Keywords: Hacker, Network Security, Firewall, Packet Filter, Application gateway, Circuit Gateway, Stateful Inspection, Password, Identification, Advanced Authentication, Security Policy, Encryption, Virtual Private Network, Remote Access, User Authentication, Tokens, Time-synchronised
How did these organisations become vulnerable? They left electronic doors open. They failed to keep up with the advances in technology that have enabled such security breaches. They trusted systems or individuals who were not worthy of the trust.
This paper is not a survey of computer crime methods but rather a survey of a class of products that are designed to protect against unauthorised network access to systems, services and resources. This class of product is referred to as a network firewall. I will describe the basic types and key features of these products. I will then address the subject of traditional versus advanced user authentication within a firewall. Finally I will show how an authentication architecture can be extended to other network systems and devices.
Firstly, however, let's take a high level view of enterprise security. What are the industry trends that impact network security? What are the major concerns of top management? How do these concerns filter down security policy and network configurations?
The Internet is upon us and has emerged as an absolute paradise for hackers. By definition, the Internet is an un-trusted network, while your internal network is normally considered a trusted network. By establishing a connection to the Internet, you may compromise the trust of your internal network.
How does a network become compromised? Intruders may pose as trusted users or pretend that their computers are trusted network nodes. Industry confidence in static passwords is diminishing rapidly. Well-composed or even encrypted passwords are vulnerable to being intercepted and 'stolen' by today's more sophisticated system attackers. In recent months, unidentified system 'crackers' have deployed password-gathering programs and have succeeded in collecting tens of thousands of passwords. These keys to the kingdom are commonly shared with other intruders to be used for future adventures. User identification by location, or IP address, is a more recent phenomenon. The reliability of network defences based upon this approach have also come under scrutiny as sophisticated intruders have developed IP-spoofing techniques.
It's quite difficult to gauge the extent of the problem since many victim organisations will not report any breaches - in fact, the inclination for most organisations is to keep quiet to avoid negative publicity or loss of face. However, one researcher estimated worldwide losses due to hacker intrusions at $800 million annually, half of which was lost by US companies. The US Senate's Permanent Investigations Subcommittee reported these estimates in June 1996, after an eight month probe of computer security. Most losses sustained by banks do not appear in required federal reports, according to a subcommittee spokesperson, due to fears that the resulting publicity would cost them clients. In another report to the subcommittee, intruder attacks on Defence computer systems were estimated at 250,000 per year with a 65% success rate.
Products for the protection of information resources on a computer system or network can be grouped into four classes. These classes of security products form a hierarchy which is set forth in the following diagram:
Audit products are for monitoring and recording user activity. Encryption products provide privacy and/or integrity by scrambling and unscrambling data using private or public keys. Privilege Definition Products are for administering the level of data, system access and application privileges granted to specific users. User Identification and Authentication products are for authenticating the identity of authorised users. The effectiveness of each succeeding class of security products is either dependent on, or enhanced by, the availability and effectiveness of one or more of the preceding classes. For example, without proper authentication of the identity of a user, it is difficult to control access to encryption keys or to effectively audit user activity.
Some analysts extend the hierarchy to show a further dependence on physical security. All bets are off if the computer criminal wheels away the corporate database server in the middle of the night.
Privilege. Firewalls can grant privilege with either of two primary approaches. The first states that all that is not expressly prohibited is allowed. The second states that all that is not expressly allowed is prohibited. What are these privileges? The primary privileges addressed by a firewall are access to network resources and services. The resources are typically data, file, application and mail servers. The services comprise an ever-expanding list including Telnet, FTP and Mail. Note that if the firewall allows access to sensitive resources, advanced authentication must be considered.
Audit. The firewall audit function is to log usage activity as well as failed usage attempts. The usage reports will typically identify the user, time, service and resources accessed. However, since the firewall is a gateway product, it may not be capable of tracking everything a remote user has done once accessing the network. The firewall may also not be capable of monitoring internal user activity within the trusted network. Attempts at unauthorised access can be tracked, including incorrect user name, wrong passwords, failed logons, etc. Note that the audit of user activity will be only as reliable as the level of user authentication.
User Authentication. All firewalls in the standard configuration use only static passwords to protect user and administrative accounts. This can be a concern since static passwords have known weaknesses. Passwords are often shared between users and can be guessed, stolen or observed. As a result, they can be compromised without user awareness. However, most firewalls provide advanced authentication as an optional feature. The reliability of privilege and audit functions of a firewall are highly dependent on the strength of user authentication.
Encryption. Since firewalls often operate as a gateway to and from the trusted networks, they become the logical point to encrypt transmissions through the un-trusted network. This capability ensures the privacy of the transmitted data but normally requires that both gateways operate identical firewall products.
A network firewall has a similar concept. I would define it as follows:
It's important here to distinguish between the 'concept' of a firewall and firewall 'products'. In the end, the most effective firewall may be a combination of off-the-shelf products and some home grown tools that address various levels of the security hierarchy. Network firewall products are based upon two primary types or techniques. These are Packet Filtering (PF) and Application Gateway (AG). The Packet Filter is designed to examine all packets to determine if the content conforms to the established policy. Policies in this case are limited to source and destination ports and addresses. Packets that the policy excludes will not be transmitted. A PF firewall is shown in Figure 2.
The most advanced firewall products are Application Gateways which provide proxies to support specific services or applications. The most commonly used services are Telnet and FTP. Other common services supported are SMTP (email), X11, Gopher and HTTP. These application gateway firewalls will prohibit all services unless they have been explicitly allowed. With the AG, each service is represented by a proxy which will be launched as requested by the user. The AG is more flexible in that it can enforce policies by service, by location and by user. The trade-off for AG versus PF may be performance, since the AG firewall will run a number of processes as required by each user. A router can be configured as a PF, but an AG must be built upon an application server such as UNIX or Windows NT.
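The two privilege approaches described above (default allow versus default deny), applied to the address-and-port policies a Packet Filter enforces, as an added example that is not part of the original paper. The addresses are constructed documentation values; the hypothetical WWW server sits in a DMZ as in Figure 3.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_net: str           # CIDR; "0.0.0.0/0" matches any source
    dst_net: str
    dport: Optional[int]   # None matches any destination port
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))

class PacketFilter:
    """First matching rule wins; the policy default decides everything else."""
    def __init__(self, rules, default: str):
        self.rules = list(rules)
        self.default = default          # "allow" (approach 1) or "deny" (approach 2)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

# Constructed policy: Internet may reach the DMZ WWW server on HTTP only,
# and may never reach the internal (trusted) network directly.
WWW_SERVER = "192.0.2.10"   # constructed DMZ address (TEST-NET-1)
RULES = [
    Rule("allow", "0.0.0.0/0", WWW_SERVER + "/32", 80),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", None),
]
PERMISSIVE = PacketFilter(RULES, default="allow")    # not prohibited => allowed
RESTRICTIVE = PacketFilter(RULES, default="deny")    # not allowed => prohibited

def decisions(pkt: Packet) -> tuple:
    """Same packet under both approaches: (permissive verdict, restrictive verdict)."""
    return PERMISSIVE.decide(pkt), RESTRICTIVE.decide(pkt)
```

Telnet to the WWW server is the instructive case: the rule set never mentions port 23, so only the default-deny policy stops it.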
Placing two firewall products at the Internet/LAN connection allows you to define a semi-trusted zone. This zone, normally referred to as a DMZ, or demilitarised zone, is where Internet-related servers can be located. Figure 3 shows an AG and PF forming a DMZ for the WWW Server.
Alternatively, a DMZ can be established that is fully under the control of the AG. This is shown in Figure 4. Also shown in Figure 4 is an authentication server which is described in a later section.
Aside from the Packet Filter and Application Gateway, two other firewall models have been proposed. These are the Circuit Gateway and Stateful Inspection. The Circuit Gateway is concerned with allowing or disallowing a session (such as Telnet or FTP), without analysing the content of the transmitted packets. Stateful Inspection analyses the packets while remaining aware of the state of the session, but avoids raising the process to the application level. Both seem to offer a compromise between the extremes of the Packet Filter and Application Gateway. A commercial firewall product can employ some or all of these models to achieve the various goals of throughput, flexibility, ease of implementation, robustness, etc.
...Firewall security is never static; a firewall may only be secure at a point in time. New undiscovered vulnerabilities, changes in configurations and even new hacking techniques may weaken a firewall's effectiveness (Kurtz and Roath, Price Waterhouse).
Network Firewalls are, by definition, security products. However, a survey of commercially available products will quickly identify a range of optional security features. Perhaps here is where the rubber meets the road in the commercial world of sales and marketing. Sample features include the ability to block IP-spoofing, hide internal addresses and sound an alarm if the network appears to be under attack. More significantly, firewalls may offer support for Encryption, Virtual Private Networking and Advanced Authentication. Encryption and VPNs are discussed below. Advanced Authentication is covered in the following section.
The basic encryption capability expected of the firewall is to encrypt communication over the Internet between two trusted sites, using the firewalls as gateways. The secure 'stream' of data is encrypted via a secret key cipher such as DES, RC2 or RC4. This feature, in its simplest form, will encrypt between the gateways of two sites of the same company. A more interesting challenge is to encrypt the session of a mobile worker accessing the corporate LAN. Consider the complexity of establishing a secure link to a portable PC at a temporary un-trusted site such as a hotel, branch office or customer site. In this case, positively establishing the identity of the user (via advanced authentication) is crucial. The most advanced firewalls will do all of the above, which can be the basis of a Virtual Private Network (VPN) or Internet Tunnel. However, there are additional requirements such as key management and inter-operability.
A robust VPN requires a key server to store and propagate keys as new sites are added. Since secret encryption keys can be decoded given enough time, the key server should also be capable of automatically generating and distributing new keys to all gateways at the launch of new sessions, or at user-defined intervals. Given the frequency and complexity of key propagation, the only practical medium for distributing keys is the WAN itself. To maintain security of the new keys, the firewall can rely on the existent (secret key) tunnel or use a separate logical tunnel based upon public key encryption. The advantage of the latter is that it offers better security since strong public keys are unlikely to be decoded. In fact, a compromised VPN can be restored by re-propagating the private keys via public key encryption. Why don't we just base the tunnel on a public key system? Public key systems are not well-suited to stream encryption since they use too much overhead.
The security of international VPNs is dependent upon the strength of the encryption, which is export-regulated (and classified by the US Government as a munition). Since governments take a keen interest in the import/export of encryption, it is not sufficient for network security professionals to stay abreast only of the technological developments. They must also be familiar with the related regulatory trends. Since VPN products from different vendors do not inter-operate, the enterprise must at the moment standardise on a single firewall vendor to operate a VPN. To address this issue, a new standard called Secure/WAN or S/WAN has been proposed and is gaining momentum in the industry.
How are firewalls deployed? Last year, 95% of firewall products sold were installed to protect from external attack via the Internet or other un-trusted networks. The Yankee Group estimates that within five years, firewall products will be deployed as often for internal security as external. Internal firewalls can be used to implement policy by site, subnet, workgroup, etc. The Yankee Group further predicts a tremendous surge in interest for firewall products. They expect sales in the USA to grow from $121 million in 1995 to nearly $1 billion in five years.
To address the weaknesses of passwords, a class of product has emerged called a token - something physical that the user possesses. These include smart cards, super-smart cards and challenge/response systems. The token most widely supported by Internet firewalls is the time-synchronised token which contains an internal power source and display. Time-synchronised tokens combine two methods of user identification - something secret the user knows (a PIN) and something the user possesses (the token). To gain access to a protected resource, a user enters his or her PIN and a token code, a constantly changing number automatically computed and displayed on the liquid crystal display ('LCD') of the user's secured token.
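The PIN-plus-token-code check described above, written out as an added example that is not from the paper or any token vendor. It assumes a hypothetical authentication server holding each user's PIN and token seed, derives the displayed code from the clock in the manner of RFC 6238 (a constructed stand-in for the proprietary 1990s algorithms), tolerates one step of clock drift, and refuses a code that has already been spent.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 60  # seconds each displayed code lives; constructed assumption for this example

@dataclass
class TokenRecord:
    pin: str                 # something the user knows
    seed: bytes              # secret burned into the token: something the user has
    last_counter: int = -1   # highest time counter already accepted (replay guard)

def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """The number the token's LCD would show at unix_time (HMAC-SHA1, RFC 6238 style)."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def verify_passcode(rec: TokenRecord, passcode: str, now: int, drift: int = 1) -> bool:
    """Passcode = PIN followed by token code. Both factors must check out."""
    pin, code = passcode[:len(rec.pin)], passcode[len(rec.pin):]
    if not hmac.compare_digest(pin.encode(), rec.pin.encode()):
        return False                                  # wrong PIN: token alone is useless
    base = now // STEP
    for k in range(-drift, drift + 1):                # allow the token clock to be a step off
        counter = base + k
        if counter <= rec.last_counter:
            continue                                  # that minute's code was already used
        expected = token_code(rec.seed, counter * STEP)
        if hmac.compare_digest(code.encode(), expected.encode()):
            rec.last_counter = counter                # burn the code so it cannot be replayed
            return True
    return False

# Constructed user record; the seed is not from any real token.
ALICE = TokenRecord(pin="1234", seed=b"constructed-seed-not-a-real-token")
```

Because the accepted counter is recorded, an observer who captures a valid passcode in transit cannot reuse it, which is the property static passwords lack.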
Third Party Support. Since all of the systems and devices on the network can operate as authentication clients, some programming development effort is required to establish this capability. The authentication client code can be enabled on a range of UNIX and other systems through an application programming interface (API). For network devices, normally the manufacturer has to embed the authentication client code in the firmware. Thus, the usefulness of this authentication architecture is determined to a large extent by the extent and the quality of the relationships between the token manufacturer and third party suppliers. To meet this challenge, a broad range of relationships have been forged with the leading vendors of firewalls, remote access servers, network devices, network applications and network operating systems.