Network lockdown
Firewalls are only the first car in a long train of security best practices.
By Joe Rudich
Long before the Information Superhighway, America was linked by the Iron Roadway. Like the Internet, it was virtually impossible to accurately gauge its value or its cost. And like the engines of the Internet, the steam engines that plied the transcontinental railroad had their own security problems. They even used firewalls to solve some of them.
Firewalls of the Computer Age are devices that filter data packets sent to a private network from the Internet. Their purpose is to block unwanted packets, such as viruses or probes from hackers. The Age of Steam’s firewall was a thick iron wall separating the engine compartment from passengers (the killer application). The firewall was needed because packets (or, rather, grains) of coal dust could infiltrate the engine compartment and start a fire. Note, however, two key features of those iron firewalls: They did not cure every security problem (such as raids by bandits), and they did not protect the engineers within the locomotive.
The latter may be an especially interesting analog for today’s network administrators: Even with a firewall in place, you can get burned. “I don’t think you can rely on any one security technique,” says Michele Delio, a security analyst for Wired Magazine. “A multitiered approach to security is far more effective. If one of your defenses falls, it’s good to have some backup defenses that can halt, or at least slow, the activities of a malicious hacker.”
“Too many companies install a firewall, and then are lulled into a false sense of security,” says Michelle Drolet, CEO of Conqwest, a Holliston, Mass.-based Internet security firm. “Firewalls alone only do about 75 to 80 percent of the job. The rule of thumb is, if you want to make sure it gets between person A and person B, and no one in between can use it, encrypt it.”
“Firewalls have given the corporate world a false sense of security on the Internet,” claims Bruce Schneier, founder of Counterpane Internet Security. “They are an important part of any company’s network security, but they can’t do it all. Important, yes. A panacea, no.”
Cracks in the firewall
Ten years ago, many CIOs found the Internet more frightening than thrilling, and security risks were the chief reason. Somewhere between then and now, something allayed those fears. In most business organizations, the firewall is what soothed the nerves of CIOs. There are more than 100 different firewall products currently available, and more are introduced all the time. Firewalls have become essential equipment for private LANs, and the cornerstone of many data security plans.
The firewall idea and products deserve the high esteem they command. Isolation (or one-way isolation) of private LANs at the protocol (TCP/IP) level has proven highly effective in thwarting network attacks. A firewall is a good security cornerstone; it may only prove to be a vulnerability if it is relied upon as the only stone in that defense. Unfortunately, some LAN administrators seem to read about new operating-system exploits and think, “We won’t be affected because we can rely on our firewall.”
In many ways, the appeal of the firewall is its nearly universal power. By their nature, restrictions on specific computers or transactions are specific in their scope. Their deployment, configuration, or maintenance must be performed repeatedly in any LAN environment. IPSec, for example, a powerful security/encryption system, requires configuration on each and every computer. Set up a firewall, though, and all an administrator needs to do is place every computer “behind” it.
Think about the analogous problem with railroad fires: It could also be solved by installing some sort of fireproofing, like an asbestos lining, around every car in the train. As with using IPSec for computer security, each car added to a train would require fireproofing. Install the firewall and there is no limit to the number of cars it will protect, so long as it is between them and the fire.
A network firewall, like the train firewall, is simple in concept and powerfully effective against the problems it was designed for. Yet there are flaming attacks that can defeat firewalls. Many firewalls act as routers modified to filter out certain types of packets based on where they originated, what type of packets they are, what program is sending them, or other factors. They work best when they can discriminate broadly, rejecting applications like FTP and Telnet and all but one-way Web browsing.
As uses and expectations of the Internet have expanded, firewalls have been forced to gain the intelligence and flexibility to determine how to deal with complex communications like Java applets, cookies, stateful transactions, and secure e-commerce. Firewalls have adapted to the added functionality demands with complex management software and filtering tools, but extra flexibility means new vulnerabilities.
“There are three basic ways to defeat a firewall,” says Schneier. “Go around it, sneak something through it, or take over the firewall. These aren’t necessarily easy; hackers can find them if they are persistent.”
Perhaps the easiest circumvention of a firewall is to start out behind it: A Computer Security Institute study completed in 1998 reported that 70 percent of all successful computer attacks are generated from within the private LAN.
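The filtering policy described above (reject FTP and Telnet, permit only Web sessions that LAN hosts open outward, and reply traffic for them) as an added example, not code from the article: a minimal default-deny perimeter filter over constructed packets. The private LAN prefix and the addresses are assumptions; the last branch makes the insider point explicit, since traffic that never crosses the perimeter is never inspected by it.

```python
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."              # constructed private LAN (assumption)
WEB_PORTS = {80, 443}               # the only outbound services permitted
BLOCKED_SERVICES = {21: "ftp", 23: "telnet"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    new_conn: bool = False  # True when the packet tries to open a connection

def is_lan(addr: str) -> bool:
    return addr.startswith(LAN_PREFIX)

class PerimeterFirewall:
    """Default-deny filter between a private LAN and the Internet.

    LAN hosts may open Web sessions outward; the Internet side may only
    send replies to sessions the LAN opened (one-way Web browsing)."""

    def __init__(self) -> None:
        self.sessions = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        if is_lan(p.src) and is_lan(p.dst):
            # Traffic that never crosses the perimeter is invisible to it:
            # the insider case the CSI figure above describes.
            return "NOT_SEEN"
        if p.dport in BLOCKED_SERVICES:
            return "DENY"  # FTP and Telnet rejected in both directions
        if is_lan(p.src) and not is_lan(p.dst):
            if p.dport in WEB_PORTS:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return "ALLOW"
            return "DENY"
        if not is_lan(p.src) and is_lan(p.dst):
            if p.new_conn:
                return "DENY"  # unsolicited inbound connection attempt
            if (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return "ALLOW"  # reply to a session a LAN host opened
            return "DENY"
        return "DENY"  # transit traffic between two outside hosts
```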
Fireproofing with encryption
A firewall is not a security system that should be replaced, but one that should be augmented. Many security technologies can add to that protection, including demilitarized zones (DMZ), intrusion detection monitors, and vulnerability scanners like SATAN (Security Administrator Tool for Analyzing Networks). Like firewalls, all of those consider security from a network-wide approach. Individual computers, even specific communication sessions, can be secured by encrypting the data being exchanged.
Data encryption is a form of cryptography, or writing in codes. Cryptography does not need to be a substitution code, only a secret; the U.S. Army used the Navajo language, unaltered, as code during World War II, and it worked because no Japanese code breakers understood the language.
While a firewall accomplishes security by keeping intruders away from data and resources, encryption does not care if an eavesdropper listens in, because they are unable to understand the communication. A hacker cannot take control of a server if the server has been configured to accept only encrypted commands from a confirmed source.
“Over 60,000 Web sites last year were publicly defaced. Many of them had firewalls,” says Chris Klaus, CTO of Internet Security Systems, an Atlanta-based security consulting firm. “The greatest threat to corporate LANs is to not address security as a real priority.”
To decipher any coded transmission, a recipient, intended or unintended, must possess the key, or sequence of numbers that describes how to interpret a message. For a hacker, there are two means of obtaining a key: cracking, or processing a message by brute-force interpretation of (potentially) all possible keys, and stealing a copy of the key.
The difficulty of cracking a key depends on its complexity, which is ultimately determined by its numeric length. Key strength is expressed by the number of bits used to store it, and doubles with the addition of each bit, so a six-bit key is twice as strong as a five-bit key. Some encryption systems use keys as large as 512 bits.
Symmetric and public key encryption
As encryption keys grow larger and stronger, forcibly cracking any key becomes a more difficult task. As a result, most hackers try to break encryption by illicitly obtaining a copy of the key.
Encryption technologies are divided into two categories, based on the means by which they distribute their keys. Every German U-boat in World War II possessed the key-generation device for reading and writing the Enigma cipher. Technically, Enigma was never cracked; Allied code breakers were able to read it only after Enigma machines were captured.
Codes like Enigma are classified as symmetric because keys are identical at both ends of a communication. Symmetric-key data encryption systems include S/MIME (Secure Multipurpose Internet Mail Extension), used specifically for encrypted e-mail; TLS (Transport Layer Security); and SSL (Secure Sockets Layer). The latter two secure Web-based transactions.
In terms of key strength, symmetric-key encryption is just as strong as asymmetric; its weakness is in securely distributing keys. For the German navy, that distribution method consisted of bringing the vessels to port periodically and handing out code books. Network users, let alone Internet customers, aren’t likely to come into your office to receive keys. Yet if the code key is transmitted through the network, it must be sent as plain, unencrypted text, and is likely to be intercepted by anyone trying to eavesdrop on transactions. The encryption key itself is the most vulnerable component of any code.
Public-key encryption utilizes a two-part key, with one half held by the sender and one half by the receiver; both halves are required to read a message. There are actually four keys involved in client-server communication: a publicly known and privately held key for each party. The key algorithm has been constructed to function with a specific combination of these. In transmitting data, a sender uses the recipient’s public key, and that data can only be translated using the recipient’s private key. It is not necessary for both sides of a communication to know the full key combination, and every key is unique.
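The four-key exchange described above, as an added example that is not from the article: the client signs a command with its own private key and seals it with the server’s public key; the server, as in the earlier point about accepting only encrypted commands from a confirmed source, accepts the command only when its own private key unseals it and the client’s public key verifies the signature. This is textbook RSA with toy primes, per-byte blocks, no padding and no hashing, for illustration only; every key value is constructed.

```python
from math import gcd

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA on two small primes: (e, n) is published, (d, n) is kept.
    Toy sizes for illustration only; real keys use hundreds of digits."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(msg: bytes, public_key):
    e, n = public_key
    return [pow(b, e, n) for b in msg]  # one block per byte; needs n > 255

def decrypt(blocks, private_key) -> bytes:
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)

def sign(msg: bytes, private_key):
    d, n = private_key
    return [pow(b, d, n) for b in msg]  # textbook per-byte signature, no hash

def verify(msg: bytes, signature, public_key) -> bool:
    e, n = public_key
    return [pow(s, e, n) for s in signature] == list(msg)

def send_command(cmd: bytes, sender_priv, recipient_pub):
    """Client side: sign with its own private key, seal with the server's public key."""
    return encrypt(cmd, recipient_pub), sign(cmd, sender_priv)

def receive_command(blocks, signature, recipient_priv, sender_pub):
    """Server side: unseal with its own private key, then accept the command
    only if the signature checks against the confirmed sender's public key."""
    try:
        cmd = decrypt(blocks, recipient_priv)
    except ValueError:  # a wrong private key yields values that are not bytes
        return None
    return cmd if verify(cmd, signature, sender_pub) else None

if __name__ == "__main__":
    client_pub, client_priv = make_keypair(61, 53)   # constructed toy keys
    server_pub, server_priv = make_keypair(89, 97)
    blocks, sig = send_command(b"reboot", client_priv, server_pub)
    print(receive_command(blocks, sig, server_priv, client_pub))  # b'reboot'
```

Only the public halves ever cross the network, which is the distribution problem the symmetric case cannot solve.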
PGP (Pretty Good Privacy) popularized the PKE idea (as well as the U.S. government’s encryption restrictions) in the late 1980s and early 1990s, and remains an excellent means of encrypting e-mail. Commercial PKI (Public Key Infrastructure, including the key generation systems and public key storage repositories) systems are offered by VeriSign, Entrust, Microsoft, and other vendors.
One encryption and general security technology that every network administrator should be familiar with is the IP Security standard, commonly known as IPSec. IPSec is not an encryption methodology per se, but a standard that can be used to mandate the use of security requirements (including encryption) by all computers in a network. IPSec actually provides three security enhancements:
- Mutual authentication of communicating computers
- Agreement between the two computers that defines packet-level restrictions
- Encryption of transmitted data
IPSec depends on agreement between communicating systems through predefined policies. If a computer is configured restrictively with IPSec, it will only be able to communicate with other systems configured similarly. IPSec configuration must be performed on all of the systems that will communicate; even the lack of a policy on a system acts as a form of design: an effective “No Policy” configuration.
IPSec is likely to become one of the most widely used network security tools, if only because guaranteeing the uniform application of security at each computer within a network is such a rigorous task. During the past few years, when firewalls came to be considered the only network security needed, LAN administrators may have gotten away from using distributed security configuration, so IPSec will be invaluable in guiding their renewed configuration efforts.
The best defense
Whether a network uses a firewall, encryption, IPSec, or any other security technology, system administrators must avoid the temptation of complacency. “Virtually every report of a hack attack that I read says, ‘The hackers used a known exploit for which a security patch was released,’” notes Wired’s Delio. “That’s why a big part of a system administrator’s job is to read all of the security alerts, mailing lists, and newsgroups to find out what patches have been released and what effect they are having on other systems.”