Extinguishing firewall hyperbole
Are new firewall technologies improvements or complications? Evaluate the pros and cons. Part 2

The firewall industry continues to gain momentum, with new players, new generations, and attention from large and small institutions alike. Are the added features useful, or are firewalls turning into the next Microsoft Word -- bloated with features that add complication but are little used? This month concludes an evaluation of new firewall technologies: stateful inspection, filtering proxy gateways, and new add-on packages.

Also in Pete's Wicked World this month: The bookstore has some interesting reading from the Princeton group on WWW security vulnerabilities, plus a pointer to some interesting reading from the U.S. Army. And if you have Solaris security questions, visit Pete's Security FAQ. (2,200 words)
ping, for instance), and therefore sites may want to pass UDP through the firewall.

Consider the (simplified) case of a ping initiated from inside a firewall. The initiator wants to see the reply, of course, but the firewall is configured to disallow any ping packets from the outside. How does the firewall know that the ping packets arriving from the outside are replies to the inside ping? The firewall maintains state, essentially making UDP stateful so it can track the original and reply packets while still preventing unwanted UDP packets.
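A constructed illustration of the bookkeeping just described (added here, not code from the article): a small stateful UDP filter that records each outbound flow started from the inside network and lets an inbound packet through only when it is the exact reverse of a live flow, expiring idle entries so a stale entry cannot be reused. The inside address range, the timeout and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulUdpFilter:
    """Allow UDP out from the inside, and back in only as a reply to a
    flow the inside started. Each flow entry expires after `timeout`
    seconds of silence so idle entries cannot be reused later."""

    def __init__(self, inside_net="10.0.0.0/8", timeout=30.0):
        self.inside = ipaddress.ip_network(inside_net)  # assumed site range
        self.timeout = timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.flows = {}

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now):
        for key, expiry in list(self.flows.items()):
            if expiry <= now:
                del self.flows[key]

    def check(self, pkt, now):
        """Return 'ALLOW' or 'DROP' for pkt seen at time `now` (seconds)."""
        self._expire(now)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound request: remember it so the matching reply can return.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return "ALLOW"
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            # Inbound: only the exact reverse of a live flow counts as a reply.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                self.flows[key] = now + self.timeout  # conversation still alive
                return "ALLOW"
            return "DROP"  # unsolicited UDP from the outside
        return "DROP"  # inside-to-inside or outside-to-outside: not routed here
```

The same request/reply matching is what lets a firewall pass the replies to an inside ping while still refusing unsolicited packets from outside.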
telnet from or to specific hosts, but only if the outsider is first identified via a one-time password mechanism (such as S/Key, CryptoCard, or SecurID). In this case a proxy is needed, because it must understand the telnet protocol, so it can ask for authentication via that protocol, and must pass the telnet session only if the authentication is correct.
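Added example, not code from the article: the gate such a proxy applies before relaying anything, using an S/Key-style one-time-password chain. The gateway stores only the n-th hash of a secret, accepts a password whose hash equals it, then steps down the chain so a captured password cannot be replayed. SHA-256 stands in for S/Key's MD4, and the user, seed and host names are constructed.

```python
import hashlib


def _h(data: bytes) -> bytes:
    # Real S/Key folds MD4 output to 64 bits; this example assumes SHA-256,
    # which leaves the hash-chain logic unchanged.
    return hashlib.sha256(data).digest()


def otp(secret: str, seed: str, i: int) -> bytes:
    """Password number i: the hash applied i times to seed||secret (i >= 1)."""
    x = _h((seed + secret).encode())
    for _ in range(i - 1):
        x = _h(x)
    return x


class OtpGate:
    """Per-user state on the gateway: seed, sequence number n, and hash^n."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, secret: str, seed: str, n: int = 100):
        # Only hash^n is stored; the secret itself never lives on the gateway.
        self.users[user] = (seed, n, otp(secret, seed, n))

    def challenge(self, user: str):
        seed, n, _ = self.users[user]
        return seed, n - 1  # ask the client for password number n-1

    def verify(self, user: str, candidate: bytes) -> bool:
        seed, n, last = self.users[user]
        if n <= 1 or _h(candidate) != last:
            return False  # chain exhausted (re-enroll) or wrong password
        self.users[user] = (seed, n - 1, candidate)  # step down: no replay
        return True


def proxy_decision(gate: OtpGate, user: str, candidate: bytes,
                   dst_host: str, allowed_hosts: set) -> str:
    """What the telnet proxy decides before relaying a single byte."""
    if dst_host not in allowed_hosts:
        return "DENY: host not permitted"
    if not gate.verify(user, candidate):
        return "DENY: authentication failed"
    return f"RELAY telnet to {dst_host}"
```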
ping through a true proxy gateway. Because VPN tunnels work at a lower network layer, they can pass UDP. By creating a tunnel within the firewall -- both ends living on the firewall -- UDP can be passed (and filtered) through the firewall. Protocols like ping can then be passed from and to specific hosts, as designated by the firewall administrator.
ping is a good example. ping is a protocol like all others, and the need for it should be considered when selecting and implementing a firewall.
Finally, remember that installing a firewall is not the last step in securing your networks. You need to be sure that the security policy (you have one, don't you?) is actually being enforced, and testing is how you find out. And you must retest occasionally. Companies such as Science Applications International Corporation (SAIC) will perform full intrusion tests against your site. There are also commercial tools such as ISS. Those willing to put up with less functionality can still be well served by free tools such as NetCat. There is a nice checklist available that can help you compare firewalls. It's not perfect, but it's a good start. Consider adding a column labeled "don't care" to the spreadsheet, or you may be comparing features that have no importance in the security solution you are implementing.
Bug of the Month Club

For those keeping score (or trying to keep their sendmail server secure), BSD sendmail is now up to release 8.8.4. Get it before the next version is released.
The Bookstore

The group at Princeton is again raising alarms about the (in)security of the WWW. This time they've demonstrated a man-in-the-middle attack and produced a paper that describes the problem, its effects, and the implementation. Simply put, a man-in-the-middle attack consists of an entity interposing itself between two parties that are trying to negotiate. The middle-man can then intercept communications, attempt to pretend it is one or the other end (or both), and so on. By pretending to be one side to the other, the middle-man is spoofing the other side.

Putting this attack to work, the Princeton group set up a Web server that pretended to be another site. When pages were requested of it, it simply retrieved them from the legitimate site and displayed them to the requester. The potential damage is huge: the server could have given out misinformation, captured credit card or other financial information as if it were requested by the legitimate site, and so on. For more information on this attack and how it could make your life miserable, check out the paper.
Thanks to Joel McNamara for the following posting on best-of-security. The Army site is worth a look:

From: Joel McNamara <joelm@eskimo.com>
To: best-of-security@suburbia.net
Subject: BoS: Army Cryptanalysis manual online

The US Army's Field Manual on Basic Cryptanalysis (FM 34-40-2), dated September 1990, is available for downloading as an Acrobat PDF file from: http://www.atsc-army.org/cgi-win/$atdl.exe/fm/34-40-2/default.htm

Fairly classic in nature (substitution, transposition, and code systems). Huge files (so far, at 28.8, after about an hour and a half, I've only been able to grab the table of contents and a couple of appendices - some kind-hearted person with a T1 or greater may want to get everything, then zip and mirror to save us bandwidth-challenged folks the pain).

Also, for the complete listings of almost 300 downloadable FMs through the Army's Digital Training Library (ATDL), check out: http://www.atsc-army.org/cgi-win/$atdl.exe?type=fm&header=%2Fatdl%2Fbrowse%2Ffm.htm

Have fun!
Joel

Note: This site isn't wholly reliable. It seems to regularly go up and down, and sometimes the bandwidth is terrible. It is probably worth your patience, though.
There's also a mirror site.

O'Reilly and Associates has done a statistical study of Web sites to determine the state of WWW commerce. It makes for interesting reading. To summarize, they found that although there are quite a few Web sites running SSL servers, most of these sites don't have digital certificates available to allow their authentication by clients. For more information visit http://www.ora.com/research/.

Next month we'll look at the world of penetration testing.
About the author

Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials worldwide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating System Concepts textbook.
Reach Peter at peter.galvin@sunworld.com.
URL: http://www.sunworld.com/swol-01-1997/swol-01-security.html