With new connections to the Internet appearing at the
rate of 1 million per month, internetworking may be the biggest revolution
in computing since personal computers. But changes of this magnitude
often create problems. It's no secret that the rate at which Internet
connections are being hacked, cracked, or otherwise compromised is also
growing at an alarming rate.
That has caused many companies to look to Internet firewall
technology to protect their network resources. However, many companies,
when searching for solutions, are finding that they are stymied by a
lack of common definitions for key firewall functions. This makes it
difficult to tell what functions you are paying for and makes comparisons
of similar products impossible.
The National Computer Security Association (NCSA), an
independent security association, is trying to bring some order to the
confusion created by marketing hype. The NCSA has formed a group called
the Firewall Product Developers' (FWPD) consortium. It brings together
leading vendors of firewall products in an effort to address such common
issues as customer education, standards, product testing, research,
and certification.
The FWPD consortium is similar in structure to the Anti-Virus
Product Developers' (AVPD) consortium, which was founded by the NCSA
in 1991. That group, which included virtually all the major antivirus
product vendors, helped clear up the confusion in the antivirus market.
For example, the AVPD consortium agreed to use a common naming scheme
for viruses. All vendors counted the number of viruses their products
detected in the same way, letting customers easily compare products.
The FWPD consortium seeks to do the same thing for firewalls.
Meeting a Need
The demand for good Internet firewalls is spurred by
the growing number of intrusion incidents. The number of violations
reported to the Computer Emergency Response Team (CERT) in 1990 was
130. That number increased to 2300 in 1994.
People involved in these incidents are not just kids
getting their kicks with modems. Systematic and automated probing of
new Internet connections is being carried out by a shady cast of characters
that includes hackers-for-hire, information brokers, and foreign governments.
Katherine Hutchison, director of secure business for Harris Computer
Systems, points out that computer crackers gained unauthorized access
through the Internet in more than 80 percent of the computer crimes
investigated by the FBI.
Fortunately, network administrators can avail themselves
of some effective countermeasures, notably firewalls. A firewall can
be defined as a collection of systems, routers, and policy placed at
a site's central connection to a network. This definition comes from
the paper "Keeping Your Site Comfortably Secure," an excellent
introduction to Internet firewalls from the National Institute of Standards
and Technology (NIST Special Publication 800-10). It can be downloaded
free of charge from the NIST World Wide Web site (http://www.nist.gov),
as well as from sources such as the NCSA InfoSecurity Forum on CompuServe
(type GO NCSA to get to the forum).
According to Rich Kosinski, president of Internet Security
(Lexington, MA), a firewall is a form of access-control technology that
prevents unauthorized access to information resources by placing a barrier
between an organization's network and an unsecured network (see the
figure "What Is a Real Firewall?"). You can also use a firewall
to prevent the unauthorized export of proprietary information from a
corporate network. In other words, a firewall functions as a gateway,
controlling traffic in both directions.
The Firewall Dilemma
Firewalls have been called condoms for corporate networks.
They provide digital protection for participants in the packet-level
intercourse associated with the rapid growth of internetworking and
commercialization of the Internet. As with condoms, many people have
heard of firewalls, and some people use them. However, the number of
security incidents arising from Internet connections strongly suggests
that not enough people are using them properly.
You might think this is a no-brainer: If you can't make
a safe connection to the Internet without a firewall, you get one or
you don't connect. But both of these options are fraught with problems.
The current level of information-superhighway hype is so intense that
network managers who don't provide users with Internet services are
likely to find users doing it for themselves.
"Users buy a $100 modem with petty cash, plug it
into a PC on the network, and, since our machines are already running
TCP/IP, just turn on SLIP or PPP and dial out to a local service provider,"
says one network manager (who preferred to remain anonymous) at a major
automobile plant. "What these users don't realize is, they have
just made the company network part of the Internet."
If you decide to take the preferred approach, an officially
sanctioned and properly managed Internet connection, you will find that
installing a firewall is several orders of complexity beyond plugging
in a modem or configuring NetWare directory access rights. For a start,
you have to decide whether to build your own firewall (perhaps using
a router and one of the available toolkits), buy an off-the-shelf product,
or budget for a specialized firewall consultancy.
Next, you have to decide what type of firewall you want.
Do you want a packet filtering router, a dual-homed gateway, a screened
or bastion host, or a screened subnetwork? Do you want to integrate
a modem pool while you're at it? Are you going to run the firewall
software on Unix or under Windows NT? What sort of access controls will
you place on the host to prevent internal tampering with the firewall
settings?
When you look at the current offerings in the marketplace,
you see a wide range of prices, from tens of thousands of dollars down
to a few hundred dollars. You may wonder what could possibly make the
top-end product worth so much more than the bottom-end product. This
is where customer education is critical. Most vendors will gladly supply
you with white papers and briefings, point you to Web sites, and otherwise
assist you in understanding their product.
However, you may well discover that one vendor's definitions
are not consistent with another's. That can cause much confusion. In
fact, the lack of a standard terminology with which to describe this
rapidly evolving technology means that you will probably have difficulty
reaching the decisions required to successfully implement a firewall,
causing further delays.
Unfortunately, the lack of a common vocabulary, combined
with the urgent need for protection, is being exploited by unscrupulous
vendors. Some vendors have slapped the word firewall on products that
do not measure up to the NIST definition given earlier. If a firewall
is not installed properly, it could be worse than not having one due
to a false sense of security.
Some Relief in Sight
This is where the FWPD consortium comes in. It was formed
in June by a group of vendors and several security agencies (see the
table). The FWPD wants to foster codes of practice for the industry.
"The FWPD will promote awareness and understanding of firewalls,
explore product certification and testing, and serve as an authoritative
but independent contact point for inquiries about firewall technology,"
says Peter Tippett, president of the NCSA.
Tippett describes the public information role as countering
the media hype and being the voice of calm. To provide the necessary
depth of knowledge in firewall technology, the NCSA has formed a strategic
partnership with Marcus Ranum. Head of Information Works, Ranum is well
known for his seminal 1992 paper "Thinking About Firewalls."
Ranum also designed the TIS Internet Firewall Toolkit, which forms the
basis of more than a dozen commercial products.
Noting that many firewall product descriptions use similar
jargon in dissimilar ways, Ranum proposed, and the inaugural meeting
of the FWPD agreed, that the first order of business should be to develop
a common language for talking about firewalls. As a starting point,
Ranum presented a draft version of the Firewall Product Functional Summary,
a standardized format in which vendors can describe the distinguishing
features and advantages of their products. The Summary's second major
purpose is to give users a way to compare and contrast the features
and design principles of firewall products.
The goal of the Firewall Product Functional Summary is
to provide plenty of scope for vendors to present the strengths and
advantages of their particular offerings, but in a way that has some
real meaning to users. The document can be accessed via the Web at http://iwi.com
or by sending an E-mail message to firewall@ncsa.com.
Beyond Standards
The FWPD is not "yet another standards committee,"
says Bob Bales, executive director of the NCSA. Noting that the industry
already has appropriate committees, such as ANSI, for setting standards
in areas such as firewall-to-firewall encryption, Bales says that the
goals of the FWPD are more in the direction of customer education and
industry self-regulation.
"The bottom line is getting more people to use more
firewalls more effectively," says Bales. The formation of the FWPD
means that the people who need firewalls and the people who make them
will be able to work together more effectively to better defend the
network systems upon which we all increasingly rely.