Two broad models have been defined for discussing Network Security. In the
first, there is one insecure communications channel and four participants.
The participants are:
The other model relates to network access. In this model, there is a collection
of (hopefully) protected information systems, and a mechanism is put in place to
protect these systems from unwanted access from an insecure network. This
mechanism is essentially a gatekeeper function and is typically manifested in
some type of firewall system. The single participant in this model is the
Opponent, who is intent on achieving unauthorized access to the information
systems on the protected internal network. On the Internet, the Opponent is
typically a human; however, a growing collection of automated software tools
(and, in some cases, computer viruses) would also be classed as participants in
this model.
1.6 Firewalls
Taking its name from the construction industry, a network firewall is a
network device positioned between a network to be protected and the Internet.
In effect, a firewall is a manifestation of an organization's security policy
as it relates to in-bound network traffic arriving from the Internet, and
out-bound network traffic going to the Internet, from the protected internal
network.
Checking All Traffic - all network traffic to and from the Internet must
pass through the firewall so that it can be checked against the
organization's security policies. This checking is referred to as
filtering. Any path around the firewall makes the check worthless.
Forwarding Authorized Traffic Only - only network traffic that satisfies
the organization's security policies may pass. All other network traffic
is logged, then discarded, as it is treated as suspect (better to be
safe than sorry). In other words, the policy is default deny: whatever
is not explicitly allowed is blocked.
Avoiding Being Compromised - the firewall itself needs to be developed
in such a way that it is immune to penetration. Under no circumstances
should a 'faulty' firewall allow any network traffic to bypass the
security policies; a firewall that fails must fail closed.
When it comes to using a firewall to control access, four types of control (or
filters) can be identified, thus:
A few example rules should help clarify how packet-filtering routers are
typically configured. In the notation used here a rule has five fields: an
action (allow or block), the internal system and its protocol port-number,
then the external system and its protocol port-number, with * as a wild-card
that matches anything. A rule may look like this:
block;payroll;*;www.hotmail.com;*;
which blocks (discards) network traffic from the internal system called payroll
allow;mailsys;25;*;*;
which allows (forwards) network traffic to the internal system called mailsys
using protocol port-number 25 (the well-known protocol port-number for SMTP,
the Simple Mail Transfer Protocol, which Internet e-mail systems use to relay
mail between one another). Such network traffic is allowed from any Internet
server (the * wild-card) using any protocol port-number (the * wild-card,
again).
block;*;*;*;>1023;
which blocks (discards) all network traffic from any internal system (the *
wild-card) using any protocol port-number (the * wild-card, again) to any
external system (the * wild-card, yet again) using a protocol port-number
greater than 1023 (that is, a protocol port-number outside the range 0-1023
of the well-known protocol port-number assignments). If, as is usual, rules
are evaluated in order with the first match winning, this rule must come
after the SMTP rule above: the replies that mailsys sends from port 25 back
to a remote mail server's ephemeral port (greater than 1023) would otherwise
be discarded by it.
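The rule notation above, as an added example that is not code from the original text: a small Python filter that parses rules in the same five-field form, evaluates them first-match and discards anything unmatched, logging the discard as the "forwarding authorized traffic only" property requires. The field order is read off the descriptions of the three rules; the host names, the sample packets, and the first-match and default-deny behaviour are assumptions of this example.

```python
"""Toy packet filter for the five-field rule notation used above.

Added example. Field order (action; internal system; internal port;
external system; external port) is read off the worked descriptions of the
three rules. First-match evaluation, a final implicit block and logging of
discards are assumptions made here.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

WELL_KNOWN_MAX = 1023  # ports 0..1023 are the well-known assignments


@dataclass(frozen=True)
class Packet:
    """One datagram as the filter sees it: the endpoint on the protected
    network is always 'internal', whichever direction it is travelling."""
    internal_host: str
    internal_port: int
    external_host: str
    external_port: int


def _host_matcher(token: str) -> Callable[[str], bool]:
    """'*' matches any host name; anything else must match exactly."""
    if token == "*":
        return lambda _h: True
    return lambda h: h == token


def _port_matcher(token: str) -> Callable[[int], bool]:
    """'*' matches any port, '>N' and '<N' are comparisons, 'N' is exact."""
    if token == "*":
        return lambda _p: True
    if token[0] in "<>":
        limit = int(token[1:])
        return (lambda p: p > limit) if token[0] == ">" else (lambda p: p < limit)
    exact = int(token)
    return lambda p: p == exact


Rule = Tuple[str, Callable[[Packet], bool]]


def parse_rule(line: str) -> Rule:
    """Parse 'action;ihost;iport;ehost;eport;' into (action, predicate)."""
    fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields in {line!r}")
    action, ihost, iport, ehost, eport = fields
    if action not in ("allow", "block"):
        raise ValueError(f"unknown action {action!r}")
    ih, ip_, eh, ep = (_host_matcher(ihost), _port_matcher(iport),
                       _host_matcher(ehost), _port_matcher(eport))

    def matches(pkt: Packet) -> bool:
        return (ih(pkt.internal_host) and ip_(pkt.internal_port)
                and eh(pkt.external_host) and ep(pkt.external_port))

    return action, matches


def load_rules(text: str) -> List[Rule]:
    """One rule per line; blank lines and '#' comments are ignored."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def decide(rules: List[Rule], pkt: Packet, log: Optional[list] = None) -> str:
    """First matching rule wins. Unmatched traffic is suspect: it is logged
    and discarded (default deny)."""
    for action, matches in rules:
        if matches(pkt):
            if action == "block" and log is not None:
                log.append(f"blocked by rule: {pkt}")
            return action
    if log is not None:
        log.append(f"no matching rule, discarded: {pkt}")
    return "block"


# The three rules from the text, in the order given.
RULESET = load_rules("""
block;payroll;*;www.hotmail.com;*;
allow;mailsys;25;*;*;
block;*;*;*;>1023;
""")

if __name__ == "__main__":
    events: list = []
    # Constructed sample traffic, not captured data.
    for pkt in (Packet("payroll", 3456, "www.hotmail.com", 80),
                Packet("mailsys", 25, "mail.example.org", 40000),
                Packet("ws1", 5000, "example.net", 8080),
                Packet("ws1", 5000, "example.net", 80)):
        print(decide(RULESET, pkt, events), pkt)
    print(*events, sep="\n")
```

Running the module shows the SMTP reply (mailsys port 25 to a remote ephemeral port 40000) being allowed by the second rule even though the third rule would also match it; load the same rules with the ">1023" rule first and the same packet is blocked, which is the ordering caveat noted above.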
The IP Spoofing attack attempts to send network traffic from the Internet
through the firewall by forging the Source IP Address of the IP datagram. By
setting the source IP address to an address on the protected side of the
firewall (that is, the address of an internal network device), an attacker
can get spoofed network traffic onto the protected network if the
packet-filtering router has been configured to pass all traffic with a source
IP address on the protected network. This is easily dealt with by arranging
that the packet-filtering router only passes a datagram claiming to be from
the protected internal network if it actually arrives on the protected
internal network's router interface: the router cannot verify the source
address itself, but it does know which interface the datagram came in on.
The Source Route attack exploits an option built into IPv4 which allows the
sender to explicitly direct an IP datagram along a specified route into or
out of the protected internal network, overriding the routing decisions that
the filter relies on. This can sometimes result in the packet-filtering
router allowing such traffic through. The solution is to discard any IP
datagram carrying this option, whether the network traffic is inbound or
outbound.
The Small Fragment attack creates IP datagrams that are both fragmented and
very small: so small, in fact, that the TCP header does not fit into the
first fragment but is split across a collection of IP datagram fragments. A
packet-filtering router that makes its decision on the first fragment alone
(where the port numbers and flags normally are) may then pass traffic that
ought not to pass. The solution is to inspect all IP datagrams and discard
any fragmented TCP datagram whose first fragment is too small to hold the
complete TCP header (and, as RFC 1858 also recommends, any fragment with
offset 1, since it could overwrite the flags field of the fragment before it).
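The three countermeasures just described (ingress-interface check for spoofing, rejection of the source-route option, and the tiny-fragment rule), as an added example that is not code from the original text. The datagram model, the interface names eth0/eth1 and the 10.0.0.0/8 internal network are assumptions; the fragment thresholds follow RFC 1858. The spoof check also applies the mirror rule (an external source address leaving via the internal interface), which goes beyond what the text describes.

```python
"""Per-datagram checks against IP spoofing, source routing and tiny
fragments. Added example: the datagram model, interface names and the
internal network are assumptions. Fragment thresholds follow RFC 1858.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

IPPROTO_TCP = 6
IPOPT_LSRR = 131       # loose source and record route (IP option type byte)
IPOPT_SSRR = 137       # strict source and record route
TCP_HEADER_MIN = 20    # bytes; a first fragment shorter than this cannot carry the flags


@dataclass
class Datagram:
    iface: str                 # interface the datagram arrived on
    src: str                   # source IP address as written in the header
    dst: str
    proto: int
    options: List[int] = field(default_factory=list)  # IP option types present
    frag_offset: int = 0       # in 8-byte units, as in the IP header
    more_fragments: bool = False
    payload_len: int = 0       # bytes following the IP header in this fragment


@dataclass
class Policy:
    internal_net: str = "10.0.0.0/8"   # assumed protected address range
    internal_iface: str = "eth1"       # assumed interface facing the protected LAN


def spoof_check(d: Datagram, p: Policy) -> str:
    """A datagram claiming an internal source must arrive on the internal
    interface. The mirror rule (external source, internal interface) is
    egress filtering, beyond the text, and stops the protected network
    being used to spoof others."""
    internal_src = ip_address(d.src) in ip_network(p.internal_net)
    if internal_src and d.iface != p.internal_iface:
        return "internal source address arrived on external interface"
    if not internal_src and d.iface == p.internal_iface:
        return "external source address arrived on internal interface"
    return ""


def source_route_check(d: Datagram) -> str:
    """Refuse the option in both directions, as the text recommends."""
    if any(opt in (IPOPT_LSRR, IPOPT_SSRR) for opt in d.options):
        return "source-route option present"
    return ""


def tiny_fragment_check(d: Datagram) -> str:
    """RFC 1858: first TCP fragment must hold the whole TCP header, and a
    fragment at offset 1 is dropped because it would overwrite the flags."""
    if d.proto != IPPROTO_TCP:
        return ""
    fragmented = d.more_fragments or d.frag_offset > 0
    if fragmented and d.frag_offset == 0 and d.payload_len < TCP_HEADER_MIN:
        return "first fragment too small to hold the TCP header"
    if d.frag_offset == 1:
        return "fragment at offset 1 could overwrite TCP flags"
    return ""


def inspect_datagram(d: Datagram, p: Policy = Policy()) -> Tuple[str, str]:
    """Return ('drop', reason) for the first failed check, else ('pass', '')."""
    for reason in (spoof_check(d, p), source_route_check(d),
                   tiny_fragment_check(d)):
        if reason:
            return "drop", reason
    return "pass", ""


if __name__ == "__main__":
    # Constructed datagrams, not captured traffic.
    samples = [
        Datagram("eth0", "10.1.2.3", "10.0.0.5", IPPROTO_TCP),             # spoofed
        Datagram("eth0", "198.51.100.7", "10.0.0.5", IPPROTO_TCP,
                 options=[IPOPT_LSRR]),                                   # source routed
        Datagram("eth0", "198.51.100.7", "10.0.0.5", IPPROTO_TCP,
                 more_fragments=True, payload_len=8),                     # tiny fragment
        Datagram("eth0", "198.51.100.7", "10.0.0.5", IPPROTO_TCP,
                 more_fragments=True, payload_len=1400),                  # ordinary fragment
    ]
    for s in samples:
        print(inspect_datagram(s), s.src, "->", s.dst, "via", s.iface)
```

The checks run before any port-based rule is consulted, which is the point: a spoofed or source-routed datagram, or a fragment too short to carry the TCP flags, never reaches the rule table and so cannot be matched by an allow rule.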
Unlike firewalls based on packet-filtering technology, which operate at the
Network and Transport Layers, the Application-Level Gateway acts as a proxy
on behalf of users on the protected internal network, and on behalf of
unknown users on the Internet. In effect, the application-level gateway
stands in for the internal network user when communicating with the insecure
Internet, for both inbound and outbound network traffic; because it speaks
the application protocol itself, it can inspect and restrict individual
protocol commands rather than just addresses and port-numbers.
The Circuit-Level Gateway does not allow a TCP connection between two
end-points (one internal and the other external) to come into existence.
Instead, the circuit-level gateway establishes two TCP connections: one
between itself and a user of the internal protected network, and another
between itself and an external network device on the Internet. These
connections are only established if they are determined to be allowed; once
they are established, all network traffic is relayed between the internal
user and the external network device without further checking of its
content. What constitutes an 'allowed' connection is determined by the local
network manager and his or her level of trust in the users of the internal
protected network.
The term Bastion Host refers to a networked system that plays a central role
in implementing a firewall for a protected internal network. In effect, the
bastion host runs the application-level gateway or the circuit-level gateway.
The bastion host has a number of characteristics. It typically runs a secure
operating system (often referred to as a trusted system). Only those services
that are required are installed as proxies on the bastion host, and they are
usually configured to allow a restricted set of functionality, in addition to
running within chrooted sand-boxes. Each proxy is designed to operate in
isolation: if a proxy is compromised or goes off-line, the other proxies
installed on the bastion are not affected.
Of course, it is far from the case that only one of the types of firewall
system discussed in the last section is deployed in an attempt to secure a
protected internal network. Typically, sites implement a combination of
firewall mechanisms. Three popular configurations are described in the
subsections which follow.
work traffic is blocked (that is, discarded). Note that, with this configuration,
both network-level and application-level filtering is occurring (as the bastion
host is acting as the sole proxy to services on the Internet and services on
the protected internal network). This is seen as this configuration's greatest
advantage, coupled with the fact that an intruder needs to compromise two
firewall systems in order to attack the protected internal network.
Note that the bastion host is connected to the protected internal network
with a single connection (that is, the bastion host is single-homed). This
can, under extreme circumstances, cause security problems. Specifically, if
the packet-filtering router is compromised, network traffic will no longer be
'forced' to travel through the bastion host, but could instead travel to any
network-attached device which shares the bastion host's LAN segment.
traffic to and from the bastion host from the protected internal network.
1.8 Conclusion
4. Such a LAN segment is often referred to as a demilitarized zone or DMZ.