Abstract
The Internet offers tremendous promise as a high-speed global
communication medium providing instant information and entertainment
and enabling new forms of commerce. It has also emerged as
an absolute paradise for network intruders or hackers.
To ensure the integrity of their networks, many corporations
have installed Internet firewalls. A firewall is a
single device or a series of specialised servers and routers
that will control network usage by user, by location and by
application. Firewalls can also be used to protect one LAN
from another LAN within the same enterprise. Token-based authentication
is well-suited for establishing the identity of users seeking
services such as Telnet and FTP via the firewall. Firewall-based
Virtual Private Networks are best suited to multinationals
who need to ensure the privacy of their intra-net communications.
Keywords:
Hacker, Network Security, Firewall, Packet Filter, Application
gateway, Circuit Gateway, Stateful Inspection, Password,
Identification, Advanced Authentication, Security Policy,
Encryption, Virtual Private Network, Remote Access, User
Authentication, Tokens, Time-synchronised
Introduction
Most of you have seen sensational headlines about sophisticated
hackers breaking into corporate and government networks. Who
are these people? They range from clever students and thrill-seekers
to unscrupulous professional cyber-criminals. What do they
do? They install sniffers and Trojan horses on network nodes
to monitor transmissions. They listen in and copy email, files
or logon sequences. They crack into computers to gain lists
of credit card numbers or passwords which are then used for
illicit activity. The more ambitious of the cyber-criminals
have electronically stolen large sums of money from financial
institutions and transferred it to offshore accounts.
How did these organisations become vulnerable? They left electronic
doors open. They failed to keep up with the advances in
technology that have enabled such security breaches. They
trusted systems or individuals who were not worthy of the
trust.
This paper is not a survey of computer crime methods but rather
a survey of a class of products that are designed to protect
against unauthorised network access to systems, services
and resources. This class of product is referred to as a
network firewall. I will describe the basic types
and key features of these products. I will then address
the subject of traditional versus advanced user authentication
within a firewall. Finally I will show how an authentication
architecture can be extended to other network systems and
devices.
Firstly, however, let's take a high level view of enterprise security.
What are the industry trends that impact network security?
What are the major concerns of top management? How do these
concerns filter down security policy and network configurations?
Establishing the Requirements
Computer and network security has historically been the focus
of businesses engaged in security-conscious industries such
as banking, telecommunications, aerospace and defence. However,
with the increased use of enterprise-wide computing and remote
access, network security is of increasing concern to mainstream
businesses that use computer or network-based information
resources. According to a recent survey conducted by Ernst
& Young in the USA and published in Information
Week (27 November 1995), nearly half of US corporations
lost valuable information as a result of computer security
breaches in the last two years. At least 20 of the 1290 respondents
had breaches resulting in losses of over US$1,000,000. Security
continues to gain a greater corporate focus. Nearly 80% of
respondents now have a full-time security administrator -
up from 75% last year.
The Internet is upon us and has emerged as an absolute paradise
for hackers. By definition, the Internet is an un-trusted
network, while your internal network is normally considered
a trusted network. By establishing a connection to
the Internet, you may compromise the trust of your internal
network.
How does a network become compromised? Intruders may pose as
trusted users or pretend that their computers are trusted
network nodes. Industry confidence in static passwords is
diminishing rapidly. Well-composed or even encrypted passwords
are vulnerable to being intercepted and 'stolen' by today's
more sophisticated system attackers. In recent months, unidentified
system 'crackers' have deployed password-gathering programs
and have succeeded in collecting tens of thousands of passwords.
These keys to the kingdom are commonly shared with
other intruders to be used for future adventures. User identification
by location, or IP address, is a more recent phenomenon.
The reliability of network defences based upon this approach
has also come under scrutiny as sophisticated intruders
have developed IP-spoofing techniques, forging the source address
of a packet so that it appears to come from a trusted node.
It's quite difficult to gauge the extent of the problem since
many victim organisations will not report any breaches -
in fact, the inclination for most organisations is to keep
quiet to avoid negative publicity or loss of face. However,
one researcher estimated worldwide losses due to hacker
intrusions at $800 million annually, half of which was lost
by US companies. The US Senate's Permanent Investigations
Subcommittee reported these estimates in June 1996, after
an eight month probe of computer security. Most losses sustained
by banks do not appear in required federal reports, according
to a subcommittee spokesperson, due to fears that the resulting
publicity would cost them clients. In another report to
the subcommittee, intruder attacks on Defence computer systems
were estimated at 250,000 per year with a 65% success rate.
Management Concerns & Security Policy
The highest level concern of the enterprise regarding network security
is the ability to audit network activity. The internal network
is a valuable - and vulnerable - enterprise resource.
Senior Management has a need and indeed an obligation to know
who the users are, what they are doing, where they are doing
it and when they are doing it. Other concerns of management
are privacy and integrity of corporate data, and control of
user privileges - for employees as well as non-employees such
as customers or suppliers.
Products for the protection of information resources on
a computer system or network can be grouped into four classes.
These classes of security products form a hierarchy which
is set forth in the following diagram:
Figure 1: Computer and Network Security Hierarchy
Audit products are for monitoring and recording user activity.
Encryption products provide privacy and/or integrity
by scrambling and unscrambling data using secret (symmetric) or public
keys. Privilege Definition Products are for administering
the level of data, system access and application privileges
granted to specific users. User Identification and Authentication
products are for authenticating the identity of authorised
users. The effectiveness of each succeeding class of security
products is either dependent on, or enhanced by, the availability
and effectiveness of one or more of the preceding classes.
For example, without proper authentication of the identity
of a user, it is difficult to control access to encryption
keys or to effectively audit user activity.
Some analysts extend the hierarchy to show a further dependence
on physical security. All bets are off if the computer criminal
wheels away the corporate database server in the middle
of the night.
Network Firewalls and the Hierarchy
Network firewalls are concerned first and foremost with privilege
definition within the trusted network. The next most significant
capabilities of a firewall product are audit and user authentication.
A more recent feature of firewall products is encryption.
Privilege. Firewalls can grant privilege with either of two primary
approaches. The first states that all that is not expressly
prohibited is allowed. The second states that all that is
not expressly allowed is prohibited; this is the safer stance,
since a new or overlooked service stays blocked until someone
decides to permit it. What are these privileges?
The primary privileges addressed by a firewall are access to
network resources and services. The resources are typically
data, file, application and mail servers. The services comprise
an ever-expanding list including Telnet, FTP and Mail. Note
that if the firewall allows access to sensitive resources,
advanced authentication must be considered.
Figure 2: Packet Filtering Firewall-Router.
Audit. The firewall audit function is to log usage activity as
well as failed usage attempts. The usage reports will typically
identify the user, time, service and resources accessed.
However, since the firewall is a gateway product, it may
not be capable of tracking everything a remote user has
done once accessing the network. The firewall may also not
be capable of monitoring internal user activity within the
trusted network. Attempts at unauthorised access can be
tracked, including incorrect user name, wrong passwords,
failed logons, etc. Note that the audit of user activity
will be only as reliable as the level of user authentication.
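As an added example of the audit function just described (written for this discussion, not a product's own reporting tool), the Python below parses a constructed sample of gateway log lines into the user/time/service/resource view that management asks for and flags any source that accumulates failed logons in a short window. The log format, the host addresses and the events are all constructed for the example; real firewalls use their own layouts.

```python
"""Audit of firewall usage and failed logon attempts.  Example code written
for this discussion, not a product's reporting tool.  The log format and the
lines below are constructed for the example; real firewalls use their own."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of an audit log: one event per line.
SAMPLE_LOG = """\
1996-06-03 08:01:12 auth-ok user=alice src=203.0.113.7 svc=telnet dst=10.0.1.5
1996-06-03 08:01:40 auth-ok user=alice src=203.0.113.7 svc=ftp dst=10.0.1.9
1996-06-03 08:02:03 auth-fail user=root src=198.51.100.23 svc=telnet dst=10.0.1.5 reason=bad-password
1996-06-03 08:02:09 auth-fail user=admin src=198.51.100.23 svc=telnet dst=10.0.1.5 reason=no-such-user
1996-06-03 08:02:15 auth-fail user=root src=198.51.100.23 svc=telnet dst=10.0.1.5 reason=bad-password
1996-06-03 08:05:30 auth-fail user=bob src=192.0.2.44 svc=ftp dst=10.0.1.9 reason=bad-password
1996-06-03 08:05:51 auth-ok user=bob src=192.0.2.44 svc=ftp dst=10.0.1.9
1996-06-03 08:30:00 auth-fail user=guest src=192.0.2.44 svc=telnet dst=10.0.1.5 reason=no-such-user
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (auth-ok|auth-fail) (.+)$")


def parse_log(text):
    """Turn log lines into records; malformed lines are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields["event"] = m.group(2)
        records.append(fields)
    return records


def usage_report(records):
    """Who used which service on which resource, and how often.
    Only successful logons count: the user name on a failed attempt is
    whatever the caller typed and is not evidence of who was present."""
    report = Counter()
    for r in records:
        if r["event"] == "auth-ok":
            report[(r["user"], r["svc"], r["dst"])] += 1
    return report


def failed_logon_alerts(records, threshold=3, window=timedelta(minutes=5)):
    """Sources with `threshold` or more failed logons inside any `window`,
    which is what a password-guessing run against the gateway looks like."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "auth-fail":
            failures[r["src"]].append(r["ts"])
    flagged = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (user, svc, dst), n in sorted(usage_report(recs).items()):
        print(f"{user:8} {svc:7} {dst:12} {n}")
    print("alert, repeated failed logons from:", failed_logon_alerts(recs))
```

Note what the report can and cannot say: it records the gateway's view only, so bob's single mistyped password followed by a success is not an alert, while three rapid failures from 198.51.100.23 against 'root' and 'admin' are. Once a user is through the gateway, what they do on the internal hosts is outside this log, which is the limitation the paragraph above describes.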
User Authentication. Firewalls in their standard configuration
typically use only static passwords to protect user and administrative
accounts. This is a concern since static passwords have
known weaknesses. Passwords are often shared between users
and can be guessed, stolen or observed. As a result, they
can be compromised without user awareness. However, most
firewalls provide advanced authentication as an optional
feature. The reliability of privilege and audit functions
of a firewall are highly dependent on the strength of user
authentication.
Encryption. Since firewalls often operate as a gateway to and from
the trusted networks, they become the logical point to encrypt
transmissions through the un-trusted network. This capability
ensures the privacy of the transmitted data but normally
requires that both gateways operate identical firewall products.
Definition of a Firewall
What exactly do we mean by a firewall? The term firewall
is based upon the concept of adjacent buildings or compartments
which are at risk of damage if a fire ignites and follows
a path to the next unit. The firewall, composed of metal,
asbestos or some fire-resistant material, is installed at
the juncture to provide protection until help arrives.
A network firewall has a similar concept. I would define it as follows:
A network firewall is a set of software and hardware components
designed to secure the trusted network from outside intrusion
through the assignment and monitoring of privilege by
user and by location.
Figure 3: Firewall composed of UNIX Application
Gateway with DMZ behind Filtering Router.
It's important here to distinguish between the 'concept'
of a firewall and firewall 'products'. In the end, the most
effective firewall may be a combination of off-the-shelf products
and some home-grown tools that address various levels of
the security hierarchy. Network firewall products are based
upon two primary types or techniques. These are Packet Filtering
(PF) and Application Gateway (AG). The Packet Filter examines
the header of each packet to determine whether it conforms
to the established policy. Policies in this case are limited
to source and destination addresses and ports (and the protocol);
the packet filter does not look at the application data being carried.
Packets that the policy excludes will not be transmitted.
A PF firewall is shown in Figure 2.
The most advanced firewall products are Application Gateways
which provide proxies to support specific services or applications.
The most commonly used services are Telnet and FTP. Other
common services supported are SMTP (email), X11, Gopher
and HTTP. These application gateway firewalls will prohibit
all services unless they have been explicitly allowed. With
the AG, each service is represented by a proxy which will
be launched as requested by the user; because the proxy speaks
the application protocol, it can check the request itself and not
just the addresses. The AG is more flexible
in that it can enforce policies by service, by location
and by user. The trade-off for AG versus PF may be
performance, since the AG firewall will run a number of processes
as required by each user. A router can be configured as
a PF, but an AG must be built upon a general-purpose host
running an operating system such as UNIX or Windows NT.
Placing two firewall products at the Internet/LAN connection
allows you to define a semi-trusted zone. This zone, normally
referred to as a DMZ, or demilitarised zone, is where Internet-related
servers can be located. Figure 3 shows an AG and PF forming
a DMZ for the WWW Server.
Alternatively, a DMZ can be established that is fully under
the control of the AG. This is shown in Figure 4. Also shown
in Figure 4 is an authentication server which is described
in a later section.
Figure 4: UNIX Application Gateway Firewall protecting
the DMZ. Authentication Server located on Secure LAN.
Aside from the Packet Filter and Application Gateway, two
other firewall models have been proposed. These are the
Circuit Gateway and Stateful Inspection. The Circuit Gateway
is concerned with allowing or disallowing a session (such
as Telnet or FTP), without analysing the content of the
transmitted packets. Stateful Inspection analyses the packets
while remaining aware of the state of the session, but avoids
raising the process to the application level. Both seem
to offer a compromise between the extremes of the Packet
Filter and Application Gateway. A commercial firewall product
can employ some or all of these models to achieve the various
goals of throughput, flexibility, ease of implementation,
robustness, etc.
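To make the two privilege stances, the packet-filter model and stateful inspection concrete, the following Python is an added example written for this discussion; it is not code from any firewall product mentioned above. The 10.0.0.0/8 trusted block, the 192.0.2.10 mail relay, the rules and the packets are all constructed for the example.

```python
"""Packet filtering under both privilege stances, an anti-spoofing check,
and a minimal stateful-inspection tracker.  Example code written for this
discussion; it is not taken from any firewall product.  The address blocks,
rules and packets below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed trusted LAN address block
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str           # "ext" = arrived from the Internet, "int" = from the LAN
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def is_spoofed(p: Packet) -> bool:
    """A packet from the Internet side claiming an internal source address
    is spoofed (or misrouted) and must never be admitted."""
    return p.iface == "ext" and ip_address(p.src) in INTERNAL_NET


def filter_packet(p: Packet, rules, default_allow: bool) -> str:
    """Stateless packet filter on header fields only.  The first matching
    rule wins; when nothing matches, the stance decides: 'all that is not
    expressly prohibited is allowed' (default_allow=True) or 'all that is not
    expressly allowed is prohibited' (default_allow=False)."""
    if is_spoofed(p):
        return "deny"
    for r in rules:
        if r.matches(p):
            return r.action
    return "allow" if default_allow else "deny"


class StatefulFilter:
    """Stateful inspection: connections opened from the trusted side are
    remembered, and packets from the Internet are admitted when they belong
    to one of them, so no standing rule has to open high ports for replies."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()    # (proto, client, client_port, server, server_port)

    def process(self, p: Packet) -> str:
        if is_spoofed(p):
            return "deny"
        if p.iface == "int":
            if filter_packet(p, self.rules, default_allow=False) == "allow":
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return "allow"
            return "deny"
        # Internet side: a reply matches a tracked flow with endpoints swapped
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        return filter_packet(p, self.rules, default_allow=False)


def sample_rules():
    """Policy for the example: the LAN may use Telnet and FTP on the Internet;
    the Internet may only reach the mail relay 192.0.2.10 (constructed)."""
    return [
        Rule("allow", "tcp", "10.0.0.0/8", ANY, 23),
        Rule("allow", "tcp", "10.0.0.0/8", ANY, 21),
        Rule("allow", "tcp", ANY, "192.0.2.10/32", 25),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    inbound_telnet = Packet("ext", "tcp", "203.0.113.5", 40000, "10.1.2.3", 23)
    print("permissive stance:", filter_packet(inbound_telnet, rules, True))    # allow
    print("restrictive stance:", filter_packet(inbound_telnet, rules, False))  # deny
```

Running it on the inbound Telnet packet shows the two stances disagree: under 'allow unless prohibited' an unlisted inbound Telnet to a LAN host passes, under 'prohibit unless allowed' it is dropped. The stateless filter also has no way to admit the replies to an outbound Telnet session without a standing rule for high ports, which is the gap stateful inspection closes by remembering the session. Active-mode FTP, where the server opens the data connection back to the client, is the classic case that a pure packet filter handles badly and a proxy or state tracker handles well.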
Firewall Security Features
...Firewall security is never static; a firewall may only be secure
at a point in time. New undiscovered vulnerabilities, changes
in configurations and even new hacking techniques may weaken
a firewall's effectiveness (Kurtz and
Roath, Price Waterhouse).
Network Firewalls are, by definition, security products.
However, a survey of commercially available products will
quickly identify a range of optional security features.
Perhaps here is where the rubber meets the road in the commercial
world of sales and marketing. Sample features include the
ability to block IP-spoofing, hide internal addresses and
sound an alarm if the network appears to be under attack.
More significantly, firewalls may offer support for Encryption,
Virtual Private Networking and Advanced Authentication.
Encryption and VPNs are discussed below. Advanced Authentication
is covered in the following section.
The basic encryption capability expected of the firewall
is to encrypt communication over the Internet between two
trusted sites, using the firewalls as gateways. The secure
'stream' of data is encrypted with a symmetric (secret-key) cipher
such as DES, RC2 or RC4. This feature, in its simplest form, will encrypt
between the gateways of two sites of the same company. A
more interesting challenge is to encrypt the session of
a mobile worker accessing the corporate LAN. Consider the
complexity of establishing a secure link to a portable PC
at a temporary un-trusted site such as a hotel, branch office
or customer site. In this case, positively establishing
the identity of the user (via advanced authentication) is
crucial. The most advanced firewalls will do all of the
above, which can be the basis of a Virtual Private Network
(VPN) or Internet Tunnel. However, there are additional
requirements such as key management and inter-operability.
A robust VPN requires a key server to store and propagate
keys as new sites are added. Since a secret key can be recovered
by exhaustive search given enough time and captured traffic,
the key server should also be capable of automatically generating
and distributing new keys to all gateways at the launch of new sessions,
or at user-defined intervals. Given the frequency and complexity
of key propagation, the only practical medium for distributing
keys is the WAN itself. To keep the new keys secret in transit,
the firewall can send them through the existing (secret key)
tunnel or through a separate logical channel based upon public
key encryption. The advantage of the latter is better security:
the new keys are protected by strong public key encryption rather
than by the very secret key that may already have been compromised.
In fact, a compromised VPN can be restored by distributing fresh
secret keys under public key encryption.
Why don't we just base the tunnel on a public key system?
Public key operations are far more computationally expensive than
symmetric ciphers, so they are ill-suited to encrypting a stream of
traffic; their role is to exchange the symmetric keys which then
protect the bulk data.
Figure 5: Virtual Private Network: Establishing
a Tunnel through the Internet.
The security of international VPNs is dependent upon the
strength of the encryption, which is export-regulated (and
classified by the US Government as a munition). Since governments
take a keen interest in the import/export of encryption,
it is not sufficient for network security professionals
to stay abreast only of the technological developments.
They must also be familiar with the related regulatory trends.
Since VPN products from different vendors do not inter-operate,
the enterprise must at the moment standardise on a single
firewall vendor to operate a VPN. To address this issue,
a new standard called Secure/WAN or S/WAN, built on the IETF's
IPsec specifications, has been proposed and is gaining momentum
in the industry.
How are firewalls deployed? Last year, 95% of firewall products
sold were installed to protect from external attack via
the Internet or other un-trusted networks. The Yankee group
estimates that within five years, firewall products will
be deployed as often for internal security as external.
Internal firewalls can be used to implement policy by site,
subnet, workgroup, etc. The Yankee Group further predicts
a tremendous surge in interest for firewall products. They
expect sales in the USA to grow from $121 million in 1995
to nearly $1 billion in five years.
Traditional versus Advanced Authentication
The traditional method of user identification and authentication
is the static password - something secret that the
user knows. Most computer-based systems, including network
firewalls, provide static password security. However, static
passwords are often shared between users and can be guessed,
stolen or observed. As a result, they can be compromised without
user awareness.
To address the weaknesses of passwords, a class of product
has emerged called a token - something physical that
the user possesses. These include smart cards, super-smart
cards and challenge/response systems. The token most widely
supported by Internet firewalls is the time-synchronised
token which contains an internal power source and display.
Time-synchronised tokens combine two methods of user identification
- something secret the user knows (a PIN) and something
the user possesses (the token). To gain access to a protected
resource, a user enters his or her PIN and a token code,
a constantly changing number automatically computed and
displayed on the liquid crystal display ('LCD') of the user's
secured token.
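The following Python is an added example of how the server end of such a scheme checks a PIN and a token code together; it is not a vendor's implementation, and since the paper does not give the proprietary code-generation algorithm, an HMAC-of-time-step construction (the one later standardised as RFC 6238 TOTP) stands in for it. The 60-second step, the seed and the PIN are assumptions made for the example.

```python
"""Server-side verification of a PIN plus time-synchronised token code.
Example code written for this discussion; it is not a vendor's algorithm.
The paper does not specify how tokens of the period computed their codes, so
an HMAC-based construction (the one standardised later in RFC 6238) stands
in for it.  The seed, PIN and times below are constructed for the example."""
import hashlib
import hmac
import os
import struct
import time
from secrets import compare_digest

STEP = 60      # seconds each displayed code is valid (assumed interval)
DIGITS = 6     # length of the displayed code
DRIFT = 1      # steps of clock drift tolerated either side of server time

SAMPLE_SEED = b"constructed-token-seed-0123456789"   # burned into one token


def token_code(seed: bytes, t: int) -> str:
    """The number the token's LCD shows at time t: an HMAC of the current
    time step, truncated to DIGITS decimal digits."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Holds each user's PIN (hashed) and token seed; firewall, WWW server and
    workstations act as clients that forward (user, PIN, code) for a verdict."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + pin.encode()).digest()

    def enroll(self, name: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "pin": self._pin_hash(pin, salt),
                            "seed": seed, "last_step": -1}

    def verify(self, name: str, pin: str, code: str, now=None) -> bool:
        """Both factors are always evaluated before the verdict, so a wrong
        PIN and a wrong code are indistinguishable to the caller.  A code is
        accepted at most once (no replay) and only within the drift window."""
        rec = self.users.get(name)
        if rec is None:
            return False
        now = int(time.time()) if now is None else int(now)
        pin_ok = compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin"])
        current = now // STEP
        matched_step = None
        for step in range(current - DRIFT, current + DRIFT + 1):
            if compare_digest(token_code(rec["seed"], step * STEP), code):
                matched_step = step
        if not pin_ok or matched_step is None or matched_step <= rec["last_step"]:
            return False
        rec["last_step"] = matched_step
        return True


if __name__ == "__main__":
    server = AuthServer()
    server.enroll("alice", "4711", SAMPLE_SEED)
    t = int(time.time())
    code = token_code(SAMPLE_SEED, t)         # what alice reads off her token
    print("first use:", server.verify("alice", "4711", code, now=t))    # True
    print("replayed:", server.verify("alice", "4711", code, now=t))     # False
```

Two details matter beyond the arithmetic. A displayed code must be accepted only once, otherwise someone who watched it being typed has the same one-minute window the legitimate user had; and the server should tolerate a step of drift either way, since the token's clock and the server's will not agree exactly. Both factors are checked before a verdict is given, so a caller learns nothing about which one was wrong.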
Enterprise Authentication Architecture
While the network firewall will secure the network entry point,
additional resources on the network may also need protection.
These include computing resources such as computers, servers,
workstations and PCs since these are critical resources that
can contain sensitive information. Protection is also indicated
for network devices: communication servers, routers and hubs,
since these are the lifeblood of the network. Unauthorised
users can not only gain access, but they can reconfigure or
shutdown the network by accessing the administration facilities
on these devices. I propose an architecture for protection
for the entire network including all these resources based
upon three elements: an authentication server, a wide range
of authentication clients and a hand-held token. This architecture
allows for controlling access at the network, the system,
the application or the transaction level. Figure 4 shows an
authentication server on the Secure LAN. The WWW server, the
AG firewall and the individual user workstations can be configured
as authentication clients.
Third Party Support. For the systems and devices
on the network to operate as authentication clients, some
programming development effort is required to establish
this capability. The authentication client code can be enabled
on a range of UNIX and other systems through an application
programming interface (API). For network devices, normally
the manufacturer has to embed the authentication client
code in the firmware. Thus, the usefulness of this authentication
architecture is determined to a large extent by the breadth
and the quality of the relationships between the token manufacturer
and third party suppliers. To meet this challenge, a broad
range of relationships has been forged with the leading
vendors of firewalls, remote access servers, network devices,
network applications and network operating systems.
Conclusion
Network firewalls are an invaluable tool in the arsenal of
the security-conscious enterprise for Internet or Intranet
applications. Firewalls can be extended to create virtual
private networks. Firewall products continue to be enhanced
in response to known security threats and the requirements
of industry. Since firewalls in the standard configuration
provide only traditional single-factor authentication, the
enterprise must consider employing advanced user authentication.
The two-factor advanced authentication scheme can also be
applied to other network systems and devices to establish
an enterprise-wide authentication architecture.