In Internet communications, firewalls are normally established to buffer the intranet from outside attacks. Firewall functions are implemented on packet-forwarding devices, which usuallybut not alwayshave at least two interfaces. They can take the form of a dual-homed host with two interface cards or a piece of network gear known as a router.
A typical firewall configuration consists of an external packet filtering firewall and a secondary firewall supporting the needed proxy services. The packet-filtering rules are configured to allow external Internet users access to HTTP and FTP services on the company's Web and FTP serversor whatever ports you decide to let through, including SMTP or real audio. All other network and transport protocol packets not matching the packet filtering rules are dropped. Additional rule sets must be implemented to allow services, such as DNS and SMTP, to pass from the internal intranet through the packet filtering firewall to servers on the Internet. Servers located in the zone between the two firewalls, sometimes referred to as the Demilitarized Zone (DMZ), are given their own dedicated Ethernet segments. If one of them is compromised, a remotely installed network sniffer is prevented from monitoring traffic to the internal network. (This is really dependent on the firewall implementation.) The second firewall proxies Web and ftp services initiated by internal users to the Internet.
The firewall routes packets between interfaces performing packet filtering, stateful inspection, or proxy services. A review of each of these items is appropriate.
A packet filter is designed to restrict external connections to a limited set of services, protecting the internal network from the Internet. The firewall enforces rules for packet filtering. These rules typically filter on protocols, source ports, source addresses, destination ports and destination addresses, and allowed network interfaces a given address may use. They may also filter on whether the traffic is UDP or TCP. Packet rules define connection types that are accepted and those that are rejected. For simplicity and security, it is probably best to establish rules for packets that will be accepted. Everything else is dropped and not forwarded.
Packet filtering occurs mostly at the network and transport protocol levels. If the NetBIOS service ports are not specifically enabled, traffic targeting the NetBIOS services will be blocked from Internet attacks. Attacks using IP source routing can also be stopped using packet filtering.
Packet Filtering Example
The rule set configuration allows external clients to access the internal Web server through the packet filtering router. The rule set allows inbound requests and outbound responses with IP addresses and TCP port settings. It also allows internal intranet users to connect with external Web servers on the Internet. Packets with destination TCP port = 80 and return TCP port = random number above 1023 are considered inbound HTTP requests from Internet users (line A). In order for the internal Web server to respond to this client connection, the outbound destination TCP port = Random > 1023 and source TCP port = 80 (Line B) must be permitted. However, an Internet user attempting to connect to the intranet using an internal source IP address will not be permitted. Internal IP addresses are forwarded only from the internal to the external interface on the packet filter route.
The foregoing is a general rule and is by no means absolute. Additionally, a filter may be applied to the incoming or outgoing interface, and the ACK bits may be set. Because a cracker can make a request come from any port she wants, you must check the ACK bit in the header to make sure that incoming requests either are to a specific IP address or were already established.
A rule set similar to this example must be implemented for every network service that intends to communicate through the packet filter.
Allowing TFTP, SNMP, or any of the NetBIOS services in from the Internet is not recommended. This, of course, needs to be based on policy, but these services are relatively insecure.
A proxy server is a popular way to give internal users access to the Internet without compromising external access. The proxy software runs on a host routing between the internal network and the Internet. The main idea is to allow internally initiated connections with the Internet, while preventing any that are externally initiated. For example, after installing and configuring Microsoft Proxy Server 2.0 for HTTP, the internal users designate the HTTP proxy server in their Web browser. All external Web site requests are directed to it. The proxy receives HTTP URL requests, and establishes its own connections with the destination Web sites. It then retrieves the data, and relays it back to the correct internal client. This translation between internal Web client and external Web server can be transparent to the user. A proxy firewall requires client proxy and server proxy software specifically designed for each proxy service implemented to provide this transparency.
Both Netscape and Internet Explorer provide client proxy software for HTTP. Noncaching proxies degrade network performance, but provide a secure firewall. Noncaching is included here because a caching server may actually respond much more quickly if the answer is in the cache. The Microsoft Proxy Server also has an added caching feature. Commonly visited sites are stored on the proxy's local hard disk, preventing the need for Internet retrieval. Clients receive the pages more quickly and reduce the required Internet bandwidth. The proxy can also retrieve and refresh popular Web sites automatically without client requests.
Stateful inspection offers an alternate way to provide internal users with connectivity to Internet resources while preventing external users from initiating inbound connections. As a user makes an outbound request to an external server, the stateful inspection firewall records details about it. The information tracked includes the source address, destination address, protocol, port number, and so forth; and it is evaluated for a certain period of time. When the destination service responds to the internal user, the packet is permitted to return through the firewall.
The firewall performs intelligent packet filtering without requiring the server and client software to support each network service. However, although stateful inspection offers better performance than the proxy model, it reveals internal IP addresses to the Internet. Several stateful inspection products hide internal IP addresses through address translation.
In the final article of this series, we will examine the special security issues associated with the Internet and Web services.