The Internet is a world-wide collection of networks that all use a common protocol for communications. Many organizations are in the process of connecting to the Internet to take advantage of Internet services and resources. Businesses and agencies are now using the Internet or considering Internet access for a variety of purposes, including exchanging e-mail, distributing agency information to the public, and conducting research. Many organizations are connecting their existing internal local area networks to the Internet so that local area network workstations can have direct access to Internet services.
Internet connectivity can offer enormous advantages; however, security needs to be a major consideration when planning an Internet connection. There are significant security risks associated with the Internet that often are not obvious to new (and existing) users. In particular, intruder activity, as well as vulnerabilities that could assist intruder activity, is widespread. Intruder activity is difficult to predict and at times can be difficult to discover and correct. Many organizations already have lost productive time and money in dealing with intruder activity; some organizations have had their reputations suffer as a result of intruder activity at their sites being publicized.
This publication focuses on security considerations for organizations considering Internet connections as well as for organizations already connected to the Internet. In particular, this document focuses on Internet firewalls as one of the mechanisms and methods used for protecting sites against Internet-borne threats. This document recommends that organizations use firewall technology and other related tools to filter connections and limit access. This document is an expansion of the issues and guidance contained in NIST CSL Bulletin, Connecting to the Internet: Security Considerations.
Purpose
The purpose of this document is to provide a basis of understanding of how firewalls work and the steps necessary for implementing firewalls. Users can then use this document to assist in planning or purchasing a firewall. This document does not explain how to build a firewall; references are provided for more detailed information.
Audience
The intended audience of this publication is technical-level management, i.e., those individuals who may be responsible for implementing or maintaining Internet connections. This document would also be appropriate for other management who wish to learn more about Internet security issues.
Some technical background in computer security and computer network communications is assumed. However, this document is intended to be a starting point; more detailed information about Internet security and firewalls can be found in the references section.
Document Structure
This document begins with an overview of the Internet and common services. It describes Internet-related security problems in detail by examining problems with various TCP/IP services and by examining other factors that have caused the Internet to grow less secure. Chapter 2 discusses firewalls, their benefits as well as their disadvantages, and then the various firewall components, including advanced authentication measures and network access policy. Chapter 3 describes several firewall configurations that illustrate how the firewall components fit together and can be used to implement various policies. Chapter 4 discusses procurement, administrative issues, and other actions sites should take to secure their Internet-connected systems. Appendix A provides pointers to other books and information about firewalls and Internet security. Appendix B contains a collection of frequently asked questions about firewalls that is available on-line (see Appendix B for more information).
Terminology
Internet firewalls are often referred to as secure Internet gateways in other literature. This document uses firewall to refer to a secure Internet gateway.
A firewall, as defined in this document, includes a number of items such as policy, network arrangement, and technical controls and procedures. This document uses firewall system when referring to the hosts or routers that implement the firewall.
This document, when referring to a network protected by a firewall, uses protected subnet or protected LAN (Local Area Network).
Some people dispute whether TCP/IP protocols should be referred to as protocols or services. It could be argued, for example, that TELNET is a protocol, a service, or a command. Where it makes obvious sense, this document uses protocol, otherwise it uses service.
This document uses application gateways to refer to some firewall systems as opposed to bastion hosts.
As much as possible, this document avoids using terms such as hacker and cracker, and uses instead the less ambiguous intruder and attacker.
Background
The Internet is a vital and growing network that is changing the way many organizations and individuals communicate and do business. However, the Internet suffers from significant and widespread security problems. Many agencies and organizations have been attacked or probed by intruders, with resultant high losses to productivity and reputation. In some cases, organizations have had to disconnect from the Internet temporarily, and have invested significant resources in correcting problems with system and network configuration. Sites that are unaware of or ignorant of these problems face a significant risk that they will be attacked by network intruders. Even sites that do observe good security practices face problems with new vulnerabilities in networking software and the persistence of some intruders.
A number of factors have contributed to this state of affairs. The fundamental problem may be that the Internet was not designed to be very secure, i.e., open access for the purposes of research was the prime consideration at the time the Internet was implemented. However, the phenomenal success of the Internet in combination with the introduction of different types of users, including unethical users, has aggravated existing security deficiencies to the extent that wide-open Internet sites risk inevitable break-ins and resultant damages. Other factors include the following:
- vulnerable TCP/IP services - a number of the TCP/IP services are not secure and can be compromised by knowledgeable intruders; services used in the local area networking environment for improving network management are especially vulnerable,
- ease of spying and spoofing - the majority of Internet traffic is unencrypted; e-mail, passwords, and file transfers can be monitored and captured using readily-available software, intruders can then reuse passwords to break into systems,
- lack of policy - many sites are configured unintentionally for wide-open Internet access without regard for the potential for abuse from the Internet; many sites permit more TCP/IP services than they require for their operations and do not attempt to limit access to information about their computers that could prove valuable to intruders, and
- complexity of configuration - host security access controls are often complex to configure and monitor; controls that are accidentally misconfigured often result in unauthorized access.
Solutions
Fortunately, there are readily-available solutions that can be used to improve site security. A firewall system is one technique that has proven highly effective for improving the overall level of site security. A firewall system is a collection of systems, routers, and policy placed at a site's central connection to a network. A firewall forces all network connections to pass through the gateway where they can be examined and evaluated, and provides other services such as advanced authentication measures to replace simple passwords. The firewall may then restrict access to or from selected systems, or block certain TCP/IP services, or provide other security features. A well-configured firewall system can also act as an organization's "public-relations vehicle" and can help to present a favorable image of the organization to other Internet users.
A simple network usage policy that can be implemented by a firewall system is to provide access from internal to external systems, but little or no access from external to internal systems. However, a firewall does not negate the need for stronger system security. There are many tools available for system administrators to enhance system security and provide additional logging capability. Such tools can check for strong passwords, log connection information, detect changes in system files, and provide other features that will help administrators detect signs of intruders and break-ins.
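The policy just described (connections initiated from inside are permitted, connections initiated from outside are denied apart from a short list of published services, and every packet crossing the gateway is examined) can be expressed as a small policy engine. The following is an added illustration, not code from this NIST document or from any particular firewall product. The protected subnet 192.0.2.0/24, the outside addresses, the single permitted inbound service (a mail relay on port 25), and the sample packets are all constructed values; the engine also drops packets that arrive on the outside interface claiming an internal source address, which is the spoofing problem mentioned in the Background section.

```python
"""Added example: a minimal policy-driven packet filter for a site gateway.
Everything below (addresses, services, packets) is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed protected subnet (a documentation address range, not a real site).
PROTECTED_LAN = ipaddress.ip_network("192.0.2.0/24")

# Assumed policy exception: the one (host, port) the outside may open a connection to.
INBOUND_ALLOWED = {("192.0.2.10", 25)}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for the first packet of a TCP connection


class Firewall:
    """Every packet between the protected LAN and the Internet passes through decide()."""

    def __init__(self, protected, inbound_allowed):
        self.protected = protected
        self.inbound_allowed = inbound_allowed
        self.sessions = set()   # 4-tuples of connections initiated from inside
        self.log = []           # (verdict, reason, packet) records for the administrator

    def _internal(self, addr):
        return ipaddress.ip_address(addr) in self.protected

    def decide(self, pkt):
        verdict, reason = self._evaluate(pkt)
        self.log.append((verdict, reason, pkt))
        return verdict

    def _evaluate(self, pkt):
        src_in, dst_in = self._internal(pkt.src), self._internal(pkt.dst)
        # Anti-spoofing: a packet from the Internet must not claim an internal source,
        # and a packet from the LAN must not claim an external one.
        if pkt.iface == "outside" and src_in:
            return "DENY", "spoofed internal source on outside interface"
        if pkt.iface == "inside" and not src_in:
            return "DENY", "non-internal source on inside interface"
        if src_in and not dst_in:
            # Outbound: permitted; remember the connection so its replies can return.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW", "outbound connection from protected LAN"
        if dst_in and not src_in:
            if not pkt.syn and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "ALLOW", "reply to inside-initiated connection"
            if pkt.syn and (pkt.dst, pkt.dport) in self.inbound_allowed:
                return "ALLOW", "inbound service permitted by policy"
            return "DENY", "inbound connection not permitted by policy"
        return "DENY", "traffic does not cross the gateway"


def run_sample():
    """Run constructed traffic through the policy and return the verdicts in order."""
    fw = Firewall(PROTECTED_LAN, INBOUND_ALLOWED)
    traffic = [
        Packet("inside", "192.0.2.15", 40000, "198.51.100.7", 80, True),    # LAN host opens a web connection
        Packet("outside", "198.51.100.7", 80, "192.0.2.15", 40000, False),  # the web server's reply
        Packet("outside", "198.51.100.7", 40001, "192.0.2.15", 23, True),   # outside host tries TELNET inward
        Packet("outside", "203.0.113.9", 5555, "192.0.2.10", 25, True),     # outside host delivers mail to the relay
        Packet("outside", "203.0.113.9", 5555, "192.0.2.15", 40000, False), # fake "reply" to a session it never saw
        Packet("outside", "192.0.2.99", 1234, "192.0.2.15", 22, True),      # outside packet with forged LAN source
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    fw = Firewall(PROTECTED_LAN, INBOUND_ALLOWED)
    for verdict in run_sample():
        print(verdict)
```

The session table is what lets the gateway honour "access from internal to external systems" without opening the LAN to unsolicited inbound connections: a reply is accepted only if it matches a connection the LAN initiated, and everything else inbound must be on the explicit exception list. The `log` list stands in for the connection logging that the text says such tools should provide.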
Recommendations
NIST recommends that agencies and organizations, prior to connecting to the Internet, develop policy that clearly identifies the Internet services they will be using and how those services will be used. The policy should be clear, concise, and understandable, with a built-in mechanism for changing the policy. Organizations should strongly consider using firewall systems as part of the implementation of that policy. NIST also recommends that agencies and organizations use advanced authentication measures, i.e., smartcards, authentication tokens, or other one-time password mechanisms, as an integral part of firewalls for authenticating connections to site systems.
