Series: Been Burned?
Maybe you need a firewall! They're not just for network administrators anymore.
Article 1 of 1 in series
by Chris Pepper
One of the best things about the Internet - a legacy of its educational history - is that it lets us share information with people all over the planetShow full article
One of the best things about the Internet - a legacy of its educational history - is that it lets us share information with people all over the planet. Another wonderful capability - this one a legacy of its Unix roots - is that it provides us access (to Web pages, email accounts, games, corporate info, and more) from any properly connected computer.
Of course, there are trade-offs. One of the biggest problems with sharing information with people you've never met is that some of them aren't nice. The Internet can put you in touch with fascinating folks, but it can also introduce you to people you'd rather avoid - spammers, antisocial hackers, and virus authors.
It's great that you can go to a coffee shop, computer lab, or copy shop and check your private email. However, people you don't know could be sitting over their own coffee right now, trying to access your credit card numbers, private records, or corporate data. Obviously, people can use the Internet to work from anywhere on the planet, but what about security issues? How do you differentiate between an employee at a coffee shop and a competitor at the next table?
Firewalls are one of the most effective ways to protect sensitive data and servers from hackers. Although firewalls aren't rocket science - despite what many consultants would have you believe - they aren't simple either. This article will show you how firewalls work and why they're important, and provide some guidance for your own thinking on firewalls. It assumes you're familiar with the basics of how the Internet works, although it explains some details briefly. If you have a full-time or multiple-machine Internet connection, you should consider a firewall, but they're generally unnecessary for individual users who don't use server software.
The Intranet -- A few years ago, most networks were within buildings - local area networks, or LANs. Some companies connected their LANs with expensive dial-up links, making wide area networks, or WANs. In either case, you had to be on the premises to use company servers. Such physical security is extremely effective - there are laws against trespassing, and it's fairly easy to recognize valid employees. On the other hand, anyone who's visited an AOL chat room or IRC channel knows that identity is more complicated online. The problem for network administrators is providing access to legitimate users and blocking outsiders.
The intranet concept is an attempt to regain some of the control lost in this age of widely available Internet connections. Basically, an intranet is everything on the inside of the Internet connection - what would be a LAN or WAN if the Internet link was cut. Generally, users on the intranet have more access than outsiders - after all, they've made it into the building and past any guards, locks, or coworkers. People working on the far side of the Internet connection have less access - enough that they can get work done but not enough to cause harm. The key to the intranet is our friend the firewall, restricting Internet users to innocuous activities, and letting intranet users go about their business.
Public information available to anybody on the Internet might include public relations materials and public Web sites, software demos, and annual reports. Private information available only to people on the intranet includes things like detailed human resources policies, forms, and records; accounting and financial records; site-licensed software; and help desk systems and technical support resources. Deciding which services fall into public and private categories is key to a successful intranet.
How Does It Work? Traffic on the Internet consists of individual packets of data, generally either TCP (Transmission Control Protocol) packets or UDP (Universal Datagram Protocol) packets. Every packet includes a header which identifies the sending computer and port, and the receiving computer and port. Both TCP and UDP use IP numbers (such as 188.8.131.52) to identify individual computers, and port numbers (which range from 0 to 65,535) to identify individual programs on each computer.
As an example, if you wanted to see the Audubon home page, your Web browser might create a packet with source IP 184.108.40.206 (assigned by your network administrator or ISP), source port 54,321 (arbitrarily chosen by your application), destination IP 220.127.116.11 (the Audubon Web server), destination port 80 (identifying the Web server), and a "payload" containing a request for the Audubon home page.
The higher level protocols we use to surf the Web, send email, transfer files, and more, all run on top of TCP and UDP (which in turn run on top of IP - the Internet Protocol). Most protocols answer on a specific TCP or UDP port, but some higher level protocols can use either TCP or UDP.
It might help to think of IP addresses as street addresses and ports as apartment numbers. Every computer that sees a packet (including your computer, the router that connects you to the Internet, the routers between your ISP and your destination, etc.) looks at the IP address and ignores, forwards, or accepts the packet based on the IP address. Once the recipient computer sees and accepts the packet, it decides what program should handle it based on the destination port. TCP and UDP port numbers correspond to specific services, and the destination computer uses the port number to decide which program gets the packet. For example, without port numbers, an AppleShare IP server wouldn't know whether a specific packet should be handled by its FTP, SMTP, AppleShare-over-IP, or Web servers.
The Internet Assigned Numbers Authority maintains a list of the major assigned ports, including those used by standard services and registered to specific applications (even games).
HTTP - TCP port 80. HyperText Transfer Protocol is how Web browsers and servers talk to each other. (HTTPS, or Secure Sockets Layer, is an encrypted variant of HTTP that uses TCP port 443.)
SMTP - TCP port 25. Most people send email using Simple Mail Transfer Protocol.
POP3 - TCP port 110. Post Office Protocol version 3 is used to receive mail. Email programs like Eudora and Netscape Communicator typically send email via SMTP and receive email via POP3.
DNS - TCP or UDP port 53. Domain Name Servers convert between human-readable names like www.audubon.org and IP numbers like 18.104.22.168.
Telnet - TCP port 23. Telnet (or remote login) is the granddaddy of all remote control schemes.
FTP - TCP port 21. FTP programs send commands to FTP servers using TCP port 21, but FTP is unusual in that it uses an additional port for the actual data transfer.
ASIP - TCP port 548. Used by AppleShare-over-TCP/IP, as used by AppleShare IP, ShareWay IP, some Unix servers, Mac OS 8's built-in AppleShare client, and Microsoft Windows 2000/NT 5.
SNMP - UDP port 161. Simple Network Management Protocol servers are built into most routers, smart hubs, servers, and some desktop operating systems (SNMP is optional in Mac OS 8.5). An SNMP console, such as Dartmouth's excellent InterMapper, can monitor these servers to map out a network and watch for trouble.
There are over four billion valid IP numbers (2^32 - and we're running out). Each computer on the Internet has its own complement of 131,072 ports which can talk to any port on any other computer on the Internet. The number of possible connections is more than anyone could track or guard - 2^(32+32+16+16+1), or 2^97 - but a firewall can bring this number down to a manageable range.
Firewalls -- Firewalls work by selectively passing traffic between secure and insecure network areas. Typically, the firewall is a part of - or adjacent to - the Internet router. The Internet connection is a logical place for a firewall, since people on an intranet are more trusted than people using the Internet, and any hackers must get past the firewall to reach the tasty data on the intranet.
There are two types of firewalls: packet filters (also known as packet screening firewalls) and proxy servers. The more common packet filters are simpler, cheaper, and much faster than proxies. Since IP numbers identify computers and ports identify services, a firewall can determine whether a packet is legitimate by looking at the source and destination IPs and ports and comparing them against a simple set of rules. As IP addresses are often grouped logically, it's usually easy to determine who is or is not part of the local network.
Packet filters are simple because they don't consider the content (called the payload) of the packet: the firewall makes its decisions based solely on a packet's IP and port numbers. Think of a firewall as a military checkpoint - there are a few people with passes who can get through, and anyone else is turned away. The guards don't open briefcases.
Most firewalls keep people out, rather than prevent intranet users from getting out to the Internet (although there are a few common exceptions). Thus, configuring a firewall is generally a process of listing the few valid uses Internet users might have for intranet services, and then writing rules to allow only those uses, thus blocking out the vast number of unneeded connections which might otherwise pose a security risk. Here is a simple set of rules for a boring company named Examples, Inc., translated into plain English:
"Allow Internet computers to connect to mail.example.com on port 25. Allow mail.example.com to connect to outside computers on port 25. Block all other traffic to or from port 25 across the firewall." Port 25 is used by SMTP for sending email. Since the firewall controls only traffic crossing from one side to the other, this would prevent outsiders from using private internal mail servers and keep employees on the intranet from sending mail directly to servers outside the firewall. If mail.example.com logs all mail sent and received, you can ensure that nobody is using a private mail server to avoid being caught in corporate mail logs (or to send spam).
"Allow Internet computers to connect to www.example.com on ports 80 and 443. Allow any internal computer to connect to outside computers on ports 80 and 443. Log every outbound URL request along with the (internal) requesting IP. Block all traffic to port 80 or 443 on other internal servers." Port 80 is the standard HTTP (Web browsing) port, and port 443 is used by HTTPS (Secure Sockets Layer) for encrypted Web browsing. Again, this prevents outsiders from reaching private internal services (such as Personal Web Sharing). It also logs employee Web use, so administrators can tell if employees are using the company's Internet connection to access inappropriate Web sites. Many companies have policies against non-work-related use of the Internet - in fact, the Dilbert Zone's Pointy-Haired Boss Index lists companies that block access to the Dilbert site.
"Block all inbound DNS requests." If you run a public DNS server outside the firewall, and a private server inside, you can prevent outsiders from finding out about non-public hosts, like printers.
"No FTP connections may come in. Outbound connections are unrestricted." In this case, ftp.example.com might be hosted by an upstream ISP outside the firewall, and employees would go out through the firewall to use it. Some organizations are concerned about information leaking out and force all employees to use FTP proxy servers that allow FTP GET but not FTP PUT. The idea is to prevent employees from giving a large chunk of sensitive data to a competitor.
Proxy Servers -- The more complicated and expensive type of firewall is called a proxy. If a packet filtering firewall is a military checkpoint, a proxy is a finicky translator and interpreter. People on either side of a proxy can't talk directly to each other; instead, all communication passes through the proxy. If someone on the Internet tries something dodgy, the proxy refuses to pass the message. Further, machines on the outside have no direct communication with machines on the inside, which means they have no knowledge of the internal network topology, and can't attack or probe internal machines for vulnerabilities.
Network Address Translation (NAT) is a relatively new specification which enables a firewall to act as a proxy server without the client software doing anything different (or even knowing about the firewall's presence). The NAT-enabled firewall rewrites every packet to use its own source IP and an available source port, and then reverses the process for replies. Because it is fairly simple, NAT is becoming more common in firewalls and routers. More sophisticated firewalls understand specific protocols and can place restrictions on individual commands or actions which are suspicious. These firewalls generally run under Unix or NT and are quite expensive.
At the other end of the spectrum, relatively inexpensive caching firewalls such as Maxum's WebDoubler focus on performance improvements rather than security. WebDoubler improves browsing speed by caching Web requests, then providing the cached copy to other users requesting the same page - just like the cache built into Navigator or Explorer, except that all WebDoubler users share the larger cache. Sustainable Softworks's IPNetRouter (which has its own packet screening capabilities) is bundled free with WebDoubler. Both run on Macs.
Configuration -- Don't forget to configure your firewall! No matter how much it costs, a firewall can't help you unless you think about what you need to permit and exclude, then codify that in the firewall configuration. Since a firewall configuration is based on your IP numbers and the ports (services) you use, a generic configuration won't help. Before buying a firewall, look at a couple of configuration files. If they make sense to you, good. If you can't figure them out, you either need to read more or hire someone to do the configuration for you, and make sure they'll be available when you need to make changes.
First, make a list of all your internal services, then decide which the public and employees outside the intranet (satellite offices, travellers, people working from home, etc.) need to access. Firewall configuration often requires trade-offs - in blocking misuse of your systems, you may make some legitimate uses harder or even impossible.
Will people want access to their email? Are you confident about the security of your email server and its passwords, or are you better off providing external accounts for travelling users?
Can your Web server be configured to allow access to internal pages to anyone with an intranet IP address or who has a password? If so, you can set up an intranet Web site without setting up another Web server.
If you have a contingent of people outside the firewall who need full access to your intranet services, consider a Virtual Private Network (VPN) in conjunction with your firewall. VPN technologies encrypt all Internet traffic between your intranet and your remote users. VPNs make effective partners with firewalls, since you can allow VPN traffic through the firewall with confidence that only authorized users will have the VPN passwords and keys, and they can access all your services. This enables you to lock down much more on the firewall, since legitimate users gain access through the VPN.
Be sure to turn on any packet forgery and malformed-packet filters in the firewall - such packets can cause stability and security problems. Be sure to log rejected packets - if your firewall blocks an attack but you don't know about it, the attackers can keep trying until they get through.
Before setting up your firewall, think carefully about what should be outside and what should be inside. Since Web servers primarily serve the public, it might make sense to put them outside the firewall, perhaps even at your ISP. This may make your site faster for visitors and ensures that public access to your Web server doesn't become a beachhead into your internal security. ClearWay's FireSite manages such external Web servers, and provides most of the benefits of an internal Web server in terms of flexibility, logging, and customization. FTP servers raise the same question.
Buying a Firewall -- Before you buy a firewall, find out what capabilities your routers have. If your Internet router came with packet filtering capabilities, you may not need to buy anything else.
You can buy a hardware firewall from many of the same vendors who make routers, including Cisco and Compatible Systems. Several companies also make software firewalls for Unix and Windows NT.
Fortunately, there are several Mac firewalls. IPNetRouter includes firewall functionality. Both Vicomsoft's Internet routers (Mac and Windows versions) include firewall functionality. Open Door Networks' DoorStop is a limited firewall - it protects only the machine on which it is running.
In the End -- If you have servers connected to the Internet, you should consider protecting them with a firewall. Fortunately, there are a plethora of options, some of which you may already own. Hopefully, you'll never be attacked, but there are nasty people out there. You owe it to yourself to think about network protection before someone else forces you to do so.
Configuring a firewall is a two-stage process. First think about how you use TCP/IP, and then balance the uses against the harm someone could do through subverting those facilities. If you plan well, your servers will be protected and your users may not even notice.
[Chris Pepper is webmaster and list manager for the National Audubon Society. This article was originally presented (in a highly abbreviated form) as part of a panel presentation at Macworld Expo SF '99.]