In discussing firewalls there is often confusion of terminology since
firewalls all differ slightly in implementation if not in purpose.
Various discussions on Usenet indicate that the term ``firewall'' is
used to describe just about any inter-network security scheme. For the
sake of simplifying discussion, some terminology is proposed, to
provide a common ground:
A screening router is a basic component of most firewalls. A screening
router can be a commercial router or a host-based router with some kind
of packet filtering capability. Typical screening routers have the
ability to block traffic between networks or specific hosts, on an IP
port level. Some firewalls consist of nothing more than a screening
router between a private network and
Bastions are the highly fortified parts of a medieval castle; points
that overlook critical areas of defense, usually having stronger walls,
room for extra troops, and the occasional useful tub of boiling hot oil
for discouraging attackers. A bastion host is a system identified by
the firewall administrator as a critical strong point in the network's
security. Generally, bastion hosts will have some degree of extra
attention paid to their security,
may undergo regular audits, and may have modified software.
Some firewalls are implemented without a screening router, by placing a
system on both the private network and the Internet, and disabling
TCP/IP forwarding. Hosts on the private network can communicate with
the gateway, as can hosts on the Internet, but direct traffic between
the networks is blocked. A dual homed gateway is, by definition, a
Possibly the most common firewall configuration is a screened host
gateway. This is implemented using a screening router and a bastion
host. Usually, the bastion host is on the private network, and the
screening router is configured such that the bastion host is the only
system on the private network that is reachable from the Internet.
Often the screening router is configured to block traffic to the
bastion host on specific ports, permitting only a small number of
services to communicate with it.
In some firewall configurations, an isolated subnet is created,
situated between the Internet and the private network. Typically, this
network is isolated using screening routers, which may implement
varying levels of filtering. Generally, a screened subnet is configured
such that both the Internet and the private network have access to
hosts on the screened subnet, but traffic across the screened subnet is
blocked. Some configurations of screened subnets will have a bastion
host on the screened network, either to support interactive
terminal sessions or application level gateways.
Much of the software on the Internet works in a store-and-forward mode;
mailers and Usenet news collect input, examine it, and forward it.
Application level gateways are service-specific forwarders or
reflectors, which usually operate in user mode rather than at a
protocol level. Generally, these forwarding services, when running on
a firewall, are important to the security of the whole. The famous
sendmail hole that was exploited by the Morris Internet worm is one
example of the kinds of security problems an application level gateway
can present. Other application level gateways are interactive, such as
the FTP and telnet gateways run on the Digital Equipment Corporation
firewalls. In general, the term ``application level gateway'' will be
used to describe some kind of forwarding service that runs across a
firewall, and is a potential security concern. In general, crucial
level gateways are run on some kind of bastion host.
Hybrid gateways are the ``something else'' category in this list.
Examples of such systems might be hosts connected to the Internet, but
accessible only through serial lines connected to an ethernet terminal
server on the private network. Such gateways might take advantage of
multiple protocols, or tunneling one protocol over another. Routers
might maintain and monitor the complete state of all TCP/IP
connections, or somehow examine traffic to try to detect and prevent an
attack. The AT&T corporate
firewall is a hybrid gateway combined with a bastion host.
Taking the components described above, we can accurately describe most
of the forms that firewalls take, and can make some general statements
about the kinds of security problems each approach presents. Assuming
that a firewall fulfills its basic purpose of helping protect the
network, it is still important to examine each type of firewall with
Damage control -- If the firewall is compromised or destroyed, to what
kinds of threats does it leave the private network open?
Zones of risk -- How large is the zone of risk during normal
operation? A measure of this is the number of hosts or routers that
can be probed
from the outside network.
Failure mode -- If the firewall is broken into or destroyed, how easy
is this to detect? In a post mortem, how much information is retained
that can be used to diagnose the attack?
Ease of use -- How much of an inconvenience is the firewall?
Stance -- Is the basic design philosophy of the firewall ``That which is not expressly permitted is prohibited'' or is it ``That which is not expressly prohibited is permitted''?
In the case of total destruction of the firewall, it tends to be very
hard to trace or even to discover. If a commercial router (which does
not maintain logging records) is used, and the router's administrative
password is compromised, the entire private network can be laid open to
attack very easily. Cases are known where commercial routers have been
configured with erroneous screening rules, or have come up in some
pass-through mode because of hardware or operator error. Generally,
this configuration is a case of ``That which is not expressly
prohibited is permitted'' as the ingenious user can fairly easily
piggyback protocols to achieve a higher level of access than the
administrator expects or wants.
Screening routers are not the most secure solution, but they are popular since they permit fairly free Internet access from any point within the private network. Many consultants and network service providers offer screening routers in a ``firewall'' configuration. It is uncertain if the various trade-offs involved are clear to the customer; thus the use of a screening router to protect sensitive information or trade secrets would not be recommended, since screening routers are very permeable from the inside.
Attacking a dual homed gateway leaves the attacker a fairly large array of options. Since the attacker has what amounts to local network access if a login can be obtained, all the usual attacks that can be made over a local network are available. NFS-mounted file systems, weaknesses in .rhosts files, automatic software distribution systems, network backup programs and administrative shell scripts - all may provide a toehold on systems on the internal network. Once a toehold is secured, it then provides a base from which to launch attacks back at the gateway itself. The weakest aspect of the dual homed gateway is its failure mode. If the firewalll is destroyed it is possible that a skillful attacker might re-enable routing and throw the entire private network open to attack. In the usual Unix-based dual homed gateway, TCP/IP routing is often disabled by modifying a kernel variable named ipforwarding; if systems privileges can be obtained or stolen on the gateway, this variable can be changed. Perhaps this seems far-fetched, but unless great care is paid to monitoring the software revision levels and configuration on the gateway host, it is not improbable that a vandal with a copy of the release notes for the operating system version and a login can compromise the system.
If a screened subnet based firewall with inter-network routing blocked
is attacked with an intent to destroy it, the attacker must reconfigure
the routing on three networks, without disconnecting or locking himself
out, and without the routing changes being noticed. No doubt this is
possible, but it can be made very difficult by disabling network access
to the screening routers, or by configuring the screening routers to
only permit access from specific hosts on the private network. In this
case, an attacker would need to break into the bastion host, then into
one of the hosts on the private network, and then back out to the
screening router -- and would have to do it without setting off any
Another advantage of screened subnets is that they can be put in place in such a way that they hide any accidents of history that may linger on the private network. Many sites that would like to connect to the Internet are daunted by the prospect of re-addressing and re-subnetting existing networks. With a screened subnet with blocked inter-network routing, a private network can be connected to the Internet and changed gradually to new subnet and network addresses. In fact, this approach has been observed to significantly accelerate the adoption of new network addresses on loosely controlled private networks. Users will be more receptive to changing their host addresses if they can realize the benefits of Internet connectivity thereby, since hosts that are not correctly addressed cannot use the firewall properly. In most other respects, the screened subnet is very much dependent on the suite of software running on the bastion host. Screening a whole subnet provides functionality similar to the dual homed gateway or screened host gateway; it differs primarily in the extra level of complexity in routing and configuration of the screening routers.
Let us postulate a hybrid gateway that consists of a box sitting on the
Internet, which is capable of routing traffic, but also maintains a
complete notion of the state of every TCP connection, how much data has
gone across it, where it originated, and its destination. Presumably,
connections can be filtered based on arbitrarily precise rules, such
as: ``permit traffic between host A on the private network and all
hosts on network B on the Internet via the telnet service if and only
if the connection originated from host A between the hours of 9:00 am
and 5:00 pm and log the traffic.'' This sounds terrific, providing
arbitrary control with great ease of use, but some problems simply
refuse to go away. Consider that someone wishing to circumvent the
firewall, who broke into the private network via an unguarded modem,
might very easily set up a service engine that was piggybacked over the
telnet port. This is actually a fairly easy firewall to destroy.
Another hybrid gateway might take advantage of various forms of protocol tunneling. Suppose the requirement is to connect to the Internet with very tight restrictions, but that a high degree of connectivity is required between the private network and an external network that is somewhat trusted (for example, a corporate R&D department needs to be able to run X-windows applications on a supercomputer at another facility). The usual archetypal gateways discussed here could provide general purpose e-mail connectivity, but for secure point-to-point communications, an encrypted point-to-point virtual TCP/IP connection might be set up with the remote system, after users had authenticated themselves with a cryptographic smart card. This would be extremely secure, and might be made fairly easy to use, but has the disadvantage that the protocol driver needs to be added to every system that wants to share communication. It is hard to make any guesses about the failure mode of such a system, but the zone of risk is neatly limited to all the hosts which are running the tunneling protocol driver, and to which the individual user has smart card access. Some of this might be implemented in hardware or in the routers themselves. In the future, it is likely that the rapid growth of the Internet will fuel more development in this area, and we will see various hybrid gateways arise. The basic issues surrounding configuring a firewall will probably remain the same as the ones discussed here.
There is active research and development on tools to aggressively seek out and identify weaknesses in an entire network, or to detect the patterns that might indicate when an attack is in progress. These tools range from the simple checklist to complex ``expert systems'' with inference engines and elaborate rule bases. Many firewalls today run software that is designed to go forth and gather information relating to possible attacks and their origins, often using and abusing tools like finger and SNMP. Unless true artificial intelligence is developed, however, these tools cannot guard against an unknown form of attack, since they cannot possibly match the creativity of a network vandal. While often billed as being ``proactive'' they are in fact reactive, and generally will serve only to catch systems crackers armed with last year's bag of tricks. Catching the small fry is still worth doing, but it is likely that they are less of a threat than the fellow who is so eager to break into your network that he is doing research and development in new system cracking techniques.