Firewalls


Definition: A combination of hardware and software that many companies or organizations place between their internal networks and the Internet. A firewall allows only specific kinds of messages from the Internet to flow in and out of the internal network. This protects the internal network from intruders or hackers who might try to use the Internet to break into those systems.

HISTORY OF FIREWALLS AND INTERNET SECURITY ... continued

Circuit Gateways

Circuit gateways operate at the network transport layer. Again, connections are authorized based on addresses. Like filtering gateways, they (usually) cannot look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another.

Application Gateways

Application gateways or proxy-based firewalls operate at the application level and can examine information at the application data level. (We can think of this as the contents of the packets, though strictly speaking proxies do not operate with packets.) They can make their decisions based on application data, such as commands passed to FTP, or a URL passed to HTTP. It has been said that application gateways "break the client/server model."

Hybrid firewalls, as the name implies, use elements of more than one type of firewall. Hybrid firewalls are not new. The first commercial firewall, DEC SEAL, was a hybrid, using proxies on a bastion host (a fortified machine, labeled "Gatekeeper" in Figure 1), and packet filtering on the gateway machine ("Gate"). Hybrid systems are often created to quickly add new services to an existing firewall. One might add a circuit gateway or packet filtering to an application gateway firewall, because it requires new proxy code to be written for each new service provided. Or one might add strong user authentication to a stateful packet filter by adding proxies for the service or services.

No matter what the base technology, a firewall still basically acts as a controlled gateway between two or more networks through which all traffic must pass. A firewall enforces a security policy and it keeps an audit trail.
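The distinction drawn above, between gateways that decide on addresses alone and application gateways that can see the application data, together with the requirement that a firewall enforce a policy and keep an audit trail, is easiest to see in a small simulation. The following Python is an added illustration and is not code from the article or from any product it names; the rule set, addresses and request lines are constructed sample values, and the URL-screening rule is a simplified stand-in for what a real proxy would inspect.

```python
# Added illustration (not from the original article): a toy firewall policy
# engine with the two decision layers the text describes. Packet-filter /
# circuit-gateway style rules decide on addresses and ports only; an
# application-gateway (proxy) rule can also look at application data, here
# the URL in an HTTP request line. Every decision is written to an audit trail.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Connection:
    src: str            # source IP address (constructed sample values below)
    dst: str            # destination IP address
    dport: int          # destination TCP port
    app_data: str = ""  # first line of application data, e.g. an HTTP request line


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src_net: str                  # CIDR block the source address must fall in
    dport: Optional[int] = None   # None matches any destination port
    url_deny: tuple = ()          # URL substrings an application gateway refuses

    def matches(self, c: Connection) -> bool:
        # Address/port match: the only information a filtering or circuit gateway has.
        if ip_address(c.src) not in ip_network(self.src_net):
            return False
        return self.dport is None or self.dport == c.dport


@dataclass
class Firewall:
    rules: list
    audit_log: list = field(default_factory=list)

    def decide(self, c: Connection) -> str:
        for r in self.rules:
            if not r.matches(c):
                continue
            verdict = r.action
            # Application-gateway check: possible only because the proxy sees the request.
            if verdict == "allow" and r.url_deny:
                parts = c.app_data.split()
                url = parts[1] if len(parts) > 1 else ""
                if any(bad in url for bad in r.url_deny):
                    verdict = "deny"
            self._log(c, verdict)
            return verdict
        # Default deny: traffic that matches no explicit rule is refused and still logged.
        self._log(c, "deny")
        return "deny"

    def _log(self, c: Connection, verdict: str) -> None:
        self.audit_log.append(f"{verdict.upper()} {c.src} -> {c.dst}:{c.dport} {c.app_data!r}")


def build_example_firewall() -> Firewall:
    # Policy (constructed): the private 10/8 network may browse the web and use FTP;
    # web requests for a couple of URL patterns are screened at the application layer.
    return Firewall(rules=[
        Rule("allow", "10.0.0.0/8", 80, url_deny=("/exec", ".exe")),
        Rule("allow", "10.0.0.0/8", 21),
    ])


def run_sample():
    """Apply the policy to constructed connections; returns (verdicts, audit_log)."""
    fw = build_example_firewall()
    samples = {
        "web_ok": Connection("10.1.2.3", "192.0.2.10", 80, "GET /index.html HTTP/1.0"),
        "web_blocked_url": Connection("10.1.2.3", "192.0.2.10", 80, "GET /cgi-bin/exec HTTP/1.0"),
        "ftp_ok": Connection("10.9.9.9", "192.0.2.20", 21, "USER anonymous"),
        "outside_in": Connection("198.51.100.7", "10.1.2.3", 80, "GET / HTTP/1.0"),
        "telnet": Connection("10.1.2.3", "192.0.2.10", 23),
    }
    verdicts = {name: fw.decide(c) for name, c in samples.items()}
    return verdicts, fw.audit_log


if __name__ == "__main__":
    v, log = run_sample()
    for line in log:
        print(line)
```

Note that `web_ok` and `web_blocked_url` are identical at the address and port level; only the application-gateway rule can tell them apart, which is exactly the capability the text attributes to proxy-based firewalls. The default-deny fall-through and the audit entry for every decision reflect the two properties the paragraph above lists.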

What a Firewall Can Do

A firewall intercepts and controls traffic between networks with differing levels of trust. It is part of the network perimeter defense of an organization and should enforce a network security policy. By Cheswick and Bellovin's definition, it provides an audit trail. A firewall is a good place to support strong user authentication as well as private or confidential communications between firewalls. As pointed out by Chapman and Zwicky [2], firewalls are an excellent place to focus security decisions and to enforce a network security policy. They are able to efficiently log internetwork activity and limit the exposure of an organization.

The exposure to attack is called the "zone of risk." If an organization is connected to the Internet without a firewall (Figure 2), every host on the private network can directly access any resource on the Internet. Or to put it as a security officer might, every host on the Internet can attack every host on the private network. Reducing the zone of risk is better. An internetwork firewall allows us to limit the zone of risk. As we see in Figure 3, the zone of risk becomes the firewall system itself. Now every host on the Internet can attack the firewall. With this situation, we take Mark Twain's advice to "Put all your eggs in one basket and watch that basket."

Figure 2: Zone of Risk for an Unprotected Private Network

Figure 3: Zone of Risk with a Firewall

What a Firewall Cannot Do

Firewalls are terrible at reading people's minds or detecting packets of data with "bad intent." They often cannot protect against an insider attack (though they might log network activity, if an insider uses the Internet gateway in his crime). Firewalls also cannot protect connections that do not go through the firewall. In other words, if someone connects to the Internet through a desktop modem and telephone, all bets are off. Firewalls provide little protection from previously unknown attacks, and typically provide poor protection against computer viruses.

Firewalls Today: Additions

The first add-on to Internet firewalls was strong user authentication. If your security policy allows access to the private network from an outside network, such as the Internet, some kind of user authentication mechanism is required. User authentication simply means "to establish the validity of a claimed identity." A username and password provides user authentication, but not strong user authentication. On a nonprivate connection, such as an unencrypted connection over the Internet, a username and password can be copied and replayed. Strong user authentication uses cryptographic means, such as certificates, or uniquely keyed cryptographic calculators. These certificates prevent "replay attacks" where, for example, a username and password are captured and "replayed" to gain access. Because of where it sits on both the "trusted" and "untrusted" networks and because of its function as a controlled gateway, a firewall is a logical place to put this service.
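The replay problem described above, and the way a keyed cryptographic calculator avoids it, can be shown in a few dozen lines. The Python below is an added illustration, not code from the article or from any authentication product; it uses HMAC-SHA256 over a server-chosen nonce as a stand-in for the "uniquely keyed calculator", and every key, password and nonce in it is a constructed sample value.

```python
# Added illustration (not from the article): why a static username/password
# can be replayed on an unencrypted link, while a challenge-response scheme
# built on a keyed cryptographic calculator (here HMAC-SHA256 over a fresh,
# server-chosen nonce) cannot. All secrets below are constructed samples.
import hashlib
import hmac
import secrets


class PasswordServer:
    """Weak scheme: the proof of identity is the same bytes on every login."""

    def __init__(self, users: dict):
        self.users = users  # username -> password (constructed)

    def login(self, user: str, proof: str) -> bool:
        return self.users.get(user) == proof


class ChallengeResponseServer:
    """Strong scheme: the proof depends on a single-use challenge the server picks."""

    def __init__(self, keys: dict):
        self.keys = keys        # username -> shared secret key held by the user's token
        self.pending = {}       # outstanding challenge per user
        self.used = set()       # challenges already consumed (replay guard)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, nonce: bytes, proof: bytes) -> bool:
        key = self.keys.get(user)
        if key is None or self.pending.get(user) != nonce or nonce in self.used:
            return False
        # Consume the challenge whether or not the proof verifies.
        self.used.add(nonce)
        del self.pending[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def token_response(key: bytes, nonce: bytes) -> bytes:
    """What the user's keyed calculator computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demonstrate() -> dict:
    """Log in once legitimately, then present the same captured proof again."""
    results = {}

    pw_srv = PasswordServer({"alice": "s3cret-sample"})
    captured = "s3cret-sample"  # what an eavesdropper on the unencrypted link would see
    results["password_first"] = pw_srv.login("alice", captured)
    results["password_replay"] = pw_srv.login("alice", captured)  # still accepted

    key = b"constructed-shared-key-for-alice"
    cr_srv = ChallengeResponseServer({"alice": key})
    n1 = cr_srv.challenge("alice")
    p1 = token_response(key, n1)
    results["cr_first"] = cr_srv.login("alice", n1, p1)
    # Presenting the captured (n1, p1) pair again fails: n1 is consumed.
    results["cr_replay"] = cr_srv.login("alice", n1, p1)
    # The next login gets a new challenge; the old proof does not verify against it.
    n2 = cr_srv.challenge("alice")
    results["cr_old_proof_new_challenge"] = cr_srv.login("alice", n2, p1)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The server consumes the challenge before checking the proof, so a failed attempt cannot be retried against the same nonce, and `hmac.compare_digest` is used rather than `==` so the comparison does not leak timing information. A real deployment would additionally bind the exchange to the session and expire stale challenges.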

The next add-on to Internet firewalls was firewall-to-firewall encryption, first introduced on the ANS InterLock Firewall. Today, such an encrypted connection is known as a Virtual Private Network, or VPN. It is "private" through the use of cryptography. It is "virtually" private because the private communication flows over a public network, the Internet, for example. Although VPNs were available before firewalls via encrypting modems and routers, they came into common use running on firewalls. Today, most people expect a firewall vendor to offer a VPN option. Firewalls act as the endpoint for VPNs between the enterprise and mobile users or telecommuters, keeping communication confidential from the notebook PC, home desktop, or remote office.

In the past two years, it has become popular for firewalls to also act as content screening devices. Some additions to firewalls in this area include virus scanning, URL screening, and keyword scanners (also known in U.S. government circles as "guards"). If the security policy of your organization mandates screening for computer viruses (and it should), it makes sense to put such screening at a controlled entry point for computer files, such as the firewall. In fact, standards exist for plugging antivirus software into the data flow of the firewall, to intercept and analyze data files. Likewise, URL screening (firewall-controlled access to the World Wide Web) and content screening of files and messages seem like logical additions to a firewall. After all, the data is flowing through the fingers of the firewall system, so why not examine it and allow the firewall to enforce the security policies of the organization? The downside to this scenario is performance. Also, virus scanning must ultimately be performed on each desktop, because data may reach the desktops by paths other than through the firewall, for instance on a floppy disk.

Recently, some firewall and router vendors have been making the case for a relatively new firewall add-on called "flow control" to deliver Quality of Service (QoS). QoS, for example, can limit the amount of network bandwidth any one user can take up, or limit how much of the network capacity can be used for specific services (such as FTP or the Web). Once again, because the firewall is the gateway, it is the logical place to put a QoS arbitrating mechanism.
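The per-user and per-service bandwidth limits described above are commonly implemented with a token bucket. The following Python is an added illustration, not code from the article or from any of the vendors it mentions; the rate, burst size and packet trace are constructed, and the `(user, service)` key is an assumed way of identifying a flow.

```python
# Added illustration (not from the article): a token-bucket rate limiter of
# the kind a firewall "flow control" add-on could apply per user or per
# service. Bucket parameters and the packet trace are constructed samples.
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float           # tokens (bytes) added per second
    burst: float          # bucket capacity in bytes: the largest burst admitted at once
    tokens: float = 0.0
    last: float = 0.0     # timestamp of the last refill

    def __post_init__(self):
        self.tokens = self.burst  # a new bucket starts full

    def allow(self, nbytes: int, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False  # over the flow's share: the firewall drops or queues the packet


class FlowControl:
    """One bucket per flow key, e.g. ("bob", "ftp"); limits are applied independently."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def admit(self, key, nbytes: int, now: float) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, last=now)
        return bucket.allow(nbytes, now)


def simulate() -> list:
    """Replay a constructed packet trace through a 1000 B/s, 1500 B burst policy."""
    fc = FlowControl(rate=1000, burst=1500)
    packets = [  # (time in seconds, user, service, size in bytes)
        (0.0, "bob", "ftp", 1000),   # bucket full: admitted, 500 tokens left
        (0.0, "bob", "ftp", 1000),   # only 500 left: refused
        (0.0, "bob", "web", 1000),   # different service, its own bucket: admitted
        (1.0, "bob", "ftp", 1000),   # one second of refill brings ftp back to 1500: admitted
        (1.2, "bob", "ftp", 1000),   # 0.2 s of refill gives 700 tokens: refused
    ]
    return [fc.admit((user, svc), size, t) for t, user, svc, size in packets]


if __name__ == "__main__":
    for ok in simulate():
        print("admit" if ok else "drop")
```

Keying the buckets by service as well as by user is what lets a policy say "FTP may use at most this much" without touching web traffic, the second kind of limit the paragraph above describes.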

Firewalls Tomorrow

In 1997, The Meta Group, and others, predicted that firewalls would be the center of network and internetwork security [7]. After all, firewalls were the first big security item, the first successful Internet security product, and the most visible security device. They quickly became a "must have" (this is good) and a "good enough" (this is not good, because firewalls alone are not sufficient). Firewalls became synonymous with security, as mentioned above. The firewall console becoming the network security console seemed natural at that time. But this scenario has not happened, nor will it happen. The reason? The firewall is just another mechanism used to enforce a security policy. This specific enforcement device will not be the policy management device.

As organizations broaden the base of measures and countermeasures used to implement a comprehensive network and computer security policy, firewalls will need to communicate with and interact with other devices. Intrusion detection devices running on or separate from the firewall must be able to reconfigure the firewall to meet a new perceived threat (just as dynamic filtering firewalls today "reconfigure" themselves to meet the needs of a user).

Firewalls will have to be able to communicate with network security control systems, reporting conditions and events, allowing the control system to reconfigure sensors and response systems. A firewall could signal an intrusion detection system to adjust its sensitivity, as the firewall is about to allow an authenticated connection from outside the security perimeter. A central monitoring station could watch all this, make changes, react to alarms and other notifications, and make sure that all antivirus software and other content screening devices were functioning and "up to rev." Some products have started down this path already. Intrusion Detection System (IDS) and firewall reconfiguration of network routers based on perceived threat is a reality today. Also, firewall-resident IDS and help-desk software enable another vendor's system to expand from a prevention mechanism into detecting and responding. The evolution continues, and firewalls are changing rapidly to address the next 100 (Internet) years.

In June 1994, the author wrote [5], "Firewalls are a stopgap measure needed because many services are developed that operate either with poor security or no security at all." This statement is erroneous. Firewalls are not a stopgap measure. Firewalls play an important part in a multilevel, multilayer security strategy. Internet security firewalls will not go away, because the problem firewalls address, access control and arbitration of connections in light of a network security policy, will not go away.

As use of the Internet and internetworked computers continues to grow, the use of Internet firewalls will grow. They will no longer be the only security mechanism, but will cooperate with others on the network. Firewalls will morph, as they have, from what we recognize today, just as walls of brick and mortar were eventually replaced by barbed wire, motion sensors, and video cameras (and brick and mortar). But Internet firewalls will continue to be a required part of the methods and mechanisms used to enforce a corporate security policy.

References

1. Avolio, F. and Ranum, M., "A Network Perimeter with Secure External Access," Proceedings of the ISOC NDSS Symposium, 1996. (http://www.avolio.com/netsec.html)

2. Chapman, D. B. and Zwicky, E., Building Internet Firewalls, ISBN 1-56592-124-0, O'Reilly and Associates, 1995.

3. Cheswick, W. and Bellovin, S., Firewalls and Internet Security: Repelling the Wily Hacker, ISBN 0201633574, Addison-Wesley, 1994.

4. Ranum, M. and Avolio, F., "A Toolkit and Methods for Internet Firewalls," Proceedings of the Summer USENIX Conference, 1994. (http://www.avolio.com/fwtk.html)

5. Shimomura, T. and Markoff, J., Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw, By the Man Who Did It, ISBN 0-7868-89136, Warner Books, 1996.

6. Stoll, C., The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage, ISBN 0671726889, Reprint edition, Pocket Books, 1995.

7. Meta Global Networking Strategies File 549, November 24, 1997.



Copyright 2004 - Internet Guardian - All rights reserved