June 19, 1995

If you can reach them, they can reach you

How to protect valuable data with a well-built firewall, and keep the global village prowlers at bay

By William Dutcher

---------------------------------------------------------------------

Those Internet neighborhood crime reports are getting serious. A hacker breaks into Netcom and deletes all of the Internet access provider's billing records. Somebody in Denmark reaches into the National Weather Service's computer system in Maryland and removes weather reports. Pranksters from the Legion of Doom and the Masters of Deception prowl the Internet nightly.

No matter how safe you think your Internet neighborhood is, you shouldn't leave your doors unlocked in the global village anymore. There are plenty of bad guys out there, and they can use your Internet connection to get inside your network. Remember -- if you can reach them, they can reach you.

Building a firewall

A firewall (usually a gateway or router) lets your users access the Internet, but it doesn't let just anyone on the Internet access the computers on your network. It's a one-way gateway to and from the Internet, watching what goes in and out. Since every network is different, each firewall must be configured for the network it protects.

The traffic that passes through an Internet connection bears a source and a destination IP address, as well as other codes that indicate the type of transaction for which it is intended (such as FTP, Telnet, or SMTP). The firewall might screen IP addresses, to prevent traffic from all but a known set of IP addresses from passing into your network. It might also screen protocols, to prevent transactions that transfer files to and from your computers through the firewall.
In our example (see figure, above) -- a relatively simple LAN, but the basic principles apply to larger networks -- there are four interconnected LANs, one remote site connected via a router-to-router link, and a single connection to the Internet. There are 250 users with PCs and Macs on the LANs, and they use a LAN-based E-mail system. The Internet connection is a dedicated 56K-bps access line to an Internet access provider. The circuit originates on a router on one of the LANs. Users on the example network run NCSA's Mosaic Web browser to connect to World-Wide Web sites. There is an SMTP gateway for E-mail, so users can send and receive local and Internet messages from the same E-mail box.

Secure your network

When installing a firewall, the goal is to protect the network in a way that's invisible to the users. Rather than preventing users from sending Internet messages entirely, the firewall can be set up to be selective about what traffic it permits in and out.

The first step, then, is to reconfigure the network to reduce vulnerability. To accomplish this, establish a single point through which all Internet traffic will flow: create a dedicated external LAN for Internet communication, on which only the systems that are exposed to the Internet are linked. A router is then used to screen IP addresses and protocols. Next, set up a separate PC, which will act as a gateway to the Internet. From there, isolate your LANs further by making the gateway a proxy server for users on the LANs. Last, set up a Web server on the external LAN, so Internet access is further isolated. It's also important to log traffic that goes through the Internet connection, to keep a record of outside access to your network.

Close Internet back doors

It's important to identify the best physical location for the firewall before building it, so all Internet traffic will go through the gateway.
It's imperative to close any back doors into the Internet that could bypass the firewall. Are there any router ports that connect users to other networks that have Internet access? Has anyone connected a server to an Internet access provider to get a specialized or private service?

For an effective firewall, the target data must be identified first. Specifically, what do you want the firewall to protect? Are there hosts and servers that contain sensitive, confidential, or classified information which an outsider might target? Are there customer lists, accounting data, or other files on the network considered essential to running the business? Or do you just want to build a barrier against pollution from the Internet?

Configuring a router

First, configure the IP address screen in the router. The router can be given a table that screens the source IP addresses of all incoming traffic on the port for the Internet access line. Identify the Internet hosts that will have access to your network, then configure a table that lists those hosts' source IP addresses. Such a scheme will exclude all other hosts.

In the example network, the Internet service provider operates a mail gateway. That is, all Internet mail stops at the service provider first, and is then forwarded to the company's E-mail host. In such a scenario, Internet traffic would be sufficiently screened if the firewall (AKA router) were configured to accept inbound traffic only from the Internet service provider's host.

However, the router's packet filter would also stop all other traffic coming in from the Internet, which may not be desirable. For example, if a PC on an internal LAN uses FTP to transfer a file from an Internet host, the source IP address on the incoming file-transfer datagrams (the ones that carry the file) will be that of the Internet host, which is not on the firewall's approved list, so the incoming IP datagrams will be stopped at the router. In this case, the firewall is a tad too secure.
However, such a setup may be appropriate for others. Most networks need a less restrictive way to screen Internet traffic -- but one that still affords a similar measure of security. To rectify this problem, set up a new host gateway on the external LAN.

Gateways for extra security

The gateway will be the target of all incoming traffic, regardless of its source or application. Acting together, the router and the gateway will constitute a firewall. The SMTP gateway will be relied upon more heavily than the router, since it will do more than just filter traffic. But the router still affords some measure of protection, and its filter tables should specify the applications for which traffic will be accepted. Specifically, the router's filter table will be modified to pass traffic destined for the SMTP gateway. The same would be done for inside hosts that are accessible from the Internet, so that the router passes traffic for a specific inside address, rather than only from a specific outside address. This setup offers additional mail-handling options, rather than relying solely on an Internet service provider.

The gateway will be the first stop for traffic that has already passed through the router. The gateway will then screen all of the transactions, and in a second, independent step, will pass approved traffic to systems on the inside networks. As such, a user on the Internet could still use FTP to retrieve a file from a host on one of the inside LANs, but the transaction would be handled by the gateway, and only indirectly by the host on the inside LAN. The gateway would receive the FTP request and respond to the Internet requester. Meanwhile, the gateway would make its own FTP request to the protected, inside host.

For an added measure of security, the gateway can be configured as a proxy server for PCs and hosts on the inside LANs.
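The two router filter policies discussed above (the source-address-only list that is "a tad too secure", and the revised table that passes traffic destined for the gateway) can be modelled as a default-deny packet filter. This is an added example, not code from the article or any vendor's router; the addresses, port numbers and rule names are constructed for illustration.

```python
# Added example: a default-deny inbound packet filter modelling the article's
# two router policies. All addresses are constructed documentation-range values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address of the inbound datagram
    dst: str     # destination IP address
    dport: int   # destination TCP port (21 = FTP control, 25 = SMTP)


@dataclass(frozen=True)
class Rule:
    src: str = "0.0.0.0/0"       # CIDR the source must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def permitted(rules: List[Rule], p: Packet) -> bool:
    """Default deny: an inbound packet passes only if some rule matches it."""
    return any(r.matches(p) for r in rules)


ISP_MAIL_HOST = "198.51.100.10"   # constructed: the ISP's mail gateway
GATEWAY = "203.0.113.2"           # constructed: company gateway on the external LAN
INSIDE_PC = "192.0.2.15"          # constructed: a PC on a protected inside LAN

# Policy 1 ("a tad too secure"): accept inbound traffic only from the ISP host,
# whatever its destination. Anything from any other Internet host is dropped.
SOURCE_ONLY = [Rule(src=f"{ISP_MAIL_HOST}/32")]

# Policy 2: pass traffic by inside destination and service. Mail still comes
# only from the ISP host; FTP from anywhere is accepted only if bound for the
# gateway, which relays it to the inside host in a separate transaction.
GATEWAY_BOUND = [
    Rule(src=f"{ISP_MAIL_HOST}/32", dst=f"{GATEWAY}/32", dport=25),
    Rule(dst=f"{GATEWAY}/32", dport=21),
]

# Constructed sample traffic arriving on the Internet port.
isp_mail = Packet(ISP_MAIL_HOST, GATEWAY, 25)
ftp_to_gateway = Packet("198.51.100.77", GATEWAY, 21)
ftp_direct_to_inside = Packet("198.51.100.77", INSIDE_PC, 21)
```

Under SOURCE_ONLY the FTP datagrams from 198.51.100.77 never reach the gateway; under GATEWAY_BOUND they do, while a datagram addressed straight to the inside PC is still dropped at the router.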
As such, not only would all traffic from the Internet be stopped at the gateway, but all outgoing transactions from our LANs would also be intercepted by the gateway. The gateway would then forward transactions to hosts on the Internet, re-originating them as new transactions. This way, no PC or protected host would be visible to the Internet.

At times, the gateway might also have to act as a DNS (Domain Name Server) for the outside world. The gateway would handle DNS inquiries for LANs behind it, but it would only identify a few hosts. The rest would be hidden. The gateway's Mail Exchange record, which would normally indicate the host names and IP addresses of E-mail servers on the inside LANs, instead would point to the gateway itself.

----------------------------------------------------------------------------

What to look for when shopping for a firewall

Firewalls range from Internet Protocol routers configured to filter IP addresses to higher-end Unix hosts with custom software for comprehensive filtering, logging, and analysis. Some vendors also offer customized turnkey systems, as well as ongoing support and system maintenance. Following is a sample of firewall router and gateway suppliers.

Routers:
Bay Networks (Access Node, Backbone Link, Concentrator Nodes); (800) 822-9638
(2500, 4000, 7000 routers); (408) 526-4000 or www.cisco.com
IBM (NetSP Secured Gateway); (919) 254-7416 or sbaumann@vnet.ibm.com

Router packet filter software:
Livingston Enterprises Inc. (Firewall IRX); (510) 426-0770 or support@livingston.com

Gateway software:
Checkpoint Software Technologies Ltd. (Firewall-1); (617) 863-6400 or info@security.com
Trusted Information Systems Inc. (Gauntlet Firewall Toolkit); (301) 854-6889 or net-sec@tis.com

Gateway hardware and software:
Raptor Systems Inc. (Eagle, Eaglet); (617) 487-7700 or info@security.com
Digital Equipment Corp. (Screening External Access Link); (508) 952-3266 or http://www.digital.com
ANS CO+RE Systems (InterLock); (703) 758-8700 or interlock@ans.net
NetPartners Inc. (Janus Firewall Server); (714) 252-5493 or sales@netpart.com

William Dutcher, of Washington, works on LAN-integration projects at Network Solutions, which manages the Internet Network Information Center, and teaches a course on Defense Information Services.

---------------------------------------------------------------------

Copyright (c) 1995 Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. PC Week and the PC Week logo are trademarks of Ziff-Davis Publishing Company. PC Week Online and the PC Week Online logo are trademarks of Ziff-Davis Publishing Company.