FIREWALLS:- A LAKSHMANREKHA FOR COMPUTER NETWORKS

                                                                                                              By K.V.Arun  B.E

     Internet can be described as a global web of interconnected computer network using a nonproprietary inter network standard known as TCP/IP (Transmission Control Protocol/ Internet Protocol), which allows computers to communicate with each other. The recent dramatic growth in the Internet has been driven primarily by e-mail applications and by World Wide Web. Organizations all over the world are embracing Internet as a powerful, bi-directional low cost medium for business transactions that include product marketing, advertising, online sales, customer support, etc. In addition Internet helps organizations bring their geographically dispersed offices and personnel together.
     Many view these technologies as leading edge technologies, many are unaware that the foundations on which these technologies are built are quite old and most date back to 1970's. The main criteria for developing TCP/IP technologies was to establish reliable connections, security was not a major concern as Internet was small and most users knew each other. The base technology used to construct this network contained several insecurities, most of which continue to exist today.

NEED FOR SECURITY:

        Every network is susceptible to security breaches and unauthorized access from external as well as internal sources. All networks will contain sensitive data, making network protection important for any organizations. In 1995, FBI reported that 80% of unauthorized access to corporate networks occurred using the Internet. Network security has evolved over the years in USA, but in developing countries, such as India, organizations do not have this luxury, they need a solid network security which is on par with the best in the world.

NETWORK SECURITY

 The ultimate security for a network is to disconnect from Internet, but it is retrograde step. The optimum security starts with a sound security policy taking into account network design, the sensitivity of information and the desired user access and application restrictions. Security must avoid undue complexity or restraint and should provide system administrator with adequate security auditing procedures.
 The network security policy specifies what connections are allowed between private network and external networks and the actions to be taken in event of a security breach. Once the security policy is in place, a company can begin implementing it. If the security policy is weak, then no amount of rigorous implementation will stave of attacks.

FIREWALLS

     An Internet firewall is a system that enforces the security policy between an organization' network and the Internet. A typical firewall should,

     The firewall determines which inside services may be accessed from outside, which outsiders are permitted access to permitted inside services and which outside service may be accessed by insiders.
 For a firewall to be effective all traffic to and from the Internet must pass through the firewall, where it can be inspected (see fig-1). Firewall acts like a law enforcement agency inspecting all the incoming and outgoing traffic. The firewall must permit only authorized traffic to pass. The firewall itself must be immune to attacks and penetration.

    Firewalls allow system administrators to define a centralized "choke point" that keeps unauthorized users such as hackers, crackers, vandals, spies and the like out of the protected network; prohibits potentially venerable services from entering or leaving the protected network; and provides protection from various routing attacks. A firewall offers a convenient point where Internet security and usage can be monitored and alarms generated. Firewall also provides means to audit Internet usage.

DESIGNING OF A FIREWALL
 While designing an Internet firewall, A number of decisions must be addressed by the system administrator depending on the organization's requirement. The most common ones are,

STANCE OF THE FIREWALL

     The stance of the firewall system describes the fundamental security philosophy of the organization. The Internet firewall may take one of the two diametrically opposed stances,

    Everything not specifically permitted in denied.
 
        This stance assumes that a firewall should block all traffic and that each desired service  or application should be implemented on a case to case basis. This is a recommended approach. It creates a very secure environment. The disadvantage is that it places security ahead of ease of use, limiting the number of options available to the user.
 
Everything not specifically denied is permitted.

     This stance assumes that a firewall should forward all traffic and each potentially harmful service must be shut off on a case to case basis. This approach creates a more flexible environment, with more services available to the user community. The disadvantage is that it puts ease of use ahead of security, putting the system administrator in a reactive mode and making it difficult to provide security as the size of the protected network grows.

SECURITY POLICY

     A solid security policy is the corner stone of any protection system. Each organization should develop a security policy based on its current needs, threats and future requirements.
The security policy must be based on a carefully conducted security analysis, risk assessment and the business needs. If an organization does not have a detailed security policy, the most carefully created firewall can be defeated. Implementing a firewall without a sound security policy is like placing a steel door on a tent.

COMPONENTS OF THE FIREWALL SYSTEM

         We have so far discussed about what is a firewall and what it does. Now let's take a look into the building blocks of a firewall for a better understanding of its functioning.
 A typical firewall is composed of one or more of the following building blocks.
 

        PACKET FILTERING ROUTER.

        A packet filtering router ( fig-2 ) screens every packet it receives, compares it with the packet filtering rules and makes a permit/deny decision for each packet.  The filtering rules are based on the packet header information that is made available to the IP (Internet Protocol) forwarding process. This information consists of the IP source address, IP destination address, the protocol used, the TCP/UDP (Transmission Control Protocol/ User Datagram Protocol) source port, the TCP/UDP destination port, ICMP (Internet Control Message Protocol) message type, and the incoming and outgoing interface of the packet. The header information is compared with the filtering rules. If a match is found and rules allow the packet, then the packet is forwarded. If a match is found and rules deny the packet, then the packet is discarded. If a match is not found then the packet is discarded or forwarded depending on the stance of the firewall.
         To fully understand the working of packet filtering, consider the following example illustrated in figure below.

        The host on network A with an IP address 200.0.0.1 (say) wants to send a packet to host on network B, the packet is initially sent to the routing host. The routing host receives the packet on interface 200.0.0.2. The routing software reads the header information in the packet, compares it with the filtering rules, and forwards/drops the packet based on the rules. Similarly when the host on network B send a packet to host on network A, the routing gateway receives the packet on interface 300.0.0.2 (say), compares the header information with the filtering rules, and forwards/drops the packet depending on the rules. Thus the routing gateway protects the private network from malicious packets originating from Internet.
 
        This kind of packet filtering imposes an overhead which can seriously degrade the network performance. To overcome this, a cache for screening for screening program is implemented.

        There are two methods of packet filtering, Service dependent filtering and Service independent filtering.

Service Dependent Filtering

         In service dependent filtering, the filtering rules allow a router to permit or deny traffic based on a specific service, since most service listeners reside on well known TCP/UDP number. Some of the typical filtering rules include,
 

Service Independent Filtering

        Certain types of attack are difficult to identify using basic packet header information because the attacks are service independent. Routers can be configured to protect against such attacks if we know more information about service independent attacks. Some common types of attacks are given below.

1) Source  IP address spoofing attacks.
 
        For this type of attack, the intruder transmits packets from outside that pretend to originate from an internal host i.e., the packets contain false header information such that it appears to come from an internal host. The attacker hopes that the use of spoofed source IP address will fool the router. Such attacks can be defeated by discarding all packets with an inside source IP address if it arrives on one of the router's outside interfaces.
 
2) Source Routing attacks.

         Here the attacker specifies the route to be taken by the packet as it traverses the Internet. This attack will fool the service dependent filtering rules and will penetrate the network. A source routing attack can be defeated by discarding all packets that contain the source route option.
 
3) Tiny Fragment attacks.

         In this type of attack, the intruder uses the fragmentation feature to create extremely small fragments and force the TCP header information into a separate packet fragment. The hacker hopes that the filtering router will examine only the first fragment and will allow other fragments to pass. This type of attack can be defeated by discarding all packets where the protocol type is TCP and the IP fragment offset is equal to 1.
         The majority of Internet firewall systems are deployed using only a packet filtering router. The main attraction is that packet filtering can be implemented in the router software and hence is a low cost option. Moreover packet filtering is included as part of  the standard router software. In most of the networks, Internet  access is provided over a WAN interface, there is little impact
on the router if the traffic is moderate and few filters are defined. However if large number of filters are defined, there will be serious degradation in network performance. To overcome this drop in performance, a separate cache is used for packet filtering. Also the packet filter  is transparent to the users and applications.
        Another drawback of packet filtering gateway, is that  it is susceptible to data driven attacks. In data driven attacks, a seemingly harmless data is first sent to the private network, the router forwards this to the internal host. The data contains hidden instructions that cause the host to modify access control and security related files, making it easier for the intruder to gain access to the system.
         Packet filtering gateway can permit or deny a particular service, but is not capable of understanding the context of a particular service. For example, it is unable to differentiate between a full Telnet access and a partial one. This type of control can be implemented at a higher layer called as Application level gateways.

APPLICATION LEVEL GATEWAYS

     As the name implies, application level gateway operate in user space at the Open System Interconnection (OSI) model, controlling the traffic between the networks. A separate gateway listens on the appropriate TCP/UDP port on the firewall for each protocol that the firewall relays. This provides high level of control over all TCP/IP services and also provides extensive logging for traffic audit. This allows only specified applications to be permitted while denying all others. For example, it is possible to allow only authenticated users to copy files from a private network using FTP PUT command, at the same time allow anyone to copy files from an external network into a private network using FTP GET command. This high level of control is also apparent in the log files which show the source and destination address ( both in IP and in Fully Qualified Domain Name (FQDN) ) , along with the commands executed, names of the files transferred and file size.
         To implement Application level gateway, a special purpose code ( commonly called as Proxy code) is installed on the firewall gateway for each application. If the proxy code is not installed for a particular application, that service is not supported and cannot be forwarded across the firewall. The proxy code can be configured to support only those specific features as per the security policy while denying the rest.
         This enhanced security comes with an increased cost as it requires a gateway hardware platform, the proxy code, time and knowledge to configure the gateway. Implementing application gateway results in a decrease in the level of service that may be provided to the users, and less user friendly system. In this situation, the system administrator has to balance between the organization's need for security and the user's demand for ease of use.

Most firewalls provide the following application level gateways.

        An application level gateway is often called as "Bastion Host"  because it is a designated system that is specifically armored and protected against attacks.   The Bastion host or Application gateway should have the following security features,
  To understand application gateway, consider an example of Telnet proxy.
 
 

        The Telnet proxy never allows the remote user to log in or have direct access to the inside server. The remote user telnets to the gateway which aunthentiates the user, after authentication, the remote user gains access to the user interface of the telnet proxy. The Telnet proxy permits only a subset of telnet commands and determines which inside hosts are available for the remote user. In addition the remote user must have an account in the internal host to access the host.
        Application gateway is advantageous over packet filtering as it gives complete control over the transactions between networks. The flip side is that the users may find it inconvenient.

CIRCUIT LEVEL GATEWAY

         A circuit level gateway is a specialized function that can be performed by an application level gateway. A circuit level gateway simply relays TCP connections without performing any filtering. As illustrated in figure, The circuit level gateway relays FTP connection through the firewall. The circuit level gateway relays the files such that it appears to be originating from the firewall. It conceals information about the protected network. Circuit level gateways are often used when system administrator trusts the inside users. This makes the firewall system easier to use for the internal users while providing security for the network.

ALARM SYSTEM
 
        Every security system should have an alarm. In case of firewalls, an alarm program monitors the events generated by the application gateways and are maintained in a log file. The alarm system usually has one or more alarms associated with each event. The alarm that is triggered depends on the current level of security awareness of the firewall, which can be set by system administrator. The alarm system notifies the system administrator when there is a breach so that appropriate security measures can be taken.

SUMMARY
 
        The basic idea of using a firewall is to provide security to the organization's network from outside attack. Firewall are man made and are liable to failure. However implementation of firewall will deter hackers and the like form attacking. Even in case of attack, firewall alarm system will enable system administrator to act before serious damage is made.
         For effective functioning of a security system, users must cooperate. A firewall can be easily defeated by an internal user. System administrator should ensure that all connections to external networks must pass through the firewall. For example, a firewall can be easily defeated if an user opts for a dial up connection to Internet. Such a connection will create a hole in the firewall and the network security is seriously affected.