Firewalls: Securing NT Networks from Internet Intruders

Trying to juggle the importance of Internet access with your network's security? Improve your business security with firewalls and a few rules for Internet users.

ITPro Today

Make sure you set up a basic firewall before you expose your business to the Internet

MOST BUSINESSES TODAY have learned that an Internet connection sharpens their competitive edge by giving them (and their customers) timely access to information. But connecting to the Internet spawns a new set of responsibilities for IS departments: They must deliver reliable Internet services to corporate users while ensuring that systems and information stay secure from outside threats--such as hackers--that an Internet connection exposes them to. An important tool for protecting a corporate network from Internet intrusions is a firewall--an intelligent device that controls traffic between two or more networks for security purposes.

Just as a firewall blocks the spread of a real fire, a network firewall is a hardware/software barrier between a corporate network and the Internet. The firewall gives you control over who can access the connection and how they can access it. A firewall usually consists of a UNIX or Windows NT computer running special firewall software, though other hardware platforms such as routers can also run firewall software. Although this software is usually associated with Internet connections, you can use firewalls to control traffic between parts of an intranet or between networks of different corporations.

Before you set up a firewall, you need a risk analysis to determine whether your organization is a candidate for a firewall, and you need to draft an Internet security policy. For information about these issues, see "Who Needs a Firewall?" page 120, and "Drafting an Internet Policy Document," page 125.

Firewall Features
Different organizations have different firewall needs. Based on those differing needs, firewall features fall into five major categories:

  • basic requirements

  • support for additional Internet services

  • advanced security and control

  • remote users and virtual private networking

  • enterprise-level functionality

The rest of this article explores the significant issues in each category and examines the features specific to NT firewalls. (For more information about NT firewall products, see "Windows NT-based Firewall Vendors," page 122. And for information about National Computer Security Association--NCSA--certification for firewall products, see "Can Your Firewall Take the Heat?" page 124.)

Basic Requirements
A basic firewall lets corporate-network users access common Internet services while preventing unauthorized outside users from accessing internal systems. A firewall needs to let a security administrator set up rules for the types of allowed and prohibited connections. In addition, a firewall needs to ensure that internal IP addresses remain invisible to the Internet and allow the IP address range that you use inside the firewall to be different from and larger than your company's registered Class A, B, or C IP address range. (For more information on NT and IP addressing, see Mark Minasi, "How to Set Up IP," February 1996; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; and "DHCP and Assigning IP Addresses," August.)

Firewalls also log network activity in detail, filter the log to produce meaningful reports, and alert a network administrator when the network has reached a predefined suspicious-activity threshold. Make sure your firewall software supports at least the following Internet services: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Gopher, Simple Mail Transfer Protocol (SMTP), and Telnet. Your firewall also needs a way to provide Domain Name System (DNS) name resolution (preferably by letting you run DNS on the firewall and on an internal system).

In addition, a basic firewall system needs to be easy to use. In particular, adding rules to firewall software needs to be easy and, more important, examining and understanding previously entered rules needs to be easy.

A firewall should have a graphical interface, especially if the firewall will be administered by a staff member who is used to NT. Finally, a firewall needs high-quality documentation that clearly explains how to configure each type of Internet service and explains address-related issues such as setting up DNS and configuring Web browsers.

Packet Filters and Proxy Systems
The two main methods for providing a basic firewall are packet filters and proxy systems. A packet filter is a device (usually a router with traffic-filtering capabilities) that controls traffic based on the IP source/destination addresses and the TCP source/destination port in the header information of each TCP/IP packet sent across a network (a port is a number that identifies the service the packet is using). For example, you can set up a traffic filter on a router that allows IP traffic only with a source or destination IP address that corresponds to the Dynamic Host Configuration Protocol (DHCP) scope you use for client workstations. You can add another filter that specifically disallows TCP port 139, the port number NetBIOS uses for connections over TCP/IP--the port number Windows clients use to log on to servers (remember that even NT Workstation clients can run the NT Server service). Finally, you can filter User Datagram Protocol (UDP) on ports 137 and 138, which NT uses to advertise computer names and related information. With these steps, you build a simple packet filter that goes some of the way toward preventing outsiders from directly connecting to an internal server, while allowing internal users to access Internet services.

This packet filter is far from perfect. For example, suppose a hacker tries to connect to TCP port 21 (FTP) on each machine in your DHCP scope. The hacker might find a machine in the scope running FTP server software and could then upload a file to that machine. He or she might upload an executable file with a name similar to a file the user has recently downloaded but that produces unexpected results when the user accidentally clicks on it. A better security approach is to disallow all TCP and UDP ports except those your users need (such as TCP port 80 for HTTP).
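To make the two filters concrete, here is an added example (not code from the article) that runs constructed sample packets through the first filter described above and through the tightened default-deny version. The client scope 192.168.10.0/24, the sample addresses, and the choice of HTTP as the only needed service are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a router packet filter inspects."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed DHCP scope for client workstations (assumption, not from the article).
CLIENT_SCOPE = ipaddress.ip_network("192.168.10.0/24")


def in_scope(ip):
    return ipaddress.ip_address(ip) in CLIENT_SCOPE


def filter_v1(pkt):
    """First filter from the text: a scope address is required and NetBIOS is blocked; all else passes."""
    if not (in_scope(pkt.src) or in_scope(pkt.dst)):
        return "deny"
    if pkt.proto == "tcp" and 139 in (pkt.sport, pkt.dport):
        return "deny"          # NetBIOS session service over TCP/IP
    if pkt.proto == "udp" and {pkt.sport, pkt.dport} & {137, 138}:
        return "deny"          # NetBIOS name and datagram services
    return "allow"             # anything else, including FTP to an internal machine


# Services the users actually need (assumption: only HTTP).
NEEDED_TCP_SERVICES = {80}


def filter_v2(pkt):
    """Tightened filter: deny everything except the needed services and their replies."""
    if pkt.proto != "tcp":
        return "deny"          # no UDP service is needed, so all UDP is dropped
    src_in, dst_in = in_scope(pkt.src), in_scope(pkt.dst)
    if src_in and not dst_in and pkt.dport in NEEDED_TCP_SERVICES:
        return "allow"         # outbound request from a client
    if dst_in and not src_in and pkt.sport in NEEDED_TCP_SERVICES and pkt.dport > 1024:
        return "allow"         # reply traffic; the source port is taken on trust (no state)
    return "deny"


# Constructed sample traffic (documentation addresses, no real hosts).
SAMPLES = {
    "browse_out": Packet("tcp", "192.168.10.5", 3000, "203.0.113.7", 80),
    "browse_reply": Packet("tcp", "203.0.113.7", 80, "192.168.10.5", 3000),
    "netbios_in": Packet("tcp", "198.51.100.9", 4000, "192.168.10.5", 139),
    "ftp_probe_in": Packet("tcp", "198.51.100.9", 4001, "192.168.10.5", 21),
    "name_broadcast": Packet("udp", "192.168.10.5", 137, "198.51.100.9", 137),
}


def compare(samples=SAMPLES):
    """Verdict (filter_v1, filter_v2) for every sample packet, keyed by sample name."""
    return {name: (filter_v1(p), filter_v2(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (v1, v2) in compare().items():
        print(f"{name:15} v1={v1:5} v2={v2}")
```

The FTP probe to an internal machine passes the first filter and is dropped by the second; the reply rule in filter_v2 still has to trust the remote source port, which is the weakness a stateless filter cannot close.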

Even when you create a filter that permits only essential traffic, packet-filtering devices alone usually don't provide adequate security. The reason for this inadequacy is that packet filters can't establish whether an IP source address is valid (a hacker can use a forged address) nor ensure that a TCP source port will be used only for the service commonly associated with that port. A hacker can run any client or server program on a source port running through your packet filter. However, packet filters are well suited to supplementing the protection that a firewall provides. For example, you can place routers with packet filters on one or both sides of a firewall to increase overall security and limit your organization's dependence on a single machine.

The proxy system shown in Figure 1 provides a more secure firewall than a packet filter alone. The proxy system (sometimes called an application-level gateway) consists of a host running both a proxy server program and a proxy client program (the proxy server and proxy client are also called a proxy service, or proxy). The firewall host usually has two network adapter cards: one that communicates between the firewall system and an internal network and another that communicates between the firewall and an external network such as the Internet (this setup is a dual-homed gateway). For more information on how a proxy works and Microsoft's proxy server, Internet Access Server, see Mark Edwards, "Microsoft's Internet Access Server," September 1996; "Configuring Internet Access Server," October; and "Exploring Internet Access Server Software," page 74.

A user connecting to the Internet first connects to the proxy server running on the firewall. Then, on behalf of the real client, the proxy client (also running on the firewall) establishes a session with the destination host. For example, to establish a Web connection, a Web browser connects to a proxy Web server running on the firewall machine. After verifying that this connection is allowed, the proxy Web server starts a proxy Web client, which then connects to the destination Web server. Most proxy system firewalls support transparent connection, which means the firewall is not apparent to an authorized user.

A proxy system is a secure solution because it protects an internal corporate network from the hazards of a direct IP connection. To Internet hackers, a site with a proxy system appears as only one computer and IP address establishing Internet connections; the firewall hides the rest of a site's Internet-connected systems and IP addresses.

Besides providing security, a proxy system conserves IP address space. Because the number of Internet-connected systems worldwide is huge and still growing, the number of IP addresses is limited. Each Internet-connected system must have a unique IP address (often an Internet Service Provider--ISP--assigns, clears, and registers the address and class range through InterNIC Registration Services. For more on registering with InterNIC, see Richard Reich, "Registering a Domain Name Is Easy," September 1996). With a proxy system, you need only one unique IP address--that of the proxy; you can use any addressing scheme you want for your internal systems. (If you don't use a proxy system firewall, you must make sure your firewall can map internal addresses to unique IP addresses.)

Proxy systems provide a simple, secure way to implement basic Internet services. So, many firewall products use this approach or combine proxy systems with other methods. If you have to connect a small organization to Internet email and the Web, a simple proxy-based firewall will probably meet your needs.

Additional Internet Services
Proxy systems are a secure, but basic, firewall solution. A disadvantage of the proxy approach is that you must use a separate proxy service for each Internet service you want to support. Many firewalls include proxies for the most common Internet services (HTTP, FTP, Gopher, SMTP, Telnet), but firewalls often do not provide proxies for less common services such as RealAudio, Internet Relay Chat (IRC), and even news protocols. Perhaps this lack of services is because the proxy firewall vendor has not yet developed the proxy or because the Internet service is not well suited to a proxy solution. Services based on connection-oriented TCP are usually better suited to a proxy solution than are connectionless UDP-based services, because the proxy approach is connection oriented: A proxy client establishes a connection with the real destination based on an already established connection between the real client and the proxy server.

Because of proxy system limitations, many firewall products provide ways to connect through an Internet gateway or to use an alternative approach. For example, the Eagle NT firewall by Raptor Systems not only provides predefined proxies for FTP, Gopher, HTTP, SMTP, and Telnet but also lets an administrator custom-define uni- or bidirectional service-passing proxies for supporting less common services.

CheckPoint's FireWall-1 uses a different architecture, stateful inspection. The company claims it supports 120 different applications, protocols, and services. Stateful inspection works like packet filtering but may provide better security because it examines application-level information within IP packets and keeps track of a connection's context. To explain the difference between packet filtering and stateful inspection, let me use TCP-based FTP as an example.

An FTP client opens a TCP connection to port 21 (the FTP command port) on the FTP server. The FTP client also picks a random TCP port (usually greater than 1024) for the data channel and tells the FTP server (via the command port) that the client will listen for data on that port. The FTP server then opens a TCP connection to that high TCP port on the client and transfers the data. To let this service pass with a simple packet filter, you need to allow a destination TCP port of 21 for connections originating from the client to the server and allow all destination TCP ports above 1024 for connections from the server to the client. You can tighten this design a little because the FTP service definitions also tell us that the client source port for the command phase is above 1024 and that the server sends data from port 20. However, if you want to let users download files from anywhere on the Internet, you still need to let a host on the Internet establish a session from its port 20 to any port above 1024 on your internal clients.

The problem is that you have no way of telling whether that connection is being used for FTP data transfer or some malicious purpose. This flaw exists because such packet filters provide no way of tracking the context of the connection. Checkpoint's FireWall-1, in contrast, does keep track of context or state. When FireWall-1 sees an attempt to connect to port 21 (assuming a rule in the FireWall-1 rule base permits FTP), the program examines the application information in the packet to confirm the packet is FTP. The program then allows packets from the destination FTP server (with a source port of 20) back to destination ports above 1024 on the client that originated the connection. In short, the program keeps track of which FTP data connections are associated with which FTP command connections and allows only those high TCP destination port connections that have a valid reason to be there.
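As an added example (not code from the article or from FireWall-1), the following Python models the difference: the stateless port-20 rule from the text beside a tracker that admits a data connection only when it belongs to a live command session. It goes slightly beyond the text by parsing the client's PORT command so that only the announced data port is opened; the internal network 192.168.10.0/24, the hosts and the ports are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Active-mode FTP announces the data port as "PORT h1,h2,h3,h4,p1,p2"; port = p1*256 + p2.
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # first packet of a new TCP connection
    payload: str = ""      # application data, if any


def stateless_rule(pkt, inside):
    """The packet-filter rule from the text: any host may open from port 20 to >1024 inside."""
    if ipaddress.ip_address(pkt.dst) in inside and pkt.sport == 20 and pkt.dport > 1024:
        return "allow"
    return "deny"


class FtpStateTracker:
    """Admits a server's data connection only when it matches a live command session."""

    def __init__(self, inside):
        self.inside = inside
        # (client ip, client port, server ip) -> data port announced by PORT, or None
        self.sessions = {}

    def _internal(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst)
        # 1. An internal client opens a command connection to port 21.
        if pkt.syn and pkt.dport == 21 and self._internal(pkt.src) and not self._internal(pkt.dst):
            self.sessions[key] = None
            return "allow"
        # 2. Commands on an established session; a PORT command must name the client itself.
        if key in self.sessions and pkt.dport == 21:
            m = PORT_CMD.match(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = m.groups()
                if f"{h1}.{h2}.{h3}.{h4}" != pkt.src:
                    del self.sessions[key]
                    return "deny"
                self.sessions[key] = int(p1) * 256 + int(p2)
            return "allow"
        # 3. The server answers on the command channel.
        if pkt.sport == 21 and (pkt.dst, pkt.dport, pkt.src) in self.sessions:
            return "allow"
        # 4. The server opens the data connection from port 20: only to the announced port.
        if pkt.syn and pkt.sport == 20:
            for (c_ip, _c_port, s_ip), data_port in self.sessions.items():
                if s_ip == pkt.src and c_ip == pkt.dst and data_port == pkt.dport:
                    return "allow"
        return "deny"


def run_scenario():
    """Constructed exchange: one genuine FTP session plus two unrelated port-20 attempts."""
    inside = ipaddress.ip_network("192.168.10.0/24")
    fw = FtpStateTracker(inside)
    client, server, other = "192.168.10.5", "203.0.113.7", "198.51.100.9"
    steps = {
        "cmd_open": Packet(client, 3001, server, 21, syn=True),
        "port_cmd": Packet(client, 3001, server, 21, payload="PORT 192,168,10,5,11,200\r\n"),
        "data_ok": Packet(server, 20, client, 3016, syn=True),
        "data_wrong_port": Packet(server, 20, client, 4000, syn=True),
        "data_other_host": Packet(other, 20, client, 3016, syn=True),
    }
    return {name: (stateless_rule(p, inside), fw.inspect(p)) for name, p in steps.items()}
```

The stateless rule admits all three port-20 connections; the tracker admits only the one that matches the session and the port the client announced.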

Products that let you configure custom services or use state-oriented architectures provide greater flexibility and security than products that provide only a limited number of predefined proxy services. Consider seriously the more flexible products if your users must access less common or more sophisticated Internet protocols or if your users are so numerous that you must allow for unforeseen requirements. If you have these needs, also look for firewall products that provide many predefined services.

Advanced Security and Control
Many firewalls provide security beyond source-, destination-, and service-based rules. For example, some firewalls allow rules based on time of day, day of week, and date ranges. Other firewalls provide features such as configuration verification and virus scanning. Some firewall products also monitor what processes are running on the firewall system and halt unknown processes.

Another type of advanced firewall security is user-oriented authentication--the ability to allow or deny certain connections based on a username and password combination or a more advanced scheme for identifying individual users. Some NT-based firewall products that support user-oriented authentication include Eagle NT, FireWall-1, Global Internet's Centri Firewall for Windows NT, and Microsoft's proxy server (Internet Access Server, code named Catapult).

Various authentication technologies are available. The simplest forms require entering a username and a reusable password. This method is suitable for controlling only outbound Internet access, because a hacker will guess and eavesdrop to get passwords and usernames.

For inbound access, one-time passwords that follow a scheme such as Bellcore's S/KEY provide more security. The S/KEY scheme calculates a six-word, one-time password based on a sequence number, a firewall-supplied seed word, and a user's secret password. Users enter a different password each time they connect.
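As an added illustration of the S/KEY hash-chain idea (not the article's or Bellcore's code), the following Python models the chain with MD5 folded to 64 bits, in the manner of the later RFC 2289 OTP specification, and leaves out the six-word encoding of the result. The seed, secret and count are constructed; the point is that the firewall stores one hash and never the secret, and that a captured password cannot be replayed.

```python
import hashlib


def fold_md5(data):
    """MD5 the input and fold the 128-bit digest to 64 bits by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def one_time_password(seed, secret, sequence):
    """Password number `sequence`: fold(hash(seed+secret)), then folded-hash `sequence` more times."""
    h = fold_md5((seed.lower() + secret).encode())   # seed is case-insensitive, as in RFC 2289
    for _ in range(sequence):
        h = fold_md5(h)
    return h


class OtpVerifier:
    """Firewall side: keeps the seed, the current sequence number and one hash, never the secret."""

    def __init__(self, seed, secret, count):
        self.seed = seed
        self.sequence = count
        self.expected = one_time_password(seed, secret, count)   # computed once, at enrolment

    def challenge(self):
        """What the firewall sends the user: the sequence number to use next, and the seed."""
        return self.sequence - 1, self.seed

    def verify(self, response):
        """Accept iff one more folded hash of the response equals the stored value, then step down."""
        if self.sequence <= 0:
            return False                 # chain exhausted: the user must re-enrol with a new seed
        if fold_md5(response) != self.expected:
            return False
        self.sequence -= 1
        self.expected = response         # the accepted password becomes the next reference value
        return True


def login_sequence(seed="fw12345", secret="correct horse staple", count=100):
    """Constructed run: two genuine logins, then a replay of the first password."""
    fw = OtpVerifier(seed, secret, count)
    results = []
    n, s = fw.challenge()
    first = one_time_password(s, secret, n)      # the user's calculator does this from the secret
    results.append(fw.verify(first))
    n, s = fw.challenge()
    results.append(fw.verify(one_time_password(s, secret, n)))
    results.append(fw.verify(first))             # replay of a password that was already used
    return results
```

Because the hash is one-way, knowing password n (or the stored hash n+1) gives an eavesdropper no way to compute password n-1, which is what the next challenge asks for.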

Better still, some firewalls provide integration with one or more credit card-sized, handheld token generators that automatically generate and display the next password the user will enter. Examples include Security Dynamics's SecurID, Digital Pathways's SecureNet Keys (SNKs), CRYPTOCard's CRYPTOCard RB-1, and Digipass S.A.'s Digipass. In addition, watch for firewall systems that support Cisco's TACACS+ or Livingston's RADIUS schemes (predominantly for authenticating users dialing into access servers via the public telephone network). Such support will soon be available for NT--both Checkpoint and Raptor promise support in their respective next releases later this year.

Many organizations also want to control employee access to nonbusiness-related Internet sites. Limiting such outbound access is called content filtering. NT-based firewall products currently let you filter content by manually maintaining lists of allowed and prohibited universal resource locators (URLs). This is a tedious process, but advanced content-filtering capabilities will appear in the next releases of products. The first vendor to provide such capabilities will probably be Raptor, which promises CyberPatrol support in its Release 4.0, due this month. Implementing content filtering without using the firewall is also possible. Indeed, because this is a productivity and legal issue rather than a security issue, you can choose to keep the firewall simple and perform the content filtering elsewhere. One alternative is to use specialized content filtering servers, which sit between the users and the firewall (or between the firewall and the Internet) and use a database of URLs supplied by a third-party vendor that classifies sites for you. You can then allow or disallow classes of sites, such as adult, gambling, sports, and leisure, based on criteria such as time of day. Another alternative is to rely on content providers to use RSACi (the Recreational Software Advisory Council's Internet content rating system) to rate their sites. An RSACi-enabled browser (currently, that means Internet Explorer--IE--3.0) lets you set up the browser to allow access only to rated sites that meet your criteria.

Remote Users and Virtual Private Networking
If your company's mobile users or telecommuters must connect to your corporate systems via the Internet, or if you want to establish Internet links with business partners, suppliers, or customers, you must use encryption between the remote locations and your firewall. This use of encryption to enable private communications across the Internet is a Virtual Private Network (VPN). Unfortunately, no NT firewall product supports emerging VPN encryption standards. Instead, vendors use proprietary encryption techniques. So all members of your VPN must use products from the same vendor.

Encryption standards are especially important for Internet connections among trusted business partners (e.g., to support EDI applications). With such standards in place, partners need not have the same firewall to exchange information.

The Internet Engineering Task Force (IETF) has already defined the main set of VPN encryption standards, the IP Security (ipsec) standards. They include the Encapsulation Security Payload (ESP) protocol--RFC 1827--for encryption and the authentication header (AH) protocol--RFC 1826--for authenticating TCP/IP packets. Encryption vendor RSA Data Security has introduced S/WAN, an alternative to ipsec. S/WAN uses the proprietary RC5 encryption protocol. The IETF continues to evaluate standards for a key-management protocol, the method by which encryption keys are automatically passed between computers. (For more on encryption and key management, see Lawrence Hughes, "Secure Enterprise Email," May 1996; "Digital Envelopes and Signatures," September; and "Exchange Email," October.)

If you plan to connect to other organizations across the Internet in the next year or two, find out whether the firewall vendors you're considering have participated in VPN standards interoperability testing and whether they plan to introduce ipsec support (including Internet Security Association and Key Management Protocol--ISAKMP--/OAKLEY key management, which, because of strong support from Cisco Systems and other vendors, is likely to be the key management standard the IETF will choose). Both FireWall-1 and Raptor claim that the next release of their NT firewall products will include ipsec support.

If you want to establish a VPN that includes only your company's sites, you can use proprietary VPN technologies to implement a secure working solution right now. Similarly, if you want to let remote users connect via dial-in Point-to-Point Protocol (PPP), many vendors can provide a solution that uses software on a remote PC to provide an encrypted path back to the firewall. Another common approach is to provide encryption between a remote system and a server inside the firewall. However, this approach requires establishing a path through the firewall, which can open a security hole.

Enterprise-Level Functionality
Large organizations usually require an enterprise-capable firewall that includes multiple firewalls and multiple interfaces on those firewalls. An enterprise-capable firewall lets a network administrator centrally manage remote firewalls over an encrypted path and as one entity, with a central point for logging network information. Many firewall products achieve this configuration by separating the management interface program from the rule-processing engine. Some firewall vendors, including CheckPoint and Raptor, also let you download packet filters to routers such as those from Bay Networks and Cisco Systems. An enterprise-capable firewall also needs to provide realtime notification of suspicious activity via email and pager and needs to generate Simple Network Management Protocol (SNMP) traps that you can integrate with the enterprise network management system. (SNMP is a standard protocol that network management systems use to collect information from network devices.)

NT-Specific Features
If you plan to run your firewall on NT, answers to a few additional questions will determine your firewall product needs. For instance, during the product's installation, does it automatically configure NT to maximize security (e.g., does the firewall disable IP forwarding, nonessential services such as the Server service, and the Guest account)? Is the product tightly coupled with native NT features such as User Manager for Domains, Event Viewer, and Perfmon? Will the product run on the Digital Equipment Alpha version of NT? Will it run on NT 4.0? Is the product integrated with Microsoft's DNS Server, or does it require a different DNS server? (This question is more important if you intend to use NT 4.0, which includes Microsoft's DNS Server.)

Start with the Basics
When evaluating your organization's firewall requirements, start with the basics and add more complexity as needed. A basic firewall that consists of a proxy system and packet-filtering device and supports common Internet services can be enough for a small organization. Large organizations and those with sophisticated users can require multiple firewalls that support more Internet services. Stay tuned for an upcoming article that will review several NT-based firewall products in tests in a real-world, corporate NT environment.

Windows NT-based Firewall Vendors

RELEASED PRODUCTS

  • iWay-One, BateTech Software * 303-763-8333, Email: [email protected], Web: www.batetech.com

  • Borderware Firewall Server, BorderWare * 416-368-7157, Email: [email protected], Web: www.border.com

  • FireWall-1, CheckPoint Software Technologies * 415-562-0400 or 800-429-4391, Email: [email protected], Web: www.checkpoint.com

  • KyberPass, Devon Software * 613-5670-2281 or 800-845-1140, Web: www.devon.com

  • Centri NT Firewall for Windows NT, Global Internet * 800-682-5550, Email: [email protected], Web: www.gi.net

  • GUARDIAN, NetGuard * 214-738-6900, Email: [email protected], Web: www.netguard.com

  • Eagle NT, Raptor Systems * 617-487-7700 or 800-932-4536, Email: [email protected], Web: www.raptor.com

IN BETA RELEASE

  • AltaVista Firewall for Windows NT 3.51, Digital Equipment Corporation * 800-344-4825, Web: www.digital.com

  • Catapult (Internet Access Server), Microsoft * 206-882-8080, Web: www.microsoft.com

  • Firewall/Plus, Network-1 * 212-293-3068 or 800-638-9751, Email: [email protected], Web: www.network-1.com

  • Gauntlet, Trusted Information Systems * 301-527-9500 or 888-347-3925, Email: [email protected], Web: www.tis.com
