Evolution of the Firewall Industry

During the 1989-1990 timeframe, Dave Presotto and Howard Trickey of AT&T Bell Laboratories pioneered the second generation of firewall architectures with their research in circuit relays, which are also known as circuit level firewalls. They also implemented the first working model of the third generation of firewall architectures, known as application layer firewalls. However, they neither published any papers describing this architecture nor released a product based upon their work.

As is often the case in research and development, the third generation of firewall architectures was independently researched and developed by several people across the United States during the late 1980's and early 1990's. Publications by Gene Spafford of Purdue University, Bill Cheswick of AT&T Bell Laboratories, and Marcus Ranum describing application layer firewalls first appeared during 1990 and 1991. Marcus Ranum's work received the most attention in 1991 and took the form of bastion hosts running proxy services. Ranum's work quickly evolved into the first commercial product—Digital Equipment Corporation's SEAL product.

Around 1991, Bill Cheswick and Steve Bellovin began researching dynamic packet filtering and went so far as to help develop an internal product at Bell Laboratories based upon this architecture; however, this product was never released. In 1992, Bob Braden and Annette DeSchon at USC's Information Sciences Institute began independently researching dynamic packet filter firewalls for a system that they called "Visas." Check Point Software released the first commercial product based on this fourth generation architecture in 1994.

During 1996, Scott Wiegel, Chief Scientist at Global Internet Software Group, Inc., began laying out the plans for the fifth generation firewall architecture, the Kernel Proxy architecture. Cisco Centri Firewall, released in 1997, is the first commercial product based on this architecture. While the Kernel Proxy architecture is not discussed in this chapter, it is thoroughly discussed in later chapters of this guide.

The next section describes how to establish perimeter networks, which allow you to focus your security solution at defined points within your network. The concepts presented within this section are important for planning your network so that you place your firewall server correctly within your network. Specifically, we define what it means to establish a security perimeter and the differences among trusted, untrusted, and unknown networks.

If you are familiar with the concepts and terminology used to describe security perimeters, packet filters, and proxy servers, you can skip the remainder of this chapter and proceed to the next. However, in the remaining sections of this chapter, we establish terminology and concepts important to understanding the revolutionary advancements in network security provided by Cisco Centri Firewall, as well as how to position Cisco Centri Firewall within your network.

From the perspective of users on an external network, the firewall server represents all accessible computers on the trusted network. It defines the point of focus, or choke point, through which all communications between the two networks must pass.

When you set up the firewall server, you explicitly identify the type of networks that are attached to the firewall server through network adapter cards. After the initial configuration, the trusted networks include the firewall server and all networks behind it.

When you set up the firewall server, you explicitly identify the untrusted networks from which that firewall can accept requests. Untrusted networks are outside of the security perimeter and external to the firewall server.

The next section describes the evolution of technologies that have been used to provide network security in the past. Specifically, we define packet filter firewalls, circuit level firewalls, application layer firewalls, and dynamic packet filter firewalls—four common architectures for building firewalls—and explain the advantages and disadvantages of these four architectures.

Most firewall technologies provide different capabilities for auditing communication events. Usually, the firewalls generate audit records detailing the cause and circumstances surrounding the triggering of audit events. As firewall technology improves, firewalls inspect additional network packet information, use more sophisticated inspection algorithms, maintain more state information, and inspect the network packets at more network layers. As such, more mature firewall technology provides more detailed audit records, or summary information, about the network packets that are allowed through or prevented from traversing the firewall. By analyzing such audit records, administrators can often detect network security policy problems, such as attempts to break in or misconfiguration of the firewall's network security policy enforcement features. As a general rule, more detailed and descriptive audit record information yields better monitoring capabilities in a firewall product.

Before Cisco Centri Firewall, firewalls inspected network traffic using one of four architectural models, which are defined by the information that they examine to make security-relevant decisions. In the next four sections, we define these different architectures in detail.

• the physical network interface that the packet arrives on
  
  
• the address the data is (supposedly) coming from (source IP address)
  
  
• the address the data is going to (destination IP address)
  
  
• the type of transport layer (TCP, UDP, ICMP)
  
  
• the transport layer source port
  
  
• the transport layer destination port
  
  

Packet filters generally do not understand the application layer protocols used in the communication packets. Instead, they work by applying a rule set that is maintained in the TCP/IP kernel. This rule set contains an associated action that will be applied to any packets matching the criteria mentioned above.

Packet filters typically implement command sets that allow the checking of the source and destination port numbers on the TCP and UDP transport layer protocols. This check determines whether an applicable permit or deny rule exists for that specific port and protocol combination. Due to the fact that the ICMP protocol layer does not utilize port numbers for its communications protocol, it is difficult for packet filters to apply any security policy to this form of network traffic. In order to apply an effective security policy to ICMP, the packet filter must maintain state tables to ensure that an ICMP reply message was recently requested from an internal host. This ability to track communications state is one of the primary differences between simple packet filters and dynamic packet filters.

Because packet filters are implemented in the network layer, they generally do not understand how to process state information in the high-level protocols, such as FTP. The more sophisticated packet filters are able to detect IP, TCP, UDP, and ICMP. Using a packet filter that includes the TCP/UDP port filtering capability, you can permit certain types of connections to be made to specific computers while prohibiting other types of connections to those computers and similar connections to other computers.

• If no matching rule is found, then drop the network packet.
  
  
• If a matching rule is found that permits the communication, then allow peer-to-peer communication.
  
  
• If a matching rule is found that denies the communication, then drop the network packet.
  
  

Because this type of firewall does not inspect the network packet's application layer data and does not track the state of connections, this solution is the least secure of the firewall technologies. It allows access through the firewall with a minimal amount of scrutiny. In other words, if the checks succeed, the network packet is allowed to be routed through the firewall as defined by the rules in the firewall's routing table. However, because it does less processing than the other technologies, it is the fastest firewall technology available and is often implemented in hardware solutions, such as IP routers.

Packet filter firewalls often readdress network packets so that outgoing traffic appears to have originated from a different host rather than an internal host. The process of readdressing network packets is called network address translation. Network address translation hides the topology and addressing schemes of trusted networks from untrusted networks.

• Packet filters are generally faster than other firewall technologies because they perform fewer evaluations. Also, they can easily be implemented as hardware solutions.
  
  
• A single rule can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
  
  
• Packet filters do not require client computers to be specifically configured; the packet filters do all of the work.
  
  
• In conjunction with network address translation, you can use packet filter firewalls to shield internal IP addresses from external users.
  
  

• Packet filters do not understand application layer protocols. They cannot restrict access to protocol subsets for even the most basic services, such as the PUT or GET commands in FTP. For this reason, they are less secure than application layer and circuit level firewalls.
  
  
• Packet filters are stateless in that they do not keep information about a session or application-derived information.
  
  
• Packet filters have very limited abilities to manipulate information within a packet.
  
  
• Packet filters do not offer value-added features, such as HTTP object caching, URL filtering, and authentication because they do not understand the protocols being used and cannot discern one from another.
  
  
• Packet filters cannot restrict what information is passed from internal computers to services on the firewall server. Packet filters only restrict what information can go to it. Thus, intruders can potentially access the services on the firewall server.
  
  
• Packet filters have little or no audit event generation and alerting mechanisms.
  
  
• Because of the complexity of supporting most non-trivial network services, it can be difficult to test "accept" and "deny" rules.
  
  

• A unique session identifier for the connection, which is used for tracking purposes
  
  
• The state of the connection: handshake, established, or closing
  
  
• The sequencing information
  
  
• The source IP address, which is the address from which the data is being delivered
  
  
• The destination IP address, which is the address to which the data is being delivered
  
  
• The physical network interface through with the packet arrives
  
  
• The physical network interface through which the packet goes out
  
  

Using this information, the circuit level firewall checks the header information contained within each network packet to determine whether the transmitting computer has permission to send data to the receiving computer and whether the receiving computer has permission to receive that data.

Circuit level firewalls have only limited understanding of the protocols used in the network packets. They can only detect one transport layer protocol, TCP. Like packet filters, circuit level firewalls work by applying a rule set that is maintained in the TCP/IP kernel.

Circuit level firewalls allow access through the firewall with a minimal amount of scrutiny by building a limited form of connection state. Only those network packets that are associated with an existing connection are allowed through the firewall. When a connection establishment packet is received, the circuit level firewall checks its rule bases to determine whether that connection should be allowed. If the connection is allowed, all network packets associated with that connection are routed through the firewall as defined in the firewall server's routing table with no further security checks. This method is very fast and provides a limited amount of state checking.

Circuit level firewalls can perform additional checks to ensure that a network packet has not been spoofed and that the data contained within the transport protocol header complies with the definition for that protocol, which allows the firewall to detect limited forms of modified packet data.

Circuit level firewalls often readdress network packets so that outgoing traffic appears to have originated from the firewall rather than an internal host. As stated previously, this process of readdressing network packets is called network address translation, and because circuit level firewalls maintain information about each session, they can properly map external responses back to the appropriate internal host.

• Circuit level firewalls are generally faster than application layer firewalls because they perform fewer evaluations.
  
  
• A circuit level firewall can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
  
  
• In conjunction with network address translation, you can use circuit level firewalls to shield internal IP addresses from external users.
  
  

• Circuit level firewalls cannot restrict access to protocol subsets other than TCP.
  
  
• Circuit level firewalls cannot perform strict security checks on a higher-level protocol should the need arise.
  
  
• Circuit level firewalls have limited audit event generation abilities but can typically tie a network data packet to an application layer protocol by building limited forms of session state.
  
  
• Circuit level firewalls do not offer value-added features, such as HTTP object caching, URL filtering, and authentication because they do not understand the protocols being used and cannot discern one from another.
  
  
• It can be difficult to test "accept" and "deny" rules.
  
  

Proxy services never allow direct connections, and they force all network packets to be examined and filtered for suitability. Instead of communicating directly with the real service, a user communicates to the proxy server (because the user's default gateway is set to point to the proxy server on the firewall). The same is true from the perspective of the real service communicating with a user. The proxies handle all communications between the user and a real service.

A proxy service sits transparently between a user on the internal network and the real service on the external network. That is, from the user's perspective, that user is dealing directly with the real service. From the real service's perspective, it is dealing directly with a user on the proxy server (instead of the user's real computer).

Proxy services are implemented on top of the firewall host's network stack and operate only in the application space of the operating system. Consequently, each packet must pass through the low-level protocols in the kernel before being passed up the stack to application space for a thorough inspection of the packet headers and packet data by the proxies. Then, the packet must travel back down to the kernel, and then back down the stack for distribution. Because each packet in a session is subject to this process, proxy services are notoriously slow.

Like circuit level firewalls, application layer firewalls can perform additional checks to ensure that a network packet has not been spoofed, and they often perform network address translation.

• Proxy services understand and enforce high-level protocols, such as HTTP and FTP.
  
  
• Proxy services maintain information about the communications passing through the firewall server. They provide partial communication-derived sate information, full application-derived state information, and partial session information.
  
  
• Proxy services can be used to deny access to certain network services, while permitting access to others.
  
  
• Proxy services are also capable of processing and manipulating packet data.
  
  
• Proxy services do not allow direct communications between external servers and internal computers, so the names of internal computers do not have to be made known to external computers. In other words, proxy services shield internal IP addresses from the external world.
  
  
• By providing transparency, proxies provide users with the appearance that they are communicating directly with external servers.
  
  
• Proxy services can route internal services, as well as external-to-internal requests, elsewhere (for example, they can route services to an HTTP server on another computer).
  
  
• Proxy services can provide value-added features, such as HTTP object caching, URL filtering, and user authentication.
  
  
• Proxy services are good at generating audit records, allowing administrators to monitor attempts to violate the firewall's security policies.
  
  

• Proxy services require you to replace the native network stack on the firewall server.
  
  
• Because the proxy servers listen on the same port as network servers, you cannot run network servers on the firewall server.
  
  
• Proxy services introduce performance delays. Inbound data has to be processed twice, by the application and by its proxy (for example, the Internet e-mail application talks to the proxy e-mail agent, which in-turn talks to a LAN e-mail application).
  
  
• Generally, a new proxy must be written for each protocol that you want to pass through the firewall, and therefore, the number of available network services and their scalability is limited. Usually a lag of six months or more exists from when the application is available and when its proxy is available, meaning users must wait for mission-critical applications to be available to them.
  
  
• Application level firewalls cannot provide proxies for UDP, RPC, and other services from common protocol families.
  
  
• Proxy services often require modifications to clients or client procedures, thus adding a task to the configuration process.
  
  
• Proxy services are vulnerable to operating-system and application-level bugs. Most packet filter firewalls do not rely extensively on operating system support mechanisms; however, they do generally rely on device drivers, etc. Most application layer firewalls require extensive support from the operating system to operate correctly, such as support from NDIS, TCP/IP, WinSock, Win32, and the standard C library. If a security relevant bug appears in any of these libraries, it can have undesirable effects on the security of the firewall server.
  
  
• Application layer firewalls overlook network packet information that is contained in lower layers. If the network stack is not performing correctly (which is complex to validate), then some of the information used to perform security checks that application layer firewalls request using standard calls from operating system libraries could return incorrect information. An example call that is often utilized by application layer firewalls is the getpeeraddress() call.
  
  
• Proxies may require additional passwords or other validation procedures that introduce delays and frustrate users.
  
  

This feature is useful for allowing application layer protocols, such as the Domain Name System (DNS), to operate across your security perimeter. An internal DNS server must originate requests to other DNS servers running on the Internet to retrieve address information for unknown hosts. DNS servers may make these requests using a TCP connection or UDP virtual connection.

A dynamic packet filter firewall may also be used to provide support for a limited subset of the ICMP transport protocol. ICMP is often used to test network connectivity by sending a pair of network packets between two cooperating hosts. Because the firewall server can allow a response to cross the firewall at the request of an internal host, the internal host is able to deduce that a host exists on an untrusted network.

In general, application layer firewalls are the slowest architecture due to the fact that all network packets are sent up one network stack and down a different one, thus being treated as two separate network sessions. Application layer firewalls also implement the broadest set of security data checks, which increases the processing time required. Throughout the industry, application layer firewalls are generally considered to provide the best security.

Because packet filters performed functions very similar to routers, these router-based languages transitioned into the first generation packet filters. These languages require that each protected network object have an individual rule associated with it for each network service that the object can access. A network object is any addressable entity on the network. As such, it can be a computer, a network printer, a subnet, or a router.

Eventually, when proxy services, and later dynamic packet filters and circuit level firewalls, appeared on the scene, they were developed using similar router-based rule sets. Because of the introduction of additional features and options, the programming languages grew more complicated and became network-service specific. Today this "router-based rule set" method of defining security policies is universal in the industry.

The following example is the set of rules required to provide the hosts, 192.168.1.*, with access to FTP:

The exploding demand for Internet and intranet connectivity far exceeds the supply of available security experts who are familiar with router-based rule sets or with command line operating systems. The long lists of security policy rules are often difficult to manage no matter what the level of expertise of the administrator. Also, it is extremely difficult to ensure that all of the objects on a network are protected without spending a great deal of time evaluating the lists of rules.

Some firewall vendors have responded to this problem by providing icons. These icons represent rule types that are intended to make the command line policy lists more user friendly. The addition of icons, however, has not reduced the complexity of ensuring that each network object is protected, and the user interfaces based on this scheme still require individual rules for each network service to be accessed by a network object. As a result, administrators are still required to use "machine language" when defining rules that enforce their security policies.

The next chapter completes our discussions of requisite background information by defining network security policies and the role that they play within the Cisco Centri Firewall. It also introduces several features within the Cisco Centri Firewall user interface.