NCSA Firewall Policy Guide

Download PDF Version

GENERAL PREFACE

This document, the second edition of the NCSA Firewall Policy Guide was written by the NCSA's Director of Special Projects, Stephen Cobb, CISSP, as an educational publication. As with the first edition, you may, within certain limits, copy and distribute the document for educational purposes. The two main limits are that you may not charge a fee for distribution and the document must be reproduced in its entirety. For permission to use or distribute the document by any means or in any form not covered by this paragraph, please contact NCSA's Director of Education, Dr. Mich Kabay by e-mail or by conventional mail to the physical address at the end of the document. If you would like additional copies in booklet form, please order them through our catalog department.

Preface to Version 2
The second edition adds new material on Internet risks, firewall testing, and the need for firewalls and so-called SOHO users, that is, small office and home office users. This last addition arises, in part, from the regularity with which the question "What about when I surf the Internet from home?" comes up at firewall seminars and presentations. There is expanded discussion of the different types of firewall; we hope we have again avoided making any statements that might further fuel the war between the different vendor camps. In other words, this document does not claim that one technology is better than another. Instead, we defer to the results of the NCSA firewall certification program, which will tell you which firewalls meet the published security benchmark. These may be found on the NCSA Web site at www.ncsa.com.

Purpose and Permissions
The purpose of the NCSA Firewall Policy Guide is to promote a better understanding of firewalls among executives, information managers, system administrators, and MIS staff. It is not meant as a technical treatise for system engineers (but if you are one, you are certainly free to read it and send us any comments you may have -- addressed to mkabay@ncsa.com). By drawing upon a wide range of sources, documented in the Bibliography, this document aspires to serve not only as a starting place for people who need to learn about firewall technology, but also as a high-level guide to its deployment. This is a rapidly evolving area of information security, a field of activity which is itself undergoing a massive transformation. We hope that feedback from the publication of this second version of the NCSA Firewall Policy Guide will lead to further revisions that are more accurate and more helpful.

Acknowledgements
As in the first edition, we wish to express our thanks to the many pioneers in this field, many of whose names appear in the Bibliography, for both their ground-breaking work and their open sharing of insights and knowledge, which are helping people around to create safer means of sharing the information which they want to share, and stronger protection for that which they don't. We particularly want to thank the National Institute of Standard and Technology (NIST) for producing the excellent Keeping Your Site Comfortably Secure document, upon which we have drawn freely in this guide. Another very helpful document was the Firewall FAQ maintained by firewall pioneer Marcus Ranum, Chief Scientist, V-ONE Corporation. We also appreciate the assistance provided by member companies of the Firewall Product Developers' Consortium (FWPD) who provided white papers, research reports, and many other documents that were helpful in creating this guide. Members of NCSA's Laboratory and Research groups contributed, notably Director of Education, Dr. Mich Kabay, CISSP; Director of Research David Kennedy, CISSP; and Lab Manager, Jon McCown, who provided the new section on firewall testing.

Note: When this report mentions specific vendors and commercial products, the presence or absence of a particular trade or product name does not imply endorsement or criticism by NCSA. Also note that NCSA is a registered trademark of the National Computer Security Association. All other products or services mentioned herein are trademarks or registered trademarks of their respective owners.
 

Outline

The guide is divided into eight parts:
1. Introduction
2. Defining Terms
3. Policy as the Key
4. Policy In Practice
5. Specifying & Procuring a Firewall
6. Firewall Testing
7. Other Issues
8. References/Bibliography/Glossary
 

1. INTRODUCTION
 

The Internet, the global network of computers that is the basis for universal electronic mail, the World Wide Web, and numerous forms of electronic commerce, has variously been described as bigger than the personal computer, more significant than the printing press, and as revolutionary as the discovery of fire. These days, the computer section of every book store is crammed with Internet titles. Every new movie has a Web site. Billboards and advertisements without URLs are becoming the exception.

Yet firewalls, which are designed to control the flow of information between two networks, were being developed even before the world at large had heard of "The Internet". Indeed, common sense says you should consider using a firewall whenever you internetwork. This term refers to the process of connecting two networks together. The result is referred to as an "internet" without the capital 'I.' Typically, we reserve the term "Internet" for the TCP/IP-based descendant of ARPAnet's marriage to CSnet in 1982, now serving tens of millions of users via hundreds of thousands of host machines.

Internetworking
For computers to successfully communicate with each other, they have to follow standards and observe rules or protocols. TCP/IP stands for Transmission Control Protocol/Internet Protocol, the fundamental protocol of the Internet. Although initial development of TCP/IP occurred within a defense and government environment, it is important to note that it was designed to be reliable, not secure. The intent was to develop a protocol that is good at getting information to its destination, even if different parts of the information have to travel different paths. However, because this development took place within an environment of trust, with a relatively small number of participants, many of whom were known to each other, security of the data in transit, or the internetwork connections which it traversed, was not a major concern.

Now the Internet has become global, with tens of millions of users, almost all of whom are completely unknown to you. So it is no longer wise to trust other computers or users on the Internet. But the Internet is not the only place you will find "untrusted" computers. Think about any network that you do not manage or control. To what extent can you trust it? Do you really want to connect it to your network without any way of controlling the traffic between the two? These days, whenever you connect your trusted network to someone else's untrusted network, it is wise to place a firewall of some kind between the two. This helps you keep insiders in and outsiders out. For example, firewalls would be appropriate at points C and D in Figure 1, but may not be needed at points A and B.

Figure 1: The placement of firewalls

The idea is not to cut off communication at these points, but to control it. This means controlling which users can data pass between the networks on either side of the firewall as well the types of data they are allowed to exchange. These principles apply at all levels of internetworking, from small offices to corporate offices, from a couple of interconnected LANs to corporate WANs, from Web surfing machines to electronic commerce servers.

Internet Risks
So what risks do you face when connecting networks to each other or the Internet? A recent Ernst & Young survey found that four out of five large organizations (those with more than 2,500 employees) are running mission-critical applications on local area networks. Those LANs, and the vital information they are processing, are increasingly threatened by internetwork connections. For example, when NCSA studied a profile group of 61 large organizations they reported 142 separate security breach and system hacking encounters in the last three months. IP spoofing, which can be used to gain widespread access to an internal network, accounted for 49 of these encounters. Yet a recent Corporate Information Technology Policies Survey conducted by the Chicago-based information technology law firm of Gordon & Glickson revealed that less than half of respondents performed routine security checks. Only 44% had the ability to track access to sensitive data and only one third used any form of encryption.

At the same time 98% of these same companies provide access to the Internet to some employees, 97% provide remote access to corporate networks, 61% host their own Web site, and 9 out of 10 permit some level of access to commercial on-line services such as CompuServe. To this recipe for disaster you can add another ingredient: the way that people in the Gordon & Glickson survey dealt with access to the Internet. While 75% say they would like to restrict access to some parts of the Internet, only 62% had policies governing Internet access, 42% did not monitor employee Internet use and only 30% actually applied access controls. Furthermore, fewer than two out of five respondents said they imposed restrictions on downloading files from third parties. No wonder that one out of six surveyed corporations reported experiencing damage associated with Internet usage by employees (one in eight reported legal claims arising from the use of information technology by an employee).

The risks related to using the Internet range from public embarrassment, when a Web site is defaced (as happened to the U.S. Department of Justice and the Central Intelligence Agency in 1996) or internal correspondence is revealed, to theft of trade or government secrets from a poorly protected internal network. Risks include coordinated and systematic abuse of computing resources, sometimes for mounting attacks on other sites [Stall95a]. Consider the findings of the United States General Accounting Office, which was asked by the Senate Committee on Governmental Affairs to report on the current vulnerability of Department of Defense non-classified computer systems. Here are some highlights:

"Unknown and unauthorized individuals are increasingly attacking and gaining access to highly sensitive unclassified information on the Department of Defense's computer systems....as many as 250,000 attacks last year...successful 65 percent of the time....At a minimum, these attacks are a multi-million dollar nuisance to Defense. At worst, they are a serious threat to national security. Attackers have seized control of entire Defense systems...stolen, modified, and destroyed data and software...installed unwanted files and "back doors" which circumvent normal system protection and allow attackers unauthorized access in the future. They have shut down and crashed entire systems and networks, denying service to users who depend on automated systems to help meet critical missions. Numerous Defense functions have been adversely affected, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll."

Whether it is viruses, Trojan horses, or penetration of internal networks, the most important factor affecting network security today is clearly the Internet. If your network is connected to the Internet you have a whole new set of problems, some of which make pre-existing problems worse. If your network is not connected to the Internet, you are most likely facing pressure to make that connection, even if it is merely a demand for electronic mail. The is pressure is so strong that some organizations find that they are already connected to the Internet even though upper management have not authorized any such connections.

Connecting to the Internet is a bit like opening the shades on the office windows and letting in the full glare of the midday sun. Problems with network security that were previously invisible are thrown into sharp contrast. Unprotected guest accounts and obvious passwords might not have been much of a problem when your network was only visible to insiders. But if people manage to penetrate your network from the outside (something experienced by at least one out of every six respondents in several recent surveys) you can bet these weaknesses will be exploited. And news of such vulnerabilities can spread through "the underground" at the speed of electrons, leading to rapidly escalating attacks and system abuse.

Such incidents represent more than kids getting their kicks with modems. Systematic and automated probing of new Internet connections is being carried out by a shady cast of characters that includes hackers-for-hire, information brokers, and foreign governments. One in five companies responding to the annual Information Week/Ernst & Young Security Survey admitted that intruders had broken into, or had tried to break into, their corporate networks, via the Internet, during the preceding twelve months [Info]. And most experts agree that the majority of break-ins go undetected. For example, attacks by the Defense Information Systems Agency (DISA) on 38,000 Department of Defense computer systems had an 88% success rate but were detected by less that one in twenty of the target organizations. Of those organizations, only five5% actually reacted to the attack [Wash]. The bottomline is that when you connect your network to another network, bad things can happen.

Internetwork Protection
Firewalls come into the picture when any of the networks that you are internetworking are untrusted. The Internet is always assumed to be untrusted, but experience tells us that we really shouldn't trust any network, even ones within our own company, unless we have full assurance of their security status. In other words, if you are responsible for the company's sales and marketing network you shouldn't just assume that the company's production and inventory network is trustworthy, at least not without some fairly strong assurances. Besides, can you really trust, or do you even know about, all of the other networks that are connected to the production and inventory network? This might sound paranoid, but that doesn't mean it is unreasonable. An analogy might be a floppy disk handed to you by a colleague. Even though you are assured it is virus-free, prudence dictates that you scan it for viruses anyway.

So firewalls should be considered whenever you connect trusted networks to untrusted networks. This means they are sometimes appropriate within an organization, for example to control access between segments of a wide area network, but they are almost always appropriate when you connect a company network to the Internet. In a moment we will discuss how firewalls work and the role they play in internetwork security.

Firewall Limitations
Information security professionals often find themselves working against misconceptions and popular opinions formed from incomplete data. Some of these opinions spring more from hope than fact, such as the idea that internal network security problems can be solved simply by deploying a firewall. It is true firewalls deserve to be near the top of the agenda for organizations who have, or are thinking about creating, a connection between their network and another network. However, firewalls are not the whole answer.

For a start, firewalls are not the answer to attacks behind the firewall. The nature of firewall protection is perimeter defense [Amor]. Firewalls are not general-purpose access control systems and they are not designed to control insiders abusing authorized access behind the firewall. Information security surveys consistently report that more than half of all incidents are insider attacks (many seasoned security professionals refer to the 80/20 rule to describe the relative probability that a problem was caused by insiders as opposed to outsiders).

Firewalls are not a solution to the malicious code problem. There are two parts to this problem, viruses, self-replicating code that can cause considerable disruption on networks as well as individual workstations, and Trojan horses, programs pretending to be something they are not, such as "password sniffers." To put this problem in perspective, the 1997 NCSA Virus Study reports that virtually all North American companies and large organizations have experienced virus infections. Some 90% of organizations with more than 500 PCs experience, on average, at least one virus incident per month. The cost of incidents averages over $8,000 and can run as high as $100,000, with survey results indicating that the problem is getting worse rather than better. New types of viruses which use macro languages are spreading through shared documents, not programs. They can travel over the Internet or through the World Wide Web as e-mail attachments. The Web itself is a source of virus programs, which can be downloaded from a number of sites. An additional complication is that many naïve users allow their e-mail program or their operating systems to load and interpret e-mail attachments such as MS-Word documents or HTML files without scanning for harmful code. The Web is also a potential path for Trojan code (e.g., Java applets or ActiveX controls), which is a potentially serious problem for distributed application technologies.

Some firewalls can be configured to check incoming code for signs of viruses and Trojan horses; however, defenses, while helpful, are not foolproof. As far as Trojan code is concerned, current defenses are essentially limited to barring known programs, which leaves a big gap through which new Trojan programs may slip. Furthermore, firewalls can only be expected to address one aspect of the malicious-code problem. Many virus infections still occur because people have introduced infected disks into the network. A typical example is the traveling salesperson who returns with an infected laptop which is then attached to the network and infects it. Another classic is the maintenance engineer who uses an infected disk to test machines. Proper anti-virus policies and procedures can reduce these risks, but virus-scanning firewalls are only part of the answer.

Another fact lost in the hyperbole about the Internet is that many of the hacking incidents reported by the media have very little to do with the Internet itself. Indeed, one of the most widely used hacking techniques is social engineering, which essentially means tricking someone, either in person or over the telephone, into revealing something like their network password. And even though many companies now have an Internet connection, phone lines intended for data, such as remote maintenance lines and field office access lines, are still popular as means of gaining access to internal systems.

In other words, efforts to protect data from Internet threats should not take place in a vacuum. It must be stressed there is little point installing a firewall if you haven't addressed the infosec basics, like classifying and labeling data according to its sensitivity, password protecting workstations, enforcing anti-virus policies, and tracking removable media. One effect of the Internet phenomenon has been to hold up a mirror to internal networks. What a lot of companies see is not pretty. The problem of securing desktop PCs was not adequately addressed before we cabled, some might say cobbled, them together to form local area networks (LANs). The problem of securing LANs was not solved before they became wide area networks (WANs). These facts come back to haunt us as we rush toward GANs or global area networks [Eward].

Other Internet Problems
Another oft-neglected security-related Internet fact is that nobody owns the Internet. While the lack of ownership is sometimes mentioned in articles about the Internet, the implications for security, which are both positive as well as negative, are seldom highlighted. The most obvious negative implication is that the Internet includes some wild and lawless places. Traditionally a playground for hackers, the Internet has no central authority. Despite recent rumblings about "cyber-cops" from the U.S. Department of Justice, there is currently no Internet police force and we are not likely to see one. The trans-national nature of the Internet alone makes any such attempts at policing problematic at best.

Ironically, this very lack of ownership has resulted in a growing awareness of security. Because nobody owns the Internet, nobody is obliged to minimize the risks associated with using it. Not so long ago, mainframe makers assured users that their systems were safe and secure behind locked doors. When personal computers first started appearing on corporate desktops they were blasted as a security risk by some purveyors of big iron, but soon these vendors were talking up their own PCs and talking less about security. The trend continued as PCs came together as LANs.

With the exception of a few vendors selling security products, the lack of talk about security persisted during the aggregation of LANs into WANs and the enormous marketing push towards client/server solutions. But when you start talking about the transition from WANs to Internet-based GANs, the lack of security is well documented. We now hear major hardware and software vendors talking publicly about Internet risks as they market their security solutions, no longer obliged to overlook security issues. The potential benefits of using the public Internet rather than dedicated private networks are so financially compelling that few organizations feel they can afford to turn their back on the Internet just because it is inherently insecure.