections. According to one anonymous network manager at a major company, “They buy a $100 modem with petty cash, plug it into a PC on the network and, since our machines are already running TCP/IP, just turn on SLIP or PPP and dial out to a local service provider. What they don’t realize is that they have just made the company network part of the Net.”

Network Service Access Policy should be an extension of a strong Site Security Policy and an overall policy regarding the protection of information resources in the organization. This includes everything from document shredders to virus scanners and floppy disk tracking.

Firewall Design Policy, which implements the Network Service Access Policy, must be designed in relation to, and with full awareness of, issues such as firewall capabilities and limitations - as well as the threats and vulnerabilities associated with TCP/IP. Firewall policies generally implement one of two basic design policies:

  1. Permit any service unless it is expressly denied; or
  2. Deny any service unless it is expressly permitted.

Clearly, given the current level of dubious activity on the Internet and a growing tendency of insiders to abuse company computers, you are safer if you go for the latter.
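The packet-filtering router described earlier and the two design policies just listed, as one added example that is not from the article: a rule list matched on interface, protocol, source and destination address, and destination port, evaluated first-match-wins, with the default policy selecting between "permit unless expressly denied" and "deny unless expressly permitted". The first rule is an anti-spoofing check that drops any packet arriving from the Internet while claiming a LAN source address, the weakness the router section notes. The LAN range, the rules and the interface names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str    # "ext": arrived from the Internet; "int": arrived from the LAN
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: Optional[str] = None   # None matches either interface
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"        # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Constructed example LAN, taken from the RFC 5737 documentation block.
INTERNAL = "192.0.2.0/24"

# Rule order matters: first match wins. The anti-spoofing rule is first so a
# packet from the Internet carrying a LAN source address is dropped before any
# permit rule can admit it, whichever default policy is in force.
RULES: List[Rule] = [
    Rule("deny", iface="ext", src=INTERNAL),
    Rule("permit", iface="ext", proto="tcp", dst=INTERNAL, dport=25),  # inbound mail only
    Rule("permit", iface="int", src=INTERNAL),                          # anything outbound
]

def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default policy.
    default="deny" is 'deny unless expressly permitted';
    default="permit" is 'permit unless expressly denied'."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default
```

Running the same inbound Telnet packet through both defaults shows why the article prefers the latter policy: under "permit" it passes because no rule mentions port 23, under "deny" it is refused for exactly the same reason.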

Conclusion

Firewalls have been called “condoms for corporate networks.” They are digital protection for participants in the packet-level intercourse. As with condoms, a lot of people have heard about them or know they exist, but few actually use them. Some who do use them are not using them correctly. Both of these scenarios will eventually result in unwanted guests traipsing through your network. Education and implementation are the keys. Use it or lose it.


Historical footnote: Chey coded the original "Firewall Product Functional Summaries" located on the ICSA site referenced above, based on a format devised by Marcus Ranum. Stephen and Chey also produced the first version of the Firewall Buyers Guide the current version of which manages to avoid mentioning this altogether. While the above article dates from 1996, we think it is still a useful introduction to the subject.


©2003 Chey Cobb. All rights reserved.
chey@patriot.net