Click on our Sponsors to help Support SunWorld
Security: Pete's Wicked World by Peter Galvin

Avoid firewall pitfalls

Poor planning can result in nonfunctional firewalls and broken networks. We give you a firewall implementation checklist and tell you how to stay clear of common mistakes

June 1997

One of the common mistakes made in implementing a firewall is concentrating too much on the firewall functionality. Obviously, you need to consider the network entities and rules, but the integration of the firewall into the existing environment is equally important and equally fraught with pitfalls. If the integration is not carefully planned, it can result in nonfunctional firewalls and broken networks. This month, we provide a list of steps to take when planning a firewall implementation and some examples of what can go wrong in integrating a firewall with your facility.

Also in Pete's Wicked World this month: In the buglist, some more buffer overrun exploits on Solaris. In the toolbox, a new secure telnet tool. The bookstore has some hot links to security Web pages.

And don't forget to check out Pete's recently updated Security FAQ. (2,700 words)

Reminder: There is a lot happening at the Sun User Group conference in Boston on June 2-4.


Beware the unplanned firewall implementation. In previous columns, we've discussed the hazards of attempting to secure a facility without having a security policy in place. Unfortunately, a good policy, like a bad movie, only takes you halfway there. The implementation of the security policy needs careful attention to detail and careful network integration planning.

For example, consider some of the complex problems that can occur when a firewall is rolled into a facility. At one site, the ISP had provided some network addresses. These addresses were actually part of a Class-A network address that had been subnetted into Class-Cs. Unfortunately, those Class-Cs were active both inside and outside of this site. Using the "KISS" principle (Keep it simple, Stupid), the firewall was going to use only static routes. (The use of static routes also improves security, especially resilience to denial-of-service attacks.) The bottom line was that the firewall needed static routes to Class-C networks inside the company, but the Class-Cs were subnets of a Class-A. Solaris (and most other operating systems, I believe) doesn't allow a netmask to be specified via the route command, so there was no (easy) way to tell the Solaris-based firewall how to route packets to a remote, internal, Class-A subnetted network while still allowing packets to reach the external parts of that Class-A network. Because the firewall in this case allowed address translation, the final solution was to renumber the internal network to an RFC-1597 private subnet range.
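The routing conflict described above can be reproduced with a small model. This is an added example, not code from the column: it assumes a simplified route table in which a route given without a netmask takes its mask from the address class, and the 35.x addresses and gateway names are constructed for illustration.

```python
import ipaddress

def classful_prefix(addr):
    """Prefix length implied by the address class alone (A=/8, B=/16, C=/24)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24

def add_route(table, dest, gateway, prefixlen=None):
    """Add a static route; with no prefixlen the class of dest decides the mask."""
    if prefixlen is None:
        prefixlen = classful_prefix(dest)
    net = ipaddress.ip_network(f"{dest}/{prefixlen}", strict=False)
    table.append((net, gateway))

def lookup(table, addr, default="isp-router"):
    """Longest-prefix match over the static routes, else the default route."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, gw) for net, gw in table if ip in net]
    return max(matches)[1] if matches else default

INSIDE_HOST = "35.1.2.10"    # constructed: host on an internal subnet of the Class A
OUTSIDE_HOST = "35.200.7.9"  # constructed: host elsewhere in the same Class A
RENUMBERED_HOST = "192.168.2.10"  # same internal host after moving to an RFC 1597 range

def build(kind):
    """Return the firewall's static route table for one of three setups."""
    table = []
    if kind == "classful":      # route added without a netmask: widens to 35.0.0.0/8
        add_route(table, "35.1.2.0", "inside-router")
    elif kind == "masked":      # what an explicit /24 netmask would have allowed
        add_route(table, "35.1.2.0", "inside-router", 24)
    elif kind == "renumbered":  # private Class C: the classful mask is already /24
        add_route(table, "192.168.2.0", "inside-router")
    return table

if __name__ == "__main__":
    for kind, inside in (("classful", INSIDE_HOST), ("masked", INSIDE_HOST),
                         ("renumbered", RENUMBERED_HOST)):
        table = build(kind)
        print(f"{kind:10} inside -> {lookup(table, inside):13} "
              f"outside -> {lookup(table, OUTSIDE_HOST)}")
```

In the classful case the outside host is sent to the inside router, which is the breakage the site hit; after renumbering, the classful mask and the real subnet boundary coincide, so no netmask is needed.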

A lack of a thorough understanding of the firewall's functionality, combined with a lack of planning, can lead to other unfortunate circumstances. For instance, some proxy gateway-based firewalls cannot pass a protocol that is not proxied. No assumptions can be made about what the firewall will do. Consider the utility of the ping and traceroute commands. Now imagine the consternation of system administrators when they realize that the newly installed firewall does not allow those protocols to pass.


The checklist
Before embarking on a firewall implementation, you would be wise to work your way through this checklist of issues to consider.

This list should help you avoid the common problems seen in firewall implementation.

The Bookstore
Bill Wall has put together some very complete links to Web security and computer resources. Check them out at and

Bug of the Month Club
AUSCERT is reporting two new buffer-overflow-allowing-root-access bugs in Solaris 2.x. The vulnerabilities are in ps and chkey. Information is available from CIAC. The only current fix is to remove the setuid bit from these two programs. AUSCERT has gone one better and written a generic wrapper that can be used when running setuid programs to protect them against buffer overflow exploits.

While you're visiting CIAC, check out report H-56. It describes another Solaris bug, this one in lp, that allows users to gain lp rights.

If you have Creator-3D graphics on your computers, then try this command: /usr/bin/pkginfo -l SUNWffbcf. If you do not receive an error, then you have the SUNWffbcf package installed, and it has a security hole. Sun has a patch to fix the problem.

The Toolbox
If you are interested in secure telnet sessions, take a look at stelnet. It's similar to ssh and SSLTelnet, but claims to be based on a more recent telnet code base. It uses SSL to create an authenticated, encrypted telnet channel.



About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at


[(c) Copyright  Web Publishing Inc., and IDG Communication company]
