Chapter 47
Firewalls: An Effective Solution for Internet Security

E. Eugene Schultz

Firewalls are an effective method of reducing the possibility of network intrusion by attackers. The key to successful firewall implementation is the selection of the appropriate system and regular maintenance.

INTRODUCTION

The Internet has presented a new, complex set of challenges that even the most sophisticated technical experts have not been able to solve adequately. Achieving adequate security is one of the foremost of these challenges. The major security threats that the Internet community faces are described in this chapter. It also explains how firewalls — potentially one of the most effective solutions for Internet security — can address these threats, and it presents some practical advice for obtaining the maximum advantages of using firewalls.

INTERNET SECURITY THREATS

The vastness and openness that characterizes the Internet presents an extremely challenging problem — security. Although many claims about the number and cost of Internet-related intrusions are available, valid, credible statistics about the magnitude of this problem will not be available until scientific research is conducted. Exacerbating this dilemma is that most corporations that experience intrusions from the Internet and other sources do not want to make these incidents known for fear of public relations damage and, worse yet, many organizations fail to even detect most intrusions. Sources, such as Carnegie Mellon University’s CERT, however, suggest that the number of Internet-related intrusions each year is very high and that the number of intrusions reported to CERT (which is one of dozens of incident response teams) is only the tip of the iceberg. No credible statistics concerning the total amount of financial loss resulting from security-related intrusions are available, but, judging by the amount of money corporations and government agencies are spending to implement Internet and other security controls, the cost must be extremely high.

Many types of Internet security threats exist. One of the most serious is IP spoofing. In this type of attack, a perpetrator fabricates packets that bear the originating address of a client host and sends these packets to the server for this client. The server acknowledges receiving these packets by returning packets with a certain sequence number. If the attacker can guess this packet sequence number and incorporate it into another set of fabricated packets that are then sent back to the server, the server can be tricked into setting up a connection with a fraudulent client. The intruder can subsequently use attack methods, such as exploiting trusted-host relationships, to intrude into the server machine.

A similar threat is DNS spoofing. In this type of attack, an intruder subverts a host within a network, and sets up this machine to function as an apparently legitimate name server. The host then provides bogus data about host identities and certain network services, enabling the intruder to break into other hosts within the network.

Session hijacking is another Internet security threat. The major tasks for the attacker who wants to hijack an ongoing session between remote hosts are locating an existing connection between two hosts and fabricating packets that bear the address of the host from which the connection has originated. By sending these packets to the destination host, the originating host’s connection is dropped, and the attacker picks up the connection.

Another Internet security threat is network snooping, in which attackers install programs that copy packets traversing network segments. The attackers periodically inspect files that contain the data from the captured packets to discover critical log-on information, particularly user IDs and passwords for remote systems. Attackers subsequently connect to the systems for which they possess the correct log-on information and log on with no trouble. Attackers targeting networks operated by ISPs have made this problem especially serious, because so much information travels these networks. These attacks demonstrate just how vulnerable network infrastructures are; successfully attacking networks at key points, where routers, firewalls, and server machines are located, is generally the most efficient way to gain information allowing unauthorized access to multitudes of host machines within a network.

A significant proportion of attacks exploit security exposures in programs that provide important network services. Examples of these programs include sendmail, NFS, and NIS. These exposures allow intruders to gain access to remote hosts and to manipulate services supported by these hosts or even to obtain superuser access. Of increasing concern is the susceptibility of WWW services and the hosts that house these services to successful attack. The ability of intruders to exploit vulnerabilities in HTTP and in Java, a programming language used to write WWW applications, seems to be growing at an alarming rate.

Until a short time ago, most intruders attempted to cover up indications of their activity, often by installing programs that selectively eliminated data from system logs. They also avoided causing system crashes, massive slowdowns, or disruption. However, a significant proportion of the perpetrator community has apparently shifted its strategy by increasingly perpetrating denial-of-service attacks. For example, many types of hosts crash or perform a core dump when they are sent a PING packet that exceeds a specified size limit or when they are flooded with SYN packets that initiate host-to-host connections. (PING is a service used to determine whether a host on a network is up and running.) These denial-of-service attacks make up an increasing proportion of observed Internet attacks. They represent a particularly serious threat, because many organizations require continuity of computing and networking operations to maintain their business operations.
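The packet-filtering rules a firewall would apply against the IP spoofing threat described earlier and the oversized-PING and SYN-flood attacks just described, as an added example that is not from the chapter; the internal network range, the thresholds, and the packet records are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed policy: the firewall protects 10.1.0.0/16 (assumed internal network).
INTERNAL = ip_network("10.1.0.0/16")
MAX_ICMP_BYTES = 65535      # a reassembled datagram above this is the oversized PING
SYN_FLOOD_THRESHOLD = 100   # SYNs tolerated from one source before rate-limiting

def is_spoofed(pkt):
    """Anti-spoofing rule pair: a packet arriving on the external interface must
    not claim an internal source, and a packet leaving via the internal interface
    must carry an internal source (blocks outbound spoofing from our own hosts)."""
    src = ip_address(pkt["src"])
    if pkt["iface"] == "external" and src in INTERNAL:
        return True
    if pkt["iface"] == "internal" and src not in INTERNAL:
        return True
    return False

def filter_packets(packets):
    """Return (accepted, dropped); dropped entries are (packet, reason) tuples."""
    accepted, dropped = [], []
    syn_count = Counter()   # half-open connection attempts per source address
    for pkt in packets:
        if is_spoofed(pkt):
            dropped.append((pkt, "spoofed source address"))
        elif pkt["proto"] == "icmp" and pkt.get("len", 0) > MAX_ICMP_BYTES:
            dropped.append((pkt, "oversized ping"))
        elif pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            syn_count[pkt["src"]] += 1
            if syn_count[pkt["src"]] > SYN_FLOOD_THRESHOLD:
                dropped.append((pkt, "syn flood rate exceeded"))
            else:
                accepted.append(pkt)
        else:
            accepted.append(pkt)
    return accepted, dropped

# Constructed traffic sample (not real captures): one inbound packet forging an
# internal address, one outbound packet forging an external address, one oversized
# ping, one legitimate SYN, and 101 SYNs from a single source.
SAMPLE = [
    {"iface": "external", "src": "10.1.2.3", "proto": "tcp", "flags": "S"},
    {"iface": "internal", "src": "192.0.2.1", "proto": "tcp", "flags": "S"},
    {"iface": "external", "src": "198.51.100.7", "proto": "icmp", "len": 70000},
    {"iface": "external", "src": "203.0.113.5", "proto": "tcp", "flags": "S"},
] + [{"iface": "external", "src": "203.0.113.9", "proto": "tcp", "flags": "S"}] * 101
```

Calling `filter_packets(SAMPLE)` drops the two spoofed packets, the oversized ping, and the 101st SYN from the flooding source, and accepts the remaining 101 packets.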

Not to be overlooked is another type of security threat called social engineering. Social engineering is fabricating a story to trick users, system administrators, or help desk personnel into providing information required to access systems. Intruders usually solicit passwords for user accounts, but information about the network infrastructure and the identity of individual hosts can also be the target of social engineering attacks.

INTERNET SECURITY CONTROLS

As previously mentioned, Internet security threats pose a challenge because of their diversity and severity. An added complication is an abundance of potential solutions.

Encryption

Encryption is a process of using an algorithm to transform cleartext information into text that cannot be read without the proper key. Encryption protects information stored in host machines and transmitted over networks. It is also useful in authenticating users to hosts or networks. Although encryption is an effective solution, its usefulness is limited by the difficulty in managing encryption keys (i.e., of assigning keys to users and recovering keys if they are lost or forgotten), laws limiting the export and use of encryption, and the lack of adherence to encryption standards by many vendors.

Copyright © CRC Press LLC