Extinguishing firewall hyperbole
Are new firewall technologies improvements or complications? Evaluate the pros and cons. Part 2
The firewall industry continues to gain momentum, with new players, generations, and attention from large and small institutions alike. Are the added features useful or are firewalls turning into the next Microsoft Word -- bloated with features that add complication but are little used? This month concludes an evaluation of new firewall technologies: stateful inspection, filtering proxy gateways, and new add-on packages.
Also in Pete's Wicked World this month: the bookstore has some interesting reading from the Princeton group on WWW security vulnerabilities, and a pointer to some interesting reading from the U.S. Army. And, if you have Solaris security questions, visit Pete's Security FAQ. (2,200 words)
Some services that sites depend on run over UDP (DNS and traceroute, for instance; ping, the running example in this column, is strictly ICMP echo rather than UDP, but it raises exactly the same reply-tracking problem), and therefore sites may want to pass UDP through the firewall. Consider the (simplified) case of a ping initiated from inside a firewall. The initiator wants to see the reply information, of course, but the firewall is configured to disallow any ping packets from the outside. How does the firewall know that the ping packets from the outside are replies to the inside ping? The firewall maintains state, essentially making UDP (and ICMP) stateful so it can track the original and reply packets, while still preventing unwanted UDP packets.
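The state-tracking idea above, reduced to a small model. This is an added illustration written for this edit, not code from the column or from any firewall product: the inside network (10.0.0.0/8), the 30-second idle timeout, and the packet sequence in run_trace() are constructed assumptions. It shows the two properties that matter: an outbound UDP packet or ping opens a state entry that admits the matching reply (and, for ICMP, exactly one reply per echo request), while unsolicited inbound packets, inbound pings, and replies arriving after the entry has expired are all dropped.

```python
"""Stateful reply tracking for UDP and ICMP echo, as a firewall would do it.

Added example for this edit; not from the column or any product. The inside
network, the timeout and the packets in run_trace() are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed: addresses behind the firewall
STATE_TIMEOUT = 30.0                          # assumed: seconds an idle flow stays open

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass(frozen=True)
class Packet:
    proto: str                     # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                 # UDP source port, or ICMP echo identifier
    dport: int = 0                 # UDP destination port, or ICMP echo sequence number
    icmp_type: Optional[int] = None


class StatefulFilter:
    """Policy: inside hosts may originate UDP and ping; outside hosts may only
    send the matching reply, and only while the state entry is alive."""

    def __init__(self, timeout: float = STATE_TIMEOUT) -> None:
        self.timeout = timeout
        self.table: Dict[Tuple, float] = {}   # flow key -> expiry time

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Key the flow on its outbound direction. For ICMP the key carries both the
        # echo identifier and the sequence number, so one request admits one reply.
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Tuple:
        # Express an inbound packet as the outbound flow it would be answering.
        if p.proto == "udp":
            return ("udp", p.dst, p.dport, p.src, p.sport)   # ports swap on the way back
        return ("icmp", p.dst, p.sport, p.src, p.dport)      # echo id/seq come back unchanged

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def decide(self, p: Packet, now: float) -> str:
        self._expire(now)
        if ipaddress.ip_address(p.src) in INSIDE:
            # Outbound: allowed, and recorded so the reply can be recognised later.
            if p.proto == "icmp" and p.icmp_type != ICMP_ECHO_REQUEST:
                return "DROP"
            self.table[self._key(p)] = now + self.timeout
            return "ACCEPT"
        # Inbound: only a reply to a live entry gets through.
        if p.proto == "icmp" and p.icmp_type != ICMP_ECHO_REPLY:
            return "DROP"                          # nobody outside may ping inward
        key = self._reverse(p)
        if key not in self.table:
            return "DROP"                          # unsolicited, or entry already expired
        if p.proto == "icmp":
            del self.table[key]                    # the one permitted reply has been used
        else:
            self.table[key] = now + self.timeout   # keep the UDP exchange alive
        return "ACCEPT"


def run_trace() -> List[Tuple[str, str]]:
    """Constructed packet sequence; returns (description, decision) pairs."""
    fw = StatefulFilter()
    trace = [
        ("DNS query out",        0.0, Packet("udp", "10.1.1.5", "192.0.2.53", 40000, 53)),
        ("DNS reply back",       1.0, Packet("udp", "192.0.2.53", "10.1.1.5", 53, 40000)),
        ("UDP from a stranger",  1.0, Packet("udp", "198.51.100.9", "10.1.1.5", 53, 40000)),
        ("ping out",             2.0, Packet("icmp", "10.1.1.5", "192.0.2.1", 0x1234, 1, ICMP_ECHO_REQUEST)),
        ("ping reply back",      2.1, Packet("icmp", "192.0.2.1", "10.1.1.5", 0x1234, 1, ICMP_ECHO_REPLY)),
        ("same reply replayed",  2.2, Packet("icmp", "192.0.2.1", "10.1.1.5", 0x1234, 1, ICMP_ECHO_REPLY)),
        ("ping in from outside", 3.0, Packet("icmp", "192.0.2.1", "10.1.1.5", 0x1234, 2, ICMP_ECHO_REQUEST)),
        ("DNS reply after idle", 40.0, Packet("udp", "192.0.2.53", "10.1.1.5", 53, 40000)),
    ]
    return [(label, fw.decide(pkt, t)) for label, t, pkt in trace]


if __name__ == "__main__":
    for label, decision in run_trace():
        print("%-22s %s" % (label, decision))
```

The consumed-on-reply rule for ICMP is deliberately stricter than the UDP rule: a DNS or NFS exchange can legitimately carry several datagrams each way, but an echo request has exactly one answer, so a second "reply" is either a replay or a probe and is dropped.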
A filtering proxy gateway addresses a different need. Suppose the policy is to allow telnet from or to specific hosts, but only if the outsider is first identified via a one-time password mechanism (such as S/Key, CryptoCard, or SecurID). In this case, a proxy is needed because it must:
- understand the telnet protocol, so it can ask for authentication via that protocol
- allow the telnet session to proceed only if the authentication is correct
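The admission decision such a proxy makes, as an added example written for this edit rather than code from the column or from S/Key, CryptoCard or SecurID. The verifier is S/Key's scheme (a Lamport hash chain: the server keeps only the last accepted hash and accepts a candidate only if hashing it once reproduces that value), with SHA-256 standing in for S/Key's MD4-and-fold step, so it is not wire-compatible with real S/Key calculators; the seed-then-passphrase concatenation order, the user name, passphrase, seed, chain length and the permitted host pair are all constructed assumptions. The example shows why the proxy, and not a packet filter, has to make this decision: it needs the authentication exchange before it will relay anything, and a replayed password fails even though it was valid a moment earlier.

```python
"""One-time-password gate for an authenticating telnet proxy.

Added example for this edit; not from the column or from S/Key itself.
Hash chain as in S/Key, but with SHA-256 (not wire-compatible). The user,
seed, passphrase and permitted host pair are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Set, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def skey_chain(passphrase: bytes, seed: bytes, n: int) -> bytes:
    """The n-th one-time password: the hash applied n times to seed||passphrase
    (concatenation order assumed). Computed on the client, which holds the passphrase."""
    value = seed + passphrase
    for _ in range(n):
        value = _h(value)
    return value


class OtpVerifier:
    """Server side. Stores only (count, last accepted hash); never the passphrase."""

    def __init__(self) -> None:
        self.db: Dict[str, Tuple[int, bytes]] = {}

    def register(self, user: str, count: int, last: bytes) -> None:
        self.db[user] = (count, last)

    def challenge(self, user: str) -> int:
        """Which chain element the client must present next."""
        return self.db[user][0] - 1

    def verify(self, user: str, candidate: bytes) -> bool:
        if user not in self.db:
            return False
        count, last = self.db[user]
        if count <= 1:
            return False                            # chain used up; re-register
        if not hmac.compare_digest(_h(candidate), last):
            return False                            # wrong password, or a replay
        self.db[user] = (count - 1, candidate)      # step down the chain
        return True


class TelnetProxyGate:
    """The proxy relays only for a permitted host pair AND a fresh one-time password."""

    def __init__(self, verifier: OtpVerifier, allowed: Set[Tuple[str, str]]) -> None:
        self.verifier = verifier
        self.allowed = allowed                      # (outside host, inside host) pairs

    def connect(self, src: str, dst: str, user: str, otp: bytes) -> str:
        if (src, dst) not in self.allowed:
            return "refused: host pair not permitted"
        if not self.verifier.verify(user, otp):
            return "refused: bad one-time password"
        return "relaying %s -> %s for %s" % (src, dst, user)


PASSPHRASE = b"correct horse battery staple"   # constructed; known only to the client
SEED = b"fw12345"                              # constructed; public
ALLOWED = {("203.0.113.7", "10.1.1.20")}       # constructed (outside host, inside host)


def demo() -> List[str]:
    verifier = OtpVerifier()
    verifier.register("pete", 100, skey_chain(PASSPHRASE, SEED, 100))  # client supplies h^100
    gate = TelnetProxyGate(verifier, ALLOWED)
    results = []
    # 1. legitimate login: client presents the element the proxy asks for (h^99)
    first = skey_chain(PASSPHRASE, SEED, verifier.challenge("pete"))
    results.append(gate.connect("203.0.113.7", "10.1.1.20", "pete", first))
    # 2. an eavesdropper replays the password that just worked
    results.append(gate.connect("203.0.113.7", "10.1.1.20", "pete", first))
    # 3. next legitimate login uses the next element down the chain (h^98)
    second = skey_chain(PASSPHRASE, SEED, verifier.challenge("pete"))
    results.append(gate.connect("203.0.113.7", "10.1.1.20", "pete", second))
    # 4. correct password, but from a host the administrator never permitted
    third = skey_chain(PASSPHRASE, SEED, verifier.challenge("pete"))
    results.append(gate.connect("198.51.100.9", "10.1.1.20", "pete", third))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the host-pair check runs before the password check, so a connection from an unlisted host never consumes a chain element or learns whether the user name exists.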
Because a proxy relays an application protocol, you cannot pass ping through a true proxy gateway. Because VPN tunnels work at a lower network layer, they can pass UDP. By creating a tunnel within the firewall -- both ends living on the firewall -- UDP can be passed (and filtered) through the firewall. Protocols like ping can then be passed from and to specific hosts, as designated by the firewall administrator.

Major firewall products are adding new management, monitoring, and extended control facilities as well. Most of these are actually third-party packages that are being melded with the firewall programs and offered as new (usually optional) features.

ping is a good example of why these distinctions matter: ping is a protocol like all others, and the need for its use should be considered in selecting and implementing a firewall.

Finally, remember that the installation of a firewall is not the last step in securing your networks. You need to be sure the security policy (you have one, don't you?) is being enforced, and the way to be sure is testing. And you must occasionally retest. Companies such as Science Applications International Corporation (SAIC) will perform full intrusion tests against your site. There are also commercial tools such as ISS. Those willing to put up with less functionality can still be well served by free tools such as NetCat.

There is a nice checklist available that can help you compare firewalls. It's not perfect, but it's a good start. Consider adding a column labeled "don't care" to the spreadsheet, or you may be comparing features that have no importance in the security solution that you are implementing.
Bug of the Month Club
For those keeping score (or trying to keep their server secure), BSD sendmail is now up to release 8.8.4. Get it before the next version is released.
The group at Princeton is again raising alarms about the (in)security of the WWW. This time they've demonstrated a man-in-the-middle attack and produced a paper that describes the problem, its effects, and the implementation. Simply put, a man-in-the-middle attack consists of an entity interposing itself between the two parties that are trying to communicate. The middle-man can then intercept communications, attempt to pretend it is one or the other end (or both), and so on. By pretending to be one side to the other, the middle-man is spoofing the other side. Putting this attack to work, the Princeton group set up a Web server that pretended to be another site. When pages were requested of it, it simply retrieved them from the legitimate site and displayed them to the requestor, so the user saw exactly what the real site would have shown. The potential damage is huge. The server could have given out misinformation, captured credit card or other financial information as if it were requested by the legitimate site, and so on. For more information on this attack and how it could make your life miserable, check out the paper.

Thanks to Joel McNamara for the following posting on best-of-security. The Army site is worth a look:
From: Joel McNamara <firstname.lastname@example.org>
To: email@example.com
Subject: BoS: Army Cryptanalysis manual online

The US Army's Field Manual on Basic Cryptanalysis (FM 34-40-2), dated September 1990, is available for downloading as an Acrobat PDF file from:

http://www.atsc-army.org/cgi-win/$atdl.exe/fm/34-40-2/default.htm

Fairly classic in nature (substitution, transposition, and code systems). Huge files (so far, at 28.8, after about an hour and a half, I've only been able to grab the table of contents and a couple of appendices - some kind-hearted person with a T1 or greater may want to get everything, then zip and mirror to save us bandwidth-challenged folks the pain).

Also, for the complete listings of almost 300 downloadable FMs through the Army's Digital Training Library (ATDL), check out:

http://www.atsc-army.org/cgi-win/$atdl.exe?type=fm&header=%2Fatdl%2Fbrowse%2Ffm.htm

Have fun!

Joel

Note: This site isn't wholly reliable. It seems to regularly go up and down, and sometimes the bandwidth is terrible. Probably worth your patience though.
There's also a mirror site.

O'Reilly and Associates has done a statistical study of Web sites to determine the state of WWW commerce. It makes for interesting reading. To summarize, they found that although there are quite a few Web sites running SSL servers, most of these sites don't have digital certificates available to allow clients to authenticate them; SSL without a verifiable server certificate encrypts the session but does nothing to stop the kind of impersonation the Princeton group demonstrated. For more information visit http://www.ora.com/research/.

Next month we'll look at the world of penetration testing.
About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at firstname.lastname@example.org.
If you have technical problems with this magazine, contact email@example.com