20 September 2016

Network Firewall Technologies

1. Security Threats from connecting to the Internet

Most organisations today have an internal network that interconnects their computer systems. There is usually a high degree of trust between the computer systems in the network, particularly if the network is private. Many organizations now see the benefits of connecting to the Internet, but the Internet is an inherently insecure network. Some of the threats inherent in the Internet include:

Weak or no authentication required. Several services, e.g. rlogin, require no password to be given when a user logs in. Other services provide information with little or no authentication, e.g. anonymous FTP and WWW. Other services trust the caller at the other end to provide correct identification information, e.g. TCP and UDP trust the IP address of the remote station; while other services grant access at too large a granularity, e.g. NFS grants access to anyone from a particular remote host. Finally, many services require passwords to be transmitted in the clear across the network, which makes them vulnerable to capture and replay.

Insecure software. Internet software, particularly shareware and free or low-cost packages, often has bugs or design flaws, usually as a result of poor design or insufficient testing. But due to their ready availability and low cost, many people still use these packages. Examples include the UNIX sendmail program, which has had numerous vulnerabilities reported in it, and a freeware FTP product which contained a Trojan Horse that allowed privileged access to the server. Unscrupulous people are always ready to exploit these weaknesses.

Sniffer programs. In 1994 the CERT reported that thousands of systems on the Internet had been compromised by hackers, and sniffer programs installed on them. Sniffer programs monitor network traffic for usernames and passwords, subsequently making these available to the hacker.

Cracker programs. These programs, widely available on the Internet, run in background mode on a machine, encrypting thousands of different words and comparing these to the encrypted passwords stored on the machine. These so-called dictionary attacks (because the words are held in a dictionary) are often very successful, providing the hacker with up to a third of the passwords on a machine.

Port scanners. These programs, again freely available from the Internet, send messages to all the TCP and UDP ports on a remote computer to see if any of them are open and waiting to receive a call. Once an open port has been located, the hacker will then try to get into the computer through it.

Ease of masquerade (spoofing). The weaknesses above make it relatively easy for the hacker to exploit the trust inherent in the Internet, or to capture passwords and replay them. Other security weaknesses include: the SMTP protocol uses plain ASCII commands to transfer messages, so a hacker can TELNET into an SMTP port and simply type in a bogus Email message; and a feature called IP source routing allows a caller to falsify its IP address and to provide the recipient with a return path directly back to itself.

So how can an organization securely connect to the Internet? One solution is to use one or more network firewalls.

2. What is a Firewall?

A firewall is a secure Internet gateway that is used to interconnect a private network to the Internet. There are a number of components that make up a firewall:

i) the Internet access security policy of the organisation. This states, at a high level, what degree of security the organisation expects when connecting to the Internet. The security policy is independent of technology and techniques, and should have a lifetime independent of the equipment used. Statements from such a security policy might be: external users will not be allowed to access the corporate network without a strong level of authentication; any corporate information not in the public domain must be transferred across the Internet in a confidential manner; and corporate users will only be allowed to send electronic mail to the Internet - all other services will be banned.

ii) the mapping of the security policy onto technical designs and procedures that are to be followed when connecting to the Internet. This information will be updated as new technology is announced, as system configurations change, etc. For example, regarding authentication, the technical design might specify the use of one-time passwords. Technical designs are usually based on one of two security stances: either permit any service unless it is expressly denied, or deny any service unless it is expressly permitted. The latter is clearly the more secure of the two, because a service nobody thought to list is closed rather than open.

iii) the firewall system, which is the hardware and software that implements the firewall. Typical firewall systems comprise an IP packet filtering router and a host computer (sometimes called a bastion host or application gateway) running application filtering and authentication software.

Each of these firewall components is essential. A firewall system without an Internet access security policy cannot be correctly configured. A policy without enforced procedures is worthless, as it will be ignored.

3. Advantages of Firewalls

Firewalls have a number of advantages.

They can stop incoming requests to inherently insecure services, e.g. you can disallow rlogin, or RPC services such as NFS.

They can control access to other services, e.g. bar callers from certain IP addresses; filter the service operations (both incoming and outgoing), e.g. stop FTP writes; and hide information, e.g. by only allowing access to certain directories or systems.

They are more cost effective than securing each host on the corporate network, since there is often only one or a few firewall systems to concentrate on.

They are more secure than securing each host, for two reasons: the complexity of the software on a general-purpose host makes it easier for security loopholes to appear, whereas firewalls usually have simplified operating systems and don't run complex application software; and the number of hosts that would otherwise need to be secured (the security of the whole is only as strong as the weakest link).
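As an added illustration, not part of the original article, the following Python models the packet filtering router described in section 2 under both policy stances of section 2(ii), applied to the service controls listed in section 3 (disallowing rlogin and NFS, barring callers from an address range) and to the source-routing weakness of section 1. The port numbers, the barred range 192.0.2.0/24 and the packet and rule formats are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

RLOGIN, NFS, SMTP = 513, 2049, 25   # well-known ports of services the article names

@dataclass(frozen=True)
class Packet:
    src: str                      # caller's IP address
    dport: int                    # destination TCP/UDP port
    proto: str                    # "tcp" or "udp"
    source_routed: bool = False   # IP source-routing option present

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR of the callers the rule applies to
    dport: Optional[int] = None   # None matches every port
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and (self.dport is None or self.dport == p.dport))

@dataclass
class Policy:
    default: str                  # stance applied when no rule matches
    rules: List[Rule]
    def decide(self, p: Packet) -> str:
        # Source routing lets a caller falsify its address: drop such packets
        # before any rule is consulted, whatever the stance.
        if p.source_routed:
            return "deny"
        for r in self.rules:      # first matching rule wins
            if r.matches(p):
                return r.action
        return self.default

# Stance 1: deny any service unless expressly permitted; only inbound SMTP is opened.
deny_unless_permitted = Policy("deny", [
    Rule("deny", src="192.0.2.0/24"),          # constructed: a barred caller range
    Rule("permit", proto="tcp", dport=SMTP),
])

# Stance 2: permit any service unless expressly denied; any unlisted port stays open.
permit_unless_denied = Policy("permit", [
    Rule("deny", src="192.0.2.0/24"),
    Rule("deny", proto="tcp", dport=RLOGIN),
    Rule("deny", dport=NFS),                   # NFS is served over both TCP and UDP
])
```

Comparing the two policies on a packet to an unlisted port (say 8080) shows why the article calls the deny-unless-permitted stance the more secure one.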

4. Disadvantages of Firewalls

Firewalls are not the be-all and end-all of network security. They do have some disadvantages, such as:

They are a central point for attack, and if an intruder breaks through the firewall they may have unlimited access to the corporate network.

They may restrict legitimate users from accessing valuable services; for example, corporate users may not be let out onto the Web, or when working away from home a corporate user may not have full access to the organization's network.

They do not protect against back door attacks, and may encourage users to enter and leave via the back door, particularly if the service restrictions are severe enough. Examples of back door entrance points to the corporate network are modems and importing/exporting floppy discs. The security policy needs to cover these aspects as well.

They can be a bottleneck to throughput, since all connections must go via the firewall system.

Firewall systems on their own cannot protect the network against smuggling, i.e. the importation or exportation of banned material through the firewall, e.g. games programs as attachments to Email messages. Smuggling could still be a significant source of virus infection if users download software from external bulletin boards etc. The recent Melissa and Love Bug viruses were smuggled inside Email messages unbeknown to the recipients. This is an area that the security policy needs to address. There are software packages that can help with this, e.g. Mimesweeper runs in the firewall and checks Email attachments before letting them pass. It will remove potentially dangerous attachments or stop the Email altogether.

The biggest disadvantage of a firewall is that it gives no protection against the inside attacker. Since most corporate computer crime is perpetrated by internal users, a firewall offers little protection against this threat. For example, an employee may not be able to Email sensitive data from the site, but they may be able to copy it onto a floppy disc and post it.

Consequently, organizations need to balance the amount of time and money they spend on firewalls with that spent on other aspects of information security.
