- Firewall technology is the cornerstone of Intranet security. As such, careful planning and implementation of firewall technology to protect the corporate Intranet is critical;
- The paper will review and discuss different types of firewall, their capabilities and limitations, implementation methods, and some of the latest products in the marketplace;
- Nothing can replace a well-developed and consistently observed security policy. The effect of a good technical implementation can only be as good as how the security policy is carried out;
- Based on our understanding of current products and markets, we shall try to predict what the future of firewall technology might be, in managerial (not technical) terms.
The Internet uses the resources of the public voice communication networks. Technically, what distinguishes the Internet from other network arrangements is its use of a set of protocols called TCP/IP (Transmission Control Protocol / Internet Protocol). For most users, access to the World Wide Web (WWW, or the "Web") is the most widely used application, along with electronic mail. Online chat rooms (using IRC, Internet Relay Chat) for real-time conversation are very popular. Audio (Internet telephony) and video (video clips) capabilities have improved significantly and will gain increasing popularity.
Using hypertext, a method of instant cross-referencing on the Web, users have access to millions of pages of information. Access to, or "surfing", Web sites is done with a Web browser. Netscape is the pioneer and Microsoft Explorer is similarly popular. A Web site may look slightly different depending on the browser being used. Also, later versions of a particular browser are more capable of featuring such things as animation, virtual reality, sound, and music files than earlier versions.
An Intranet is an implementation of Internet technology within an enterprise. It may link up many inter-linked local area networks and wide-area networks. It may or may not include connections to the outside Internet. The main purpose of an Intranet is usually to share company information and computing resources among employees more effectively, so that savings in operating cost and improved customer service can be realized.
An Intranet uses TCP/IP, HTTP, and other Internet protocols and in general looks like a private version of the Internet. With tunneling, companies can send private messages through the public network, using the public network with special encryption/decryption and other security safeguards to connect one part of their Intranet to another.
Typically, larger enterprises allow connection outside of the Intranet to the Internet through firewall servers that have the ability to screen messages in both directions so that company security is maintained.(2, 3)
There are a wide variety of Web-based applications, ranging from static document access systems to database access systems and systems that help corporations capture and manage knowledge. Some of the applications that can be found on World Wide Web are as follows:4
Product Information • Employee Infobases • Project Information • Employee Property Management • Access to Data Warehouse • Policies and Procedures • Product Support Databases • Jobs • Training and Registration • Benefits • Newswire Clippings • Literature Ordering • Software Libraries • Stock Quote • Phone Directory • Performance Tracking • Conference Room Reservations • Surveillance • Libraries • Application Front-end • Subscription Services • White board • Engineering Groups and Information • Conferencing • Sharing Design Drawings • Events diary • Employee and Group Information • Art Libraries • Policies and Procedures • Directions • Historical Information • Maps • Technology Centers • Indexing Engines • Sales Support Centers • Information Catalogs • Competitive Analysis • Knowledge Preservation • Strategies • Official Travel Guide • Financial-Management Query • Existing Catalogs • Corporate Newsletters
2 Simcha Gralla, How Intranets Work, ZD Press, (1997).
3 Tim Evans, Building an Intranet, Sams.net Publishing, (1996).
4 CIO Communications Inc., http//:www.web-master.com, (1996).
In a complex business environment, there are many different business and technology components that must be considered for security. Among them, the Intranet warrants special attention because it interfaces directly with the outside world, the Internet, where professional and amateur hackers abound. Further, the increasing popularity of the Internet, immature security measures, and the richness of otherwise proprietary information make the Intranet a prime target for hacking.
Is the Intranet then insecure? Not necessarily. If a sound security policy is in place, if the people who manage and use the Intranet religiously follow that policy, and if a combination of security measures is deployed, such as a secure server, a firewall, password-protected access and physical security for the server machines, then all the bases are covered.
Our discussion in the later sections of this paper will focus only on the most important element in the Intranet security puzzle: the firewall. A firewall is a program, usually running on an Internet gateway server, that protects the resources of one network from unauthorized access by users from other networks. Typically, an enterprise with an Intranet that allows its workers access to the wider Internet will want a firewall to prevent outsiders from accessing its own private data resources.1
There are different types of firewall screening methods. The simple ones perform such functions as screening requests to ensure that only pre-defined domain names and IP addresses are accepted, while others may deny Telnet access altogether. Many sophisticated Internet servers come with some firewall capability today.
There are three basic areas of vulnerability in information security management, i.e. storage, access and transfer.
Storage-related issues concern physical and logical threats to where information is stored. Usually these issues are addressed in conjunction with environmental and access control measures.
Transfer-related issues concern information being stolen or tampered with while in transit. The most common way to tackle this type of issue is to use sophisticated encryption/decryption schemes.
Access issues primarily concern who has the right to access physical or logical information services, at what level, and to what degree. For instance, there are different levels of restriction on who can access computer systems, network systems, system and application functions, file systems, and even different records or fields within the same file.
As part of the overall network access control scheme, firewalls are the single most important element in Intranet security. Essentially, they are programs that deny access to unauthorized outsiders and keep the corporate Intranet secure, based on pre-defined rules. As the Internet Firewalls FAQ puts it, "Generally, firewalls are configured to protect against unauthenticated interactive logins from the ‘outside’ world, this, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it." Many firewalls today even have the capability of keeping audit trails, which facilitate tracing the source of unauthorized access if necessary.2
Firewalls screen network traffic and validate the flow of information between Intranets and external networks. Not every Intranet is vulnerable to intruders from the outside world; only those with Internet connections are. However, since most companies that have an internal network use the same infrastructure for both the internal network and the link to the outside world, the primary goal of the firewall is then to shield the internal network from unwanted access. It may also be used as a one-way service for a corporation’s employees to go from the Intranet directly to the Internet. Indeed, firewalls can perform many different functions:
- Controls access to its programs and utilities
- Controls access to its data files, preventing direct editing of the files
- Limits the scope of authority to a predefined set of actions according to separate group functions (firewall administrators, auditors, security administrators, system administrators)
- Employs filtering techniques to permit or deny services to specified host systems when necessary
- Filters on as many attributes as possible, including source and destination IP addresses, source and destination TCP/UDP ports, protocol type, and inbound and outbound interfaces
- Provides the ability to concentrate and filter dial-in access
- Provides mechanisms for logging traffic and for log reduction, so that logs are readable and understandable
- Records which users travel to which Web sites via the corporate Intranet and Internet connections, in order to maintain proper use of company resources
- Logs user actions such as configuration and log file changes, file access, firewall startup/shutdown, security policy/rule changes, root ID changes and audit file browsing
- Acts as a constant watchdog, monitoring any suspicious activity and informing the network manager via e-mail, pager, fax or console alarm
- Detects intrusions
As Security Guard
- Prevents authorized or unauthorized super-users from tampering with the system
- Prevents unauthorized attempts to shut down the system, which could leave the network wide open to attacks and unauthorized access
- Protects the processes/daemons, configuration files, data files and administrative utilities that secure the system, without requiring changes to the underlying kernel
- Checks inter-network traffic for viruses, malicious applets written in Java or ActiveX, and Trojan horses
- Ensures that sensitive events are screened, audited and tamper-proof
Firewall topology depends on the services needed and on the type of connection the corporate Intranet has. There are four typical physical configurations of firewalls:
Dual-homed Gateway - The bastion host is the sole connection point between the private network and the Internet, and TCP/IP forwarding is disabled on that host. Direct traffic between the two networks is blocked, whereas systems on the private network can communicate with the gateway, as can systems on the Internet. This configuration is simple and requires a minimum of hardware, with no router. All traffic between the private and public networks must pass through an application (a proxy) on the gateway host, so the private network is kept invisible to the outside world. The only drawback is that no service can pass through unless a proxy allows it.
Screened-host Gateway - This uses both a router and a bastion host. The router permits traffic only to the bastion host, which resides on the private network. This system is very flexible, as it can be quickly reconfigured to allow new services without creating a proxy application. The design is more complex than the dual-homed gateway, and the router requires more careful administration.
Screened Subnet - A variant of the dual-homed gateway in which the single bastion host is replaced by an entire sub-network isolated by routers. Both the private network and the Internet have access to hosts on this sub-network, while traffic between the Internet and the private network is blocked. This design allows multiple hosts on the screened network.
Dual-homed Routers - Such a system deploys an "inside" router on the private network that exchanges messages with an "outside" router on the exposed network. The "outside" router is connected to the Internet, and both routers implement security rules.
Not long ago, firewalls fell into one of four major categories, depending on the type of access control they used, i.e., packet filtering, application gateways, circuit-level gateways, and proxy servers. Today, most systems and products are hybrids that expand across the traditional classes.
In a packet-filtering firewall, every packet is identified, and its source and destination addresses and requested service are examined. This approach is generally the easiest type of control to administer, but also the most vulnerable to penetration. In most products, packet filtering appears as an option or as part of a hybrid package.
Application gateways use special-purpose software that restricts traffic to specific applications such as Lotus Notes or e-mail. The gateway uses specialized code for each particular application, and access is provided only to those applications that are permitted to pass traffic. General-purpose code is not used, since such code is not specific to the application in use; this makes for greater security.
Circuit-level gateways connect an internal destination to an outside TCP/IP port, such as a peripheral network printer. These gateways function as intelligent filters to separate User Datagram Protocol traffic from a valid TCP session. The application in use is not identified.
Proxy servers can also act as firewalls. They maintain replicated copies of Web pages for a designated group of users and provide access to those groups. They can be set up as storage space for more sensitive information, safely kept at the address point with an appropriate routing scheme.
A new technology, Stateful Inspection, has surfaced. It works by deriving information from the state of a transmission and applying it to the organization’s business rules. The state information is stored so that messages from similar sources can be inspected and examined in context; for example, a previously authenticated user’s application is recognized again to allow access to authorized services. This is done at the physical layer of the OSI networking protocol model. The purpose is to screen transmissions before the operating system is contacted.
Firewalls are designed to block unauthorized access. Yet they are not the answer to total protection, and they are not a general-purpose control system that can save internal networks from abuse by internal users. Information security surveys report that more than 50 percent of attacks on networks are carried out by insiders. Certainly, firewalls are not the solution to the malicious code problem.
One example is the Trojan horse, a program that pretends to be something it is not. Trojan horses can act as password sniffers to gain access to a company’s internal network and cause considerable damage. Some 90 percent of organizations with more than 500 PCs have experienced, on average, at least one virus incident per month. The cost of an incident averages over $8,000 and can run as high as $10,000, with survey results indicating that the problem is getting worse rather than better.1 New types of viruses that use macro languages spread through shared documents rather than programs. These documents travel across the World Wide Web and as e-mail attachments over the Internet. Virus-scanning firewalls are only part of the answer.
Other loopholes can be found in firewall code. An external interface that responds to a traceroute query is a security problem, and certain firewalls are allowed to perform such tasks.
There are also SYN storms (also known as SYN flooding), a denial-of-service attack that took down several ISPs last fall.2 A SYN storm bombards the firewall with requests to synchronize TCP connections. All available buffers on the firewall are used up responding to these requests, until there is no capacity left to accept legitimate connections.
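As an added illustration of the stateful inspection described above and of the SYN-storm exhaustion just mentioned (this is example code written for this edit, not a product or the authors' own), the following keeps a connection table so that each packet is judged in the context of the handshake that preceded it, and counts half-open connections per client so that an excess can be reported instead of silently consuming buffers. All addresses, ports and the half-open limit are constructed for the example.

```python
from dataclasses import dataclass

SYN_RECEIVED = "SYN_RECEIVED"   # SYN seen from client, handshake not yet complete
ESTABLISHED = "ESTABLISHED"     # three-way handshake completed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN+ACK, "A" ACK, "F" FIN, "R" RST


class StatefulInspector:
    """Keeps a connection table so that each packet is judged in the context
    of the packets that came before it, and counts half-open connections per
    client so that a SYN flood can be reported before buffers are exhausted."""

    def __init__(self, allowed_ports=(80, 443), half_open_limit=3):
        self.allowed_ports = set(allowed_ports)
        self.limit = half_open_limit
        self.table = {}      # (client, cport, server, sport) -> connection state
        self.half_open = {}  # client address -> number of SYN_RECEIVED entries
        self.alerts = []

    def _forget(self, key):
        """Drop a table entry, releasing its half-open slot if it never completed."""
        if self.table.pop(key, None) == SYN_RECEIVED:
            self.half_open[key[0]] -= 1

    def inspect(self, p):
        """Return "ACCEPT" or "DROP" for one packet, updating the state table."""
        fwd = (p.src, p.sport, p.dst, p.dport)   # key if p comes from the client
        rev = (p.dst, p.dport, p.src, p.sport)   # key if p is the server's reply
        if p.flags == "S":                       # new connection attempt
            if p.dport not in self.allowed_ports:
                return "DROP"
            pending = self.half_open.get(p.src, 0)
            if pending >= self.limit:            # too many unfinished handshakes
                self.alerts.append(f"possible SYN flood from {p.src}")
                return "DROP"
            self.table[fwd] = SYN_RECEIVED
            self.half_open[p.src] = pending + 1
            return "ACCEPT"
        if p.flags == "SA":                      # reply is valid only for a pending SYN
            return "ACCEPT" if self.table.get(rev) == SYN_RECEIVED else "DROP"
        if p.flags == "A":
            if self.table.get(fwd) == SYN_RECEIVED:   # final step of the handshake
                self.table[fwd] = ESTABLISHED
                self.half_open[p.src] -= 1
                return "ACCEPT"
            if ESTABLISHED in (self.table.get(fwd), self.table.get(rev)):
                return "ACCEPT"                  # traffic inside a known connection
            return "DROP"                        # bare ACK with no context: out of state
        if p.flags in ("F", "FA", "R", "RA"):    # teardown: forget the connection
            self._forget(fwd)
            self._forget(rev)
            return "ACCEPT"
        return "DROP"


def demo():
    """Constructed traffic: a clean handshake, an out-of-context ACK, a Telnet SYN,
    then a burst of SYNs from one source that exceeds the half-open limit."""
    fw = StatefulInspector(half_open_limit=2)
    client, server, flood = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    decisions = [
        fw.inspect(Packet(client, 40000, server, 80, "S")),
        fw.inspect(Packet(server, 80, client, 40000, "SA")),
        fw.inspect(Packet(client, 40000, server, 80, "A")),
        fw.inspect(Packet("203.0.113.9", 5555, server, 80, "A")),  # no handshake seen
        fw.inspect(Packet(client, 40001, server, 23, "S")),        # Telnet not permitted
    ]
    decisions += [fw.inspect(Packet(flood, 1000 + i, server, 80, "S")) for i in range(3)]
    return decisions, fw.alerts


if __name__ == "__main__":
    print(demo())
```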
Another observed weakness is TCP sequence prediction, which fools a system that uses IP addresses for authentication into thinking that forged packets actually come from trusted networks.
Firewalls should be flexible enough to grant access to Web servers even when all other access is blocked behind them. They should also be able to guard against IP spoofing, in which intruders configure their machines with IP addresses from the inside in order to attack a network. The results of a recent study show that access to multiple Web servers is denied.3
Firewalls are vulnerable to malicious applets written in ActiveX or Java. Since these are new-generation languages, there are no tests or proven evidence of the effectiveness or ineffectiveness of firewalls against them. Nonetheless, firewalls are better off programmed to screen whatever executable content they can handle.
One of the most important facts is that abuse by insiders of the valuable information on Intranets in many cases outranks external hackers in information security surveys. According to the February 1996 issue of NetGuide, "recent federal law enforcement estimates that online thieves steal more than $10 billion worth of data in the United States annually". Protecting valuable assets has become a most challenging business problem in corporations that have established Intranets. The most expensive and effective firewall is unlikely to protect one department’s computer system from another department’s when the door is left open and the key is left on the counter. Internal firewalls are therefore just as important as external firewalls.
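The packet-filtering attributes listed earlier (source and destination address, port, protocol, arriving interface) and the IP-spoofing guard just described can be demonstrated with a small first-match rule evaluator. This is an added example written for this edit, not code from the paper or any product; the private range 10.0.0.0/8, the web server address and the rule set are constructed. The anti-spoofing rule works by noting that a packet claiming an internal source address can never legitimately arrive on the external interface.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed: the private Intranet
WEB_SERVER = "10.1.1.80"                             # constructed: the one public service
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" (Internet) or "int" (Intranet)
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    note: str
    iface: str = "*"     # "*" matches any interface
    proto: str = "*"     # "*" matches any protocol
    src: str = ANY       # CIDR the source address must fall in
    dst: str = ANY       # CIDR the destination address must fall in
    dport: int = 0       # 0 matches any destination port

    def matches(self, p):
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (0, p.dport))


# Rules are evaluated top to bottom; the first match decides.
RULES = [
    # Anti-spoofing: an internal source address cannot legitimately arrive on the
    # external interface, so such packets are dropped before any other rule applies.
    Rule("deny", "anti-spoofing: internal source on external link",
         iface="ext", src=str(INTERNAL_NET)),
    Rule("deny", "no Telnet from outside", iface="ext", proto="tcp", dport=23),
    Rule("permit", "public web server", iface="ext", proto="tcp",
         dst=WEB_SERVER + "/32", dport=80),
    Rule("permit", "insiders may reach the outside", iface="int", src=str(INTERNAL_NET)),
]
DEFAULT = Rule("deny", "default deny")   # anything not explicitly permitted is dropped


def filter_packet(p, rules=RULES):
    """Return (action, note) for the first rule that matches, else the default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.note
    return DEFAULT.action, DEFAULT.note


def demo():
    """Constructed packets exercising each rule, including a spoofed internal source."""
    samples = [
        Packet("ext", "tcp", "10.2.3.4", WEB_SERVER, 4444, 80),      # spoofed source
        Packet("ext", "tcp", "203.0.113.5", WEB_SERVER, 4444, 80),   # legitimate web hit
        Packet("ext", "tcp", "203.0.113.5", WEB_SERVER, 4444, 23),   # Telnet from outside
        Packet("int", "tcp", "10.5.5.5", "198.51.100.1", 5000, 80),  # insider browsing out
        Packet("ext", "udp", "203.0.113.5", WEB_SERVER, 53, 53),     # unlisted service
    ]
    return [filter_packet(p) for p in samples]


if __name__ == "__main__":
    for result in demo():
        print(result)
```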
There are many aspects an organization must examine in the deployment of firewalls. The three main forces behind a successful firewall operation are the policy, the people who execute and maintain the policy, and the technology employed in support of the operation. The decisions on the implementation and operation of the firewall must meet the following criteria, whether a vendor is used or in-house personnel are in charge:
- Establish guidelines of how the firewall will be tested
- Determine who will verify the firewall performs as expected
- Determine who will perform general maintenance of the firewall, such as backups and repairs
- Determine who will perform user support and training
- Determine who will install updates to the firewall, such as for new proxy servers, new patches and other enhancements
- Examine whether security-related patches and problems can be applied and corrected in a timely manner.
A firewall should possess the following properties:
- All traffic from inside to outside or from outside to inside must pass through it;
- It allows only authorized traffic, as defined by the security policy, to pass through;
- The system itself is "immune" to any form of penetration.
Firewalls should have the following features:
- Limits access to its own programs;
- Provides separation of duties;
- Provides extensive auditing;
- Protects Intranets from unauthorized access;
- Protects its own processes, configuration, log and audit files;
- Adds support on the fly, expanding as needs evolve;
- Blocks employees from going to designated Internet sites;
- Mixes and matches software, provided a standard interface platform is in place;
- Pages and e-mails management automatically to notify them when their network is in jeopardy;
- Is complemented by proper anti-virus policies and procedures to reduce virus infections.
Further, firewalls selected for implementation should be designed simply, so that they can be understood. They should run on operating systems that are updated with patches and other bug fixes in a timely manner. They should also be developed in a manner that makes their strength and correctness verifiable. Trouble should be detected almost before it happens. The firewall is the security clearinghouse that reports intrusions, investigates them, publishes advisories at regular intervals and recommends security countermeasures.
A firewall, as the critical gateway that prevents corporate networks from being exposed to either accidental or malicious attacks, must be accountable, available and reliable. What makes a firewall a good gatekeeper, one that can protect valuable data and applications and catch unauthorized users?
Essentially, the backbone of an effective firewall is the corporate security policy, applied by personnel who ensure that the firewall is doing an effective job. The security policy must be developed based on the functional needs of, and risks to, the organization. Needs and risks are not always obvious or easily defined. Generally speaking, when the security level is tightened, the organization pays the price in terms of increased complexity of access, increased response time and reduced communication. It is therefore important to balance costs, risks and practicality.
To properly analyze the risks involved, both business and technology management should be involved. It is business management who can quantify the risks to the firm arising from a security threat, and technology management who can provide technology options to mitigate those risks. Most importantly, it is every employee’s responsibility to follow security policies and procedures to ensure that physical and intellectual property is protected, including information and services on the corporate Intranet. A collaborative effort between business and technology management can ensure effective implementation and execution of security policies across all functions in the company. Goals must be clearly set up-front, along with implementation and execution procedures, as well as the individuals or groups accountable for taking those actions. Regular auditing must be part of the security program, so that the program is constantly reviewed and revised to ensure its viability in an ever-changing business and technology environment.
In the 1970s, firewalls were custom made and cost around $50,000. This first-generation firewall was a complex product and required a consultant to install and maintain.
In the 1980s, firewalls were made easier to use and configure. The cost was around $15,000 to $20,000, and they still required experts and consultants to help with installation and maintenance. Bigger companies paid considerably more, because the price increased with the number of users.
Today, new types of firewalls introduced to the market are much easier to configure and use. These firewalls are usually a combination of hardware and software, which differs from the older types that were mostly software driven. They are now less complicated and can be run by any competent IT personnel. The cost of installation and maintenance is greatly reduced, and these firewalls are much less expensive than older models. High-end models still range around $18,900, but the average price for low-end models is expected to tumble to $2,000 from $3,500. From a revenue standpoint, this is undoubtedly a brutal market. Manufacturers’ run rate is more than 20,000 units shipped. Low-end models are in strong demand, especially for Intranets. As the number of Intranets grows, large corporations would like to deploy simple solutions that require less complex configuration.
With low cost and ease of use, a firewall makes it easier to protect a corporation’s data and information, both internally and externally, than in the past.
Technologically, firewall products will become more robust, and will be an integral part of the enterprise security solution, as they will be integrated with other security technologies such as digital signatures, tokens, encryption, smart cards, SSL, and S-HTTP. Organizations will most likely replace static passwords with authentication tokens or smart card-based passwords to secure their remote access devices or when employees are using the Internet for access. Over the long run, we should see fewer firewall vendors since the market will become more consolidated. These vendors will be bigger and more capable of providing products combining firewall, encryption and other security technologies, as well as management consulting to companies requiring total security solutions.
A higher degree of cooperation between the commercial and government sectors will also be established. As cross-certification between the two becomes increasingly necessary, and requirements for standards and interoperability prevail, a joint certification authority will eventually be established between commercial and governmental organizations.
In the last 18 years, Simon Tsang has held various positions in Data Center Operations Management, Technology Risk Management and Contingency Planning, and has worked for such companies as Bankers Trust Company and Pinnacle Alliance / Computer Science Corporation, in both New York and Asia. Presently, he is a Vice President at Merrill Lynch & Co., responsible for coordinating the firm’s Year 2000 program in the Far East. He earned an MBA in 1991 from the University of East Asia in Macau (since renamed the University of Macau), and an MS in Computing and Telecommunications Management in 1998 from Polytechnic University in New York. He is a Member of the British Computer Society (MBCS and Chartered Information System Practitioner), as well as a Member of the Institute of Management, U.K. (MIMgt). Simon Tsang can be reached by e-mail at firstname.lastname@example.org.
Dorothy Woo was born and raised in Hong Kong. She arrived in New York as a foreign student when she was a teenager and earned her Bachelor of Business Administration in Advertising at Baruch College. Her graduate study was in the field of Telecommunication and Information Management. In May of 1998, she completed her Master of Science degree at Polytechnic University. In the business world, Dorothy has held many job titles. She has a diversified background and vast knowledge of the telecommunication industry. Currently she is working for Bell Atlantic as a Senior Specialist in charge of major projects. Prior to working for Bell Atlantic, she had worked for AT&T before the divestiture. After the divestiture, she became a member of New York Telephone. From New York Telephone she moved on to NYNEX. Her nineteen-year career has mainly been spent achieving technological excellence and success. At home, Dorothy enjoys playing volleyball and loves listening to music. She has two wonderful children who keep her busy schedule extremely challenging. Dorothy Woo can be reached at email@example.com.
4 Steven L. Telleen, Ph.D., Strategies for managing change, http://www.iorg.com/intranetorg/homepage.html.