

June 19, 1995

If you can reach them, they can reach you

How to protect valuable data with a well-built firewall, and keep the global
village prowlers at bay



By William Dutcher


Those Internet neighborhood crime reports are getting serious.

A hacker breaks into Netcom and deletes all of the Internet access
provider's billing records. Somebody in Denmark reaches into the National
Weather Service's computer system in Maryland and removes weather reports.
Pranksters from the Legion of Doom and the Masters of Deception prowl the
Internet nightly.

No matter how safe you think your Internet neighborhood is, you shouldn't
leave your doors unlocked in the global village anymore. There are plenty of
bad guys out there, and they can use your Internet connection to get inside
your network. Remember -- if you can reach them, they can reach you.

Building a firewall

A firewall (usually a gateway or router) lets your users access the Internet,
but it doesn't let just anyone on the Internet access the computers on your
network. It's a one-way gateway to and from the Internet, watching what goes
in and out. Since every network is different, each network must be configured
individually.

The traffic that passes through an Internet connection bears a source and a
destination IP address, as well as other codes that indicate the type of
transaction for which it is intended (such as FTP, Telnet, or SMTP).

The firewall might screen IP addresses, to prevent traffic from all but a
known set of IP addresses from passing into your network. It might also
screen protocols, to prevent transactions that transfer files to and from
your computers through the firewall.



In our example (see figure, above) -- a relatively simple LAN, but the basic
principles apply to larger networks -- there are four interconnected LANs,
one remote site connected via a router-to-router link, and a single
connection to the Internet.

There are 250 users with PCs and Macs on the LANs, and they use a LAN-based
E-mail system. The Internet connection is a dedicated 56K-bps access line to
an Internet access provider. The circuit originates on a router on one of
the LANs.

Users on the example network run NCSA's Mosaic Web browser to connect to
World-Wide Web sites. There is an SMTP gateway for E-mail, so users can send
and receive local and Internet messages from the same E-mail box.

Secure your network

When installing a firewall, the goal is to protect the network in a way
that's invisible to the users. Rather than preventing users from sending
Internet messages entirely, the firewall can be set up to be selective about
what traffic it permits in and out.

The first step, then, is to reconfigure the network to reduce vulnerability.
To accomplish this, a single point through which Internet traffic will flow
must be established.

To do so, a dedicated external LAN for Internet communication is created on
which only the systems that are exposed to the Internet are linked. A router
is then used to screen IP addresses and protocols.

Next, set up a separate PC, which will act as a gateway to the Internet.
From there, isolate your LANs further by making the gateway a proxy server
for users on the LANs. Last, set up a Web server on the external LAN, so
Internet access is further isolated. It's also important to log traffic that
goes through the Internet connection, to keep a record of outside access to
your network.

Close Internet back doors

It's important to identify the best physical location for the firewall
before building it, so all Internet traffic will go through the gateway.
It's imperative to close any back doors into the Internet that could bypass
the firewall. Are there any router ports that connect users to other networks
that have Internet access? Has anyone connected a server to an Internet
access provider to get a specialized or private service?

For an effective firewall, the target data must be identified first.
Specifically, what do you want the firewall to protect? Are there hosts and
servers that contain sensitive, confidential, or classified information
which an outsider might target? Are there customer lists, accounting data,
or other files on the network considered essential to running the business?
Or do you just want to build a barrier against pollution from the Internet?

Configuring a router

First, configure the IP address screen in the router: a table that screens
the source IP addresses on all incoming traffic through the router port for
the Internet access line.

Identify Internet hosts that will have access to your network. Then
configure a table that lists the hosts' source IP addresses. Such a scheme
will exclude all other host access.

In the example network, the Internet service provider operates a mail
gateway. That is, all Internet mail stops at the service provider first, and
is then forwarded to the company's E-mail host.

In such a scenario, Internet traffic would be sufficiently screened if the
firewall (AKA router) were configured to only accept inbound traffic from
the Internet service provider host.

However, the router's packet filter would also stop all other traffic coming
in from the Internet, which may not be desirable. For example, to transfer a
file using FTP from a network PC on an internal LAN, the source IP address
on the incoming file-transfer datagrams (the ones that contain the file)
will not be on the firewall's approved list, and the incoming IP datagrams
will be stopped at the router. In this case, the firewall is a tad too
secure. However, such a setup may be appropriate for others.

Most networks need a less restrictive way to screen Internet traffic -- but
one that still affords a similar measure of security. To rectify this
problem, set up a new host gateway on the external LAN.

Gateways for extra security

The gateway will be the target of all incoming traffic, regardless of its
source or application. Acting together, the router and the gateway will
constitute a firewall.

The SMTP gateway will be relied upon more heavily than the router, since it
will do more than just filter traffic. But the router still affords some
measure of protection and its filter tables should specify the applications
for which traffic will be accepted. Specifically, the router's filter table
will be modified to pass traffic destined for the SMTP gateway. The same
would be done for inside hosts that are accessible from the Internet so that
the router will pass traffic for a specific inside address, rather than only
from a specific outside address.
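As an added illustration (not code from the article), the following small
Python model shows the two router filter tables described above: the
source-only screen that accepts traffic from the service provider's mail
host alone, and the revised screen that also passes traffic by inside
destination (the gateway) and by application. All addresses are constructed
placeholders; the article names none.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed documentation-range addresses standing in for the example
# network (hypothetical; the article gives no real addresses).
ISP_MAIL_HOST = "192.0.2.25"      # the service provider's mail gateway
GATEWAY = "198.51.100.10"         # SMTP/proxy gateway on the external LAN
INSIDE_LAN = "10.0.0.0/8"         # the protected inside LANs

class Packet(NamedTuple):
    src: str
    dst: str
    app: str    # application the datagram belongs to: "smtp", "ftp", "telnet"

class Rule(NamedTuple):
    src: Optional[str]   # host/network the source must lie in; None = any
    dst: Optional[str]   # host/network the destination must lie in; None = any
    app: Optional[str]   # application to accept; None = any

def _within(addr: str, net: Optional[str]) -> bool:
    """True when net is unrestricted or addr falls inside it."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def screen(rules: List[Rule], pkt: Packet, log: List[str]) -> bool:
    """Accept the packet if any rule matches, otherwise drop it.

    Every decision is appended to `log`, which is the record of outside
    access the article says the firewall should keep.
    """
    for i, r in enumerate(rules):
        if _within(pkt.src, r.src) and _within(pkt.dst, r.dst) \
                and r.app in (None, pkt.app):
            log.append(f"ACCEPT rule{i} {pkt.app} {pkt.src}->{pkt.dst}")
            return True
    log.append(f"DROP {pkt.app} {pkt.src}->{pkt.dst}")
    return False

# Filter 1: the source-address-only screen. Anything not from the ISP's mail
# host is stopped, including FTP data returning from other Internet hosts.
SOURCE_ONLY = [Rule(ISP_MAIL_HOST, None, None)]

# Filter 2: the revised table. Mail from the ISP is still accepted, and
# traffic from any source is passed only when it is destined for the gateway
# and only for the applications the gateway is meant to handle.
WITH_GATEWAY = [
    Rule(ISP_MAIL_HOST, None, "smtp"),
    Rule(None, GATEWAY, "smtp"),
    Rule(None, GATEWAY, "ftp"),
]
```

Under either table a datagram addressed directly to a host on the inside LAN is dropped; only the second table lets an outside FTP session reach the gateway, which then re-originates the transfer inward.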

This setup offers additional mail-handling options, rather than relying
solely on an Internet service provider.

The gateway will be the first stop for traffic that has already passed
through the router. The gateway will then screen all of the transactions,
and in a second, independent step, will pass approved traffic to systems on
the inside networks.

As such, a user on the Internet could still use the FTP program to send a
file from a host on one of the inside LANs, but the transaction would be
handled by the gateway, and only indirectly by the host on the inside LAN.
The gateway would receive the FTP request, and respond to the Internet
requester. Meanwhile, the gateway would make its own FTP request to the
protected, inside host.

For an added measure of security, the gateway can be configured as a proxy
server for PCs and hosts on the inside LANs. As such, not only would all
traffic from the Internet be stopped at the gateway, but all outgoing
transactions from our LANs would also be intercepted by the gateway.

The gateway would then forward transactions to hosts on the Internet,
re-originating them as new transactions. This way, no PC or protected host
would be visible to the Internet.

At times, the gateway might also have to act as a DNS (Domain Name Server)
for the outside world. The gateway would handle DNS inquiries for LANs
behind it, but it would only identify a few hosts. The rest would be hidden.

The gateway's Mail Exchange record, which would normally indicate the host
names and IP addresses of E-mail servers on the inside LANs, instead would
point to the gateway itself.

----------------------------------------------------------------------------

What to look for when shopping for a firewall

Firewalls range from Internet Protocol routers configured to filter IP
addresses to higher-end Unix hosts with custom software for comprehensive
filtering, logging, and analysis.

Some vendors also offer customized turnkey systems, as well as ongoing
support and system maintenance.

Following is a sample of firewall router and gateway suppliers.

Routers:

Bay Networks (Access Node, Backbone Link, Concentrator Nodes); (800)
822-9638

Cisco Systems (2500, 4000, 7000 routers); (408) 526-4000 or www.cisco.com

IBM (NetSP Secured Gateway); (919) 254-7416 or sbaumann@vnet.ibm.com

Router packet filter software:

Livingston Enterprises Inc. (Firewall IRX); (510) 426-0770 or
support@livingston.com

Gateway software:

Checkpoint Software Technologies Ltd.(Firewall-1); (617) 863-6400 or
info@security.com

Trusted Information Systems Inc. (Gauntlet Firewall Toolkit); (301) 854-6889
or net-sec@tis.com

Gateway Hardware and Software:

Raptor Systems Inc. (Eagle, Eaglet); (617) 487-7700 or info@security.com

Digital Equipment Corp. (Screening External Access Link); (508) 952-3266 or
http://www.digital.com

ANS CO+RE Systems (InterLock); (703) 758-8700 or interlock@ans.net

NetPartners Inc. (Janus Firewall Server); (714) 252-5493 or sales@netpart.com

William Dutcher, of Washington, works on LAN-integration projects at Network
Solutions, which manages the Internet Network Information Center, and
teaches a course on Defense Information Services.

    ---------------------------------------------------------------------

Copyright (c) 1995 Ziff-Davis Publishing Company. All rights reserved.
Reproduction in whole or in part in any form or medium without express
written permission of Ziff-Davis Publishing Company is prohibited. PC Week
and the PC Week logo are trademarks of Ziff-Davis Publishing Company. PC
Week Online and the PC Week Online logo are trademarks of Ziff-Davis
Publishing Company.

