Firewalls, Part I
Stuck behind the corporate firewall with your Macintosh? Part I of this two-part article introduces firewalls and describes common firewall configurations. Part II explains how to access the Internet from behind a firewall with your favorite Mac Internet applications, and how to safely access your internal networks from the Internet.
What is a firewall? A firewall is a collection of components (not necessarily a single computer, although a single computer is not an uncommon configuration) that protects your company’s internal networks from attacks from the Internet. A firewall acts as a choke-point through which all traffic to and from the Internet must pass; it determines which types of traffic are allowed between the Internet and the internal network, which types are not, and in which directions a given type of traffic may flow. A firewall makes it easier to protect internal networks, as it represents a single point of exposure – a single machine can be secured more easily than an entire network, and having all traffic pass through a single point makes it easy to maintain audit trails of traffic to and from the Internet.
Who needs a firewall? A single Macintosh accessing the Internet via a dialup PPP connection to a service provider need not hide behind a firewall. Compared to Unix workstations, Macs are safer to expose to the Internet, because they run few, if any, TCP/IP-based daemons (this assumes your Internet connection does not route AppleTalk). If you run any MacTCP daemons (such as Peter Lewis’s just-updated FTPd 2.3.0), you must make sure the access you allow does not permit a malicious intruder to damage your system.
Once you have more than a few machines, or if you have a variety of machines running on a private network, it makes sense to protect a company’s assets by installing a firewall between the network and the Internet. A firewall is cheaper and more efficient than securing every computer on a network, and many computers become much less usable when configured for high levels of security. Where I work, we have over one hundred Unix workstations, Macs, and PCs. The decision was easy: we could not connect our networks to the Internet until we had a good firewall in place.
Keep in mind that a firewall is just one part of a comprehensive computer security plan. A firewall cannot protect you against a disgruntled employee walking off with a DAT full of the "corporate jewels," nor can it check for the presence of computer viruses in programs retrieved via FTP.
What do common firewalls look like? One of the most common firewall components is the packet screening router, such as a Cisco 7000 or Livingston IRX router with packet filtering enabled. Packet filtering uses a set of rules to determine what type of traffic can pass through the router. Rules are generally based on destination address, port (see the note on ports at the end of this article), and source address. A completely made up example of a rule is:
    operation   src addr   dst addr   dst port
    ----------------------------------------------
    permit      *          mailhub    smtp
    deny        *          *          smtp
This fictitious rule set permits any Internet host to send mail to your mailhub machine, but prevents mail from being sent directly to any other address on the protected network. Packet screening routers have the advantage of being configurable to allow almost any kind of traffic to pass, but typically they cannot maintain detailed audit trails, and they sometimes require you to leave more "holes" in your firewall than you would like. Only a few packet screening routers (such as Firewall 1 from Checkpoint) do not have these problems. Packet screening routers are usually not used alone; instead, they are used in conjunction with other firewall components, such as a bastion host (a highly secure machine on your network). Filtering can be set up on the router so the outside world can only talk to the bastion host, but not to any other machines on the protected network.
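To make the rule table concrete, here is an added example (not code from the article or from any router vendor) of a minimal first-match packet filter that evaluates the two fictitious rules above and records each decision, the kind of audit trail the article says screening routers usually lack. Host and service tables, and the documentation-range IP addresses, are assumptions for illustration; it also shows that a packet matching no rule is denied and that swapping the two rules changes the outcome, since evaluation stops at the first match.

```python
# Added example (not from the article): a first-match packet filter applying
# the article's fictitious "permit * mailhub smtp / deny * * smtp" rule set.
from dataclasses import dataclass

# Well-known ports named in the article (mapping constructed for convenience).
SERVICES = {"smtp": 25, "telnet": 23, "ftp": 21, "nntp": 119, "gopher": 70}

# Hostnames assumed for illustration; 'mailhub' is the article's example host.
HOSTS = {"mailhub": "192.0.2.25"}  # RFC 5737 documentation address

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "*" or a hostname/IP
    dst: str      # "*" or a hostname/IP
    dport: str    # "*" or a service name

def _match(pattern, value, table):
    """A field matches if the pattern is the wildcard or resolves to the value."""
    return pattern == "*" or table.get(pattern, pattern) == value

def filter_packet(rules, src_ip, dst_ip, dst_port, log=None):
    """Return 'permit' or 'deny' using first-match semantics; a packet that
    matches no rule is denied (the safe default). Each decision is logged."""
    decision = "deny"
    for r in rules:
        if (_match(r.src, src_ip, HOSTS) and _match(r.dst, dst_ip, HOSTS)
                and _match(r.dport, dst_port, SERVICES)):
            decision = r.action
            break
    if log is not None:
        log.append(f"{decision} {src_ip}->{dst_ip}:{dst_port}")
    return decision

# The article's rule set: anyone may reach mailhub on SMTP, nothing else on SMTP.
RULES = [Rule("permit", "*", "mailhub", "smtp"), Rule("deny", "*", "*", "smtp")]

if __name__ == "__main__":
    audit = []
    for pkt in [("203.0.113.7", "192.0.2.25", 25),   # SMTP to mailhub: permit
                ("203.0.113.7", "192.0.2.30", 25),   # SMTP elsewhere: deny
                ("203.0.113.7", "192.0.2.30", 23)]:  # telnet, no rule: deny
        filter_packet(RULES, *pkt, log=audit)
    print("\n".join(audit))
```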
Another common firewall component is the application-level gateway, such as Gauntlet from Trusted Information Systems, or their freely available Firewall Toolkit running on a dual-homed gateway (a computer with two network interfaces, with forwarding between the two interfaces disabled for use in a firewall application). Application-level gateways are application-specific programs which act as proxies, forwarding traffic through the firewall for a specific protocol. A separate proxy is required for each supported protocol (FTP, Telnet, HTTP, Gopher, and so on).
Some of the simpler protocols, such as NNTP and AOL’s Internet access (see the note at the end of this article), can be proxied with a "generic" gateway. Application proxies offer excellent security: the firewall itself blocks all direct traffic, only the proxies forward anything, and since they are application-specific, they understand the traffic that passes through them and can create detailed audit trails of the traffic they pass. The big disadvantage is that a separate proxy must be written for each supported program, and writing a proxy requires detailed knowledge of the protocol used in each application.
The third common firewall component is the circuit-level gateway. The most popular example of this is the SOCKS package, originally written by David Koblas, now maintained by Ying-Da Lee of NEC. Circuit-level gateways have the disadvantage that the application generally must be recompiled to use the gateway (a shared library implementation of the SOCKS client library has been developed for some versions of Unix, removing the need for recompilation on some platforms). Recompiling is typically not a problem in the Unix world, as almost everyone has a compiler and access to the source code of the client they want to "socksify," but recompiling poses a significant problem in the Macintosh world – even if you have the source code, the SOCKS client library is in the form of replacement functions for the BSD socket interface, so it isn’t directly usable on the Macintosh. The advantage of a circuit-level gateway is that you can support just about any program which uses TCP with just a recompile, and your firewall can block all traffic. The SOCKS daemon runs on the firewall to gateway traffic through it.
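The following is an added example (not the article's code, nor the SOCKS package itself) of the SOCKS version 4 CONNECT exchange: the request a socksified client library sends in place of a direct connect(), and the decision a daemon on the firewall makes before relaying the circuit. The allowed-port policy, the user name and the destination address are assumptions constructed for illustration; the byte layout is the SOCKS4 wire format.

```python
# Added example (not from the article or the SOCKS package): the SOCKS4
# CONNECT request/reply that passes between a socksified client and the
# daemon on the firewall, with an assumed port-based policy on the daemon side.
import socket
import struct

GRANTED, REJECTED = 90, 91          # SOCKS4 reply codes

def build_connect_request(dst_ip: str, dst_port: int, userid: str) -> bytes:
    """Client side: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", 4, 1, dst_port,
                       socket.inet_aton(dst_ip)) + userid.encode() + b"\x00"

def parse_connect_request(data: bytes):
    """Daemon side: decode the request, rejecting anything malformed."""
    if len(data) < 9 or b"\x00" not in data[8:]:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    userid = data[8:data.index(b"\x00", 8)].decode()
    return socket.inet_ntoa(ip), port, userid

def sockd_decide(data: bytes, allowed_ports) -> bytes:
    """Assumed gateway policy: relay only to the listed destination ports.
    The reply is VN=0, CD=90 (granted) or 91 (rejected), then port and IP."""
    try:
        ip, port, _user = parse_connect_request(data)
    except ValueError:
        return struct.pack("!BBH4s", 0, REJECTED, 0, b"\x00" * 4)
    code = GRANTED if port in allowed_ports else REJECTED
    return struct.pack("!BBH4s", 0, code, port, socket.inet_aton(ip))

def reply_code(reply: bytes) -> int:
    return reply[1]

if __name__ == "__main__":
    # Constructed: an inside user "sal" asks the gateway for FTP (21) and Telnet (23);
    # the daemon has been told to relay only FTP and HTTP.
    for port in (21, 23):
        req = build_connect_request("203.0.113.10", port, "sal")
        print(port, reply_code(sockd_decide(req, allowed_ports={21, 80})))
```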
Which services do I not need to worry about? Typically, you need not worry about email or Usenet news. This is because most network administrators will have set up a way to pass SMTP and NNTP traffic through the firewall to their internal mail and news hubs, and your Mac simply talks to the local SMTP, POP, and NNTP servers on the inside of the firewall. To access one of these servers on the other side of the firewall, you must talk to your network manager.
In Part II, I plan to discuss how to get popular MacTCP applications to work through a firewall, both from the inside out, and the outside in.
Note on ports: A port is a 16-bit number used by TCP/IP to identify a network service. Servers are normally found at "well-known" port numbers. For example, an SMTP (Simple Mail Transfer Protocol) server (typically Unix sendmail) listens at TCP port number 25. Other services with well-known ports are Telnet, FTP, NNTP (Usenet news), and Gopher.
Note on AOL: AOL’s Internet access uses TCP port number 5190 on host <americaonline.aol.com>. You can redirect the AOL software to a proxy server on your firewall by editing one of the CCL scripts which comes with the AOL software.