NCSA Firewall Policy Guide
This document, the second edition of the NCSA Firewall Policy Guide, was written by the NCSA's Director of Special Projects, Stephen Cobb, CISSP, as an educational publication. As with the first edition, you may, within certain limits, copy and distribute the document for educational purposes. The two main limits are that you may not charge a fee for distribution and the document must be reproduced in its entirety. For permission to use or distribute the document by any means or in any form not covered by this paragraph, please contact NCSA's Director of Education, Dr. Mich Kabay, by e-mail or by conventional mail to the physical address at the end of the document. If you would like additional copies in booklet form, please order them through our catalog department.
Preface to Version 2
Purpose and Permissions
Note: When this report mentions specific vendors and commercial products, the presence or absence of a particular trade or product name does not imply endorsement or criticism by NCSA. Also note that NCSA is a registered trademark of the National Computer Security Association. All other products or services mentioned herein are trademarks or registered trademarks of their respective owners.
The guide is divided into eight parts:
The Internet, the global network of computers that is the basis for universal electronic mail, the World Wide Web, and numerous forms of electronic commerce, has variously been described as bigger than the personal computer, more significant than the printing press, and as revolutionary as the discovery of fire. These days, the computer section of every book store is crammed with Internet titles. Every new movie has a Web site. Billboards and advertisements without URLs are becoming the exception.
Yet firewalls, which are designed to control the flow of information between two networks, were being developed even before the world at large had heard of "The Internet". Indeed, common sense says you should consider using a firewall whenever you internetwork. This term refers to the process of connecting two networks together. The result is referred to as an "internet" without the capital 'I.' Typically, we reserve the term "Internet" for the TCP/IP-based descendant of ARPAnet's marriage to CSnet in 1982, now serving tens of millions of users via hundreds of thousands of host machines.
Now the Internet has become global, with tens of millions of users, almost all of whom are completely unknown to you. So it is no longer wise to trust other computers or users on the Internet. But the Internet is not the only place you will find "untrusted" computers. Think about any network that you do not manage or control. To what extent can you trust it? Do you really want to connect it to your network without any way of controlling the traffic between the two? These days, whenever you connect your trusted network to someone else's untrusted network, it is wise to place a firewall of some kind between the two. This helps you keep insiders in and outsiders out. For example, firewalls would be appropriate at points C and D in Figure 1, but may not be needed at points A and B.
The idea is not to cut off communication at these points, but to control it. This means controlling which users can pass data between the networks on either side of the firewall, as well as the types of data they are allowed to exchange. These principles apply at all levels of internetworking, from small offices to corporate offices, from a couple of interconnected LANs to corporate WANs, from Web surfing machines to electronic commerce servers.
At the same time 98% of these same companies provide access to the Internet to some employees, 97% provide remote access to corporate networks, 61% host their own Web site, and 9 out of 10 permit some level of access to commercial on-line services such as CompuServe. To this recipe for disaster you can add another ingredient: the way that people in the Gordon & Glickson survey dealt with access to the Internet. While 75% say they would like to restrict access to some parts of the Internet, only 62% had policies governing Internet access, 42% did not monitor employee Internet use and only 30% actually applied access controls. Furthermore, fewer than two out of five respondents said they imposed restrictions on downloading files from third parties. No wonder that one out of six surveyed corporations reported experiencing damage associated with Internet usage by employees (one in eight reported legal claims arising from the use of information technology by an employee).
The risks related to using the Internet range from public embarrassment, when a Web site is defaced (as happened to the U.S. Department of Justice and the Central Intelligence Agency in 1996) or internal correspondence is revealed, to theft of trade or government secrets from a poorly protected internal network. Risks include coordinated and systematic abuse of computing resources, sometimes for mounting attacks on other sites [Stall95a]. Consider the findings of the United States General Accounting Office, which was asked by the Senate Committee on Governmental Affairs to report on the current vulnerability of Department of Defense non-classified computer systems. Here are some highlights:
"Unknown and unauthorized individuals are increasingly attacking and gaining access to highly sensitive unclassified information on the Department of Defense's computer systems....as many as 250,000 attacks last year...successful 65 percent of the time....At a minimum, these attacks are a multi-million dollar nuisance to Defense. At worst, they are a serious threat to national security. Attackers have seized control of entire Defense systems...stolen, modified, and destroyed data and software...installed unwanted files and "back doors" which circumvent normal system protection and allow attackers unauthorized access in the future. They have shut down and crashed entire systems and networks, denying service to users who depend on automated systems to help meet critical missions. Numerous Defense functions have been adversely affected, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll."
Whether it is viruses, Trojan horses, or penetration of internal networks, the most important factor affecting network security today is clearly the Internet. If your network is connected to the Internet you have a whole new set of problems, some of which make pre-existing problems worse. If your network is not connected to the Internet, you are most likely facing pressure to make that connection, even if it is merely a demand for electronic mail. This pressure is so strong that some organizations find that they are already connected to the Internet even though upper management have not authorized any such connections.
Connecting to the Internet is a bit like opening the shades on the office windows and letting in the full glare of the midday sun. Problems with network security that were previously invisible are thrown into sharp contrast. Unprotected guest accounts and obvious passwords might not have been much of a problem when your network was only visible to insiders. But if people manage to penetrate your network from the outside (something experienced by at least one out of every six respondents in several recent surveys) you can bet these weaknesses will be exploited. And news of such vulnerabilities can spread through "the underground" at the speed of electrons, leading to rapidly escalating attacks and system abuse.
Such incidents represent more than kids getting their kicks with modems. Systematic and automated probing of new Internet connections is being carried out by a shady cast of characters that includes hackers-for-hire, information brokers, and foreign governments. One in five companies responding to the annual Information Week/Ernst & Young Security Survey admitted that intruders had broken into, or had tried to break into, their corporate networks, via the Internet, during the preceding twelve months [Info]. And most experts agree that the majority of break-ins go undetected. For example, attacks by the Defense Information Systems Agency (DISA) on 38,000 Department of Defense computer systems had an 88% success rate but were detected by less than one in twenty of the target organizations. Of those organizations, only 5% actually reacted to the attack [Wash]. The bottom line is that when you connect your network to another network, bad things can happen.
So firewalls should be considered whenever you connect trusted networks to untrusted networks. This means they are sometimes appropriate within an organization, for example to control access between segments of a wide area network, but they are almost always appropriate when you connect a company network to the Internet. In a moment we will discuss how firewalls work and the role they play in internetwork security.
For a start, firewalls are not the answer to attacks behind the firewall. The nature of firewall protection is perimeter defense [Amor]. Firewalls are not general-purpose access control systems and they are not designed to control insiders abusing authorized access behind the firewall. Information security surveys consistently report that more than half of all incidents are insider attacks (many seasoned security professionals refer to the 80/20 rule to describe the relative probability that a problem was caused by insiders as opposed to outsiders).
Firewalls are not a solution to the malicious code problem. There are two parts to this problem: viruses, self-replicating code that can cause considerable disruption on networks as well as individual workstations; and Trojan horses, programs pretending to be something they are not, such as "password sniffers." To put this problem in perspective, the 1997 NCSA Virus Study reports that virtually all North American companies and large organizations have experienced virus infections. Some 90% of organizations with more than 500 PCs experience, on average, at least one virus incident per month. The cost of incidents averages over $8,000 and can run as high as $100,000, with survey results indicating that the problem is getting worse rather than better. New types of viruses which use macro languages are spreading through shared documents, not programs. They can travel over the Internet or through the World Wide Web as e-mail attachments. The Web itself is a source of virus programs, which can be downloaded from a number of sites. An additional complication is that many naïve users allow their e-mail program or their operating systems to load and interpret e-mail attachments such as MS-Word documents or HTML files without scanning for harmful code. The Web is also a potential path for Trojan code (e.g., Java applets or ActiveX controls), which is a potentially serious problem for distributed application technologies.
Some firewalls can be configured to check incoming code for signs of viruses and Trojan horses; however, these defenses, while helpful, are not foolproof. As far as Trojan code is concerned, current defenses are essentially limited to barring known programs, which leaves a big gap through which new Trojan programs may slip. Furthermore, firewalls can only be expected to address one aspect of the malicious-code problem. Many virus infections still occur because people have introduced infected disks into the network. A typical example is the traveling salesperson who returns with an infected laptop which is then attached to the network and infects it. Another classic is the maintenance engineer who uses an infected disk to test machines. Proper anti-virus policies and procedures can reduce these risks, but virus-scanning firewalls are only part of the answer.
Another fact lost in the hyperbole about the Internet is that many of the hacking incidents reported by the media have very little to do with the Internet itself. Indeed, one of the most widely used hacking techniques is social engineering, which essentially means tricking someone, either in person or over the telephone, into revealing something like their network password. And even though many companies now have an Internet connection, phone lines intended for data, such as remote maintenance lines and field office access lines, are still popular as means of gaining access to internal systems.
In other words, efforts to protect data from Internet threats should not take place in a vacuum. It must be stressed that there is little point in installing a firewall if you haven't addressed the infosec basics, like classifying and labeling data according to its sensitivity, password protecting workstations, enforcing anti-virus policies, and tracking removable media. One effect of the Internet phenomenon has been to hold up a mirror to internal networks. What a lot of companies see is not pretty. The problem of securing desktop PCs was not adequately addressed before we cabled, some might say cobbled, them together to form local area networks (LANs). The problem of securing LANs was not solved before they became wide area networks (WANs). These facts come back to haunt us as we rush toward GANs or global area networks [Eward].
Other Internet Problems
Ironically, this very lack of ownership has resulted in a growing awareness of security. Because nobody owns the Internet, nobody is obliged to minimize the risks associated with using it. Not so long ago, mainframe makers assured users that their systems were safe and secure behind locked doors. When personal computers first started appearing on corporate desktops they were blasted as a security risk by some purveyors of big iron, but soon these vendors were talking up their own PCs and talking less about security. The trend continued as PCs came together as LANs.
With the exception of a few vendors selling security products, the lack of talk about security persisted during the aggregation of LANs into WANs and the enormous marketing push towards client/server solutions. But when you start talking about the transition from WANs to Internet-based GANs, the lack of security is well documented. We now hear major hardware and software vendors talking publicly about Internet risks as they market their security solutions, no longer obliged to overlook security issues. The potential benefits of using the public Internet rather than dedicated private networks are so financially compelling that few organizations feel they can afford to turn their back on the Internet just because it is inherently insecure.