Security has been a major concern whenever an organization wants to connect its private network to the Internet. Regardless of the type of business, the growing number of users on private networks demand access to Internet services such as the World Wide Web (WWW), Internet mail (e-mail), Telnet and the File Transfer Protocol (FTP). In addition, corporations want to take advantage of WWW pages and FTP servers on the Internet for public access.
Network administrators have growing concerns about the security of their systems, because connecting exposes the organization's private data and network infrastructure to Internet intruders (crackers). To overcome these fears and provide the required level of protection, the organization needs a security policy that prevents unauthorized users from accessing the resources of the private network and protects private information from being exported. Even an organization that is not connected to the Internet should establish an internal security policy to manage user access to sensitive portions of the network and to protect confidential information.
An Internet firewall is a system or group of systems that enforces a security policy between the organization's private network and the Internet. The firewall determines which internal services can be accessed from the outside, and which outsiders are permitted to use the organization's network resources. For a firewall to be effective, all traffic to and from the Internet must pass through it, where it can be inspected. The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. Unfortunately, a firewall cannot offer any protection once an attacker has gotten through it or around it.
Illustration -1 A security policy creates a perimeter defense.
It is important to note that an Internet firewall is not just a router, a bastion host ("defense server"), or a combination of devices that provides network security. The firewall is part of a comprehensive security policy that creates a perimeter defense designed to protect the organization's information resources. This security policy may include published guidelines that inform users of their responsibilities, rules for network access, a policy on network services, an authentication policy for local and remote users, dial-in and dial-out standards, rules for encrypting data and disks, virus protection standards, and training. All potential points of attack on the network must be protected to the same level of security. An Internet firewall without a comprehensive security policy is like putting a steel door on a tent.
Internet firewalls manage Internet access to the private network. Without a firewall, each host system on the private network is exposed to attack from other hosts on the Internet. This means the security of the private network depends on the "hardness" of each host, and the network is only as secure as its weakest system.
The firewall allows the network administrator to define a "choke point", keeping unauthorized users (hackers, crackers, vandals and spies) out of the protected network, prohibiting potentially vulnerable services from entering or leaving the network, and providing protection against various types of attack. One of the key benefits of an Internet firewall is that it helps to simplify administration: security is consolidated on the firewall system rather than being distributed across each of the hosts that make up the private network.
The firewall provides a point where security can be monitored and, if there is suspicious activity, an alarm is generated at the prospect of an attack or of a problem in the data traffic. For an organization connected to the Internet, the question is not "if" but "when" an attack will happen. It is extremely important for the administrator to audit and keep a log of significant traffic through the firewall. Also, if the network administrator does not take the time to respond to alarms and examine the logs on a regular basis, there is little point in having the firewall, since the administrator will never know whether it has been successfully attacked.
Illustration -2 Benefits of an Internet firewall: centralizes access security, generates security alarms, translates addresses (NAT), and monitors and records the use of WWW and FTP services.
Over the last several years, the Internet has experienced an addressing crisis, and IP addresses are becoming scarce. This is a problem for organizations connecting to the Internet, because it may not be possible to obtain enough registered IP addresses to satisfy the population of users demanding services. A firewall is a logical place to deploy Network Address Translation (NAT), which can help alleviate the shortage of address space and eliminates the need to renumber when the organization changes its Internet Service Provider (ISP).
An Internet firewall is the perfect place to audit or log Internet usage. This allows the network administrator to justify the expense of the Internet connection, pinpoint potential bandwidth bottlenecks, and support a chargeback model for departments within the organization's finances.
An Internet firewall offers a convenient point of contact for the organization. If one of its goals is to provide and deliver information services to customers, the Internet firewall is the ideal place to deploy WWW and FTP servers.
Finally, the firewall has the potential problem of being a single point of failure. It should be emphasized, however, that if the failure occurs in the Internet connection, the organization's internal network can continue to operate; only Internet access is lost.
The main concern for the network administrator is an organization with multiple Internet access points, each of which must be monitored with a firewall. Two access points mean two potential points of attack on the internal network that will have to be monitored regularly!
* Limitations of a firewall
A firewall cannot protect against attacks that do not pass through it.
For example, if unrestricted dial-out is permitted from inside the protected network, internal users can make a direct SLIP or PPP connection to the Internet. Users with "common sense" who are irritated by the additional authentication required by the firewall's proxy servers may be tempted to circumvent the security system by making a direct SLIP or PPP connection to an ISP.
Such connections bypass the security provided by a carefully constructed firewall, creating a back door. Users must be made aware that such connections are not permitted as part of the organization's overall security architecture.
Illustration -3 Connections circumventing the Internet firewall.
The firewall cannot protect against threats posed by traitorous or careless users. The firewall cannot prevent corporate spies or traitors from copying sensitive data onto diskettes or PCMCIA cards and carrying them out of the building.
The firewall cannot protect against "social engineering" attacks: for example, a hacker who claims to be a supervisor or a confused new employee persuades a less sophisticated user to hand over a password to the corporate server or to grant "temporary" access to the network.
To handle these situations, employees must be educated about the various types of social attack that can occur, and must change their passwords periodically when necessary.
The firewall cannot protect against viruses that enter the internal network in files and software obtained from the Internet. Because there are many ways of encoding binaries for transfer, and many operating systems and compression formats, the Internet firewall cannot perform an accurate scan for every type of virus that may be present in the files passing through it.
The real solution is for the organization to install anti-virus software on every desktop, to protect against viruses arriving on diskettes or from any other source.
Finally, the Internet firewall cannot protect against data-driven attacks. These occur when apparently innocuous data is sent or copied to an internal host and then executed, launching an attack.
For example, a data-driven attack could cause a host to modify its security-related files, making it easier for an attacker to gain access to the system.
As we will see, proxy servers on a bastion host are an excellent defense: they prevent direct connections by external agents and reduce the threat of data-driven attacks.
* Attacks against firewalls
It is difficult to describe the "typical" attack by a hacker, because intruders have different levels of technical expertise and are motivated by different factors. Some hackers are intrigued by the challenge, others simply enjoy making life difficult for other people, and many others steal sensitive data for gain.
* Collection of information
Generally, the first step is information gathering, and knowing what information is available. The goal is to build a database of the organization's network and to collect information about the hosts resident on it.
These are some of the tools a hacker can use to collect this information:
* The SNMP protocol can be used to examine the routing table of an insecure device; this reveals the most intimate details about the topology of the organization's network.
* The traceroute program can reveal the number of intermediate networks and routers on the path to a specific host.
* The Whois protocol is an information service that provides data about all DNS domains and the system administrator responsible for each domain, although this information is often out of date.
* DNS servers can be queried for a list of IP addresses and their corresponding host names (the nslookup program).
* The Finger protocol may reveal detailed information about the users of a specific host (login names, phone numbers, last login time, etc.).
* The Ping program can be used to locate a particular host and determine whether it is reachable. This simple tool can be used as a small scanning program that pings every address in a range, making it possible to build a list of the hosts currently resident on the network.
* Probing systems for security weaknesses
After obtaining information about the organization's network, the hacker tries to probe each host for security weaknesses.
These are some of the tools a hacker can use to automatically probe individual hosts resident on a network:
* After obtaining the host list and the not-so-small set of vulnerable services on the network, a well-educated hacker can write a small program that tries to connect to the port assigned to a specific service on each host in question. Running the program produces a list of the hosts that support that Internet service and are exposed to attack.
* Several tools are available in the public domain, such as the Internet Security Scanner (ISS) or the Security Analysis Tool for Auditing Networks (SATAN), which can scan a subnet or domain and look for possible security holes. These programs determine the weakness of each system with respect to several common points of vulnerability. The intruder uses the information collected by such scanners to attempt unauthorized access to the targeted organization's systems.
A skilled network administrator can use these same tools on the private network to find potential points where security is weak, and thus determine which hosts need to be patched and have their software updated.
* Accessing protected systems
The intruder uses the results of the probes to try to gain access to a specific service.
After gaining access to a protected system, the hacker has the following options available:
* Attempt to destroy all evidence of the assault, and create new holes in the system or in subordinate parts of it, in order to keep access without the original attack being discovered.
* Install packet sniffers, including binary code known as "Trojan horses", to carry out their activity transparently. Packet sniffers collect account names and passwords for Telnet and FTP services, allowing the hacker to extend the attack to other machines.
* Find other hosts that trust the compromised system. This allows the hacker to exploit a single vulnerable host to reach those on the rest of the corporate network.
* If the hacker can gain privileged access on a shared system, read mail and search through files.
* Basic decisions in firewall design
When designing an Internet firewall, there are several decisions the network administrator has to make:
* The firewall's policy stance.
* The organization's own internal policy for overall security.
* The financial cost of the firewall project.
* The components or building blocks of the firewall.
* Firewall Policies.
The stance of the firewall system describes the fundamental security philosophy of the organization. There are two diametrically opposed stances that an Internet firewall policy can take:
* "Everything not specifically permitted is prohibited"
* "Everything not specifically prohibited is permitted"
The first stance assumes that the firewall blocks all traffic, and that each desired service or application is enabled on a case-by-case basis.
This is the recommended approach: only a limited number of carefully selected services are supported on a host. The disadvantage is that "security" is placed ahead of "ease of use", and these restrictions limit the options available to the user community. This stance follows a conservative philosophy: what is unknown cannot be handled safely, so it is blocked.
The second stance assumes that the firewall forwards all traffic, and that each potentially dangerous service is blocked on a case-by-case basis. This creates a more flexible environment, with more services available to the user community. The disadvantage is that "ease of use" is placed ahead of "security". In addition, the network administrator is constantly having to add security to the system as the network grows. Unlike the first stance, this one assumes that the dangers are already known in general, and that only the known ones have to be dealt with.
* Internal Security Policy
As already discussed, an Internet firewall does not stand alone; it is part of a comprehensive security policy in the organization, which defines all aspects of the perimeter defense. For it to be successful, the organization must know what it is protecting. The security policy should be based on a careful security analysis, a risk assessment, and the business situation. Without a detailed policy to follow, even a carefully developed and well-reinforced firewall will leave the private network exposed to attack.
* Cost of the firewall
How much security the organization can afford determines the cost. A simple packet-filtering firewall can have a minimal cost, because the organization needs a router connected to the Internet anyway and packet filtering is already included as standard router software. A commercial firewall system provides increased security, but its cost can range from $32,000 to $240,000 pesos depending on its complexity and the number of systems protected. If the organization has the expertise in house, a home-grown firewall can be built from public domain software, but the resources saved are offset by the development time and the effort of deploying the firewall. Finally, a firewall requires ongoing support for administration, general maintenance, software upgrades, security patches, and incident handling.
* Firewall system components
After deciding the preceding issues, the organization can determine the specific components of the system. A firewall typically consists of one, or a combination, of the following building blocks:
* Packet-filtering router.
* Application-level gateway.
* Circuit-level gateway.
For the remainder of the chapter, we discuss each of these building blocks and describe how they can be combined to build an effective Internet firewall.
* Building blocks: packet-filtering router
The packet-filtering router makes a permit/deny decision for each packet it receives. The router examines each datagram to determine whether it matches one of its packet-filtering rules. The filtering rules are based on the packet header information made available to the IP forwarding process: the IP source address, the IP destination address, the encapsulated protocol (TCP, UDP, ICMP, or IP tunnel), the TCP/UDP source port, the TCP/UDP destination port, the ICMP message type, the incoming interface of the packet, and the outgoing interface of the packet. If a match is found and the rule permits the packet, it is forwarded according to the routing table; if a match is found and the rule denies the packet, it is dropped. If no rule matches, a configurable default parameter determines whether the packet is dropped or forwarded.
Illustration -4 Packet-filtering router.
* Service-dependent filtering
The packet-filtering rules by which a router permits or denies traffic are based on a specific service, since most services listen on well-known TCP/UDP ports.
For example, a Telnet server listens for remote connections on TCP port 23 and an SMTP server listens for incoming connections on TCP port 25. To block all incoming Telnet connections, the router simply discards all packets whose TCP destination port is 23. To restrict incoming Telnet connections to a limited number of internal hosts, the router denies packets whose TCP destination port is 23 and whose destination IP address is not one of the permitted hosts.
Some typical filters a network administrator might request on a packet-filtering router are:
* Allow incoming Telnet sessions only to a specific list of internal hosts.
* Allow incoming FTP sessions only to specified internal hosts.
* Allow all outgoing Telnet sessions.
* Allow all outgoing FTP sessions.
* Deny all UDP traffic.
* Service-independent filtering
There are certain types of attack that are difficult to identify using basic header information, because they are independent of the type of service. Routers can be configured to protect against them, but the rules are harder to specify, since the filtering rules require additional information that can only be learned by examining the routing table, inspecting specific IP options, examining particular fragments, and so on. Some examples of such attacks include:
IP source address spoofing attacks.
In this type of attack, the intruder transmits packets from the outside that pretend to come from an internal host: the packets carry a forged source IP address belonging to an internal system. The attacker hopes that this impersonation will penetrate systems that rely on source-address authentication, where packets from trusted internal hosts are accepted and packets from other hosts are discarded. Spoofing attacks can be thwarted by discarding every packet that carries an "internal" source address but arrives on one of the router's "external" interfaces.
Source routing attacks.
In a source-routing attack, the source station specifies the route a packet will take as it crosses the Internet. Such attacks are designed to bypass security measures and lead the packet along an unexpected path to its destination. Source-routing attacks can be thwarted by simply discarding all packets that contain source-routing options.
Tiny fragment attacks.
In this attack, the intruder uses the IP fragmentation feature to create extremely small fragments and forces the TCP header information into a separate fragment. These tiny fragments are designed to circumvent filtering rules that examine only the first fragment, letting the rest pass unnoticed. Although a tiny-fragment attack only exploits the simplest filters, it can be thwarted by discarding all packets where the protocol type is TCP and the IP fragmentation offset is equal to 1.
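The filtering logic of this section, as an added example that is not from the original paper: a toy first-match packet filter in Python that applies the three service-independent checks above before the service-dependent rule set listed under "Service-dependent filtering". Addresses, interface names and the sample hosts are assumptions.

```python
"""Toy packet-filtering router (constructed example, not the paper's code).

Every packet first passes the service-independent checks (spoofed internal
source on the external interface, source-routing option, TCP fragment with
offset 1). Only then are the service-dependent rules tried in order; the
first match wins, and a configurable default decides any packet that
matches no rule. Addresses and interface names are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")                 # constructed internal address space
TELNET_HOSTS = frozenset({ip_address("10.0.0.5")})      # may receive incoming Telnet
FTP_HOSTS = frozenset({ip_address("10.0.0.6")})         # may receive incoming FTP


@dataclass
class Packet:
    """The header fields the IP forwarding process can see."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    in_if: str                     # "ext" (Internet side) or "int" (private side)
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0           # IP fragment offset; 0 for an unfragmented packet
    source_routed: bool = False    # packet carries a source-routing IP option


@dataclass
class Rule:
    """A field left as None is a wildcard."""
    action: str                    # "permit" or "deny"
    name: str
    proto: Optional[str] = None
    in_if: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst_in: Optional[frozenset] = None   # destination must be one of these hosts

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or p.proto == self.proto,
            self.in_if is None or p.in_if == self.in_if,
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            self.dst_in is None or ip_address(p.dst) in self.dst_in,
        ])


def service_independent_checks(p: Packet) -> Optional[str]:
    """Checks that do not depend on which service the packet carries."""
    if p.in_if == "ext" and ip_address(p.src) in INTERNAL_NET:
        return "deny:spoofed-source"   # "internal" address arriving from outside
    if p.source_routed:
        return "deny:source-routing"   # sender is trying to dictate the path
    if p.proto == "tcp" and p.frag_offset == 1:
        return "deny:tiny-fragment"    # TCP header split across fragments
    return None


# The typical filter set from the text as first-match rules. A stateless
# filter must also admit the reply half of each outgoing session; keying
# that on the remote source port (as here) is the kind of extra rule that
# makes filter sets grow, and real filters also require the TCP ACK bit so
# an outsider cannot get in simply by choosing source port 23 or 21.
RULES = [
    Rule("permit", "telnet-in", proto="tcp", in_if="ext", dport=23, dst_in=TELNET_HOSTS),
    Rule("permit", "ftp-in", proto="tcp", in_if="ext", dport=21, dst_in=FTP_HOSTS),
    Rule("permit", "telnet-out", proto="tcp", in_if="int", dport=23),
    Rule("permit", "telnet-reply", proto="tcp", in_if="ext", sport=23),
    Rule("permit", "ftp-out", proto="tcp", in_if="int", dport=21),
    Rule("permit", "ftp-reply", proto="tcp", in_if="ext", sport=21),
    Rule("deny", "no-udp", proto="udp"),
]


def filter_packet(p: Packet, rules=RULES, default: str = "deny") -> str:
    """Return 'permit:<rule>' or 'deny:<reason>' for one packet."""
    verdict = service_independent_checks(p)
    if verdict is not None:
        return verdict
    for rule in rules:
        if rule.matches(p):
            return f"{rule.action}:{rule.name}"
    return f"{default}:default"        # no rule matched: the configurable default decides


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.10", "10.0.0.5", "tcp", "ext", sport=40000, dport=23),  # permitted Telnet
        Packet("10.0.0.9", "10.0.0.5", "tcp", "ext", sport=40000, dport=23),    # spoofed source
        Packet("192.0.2.10", "10.0.0.5", "tcp", "ext", frag_offset=1),          # tiny fragment
    ]
    for pkt in samples:
        print(f"{pkt.src:>12} -> {pkt.dst:<9} {pkt.proto} {filter_packet(pkt)}")
```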
* Benefits of a packet-filtering router
Most firewall systems are deployed using only a packet-filtering router. Other than the time spent planning the filters and configuring the router, there is little or no cost to implement packet filtering, since the basic router components already include standard packet-filtering software. Since Internet access is usually provided over a WAN interface, the impact on router performance is moderate as long as traffic is moderate and few filters are defined. Finally, the packet-filtering router is usually transparent to end users and applications, so it requires no specialized user training or specific software to be installed on each host.
* Limitations of a packet-filtering router
Defining packet filters can be complex, because the network administrator needs a detailed understanding of the various Internet services, the packet header formats, and the specific values expected in each field. If the filtering requirements are very complex, additional support is needed, and the set of filtering rules can become long and complicated, making the system harder to administer and understand. Finally, there are few tools for checking the correctness of the filtering rules once they have been configured on the router. Potentially, this can leave a hole open without anyone ever testing its vulnerability.
Any packet that passes directly through a router can potentially be used as the initial part of a data-driven attack. Recall that these attacks occur when apparently safe data travels through the router to an internal host. The data contains hidden instructions that can cause the host to modify its access controls and security-related files, making it easier for the intruder to gain access to the system.
Generally, the packet throughput of the router decreases as the number of filters increases. Routers are optimized to extract the destination IP address of each packet, perform a relatively simple routing-table lookup, and forward the packet on the appropriate interface. If filtering is enabled, the router must not only decide whether to forward each packet, but must also apply every filter rule to it. This consumes CPU cycles and impacts the performance of the system.
IP packet filtering may not be able to provide sufficient control over traffic. A packet-filtering router can permit or deny a particular service, but it cannot understand the context or data of that service. For example, a network administrator may need to filter traffic at the application layer, limiting access to a subset of the commands available in FTP or Telnet, or blocking the import of mail or newsgroups on specific topics. This type of control is better achieved with proxy services and application-level gateways.
* Building blocks: application-level gateways
Application-level gateways allow the network administrator to implement a much stricter security policy than a packet-filtering router. Rather than relying on a generic packet-filtering tool to manage the flow of Internet services through the firewall, special-purpose code (a proxy service) is installed on the gateway for each application. If the network administrator does not install the proxy code for a particular application, that service is not supported and cannot pass through the firewall.
In addition, the proxy code can be configured to support only those features of an application that the network administrator considers acceptable, while denying all others.
This increased security has a cost: the selected gateway hardware, the proxy service applications, the time and knowledge required to configure the gateway, and a decrease in the level of service users receive, resulting in a system that is not transparent and is less "friendly" to users. As in all cases, the network administrator must balance the organization's need for security against the demand for "ease of use" from the user community.
Note that users gain access through the proxy services, but they must never be allowed to log in to the application-level gateway itself. If users are allowed to log in to the firewall system, its security is threatened, since an attacker could then potentially carry out many activities that compromise the effectiveness of the firewall.
For example, the attacker could gain root access, install a Trojan horse to collect passwords, and modify the firewall's security configuration files.
* Bastion host (defense server)
A packet-filtering router permits the direct flow of packets between internal and external systems, whereas an application-level gateway lets information flow between the systems but does not allow the direct exchange of packets. The main risk of allowing packets to be exchanged between inside and outside is that the host systems resident on the protected network must then be secured against every threat posed by the permitted services.
An application-level gateway is usually described as a "bastion host" because it is a system specifically shielded and protected against attack. Several design features are used to make a bastion host more secure:
* The bastion host's hardware platform runs a "secure" version of its operating system. For example, if the bastion host is a UNIX platform, it runs a secure version of UNIX specifically designed to protect against operating system vulnerabilities and to ensure the integrity of the firewall.
* Only the services that the network administrator considers essential are installed on the bastion host. The operating logic is that if a service is not installed, it cannot be attacked. Generally, a limited set of proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication are installed on this host.
* The bastion host may require additional authentication before a user accesses the proxy services. For example, the bastion host is the ideal place to deploy strong authentication technology (such as a "one-time" password system, where a smart card generates a unique access code by cryptographic means). Additionally, each proxy service may require its own authentication after the user has gained access to the session.
* Each proxy is configured to support only a subset of the application's standard command set. If a standard command is not supported by the proxy application, it is simply not available to the user.
* Each proxy is configured to allow access only to specified hosts in the system. This means that the limited set of features and commands can be applied only to a subset of the systems on the protected network.
* Each proxy maintains detailed audit records of all traffic, each connection, and the duration of each connection. The audit log is an essential tool for discovering and ending an intruder's attack.
* Each proxy is a small and simple program designed specifically for network security. This allows the application's source code to be reviewed and analyzed for potential bugs and security holes. For example, a typical UNIX mail application may have around 20,000 lines of code, whereas a mail proxy may contain fewer than a thousand.
* Each proxy is independent of the other proxies on the bastion host. If a problem arises with the operation of any proxy, or if a vulnerability is discovered, it can be uninstalled without affecting the operation of the other applications. Also, if the user population requires support for a new service, the network administrator can easily install the required proxy on the bastion host.
* A proxy usually runs without disk access other than reading its initial configuration file. Since the proxy application does not write to disk, an attacker finds it more difficult to install Trojan horses and other harmful files on the bastion host.
* Each proxy runs as a non-privileged user in a private, secured directory on the bastion host.
* Example: Telnet proxy
The following illustration shows the operation of a Telnet proxy on a bastion host. In this example, an external client runs Telnet to an internal host through the security system of the application-level gateway.
Illustration -5 Telnet proxy.
The Telnet proxy never allows the remote user to log in to, or have direct access to, the internal host. The external client runs Telnet to the bastion host, which authenticates the user with "one-time" password technology. After being authenticated, the client gains access to the user interface of the Telnet proxy. This interface allows only a subset of the Telnet commands and also determines which hosts are available for access via Telnet.
Illustration -6 Terminal session via the Telnet proxy.
The external user specifies the destination host and, once the Telnet proxy has made the connection, the internal host's output is relayed to the external client. The external client believes the Telnet proxy is the real internal host, while the internal host believes the Telnet proxy is the external client.
Illustration -7 shows the terminal output on the external client once the "connection" to the internal host is established. Note that the client does not log in to the bastion host: the user starts the session by authenticating to the bastion host and, once the challenge/response exchange has been accepted, communicates with the Telnet proxy. After this exchange, the proxy limits the set of commands and destinations available to the external client.
Authentication can be based on "something the user knows" (like a password) or on "something the user has" physically (like a smart card). Both techniques are subject to theft or forgery, but combining the two methods increases the likelihood that the authentication is genuine. In the Telnet example, the proxy sends a login challenge and the user, with the help of the smart card, obtains the response in the form of a validation number. Typically, the user enters a PIN into the card, and the card, using a "secret" encryption key and its own internal clock, returns the encrypted response value with which the session is established.
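The Telnet proxy session just described, as an added example that is not from the original paper or 3Com: the challenge/response login, the restricted command subset, the destination whitelist and the audit log, modelled in Python. The card's cipher is not specified on the page, so an HMAC-SHA256 over the challenge and PIN with a per-card secret stands in for it; the host names, user and PIN are constructed.

```python
"""Model of the bastion-host Telnet proxy described above.

Constructed example, not 3Com's code. The page does not name the card's
cipher, so the one-time response is computed here as HMAC-SHA256 over the
proxy's challenge and the user's PIN with a per-card secret (an assumption).
The proxy then exposes only a small command subset and a whitelist of
internal destination hosts, and records every decision in an audit list.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOWED_COMMANDS = {"connect", "help", "quit"}                    # subset of Telnet commands
ALLOWED_HOSTS = {"mail.internal.example", "db.internal.example"}  # constructed internal hosts


@dataclass
class Session:
    user: str
    challenge: str
    authenticated: bool = False
    target: str = ""
    closed: bool = False
    audit: List[str] = field(default_factory=list)


def card_response(secret: bytes, pin: str, challenge: str) -> str:
    """What the user's card computes: the secret never leaves the card, the PIN
    unlocks it. A fresh challenge per session makes the answer usable only once."""
    msg = f"{pin}:{challenge}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class TelnetProxy:
    def __init__(self, cards: Dict[str, Tuple[bytes, str]]):
        self.cards = cards   # user -> (card secret, PIN) held by the authentication server

    def login_request(self, user: str) -> Session:
        """Step 1: the client telnets to the bastion host and receives a challenge."""
        s = Session(user=user, challenge=secrets.token_hex(8))
        s.audit.append(f"challenge user={user} challenge={s.challenge}")
        return s

    def authenticate(self, s: Session, response: str) -> bool:
        """Step 2: compare the card's answer with the expected one, in constant time."""
        if s.user not in self.cards:
            s.audit.append(f"auth user={s.user} result=unknown-user")
            return False
        secret, pin = self.cards[s.user]
        expected = card_response(secret, pin, s.challenge)
        s.authenticated = hmac.compare_digest(expected, response)
        s.audit.append(f"auth user={s.user} result={'ok' if s.authenticated else 'fail'}")
        return s.authenticated

    def command(self, s: Session, line: str) -> str:
        """Step 3: only whitelisted verbs, only whitelisted destinations, all logged."""
        if not s.authenticated or s.closed:
            s.audit.append(f"cmd user={s.user} line={line!r} result=no-session")
            return "denied: not authenticated"
        parts = line.split()
        verb = parts[0].lower() if parts else ""
        if verb not in ALLOWED_COMMANDS:
            s.audit.append(f"cmd user={s.user} verb={verb!r} result=unsupported")
            return f"denied: '{verb}' is not available through the proxy"
        if verb == "help":
            return "available: " + " ".join(sorted(ALLOWED_COMMANDS))
        if verb == "quit":
            s.closed = True
            s.audit.append(f"close user={s.user} target={s.target or '-'}")
            return "session closed"
        if len(parts) != 2:
            return "usage: connect <host>"
        host = parts[1].lower()
        if host not in ALLOWED_HOSTS:
            s.audit.append(f"connect user={s.user} host={host} result=denied")
            return f"denied: {host} is not reachable through the proxy"
        s.target = host
        s.audit.append(f"connect user={s.user} host={host} result=ok")
        return f"connected to {host}; the internal host sees the proxy as its client"
```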
* Benefits of application-level gateways
There are many benefits to deploying application-level gateways. They give network management complete control over each service, since the proxy application restricts the command set and determines which internal hosts the service can reach. Also, the network administrator has complete control over which services are permitted, since the absence of a proxy for a particular service means that service is completely blocked. Application-level gateways have the ability to support strong authentication, forcing the user to provide login credentials. Finally, the filtering rules for a gateway of this type are much easier to configure and test than those for a packet-filtering router.
* Limitations of application-level gateways
Probably the biggest limitation of an application-level gateway is that it requires either a change in user behavior or the installation of specialized software on each system that accesses the proxy services. For example, Telnet access through an application-level gateway demands a change in user behavior, since it takes two steps to make a connection rather than one. Alternatively, specialized software may be installed on end systems to make the application gateway transparent, allowing users to specify the target host, rather than the gateway itself, in the telnet command.
* Building blocks: circuit-level gateway
A circuit-level gateway is a specialized function that can be performed by an application-level gateway. A circuit-level gateway simply relays TCP connections without performing any additional packet processing or filtering.
Illustration -9 shows the operation of a typical Telnet connection through a circuit-level gateway. As mentioned above, this gateway simply relays the connection through the firewall without further examining, filtering, or managing the Telnet protocol. The circuit-level gateway acts like a wire, copying bytes back and forth between the internal connection and the external connection. However, because the connection appears to originate from the firewall, information about the protected network is concealed.
The circuit-level gateway is often used for outgoing connections, where the system administrator trusts the internal users. Its main advantage is that a bastion host can be configured as a "hybrid" gateway, supporting application-level proxy services for incoming connections and circuit-level functions for outgoing connections.
This makes the firewall system easy to use for internal users who want direct access to Internet services, while still providing the firewall functions needed to protect the organization from external attacks.
Original text in English, by Chuck Semeria – 3Com Corp.
Translated into Spanish and reviewed by Daniel R. Elorreaga
UNAM Mexico. 3Com Global User # 010726