This column continues the question of how computers and security affect computer communications. SOHO (Small Office, Home Office) systems require as much security when communicating with other computers and the Internet as any corporate office does in today's broadband environment. All broadband connectivity provides a direct connection to the Internet, i.e., when the broadband TA (Terminal Adapter) and the computer are on, the system is connected to the outside world via the Internet protocols, and unauthorized users may take advantage of this without proper safeguards. This is a new development for the SOHO user, since an analog modem connection was open to the world only while the system was dialed in. Always-on direct connections raise the bar for protection against outside connectivity.
After the basic security measures have been completed, such as hardware being clean and locked down and data being backed up, the security of the outside connection must be addressed. This brings us to methods of stopping unauthorized persons from gaining access to our computer through its connections. We all know that the safest way to keep unauthorized persons out of our computer is to never connect it to the outside world. Since we also know that we will not be completely separate from that outside world, we need something between our computer and that world. FIREWALL technology provides one of those pieces of security that keep unauthorized persons from using our computer.
Firewalls are defined as systems, software or hardware based, that handle the approval or rejection of each connection attempt between our computer and the external world of computers. Firewalls are located at the gateways of your computer or network. They act as border guards for the computer or network, and they provide a centralized location for external security services. By their nature, firewalls create a chokepoint between the internal and external computers, as all traffic between them must pass through a single point of control. That is the point: traffic that bypasses the firewall (a modem that dials out on its own, for example) is not subject to its rules.
We need firewall technology because of the nature of the Internet protocols. Everything sent under the TCP/IP (Transmission Control Protocol / Internet Protocol) standard travels in the clear unless it is encrypted, so it is open to anyone scanning the data flow at nearly any point between the sender and the intended receiver. The security services provided by nearly all firewalls work through three fundamental methods of operation. There are also two other security services concerning encryption that are part of these systems, making five services in total. The fundamental methods are Packet Filtering, NAT (Network Address Translation), and Proxy Services. The encryption services are Encrypted Authentication and Encrypted Tunnels.
Packet Filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. Filters implemented inside routers or firewall computers prevent unwanted packets from reaching the computer or network, so that specific machines never see traffic they should not receive. Filters generally enforce a few basic rules. The first drops inbound connection attempts while allowing outbound connection attempts to go through. The second discards TCP packets bound for ports that should not be reachable from the Internet and allows packets for ports that should be. Filters can also direct a packet to exactly one server or machine by specifying the port for its intended use, and they can restrict inbound access to certain source IP ranges. Filters range from the simple to the very sophisticated; stateful filters track every connection and examine each packet against that state, looking for signs of hacking such as source routing, ICMP redirection, and IP spoofing.
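As an added illustration (this is example code written for this page, not part of the original column or of any firewall product), the following Python model shows the filter rules just described working together with connection state: outbound attempts are allowed and remembered, replies to them are let back in, inbound attempts are dropped unless they target an exposed service from a permitted source range, packets that match no state are dropped, and a packet arriving from the Internet with an internal or private source address is rejected as spoofed. The addresses, the exposed services, and the packet trace are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing for the example: the protected network is
# 198.51.100.0/24 (a documentation range); the firewall's outside
# interface is "ext" and its inside interface is "int".
INTERNAL_NET = ip_network("198.51.100.0/24")
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]
# Inbound services deliberately exposed: (proto, port) -> allowed source range.
INBOUND_ALLOW = {
    ("tcp", 80): ip_network("0.0.0.0/0"),        # public web server
    ("tcp", 22): ip_network("203.0.113.0/24"),   # hypothetical admin range
}


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


class StatefulFilter:
    """Packet filter that remembers which connections were permitted."""

    def __init__(self):
        # 5-tuples (proto, src, sport, dst, dport) of permitted connections
        self.flows = set()

    def decide(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)

        if p.iface == "int":
            # Outbound attempts are allowed; remember the flow so the reply
            # can come back in.
            self.flows.add(key)
            return "ACCEPT", "outbound"

        # Everything below handles packets arriving from the Internet.
        src = ip_address(p.src)
        if src in INTERNAL_NET or any(src in n for n in PRIVATE_NETS):
            # A packet from outside can never legitimately carry an internal
            # or private source address: IP spoofing.
            return "DROP", "spoofed source address on external interface"

        if key in self.flows or reverse in self.flows:
            return "ACCEPT", "part of an established connection"

        if p.proto == "tcp" and (not p.syn or p.ack):
            # Not a connection attempt and not part of any known flow:
            # typical of ACK scans or stale packets.
            return "DROP", "no matching connection state"

        allowed = INBOUND_ALLOW.get((p.proto, p.dport))
        if allowed is not None and src in allowed:
            self.flows.add(key)
            return "ACCEPT", "permitted inbound service"

        return "DROP", "inbound connection attempt"


def run_filter(packets):
    """Return (verdict, reason) for each packet in order, sharing one state table."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed trace (not a real capture) exercising each rule in turn.
SAMPLE_PACKETS = [
    Packet("int", "tcp", "198.51.100.10", 40000, "192.0.2.10", 443, syn=True),
    Packet("ext", "tcp", "192.0.2.10", 443, "198.51.100.10", 40000, syn=True, ack=True),
    Packet("ext", "tcp", "203.0.113.5", 55555, "198.51.100.2", 22, syn=True),
    Packet("ext", "tcp", "192.0.2.77", 4444, "198.51.100.2", 22, syn=True),
    Packet("ext", "tcp", "192.0.2.77", 4444, "198.51.100.2", 139, ack=True),
    Packet("ext", "tcp", "198.51.100.50", 1234, "198.51.100.2", 80, syn=True),
    Packet("ext", "udp", "192.0.2.77", 5353, "198.51.100.2", 137),
]

if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE_PACKETS, run_filter(SAMPLE_PACKETS)):
        print(f"{verdict:6} {p.iface} {p.proto} {p.src}:{p.sport} -> "
              f"{p.dst}:{p.dport}  ({why})")
```

The fourth packet is an SSH attempt from outside the admin range and is dropped even though port 22 is exposed; the fifth is a bare ACK to port 139 with no matching state, which a stateless filter keyed only on "established" flags would have let through.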
NAT translates the IP addresses of internal hosts to hide them from outside monitoring. NAT is also called IP masquerading, a method of hiding internal hosts. (A definition is needed here: in the Internet world, host is the term for any computer on the network, i.e., the computer being used.) The IP masquerading host makes requests to the outside world on behalf of all internal hosts in the network, which hides the other hosts' identities from the public network. NAT hides internal IP addresses by rewriting each host's source address to the address of the firewall. The firewall then retransmits the data from its own IP address, using the TCP or UDP port number to keep track of which connection on the public side belongs to which host on the private side. The Internet sees all traffic as coming from one computer. Address translation also allows the internal host or network to use any IP address range wanted on the internal network. The usual choice is one of the reserved private ranges, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16; these are not routed on the public Internet, so an outside host cannot address an internal machine directly even if it learns the internal address. NAT thus provides the ability to multiplex a single IP address across an entire network. This is usually done when the ISP dynamically assigns the IP address from upstream.
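The port-tracking mechanism described above, as an added worked example (written for this page, not code from the original column or from any product): two internal hosts that happen to pick the same source port for the same server are given distinct public-side ports, the server's replies are demultiplexed back to the right host by that port, and a packet from an outsider probing the public address directly has no mapping and is dropped. The public address, the internal addresses and the port pool are all hypothetical.

```python
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Source NAT with port translation, as on a SOHO firewall's outside interface."""

    def __init__(self, public_ip, first_port=30000):
        self.public_ip = public_ip           # address assigned by the ISP
        self.next_port = count(first_port)   # pool of public-side ports
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.outbound_map = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound_map = {}

    def outbound(self, p):
        """Rewrite a packet leaving the private network."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.outbound_map.get(key)
        if port is None:
            # First packet of a new connection: allocate a public port for it.
            port = next(self.next_port)
            self.outbound_map[key] = port
            self.inbound_map[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if p.dst != self.public_ip:
            return None
        inside = self.inbound_map.get((p.proto, p.dport, p.src, p.sport))
        if inside is None:
            # No internal host asked this remote endpoint for anything on this
            # port, so there is nowhere to deliver it: unsolicited traffic drops.
            return None
        return replace(p, dst=inside[0], dport=inside[1])


if __name__ == "__main__":
    nat = Masquerader("203.0.113.10")   # hypothetical ISP-assigned address
    # Two internal hosts use the same source port toward the same web server.
    a = nat.outbound(Packet("tcp", "192.168.0.2", 40000, "192.0.2.10", 80))
    b = nat.outbound(Packet("tcp", "192.168.0.3", 40000, "192.0.2.10", 80))
    print("outside sees", a, "and", b)
    # The server's replies come back to the public address and are demultiplexed.
    print("reply 1 ->", nat.inbound(Packet("tcp", "192.0.2.10", 80, "203.0.113.10", a.sport)))
    print("reply 2 ->", nat.inbound(Packet("tcp", "192.0.2.10", 80, "203.0.113.10", b.sport)))
    # An outsider probing the public address directly has no mapping.
    print("probe   ->", nat.inbound(Packet("tcp", "192.0.2.77", 4444, "203.0.113.10", 30000)))
```

Note that the reverse lookup includes the remote address and port, so even a guess at an in-use public port from a different remote endpoint is dropped; this is the "hiding" the column describes, and it is also why NAT alone cannot inspect what the permitted replies carry.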
The downside of NAT is that it works only at the IP and TCP/UDP level: it rewrites addresses and ports but does not inspect the data the packets carry. Unwanted content hidden in the packet payload, a Trojan Horse program sent by a hacker for example, can be delivered to the internal host without NAT noticing. Higher-level services such as proxies need to be used in addition to NAT.
Proxies make high-level application connections on behalf of internal hosts, which separates the internal network layer completely from the external hosts. Application-level proxies can prevent unwanted content hidden in traffic from being sent to the internal hosts. It is possible for hackers or other unauthorized persons to monitor traffic and determine that a firewall is translating IP addresses for other internal hosts, which can make it easier to take over an existing TCP/IP connection and spoof connections back through the firewall. Proxies stand in for outbound connection attempts to servers and hosts and then make the request to the actual target server or host. Application proxies do not have to run on the firewall; any internal host or server can act as the proxy server. Microsoft Proxy Server for Windows NT 4.0 is such a program. Some security proxies also act as filters as noted earlier, filtering first on IP addresses and then on TCP and UDP ports. Whenever possible, use proxy servers for all application protocols and consider disallowing services for which there is no proxy server.
Encrypted Authentication allows users on a public network to prove their identity to a firewall in order to gain access to the internal host computer or network. Encrypted authentication uses any of a number of secure authentication protocols. Once a connection has been made, it may or may not be encrypted, depending on the security product or firewall product in use. Once the connection has been opened, normal application software and operating system logon software will run without hindrance. Encrypted authentication may decrease the security of the firewall by introducing problems of its own, such as ports that must answer connection attempts from the outside, or redirection after authentication is established. An attacker who monitors the link continuously may be able to spoof or hijack an authenticated session. Lost or stolen laptop computers that carry the credentials for encrypted authentication can be used to gain access. Work-at-home users can become the target of break-ins, as they may be lax in their use of encrypted authentication.
Encrypted Tunnels establish secure connections between two private networks or hosts over a public medium such as the Internet. Encrypted tunnels are also called VPNs (Virtual Private Networks) and allow two physically separated networks or hosts to be connected securely. The connection does not expose data to monitoring in transit. When implemented as an integral part of a firewall, the firewall's authentication and security services are used to prevent exploitation while the tunnel is being established and used. Once established, the tunnel resists eavesdropping and tampering so long as the encryption and the two endpoints remain secure; a compromised host at either end reaches the other network through the tunnel just as legitimate traffic does. Since firewalls sit at the Internet borders, they are the natural terminal points for each end of the tunnel. The tunnel acts as a private subnetwork in the same domain even though it runs across a public medium. The Microsoft Point-to-Point Tunneling Protocol (PPTP) for Windows 98, Windows 2000, and NT provides such an encrypted tunnel, although weaknesses in its MS-CHAP authentication and MPPE encryption were published in 1998 and 1999, so a stronger tunnel protocol should be preferred where one is available.
Border security
Firewalls provide security at the borders of the internal (private) host or network. To obtain even the absolute minimum level of Internet security, the borders of the host or network must be controlled by firewalls performing all three of the basic firewall functions: packet filtering, NAT, and high-level service proxy. The firewall, whether software or hardware based, must do only firewall duties. Do not have it, especially a hardware firewall, performing other functions such as e-mail, Web server, or other public services.
Minimize all services running on the firewall, which reduces the chance that a bug in some service on the firewall machine opens a security hole. For example, in Microsoft NT none of the services in the Services control panel are needed for a computer running only as a firewall; turning them all off leaves them under manual control. In Linux systems, use only the packages that are required for the firewall, or select the “firewall” installation option if it is available. Do not run any of the services normally found on servers, such as HTTP, FTP, Telnet, Gopher, and mail, on the firewall machine. This rule is relaxed in the case of single hosts using a software firewall such as Zone Alarm or Norton Personal Firewall. Any high-level service running on the firewall machine can provide a hole that can be breached. Even turn off the firewall product's logon banners to keep the identity of the firewall secure.
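The check a practitioner runs to confirm the firewall machine really is stripped down is to list what it is listening on and compare that with the policy. The script below is an added example for this page (not from the original column): it parses the output of the Linux `ss -tuln` command, marks each listening socket as allowed by policy, bound to loopback only, or exposed, and exits non-zero if anything is exposed. The policy (only SSH permitted) and the sample `ss` output are constructed for the example.

```python
import sys

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Services the firewall machine may listen on: (proto, port).
# Hypothetical policy for the example: only SSH for remote administration.
ALLOWED = {("tcp", 22)}


def parse_ss(text):
    """Parse `ss -tuln` output into (proto, address, port) tuples."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue   # header or unrelated line
        local = fields[4]                      # e.g. 0.0.0.0:22 or [::]:22
        addr, _, port = local.rpartition(":")  # split on the last colon (IPv6 safe)
        sockets.append((fields[0], addr, int(port)))
    return sockets


def audit_listeners(text, allowed=ALLOWED):
    """Classify every listening socket; returns (all findings, exposed findings)."""
    findings = []
    for proto, addr, port in parse_ss(text):
        if (proto, port) in allowed:
            status = "allowed"
        elif addr in LOOPBACK:
            status = "loopback-only (not reachable from outside, but why is it running?)"
        else:
            status = "EXPOSED: service not in firewall policy"
        findings.append((proto, addr, port, status))
    exposed = [f for f in findings if f[3].startswith("EXPOSED")]
    return findings, exposed


# Constructed sample of `ss -tuln` output for a firewall host that has not
# been stripped down yet (not captured from a real machine).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:21         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

if __name__ == "__main__":
    # Pipe real output in (`ss -tuln | python3 audit.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    findings, exposed = audit_listeners(text)
    for proto, addr, port, status in findings:
        print(f"{proto}/{port:<5} {addr:<12} {status}")
    sys.exit(1 if exposed else 0)
```

On the sample the web, FTP and NTP listeners are flagged as exposed; the mail daemon bound to 127.0.0.1 is reported but not counted, since it is not reachable from the Internet, though by the column's rule it should still be removed from a dedicated firewall.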
Establish a firewall policy, whether for yourself as a single host or as a network administrator. The policy should name a single point of contact, and the firewall machine should have a single point of administration.
There is a misconception that a firewall has to be based on the same operating system as the network or hosts: UNIX firewalls for UNIX-based hosts or networks and NT firewalls for Windows NT-based hosts or networks. The firewall operating system can be different from the network or host operating system. There is, for example, a very good Linux-based hardware firewall that uses a 486-class processor, 16 MB RAM, two NICs and a floppy drive, and it can be used with Windows-based operating systems. Remember that firewalls filter TCP/IP traffic, which both operating systems speak.
Once the firewall is established, it should run without problem, needing only minor tweaks to clean up the security policy and to accommodate changes in work habits. The second most important thing to remember about firewalls is that they should be familiar to the administrator or home user. Know the configuration sequence or routine. Most Windows NT-based firewalls are easier to set up than UNIX firewalls.
Problems firewalls cannot solve
Any host or network connected to the Internet cannot be made completely secure. Firewalls will keep most unauthorized users from your private data, but there are so many different ways to exploit connections that no method is entirely secure. Many users mistakenly assume that once the firewall is online, the security problem is gone. This is not the case at all.
Forged e-mail addresses cannot be stopped. The operating system and the firewall can only respond to this type of attack; the firewall cannot tell that a Reply-To header is forged if it names a previously valid e-mail address. Modems provide a hidden threat to the host or network through “hidden border crossings” that go around the firewall. Modems give users the means to dial out to the Internet on their own, bypassing the firewall, and the ISP connection of a host using a modem may be accessible to unauthorized users, who can exploit that modem breach in the firewall. Finally, most users do not realize that every IP connection is a security risk. The PPP dial-up modem software in the operating system is bi-directional and can be exploited. The more connections to the Internet, the greater the risk of being breached.
Conclusion
In today's connectivity environment, firewalls are one more necessary piece of the security system to be understood. This column is intended as a basic background introduction to firewalls. Future columns will cover specific hardware and software firewalls.