Not everyone on the Internet is your friend. Malicious users known as "hackers" are using very sophisticated tools for gaining unauthorized access to computer systems. Often times, using these systems to attack others in the attempt at covering their tracks.

All of the information on or traveling through a system is insecure, once it has been compromised. Communication between other systems on the same network can also be monitored using "sniffer" programs. A program called a "Trojan Horse" can be installed that can trap and log user passwords. There are many other sneaky ways to break-in, steal information, and destroy or tamper with data.

The Computer Emergency Response Team (CERT) is an organization tasked with the responsibility of researching computer security related incidents and working with the appropriate manufacturers to fix vulnerabilities. They are also an excellent resource for gathering information and keeping up-to-date with issues pertaining to network security.

A firewall is a controlled access point between security domains, usually with different levels of trust. It can be a highly effective tool in implementing a network security policy if it is configured and maintained correctly.

An "intranet firewall" creates security domains within an organization. Possibly between finance, payroll, engineering, or other department with sensitive data. Intranet firewalls typically have a slightly more permissive security policy since it is not the front line of defense to the Internet, but have the requirement to run at LAN speeds that are much higher than typical WAN speeds.

Security is a compromise between the investment in resources and the risk of failure. Not everyone needs Fort Knox security; nobody can affort it. A detailed security policy takes into consideration what is being protected, what the associated risk is, what equipemnt and manpower are required to secure it effectively.

A lock on your front door can help to keep out burglars, however, a determined intruder will look for the easiest way in. An open window or doggie door are the next targets. If the contents are valuable enough, the expense of an alarm will be easily justified.

Computers with classified, life-threatening, or other highly sensitive data should not be connected to the Internet under any circumstances. No firewall can provide perfect and guaranteed security, and no compromise in security can be acceptable.

Ægis, when properly configured, provides very effective security for commercial and educational networks. The embedded operating system was designed to be the most secure, easy to use firewall available on the market today.

A complete security policy will reveal the areas of vulnerability and the appropriate equipment or actions to be taken to secure them. For additional information on defining and implementing a network security policy, please refer to the references listed.

Information Theft and Tampering:
Data theft and tampering do not always require that the system be compromised. There have been many bugs with FTP servers that allow attackers to download password files or upload trojan horses.

Denial of Service:
Any attack that keeps the intended user from being able to use the services provided by their servers is considered a denial of service attack. There are many types of denial of service attacks, and unfortunately are very difficult to defend against. "mail bombs" are one example in which an attacker repeatedly sends large mail files in the attempt at filling the servers disk filesystem thus preventing legitimate mail from being received.

Vandals:
A vandal is malicious. They break in to delete files or crash computer systems either because they don't like you, or because they enjoy destroying things. If a vandal breaks into your computer, you will know about it right away. Vandals may also steal secrets and post them to public bulitin boards.

Spies:
Spies are out to get secret information. It may be difficult to detect break-ins by spies since they will probably leave no trace if they get what they are looking for.

Host security is still very important within a security domain. The Internet firewall cannot protect against internally launched attacks. Intranet firewalls create separate security domains within an organization, thereby controlling access between departments.

• Specific source or destination IP addresses.
• Specific protocol types
• TCP flags set/clear in the packet header.

Packet filtering routers are not dynamic or stateful, which means that their filtering criteria does not change based on packets that have passed recently, or based on which side of the firewall the connection was initiated from. Forwarding decisions are made based only on field values from the specific packet in question, which is not sufficient to distinguish between welcome and unwelcome packets.

For useful sorts of filtering, access lists tend to be lengthy, quite complex and error-prone.

Although performance is not usually a problem in modern implementations, lengthy access lists can degrade throughput and increase latency. Since state is not kept in a packet filtering router, every packet through must be checked against the same access lists.

Packet filters can be very effective in completely blocking specific types of traffic, and for this reason are sometimes part of an overall firewall system. For example, telnet can easily be blocked by applying a filter to block TCP port 23 (telnet). The difficulty and complexity arises when the filtered protocol is allowed to some hosts, or for more complex protocols that specify return data ports dynamically.

A proxy server does not forward packets directly; rather, it acts as an endpoint for client connections from the protected net, and establishes independent connections to the ultimate destinations requested by the clients. The proxy server copies data in both directions to and from the client connection.

Although proxy servers offer more complete filtering than simple packet filters, they suffer several disadvantages:

First, clients on the protected network must be specially modified to implement the proxying protocol. This complicates the configuration and adds considerable network administration. Since they are application specific, only applications that have proxies will work.

Second, because proxy servers operate with a general-purpose operating system, they are vulnerable to whatever security problems that OS might have.

Finally, an OS-based system introduces significant procesing overhead, meaning that throughput degrades as the number of proxied connections goes up. Performance becomes a significant problem at link speeds now in common use for Internet connections.

Proxy severs introduce a lot of latency since two separate TCP connections must be established before any data can be transferred. New connections suffer a from a high connection setup time due to the "process" nature of a proxy. Each connection requires a separate process.

Stateful devices offer the sophisticated decision-making capabilities of proxy servers, yet operate much faster because they use a minimal implementation with no OS processing overhead.

Because stateful packet inspection is transparent, special proxy applications are not required. This reduces the load on the firewall and improves performance when the connection is destined for an internal host, since the firewall will not be involved. This is not the case when an application is configured to use a proxy server.

Performance is being driven by the latest Internet applications. Older applications like telnet and ftp are not as sensitive to long delays and lower throughput. There are fewer, long lived connections for a firewall to contend with.

The World-Wide-Web makes possible the generation of enormous amounts of traffic at the click of a mouse. This increased load is difficult for proxy servers to handle because of their inherent system overhead. Multimedia applications are beginning to appear and also present problems for older technology.

General purpose operating systems when used as the foundation for an Internet firewall are challenged with a difficult task: to provide a secure environment when installed as a firewall and to provide multiple services to client systems in a open environment when acting as a server. On an open system, dozens of files need to be modified and meticulously maintained to ensure a proper level of security. The OS also needs to be free from any CERT advisory bugs. This process is called "hardening" of the OS.

Another problem with general purpose operating systems is their size and complexity. All software has bugs. Large programs are more difficult to secure simply because of their complexity. A firewall with bugs is likely to have security holes.

A firewall is only as secure as its hardening. If an intruder finds a weakness in your firewall system and compromises its security, the entire network is at risk, and the application level firewall becomes useless.

Ægis is an application-specific device designed from the ground up to be secure. It is not hindered with the requirement to run a spreadsheet, database, or word processor. There is no underlying general-purpose operating system, or the risks inherent in complex OS-based systems.

There is no Application Programming Interface (API) to allow the execution of user programs, which means that it is completely invulnerable to viruses. Attacks on firewalls that attempt to read password files, or change system files that affect permissions are not possible; there are none. It is also invulnerable to "trojan horse" attacks that are common on systems with disk filesystems.

Out of the box, Ægis has a secure configuration. General purpose operating systems are quite the opposite. All services are allowed, and the user has to explicitly close everything up.

Stateful packet inspection is implemented by building a table that describes all connections through. Information stored in the connection table include the source and destination IP address, TCP or UDP port numbers, and the TCP sequence numbers. The first packet through creates the connection entry. All ubsequent packets are verified as being part of a valid connection, and the connection statistics are updated before forwarding the packet.

Access List parameters include:

• Source IP address/netmask
• Destination IP address/netmask
• IP protocol (TCP/UCP/ICMP)
• Destination port/service
• Action (allow/deny)

Note that access lists have little to do with security; it is a way to restrict inside users from accessing certain outside locations or services.

Exception List parameters include:

• Source IP address/netmask
• Destination IP address/netmask
• IP protocol (TCP/UCP/ICMP)
• Destination port/service
• Action (allow/deny)

Possible traps include certain IP options (source route, record route), TCP flag combinations, various ICMP types, etc.

It would be unsafe to permit inbound access for connections to arbitrary port numbers from a fixed source port, although this is exactly what plain packet filter systems do, because the source port number is easily spoofed.

Instead, Ægis scans outbound FTP control packets looking for FTP "PORT" commands, which specify parameters for the server-to-client data connection. A temporary inbound connection table entry is created to permit the return data connection and the entry is deleted as soon as the data transfer is complete.

Ægis secures UDP applications by tracking outbound (assumed) requests and allowing responses from the same server on the same port numbers for a programmable time interval. Once the pseudo-connection is opened, it remains open until an inactivity timer expires. Repeated UDP packets on the pseudo-connection that originate on the internal (protected) network will continue to restart the timer.

Access lists may be used to block any or all UDP applications.

Ægis is implemented on a specially-designed kernel; there is no underlying general-purpose operating system. Unnecessary network services are not present, and packets sent to such services on Ægis will be discarded and logged.

It is strongly recommended that you allow Telnet and HTTP access only from hosts that you trust and only on the inside interface. Ægis is password protected, but unauthorized users will not even receive a login prompt if management filters are configured to restrict access. Allowing ICMP echo from both interfaces is not a security risk, but is very useful in troubleshooting.

Firewalls and Internet Security - Repelling the Willy Hacker, by
William R. Cheswick and Steven M. Bellovin,
ISBN 0-201-63357-4, Addison Wesley

Building Internet Firewalls, by
Brent Chapman and Elizabeth D. Zwicky
ISBN 1-56592-124-0, O'Reilly & Associates, Inc.

Internet Firewalls and Network Security, by
Karanjit Siyan, Ph.D.
ISBN 1-56205-437-6, New Riders Publishing

Computer Emergency Response Team (CERT)
An online library of computer security related advisories. You can also receive advisories as they are announced by subscribing to the mailing list. To do so, send e-mail to [email protected] with "subscribe" in the header. A security checklist is available via anonymous FTP from info.cert.org:/pub/tech_tips/security_info

Firewalls Mailing List
A discussion group focused on the topic of Internet firewalls and Internet security. This mailing list has a very high volume of articles. Only recommended for those with serious interest. To subscribe, send e-mail to [email protected] with;

Replace <your-email> with your real email address.

A FAQ (Frequently Asked Questions) is available via anonymous FTP from ftp.greatcircle.com/pub/firewalls/FAQ