CSI, the Computer Security Institute, conducts an
annual survey concerned with computer security issues. The results
of the survey done late in 1995 were as follows:
The survey results were based on 320 responses from
information security professionals in Fortune 500 corporations,
universities and government agencies. Sixty-six percent have 1,000
or more employees. Thirty-two percent have more than $1 billion
in annual revenues.
Computer Security Institute, established in 1974,
is the oldest international membership organisation concerned
specifically with information security.
The most startling point to be noticed from the survey is that about a third of sites (34 percent) have no firewall whatsoever. That means that the amount of sensitive data available to even the most inadequate of crackers is remarkable.
There are many reasons why networked computer systems
need to be secured.
Firstly, there is the obvious reason of protecting
the system from crackers (note: see the glossary below). Precious
resources and sensitive data are all at risk. A cracker who has
compromised a computer completely has access to all files, data
and resources. Quite often the cracker also knows what to do
with this data. Furthermore, a compromised system can be used
as a launchpad for attacks against other systems.
The second reason for securing a system, even if it is not connected to the Internet at large, is to protect the internal network from new, possibly buggy software. There are plenty of horror stories about supposedly tested, reviewed and mature programs wreaking havoc on irreplaceable data.
Perhaps the most important decisions that must be made with regard to security are those of policy. Naturally, the more secure a system becomes the less convenient it is for the users of that system. Security policy determines what is important to the users of the system and at what cost certain services are to be denied. The tighter the security, the less open the system is, to attackers and to users alike. For example, most firewalls do not allow X11 (the popular windowing system) protocol messages through.
There are other things to consider when determining security policy. For example, there should be a password quality checking mechanism in place. You might think it important for users to change their passwords frequently. Alternatively you could use some sort of one-time password scheme. You may not want users to log in from outside the office at all. These things must all be considered as part of the security policy.
A firewall is a defence mechanism against accidental or purposeful attack against a computer system. It is not a single product and does not necessarily run on a single computer but is usually a collection of programs to prevent access to unauthorised users and to log activities on various computers.
A packet filter, or a packet filtering gateway, provides
a cheap base-level security mechanism. As described in a previous
article, the Internet Protocol (IP), breaks network messages into
small elements called packets. These packets are sent around
the Internet to their destination and are reassembled there.
A packet filtering gateway would typically sit between
your network and the Internet and filter out particular types
of packets according to a set of rules. These rules involve allowing
or denying particular connections to and from particular ports.
For example, in order to allow all incoming and outgoing
mail connections a packet filtering rule might look like this:
| rule number | source | source port | destination | destination port | allow? |
| 1 | { hosts } | * | * | 25 | yes |
| 2 | * | 25 | { hosts } | * | yes |
The notation { hosts } means any single host from
a list of hosts, or computers, on the network. An asterisk, *,
means all possible values are acceptable. In the case of ports
it means that all ports may be connected to or from, and in the
case of hosts it means that all hosts are allowed.
Rule number 1, above, says that any port on any host from the list { hosts } may connect to port number 25, the mail (SMTP) port, on any destination.
Rule number 2, above, says that any host may connect from port 25 to any port on any host in the list { hosts }. It is intended to let the replies to the outgoing mail connections of rule 1 back in, but as written it also lets an outsider who deliberately uses source port 25 reach any port on { hosts }. A filter that looks only at single packets cannot tell a reply from a new connection unless it also checks that the TCP ACK flag is set (the first packet of a new connection is the only one without it) or keeps track of connection state.
Say telnet packets from a particular network, 134.18.*
were to be blocked as this network was known to harbour crackers.
A rule to achieve this would be:
| rule number | source | source port | destination | destination port | allow? |
| 3 | 134.18.* | * | { hosts } | 23 | no |
Typically there would be a catchall rule as well
which would pick up any missed packets. This rule would look
something like:
| rule number | source | source port | destination | destination port | allow? |
| 4 | * | * | * | * | no |
Generally the rules have precedence in the order
they are defined, rule 1 having the highest precedence: the first
rule that matches a packet decides its fate. That means that rule 4
denies any connection to or from any host on any port unless an earlier
rule has explicitly allowed it.
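As an added illustration (not code from the original article), the following Python evaluator applies rules 1 to 4 exactly as tabulated above, first match wins, and shows why the order matters. The internal addresses standing in for { hosts }, the outside addresses and the sample packets are all constructed. It also goes one step beyond the article: the RULES_ACK variant makes rule 2 match only packets carrying the TCP ACK flag, which is one way a packet filter can tell a reply to an outgoing mail connection from a new connection that an outsider starts with source port 25.

```python
"""First-match packet filter evaluator for the article's rules 1-4.

Added example: addresses, the { hosts } list and the packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stands in for the { hosts } list in the tables (constructed addresses).
INTERNAL_HOSTS = {"192.0.2.10", "192.0.2.11"}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str            # "*", "{ hosts }", a prefix such as "134.18.*", or one address
    sport: str          # "*" or a port number
    dst: str
    dport: str
    allow: bool
    ack_only: bool = False   # match only packets with the TCP ACK flag set


def host_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "{ hosts }":
        return addr in INTERNAL_HOSTS
    if pattern.endswith(".*"):
        # "134.18.*" matches 134.18.0.0 - 134.18.255.255 but not 134.180.x.x
        return addr.startswith(pattern[:-1])
    return pattern == addr


def port_matches(pattern: str, port: int) -> bool:
    return pattern == "*" or int(pattern) == port


def decide(rules: List[Rule], src: str, sport: int, dst: str, dport: int,
           ack: bool = False) -> Tuple[Optional[int], bool]:
    """Return (number of the first matching rule, allowed?) for one packet."""
    for r in rules:
        if r.ack_only and not ack:
            continue
        if (host_matches(r.src, src) and port_matches(r.sport, sport)
                and host_matches(r.dst, dst) and port_matches(r.dport, dport)):
            return r.number, r.allow
    return None, False          # nothing matched: deny by default


# Rules 1-4 as tabulated in the article.
RULES = [
    Rule(1, "{ hosts }", "*", "*", "25", True),
    Rule(2, "*", "25", "{ hosts }", "*", True),
    Rule(3, "134.18.*", "*", "{ hosts }", "23", False),
    Rule(4, "*", "*", "*", "*", False),
]

# Same rules, but rule 2 only admits packets with ACK set, i.e. replies to
# connections rule 1 let out, not new connections started from source port 25.
RULES_ACK = [RULES[0],
             Rule(2, "*", "25", "{ hosts }", "*", True, ack_only=True),
             RULES[2], RULES[3]]


def demo() -> dict:
    """Constructed packets run through both rule sets."""
    return {
        "outgoing mail":            decide(RULES, "192.0.2.10", 40000, "198.51.100.5", 25),
        "reply to outgoing mail":   decide(RULES, "198.51.100.5", 25, "192.0.2.10", 40000, ack=True),
        "telnet from 134.18.*":     decide(RULES, "134.18.7.7", 40000, "192.0.2.10", 23),
        # Source port 25 makes rule 2 fire before rule 3 is consulted.
        "telnet from 134.18.*:25":  decide(RULES, "134.18.7.7", 25, "192.0.2.10", 23),
        "unrelated inbound":        decide(RULES, "198.51.100.5", 40000, "192.0.2.10", 80),
        "telnet from 134.18.*:25 (ACK-only rule 2)":
            decide(RULES_ACK, "134.18.7.7", 25, "192.0.2.10", 23),
    }


if __name__ == "__main__":
    for name, (rule, allowed) in demo().items():
        print(f"{name:45s} rule {rule}: {'allow' if allowed else 'deny'}")
```

Note the fourth case: a packet from 134.18.7.7 that uses source port 25 to reach the telnet port on an internal host is accepted by rule 2 before rule 3 is ever consulted, so the telnet block is not as complete as the table suggests; the ACK-only variant of rule 2 closes that gap because the first packet of a new connection carries no ACK.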
Packet filtering gateways provide a fast method of filtering out the most basic unwanted connections. This, however, provides only the most rudimentary type of protection against attack. This is because a packet filter does not have any knowledge beyond the discrete packet. An attack that is targeted at the application level will go undetected by a packet filtering gateway.
An application level gateway, as the name implies,
works at the application layer. Each Internet service is represented
at the gateway by some proxy. All incoming and outgoing connections
pass through a proxy application which is located on the gateway.
Each application requires a specialised proxy application
to be running on the gateway. For example an FTP client on a
user's machine would not connect directly to a remote host somewhere
across the net, but rather it would connect to the gateway,
which in turn would make the connection to the remote host.
There are several advantages to this approach. Firstly,
all incoming and outgoing connections can be logged because all
connections are centralised at the proxy. Secondly, any attack
on the local network would also have to pass through the proxy,
so as long as the proxy remains secure the local network is
also secure. Thirdly, the gateway can perform any sort of filtering
of incoming and outgoing packets. One possible application of
this is with the electronic mail service. All outgoing messages
can be filtered to hide any kind of information about the local
network. The messages can all be made to look like they have
been sent from name@company.com.au
(rather than, say, name@machine.domain.company.com.au)
so that outsiders cannot find out the names, addresses or any
other information about hosts on the local network.
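As an added example (not from the article), here is the address-hiding rewrite that a mail proxy on the gateway could perform, using Python's standard email module. The domain company.com.au, the internal host names and the sample message are constructed; a real gateway would hand the rewritten message to its own mail transfer agent, which adds its own Received: line.

```python
"""Outbound mail masquerading of the kind an application level gateway does.

Added example: the domain, host names and SAMPLE message are constructed.
"""
import email
from email.message import Message
from email.utils import formataddr, getaddresses

INTERNAL_DOMAIN = "company.com.au"          # the only domain outsiders should see
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc")


def is_internal(domain: str) -> bool:
    d = domain.lower()
    return d == INTERNAL_DOMAIN or d.endswith("." + INTERNAL_DOMAIN)


def masquerade_spec(spec: str) -> str:
    """alice@wks12.eng.company.com.au -> alice@company.com.au; others untouched."""
    local, sep, domain = spec.rpartition("@")
    if sep and is_internal(domain):
        return f"{local}@{INTERNAL_DOMAIN}"
    return spec


def masquerade_header(value: str) -> str:
    """Rewrite every address in one header value, keeping display names."""
    return ", ".join(formataddr((name, masquerade_spec(spec)))
                     for name, spec in getaddresses([value]))


def masquerade_msgid(value: str) -> str:
    """Message-IDs also carry the originating host name."""
    inner = value.strip().strip("<>")
    return "<" + masquerade_spec(inner) + ">"


def rewrite_outgoing(raw: str) -> Message:
    """Return the parsed message with internal host names removed from headers."""
    msg = email.message_from_string(raw)
    for name in ADDRESS_HEADERS:
        values = msg.get_all(name, [])
        del msg[name]                       # drops every instance of that header
        for v in values:
            msg[name] = masquerade_header(v)
    if msg["Message-ID"] is not None:
        msg.replace_header("Message-ID", masquerade_msgid(msg["Message-ID"]))
    # Received: lines record every internal hop (host names and addresses);
    # the gateway strips them and its own MTA adds a fresh one.
    del msg["Received"]
    return msg


# Constructed message as it might arrive at the gateway from an internal host.
SAMPLE = """\
Received: from wks12.eng.company.com.au (wks12.eng.company.com.au [10.1.2.3]) by mailhub.company.com.au with SMTP
From: Alice Example <alice@wks12.eng.company.com.au>
To: bob@example.net
Cc: Carol <carol@mailhub.company.com.au>, dave@example.org
Message-ID: <19960101.1234@wks12.eng.company.com.au>
Subject: hello

The body is passed through unchanged.
"""


if __name__ == "__main__":
    print(rewrite_outgoing(SAMPLE).as_string())
```

The check in is_internal matters: matching on a suffix with the leading dot keeps a look-alike such as companyx.com.au, or an outside address that merely contains the string, from being rewritten, while every host below company.com.au is collapsed to the bare domain.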
The major limitation of application level gateways
is that if some new service becomes available on the Internet
at large, it will not be available to local users until a specialised
proxy application is written. It may never become available at
all. Policy decisions usually rule out certain services such
as talk and irc (Internet Relay Chat).
There are some application level gateways that provide
generic proxies. These generic proxies offer some of the advantages
of the specialised proxies, such as logging information, but they
cannot possibly provide the same sort of protection as is provided
by a specialised proxy.
Another drawback of application level gateways is that because there is an intermediary between the user and the Internet, applications will run slower than if the proxy were absent.
A popular type of firewall combines the Application
Level Gateway with the Packet Filter. This sort of firewall package
is obviously more costly than either of its components. As well,
it is more complex to install and maintain. This sort of firewall,
however, provides better protection than either the Application
Level Gateway or the Packet Filtering Gateway on its own.
A Bastion Host Firewall provides yet another layer
of protection and another layer of complexity on top of the above
firewall architectures. This architecture consists of one or
more hosts on a private network. This private network sits between
the local network and the Internet. At each end of the private
network is a packet filter.
The packet filter between the bastion host and the
local network filters out those services not provided by the local
network. The other packet filter, between the bastion host and
the Internet, filters out those services not provided by the local
network or the bastion host. The bastion host provides services
to the Internet such as a web server and anonymous FTP. The bastion
host is considered to be expendable. It is configured to resist
attacks but should it be compromised the local network is still
safe.
There are plenty of other security measures available.
The best way to find out about the latest breakthroughs in Internet
security is to keep an eye on the various Usenet newsgroups dealing
with these matters. These include: alt.security, comp.security.misc,
comp.security.1 and sci.crypt.
The ssh (Secure Shell) package is a relatively new
security mechanism gaining a lot of popularity in the Internet
security field. To quote the ssh FAQ: "Ssh (Secure Shell)
is a program to log into another computer over a network, to execute
commands in a remote machine, and to move files from one machine
to another. It provides strong authentication and secure communications
over insecure channels. It is intended as a replacement for rlogin,
rsh and rcp." This package provides protection against packet
sniffing, which is one way crackers obtain passwords and other
sensitive data, by encrypting data being sent across the network.
The CSI survey, mentioned above, reported results
on a range of questions, including the following:
| Question | yes | no | n/a |
| Does your organisation use the Internet? | 78% | 22% | |
| Does your organisation use a firewall? | 48% | 34% | 18% |
| Has your company experienced an Internet security incident? | 20% | 75% | 5% |
| If so, was it prior to firewall installation? | 52% | 30% | 18% |

| How is the Internet used in your organisation? | |
| research | 84% |
| mail to professional peers | 70% |
| software support | 60% |
| marketing | 48% |
| mail to customers | 39% |
| financial transactions | 8% |
| other | 8% |

| What features are available to all employees? | 83% |
| ftp | 50% |
| www | 53% |
| gopher | 41% |
| newsgroups | 39% |
| wais | 20% |
The following two books contain an easy to read, in depth analysis of firewall theory as well as a lot of practical examples:
cracker I use the word cracker to mean those people who actively seek to compromise a computer by breaking in or by other means.
hacker This word is used to describe a particularly adept programmer, who can solve a problem in minimal time with maximum skill.
packet A packet is a general term referring to a message that is transported around a network. It usually refers to part of some larger message. We normally talk about data being broken into packets. Normally, a message is broken up into packets and sent at one end of a network connection. At the other end packets are reassembled into a message.
router A router is a computer, or a special purpose device, which forwards packets between distinct networks.
gateway A gateway performs all the tasks a router
does with the addition of being able to translate between protocols.
For example, a gateway would sit between a TCP/IP network and
a DECnet (Digital Equipment Corporation's proprietary network
communications protocol) network and be able to pass messages
between them. In other words, the gateway speaks more than one
language.