Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

The Role of the Firewall in Traditional Security

Can anything be done to improve network security? Sure. First, think about the problem abstractly. Security is based on a security model. The model defines subjects, objects, and access control rules. Supporting facilities, such as auditing, assist in implementing security. The problems mentioned here can be put into three categories:

  I&A
  Access control
  Protocol design

Firewalls are the most widely known commercial tools for improving upon weaknesses due to the first two items (Chapman and Zwicky, 1995; Cheswick and Bellovin, 1994). Protocol design problems are not solved by off-the-shelf products. You cannot easily find a product that will safely design your client-server protocols to be resistant to attacks. By using commercially available cryptographic libraries, or by relying on the cryptographic services provided by firewalls, you can avoid security problems in your protocols.

What Is a Firewall?

Firewalls are designed to provide a secure boundary between an untrusted network, such as the Internet, and a trusted network, such as your private corporate network. Other terms used are unsecure and secure network. Today, firewalls consist of one or more of the following:

  A packet filter
  A set of proxy servers
  Secure IP traffic or virtual private network (VPN)

Other software accompanies host firewalls to support these core functions. Examples include virus scanners, log reporting tools, strong authentication, and file system integrity checkers.

Firewalls are implemented using screening routers, bastion hosts, or both. A screening router can be configured to control network packet routing based on attributes of the packet, such as source address, destination address, port number, and direction. A bastion host is a hardened computer, with the operating system locked down to a minimum of services. The bastion host can run proxies and perform packet filtering.

Packet Filters Provide Access Control Services

Packet filters improve upon the access control capabilities of network software delivered as part of operating systems. Access control rules are constraints or predicates that are evaluated to determine whether to permit an operation. Conceptually, the values held by a set of variables are compared against rules in the access control database. The variables are derived from state information representing attributes of the subjects and objects. For example, two important values in network traffic are the source and destination IP addresses. A packet filter rule can be configured to permit or deny IP traffic based on these values.

A packet filter is an access control mechanism for network traffic. Instead of processing or forwarding all packets that arrive on the node’s network adapters, the packet filter consults its access control rules before handling each packet. Most packet filters are implemented as extensions or replacements for kernel components of operating systems because the lower layers of the network stack run in the kernel. This practice is very important because some firewalls completely replace part of the kernel, and others hook in and intercept function calls. What can a packet filter control?

Because the packet filter is part of the network stack, it can make access control decisions based on any of the fields that appear in the headers of network packets. If necessary, a packet filter also can inspect the contents of the data portion of packets to enforce a security policy or look for attacks. First-generation packet filters passed or dropped packets by looking at fields such as:

  Source or destination IP address
  Port
  Protocol type (TCP, UDP, or other)
  Service type (FTP, telnet, DNS, RIP)

As protocol attacks became common, packet filters were enhanced to look at settings for SYN and ACK fields as well as other characteristics of the packet. When new protocol attacks are discovered, firewall vendors are quick to implement defenses. In other words, packet filtering access control capabilities are always being improved.

Packet filters are installed as screening routers or bastion hosts. Both routers and bastion hosts are multihomed, meaning that they have two or more network adapters. A router is a special-purpose computer that, in its simplest form, controls the flow of network packets between subnets. A bastion host is a general-purpose computer that has been hardened to remove unnecessary or security-threatening software. A network node with two communication adapters, such as a router or bastion host, can know the adapter on which a packet arrived. Notice that this knowledge is not explicitly encoded in the packet itself. A generic term meaning either a router or a bastion host is gateway.

The purpose of a gateway is to inspect packets and, based on the destination network addresses of the packets, send them to the appropriate subnet for delivery to the target hosts. If you want to block all incoming traffic from networks other than packets whose addresses begin with 1.22.333, you easily can configure a router to do so. In addition, most screening routers can detect attempts to impersonate IP addresses. A router or bastion host can look at inbound packets arriving on the network adapter connected to the untrusted Internet; if the source IP address has the prefix of one of the private network subnets, then an address impersonation attempt is in progress. Conversely, if a packet received on the secure-side adapter (meaning it is supposed to be delivered to the Internet) has a source IP address whose prefix is not from one of the private subnets, one of the inside systems has been compromised. Both of these situations should be logged and flagged for the security administrator.

Besides blocking address impersonation attempts, firewalls are configured to reject inbound packets that have source routing defined for IP. An option of the IP protocol enables the sender to specify the precise route a packet should take. The route is declared as a list of IP addresses. Source routing can be used for a number of hacking purposes, including probing the network to determine its physical layout. Firewalls should be configured to block these packets.

IP forwarding is a feature in operating systems that automatically routes a packet between two network adapters in the same computer if necessary. This feature is undesirable in a firewall because the packet will have bypassed the packet filter rules. Therefore, IP forwarding is turned off in firewalls.
