Defending Against Attack
If a network is attached to the Internet with no security provisions,
hosts on that network will be exposed to all of these types of attack.
This is where firewalling gateways come into play. By placing a firewall
between the Internet and your internal networks, you provide a barrier,
preventing internal hosts from being directly attacked. Instead, an
attacker must first compromise the security of the firewall before they
can gain internal access. This allows system administrators to concentrate
their efforts on securing a single host rather than a whole network or
collection of networks.
For this to succeed, a fundamental requirement of a firewall gateway
is that it strictly controls which packets are gatewayed. The simplest
types of firewalls are packet filtering gateways: these match
packets (in particular, their addresses and ports) against tables
which specify which packets can be gatewayed and which should be
filtered (i.e. discarded). Packet filtering can be quite effective,
but setting up good packet filters takes intimate knowledge of the
various protocols and great care. A more sophisticated approach is
to use application-specific proxy servers to gateway individual
services in a controlled fashion.
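The table matching described above, as an added example that is not part of the original page: a first-match rule table over addresses and ports in which a packet matching no rule is filtered. The addresses, the rule set and the names `Rule`, `TABLE`, `rule_matches` and `decide` are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str    # "pass" or "filter"
    src: str       # source network in CIDR form
    dst: str       # destination network in CIDR form
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range

# Constructed table: 192.168.10.0/24 is the internal network and
# 192.0.2.25 is a mail relay. Order matters: the first match decides.
TABLE = [
    Rule("pass",   "0.0.0.0/0",       "192.0.2.25/32", "tcp", (25, 25)),
    Rule("filter", "192.168.10.0/24", "0.0.0.0/0",     "tcp", (25, 25)),
    Rule("pass",   "192.168.10.0/24", "0.0.0.0/0",     "tcp", (1, 65535)),
]

def rule_matches(rule, src, dst, proto, dport):
    """True when the packet's addresses, protocol and port all fit the rule."""
    low, high = rule.ports
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and low <= dport <= high)

def decide(table, src, dst, proto, dport):
    """First matching rule wins; a packet matching no rule is filtered."""
    for rule in table:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action
    return "filter"

if __name__ == "__main__":
    print(decide(TABLE, "203.0.113.9", "192.0.2.25", "tcp", 25))     # outside -> relay
    print(decide(TABLE, "192.168.10.5", "198.51.100.7", "tcp", 25))  # direct SMTP out
    print(decide(TABLE, "203.0.113.9", "192.168.10.5", "tcp", 23))   # no rule matches
```

Swapping the second and third rules lets internal hosts send mail directly instead of through the relay, which is the kind of ordering mistake that makes packet filters demand the care mentioned above.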
Firewalls can help secure your networks against the following
types of attacks:
- ICMP attacks: The ICMP protocol can be used to determine
  information about hosts and routes, to make services appear
  inaccessible, to change routes, and so on. Firewalls usually
  either disallow ICMP completely or restrict its use considerably.
- Denial-of-service attacks: These can be handled using the following
  techniques:
  - Prohibiting gatewaying of printer, logging and mail services. Mail
    can be handled using a store-and-forward relay mechanism which places
    limits on mail message sizes, number of recipients, and so on. Packet
    filters can be used to prohibit access to the other services.
  - Using separate file systems for spooled data such as mail, or
    for a public FTP area, so that if that area of the disk fills up
    other parts of the firewall are not affected.
  - Using server programs that are robust and not vulnerable to
    buffer overrun problems.
  - Maintaining detailed activity logs.
- Password-cracking attacks: These can be handled by not allowing user
  accounts on the firewall, preventing incoming telnet requests from
  being relayed, and prohibiting network logins on the firewall itself.
  If any of these is not possible, the use of a one-time password
  system such as S/Key can achieve the same ends.
- Exploiting security holes: Again, by using robust and secure
  servers on the firewall, this risk can largely be eliminated. In
  particular, no robust firewall would use the sendmail
  program to receive mail (using it to send mail is much less of a security
  risk if done with care).
- Address-spoofing, tunnelling and routing attacks: These can be avoided
  in several ways:
  - Double reverse domain lookups can be used to check that the symbolic
    domain name and numeric IP address for a requesting host are in agreement;
    unfortunately, the recent explosive growth of the Internet has resulted in
    many DNS servers being set up in a lackadaisical fashion, with no
    reverse records being made available to map numeric IP addresses
    back to domain names, making address spoofing harder to detect (also,
    many Internet porn sites deliberately avoid supplying reverse records,
    making it easier for people to browse porn sites without suspicious
    site names being logged).
  - If the firewall is aware of all the internal network addresses,
    it can ensure that packets received from outside do not claim to be
    from any of these addresses;
  - By disallowing 'source routing' and restricting the use of IP
    options.
- Session hijacking: This is difficult to prevent, but can be done in
  some instances through the use of encrypted connections.
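The three address-spoofing checks in the list above, as an added example that is not part of the original page: an ingress check on a raw IPv4 header (internal source claimed from outside, source-route options present) and a double reverse lookup. The internal range, the sample header builder and the `reverse`/`forward` resolver callables are assumptions made so the code runs offline.

```python
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # constructed internal range
SOURCE_ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR"}           # IPv4 option types

def option_types(header: bytes) -> list:
    """Return the option type bytes carried in a raw IPv4 header."""
    ihl = (header[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    found, i = [], 20
    while i < ihl:
        kind = header[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No-Operation (one byte)
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("malformed IPv4 option")
        found.append(kind)
        i += header[i + 1]
    return found

def inbound_verdict(header: bytes) -> str:
    """Verdict for a packet that arrived on the outside interface."""
    try:
        options = option_types(header)
    except (ValueError, IndexError):
        return "drop: malformed header"
    src = ipaddress.ip_address(header[12:16])
    if any(src in net for net in INTERNAL_NETS):
        return "drop: outside packet claims an internal source"
    routed = [SOURCE_ROUTE_OPTIONS[k] for k in options if k in SOURCE_ROUTE_OPTIONS]
    return "drop: source routing (%s)" % routed[0] if routed else "pass"

def double_reverse_ok(ip: str, reverse, forward) -> bool:
    """Double reverse lookup: the name from the reverse record must map back to ip.
    reverse(ip) returns a name or None; forward(name) returns a list of addresses."""
    name = reverse(ip)
    return name is not None and ip in forward(name)

def sample_header(src: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (only the fields used above are filled in)."""
    ihl = (20 + len(options)) // 4
    dst = ipaddress.ip_address("192.168.10.5").packed
    return bytes([0x40 | ihl]) + bytes(11) + ipaddress.ip_address(src).packed + dst + options
```

With live DNS, `reverse` and `forward` can wrap `socket.gethostbyaddr` and `socket.gethostbyname_ex`; a host with no reverse record then fails the check, which is the detection gap the list item describes.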
No firewall can provide complete protection. Every
network is vulnerable to physical attack. Another security
problem is in the form of Trojan horse-type attacks, such
as viruses. If users upload software from the Internet that
contains viruses, the firewall may not be able to prevent this (the
CEQURUX Technologies firewall does support virus scanning of e-mail attachments,
however, using the Sophos PLC anti-virus library obtainable from
Sophos PLC at www.sophos.com). Another
example is the use of Java on the World Wide Web; despite the
declamations of its proponents, Java represents a potential security
problem. If you allow users on the inside of your network to
access the WWW using Java-aware browsers, then you are exposing yourself to
this risk.
In particular, it is worth being aware that text-based clients may be
vulnerable to terminal control attacks. Some terminal types (such as
ANSI) support character sequences which can reassign key bindings.
A server could potentially serve data with such a control string
embedded (consider, for example, a string which reassigns the ENTER
key to send a command to reformat the hard disk). To avoid such attacks, you
should use terminal emulators which do not allow such key redefinitions
(e.g. simple VT100 emulators). This is considered the main potential
danger of allowing users access to text-based services such as whois.
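A complementary defence to choosing a restrictive emulator, shown as an added example that is not part of the original page: neutralize control characters in untrusted server output before it reaches the terminal, so that no escape sequence is ever interpreted. The function name `neutralize` and the sample reply are constructed for illustration.

```python
import unicodedata

def neutralize(raw: bytes):
    """Make untrusted server output safe to print on a terminal.

    Returns (text, hits): text has every control character except newline and
    tab replaced by a visible form; hits counts ESC and CSI introducers seen.
    """
    out, hits = [], 0
    for ch in raw.decode("utf-8", errors="replace"):
        if ch in "\n\t" or unicodedata.category(ch) != "Cc":
            out.append(ch)                          # ordinary printable text
        elif ord(ch) < 0x80:
            hits += ch == "\x1b"
            out.append("^" + chr(ord(ch) ^ 0x40))   # caret notation: ESC -> ^[
        else:
            hits += ch == "\x9b"                    # 8-bit CSI, same role as ESC [
            out.append("<U+%04X>" % ord(ch))
    return "".join(out), hits

# Constructed reply from a text service with an embedded ESC [ ... p sequence.
SAMPLE = b'Domain: example.org\r\n\x1b[0;68;"constructed";13p\r\nStatus: ok\r\n'

if __name__ == "__main__":
    text, hits = neutralize(SAMPLE)
    print(text)
    print("control sequences neutralized:", hits)
```

Carriage returns are neutralized as well, since a bare CR lets a server overwrite text already shown on the line.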
To maximise the effectiveness of your firewall, you should follow these
guidelines:
- Use a firewall at each point of attachment to the Internet
or other foreign networks. Having a point of attachment with no
firewall renders any other firewalled points of attachment
completely ineffective at providing security.
- Strictly control physical access to your firewall machines.
- Disable all services except those that are needed. Even though the
firewall may provide secure access to these services, there is no reason
to expose your networks to more risk than absolutely necessary.
- Keep a close watch on activity through the firewall. Do not assume
that since you have a firewall you can simply forget about security
concerns.
- Do not allow user accounts on the firewall. The only user
accounts should be for firewall administration. These accounts should
use good passwords. If these accounts can be accessed over a network
connection (as opposed to strictly locally on the physical machine),
they should use one-time passwords. Access over the network from outside
should not be allowed, unless it uses strong authentication and encrypted
connections (such as with SSH).
- Ensure that your users are aware of the dangers of viruses,
and that they check any downloaded software for viruses before use.
- Consider filtering potentially dangerous web page content such
as Java and ActiveX.
Copyright © 2004, CEQURUX Technologies