Network Firewall Technologies
This paper provides an overview of network firewalls and the authentication methods that they support. The reasons why a firewall is needed are given, together with the advantages and disadvantages of using one. The components that make up a firewall are introduced, along with the authentication methods that firewalls can use. Finally, typical firewall configurations are described, with the advantages and disadvantages of each.

1. Security Threats from connecting to the Internet

Most organisations today have an internal network that interconnects their computer systems. There is usually a high degree of trust between the systems on that network, particularly if the network is private. Many organisations now see the benefits of connecting to the Internet, but the Internet is inherently an insecure network. Some of the threats inherent in the Internet include:

Weak or no authentication. Several services, e.g. rlogin, require no password when a user logs in. Others provide information with little or no authentication, e.g. anonymous FTP and the WWW. Others trust the caller at the other end to identify itself correctly: TCP and UDP trust the source IP address of the remote station. Others grant access at too coarse a granularity, e.g. NFS grants access to anyone on a permitted remote host. Finally, many services require passwords to be transmitted in the clear across the network, which makes them vulnerable to capture and replay.

Insecure software. Internet software, particularly shareware and free or low-cost packages, often has bugs or design flaws, usually the result of poor design or insufficient testing. Because of its ready availability and low cost, many people still use such packages.
Examples include the UNIX sendmail program, which has had numerous vulnerabilities reported in it, and a freeware FTP product that contained a Trojan horse giving privileged access to the server. Unscrupulous people are always ready to exploit such weaknesses.

Sniffer programs. In 1994 CERT reported that thousands of systems on the Internet had been compromised by hackers and had sniffer programs installed on them. A sniffer monitors network traffic for usernames and passwords and makes them available to the hacker.

Cracker programs. These programs, widely available on the Internet, run in the background on a machine, one-way encrypting (hashing) thousands of candidate words with the same function the system uses to store passwords and comparing the results with the hashed passwords stored on the machine. These so-called dictionary attacks (the candidate words are held in a dictionary) are often very successful, yielding up to a third of the passwords on a machine.

Port scanners. These programs, again freely available on the Internet, send messages to all the TCP and UDP ports on a remote computer to see whether any of them are open and waiting for a connection. Once an open port has been located, the hacker tries to get into the computer through the service behind it.

Ease of masquerade (spoofing). The above make it relatively easy for a hacker to exploit the trust inherent in the Internet, or to capture passwords and replay them. Other weaknesses include: SMTP transfers mail as plain ASCII commands, so a hacker can TELNET to an SMTP port and simply type in a bogus email message; and the IP source-routing option lets a caller send packets with a falsified source address while supplying the recipient with a return path that leads directly back to the caller.

So how can an organisation securely connect to the Internet? One solution is to use one or more network firewalls.

2. What is a Firewall?

A firewall is a secure Internet gateway that is used to interconnect a private network to the Internet (see Figure 1).
Figure 1: the firewall sits between the organisation's network (trusted) and the Internet (untrusted).

There are a number of components that make up a firewall:

i) The Internet access security policy of the organisation. This states, at a high level, what degree of security the organisation expects when connecting to the Internet. The security policy is independent of technology and techniques, and should have a lifetime independent of the equipment used. An example of
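The port-scanner threat from section 1, as an added example that is not code from the paper: a TCP connect scan of the kind the text describes, run offline against the loopback interface. The listener thread, the 127.0.0.1 target and the port window scanned are constructed for the example. Only TCP is covered: an open UDP port normally sends no reply, so UDP scanners infer "open" from the absence of an ICMP port-unreachable message, which makes them slow and unreliable by comparison.

```python
"""TCP connect scan demonstrated on loopback (added example, not from the paper)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP connect() to host:port succeeds, i.e. a service is listening.

    A refused connection (RST) or a timeout (filtered, e.g. dropped by a
    firewall) both count as 'not open'; a real scanner reports them separately.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # ConnectionRefusedError, TimeoutError, EHOSTUNREACH, ...
            return False


def scan_tcp(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list:
    """Probe each port concurrently; return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(host: str = "127.0.0.1"):
    """Constructed target: a listener on an OS-chosen port, accepting in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Start the constructed listener, scan a window of ports around it, return (port, found)."""
    srv, open_port = start_listener()
    try:
        # Constructed window: the listener plus a few neighbours that are
        # almost certainly closed; other local services may show up too.
        window = range(max(1, open_port - 5), open_port + 6)
        found = scan_tcp("127.0.0.1", window)
    finally:
        srv.close()
    return open_port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports found in window: {found}")
```

The scanner deliberately completes the three-way handshake, which is what a connect scan does and what makes it visible in the target's logs; SYN (half-open) scans need raw sockets and are outside this example.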
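The cracker-program threat from section 1, as an added example that is not code from the paper: an offline dictionary attack over a constructed password file, including the word-mangling rules crackers apply. The hash field format `$sha256$<salt>$<hex>`, the user names, their passwords, the salts and the word list are all constructed for this example; real crypt(3) schemes use salted, iterated functions that are slower per guess, but the attack proceeds the same way.

```python
"""Offline dictionary attack on a constructed password file (added example, not from the paper)."""
import hashlib
from collections import defaultdict


def hash_password(salt: str, password: str) -> str:
    # Constructed scheme for the example: one SHA-256 over salt || password.
    # It stands in for crypt(3); the salt makes precomputed tables useless,
    # but each salt still only costs the attacker one extra hash per word.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_entry(user: str, password: str, salt: str) -> str:
    """Build one line in the constructed format user:$sha256$<salt>$<hex>."""
    return f"{user}:$sha256${salt}${hash_password(salt, password)}"


def parse_entry(line: str):
    user, field = line.strip().split(":", 1)
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "sha256":
        raise ValueError(f"unsupported hash field for {user}: {field}")
    return user, parts[2], parts[3]


def mangle(word: str):
    """Common rules applied to each dictionary word before hashing."""
    seen = set()
    for cand in (word, word.capitalize(), word + "1",
                 word.capitalize() + "1", word + "!", word[::-1]):
        if cand not in seen:
            seen.add(cand)
            yield cand


def dictionary_attack(shadow_lines, wordlist) -> dict:
    """Return {user: recovered_password} for every entry a candidate matches."""
    # Group by salt so each candidate is hashed once per distinct salt,
    # not once per user.
    by_salt = defaultdict(lambda: defaultdict(list))  # salt -> digest -> [users]
    for line in shadow_lines:
        if line.strip():
            user, salt, digest = parse_entry(line)
            by_salt[salt][digest].append(user)

    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            for salt, digests in by_salt.items():
                for user in digests.get(hash_password(salt, cand), ()):
                    cracked.setdefault(user, cand)
    return cracked


# Constructed word list and password file for the example.
WORDLIST = ["123456", "password", "secret", "letmein", "qwerty"]
SHADOW = [
    make_entry("alice", "password", "k3"),   # plain dictionary word
    make_entry("bob", "Secret1", "q8"),      # dictionary word, capitalised + digit
    make_entry("carol", "x7!Qz@9m", "m2"),   # not derivable from the list
    make_entry("dave", "password", "p9"),    # same password as alice, different salt
]


def run_demo() -> dict:
    return dictionary_attack(SHADOW, WORDLIST)


if __name__ == "__main__":
    for user, pw in run_demo().items():
        print(f"{user}: {pw}")
```

Three of the four constructed accounts fall to a five-word list with six mangling rules; carol survives only because her password is not a transformation of any dictionary word, which is the property a password policy needs to enforce regardless of how good the hash is.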