Previous Table of Contents Next


SECURITY COMPROMISES IN FIREWALLS

Firewalls, like many other security systems, are not perfect. The compromise or trade-off that they usually represent is between ease of use and security. The more rigorously the firewall checks the user’s identity and activity, the more likely the user is to feel interrupted, pestered, and resentful. When choosing a firewall, user resentment should not be discounted as a factor in the decision-making process. Many sites with firewalls have internal networks festooned with uncontrolled dial-in and dial-out modems installed by users to bypass the firewall by subscribing to commercial online services. If the security system chosen is not useful and easy to use, end users will bypass it, unless there is sufficient authority to prevent them.

Proxy firewalls provide more effective auditing and tighter access control than screening router firewalls, but many do not have sufficient capacity to support network connections faster than ethernet speed. If an organization plans on using ATM networks or T3 lines, the only choice may be to use a screening router type firewall.

CASE STUDIES

Following below are three situations where firewalls need to be employed, but the nature of those individuals seeking Internet connectivity presents some interesting challenges. The first two, academia and research laboratories, present common difficulties, and the third, electronic commerce applications, presents other obstacles to implementing a secure Internet connection.

An Academic Organization

Academic organizations, such as universities, typically have the most difficulty setting up a firewall. This may be due to notions of academic freedom and that the user community usually wants to experiment with a variety of features of the network. These users may also tend to resent or circumvent a firewall that interferes with their activities. Moreover, academic organizations often have independent departmental budgets and semi-autonomous use of the campus network, which makes it difficult to enforce a common security approach. If one department in the university installs a security system that interferes with the others, they can and do simply purchase new network links to bypass it. One approach that seems to work for academia is to isolate critical computing systems behind internal firewalls. Systems where student records, loan information, and paychecks are processed should be isolated from the main campus networks by placing them behind screening routers or commercial firewalls.

A Research Laboratory

Research laboratories are often another difficult case. Scientists expect to use the network for collaboration and research access to late-breaking information. In many cases, however, the research may be economically significant and should be protected. Systems where patent applications or designs for proprietary products reside, for example, should be isolated and protected; or a second network, which is Internet accessible and physically separate from the internal research network, should be considered.

Research laboratories have many of the same problems as academia, because they tend to have user communities that want to be on the cutting edge and they will not tolerate interference. Perhaps more than anything else, it is important to get staff to recognize that intellectual property must be protected. Many research laboratories are connected to the Internet behind commercial proxy-based firewalls that are fairly conservative but which permit access to the Web and other sources of information. Other research laboratories rely on separated networks or isolated systems for storing proprietary information.

An Electronic Commerce Application

As electronic commerce becomes more important, the need to pass commercial traffic into and out of firewalls will become more crucial. Service-oriented requirements analysis is a useful tool for designing and implementing such systems. For example, suppose that an organization wants to put a Web server on an external network and to provide database access of some sort to a system behind a firewall. In this case, the requirement is to get data back and forth for SQL only. A screening router firewall configured to just allow the SQL data between the outside Web server and the inside server might be chosen. A commercial firewall that permitted some kind of generic proxy or which supported a SQL service might be another option.

MANAGERIAL ISSUES

Previously discussed have been the common security issues surrounding firewalls. Other managerial issues, such as maintenance, building a firewall (as opposed to purchasing a ready-made one), and answering the question is it secure, must be considered.

Maintaining Typical Firewalls

Typical firewalls require about an hour of labor power per week to maintain. This hour does not include the other Internet-related time that the firewall administrator (or someone) will expend. Internet connectivity requires someone to act as postmaster for E-mail, Webmaster (potentially), FTP maintainer, and USENET news manager.

Each of these tasks are time-consuming, and each can become a full-time job for an individual. Often, the firewall administrator becomes responsible for a lot of tasks in addition to firewall maintenance. He or she is usually the first person contacted or interrupted when someone detects a problem or cannot get their Web browser to talk to the firewall, for example.

Building a Firewall

A number of tools are available for building a firewall. Trusted Information Systems, Inc.’s Internet Firewall Toolkit is a freely available reference implementation of a set of firewall application proxies. It is available through anonymous FTP from ftp://ftp.tis.com/pub/firewalls/toolkit. When building a firewall by using a router or a router and the toolkit, the router’s built-in screening can be advantageous. Brent Chapman and Elizabeth Zwicky’s book on firewalls, Building Internet Firewalls, describes some approaches to setting up a screening router.

An important factor to weigh when deciding whether to build or buy a firewall is the cost of staff time. Having an employee devote a week to building a firewall may not be cost effective. In addition, providing support over the long term will further increase costs.

Before such a variety of commercial firewalls were available, many companies hired consultants to build their firewalls. Today, this is not a cost-effective option, because consultants eventually cost more than purchasing a commercial firewall, and it may not be able to be supported or enhanced over time.


Previous Table of Contents Next

Copyright © CRC Press LLC