Firewalls: Are We Asking Too Much?
Allowing a new service through a firewall is easy. Doing it while maintaining the same high level of security isn't.
Another magazine cover story on firewalls? Aren't they old news by now? In Internet time, don't they fall into the category of "old, stable technology"?
It's true that Internet firewalls have been around a long time, particularly when measured in Internet years. Firewalls are also the oldest Internet security sub-industry (yes, antivirus software has been around longer, but it started on, and still primarily protects, the desktop).
Many of the changes and additions made to firewalls since then are useful. Some are just responses to market demand. Others may be dangerous. It's possible to add feature upon feature to an Internet firewall and thereby decrease, rather than increase, a network's security. But I'm getting a little ahead of myself, so let's back up and start with some basics.
Early Days: Separating "Us" From "Them"
The original, and still useful, definition of an Internetwork firewall came from Bill Cheswick and Steve Bellovin in their book, Firewalls and Internet Security: Repelling the Wily Hacker (Addison-Wesley, 1994). To paraphrase, Cheswick and Bellovin said that a firewall is a single point between two or more networks (a) through which all traffic must pass (a chokepoint), (b) with which traffic can be controlled and often authenticated and (c) in which all traffic is logged. The earliest firewalls were network routers; as they segmented LANs, they limited the damage that could spread from one sub-network to another (e.g., due to misconfiguration).
The first security firewalls were also built on routers. Filtering rules on the routers allowed "permit and deny" decisions to be made based on the source, destination and type of IP packet.
As more businesses connected to the Internet, awareness of Internet security issues grew, spurred by incidents such as the Morris Worm, which demonstrated just how vulnerable we really were. The need for better (read: more granular) security led some vendors (notably DEC and AT&T) to develop their own solutions for secure Internet access, some of which were then turned into commercial products. These early firewalls (from DEC, Raptor, ANS and TIS) concentrated on securely providing the basics: Telnet, FTP, e-mail and Usenet news.
Then, everything changed, beginning with the definition of "the basics." To the above list users added Web access, streaming audio and video services, news and weather feeds, audio and video conferencing, voice-over IP and other services. Firewalls were no longer called upon merely to "separate us from them, for arbitrary values of them," in the oft-quoted words of Dr. Bellovin.
The Demand for Add-Ons
The evolution of how we use firewalls mirrors the changes in how we use computers. Our use has evolved from mainframes in glass rooms to PCs on our desks to networked computers and Internet access. The requirements have always included "access": first to computer cycles, then to a computer, then to a network, then to the Internet. Sharing information and communications has always been a requirement as well. But the objects of communications moved from on-site co-workers to co-workers in other cities to business partners to customers and, finally, to prospective customers and, indeed, the whole world.
Responding to this change in requirements, firewall technology has become more complex. It would be nice to say that firewalls started off as simple packet filters, moved toward more security with application gateways, branched off into stateful inspection, and evolved to today's superior "hybrid" firewall. It makes a nice diagram. But unfortunately, it's not true. Today, we can talk of filter-based, proxy-based and hybrid firewalls, from simple appliances all the way to multipurpose servers.
At the same time, firewalls have had new services added to their basic set of duties, as mentioned above. In addition to new network services, firewalls have become the base system for other network and security services.
Authentication. One of the first additions to firewalls was user-level authentication. This made sense, since firewalls were asked to control access through the firewall from the untrusted network, allowing users from home or elsewhere to access information and other assets on the private side of the firewall. Authentication was a reasonable extension to the role of firewall as access control.
Encryption. The next "add-on" was firewall-to-firewall (and then firewall-to-mobile PC) encryption. Virtual private networks (VPNs) provide confidentiality of transmissions (as well as authentication and integrity). While there are stand-alone VPN devices, making the VPN mechanism a part of the firewall is also a reasonable extension. To work well, there has to be close interaction between the devices. While a firewall is primarily an access control device, both firewalls and VPNs are, generally speaking, prevention devices. Close interaction allows VPN access to the entire internal network from the outside (as in office-to-office VPNs), or confidentiality with the firewall enforcing access control (as in connections between a consumer and a supplier).
QoS. Recently, some firewalls have rolled out quality of service (QoS) features as well. QoS allows the owner of the Internetwork gateway to control how much of a particular network connection will be dedicated to (or allowed by) a particular service. For example, you could ensure that incoming Web connections (say, from a customer or supplier) were given priority over inside-out connections. Or, you could make sure that someone downloading a very large file (say, the latest version of Internet Explorer or Communicator) doesn't clog up the Internet gateway, making access miserable for everyone else.
Arguably, QoS is a function that should be handled by the Internet router. On the other hand, it is an access control function, and thus fits on a firewall platform. Moreover, some vendors, notably Check Point, have built their QoS engine using the same technology that's in their firewall. The philosophy here seems to be that access control is access control.
Screening. Content screening is now a part of just about every firewall's architecture. Content screening includes virus scanning, URL (Web site) filtering and screening for key words (typically in inside-to-outside e-mail). Though some have argued that virus scanning on the desktop, even with marginal coverage, is more beneficial than scanning at the gateway, gateway scanning fits nicely into a perimeter defense model. If there weren't such a performance hit, it would be a non-issue.
How Much Is Too Much?
Authentication, VPNs, QoS, content filtering: as if these security-related add-ons weren't enough, lately there's a tendency to add non-security-related functions to the firewall as well. Firewalls now come with built-in Web servers, FTP servers and e-mail systems. Even non-security-related proxies are added to firewalls (e.g., proxy servers for streaming audio and video).
While this sort of all-in-one system has its attractive qualities, we have to keep in mind a fundamental tenet of security: Security and complexity are often inversely proportional. Also, it's usually good practice to separate functions (e.g., Web management from security management). The only practical exception to this advice is in the case of a very small organization, in which the firewall administrator is the Webmaster as well as the sysadmin for all systems. Still, the more the firewall does, the more that can go wrong. The more the services, the larger the log file. The more people logging into the firewall box to administer it, the greater the possibility a mistake will be made.
While I'll leave the market prognostications to the experts (see sidebar), I will venture a few predictions about the next generation of firewall technology. Currently, there are two interesting developments (or modifications) to the firewall model that amount to more than simply adding on another feature or increasing performance.
The first of these is something I will call "adaptive firewalls." As mentioned earlier, hybrid firewalls (those that mix filters, circuit gateways and proxies) have been around since the first commercial firewalls, and they are still around today. Since filters are less granular than circuit gateways (which, in turn, are less granular than application gateways), hybrid firewalls do not necessarily increase security, though they often increase functionality. We have to keep in mind that security mechanisms placed in parallel with each other do not usually increase security: traffic need only satisfy the weakest of them. Putting security mechanisms in series, one after the other, often does, because traffic must then satisfy all of them.
Adaptive firewalls tie filters, circuit gateways and proxies together in series. They operate in such a way that the firewall administrator has greater control over the level of security used for different servicesor, at different points in the use of those services.
For example, the administrator may decide that the security of an application gateway is required for setting up an FTP connection and processing the commands. During the actual file transfer, however, he may decide that speed is more important, thus dropping down to the granularity of a packet filter. Then, once the file is transferred, he may put the connection back into "high security" mode.
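The two ideas above, mechanisms composed in series versus in parallel and an adaptive firewall that changes inspection depth per phase of an FTP session, as an added illustration that is not from the article or from any product. The rule syntax, the Packet model, the allow list of FTP commands, the addresses (documentation ranges) and the session flow are all assumptions constructed for this example; a real firewall would track the data connection by following the PASV/PORT exchange rather than via a fixed port.

```python
# Added illustration, not from the article or any product: a toy model of
# "mechanisms in series vs. in parallel" and of an adaptive firewall that
# changes inspection depth as an FTP session moves between phases.
# The rule syntax, the Packet model, the addresses and the session itself
# are all constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


def packet_filter(rules):
    """Router-style filter: permit/deny on source, destination, protocol, port.
    rules is a list of (src_net, dst_net, proto, dport, "permit"|"deny");
    first match wins, and anything unmatched is denied."""
    compiled = [(ip_network(s), ip_network(d), p, port, act == "permit")
                for s, d, p, port, act in rules]

    def check(pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for s, d, p, port, permit in compiled:
            if src in s and dst in d and p == pkt.proto and port == pkt.dport:
                return permit
        return False
    return check


def ftp_command_gateway(allowed):
    """Application gateway: understands FTP command syntax and only lets
    through commands on the allow list. More granular than the filter, and
    more expensive, because it must parse every control-channel packet."""
    allowed = {c.upper() for c in allowed}

    def check(pkt):
        words = pkt.payload.decode("ascii", errors="replace").split()
        if not words:
            return True        # no command in this packet (e.g. a bare ACK)
        return words[0].upper() in allowed
    return check


def in_series(*checks):
    """Every mechanism must accept the packet: as strict as the strictest."""
    return lambda pkt: all(c(pkt) for c in checks)


def in_parallel(*checks):
    """Any mechanism may accept the packet: as weak as the weakest."""
    return lambda pkt: any(c(pkt) for c in checks)


class AdaptiveFtpSession:
    """Control phase: filter and gateway in series. Transfer phase: the filter
    alone, so bulk data is not parsed. The administrator's trade-off from the
    text: speed during the transfer, granularity before and after it."""

    def __init__(self, filt, gateway):
        self.phase = "control"
        self.policy = {"control": in_series(filt, gateway), "transfer": filt}

    def inspect(self, pkt):
        ok = self.policy[self.phase](pkt)
        first = pkt.payload.split()[:1]
        if ok and self.phase == "control" and first and first[0].upper() in (b"RETR", b"STOR"):
            self.phase = "transfer"   # an accepted RETR/STOR opens the data phase
        return ok

    def transfer_complete(self):
        self.phase = "control"        # back to full inspection


# Constructed ruleset: only the FTP control port and one passive data port
# on the (documentation-range) server 192.0.2.10 are reachable from outside.
RULES = [
    ("0.0.0.0/0", "192.0.2.10/32", "tcp", 21, "permit"),
    ("0.0.0.0/0", "192.0.2.10/32", "tcp", 50000, "permit"),
]


def run_scenario():
    """Drive both compositions and the adaptive session with constructed packets."""
    filt = packet_filter(RULES)
    gw = ftp_command_gateway(["USER", "PASS", "RETR", "STOR", "QUIT"])

    def ctl(data=b""):
        return Packet("198.51.100.5", "192.0.2.10", "tcp", 21, data)

    def data(payload):
        return Packet("198.51.100.5", "192.0.2.10", "tcp", 50000, payload)

    telnet = Packet("198.51.100.5", "192.0.2.10", "tcp", 23)
    unwanted = ctl(b"DELE report.txt\r\n")   # valid FTP, but not on the allow list
    r = {
        "telnet_denied_by_filter": filt(telnet),
        "series_blocks_dele": in_series(filt, gw)(unwanted),
        "parallel_passes_dele": in_parallel(filt, gw)(unwanted),  # filter alone suffices
    }
    sess = AdaptiveFtpSession(filt, gw)
    r["control_blocks_dele"] = sess.inspect(unwanted)
    r["retr_accepted"] = sess.inspect(ctl(b"RETR report.txt\r\n"))
    r["phase_after_retr"] = sess.phase
    r["data_phase_not_parsed"] = sess.inspect(data(b"DELE report.txt\r\n"))  # filter only
    sess.transfer_complete()
    r["control_restored"] = sess.inspect(unwanted)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Running it shows the point of the series/parallel distinction directly: the same DELE command is stopped when filter and gateway are in series and passed when they are in parallel, because the filter alone is satisfied by port 21. It also shows the cost of the adaptive trade-off: during the transfer phase the same bytes on the data port are not parsed at all, which is exactly what the administrator is accepting in exchange for speed.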
The second development is with what I call "reactive firewalls." In the world of prevention, detection and response systems, firewalls are primarily prevention systems. They do some detection (e.g., connections to unused ports and login attempts) and responding (e.g., logging), but these are not their primary purpose.
In reactive firewalls, intrusion detection and help desk products work in concert to allow the firewall to be more active than passive. With these additions, a firewall can not only police access and services, but also change its security posture (and that of the whole network), issue pages and sound alarms.
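A reactive firewall of the kind described above, as an added illustration that is not from the article or from any product: it consumes intrusion-detection alerts, blocks sources, tightens its own posture (closing services) and records where it would issue a page. The alert line format, the thresholds, the posture table and the addresses are all assumptions constructed for this example.

```python
# Added illustration, not from the article or any product: a toy "reactive"
# firewall that consumes intrusion-detection alerts and changes its own
# security posture. The alert line format, the thresholds, the posture table
# and the addresses are all constructed for this example.
import re
from collections import Counter

ALERT_RE = re.compile(r"ids: sev=(\w+) src=([\d.]+) msg=([\w-]+) dport=(\d+)")

# Constructed alert feed in the hypothetical format above
# (203.0.113.0/24 is a documentation range, not a real attacker).
SAMPLE_ALERTS = [
    "ids: sev=low src=203.0.113.7 msg=portscan dport=23",
    "ids: sev=high src=203.0.113.7 msg=login-failure dport=21",
    "ids: sev=high src=203.0.113.7 msg=login-failure dport=21",
    "ids: sev=high src=203.0.113.9 msg=login-failure dport=21",
    "ids: sev=high src=203.0.113.11 msg=login-failure dport=21",
]

POSTURES = {              # services reachable from outside in each posture
    "normal":   {21, 25, 80, 443},
    "elevated": {25, 80, 443},     # close the service under attack (FTP)
    "lockdown": {25},              # mail only, until a person has looked
}
ORDER = ["normal", "elevated", "lockdown"]


class ReactiveFirewall:
    def __init__(self, hits_per_source=2, sources_for_lockdown=3):
        self.posture = "normal"
        self.blocked = set()
        self.high_hits = Counter()          # high-severity alerts per source
        self.actions = []                   # what the firewall did: log, block, page
        self.hits_per_source = hits_per_source
        self.sources_for_lockdown = sources_for_lockdown

    def _escalate(self, posture):
        """Posture only ever tightens automatically; relaxing is a human decision."""
        if ORDER.index(posture) > ORDER.index(self.posture):
            self.posture = posture
            self.actions.append(("page", f"posture now {posture}"))

    def handle_alert(self, line):
        m = ALERT_RE.match(line)
        if not m:
            self.actions.append(("log", "unparsed", line))
            return
        sev, src, msg, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        self.actions.append(("log", sev, src, msg, dport))
        if sev != "high":
            return                          # low severity: log only, no posture change
        self.high_hits[src] += 1
        if self.high_hits[src] >= self.hits_per_source and src not in self.blocked:
            self.blocked.add(src)           # respond: shut this source out
            self.actions.append(("block", src))
            self._escalate("elevated")
        if len(self.high_hits) >= self.sources_for_lockdown:
            self._escalate("lockdown")      # many sources: treat as a coordinated attack

    def is_allowed(self, src, dport):
        """The access-control decision the firewall would make right now."""
        return src not in self.blocked and dport in POSTURES[self.posture]


def replay(lines):
    """Feed a sequence of alert lines through a fresh firewall and return it."""
    fw = ReactiveFirewall()
    for line in lines:
        fw.handle_alert(line)
    return fw


if __name__ == "__main__":
    fw = replay(SAMPLE_ALERTS)
    print(fw.posture, sorted(fw.blocked))
    for action in fw.actions:
        print(action)
```

Note the caveat that goes with any firewall that reconfigures itself on detector input: whoever can trigger the detector can make the firewall act, so a source address that is easy to spoof becomes a way to have the firewall lock out legitimate traffic. That is why the example only tightens automatically and leaves relaxing the posture to a person.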
Firewalls: More or Less?
As business requirements change and threats and risks from the Internet grow, firewalls can certainly keep up. The question is, can they keep up and stay secure? Allowing a new service through a firewall is easy. Doing so while maintaining the same high level of security is difficult. Adding complexity to a system makes it that much harder to trust.
The pulls for change in firewalls come from many different directions: Internet users behind the firewall have new business requirements; outside crackers have new attacks; the number of targets for attack grows as more and more businesses connect to the Internet; the number of possible avenues of attack increases as we grant access to different kinds of users.
Some additions to firewalls make sense, because they enhance security. Others are almost always a bad idea. They may represent cost savings in the short run, but over time they almost always represent a decrease in security and an increase in vulnerability.
Frederick M. Avolio is a computer and network security consultant (www.avolio.com). He can be reached at email@example.com.
© 1999 Information Security Magazine. Used with permission.
Information Security, the official publication of the ICSA, is dedicated to the needs of all security-conscious IT professionals. Free to qualified readers, Information Security features in-depth articles, product announcements and more analysis of information security issues than any other trade magazine. Subscribe today!