Most systems for providing UNIX network security that we have discussed in this book are designed to protect an individual UNIX host from a hostile network. We have also explored systems such as Kerberos and Secure RPC, which allow a set of hosts to communicate securely in a hostile environment.
As an alternative to protecting individual computers on a network, many organizations have opted for a seemingly simpler solution: protecting an organization's internal network from external attack.
The simplest way to protect a network of computers is with physical isolation. Avoid the problems of networks by not connecting your host to the Internet and not providing dial-in modems. Nobody from the outside will be able to attack your computers without first entering your physical premises. Although this approach completely ignores the damage that insiders can do, it is nevertheless a simple, straightforward policy that has been used by most organizations for years. In many environments, this is still the best way to approach network security - there is little to be gained from connection to outside networks, and much to lose.
Recently, however, the growth of the Internet has made physical isolation more difficult. Employees in organizations want email, they want access to Usenet news, and they want to browse the World Wide Web. In addition, organizations want to publish information about themselves on the Web. To allow partial connection to the Internet, while retaining some amount of isolation, some organizations are using firewalls to protect their security.
Firewalls are powerful tools, but they should never be used instead of other security measures. They should only be used in addition to such measures.
A firewall gives organizations a way to create a middle ground between networks that are completely isolated from external networks, such as the Internet, and those that are completely connected. Placed between an organization's internal network and the external network, the firewall provides a simple way to control the amount and kinds of traffic that will pass between the two.
The term firewall comes from the construction industry. When apartment houses or office buildings are built, they are often equipped with firewalls - specially constructed walls that are resistant to fire. If a fire should start in the building, it may burn out of control in one portion, but the firewall will stop or slow the progress of the fire until help arrives.
The same philosophy can be applied to the protection of local area networks of machines from outside attack. Used within an organization, a firewall can limit the amount of damage: an intruder may break into one set of machines, but the firewall will protect others. Erected between an organizational network and the Internet at large, a firewall prevents a malicious attacker who has gained control of computers outside the organization's walls from gaining a foothold on the inside. Firewalls seem to make sense because there is always a "fire" burning somewhere on the Internet.
The fundamental function of a firewall is to restrict the flow of information between two networks. To set up your firewall, you must therefore define what kinds of data pass and what kinds are blocked. This is called defining your firewall's policy. After a policy is defined, you must then create the actual mechanisms that implement that policy.
There are two basic strategies for defining firewall policy:
There are advantages and disadvantages to both default permit and default deny. The primary advantage of default permit is that it is easier to configure: you simply block out the protocols that are "too dangerous," and rely on your awareness to block new dangerous protocols as they are developed (or discovered). With default deny, you simply enable protocols as they are requested by your users or management. Any protocol that isn't being used by your organization might as well be blocked.
Neither default permit nor default deny is a panacea. With either policy, you can create a firewall that is secure or insecure, depending on whether you permit (or fail to deny) "dangerous" protocols.
Firewalls are part of a good defense in depth strategy. The idea is to place several layers of protection between your machines and the potential threats. There are some obvious threats from the outside, so you should naturally place a firewall between the outside and your internal network(s).
Because a firewall is placed at the intersection of two networks, it can be used for many other purposes besides simply controlling access. For example:
Fundamentally, all firewalls consist of the following two kinds of components:
Many network servers can also function as proxies. They can do so because they implement simple store-and-forward models, allowing them to forward queries or messages that they cannot handle themselves. Some servers that can operate easily as proxies include SMTP (because email messages are automatically forwarded), NNTP (news is cached locally), NTP (time is maintained locally), and DNS (host addresses are locally cached). The following sections explore a variety of different kinds of firewall configurations in use today.
The first Internet firewalls were UNIX computers equipped with two network ports: one for the internal network, and one for the external network (see Figure 21.1).
In this configuration, the UNIX computer functions as both the choke and the gate. Services are provided to internal users in one of two ways:
To ensure that the computer functions as a choke, the computer must not forward packets from the external network to the internal network and vice versa. On most UNIX systems using Berkeley-derived TCP/IP, you can do so by setting the kernel variable ip_forwarding to 0. Unfortunately, some UNIX systems will still forward packets that have IP source-routing options set. Thus, you should carefully examine any dual-ported UNIX system that is used as a choke to make sure that it will not forward packets from one interface to another.
On a Solaris machine, you can disable both IP forwarding and forwarding of source-routed packets by including the following commands in some start-up file (e.g., in the appropriate file in /etc/rc2.d):
    ndd -set /dev/ip ip_forwarding 0
    ndd -set /dev/ip ip_forward_src_routed 0
Note that under SunOS, you need to set ip_forwarding = 0 in the kernel configuration. If you don't, the kernel will still IP forward under some conditions even if you've set the ip_forwarding variable to 0.
A simple firewall can be built from a single choke (see Figure 21.2). For example, some organizations use the packet filtering features available on some routers to block the TCP and UDP packets for certain kinds of services.
Programming the choke is straightforward:
This is a simple configuration very popular on today's Internet. Many organizations use a single choke (usually a router) as a firewall for the entire organization.
Packet filtering has a number of advantages:
Packet filters have several disadvantages:
In addition to these disadvantages, there are several fundamental design weaknesses with packet filters:
You can build a more secure firewall using a choke and a gate. The gate is a specially chosen computer on your network at which you run your mail server and any user proxy programs. (WWW servers and anonymous FTP servers should be run on separate computers, outside the firewall.) The choke can be a router with two interfaces. For example, a router with two Ethernet interfaces can partition one network from another. Alternatively, a router with an Ethernet and a high-speed interface can serve both as a gate and as an organization's connection with an off-site Internet service provider (ISP). (See Figure 21.3.)
Programming is somewhat more complex in this arrangement.
With this configuration, the choke is configured so that it will only pass packets between the outside network and the gate. If any computer on your inside network wishes to communicate with the outside, the communication package must pass through a special "proxy" program running on the gate. Users on the outside network must connect to the gate before bridging through to your internal network.
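The following added example (not code from the book) models a choke's packet filter as an ordered rule list with a default policy, so the default-deny versus default-permit trade-off described earlier and the choke-and-gate rule set described here can be tried against sample packets. Addresses, the gate host, and the port choices are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed example addresses (not from the text): 192.0.2.0/24 is the
# internal network, 192.0.2.10 is the gate, and anything else is "outside".
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("192.0.2.0/24")
GATE = ip_network("192.0.2.10/32")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port

@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; an unmatched packet gets the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Default deny, choke-and-gate style: list only what is allowed. Outside hosts
# may reach the gate for the proxied services; nothing else gets through.
DEFAULT_DENY_RULES = [
    Rule("permit", ANY, GATE, "tcp", 25),   # inbound mail to the gate
    Rule("permit", GATE, ANY, "tcp", 25),   # mail relayed outward by the gate
    Rule("permit", GATE, ANY, "udp", 53),   # the gate's own DNS queries
]

# Default permit: list only what the administrator already knows to block.
DEFAULT_PERMIT_RULES = [
    Rule("deny", ANY, INTERNAL, "tcp", 23),    # telnet from outside
    Rule("deny", ANY, INTERNAL, "tcp", 513),   # rlogin from outside
]
```

A service the administrator has not yet thought about (tcp/6000 in the test below) passes under the default-permit list and is stopped by the default-deny list, which is the asymmetry the text describes.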
For a higher degree of security, some sites have implemented a firewall built from two chokes, as shown in Figure 21.4.
In this configuration, both the external choke and the gate are programmed as before. What's new is the addition of an internal choke. This second choke is a fail-safe: in the event that an attacker breaks into the gate and gains control over it, the internal choke prevents the attacker from using the gate to launch attacks against other computers inside the organization's network.
Programming is similar to that of a single choke:
Instead of using a single gate, you can use several gates - one for each protocol. This approach has the advantage of making the gates easier to administer. However, this approach also increases the number of machines that must be carefully watched for unusual activity. A simpler approach might be to have a single gate, but to create individual servers within your organization's network for specific services such as mail, Usenet, World Wide Web, and so forth.
Instead of putting all your organization's machines on a single local network, you can separate your installation into sets of independent local area networks. These networks can communicate through gateway machines, routers, or full-blown firewalls. Alternatively, they can communicate with each other through independent links to the Internet, using an appropriate encryption system to prevent eavesdropping by your ISP and others.
Internal firewalls make a lot of sense in a large organization. After all, there is no reason to allow your research scientists any privileged access to a computer that is used for accounting, or to allow people who are sitting in front of data-entry terminals to try their hand at breaking into the research and development department's file servers. With an internal firewall, you can place extra security where needed.
The goal in setting up independent internal networks should be to minimize the damage that will take place if one of your internal networks is compromised, either by an intruder or, more likely, by an insider. By practicing stringent isolation, you can reduce the chances that an attacker will be able to use a foothold in one network as a beachhead for breaking into others.
A firewall designed for use within an organization is very similar to one that is used to protect an organization against external threats. However, because the same management team and structure may be responsible for many networks within an organization, there is a great temptation to share information or services via an internal firewall, when such information services should in fact be blocked.
Follow these basic guidelines when setting up independent internal networks:
Internal firewall machines have many benefits:
Remember: Although most people spend considerable time and money protecting against attacks from outsiders, dishonest and disgruntled employees are in a position to do much more damage to your organization. Properly configured internal firewalls help limit the amount of damage that an insider can do.
In the following text, we'll refer to internal networks and external networks when describing a firewall, with the understanding that both networks may in fact be internal to your organization.