Intranet vs. Internet: Firewalls
Presented at MacWorld/Expo San Francisco '99, as part of the MacWorld/Pro conference.
- Once upon a Time
- AOL didn't identify itself as the Internet.
- Servers were used for private networks.
- WANs were rare, expensive, and highly restricted.
- Security was simpler -- physical security blocked most attackers completely.
- A locked door is 95% protection in such a situation.
- Now
- Many things are decentralized.
- Internet makes access from outside the server room available and increases demand for access to services / servers.
- A library or coffee shop is now a valid access point for computer resources. This provides increased flexibility for users, and additional workload for administrators.
- Firewalls can restore much of the security lost when connecting to the Internet, through restrictions placed on people not 'on the premises'....
- Intranets
- Generally speaking, an Intranet is a LAN with a firewall-controlled Internet connection which places severe restrictions on external->internal connections and minor restrictions on internal->external connections.
- There are lots of valid definitions in circulation, and other ways to create an Intranet.
- You may not need a real Intranet at all, if your confidence in passwords is strong enough relative to your exposure (often the case if money isn't involved).
- Using VPN (encrypted IP) technology, you can get strong security without basing it around physical access to a LAN. This may work with or instead of a firewall-based solution, and is very interesting, but beyond the scope of this discussion.
- Your web server may also be able to restrict access to certain areas of your site to local users, by recognizing local IP addresses. If your web server is flexible, you may be able to give your users passwords which allow them to use the same restricted areas by supplying a password.
- TCP, UDP, and Ports
- Internet traffic uses 'port numbers' to identify the sending and receiving services.
- The higher-level protocols run on top of two more fundamental protocols: TCP (Transmission Control Protocol) and UDP (Universal Datagram Protocol).
- Each of these protocols uses port numbers from 0 to 65,535; some services use UDP (such as SNMP), some use both (like DNS and ping), and most use TCP (HTTP and FTP, among others).
- TCP and UDP are effectively equivalent for our purposes today -- each has its own set of 65k ports.
- To talk to a service, you connect to the appropriate port, and the receiving computer knows which service to pass the traffic on to (this works somewhat like preceding every sentence with a person's first name in a crowded room).
- If you connect to a computer on (TCP) port 80, you get a connection to its web server (if one is running); port 443 opens a connection encrypted with SSL (Secure Sockets Layer).
- If you connect to port 25, you're talking to the SMTP server, which will accept E*Mail messages for delivery to local users or other servers.
- DNS servers answer on port 53, and FTP servers answer on port 21 for initial connections (actually FTP is a bit more complicated, described later).
- Once you've enumerated the services (and their ports) you want to offer, and what machines offer them, you're ready to start considering rules for your firewall.
- Compatible Systems includes a useful list of port numbers under 'port' on this page about firewall configuration http://flash.compatible.com/ini-html/ini_ip_filter.html.
- Well-established TCP/IP protocols generally use ports below 1024 -- those above 1024 are mostly left unspecified for client computers to use.
- Firewalls
- Firewalls can be a valuable barrier to interpose between yourself and this mass of anonymous and unpoliced humanity.
- Principles
- Firewalls work by preventing certain 'dangerous' activities -- realize ahead of time that you are likely to block legitimate activities in order to prevent malicious activities.
- Since each organization has different servers and services, a generic firewall configuration would be useless -- you must be prepared to carefully consider what services you offer and who should have access, and build this knowledge into your firewall.
- Firewalls work by making a distinction between here (generally called the 'Intranet') and there (the Internet) -- or us and them, and selectively restricting traffic between the two.
- A firewall configuration is basically a list of IP address blocks, and the services (really ports, as I'll explain shortly) that those IP addresses are allowed to access. This will become clearer when we talk about ports, which identify services on the Internet.
- Protection from outsiders
- Think of a firewall as a military checkpoint -- people with legitimate business are allowed past, but anyone without authorization is turned away.
- Many types of crashing-server-type network attacks are documented and recognizable within a few weeks after their first appearance, and can be blocked completely by properly-configured firewalls. For details, check out Bugtraq: http://www.netspace.org/netspace/lsv-subscribe.html
- Generally speaking, firewalls have a short list of things Internet users are allowed to do to Intranet computers.
- A firewall limits the number of ways an Internet user can access Intranet services, bringing the combinations down from effectively infinite to a handful, which you can then focus on securing and monitoring.
- Control over insiders
- Firewalls can also log suspicious and normal activities across your Internet link, and block certain activities (most often connections to certain websites) -- for an example, see http://www.dilbert.com/comics/dilbert/financial/tphbx.html.
- Financial institutions often block outgoing FTP (File Transfer Protocol) transfers, in an effort to keep proprietary data private.
- Specific Suggestions
- Basic suggestions
- Use any standard packet-forgery and bad-packet filters your firewall offers (I'm thinking specifically of source-routed packets -- those which come from the Internet but falsely identify themselves as originating on the inside of your firewall). Firewalls are the logical place to catch such forged or broken packets.
- Think carefully about what should be outside your firewall, and what should be inside -- in many cases, it makes sense to put public webservers outside, since their primary purpose is to serve people on the Internet. Depending on your Internet connection and Internet provider, this may also make your webserver faster for Internet visitors (and access from your office correspondingly slower). Talk to Clearway http://www.clearway.com/ if you're interested in discussing this.
- Consider putting your FTP site outside the firewall -- possibly on your Internet provider's machine. Web and FTP servers are prime targets.
- Consider having a separate external DNS server, with a minimum set of hosts defined. In this case, you can prevent DNS requests to any of your other DNS servers completely. It is also fairly simple to configure internal DNS servers to block access to certain websites (thanks to Compatible for this tip, and ask me directly if you're interested).
- If you have trusted users at another site (such as an office which connects to you via the Internet), consider relaxing firewall-based restrictions for them. Generally, you'll want such people to have the same access as people on the inside of the firewall. This is sometimes called an extranet; extranets work this way.
- Log rejected packets. Reading such logs may let you identify people who are attacking your network, before they succeed. If you find such attackers, you might block all traffic from their IP block, complain to their Internet provider (which you can generally find through ARIN, the American Registry of Internet Numbers http://www.arin.net/whois/arinwhois.html), or possibly take legal action.
- Protection from outsiders
- You generally want outsiders to be able to connect to port 25 on your mail server, ports 80 and 443 on your web server, port 21 on your FTP server, and port 53 on your DNS server; this covers the major legitimate uses of computer resources by outsiders, and is a manageable set.
- Block any inbound traffic that isn't specifically allowed.
- A special consideration: FTP
- Normal FTP (file transfer protocol) works by having the client open a connection to a server and then use the PORT command, which causes the server to open a new connection back to the client machine and transfer files over it.
- This is a security issue because a user outside the firewall might ask an FTP server behind the firewall to transfer files to/from other internal servers, and the firewall wouldn't be in the way to prevent this.
- Also, this procedure requires any FTP server on the Internet to be able to connect to ports on any client on the Intranet, which is what firewalls generally prevent.
- Passive mode FTP (which web browsers generally use, and many firewall configurations require) asks the server to open an additional port above 1024, which the client then connects to for the actual file transfer.
- PASV is easier on firewalls, as internal users are often allowed to connect to any high port on external servers so they can use new services, and PASV looks like this.
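The PORT and PASV exchange described above, as an added example that is not part of the original talk: it decodes the h1,h2,h3,h4,p1,p2 field that both the PORT command and the 227 reply carry, works out which side has to open the data connection, and applies the talk's policy (inside hosts may connect out to high ports, nobody outside may connect in). It also checks that a PORT command names the client that sent it, the mismatch behind the third-party transfer problem mentioned above. All addresses and lines are constructed samples, and `INTERNAL_NET`, `classify` and the other names are this example's own.

```python
import re
from ipaddress import IPv4Address, ip_network

# Constructed sample control-channel lines; not captured from any real FTP session.
SAMPLE_PORT_COMMAND = "PORT 192,0,2,7,4,210"                          # client 192.0.2.7 offers port 4*256+210 = 1234
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,9,195,80)"  # server offers port 195*256+80 = 50000
SAMPLE_BOUNCE_PORT = "PORT 192,0,2,25,0,25"                           # client names a *different* internal host

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed Intranet block (RFC 5737 documentation range)

_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 form that both the PORT command and the
    227 reply use (RFC 959): four address octets, then the port as p1*256+p2."""
    m = _HOST_PORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    host = IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return host, port


def data_connection(line, client_ip, server_ip):
    """Describe the data connection a PORT command or 227 reply implies as
    (mode, initiator, target_host, target_port)."""
    if line.upper().startswith("PORT "):
        host, port = decode_host_port(line)
        return "active", IPv4Address(server_ip), host, port    # server connects back to the client
    if line.startswith("227 "):
        host, port = decode_host_port(line)
        return "passive", IPv4Address(client_ip), host, port   # client connects out to the server
    raise ValueError("expected a PORT command or a 227 reply, got %r" % line)


def firewall_permits(mode, initiator, target_host, target_port, internal_net=INTERNAL_NET):
    """The policy from the talk: inside hosts may open connections to any high
    port on outside hosts; nothing outside may open a connection to an inside host."""
    if initiator in internal_net and target_host not in internal_net:
        return target_port > 1024
    return False


def port_names_control_client(line, client_ip):
    """Check that a PORT command names the host that sent it. A client naming
    some other address is asking the server to open a data connection to a
    third party, which is why servers and firewalls should reject the mismatch."""
    host, _ = decode_host_port(line)
    return host == IPv4Address(client_ip)


def classify(line, client_ip="192.0.2.7", server_ip="198.51.100.9"):
    """Convenience wrapper returning (mode, permitted by the firewall policy)."""
    mode, initiator, host, port = data_connection(line, client_ip, server_ip)
    return mode, firewall_permits(mode, initiator, host, port)


if __name__ == "__main__":
    for line in (SAMPLE_PORT_COMMAND, SAMPLE_PASV_REPLY):
        print(line, "->", classify(line))
    print("PORT names its own client:", port_names_control_client(SAMPLE_BOUNCE_PORT, "192.0.2.7"))
```

Run stand-alone, the active-mode PORT line is classified as not permitted (the server outside would have to open a connection to the client inside), the passive 227 reply is permitted (the client inside opens the connection to a high port outside), and the bounce PORT line fails the client check.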
- Control over insiders
- In most situations, you'll want to allow clients to connect to most or all external servers and ports. Also, you'll probably want to permit external hosts to reply to requests from your Intranet (fortunately, TCP packets include an establishing flag that makes this possible).
- Many businesses log visited sites by internal requesting IP address (local user). Obviously, this is a major privacy issue, but management may want to know if the newest employee's computer downloads 300 pages from www.playboy.com in a typical week, or may be more interested in what pages employees visit on competitors' sites (job listings, for example).
- As mentioned previously, many financial institutions are very concerned about what information leaves the company -- they configure their firewalls to block or log outgoing FTP transfers, in an attempt to guard proprietary data.
- If you log sent mail, don't allow anything but the official mail servers to connect to port 25 on the outside, which will force people to go through your mail servers. To accomplish the same thing for received mail, block port 110 for POP and 143 for IMAP.
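The inbound allow-list from "Protection from outsiders" and the outbound mail restrictions just above, combined into one first-match ruleset as an added example (not code from the talk or from any vendor's firewall). It models the stateless approach the talk describes: inbound replies are recognised by TCP flags rather than a connection table, and rejected packets are logged. The addresses, the `Packet` and `Rule` classes, and the sample traffic are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges); not a real site's configuration.
INTRANET = ip_network("192.0.2.0/24")
MAIL_SERVER, WEB_SERVER, FTP_SERVER, DNS_SERVER = "192.0.2.25", "192.0.2.80", "192.0.2.21", "192.0.2.53"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False   # TCP flags; SYN without ACK is the packet that opens a connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in" = Internet -> Intranet, "out" = Intranet -> Internet
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None     # None matches every port
    established_only: bool = False  # match only TCP packets that are not an opening SYN

    def matches(self, pkt, direction):
        if self.direction != direction or (self.proto != "any" and self.proto != pkt.proto):
            return False
        if (self.src != "any" and self.src != pkt.src) or (self.dst != "any" and self.dst != pkt.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        # an opening SYN (SYN set, ACK clear) is never part of an established connection
        return not (self.established_only and (pkt.proto != "tcp" or (pkt.syn and not pkt.ack)))


# First match wins, so each direction ends with its catch-all.
RULES = [
    # Inbound: the short list of things outsiders may do, then block the rest.
    Rule("allow", "in", "tcp", dst=MAIL_SERVER, dport=25),
    Rule("allow", "in", "tcp", dst=WEB_SERVER, dport=80),
    Rule("allow", "in", "tcp", dst=WEB_SERVER, dport=443),
    Rule("allow", "in", "tcp", dst=FTP_SERVER, dport=21),
    Rule("allow", "in", "udp", dst=DNS_SERVER, dport=53),
    Rule("allow", "in", "tcp", dst=DNS_SERVER, dport=53),
    # Replies to connections opened from inside, recognised by flags alone (stateless).
    # A stateful firewall checks a connection table instead; UDP has no flags, so
    # replies to inside DNS lookups would need their own handling (omitted here).
    Rule("allow", "in", "tcp", established_only=True),
    Rule("deny", "in"),
    # Outbound: only the official mail server talks SMTP, nobody fetches mail directly
    # with POP or IMAP, everything else goes out.
    Rule("allow", "out", "tcp", src=MAIL_SERVER, dport=25),
    Rule("deny", "out", "tcp", dport=25),
    Rule("deny", "out", "tcp", dport=110),
    Rule("deny", "out", "tcp", dport=143),
    Rule("allow", "out"),
]


def direction_of(pkt):
    src_inside, dst_inside = ip_address(pkt.src) in INTRANET, ip_address(pkt.dst) in INTRANET
    if src_inside and not dst_inside:
        return "out"
    if dst_inside and not src_inside:
        return "in"
    raise ValueError("packet does not cross the firewall: %s -> %s" % (pkt.src, pkt.dst))


def decide(pkt, rules=RULES, log=None):
    """Return "allow" or "deny"; rejected packets are appended to log, as the talk recommends."""
    direction = direction_of(pkt)
    for rule in rules:
        if rule.matches(pkt, direction):
            if rule.action == "deny" and log is not None:
                log.append("REJECT %s %s %s -> %s:%d" % (direction, pkt.proto, pkt.src, pkt.dst, pkt.dport))
            return rule.action
    raise RuntimeError("ruleset has no catch-all for direction %r" % direction)


# Constructed sample traffic.
SAMPLES = {
    "outsider to web server":      Packet("tcp", "198.51.100.9", WEB_SERVER, 443, syn=True),
    "outsider to dns (udp)":       Packet("udp", "198.51.100.9", DNS_SERVER, 53),
    "outsider to a desktop":       Packet("tcp", "198.51.100.9", "192.0.2.40", 139, syn=True),
    "reply to an inside browser":  Packet("tcp", "198.51.100.9", "192.0.2.40", 51234, syn=True, ack=True),
    "desktop sends smtp directly": Packet("tcp", "192.0.2.40", "198.51.100.9", 25, syn=True),
    "mail server sends smtp":      Packet("tcp", MAIL_SERVER, "198.51.100.9", 25, syn=True),
    "desktop browses the web":     Packet("tcp", "192.0.2.40", "198.51.100.9", 80, syn=True),
}


def run_samples():
    """Evaluate every sample packet; returns ({name: verdict}, reject log)."""
    log = []
    return {name: decide(pkt, log=log) for name, pkt in SAMPLES.items()}, log


if __name__ == "__main__":
    verdicts, log = run_samples()
    print("\n".join("%-28s %s" % item for item in verdicts.items()), "\n".join(log), sep="\n")
```

The flag-based "established" rule is exactly the weak spot of stateless filtering: any inbound TCP packet with ACK set matches it, whoever sent it, so the rule is only as good as the hosts behind it. That is the main reason later firewalls track connections rather than trusting flags.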
- Network Address Translation (NAT)
- Network Address Translation for outbound packets rewrites outbound packets to look like they're coming from the firewall itself -- to prevent outsiders from learning about the IP addresses of internal hosts -- and reverses the conversion when responses come back, rewriting the packets and putting them back on the internal network, redirected at the right hosts. NAT is described at http://www.cisco.com/warp/public/732/nat/.
- NAT for *inbound* packets is most useful for people with a single-IP (cheaper) Internet connection, who want to use multiple servers (web, mail, etc.). Effectively, all users talk to the firewall, which is able to use port numbers to redirect traffic to the appropriate server on the local network.
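Both directions of translation just described, as an added example that is not code from the talk or from any router vendor: outbound packets are rewritten to come from the firewall's single public address and recorded in a table, inbound packets are either reversed through that table (replies) or redirected by destination port to the right internal server (the single-IP, multiple-server case). The addresses are constructed, and the `Nat` class and `demo` function are this example's own.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges); not a real deployment.
INTRANET = ip_network("192.0.2.0/24")
FIREWALL_PUBLIC_IP = "203.0.113.1"
# Inbound NAT: one public address, split up by destination port.
PORT_FORWARDS = {80: ("192.0.2.80", 80), 443: ("192.0.2.80", 443), 25: ("192.0.2.25", 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Port-based NAT for one public address. Outbound packets are rewritten to
    come from the firewall; inbound packets are matched against the outbound
    table (replies) or the forwards (servers), otherwise dropped."""

    def __init__(self, public_ip=FIREWALL_PUBLIC_IP, forwards=PORT_FORWARDS, first_port=40000):
        self.public_ip = public_ip
        self.forwards = dict(forwards)
        self.next_port = first_port     # dynamic ports sit well above any forwarded service port
        self.by_public_port = {}        # public sport -> (internal ip, internal sport)
        self.by_internal = {}           # (internal ip, internal sport) -> public sport

    def outbound(self, pkt):
        """Internal -> Internet: replace the internal source with the firewall's address.
        Each (internal ip, port) pair keeps the same public port for the life of the entry."""
        if ip_address(pkt.src) not in INTRANET:
            raise ValueError("outbound packet must originate inside: %s" % pkt.src)
        key = (pkt.src, pkt.sport)
        if key not in self.by_internal:
            public_port = self.next_port
            self.next_port += 1
            self.by_internal[key] = public_port
            self.by_public_port[public_port] = key
        return replace(pkt, src=self.public_ip, sport=self.by_internal[key])

    def inbound(self, pkt):
        """Internet -> firewall: reverse the translation for a reply, redirect a
        forwarded service port to its server, or return None (dropped).
        Outsiders only ever see the firewall's address on the wire."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.by_public_port:
            ip, port = self.by_public_port[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.dport in self.forwards:
            ip, port = self.forwards[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return None


def demo():
    """One outbound request, its reply, one forwarded inbound request, and one stray packet."""
    nat = Nat()
    request = nat.outbound(Packet("192.0.2.40", 51234, "198.51.100.9", 80))
    reply = nat.inbound(Packet("198.51.100.9", 80, request.src, request.sport))
    web_hit = nat.inbound(Packet("198.51.100.9", 44000, FIREWALL_PUBLIC_IP, 80))
    stray = nat.inbound(Packet("198.51.100.9", 44001, FIREWALL_PUBLIC_IP, 22))
    return request, reply, web_hit, stray


if __name__ == "__main__":
    for label, pkt in zip(("request", "reply", "web hit", "stray"), demo()):
        print("%-8s %s" % (label, pkt))
```

One caveat the simplification makes visible: the reply lookup keys only on the public port, so any outside host that sends to an active mapping reaches the internal host behind it, and entries never expire. A production NAT also records the remote address and port of each mapping and times idle entries out, which is part of why NAT alone is not a substitute for the filtering rules.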
Part II
- Hackers
- Tabloids (which cover most news reportage for purposes of this discussion) are happy to tell you that the Internet contains about a thousand real business users and trillions of sociopathic teen hackers.
- This is of course absurd (but still widely reported), but there is a germ of truth.
- There are lots of hackers on the Internet (think about it -- free or flat-rate connectivity to lots of machines, with no centralized admins and lots of documented weaknesses is hacker hog heaven).
- Motivations may include: challenge, money, ego, destructiveness.
- Remember -- while an employee might be able to physically shut down your server, this is fairly obvious; also, they generally have a stake in your success. You don't have this commonality with most Internet users, and even if you can figure out who attacked your servers, you can't fire 'em.
- Passwords
- After presence (physical) security, the next best option is strong passwords.
- Any admin password should be at least 6 characters and very strong!
- General user passwords should also be strong, but this is less important.
- Admins should keep a list of accounts and change passwords at least yearly (if this is an option on servers, use it!).
- Assume that any password may be attacked a few thousand times by someone with vague personal knowledge of the owner -- this may not be likely, but it's what you must defend against / prepare for. If your password is guessable, 'crack'-able, or weak, it's useless.
- Proxy Servers
- Proxy servers come in several types, often tied in with firewall functionality. The basic concept is that internal users connect to the proxy server, which then makes another connection to the desired external service.
- The proxy server then has precise control over what transfers are permitted and what is blocked.
- The proxy can also keep detailed logs of connections made and data transferred.
- Proxy servers can speed up Internet access by providing a centralized cache.
- To use a proxy server for security, you would block all outbound web and/or FTP traffic except that coming from the server, thus forcing people through the proxy.
- WebDoubler http://www.maxum.com/WebDoubler/Features.html is a Mac software-only proxy.
- Buying a Firewall
- Firewall functionality may be built into a dedicated firewall box, or come as a feature of a general-purpose router, or may be a software module that runs on a general-purpose server.
- When comparing firewalls, think about what would happen if someone attacks the firewall (since the purpose of the firewall is to interpose it between hackers and your resources, anyone interested in attacking you is likely to start with your firewall).
- Ask the vendor what the firewall's speed impact is likely to be.
- Will it make things faster by cutting down on the traffic that reaches your critical resources?
- Will a critical resource spend a great deal of time deciding whether to pass or throw away individual packets?
- Cisco and Compatible Systems make hardware routers.
- Vicom makes Mac software routers: http://www.vicomsoft.com/softrouter/information/sfr.firewall.html & http://www.vicomsoft.com/vig/information/vig.firewall.html
- Categories of Attacks
- It's worth categorizing the most common types of attacks. Some attacks fall into multiple categories.
- Finding and capitalizing on weak security
- Guessing passwords (a subcategory of weak security)
- Using known bugs to trigger useful misbehaviors: Several UNIX attacks, for instance, are based upon known ways to get sendmail to crash and execute hostile code in the process.
- Social Engineering -- tricking people into providing information to unauthorized parties
- Forgery (either of packets or of documents)
- Leeching off someone else's services (such as using someone else's SMTP server to deliver spam -- a very big problem in 1998)
- Denial of service: either making a system so busy that it can't perform its function, or making so many fraudulent attempts that the service must be shut down.
- Reminders
- Firewalls are useless without careful configuration, taking into consideration your network services, users, and vulnerabilities.
- Firewalls are effective, but in the process of blocking attacks you generally lose some flexibility -- users working from home, specifically, are generally quite restricted.
- Before spending money on a firewall, carefully consider what you're protecting, and whether there's a better way (if there's no money involved, a firewall may not be necessary, and a VPN may be either a useful adjunct to a firewall system, or a superior alternative).
- Cisco is good, but nothing's good unconfigured.
- Medscape got a firewall router, but never configured it.
- Look for sample configs from the vendor before purchase.
- If you can, take advantage of SSL, which offers 40-bit (export version) or 128-bit (non-export version) encryption of web connections.
- Using a web browser as a generic client has many advantages, and SSL is an effective barrier to hackers.
- If you're thinking of going this route, remember that POP and FTP generally transmit passwords in plain text. You can get around this by using APOP for encrypted password negotiation and SSL for file transfer over port 443.
- Closing Comments
- Hopefully we've made it clear to you that being connected to the Internet does pose a security risk, but it's one you can deal with. Securing your 'Intranet' is really a question of weighing comfort and simplicity versus security and deciding on an appropriate balance.
- You can find the outline for this talk at http://www.reppep.com/expo/.