Windows NT Security: A Collection of Topics
View the book table of contents
Author: John Enck
Published: June 1998
Copyright: 1998
Publisher: 29th Street Press
 


FIREWALLS: SECURING NT NETWORKS FROM INTERNET INTRUDERS

by Philip Carden and Charles Kelly

Most businesses today have learned that an Internet connection sharpens their competitive edge by giving them (and their customers) timely access to information. But connecting to the Internet spawns a new set of responsibilities for IS departments: They must deliver reliable Internet services to corporate users while ensuring that systems and information stay secure from outside threats — such as hackers — that an Internet connection exposes them to. An important tool for protecting a corporate network from Internet intrusions is a firewall — an intelligent device that controls traffic between two or more networks for security purposes.

Just as a firewall blocks the spread of a real fire, a network firewall is a hardware/ software barrier between a corporate network and the Internet. The firewall gives you control over who can access the connection and how they can access it. A firewall usually consists of a Unix or Windows NT computer running special firewall software, though other hardware platforms such as routers can also run firewall software. Although this software is usually associated with Internet connections, you can use firewalls to control traffic between parts of an intranet or between networks of different corporations.

Before you set up a firewall, you need a risk analysis to determine whether your organization is a candidate for a firewall and you need to draft an Internet security policy. For information about these issues, see “Who Needs a Firewall?” and “Drafting an Internet Policy Document.”

Firewall Features
Different organizations have different firewall needs. Based on those differing needs, firewall features fall into five major categories:
  • basic requirements
  • support for additional Internet services
  • advanced security and control
  • remote users and virtual private networking
  • enterprise-level functionality
The rest of this article explores the significant issues in each category and examines the features specific to NT firewalls.

WHO NEEDS A FIREWALL?
To determine whether your organization needs a firewall for Internet security, you must first assess the risks of your Internet connections. The four most common types of Internet connectivity in organizations are
  • dial-up Internet email connections using the Unix-to-Unix CoPy (UUCP) utility
  • individual dial-up accounts with online service providers (e.g., Prodigy, America Online, CompuServe)
  • individual dial-up PPP connections to an ISP
  • a full-time leased line (i.e., dedicated connection) to an ISP
Although all these connections represent a potential security hazard, the most risky are those that use TCP/IP as the end-to-end transport mechanism. This risk results from TCP/IP transport mechanisms supporting a range of services, including services that hackers use. Full-time leased lines and dial-up PPP connections use such TCP/IP connections. UUCP and online service provider connections are generally safer because they use specialized transport protocols for part of the connection. Such specialized transport protocols usually support only the intended application and so limit the number of attacks possible over the connection.

Note that individual accounts with online services can sometimes use TCP/IP as the end-to-end transport mechanism. If your organization uses such accounts for Internet access, you can expose your internal network to significant threats, even if your service provider implements security measures (e.g., a firewall between the service’s system and the Internet). If online service provider accounts or dial-up PPP accounts are starting to appear in your organization, the time has probably come to move to a dedicated Internet connection that you can protect with a firewall.

Some ISPs provide a firewall service, which may be a cost-effective option for small companies. However, operating your own firewall lets you more easily meet users’ Internet-access needs so they won’t be tempted to secretly install dangerous dial-up accounts. Any organization that’s large enough to have an internal IS staff and must provide Internet access beyond simple email needs a full, dedicated Internet connection that an onsite firewall controls. In addition, any organization that must tightly control access to or from particular departments or provide a dedicated network connection to an external organization over the Internet needs a firewall.

DRAFTING AN INTERNET POLICY DOCUMENT
An effective way to mitigate the risk of connecting to the Internet is to make sure your network security policy is up to date and security procedures are working correctly. So before you connect your business systems to the Internet, draft an Internet policy document that states how employees may use the Internet and explains the responsibilities of users and the IS department for maintaining security. This document needs to state
  • who may use the company’s Internet resources
  • how employees may and may not use the Internet (with examples)
  • who is authorized to grant access and approve use
  • who has firewall system-administration privileges
The policy draft needs to begin by explaining why Internet security and control are important. For example: “Any connection between the ACME corporate network and the Internet presents the opportunity for non-ACME employees to attempt to access corporate systems and information. It is therefore extremely important that such a connection is secure, controlled, and monitored. It is also important that employees use the Internet to increase productivity rather than for nonbusiness purposes that may adversely affect the responsiveness of critical business systems on the network.” The policy also needs to clearly state that, after a trial period, no connection to the Internet is permitted except via the firewall (e.g., no dial-up PPP connections to ISPs) and any use not expressly permitted is prohibited. The policy also needs to inform users that IS will log and audit Internet use to ensure compliance.

After drafting the Internet policy document, IS needs to let user representatives give feedback on the policy before IS selects a firewall product. This process ensures that IS clearly understands user requirements and, more important, lets IS clearly set expectations for the Internet capabilities they will make available to users.

Users are often surprised to learn about limits on the types of Internet access they can have. However, try to accommodate valid business needs for Internet access. Table A gives examples of the permitted and prohibited uses of four typical Internet services. Note that the policy elements address not only security but also performance issues.

Basic Requirements
A basic firewall lets corporate-network users access common Internet services while preventing unauthorized outside users from accessing internal systems. A firewall needs to let a security administrator set up rules for the types of allowed and prohibited connections. In addition, a firewall needs to ensure that internal IP addresses remain invisible to the Internet and allow the IP address range that you use inside the firewall to be different from and larger than your company’s registered Class A, B, or C IP address range.

Firewalls also log network activity in detail, filter the log to produce meaningful reports, and alert a network administrator when the network has reached a predefined suspicious-activity threshold. Make sure your firewall software supports at least the following Internet services: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Gopher, Simple Mail Transfer Protocol (SMTP), and Telnet. Your firewall also needs a way to provide Domain Name System (DNS) name resolution (preferably by letting you run DNS on the firewall and on an internal system).

In addition, a basic firewall system needs to be easy to use. In particular, adding rules to firewall software needs to be easy and, more important, examining and understanding previously entered rules needs to be easy.

A firewall should have a graphical interface, especially if the firewall will be administered by a staff member who is used to NT. Finally, a firewall needs high-quality documentation that clearly explains how to configure each type of Internet service and explains address-related issues such as setting up DNS and configuring Web browsers.

Packet Filters and Proxy Systems
The two main methods for providing a basic firewall are packet filters and proxy systems. A packet filter is a device (usually a router with traffic-filtering capabilities) that controls traffic based on the IP source/destination addresses and the TCP source/destination port in the header information of each TCP/IP packet sent across a network (a port is a number that identifies the service the packet is using). For example, you can set up a traffic filter on a router that allows IP traffic only with a source or destination IP address that corresponds to the Dynamic Host Configuration Protocol (DHCP) scope you use for client workstations. You can add another filter that specifically disallows TCP port 139, the port number NetBIOS uses for connections over TCP/IP — the port number Windows clients use to log on to servers (remember that even NT Workstation clients can run the NT Server service). Finally you can filter User Datagram Protocol (UDP) on ports 137 and 138, which NT uses to advertise computer names and related information. With these steps, you build a simple packet filter that goes some of the way toward preventing outsiders from directly connecting to an internal server, while allowing internal users to access Internet services.

This packet filter is far from perfect. For example, suppose a hacker tries to connect to each address in your DHCP scope on TCP port 21, the FTP port. Somewhere in that scope, the hacker might find a machine running FTP server software and could then upload a file to it. He or she might upload an executable file with a name similar to a file the user recently downloaded, one that produces unexpected results when the user accidentally clicks on it. A better security approach is to disallow all TCP and UDP ports except those your users need (such as TCP port 80 for HTTP).
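To make the two designs concrete, here is an added example (not from the book) of a toy stateless packet filter in Python. It evaluates the three router rules described above (restrict traffic to the client scope, block TCP 139, block UDP 137/138) and the tighter default-deny alternative against a handful of constructed packets, and shows that the deny-list design lets an outside FTP probe through while the allow-list design does not. The 10.1.0.0/24 client scope, the outside addresses (taken from documentation ranges) and the packets are assumptions made for the demonstration.

```python
"""Added example (not from the book): a toy stateless packet filter that
compares the text's deny-list router rules with a default-deny allow-list.
All addresses, ports and packets below are constructed sample values."""
from ipaddress import ip_address, ip_network

# Constructed: the DHCP scope handed out to client workstations.
CLIENT_SCOPE = ip_network("10.1.0.0/24")

def in_scope(addr):
    return ip_address(addr) in CLIENT_SCOPE

# Each rule is (description, predicate, action); the first match wins, and a
# packet matching no rule gets the filter's default action.
# These three rules are the router filter described in the text.
BLOCKLIST_RULES = [
    ("deny TCP 139 (NetBIOS session service)",
     lambda p: p["proto"] == "tcp" and p["dst_port"] == 139, "deny"),
    ("deny UDP 137/138 (NetBIOS name and datagram services)",
     lambda p: p["proto"] == "udp" and p["dst_port"] in (137, 138), "deny"),
    ("deny anything that touches neither end of the client scope",
     lambda p: not (in_scope(p["src"]) or in_scope(p["dst"])), "deny"),
]
BLOCKLIST_DEFAULT = "allow"

# The tighter design: permit only what users need (here, HTTP) and deny the rest.
# Because the filter keeps no state, replies from source port 80 must be let
# back in unconditionally, which is the weakness the text goes on to describe.
ALLOWLIST_RULES = [
    ("allow HTTP requests from clients",
     lambda p: p["proto"] == "tcp" and in_scope(p["src"]) and p["dst_port"] == 80, "allow"),
    ("allow HTTP replies to clients",
     lambda p: p["proto"] == "tcp" and in_scope(p["dst"]) and p["src_port"] == 80, "allow"),
]
ALLOWLIST_DEFAULT = "deny"

def apply_filter(rules, default, pkt):
    """Return (action, reason) for one packet under a rule list."""
    for description, predicate, action in rules:
        if predicate(pkt):
            return action, description
    return default, "default policy"

def packet(src, src_port, dst, dst_port, proto="tcp"):
    return {"src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port, "proto": proto}

# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS = {
    "client web request": packet("10.1.0.5", 3456, "203.0.113.10", 80),
    "web reply": packet("203.0.113.10", 80, "10.1.0.5", 3456),
    "outside logon attempt": packet("198.51.100.7", 4000, "10.1.0.5", 139),
    "outside name query": packet("198.51.100.7", 4000, "10.1.0.5", 137, "udp"),
    "outside FTP probe": packet("198.51.100.7", 4000, "10.1.0.5", 21),
    "outside to non-client host": packet("198.51.100.7", 4000, "10.1.1.9", 80),
}

def compare_policies(packets=SAMPLE_PACKETS):
    """Map each sample packet to its verdict under both designs."""
    return {name: {"blocklist": apply_filter(BLOCKLIST_RULES, BLOCKLIST_DEFAULT, p)[0],
                   "allowlist": apply_filter(ALLOWLIST_RULES, ALLOWLIST_DEFAULT, p)[0]}
            for name, p in packets.items()}

if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:28} blocklist={verdicts['blocklist']:5} allowlist={verdicts['allowlist']}")
```

Running the block prints one line per sample packet; the "outside FTP probe" row is the one to look at, since the deny-list design passes it and the allow-list design drops it. Note that even the allow-list must admit any packet whose source port is 80, which is why the text treats packet filters as a supplement to a proxy rather than a replacement.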

Even when you create a filter that permits only essential traffic, packet-filtering devices alone usually don’t provide adequate security. The reason for this inadequacy is that packet filters can’t establish whether an IP source address is valid (a hacker can use a forged address) nor ensure a TCP source port will be used only for the service commonly associated with that port. A hacker can run any client or server program on a source port running through your packet filter. However, packet filters are well-suited to supplementing the protection that a firewall provides. For example, you can place routers with packet filters on one or both sides of a firewall to increase overall security and limit your organization’s dependence on a single machine.

The proxy system shown in Figure 1 provides a more secure firewall than a packet filter alone. The proxy system (sometimes called an application-level gateway) consists of a host running both a proxy server program and a proxy client program (the proxy server and proxy client are also called a proxy service, or proxy). The firewall host usually has two network adapter cards: one that communicates between the firewall system and an internal network and another that communicates between the firewall and an external network such as the Internet (this setup is a dual-homed gateway). For more information on how a proxy works and Microsoft Proxy Server, see “Microsoft’s Proxy Server: Introduction and Installation” and “Configuring Microsoft’s Proxy Server” later in this section.

A user connecting to the Internet first connects to the proxy server running on the firewall. Then on behalf of the real client, the proxy client (also running on the firewall) establishes a session with the destination host. For example, to establish a Web connection, a Web browser connects to a proxy Web server running on the firewall machine. After verifying that this connection is allowed, the proxy Web server starts a proxy Web client, which then connects to the destination Web server. Most proxy system firewalls support transparent connection, which means the firewall is not apparent to an authorized user.

A proxy system is a secure solution because it protects an internal corporate network from the hazards of a direct IP connection. To Internet hackers, a site with a proxy system appears as only one computer and IP address establishing Internet connections; the firewall hides the rest of a site’s Internet-connected systems and IP addresses.

Besides providing security, a proxy system conserves IP address space. Because the number of Internet-connected systems worldwide is huge and still growing, the number of IP addresses is limited. Each Internet-connected system must have a unique IP address (often an Internet Service Provider — ISP — assigns, clears, and registers the address and class range through InterNIC Registration Services). With a proxy system, you need only one unique IP address — that of the proxy; you can use any addressing scheme you want for your internal systems. (If you don’t use a proxy system firewall, you must make sure your firewall can map internal addresses to unique IP addresses.)

Proxy systems provide a simple, secure way to implement basic Internet services. So, many firewall products use this approach or combine proxy systems with other methods. If you have to connect a small organization to Internet email and the Web, a simple proxy-based firewall will probably meet your needs.

Additional Internet Services
Proxy systems are a secure, but basic, firewall solution. A disadvantage of the proxy approach is that you must use a separate proxy service for each Internet service you want to support. Many firewalls include proxies for the most common Internet services (HTTP, FTP, Gopher, SMTP, Telnet), but firewalls often do not provide proxies for less common services such as RealAudio, Internet Relay Chat (IRC), and even news protocols. Perhaps this lack of services is because the proxy firewall vendor has not yet developed the proxy or because the Internet service is not well suited to a proxy solution. Services based on connection-oriented TCP are usually better suited to a proxy solution than are connectionless UDP-based services, because the proxy approach is connection oriented: A proxy client establishes a connection with the real destination based on an already established connection between the real client and the proxy server.

Because of proxy system limitations, many firewall products provide ways to connect through an Internet gateway or to use an alternative approach. For example, the Eagle NT firewall by Raptor Systems not only provides predefined proxies for FTP, Gopher, HTTP, SMTP, and Telnet but also lets an administrator custom-define uni- or bidirectional service-passing proxies for supporting less common services.

CheckPoint’s FireWall-1 uses a different architecture, stateful inspection. The company claims it supports 120 different applications, protocols, and services. Stateful inspection works like packet filtering but may provide better security because it examines application-level information within IP packets and keeps track of a connection’s context. To explain the difference between packet filtering and stateful inspection, let me use TCP-based FTP as an example.

An FTP client opens a TCP connection to port 21 (the FTP command port) on the FTP server. The FTP client also picks a random TCP port (usually greater than 1024) for the data channel and tells the FTP server (via the command port) that the client will listen for data on that port. The FTP server then opens a TCP connection to that high TCP port on the client and transfers the data. To let this service pass with a simple packet filter, you need to allow a destination TCP port of 21 for connections originating from the client to the server and allow all destination TCP ports above 1024 for connections from the server to the client. You can tighten this design a little because the FTP service definitions also tell us that the client source port for the command phase is above 1024 and that the server sends data from port 20. However, if you want to let users download files from anywhere on the Internet, you still need to let a host on the Internet establish a session from its port 20 to any port above 1024 on your internal clients.

The problem is that you have no way of telling whether that connection is being used for FTP data transfer or some malicious purpose. This flaw is because such packet filters provide no way of tracking the context of the connection. Checkpoint’s FireWall-1, in contrast, does keep track of context or state. When FireWall-1 sees an attempt to connect to port 21 (assuming a rule in the FireWall-1 rule base permits FTP), the program examines the application information in the packet to confirm the packet is FTP. The program then allows packets from the destination FTP server (with a source port of 20) back to destination ports above 1024 on the client that originated the connection. In short, the program keeps track of which FTP data connections are associated with which FTP command connections and allows only those high TCP destination port connections that have a valid reason to be there.
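The following added example (not from the book, and not CheckPoint's code) models the stateful behaviour just described in Python: a toy inspector that tracks FTP command channels, reads the client's PORT command to learn which data port was announced, and admits a server connection from port 20 only when it matches a pending announcement, consuming the announcement once used. A stateless rule in the text's form (any port 20 to any port above 1024 on a client) is evaluated beside it for contrast. The client scope, addresses and the session trace are constructed assumptions.

```python
"""Added example (not from the book): a toy stateful inspector for active-mode
FTP, modelled on the stateful inspection the text describes. Addresses and the
packet trace are constructed; real products parse far more than this."""
import re
from ipaddress import ip_address, ip_network

CLIENT_SCOPE = ip_network("10.1.0.0/24")  # constructed: internal clients permitted to use FTP
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def packet(src, src_port, dst, dst_port, payload=""):
    return {"src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port, "payload": payload}

class FtpStatefulInspector:
    def __init__(self):
        self.control = set()      # (client, client_port, server) for open command channels
        self.expected_data = {}   # (server, client, data_port) -> True while a PORT is pending

    def _parse_port(self, payload):
        """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, port), or None."""
        m = PORT_CMD.match(payload)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

    def inspect(self, pkt):
        src, sp, dst, dp = pkt["src"], pkt["src_port"], pkt["dst"], pkt["dst_port"]
        # 1. A client opening or using a command channel to port 21 (the rule base permits FTP).
        if dp == 21 and ip_address(src) in CLIENT_SCOPE:
            self.control.add((src, sp, dst))
            announced = self._parse_port(pkt["payload"])
            if announced:
                host, port = announced
                # Accept only a data port that belongs to this same client and is unprivileged.
                if host == src and port > 1024:
                    self.expected_data[(dst, src, port)] = True
                else:
                    return "deny", "PORT command names a foreign host or privileged port"
            return "allow", "FTP command channel"
        # 2. Server replies on an established command channel.
        if sp == 21 and (dst, dp, src) in self.control:
            return "allow", "FTP command reply"
        # 3. Server-initiated data connection from port 20: allowed once per announcement.
        if sp == 20:
            if self.expected_data.pop((src, dst, dp), False):
                return "allow", "FTP data connection announced by PORT"
            return "deny", "port-20 connection with no matching PORT command"
        return "deny", "no rule permits this packet"

def stateless_verdict(pkt):
    """The packet-filter rule from the text: any port 20/21 -> >1024 into the client scope passes."""
    if pkt["src_port"] in (20, 21) and pkt["dst_port"] > 1024 and ip_address(pkt["dst"]) in CLIENT_SCOPE:
        return "allow"
    if pkt["dst_port"] == 21 and ip_address(pkt["src"]) in CLIENT_SCOPE:
        return "allow"
    return "deny"

def run_session(packets):
    """Return (stateless, stateful) verdicts for each packet of a trace, in order."""
    inspector = FtpStatefulInspector()
    return [(stateless_verdict(p), inspector.inspect(p)[0]) for p in packets]

# Constructed trace: a legitimate active-mode transfer, a replayed data connection,
# then an unrelated outside host connecting from port 20 to a high client port.
CLIENT, SERVER, OUTSIDER = "10.1.0.5", "203.0.113.20", "198.51.100.7"
SAMPLE_SESSION = [
    packet(CLIENT, 3456, SERVER, 21),                              # open command channel
    packet(SERVER, 21, CLIENT, 3456, "220 ready\r\n"),             # server greeting
    packet(CLIENT, 3456, SERVER, 21, "PORT 10,1,0,5,13,129\r\n"),  # announces data port 13*256+129 = 3457
    packet(SERVER, 20, CLIENT, 3457),                              # the announced data connection
    packet(SERVER, 20, CLIENT, 3457),                              # same again: announcement already used
    packet(OUTSIDER, 20, CLIENT, 5000),                            # port-20 source, no FTP context
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)):
        print(f"{p['src']}:{p['src_port']} -> {p['dst']}:{p['dst_port']}  stateless={stateless} stateful={stateful}")
```

The stateless rule passes all six packets because it cannot tell a data connection from any other port-20 source. The inspector passes the first four, refuses the repeated connection (the PORT announcement was consumed), and refuses the outside host's connection because no command channel ever announced it. The check that the announced host equals the client's own address is the extra caveat a practitioner would want: a PORT command is client-supplied data and should never be allowed to open a path to some third machine.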

Products that let you configure custom services or use state-oriented architectures provide greater flexibility and security than products that provide only a limited number of predefined proxy services. Consider seriously the more flexible products if your users must access less common or more sophisticated Internet protocols or if your users are so numerous that you must allow for unforeseen requirements. If you have these needs, also look for firewall products that provide many predefined services.

Advanced Security and Control
Many firewalls provide security beyond source-, destination-, and service-based rules. For example, some firewalls allow rules based on time of day, day of week, and date ranges. Other firewalls provide features such as configuration verification and virus scanning. Some firewall products also monitor what processes are running on the firewall system and halt unknown processes.

Another type of advanced firewall security is user-oriented authentication—the ability to allow or deny certain connections based on a username and password combination or a more advanced scheme for identifying individual users. Some NT-based firewall products that support user-oriented authentication include Eagle NT, FireWall-1, Global Internet’s Centri Firewall for Windows NT, and Microsoft’s proxy server (Internet Access Server code named Catapult).

Various authentication technologies are available. The simplest forms require entering a username and a reusable password. This method is suitable for controlling only outbound Internet access, because a hacker can guess passwords or eavesdrop on the connection to capture usernames and passwords for reuse.

For inbound access, one-time passwords that follow a scheme such as Bellcore’s S/KEY provide more security. The S/KEY scheme calculates a six-word, one-time password based on a sequence number, firewall-supplied seed word, and a user’s secret password. Users enter a different password each time they connect.
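The hash-chain idea behind S/KEY is short enough to show in full. The added example below (not from the book, and not Bellcore's implementation) keeps the chain structure but simplifies it: RFC 1760 S/KEY folds MD4 output to 64 bits and encodes it as six short words, whereas this version uses SHA-256 hex digests and skips the word encoding. The seed, secret and chain length are constructed values. The server stores only the current top of the chain, so a captured password is useless after it has been accepted once.

```python
"""Added example (not from the book): a simplified S/KEY-style one-time password
chain. The hash is SHA-256 rather than RFC 1760's folded MD4, and the six-word
encoding is omitted; the seed and secret are constructed values."""
import hashlib

def chain_value(secret, seed, n):
    """Apply the hash n times to seed+secret and return the result as hex.

    The user's secret never leaves the client; only chain values travel."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value.hex()

class OtpServer:
    """Firewall side: holds the seed, the sequence number and the last accepted value."""

    def __init__(self, seed, top_of_chain, sequence):
        self.seed = seed
        self.stored = top_of_chain   # H^sequence(seed+secret), set up once at registration
        self.sequence = sequence

    def challenge(self):
        """Tell the user which chain value to compute next (sequence number and seed)."""
        return self.sequence - 1, self.seed

    def verify(self, candidate_hex):
        """Accept candidate only if hashing it once reproduces the stored value."""
        if self.sequence <= 1:
            return False  # chain exhausted: re-register with a new seed before continuing
        try:
            hashed = hashlib.sha256(bytes.fromhex(candidate_hex)).hexdigest()
        except ValueError:
            return False  # not hex at all
        if hashed != self.stored:
            return False
        # Move the chain down one step; the value just accepted can never be accepted again.
        self.stored = candidate_hex
        self.sequence -= 1
        return True

def register(secret, seed, length):
    """Client computes the top of the chain once; the server never sees the secret."""
    return OtpServer(seed, chain_value(secret, seed, length), length)

def demo_logins(secret="correct horse", seed="fw98765", length=5):
    """Return verdicts for: a valid login, a replay of the same value, the next valid login."""
    server = register(secret, seed, length)
    n, seed_from_server = server.challenge()        # the user types the value for n
    first = server.verify(chain_value(secret, seed_from_server, n))
    replay = server.verify(chain_value(secret, seed_from_server, n))
    n, seed_from_server = server.challenge()
    second = server.verify(chain_value(secret, seed_from_server, n))
    return first, replay, second

if __name__ == "__main__":
    print(demo_logins())
```

The server-side cost is one hash per login and a few dozen bytes of state per user; the client needs the secret and the seed to rebuild any chain value on demand, which is exactly what the handheld token generators mentioned next automate.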

Better still, some firewalls provide integration with one or more credit card-sized, handheld token generators that automatically generate and display the next password the user will enter. Examples include Security Dynamics’s SecurID, Digital Pathways’s SecureNet Keys (SNKs), CRYPTOCard’s CRYPTOCard RB-1, and Digipass S.A.’s Digipass. In addition, watch for firewall systems that support Cisco’s TACACS+ or Livingston’s RADIUS schemes (predominantly for authenticating users dialing into access servers via the public telephone network).

Many organizations also want to control employee access to non-business-related Internet sites. Limiting such outbound access is called content filtering. NT-based firewall products currently let you filter content by manually maintaining lists of allowed and prohibited uniform resource locators (URLs). Implementing content filtering without using the firewall is also possible. Indeed, because this is a productivity and legal issue rather than a security issue, you can choose to keep the firewall simple and perform the content filtering elsewhere. One alternative is to use specialized content filtering servers, which sit between the users and the firewall (or between the firewall and the Internet) and use a database of URLs supplied by a third-party vendor that classifies sites for you. You can then allow or disallow classes of sites, such as adult, gambling, sports, and leisure, based on criteria such as time of day. Another alternative is to rely on content providers to use RSACi (the Recreational Software Advisory Council’s Internet content rating system) to rate their sites. An RSACi-enabled browser (currently, that means Internet Explorer — IE — 3.0 or higher) lets you set up the browser to allow access only to rated sites that meet your criteria.

Remote Users and Virtual Private Networking
If your company’s mobile users or telecommuters must connect to your corporate systems via the Internet, or if you want to establish Internet links with business partners, suppliers, or customers, you must use encryption between the remote locations and your firewall. This use of encryption to enable private communications across the Internet is a Virtual Private Network (VPN). Unfortunately, no NT firewall product supports emerging VPN encryption standards. Instead, vendors use proprietary encryption techniques. So all members of your VPN must use products from the same vendor.

Encryption standards are especially important for Internet connections among trusted business partners (e.g., to support EDI applications). With such standards in place, partners need not have the same firewall to exchange information.

The Internet Engineering Task Force (IETF) has already defined the main set of VPN encryption standards, the IP Security (ipsec) standards. They include the Encapsulating Security Payload (ESP) protocol — RFC 1827 — for encryption and the Authentication Header (AH) protocol — RFC 1826 — for authenticating TCP/IP packets. Encryption vendor RSA Data Security has introduced S/WAN, an alternative to ipsec. S/WAN uses the proprietary RC5 encryption protocol. The IETF continues to evaluate standards for a key-management protocol, the method by which encryption keys are automatically passed between computers. (For more on encryption and key management, see “Digital Envelopes and Signatures” and “Secure Enterprise Email” later in this section.)

If you plan to connect to other organizations across the Internet in the next year or two, find out whether the firewall vendors you’re considering have participated in VPN standards interoperability testing and whether they plan to introduce ipsec support.

If you want to establish a VPN that includes only your company’s sites, you can use proprietary VPN technologies to implement a secure working solution right now. Similarly, if you want to let remote users connect via dial-in Point-to-Point Protocol (PPP), many vendors can provide a solution that uses software on a remote PC to provide an encrypted path back to the firewall. Another common approach is to provide encryption between a remote system and a server inside the firewall. However, this approach requires establishing a path through the firewall, which can open a security hole.

Enterprise-Level Functionality
Large organizations usually require an enterprise-capable firewall that includes multiple firewalls and multiple interfaces on those firewalls. An enterprise-capable firewall lets a network administrator centrally manage remote firewalls over an encrypted path and as one entity, with a central point for logging network information. Many firewall products achieve this configuration by separating the management interface program from the rule-processing engine. Some firewall vendors, including CheckPoint and Raptor, also let you download packet filters to routers such as those from Bay Networks and Cisco Systems. An enterprise-capable firewall also needs to provide realtime notification of suspicious activity via email and pager and needs to generate Simple Network Management Protocol (SNMP) traps that you can integrate with the enterprise network management system. (SNMP is a standard protocol that network management systems use to collect information from network devices.)

NT-Specific Features
If you plan to run your firewall on NT, answers to a few additional questions will determine your firewall product needs. For instance, during the product’s installation, does it automatically configure NT to maximize security (e.g., does the firewall disable IP forwarding, nonessential services such as the server service, and the guest account)? Is the product tightly coupled with native NT features such as User Manager for Domains, Event Viewer, and Perfmon? Will the product run on the Digital Equipment Alpha version of NT? Will it run on NT 4.0? Is the product integrated with Microsoft’s DNS Server, or does it require a different DNS server? (This question is more important if you intend to use NT 4.0, which includes Microsoft’s DNS Server.)

Start with the Basics
When evaluating your organization’s firewall requirements, start with the basics and add more complexity as needed. A basic firewall that consists of a proxy system and packet-filtering device and supports common Internet services can be enough for a small organization. Large organizations and those with sophisticated users can require multiple firewalls that support more Internet services. Stay tuned for an upcoming article that will review several NT-based firewall products in tests in a real-world, corporate NT environment.


NT Version: NT 3.51/4.0 (Workstation or Server)


