Firewalls in many flavors
Not only are there many firewalls available, but there are many types
Last month we dispelled the myth that firewalls are a security cure all. The correct firewall when installed properly in a well-managed system, however, can greatly increase the security of your environment.
This month we'll discuss a variety of firewall products, the categories they fall into, and evaluate the pros and cons of each.
Also this month: a problem with wu-ftp, the most common "secure" anonymous ftp server, and, in the Bookstore, a mailing list you may want to join. (2,200 words)
Firewall vendors have devised a number of formats for their products ranging from "grab it for free via the Internet" to "purchase our software and you get a systems engineer to install it." With this in mind, which firewall product is right for you?
The TIS toolkit is a good example of a freely available product. It's a fully functional proxy firewall, provided in source form. Of course that means it needs configuration, compilation, and configuration again to use within your environment. It also has a minimal feature set. But if you're looking for a basic proxy firewall and want to get a reasonable level of security for free, the TIS toolkit deserves a look. Support is available via the Internet (comp.security.firewalls), or can be purchased from TIS. It runs on most BSD-based Unix operating systems.
In the middle of the spectrum of product offerings is the Raptor Eagle system and associated products. Raptor sells its firewall software in the typical manner: you purchase the software and use technical support when there is a problem. Products such as this need strong documentation and ease of use. Without both of those aspects, a firewall can be a disaster. Consider that without clear information on what the firewall is doing, and how to get it to do exactly what you need, the firewall could be passing packets that you do not expect, or dropping packets that you expect it to pass. Fortunately, Eagle is easy to use and well documented. My experiences with its technical support indicate that it is top-notch as well.
The Raptor product line can provide protection for an entire enterprise. Raptor Eagle is the main firewall between an insecure network and your company's networks. Eagle LAN can be configured from Eagle and intervenes between your security domains. For instance, contractors may have limited access to your corporate computers, and Eagle LAN can implement the desired restrictions. For remote, secure access to your enterprise, Eagle Nomad is PC-based software that implements swIPe to open a secure channel between the remote user and an internal system.
swIPe is a new technology (you won't find it in any of the security or firewall books); one that's useful in the war against network snoops. A normal Internet packet consists of a header and a payload (the data being sent). swIPe is a method of encoding an IP packet but still leaving it deliverable. The entire packet is encrypted, and then included as the payload of a standard IP packet. At the receiving end, the decoder (typically a firewall) unpacks the original IP packet, decrypts it, and places it on the secure wire for delivery to its original destination.
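The encapsulation just described, as an added illustration that is not swIPe's own code: the whole inner IP packet is encrypted and carried as the payload of an outer packet addressed gateway-to-gateway, and the receiving gateway unpacks it. The cipher (HMAC-SHA256 in counter mode), the 8-byte nonce, the integrity tag and the protocol number 253 are stand-ins chosen so the block runs on the Python standard library, not swIPe's actual format.

```python
import hashlib
import hmac
import socket
import struct

PROTO_EXPERIMENTAL = 253  # constructed: IANA experimental number, not swIPe's
TAG_LEN = 16              # truncated HMAC tag appended after the ciphertext

def ip_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ip(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (not swIPe's cipher)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]

def swipe_encapsulate(key: bytes, inner: bytes, gw_src: str, gw_dst: str,
                      nonce: bytes) -> bytes:
    """Encrypt the whole inner IP packet and carry it as the payload of an
    outer packet addressed gateway-to-gateway; inner addresses stay hidden."""
    ct = bytes(a ^ b for a, b in zip(inner, keystream(key, nonce, len(inner))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return build_ip(gw_src, gw_dst, PROTO_EXPERIMENTAL, nonce + ct + tag)

def swipe_decapsulate(key: bytes, outer: bytes) -> bytes:
    """Receiving gateway: strip the outer header, verify the tag, decrypt, and
    return the original packet ready to be placed on the secure wire."""
    ihl = (outer[0] & 0x0F) * 4
    body = outer[ihl:]
    nonce, ct, tag = body[:8], body[8:-TAG_LEN], body[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: packet altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
```

A snoop on the unprotected wire sees only the gateway addresses and opaque bytes; the tag check makes the decoder refuse anything altered in transit rather than placing garbage on the secure wire.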
If you're looking for a product that comes complete with an engineer to install it, those are available as well. The most widely known is the TIS Gauntlet product. Gauntlet generally includes a PC running a hardened version of BSD/OS plus the firewall software plus installation at your site. On-site, TIS does some analysis to determine your security needs and learn about your security policies. TIS engineers then configure Gauntlet to implement those policies as they fit in your environment. Gauntlet also uses swIPe to allow secure connections with remote hosts. swIPe can be implemented in software or in hardware via the CE Infosys Minicrypt board, depending on your encryption performance needs.
For support of products that do not come with their own engineer, there are typically two options:
Before we go further, you should be aware of a very useful Web page. This one contains pointers to many commercial firewall vendors.
There are several other interesting firewall products you should consider before taking the plunge and installing one.
Proxy servers are usually composed of a dual-homed (two interface) host and some specialized networking software. One interface connects to the protected net and the other to the unprotected net. IP routing, the kernel mode that passes packets from one interface to the other (allowing the host to act as a router), is disabled. All packets are therefore intercepted by the proxy server software, and examined. Based on the facilities provided and a set of rules, each packet is either passed, rejected, or dropped. Each packet requires action by the proxy server to move from one interface to the next, so none are passed by accident.
For more details on proxy server functionality, see "Watch your back door," SunWorld Online December 1995.
The TIS Gauntlet Internet Firewall is used as the basis for another proxy firewall system, this one from Technologic, called Interceptor. Interceptor is a software-only proxy, available for many versions of Unix.
Normally, a router looks at the header of a packet, knows on which interface it arrived, and determines which interface to send it to. Except for the normal checksum test, it passes all packets that reach it and are destined for another network it knows about.
A packet filter, when implemented by software or by a smart "screening router" adds a step. Instead of passing all packets, it applies a set of rules to each packet to determine whether to pass or reject it. Because routers only look at packet header information, not its contents, the filters are based on the packet's
For more details on packet filter functionality, again, see "Watch your back door," SunWorld Online December 1995.
If you're interested in the minimalist approach to packet filtering, consider the NetGate package from SmallWorks. NetGate, a set of enhancements to your SunOS or Solaris gateway system, provides flexible filtering and is available in source and binary format. The rules are entered into a configuration file and read into the NetGate kernel code via a command-line interface. My experiences with NetGate have generally been positive and response from their technical support is quick.
A list of packet-filter firewalls wouldn't be complete without Firewall-1, the software Sun chose to secure its Netra product line. Firewall-1 combines flexible filtering rules with a powerful, easy-to-use GUI interface. It runs on SunOS or Solaris and is easy to install and configure.
As with all filtering firewall products, you must take care when devising the rules. One missed rule could mean your security implementation does not match your goals. Thorough testing (from outside of the firewall) is one of the few ways to verify that security is implemented as you expect. In addition, you should try breaking through your firewall with scanning software like SATAN or ISS.
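An added example, not any vendor's rule syntax, of the header-only filtering described above (and of the pass/reject/drop decision a proxy server makes per packet): rules are matched in order against addresses, protocol and port only, and anything no rule mentions is dropped. The protected network 192.0.2.0/24, its mail host .25 and name server .53 are constructed addresses; the two rule sets show the "one missed rule" problem, where a pass rule written on the port alone instead of on the mail host exposes every internal machine on that port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Header:
    """Only what a screening router sees: addresses, protocol, destination port."""
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str              # "pass", "reject" (answer with an error) or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"   # CIDR; default matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, h: Header) -> bool:
        return ((self.proto == "any" or self.proto == h.proto)
                and ipaddress.ip_address(h.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(h.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == h.dport))

def filter_packet(rules: List[Rule], h: Header) -> str:
    """First matching rule wins; a packet no rule mentions is silently dropped."""
    for r in rules:
        if r.matches(h):
            return r.action
    return "drop"

# Constructed policies for the protected net 192.0.2.0/24.
LOOSE = [Rule("pass", "tcp", dport=25),                      # intent: SMTP in,
         Rule("pass", "udp", dst="192.0.2.53/32", dport=53)]  # but host omitted
TIGHT = [Rule("pass", "tcp", dst="192.0.2.25/32", dport=25),
         Rule("pass", "udp", dst="192.0.2.53/32", dport=53),
         Rule("drop")]                                        # explicit default

def audit(rules: List[Rule], probes: List[Header]) -> dict:
    """Outside-in test of a rule set: what each probe packet would get."""
    return {f"{p.dst}:{p.dport}/{p.proto}": filter_packet(rules, p) for p in probes}
```

Running `audit` with the probe packets you expect to be blocked is the offline counterpart of the outside-the-firewall testing recommended above; it catches a too-broad rule before the firewall does.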
If you're interested in high-availability firewalls, consider the Qualix Group SecureWatch product, based on Firewall-1. SecureWatch provides an uptime of over 99% on the Internet gateway, with automatic and almost transparent failover to a secondary server.
Smart routers can also serve as rudimentary packet-filter firewalls. Examples include TurnStyle Firewall System by Atlantic Systems Group, and Firewall IRX Router by Livingston. These devices are generally your connection to the Internet, or sit between security domains within your organization. Not only can they implement a detailed set of filter rules, but you can also turn on connection logging (via syslog) to watch the Internet traffic they allow.
BorderWare (previously Janus Firewall) produces a firewall server that combines a packet filter, proxy server software, and various application servers into a single product. The applications include a mail server, dual name servers (one for internal, one for external DNS), a news server, an anonymous FTP server, a WWW server, and a finger information server. Unfortunately, BorderWare only runs on Intel-CPU-based systems.
Sun's SunScreen is another product worth considering. SunScreen is a unique security apparatus. It's billed as a complete network security device. It's a turnkey package of hardware, software, and services. It includes a network-invisible, Sun-workstation-based unit that sits between the insecure net and the network you are working to protect. This box provides flexible packet filtering and packet vectoring. Packet vectoring allows packets to be diverted to networks or hosts they were not addressed to. What makes SunScreen different (aside from this invisible nature) is the built-in authentication and encryption. Get two of these boxes and configure them properly, and you have an authenticated, encrypted channel over the Internet. Also included in the package is a PC-based administration station. This station must be directly connected to the workstation, for security reasons. For more information on SunScreen, see "SunScreen in the real world," SunWorld Online December 1995.
Alternatively, for those of you who don't find what you need in the commercial offerings, you can create your own firewall. The TIS source code, as well as the SOCKS package, make a good basis for custom firewall implementations. A SOCKS whitepaper is also available. Add to this a monitoring program such as Tripwire, TCP_Wrapper, or Tiger and you have a secure firewall system. Do not deceive yourself about the amount of time needed to build, configure, and maintain such a system, though. Remember that maintaining this type of system could require upgrading versions of several packages, tracking patch postings for them, and watching newsgroups and mailing lists for pertinent bugs.
There are also many quality security consultants available to help you determine the current security state of your systems, plan where you'd like to be, security-wise, and implement your dream firewall. For instance, a couple of well known security experts, Marcus Ranum and Tina Darmohray, have joined forces to form Information Warehouse!. In addition, TIS performs security consulting services, as does my company Corporate Technologies.
A stash of decent firewalls-related whitepapers can be found at http://www.tis.com/Home/NetworkSecurity/Firewalls/Firewalls.html.
Bug of the Month Club
If you are like many sites, and use wu-ftpd as your ftp daemon rather than the standard Unix ftpd, then you may have a problem. There is a new Advisory describing a configuration problem that allows users logging in as themselves (not as anonymous) to easily gain root access to the system. The problem is associated with the configuration variable _PATH_EXECPATH. It should not be set to /bin, although it frequently is.
There is a high-quality mailing list you may want to join, especially since it is low-volume as well. Christopher Klaus at ISS maintains it, and now that he's cut off random postings, all of the postings are interesting. Most recently there's been information on security vulnerabilities with Windows NT, as well as an alarming article about "stealth scanning" -- a method to detect available system services without triggering alarms from such packages as TCP-Wrapper. To get on the mailing list send a message to firstname.lastname@example.org and in the body of the message, include
on a line by itself.
Also available on the ISS Web page (http://www.iss.net/iss/) are several useful whitepapers on topics ranging from the prevalence of hacking to security FAQs, to a case study of social engineering and the damage it can do to otherwise secure sites.
If you don't have convenient Internet access, or don't want to spend a lot of time getting, loading, and compiling the tools I mention on the Web site, you should consider getting a copy of the Sun User Group's Security CD. It has more than 80 security-related packages in both source code and compiled versions for SunOS and Solaris.
If you're interested in computers, ethics, and the law, you should track down a copy of Communications of the ACM December 1995, V38N12. The whole issue is devoted to ethics, technology, and privacy. How will cyberspace affect copyright laws? How ethical is it to read e-mail? And cyberspace has no national borders, so how can laws be applied to it? It's all in V38N12.
Next Month, on "As Pete's Wicked World Turns"
If you've devised a security policy and implemented it, the next step is to prepare for events that violate it. Do you have a plan in place for dealing with an attack or a break in security? Do your users know what a security threat looks like and how to react to it? Next month we'll look at incident-response, or "Tiger" teams.
About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at email@example.com.