Chapter 13: Internet Security
  1. Introduction
  2. Security Policy
  3. Firewall Technology
  4. Recommendations
  5. Proposal #1
  6. Proposal #2
  7. Proposal #3
  8. Proposal #4
  9. Proposal #5
 

This paper has been written in response to a request from CEH Computer Services for proposals to increase the security of the Wallingford (or other NERC site ) computer network with respect to possible attacks from the Internet. After a short introduction to explain the rationale of the firewall approach and how one would go about implementing such a system, we give a basic outline of the present state of Internet firewall technology and make several proposals and recommendations. This paper is a much expanded version of an earlier paper dated 7 October 1996. Our preferred product is Solstice Firewall-1 on a PC at a cost of £7000 including VAT but not including staff time. One or two of the largest sites (in particular, SOC) have a more complicated network topology and a single firewall may not be appropriate. With that caveat, all of this paper should be relevant at all NERC sites.

Back to contents

Introduction

In any society a small percentage of people are malicious. The Internet now has in excess of 100 million users so, even if the fraction of users who are malicious is less than 1%, it is clear that the potential number of miscreants is large enough to concern us. This paper explores the problem of Internet security and makes some proposals for effective strategies to address the problem.

The most common computer security model is to enforce the security of each host machine separately and make every effort to avoid or alleviate all the known security problems on every single machine. This is a perfectly reasonable approach for a small network but the problem is that it does not scale to large numbers of machines. The different vendors, different software releases, different services enabled, and so on, all lead to different sets of security problems. Also, host security relies on the good intentions and skill of everyone who has privileged access and, inevitably, the number of privileged users increases with the number of hosts. As environments grow larger and more diverse, therefore, sites turn to a network security model rather than securing individual hosts. A single network firewall, of the types discussed here, can protect hundreds of hosts regardless of their individual level of security.

NOTE I am not suggesting that we ignore host security - especially not on important machines such as file servers. Surveys of security incidents invariably show that the majority of attacks come from inside the organisation and firewalls are of no help in such cases.

The vast majority of commercial organisations with Internet connections and also most universities, these days, have already implemented such firewall systems. In fact, NERC institutes are beginning to look exceptional (vis a vis comparable organisations) in not having firewalls.

Security Policy

Many of the services that people want from the Internet are inherently insecure. On the other hand they are extremely useful and it is not acceptable to bar their use. Patently, a necessary first step to improve security is to agree on what is permitted and document that in sufficient detail. The document which sets out how such compromises have been decided is the site "security policy" and it is most desirable that this exist and be owned by the site management ( rather than a "supplier" such as iTSS or the IT Core Group).

We should not pretend that we want absolute security, if only we could afford it. This would result in such a hostile working environment that it would never be implemented. The security policy is all about compromises and should have regard to cost, usability and compatibility with existing working practices as well as security risks.
 

A lot of this is in place already as part of the NCS Security Manual but it is worthwhile to collect it all together. Also there have been, and will be more, developments (eg dial- up access from home computers) since that document was written.

Back to contents

Firewall Technology

An internet firewall is installed at the point where the protected internal network connects to the Internet. All traffic coming into or going out from the internal network passes through the firewall and the firewall checks that this traffic (email, file transfers, remote logins,....) conforms to the site security policy. The existing Cisco router is already configured to act as a simple firewall - certain port numbers (services) have been blocked.

Figure 1 

Such a set-up is not today considered adequate and modern practice is to augment the router with a Firewall computer. The complete firewall therefore would consist of several physical components - the existing Cisco router, a short ethernet segment, called the DMZ (De-Militarized Zone!), and a Firewall computer.

Figure 2. 

The advantages of having a computer are

 

The disadvantage of a firewall computer is that it may itself be attacked - to combat this it should be configured to operate independently of all machines on the local network, not sharing disks or services with them, for example. Also, all services which are not specifically required for operation of the firewall software should be disabled and the associated files removed.

External services which are seen as a potential exposure (eg WWW servers) can be run on a similar isolated , stripped-out server on the DMZ network. By removing non-essential software, we can remove much of the potential for future security loopholes. Also if it were to be penetrated. there should not be anything of interest on it.

Historically, there are two main firewall architectures -

packet filters application proxy servers Both of these architectures have their limitations - Packet filters can only allow or block packets depending on the contents of the packet header, in particular the source and destination addresses and port numbers. This is not adequate for many popular Internet services such as those using UDP datagrams or RPC services.

Proxy servers require specialized proxy software running on the firewall host and modified client software throughout the internal network. Unless both of these are available for a particular service or application, one is likely to have to prohibit that service pending their availability. This is not a problem for established services on the common platforms but is likely to be a recurring issue whenever anything new comes up.

Many modern firewall products, however, are hybrids of these two simple architectural models and combine the high performance of packet filters with the application proxy servers knowledge of the protocols. For example, some modern packet filtering systems have a knowledge of the application protocols and modify the packet filtering rules "on the fly" . For example, an outgoing UDP packet can cause the creation of a temporary rule to allow an answering UDP packet back in. Similarly, the firewall software can follow the course of an RPC transaction and the rules be temporarily modified to allow it through.

Finally, there is a great deal of information about many firewall products, including those proposed here, at

http://www.ncsa.com/fpfs/fwcert.html

We have not been able to examine all of these. Instead we have concentrated on the market leaders.

Back to contents

Recommendations

It is possible to construct a firewall from "freely available" software, for example the FWTK from TIS - the difficulties of this approach are -

 

We therefore recommend purchasing an established, commercial product with a strong support organisation behind it.

Due to the complexity of many of the issues which arise in configuring a Firewall, it is important, if it is to be credible, to have a clear, easily-understood user interface which hides details and presents a clear picture. To put it another way, we see credibility among non-experts as a major requirement for a firewall system.

The list of Internet services required at NERC sites (We refer to this as the A List below!) includes all of the following :

Terminal services (telnet, rlogin)

File transfer (FTP)
Electronic mail (SMTP, POP3, IMAP4)
World Wide Web (HTTP, SHTTP, SSL)
Gopher
Archie
X Window System (X11)
Printing (lpd)
Remote execution (rsh)
Finger
Whois
Network management (SNMP)
Usenet news (NNTP)
Oracle (SQL*Net)
Lotus Notes

Some sites may be willing to delete a few items from this list. They may also want to add some more such as NFS or SMB (Microsoft-style TCP/IP)! The point is that this list is significantly larger than equivalent lists for many (most ?) commercial sites so it is important to check a list like this against any proposed firewall if it is not to block existing functionality. This is especially true of application proxy servers and hybrid firewalls which require an understanding of application protocols.

Desirable features which some products offer include:

URL screening (log who is viewing what WWW pages and possibly block selected URLs)

scanning of file transfers, WWW downloads and electronic mail for PC viruses. I am doubtful about the utility of this at present. For example, some products can VIRUS check uuencoded attachments but what about uuencoded Groupwise attachments. At present, there are simply too many non-standard ways of encoding attachments in mail messages in use for this to be practicable. Hopefully, NERC will move to MIME attachments some day soon.

The firewall computer must be fast enough to pass the full bandwidth of the site's Internet connection without introducing a noticeable delay. Currently, this bandwidth is 2Mbps for the Wallingford site and any reasonably modern workstation or PC is designed to operate at ethernet speed (10 Mbps) so this is not a problem.

Many of the firewall products which were developed on unix are being ported to Windows/NT and these are now appearing on the market place. However, common advice is that the TCP/IP software in NT is still relatively immature and its use in such a sensitive area is not yet appropriate. The TCP/IP software in UNIX is very mature and we have many years of practical experience with it. The cost of the operating system (Windows/NT or unix) is not more than a few hundred pounds so this should not be a deciding factor. We do not recommend the use of Windows/NT for a firewall at this stage.

As well as firewall software running on top of a (hardened) general purpose operating system, there are several products employing dedicated hardware with the software stored in a Flash EPROM in a similar manner to a router. Typically, there is no hard disk and the possibilities for configuring or adapting the system are strictly limited to what was foreseen by the designer. Naturally, the vendors make a virtue of this and emphasise how simple such boxes are to configure! It is usually possible to reload the EPROM from an image provided by the vendor on a floppy disk or via the Internet. As such a reload is the only method available to update such products, if one has to respond to a new threat or add support for a new "Internet application", we should satisfy ourselves that the supplier has the organisation in place to produce and distribute such EPROM images at short notice. The lack of a hard disks severely limits logging capacity and such products often support the unix syslog facility, employing a nearby unix system to do their logging. Also report generation and email alerts (both highly desirable as people will not be willing to spend time doing routine checking of log files) will be done on the unix host. We could write tools to do this ourselves (awk, perl,...) but really it would be much better for them to be supplied and supported as part of the product.

Dedicated, EPROM-resident firewall boxes and firewall software running over a general purpose operating system both have their proponents and seem to me to be addressing different market places. The advantages of the dedicated boxes are :

1. lower cost

2. simplicity and relatively easy to set up

The disadvantages, relative to a general purpose computer, are : 3. inflexible hardware. For example usually two 10bT ethernet ports are provided and there are no options for other types of LAN

4. it is not possible to ' maintain' the software by applying patches etc. The only possibility is to reload a complete new EPROM image which is probably too drastic to do very often

5. the lack of a hard disk severely limits what is possible by way of local logging, reports and alerts

6. It is not possible to upgrade the hardware (eg for an FDDI or ATM network or for a faster processor). One has to start again.

A general purpose computer firewall, if it is properly set up and maintained, should be a much better firewall, adapting easily to new threats and supporting new applications. However, if it is not properly configured and maintained by staff who have a reasonable background in TCP/IP networking, it will, almost certainly, be much inferior to a simple "black box" type solution.

In a distributed organisation, such as NERC, we must have the ability to configure and manage firewalls systems from off-site. This feature is usually called Multi-site Management. A few products do not allow this, arguing that it is a risk. If it is, it is a very small additional risk and compatible with the level of security that NERC requires.

Other Features

We should also mention several features which are often available with firewalls. I don't expect anyone in NERC to be interested in these, at the moment, but mention them here for completeness.

Back to contents

Network Address translation

This enables a site to use "internal" IP network nos which are translated to and from properly registered Internet IP nos at the firewall. Besides the security aspects (hiding details of the internal network from the outside world), this is a solution to the current shortage of IP network nos. A site could potentially run a Class B network internally (up to 16 million hosts) and only require a few hundred registered addresses for those hosts which provide external services. Other hosts wishing to access external services would be allocated temporary IP nos from a small pool.

One Time Passwords

Users working over public phone lines can be provided with a device (similar to a small calculator) which generates a series of passwords. When they dial-in to the site they are challenged and have to respond with the next password to gain access. This is sometimes called Strong User Authentication.

Virtual Encrypted Networks

These provide a means to encrypt IP packets (independent of the application) and so provide the privacy of a private network between sites while using the unsecured public Internet.

Pager Alerts

It is possible to have staff alerted via an electronic pager in their pocket. This seems rather OTT in the NERC environment and alerts via email are probably more convenient?

Proposal #1

The current market leader in the firewall market place is the Firewall-1 product from Checkpoint Systems in Tel Aviv. Sun Microsystems sell a rebadged version of this called Solstice Firewall-1. This is an advanced packet filter which supports dynamic modifications to its rule base as described above. It also has an extremely attractive GUI user interface which has impressed us greatly.

It consists of two major components - a Management Component which manages the Rule Base, logging , alerts and so on and an Inspection Module which is installed on the gateway machine, inside the operating system kernel at the first layer (IP) of the protocol stack. The Inspection Module, which is highly optimised for performance, intercepts and inspects all inbound and outbound packets according to the rules defined in the Management Component using the GUI. There are also powerful facilities for managing logs and alerts. These are an integral part of the product and there is no way these could be seen as an optional add-on or afterthought.

The list of supported applications covers everything in the A list except, possibly, the database services and there are tools to describe these so these are not a serious problem. We do not expect such a firewall to cause significant disruption to the work of any NERC site.

The licensing for this (and most other firewall products) depends on the number of systems in the internal network which communicate with the external network. I would imagine this includes all workstations and the majority of PCs.
 
Cost of Solstice Firewall-1
Up to 50 systems £1160 +VAT
Up to 250 systems £3860 +VAT
Unlimited £7460 +VAT
 

These are SUN ScholarPAC prices. Commercial prices are much higher. For the Wallingford site, 250 systems would just about be enough.

A machine to run this could be a SUN SPARC but we could also use an Intel x86 PC running Solaris x86. Solaris x86 is essentially the same operating system as the Solaris SPARC OS, which we already have considerable familiarity with, but ported to Intel x86 hardware.

Minimum specification of the x86 PC would be similar to -

Estimated cost of this, if it has to be purchased, is 2000 pounds. It is not possible to give an accurate cost estimate due to the large number of special offers and deals which are available in the PC market place. If a suitable such offer was available at the time of purchase, it is possible the cost would be much less? Also 300 pounds for Solaris x86 media (The operating system).

Total cost of this option is therefore around £6000 +VAT (£7000). We estimate 1-2 man weeks to set it up. Subsequent installations by the same people should be 2-3 man days.

 

More information on this product (also a good introduction to firewalls) can be found on the World Wide Web at the URL

http://www.checkpoint.com/firewall-1.html

This is a highly successful, commercial product with two good support organisations (SUN Microsystems and Checkpoint Systems) behind it. This is our preferred proposal.

Back to contents

Proposal #2

There is a chest deal available to us for VCS Portcullis Firewall from Knowledge Technology Ltd in Bristol. This is an Application Proxy Server Firewall as described above. Administration is via a WWW browser and includes tools written in JAVA! Software to manage logs, produce reports and send alerts are an integral part of the product. Proxy software is provided for telnet, FTP, WWW and email. After that, there is a generic proxy tool and, after that, it becomes a simple packet filter which is not really adequate. One would end up either blocking services and disrupting existing work patterns or else accepting significant weaknesses in the firewall.

 
 
Cost of VCS Portcullis Firewall
Year 1 £1650 +VAT
Subsequent years £995 +VAT
Or 5 Years  £4635 +VAT
 

A machine to run this would be an Intel x86 PC (as described in Proposal #1) running LINUX. LINUX is the most successful of the "free" UNIXes. Estimated cost would be £2000 as above plus £100 for LINUX.

Total cost of this option is therefore around £6800+VAT (£8000) assuming the 5 year licence deal. We estimate 1-2 man months to set it up.

More information on this product can be found on the WWW at the URL

http://www.ktgroup.co.uk

This seems to be a well thought out product with some interesting features (eg the JAVA configuration tools) . However, the lack of supported services compared to the A list suggests it needs a lot more investment before it can compete with the market leaders.

Regardless of how justified it is, people are bound to question the wisdom of a firewall system based on "free" software such as LINUX. Perhaps a more serious worry is the small size of the supplier.

Proposal #3

Probably the first company to produce Internet firewall products, Trusted Information Systems (TIS) have a long background (since 1983) in the computer security area, mostly working for the US Government. Their current firewall offering is the Gauntlet application gateway firewall.

More information is available at

http://www.tis.com/docs/products/gauntlet
 
Cost of TIS Gauntlet 
Internet Firewall
Up to 50 systems £3700 +VAT
Up to 100 systems £8500 +VAT
Unlimited £11500 +VAT
 

This is an application gateway which performs extensive processing on every data packet and requires a powerful host such as a SUN ULTRA-1 costing around £4000 +VAT (including a second ethernet). Support costs are £1000, £2000 and £3000 pa for the three price breaks. TIS will also install the firewall on your site for £1650 (This includes "hardening" Solaris by disabling unneeded features and applying current SUN security patches.) and offer a two day training course for £660.

Support is included for all the services in the A list, so this firewall should cause minimal disruption to the work of any NERC site.

This is clearly an excellent product which will do a very good job but it may be too expensive for NERC.

Back to contents

Proposal #4

There is considerable experience within NERC with CISCO routers and the company has recently introduced the PIX series of firewalls. This is a dedicated black box with the software in flash EPROM.

More information is available at

http://www-europe.cisco.com

The list price is £11,185 +VAT which is very expensive for such boxes. Not surprisingly, there are "promotions" and the bottom-line price seems to be around £5000 +VAT.

There are two 10/100 Mbps RJ45 Ethernet interfaces.

This is a hybrid firewall and a definite improvement over a packet filter. The list of supported services includes WWW, FTP, terminal access and gopher. There are significant shortcomings in this list compared to the A list ! Since the software is in EPROM, there is no possibility at all of adding additional services ourselves. Either one blocks services and disrupts existing work or one configures the firewall as a simple packet filter and accepts the deficiencies (from a security aspect) of this.

We have been told that the product includes at WWW browser configuration tool and a Windows NT Central Management GUI but the documentation describes a command line interface very similar to a CISCO router. Certainly, we would not recommend any firewall product without a good GUI configuration tool. Also, logging is done via syslog to a nearby unix host and we have not been able to find out details of tools to generate reports or send alerts.

We estimate it would take less than a man-week to set this up.

Proposal #5

The market leader among the black box firewalls is the Radguard PyroWall.

More information is available at

http://www.radguard.com

The list price is £4717 +VAT for 50 systems and £9038 +VAT for up to 200 systems. Again, these prices seem to be frequently discounted and the real price is probably around £4000 +VAT.

Administration is via a Windows GUI running on a nearby PC. A popular feature is a Windows security policy wizard to guide "people with little or no technical background" through the installation process! The list of supported services seems very small and , I suspect, it is little more than a packet filter. I would not expect a black box firewall like this to greatly disrupt a site's work since it would end up being configured to allow most anything through it!

This is probably a good quick solution for sites who don't have the time or the expertise to set up a software firewall. I suspect it would take less than 1 man-day to set it up.

I believe these boxes should be regarded as having a relatively short lifetime and you should be prepared to throw it away and start again if there were new requirements such as a new LAN (eg 100Mbps ethernet - it only supports 10Mbps ethernet at present), or a new threat. Nonetheless, products like these clearly have a market.

Back to contents



This page last updated August 8th 1997 by R.Campbell