University of Bridgeport

Dept. of Computer Science and Engineering

CS/CpE 449

Senior Design Project: Final Report

Spring 2002

Firewall Evaluation System

Submitted to:

Prof. Khaled Elleithy

Prof. Stephen Grodzinsky

Advisor: Prof. Khaled Elleithy

Team Members: Ajay Shrestha (St.ID: 0413335), Uddesh Gajurel (St.ID: 418736)

Date: 05/10/2002


Abstract

 

The goal of our project is to implement different firewall architectures, select a particular architecture, and develop a system to evaluate, compare and test different firewalls on it. Depending on the results of the tests and research, we then design a firewall for a company's network according to its security requirements.

The report consists of detailed information about the different types of popular firewalls currently available in the market, their architectures and their vulnerabilities. It also explains how the firewalls differ from each other and how they are implemented in different architectures, and it includes thorough test results, with analysis, for the firewalls and firewall architectures considered for the project.
Table of Contents

1. Objective

2. Introduction
   2.1. Firewall
   2.2. Network (WAN/LAN)
   2.3. Security Breaches Statistics
   2.4. Project Vision/Direction

3. Descriptions
   3.1. Firewalls
        3.1.1. Types of Firewall
        3.1.2. Architectures
        3.1.3. Market Availability/Research
   3.2. Network (LAN/WAN/Security Issues)
        3.2.1. Types of Networks
        3.2.2. Security Issues
        3.2.3. Security Policies
   3.3. Popular OS & their Vulnerabilities
        3.3.1. UNIX/LINUX
        3.3.2. Windows NT
        3.3.3. MAC
   3.4. Types of Attacks

4. Market Research
   4.1. Security Breach Statistics
   4.2. Need for Firewall/Network Evaluation
   4.3. Business Plan for "Firewall Evaluation"
        4.3.1. Economic Analysis
        4.3.2. Income Analysis

5. Implementation / Project Description
   5.1. Project Specification
        5.1.1. Network Setup
        5.1.2. Alternate Setups
   5.2. Hardware Specifications
        5.2.1. Router, Dual-Homed Machine, Workstations, Hub
   5.3. Software Specification
        5.3.1. SATAN
        5.3.2. OS (UNIX/LINUX/NT)
        5.3.3. Scripts/other Software Testing Tools
        5.3.4. Popular Firewalls (e.g., SOCKS, BlackICE, TIS FWTK)

6. Testing
   6.1. From SATAN
   6.2. Analysis Report for SATAN
   6.3. Recommendations & Suggestions

7. Team Responsibility

8. Project Timeline

9. Acknowledgements

10. Conclusion

11. References

1.     Objective

 

The goal of our project is to implement different firewall architectures and develop a system to evaluate, compare and test different firewalls on an architecture. Depending on the results of the tests and research, we then design a firewall for a company's network according to its security requirements.

 

2.     Introduction

2.1  Firewall

A firewall is basically a protective device: a set of rules that governs the inbound and outbound flow of data into and out of a network, and a component that restricts access between a protected network and the Internet, or between other sets of networks.

If you are building a firewall, the first thing you need to worry about is what you are trying to protect. When you connect to the Internet, you put three things at risk:

§         Your data: the information you keep on the computers

§         Your resources: the computers themselves

§         Your reputation

 

2.2  Network (WAN/ LAN)

The number of computers in use worldwide, according to the International Data Corporation, is in excess of 100 million. Networking plays a role in inter-connecting all these computers worldwide. Local area network (LAN), metropolitan area network (MAN), and wide area network (WAN) are all examples of communications networks.

 

A wide area network (WAN) is a geographically dispersed telecommunications network. WANs are built to provide communication solutions for organizations or people who need to exchange information between two distant places. WANs are usually maintained by the country's public telecommunication companies. WANs enable an organization to have one integral network between all its departments and offices even if they are not all in the same building or city. Typically, a WAN consists of a number of interconnected switching nodes. A transmission from any one device is routed through these internal nodes to the specified destination device. The most important recent development in WANs has been the integrated services digital network (ISDN), which provides circuit-switching and packet-switching services at rates up to 1.544 Mbps. The continuing development of practical optical fiber facilities has led to the standardization of much higher data rates for WANs. These high-speed WANs provide user connections in the tens and hundreds of Mbps, using transmission techniques known as frame relay and asynchronous transfer mode (ATM).

 

The local area network (LAN) is the most common type of data network. A LAN serves the area of a floor of a building or, in some cases, a distance of several miles. LANs are typically installed in industrial plants, office buildings, and college or university campuses. The most widely used LAN system is the Ethernet system developed by the Xerox Corporation. A LAN is usually connected to another LAN or to a WAN using a router. LANs allow users to share resources on computers within an organization and may provide shared access to remote organizations through a router connected to a WAN.

 

2.3   Security Breaches Statistics

Network security has become a major concern all over the world, as the Internet is highly vulnerable. With more and more people depending on the Internet for their day-to-day activities, security breaches can be highly costly to the affected party. Statistics show that there has been a surge in the number of security breaches in recent years. Source: Carnegie Mellon Software Engineering Institute:

 

“Attacks on Defense computer systems are a serious and growing threat. The exact number of attacks cannot be readily determined because only a small portion are actually detected and reported. However, Defense Information Systems Agency (DISA) data implies that Defense may have experienced as many as 25,000 attacks last year. DISA information also shows that attacks are successful 65 percent of the time, and that the number of attacks is doubling each year, as Internet use increases along with the sophistication of hackers and their tools. According to Defense officials,  hackers have shut down and crashed entire systems and networks, denying service to users who depend on automated systems to help meet critical missions. Numerous Defense functions have been affected, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll. In addition to the security breaches and service disruptions they cause, these attacks are expensive. The 1994 Rome Laboratory incident alone cost Defense over $500,000 to assess the damage to its systems. Although Defense has not estimated the total cost of repairing damage caused by the thousands of attacks experienced each year, it believes they are costing tens or possibly even hundreds of millions of dollars.” GAO Report 96-84, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, May 1996.

 

According to www.cert.org, the number of incidents reported yearly is as follows:

Fig: Number of incidents reported yearly (source: www.cert.org)

2.4   Project Vision

 

Here we would like to mention how our project is relevant to today's needs, why we decided on this project, and what our guiding light was.

 

As mentioned in the previous topic (2.3), the security breach statistics are overwhelming. A security system is a must in any kind of LAN/WAN network, and firewalls are made for this purpose. They are a combination of software and hardware optimized for providing security at all layers of communication over the Internet; the standard model for that communication is the layered OSI model.

 

Both of us were interested in Communications and Network Security. We were also doing internships at local companies in the same area. We approached Prof. Khaled Elleithy with some ideas for our senior project. He helped us mold our interest and ideas into a project conceivable in a two-semester span.

 

After going through his suggestions, we decided to do a project on firewalls. Implementing different firewalls and testing them seemed like a challenging and interesting endeavor to undertake. Thus we finalized the project. The research papers from Prof. Elleithy and other reference books (mentioned in the references) have been the guiding light for our project.


3.     Description

 

3.1. Firewalls

3.1.1        Types of Firewall

All major firewalls available in the market can be categorized according to the OSI layer at which they function: the network/IP layer, the TCP (circuit) layer or the application layer.

Fig: OSI Layers with Corresponding Protocols

 

Network Layer Firewall

Network layer firewalls work at the network layer of the OSI model. They control the flow of packets at the network/IP layer. The security philosophy used by most network layer firewalls is "Whatever is not explicitly allowed is blocked". Network layer firewalls route traffic directly through them: they inspect the source and destination information of each packet and allow or disallow it on that basis. Network layer firewalls are typically used when speed is essential; since packets are not passed up to the application layer and their contents are not analyzed, packets can be processed more quickly. Network layer firewalls are susceptible to various exploits; three common ones are buffer overruns, IP spoofing and ICMP tunneling. Examples of network layer firewalls are SOCKS v5 and GNAT Box.


Circuit/TCP Layer Firewall

A circuit/TCP layer firewall operates at the session level and requires modified clients that communicate directly with the gateway. A circuit layer firewall relays TCP connections but does no extra processing or filtering of the protocol, and it does not interfere in the ongoing communication once the connection is established. The principal advantage of a circuit level firewall is that it prevents direct connections between internal and external machines. An example of a circuit layer firewall is TIS FWTK.

 

Application Layer Firewall

An application layer firewall is generally considered the most secure type of firewall. It is configured to be the only host address visible to the outside network, so all connections to the internal network must go through the firewall. It is distinguished by its use of proxies for services such as HTTP, mail, FTP and Telnet, which prevent direct access to services on the internal network. The advantage of this type of firewall is that the proxies prevent direct connections between internal hosts and external hosts: all incoming requests for services such as HTTP, FTP or Telnet must first go through the appropriate proxy software on the firewall.

 

3.1.2 Different Firewall Architectures

 

Dual-Homed Host Architecture

Dual-homed host architecture is built around the dual-homed host computer, which has at least two network interfaces. Such a host could act as a router between the networks its interfaces are attached to. The dual-homed host is a bastion host, since it can be reached from both the private network and the Internet. However, to implement a dual-homed host firewall architecture, the routing function is disabled at the network layer, so IP packets from the outside network are not routed directly to the internal network. Systems inside the firewall can communicate with the dual-homed host, and systems outside the firewall can communicate with the dual-homed host, but these systems cannot communicate directly with each other.

Fig: Dual-Homed Host Architecture

The network architecture for a dual-homed host firewall is pretty simple: the dual-homed host sits between, and is connected to, the Internet and the internal network as shown in the figure above.

 

A dual-homed host permits communication between the private network and the Internet in either of two ways:

1.      Users on the private/local network are given accounts on the dual-homed machine. In order to use Internet services, a user must log in to the dual-homed host.

2.      The dual-homed host runs a proxy program for each service you want to permit. Users then no longer need to log in to the machine to access the Internet; they communicate via the proxy software.

The only host that can be accessed, and thus attacked, from the Internet is the dual-homed host, so it must have a greater level of security than the ordinary hosts on the private network. Only secure and necessary software should be installed on it.

 

Screened Host Architecture

This architecture consists of a screening router and a screened host. The screened host architecture provides services from a host that is attached only to the internal network, using a separate router. Packet filtering provides the primary security in this architecture; it prevents people from going around the proxy servers to make direct connections. The screening router is placed between the private network and the Internet and blocks all traffic between those two networks except traffic that originates on the Internet and goes to the screened host, or that originates on the screened host and goes to the Internet. That is how the screening router stops all attempts to set up direct communication between a host on the private network and a host on the Internet.

Fig: Screened Host Architecture

 

The screened host is the only host on the private network that can be accessed from the Internet, and it usually runs proxy programs for the allowed services. The other hosts on the private network must communicate with the Internet through the proxy servers located on the screened host.

 

The bastion host sits on the internal network. The packet filtering on the screening router is set up in such a way that the bastion host is the only system on the internal network that hosts on the Internet can open connections to. The bastion host thus needs to maintain a high level of host security.

 

The packet filtering configuration in the screening router may either allow other internal hosts to open connections to hosts on the Internet for certain services, or disallow all connections from internal hosts, forcing them to use proxy services via the bastion host.

This architecture is more flexible than the dual-homed host architecture with proxy services, because some secure services for which no proxy software exists can be allowed to pass through the screening router directly to a host on the private network.

 

Screened Subnet Architecture

The screened subnet architecture consists of screening routers and screened hosts combined in such a way that, when one of the screened hosts is subverted, the private network is not automatically open to attack. In other words, the screened subnet architecture adds an extra layer of security to the screened host architecture by adding a perimeter network that further isolates the internal network from the Internet.

 

By nature, bastion hosts are the most vulnerable machines on your network, since they are the machines most likely to be attacked. If someone successfully breaks into the bastion host in a screened host architecture, he/she will have full access to the private network. In a screened subnet architecture, by contrast, isolating the bastion host on a perimeter network reduces the impact of a break-in on the bastion host: it gives an intruder some access, but not all.

Fig: Screened Subnet Architecture

 

The screened subnet architecture has two screening routers, each connected to the perimeter network. One router is placed between the perimeter network and the private network, and the other between the perimeter network and the Internet. Even if an attacker breaks into the bastion host, he/she still has to pass through the interior router. It is suggested to place less trusted and more vulnerable services on the perimeter network. Attackers who make it onto a machine on an outer perimeter network will thus still have a harder time successfully attacking internal machines, because of the additional layers of security between the outer perimeter and the private network.

 

The perimeter network is another layer of security. It is basically an additional network between the Internet and the private network. If an attacker breaks into the outer reaches of the firewall, the perimeter network offers an additional layer of protection between that attacker and the private network.

 

The interior router, also called the choke router, protects the private network from the Internet and from the perimeter network. It does most of the packet filtering for the firewall, allowing only selected services outbound from the private network to the Internet.

 

The exterior router, also called the access router, protects both the perimeter network and the private network from the Internet. The exterior router is provided by an external group, which can be your Internet provider. One of the tasks of the exterior router is to block any incoming packets from the Internet that have forged source addresses: such packets claim to have come from within the private network but are actually coming in from the Internet.
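As an added example (not part of the original report), the screened subnet filtering described in this section and the default-deny network layer filtering of section 3.1.1, modelled in Python: an exterior (access) router with anti-spoofing rules and an interior (choke) router, each applying "whatever is not explicitly allowed is blocked". All addresses, the bastion host, the internal mail server and the rule sets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption, not from the report): a private
# network, a perimeter network holding the bastion host, and everything else
# treated as "the Internet".
PRIVATE_NET = ip_network("10.0.0.0/8")
PERIMETER_NET = ip_network("192.0.2.0/24")
BASTION = ip_network("192.0.2.10/32")
INTERNAL_MAIL = ip_network("10.0.0.25/32")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

class ScreeningRouter:
    """Packet filter for traffic arriving on the router's outer interface.
    First matching rule wins; whatever is not explicitly allowed is blocked."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name, self.rules = name, rules

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.note
        return "deny", "default deny"

# Exterior (access) router, between the Internet and the perimeter network.
EXTERIOR = ScreeningRouter("exterior", [
    # Anti-spoofing: a packet arriving from the Internet can never legitimately
    # carry a private or perimeter source address.
    Rule("deny", PRIVATE_NET, ANY, note="forged private source address"),
    Rule("deny", PERIMETER_NET, ANY, note="forged perimeter source address"),
    # Only the proxies on the bastion host are reachable from the Internet.
    Rule("allow", ANY, BASTION, "tcp", 80, "HTTP proxy on bastion"),
    Rule("allow", ANY, BASTION, "tcp", 25, "mail relay on bastion"),
])

# Interior (choke) router, between the perimeter and the private network.
INTERIOR = ScreeningRouter("interior", [
    # Even a subverted bastion can only reach the internal mail server on 25.
    Rule("allow", BASTION, INTERNAL_MAIL, "tcp", 25, "mail from bastion"),
])

def traverse(pkt: Packet, origin: str = "internet") -> Tuple[str, List[str]]:
    """Walk a packet through the screened subnet from `origin` ("internet" or
    "perimeter"); return the final verdict and a per-router trace."""
    trace: List[str] = []
    routers = [EXTERIOR, INTERIOR] if origin == "internet" else [INTERIOR]
    for router in routers:
        # Everything from the Internet crosses the exterior router; only packets
        # bound for the private network also cross the interior router.
        if router is INTERIOR and ip_address(pkt.dst) not in PRIVATE_NET:
            break
        action, note = router.filter(pkt)
        trace.append(f"{router.name}: {action} ({note})")
        if action == "deny":
            return "deny", trace
    return "allow", trace
```

Return traffic and the exterior router's outbound rules are left out so that the two inbound rule sets stay readable.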

 

 

A proxy service provides Internet access to a single host or a few hosts, but it appears to provide access to all of your hosts. The hosts that have Internet access act as proxies for the machines that do not. The proxy server evaluates requests from the client and decides which to pass on and which to disregard. When a client's request is passed on, the proxy server talks to the real server on behalf of the client, relaying requests from the client to the real server and the real server's answers back to the client. Clients therefore talk to the proxy server instead of talking directly to the real server on the Internet. The proxy server runs on a dual-homed host or a bastion host.

Fig: Proxy
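As an added example (not part of the original report), a minimal proxy that behaves as described above: the client never talks to the real server; it asks the proxy for a service, the proxy decides whether the request is passed on or disregarded, and if passed on, the proxy opens its own connection to the real server and relays both directions. The one-line request format, the service allow-list and the stand-in "real server" (an upper-casing echo on loopback) are assumptions for the demo.

```python
import functools
import socket
import threading
from typing import Dict, Tuple

# Assumption: the proxy permits only the services listed here (compare the
# report's HTTP/FTP/TELNET list); start_demo() fills in the one demo entry.
PERMITTED: Dict[str, Tuple[str, int]] = {}

def decide(request_line: bytes) -> Tuple[str, str]:
    """Evaluate b"SERVICE <name>\\n"; return ("relay" or "reject", service)."""
    parts = request_line.strip().split()
    if len(parts) != 2 or parts[0] != b"SERVICE":
        return "reject", ""
    service = parts[1].decode("ascii", "replace").upper()
    return ("relay" if service in PERMITTED else "reject"), service

def _readline(sock: socket.socket) -> bytes:
    """Read one line byte by byte so nothing past the newline is consumed."""
    line = b""
    while not line.endswith(b"\n") and (ch := sock.recv(1)):
        line += ch
    return line

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Relay bytes src -> dst until src closes, then half-close dst."""
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _handle_client(client: socket.socket) -> None:
    """Proxy side: evaluate the request, then talk to the real server itself."""
    action, service = decide(_readline(client))
    with client:
        if action == "reject":
            client.sendall(b"REJECTED\n")
            return
        with socket.create_connection(PERMITTED[service]) as upstream:
            client.sendall(b"RELAYING\n")
            back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            back.start()              # real server -> client
            _pump(client, upstream)   # client -> real server
            back.join()

def _echo_upper(conn: socket.socket) -> None:
    """Stand-in for the real server on the Internet: echoes input upper-cased."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data.upper())

def _serve(handler) -> Tuple[str, int]:
    """Listen on a free loopback port; hand each connection to `handler`."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen()

    def loop() -> None:
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()

@functools.lru_cache(maxsize=None)
def start_demo() -> int:
    """Start the stub real server and the proxy once; return the proxy's port."""
    PERMITTED["HTTP"] = _serve(_echo_upper)
    return _serve(_handle_client)[1]

def client_request(service: str, payload: bytes) -> Tuple[str, bytes]:
    """Client side: it only ever talks to the proxy, never to the real server."""
    with socket.create_connection(("127.0.0.1", start_demo())) as c:
        c.sendall(b"SERVICE " + service.encode("ascii") + b"\n")
        verdict = _readline(c).strip().decode("ascii")
        reply = b""
        if verdict == "RELAYING":
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while chunk := c.recv(4096):
                reply += chunk
    return verdict, reply
```

Calling client_request("http", b"hello") returns ("RELAYING", b"HELLO"), while a request for a service outside the allow-list returns ("REJECTED", b"") without the proxy ever contacting a real server.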

 

 

3.1.3   Market Availability/Market Research

 

As hacking attacks and cyber crime incidents continue to increase, many companies are extremely interested in getting insights on the measures their enterprises should take to secure corporate networks. The firewall market bucked the slowdown in IT spending experienced by the rest of the industry in the first half of 2001; firewalls are a healthy and growing segment of the IT market. The Internet is now a critical part of corporate networks, and Internet downtime can cause lost productivity and revenue. The explosion of e-commerce and the growth of the mobile workforce have significantly increased the security challenges for enterprises. Firewall vendors continue to add new features to their products as they compete to solve the increasingly complex problems of securing connections to the Internet, intranets and extranets. The following statistics published by International Data Corporation show how rapidly the firewall market has been growing in recent years.

 

According to International Data Corporation (IDC), the worldwide firewall market will create at least US $1.6 billion in revenues this year, and that figure could go up to US $2.1 billion. IDC predicts that the market will not approach the saturation point for at least another four years, by which time 50% of large businesses, 41% of medium-sized businesses and 14% of small businesses in the United States will have firewalls installed. The U.S. is the largest firewall market, claiming almost 61% of worldwide revenue in 2000. (Source: www.advisor.com)

 

According to ITSecurity.com, worldwide firewall revenues totaled $1.7 billion in 2001 and are forecast to reach $3.8 billion in 2005.

Fig: Firewall Marketplace (Source: IDC, June 1997)

 

3.2   Security

3.2.1 Security Issues

The primary objective of Internet security is to control access to information. The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network regardless of national or geographical boundaries. Along with convenience and easy access to information, the Internet brings new risks: that valuable information will be lost, stolen, corrupted or misused, and that computer systems will be corrupted.

 

The basic security concepts important to information on the Internet are confidentiality, integrity, and availability. When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. Research data, medical and insurance records, new product specifications, and corporate investment strategies are examples of information for which confidentiality is a very important attribute.

 

When information is modified in unexpected ways, the result is known as loss of integrity. Loss of integrity means that unauthorized changes are made to information by human error or intentional tampering. Integrity is important for financial data used for activities such as electronic funds transfers and financial accounting.

 

When information is erased or becomes inaccessible, the result is known as loss of availability. In this case, people who are authorized to get information cannot get what they need. Availability of information is often very important in service-oriented businesses that depend on information such as airline schedules and inventory systems. Availability of the network itself is important, as most businesses rely on a network connection.

 

In the late 1980s and early 1990s, the typical intrusion was straightforward; in most cases it exploited relatively simple weaknesses such as poor passwords and poorly configured systems. Since the mid 1990s, intrusions have become more sophisticated and are now very common. Nowadays even intruders with little technical knowledge are becoming more effective, as more automated tools become available and sophisticated intruders share their knowledge and tools. The tools available to launch an attack have become more effective, easier to use, and more accessible to people without in-depth knowledge of computer systems. A sophisticated intruder usually shares an attack procedure freely with the intruder community, so people who have the desire but not the technical skills are able to break into systems. Automated tools are available to examine systems for vulnerabilities, and though these tools help system administrators identify problems, they also help intruders find new ways to break into systems.

 

With millions of new connections originating from personal computers and small networks, we can no longer know who and what is on the other side of a network connection. Securing computers and networks sometimes seems unattainable when we consider the exposure that an Internet connection brings. A reliable and practical solution to these kinds of problems is the implementation of a firewall.

(Source: www.cert.org/encyc_article/)

 

3.2.2. Security Policies

The key objective of a security policy is to protect the enterprise's resources while giving consideration to the impact on user productivity. The security policy should be uniformly enforced across the enterprise. A security policy can be put in place in several steps, and it should consist of several components that address the various aspects of resource protection; some of the important areas are accountability, access control, data confidentiality, data integrity, and data management policy. The following steps are the procedure for establishing a security policy.

§         Identify all key assets of the enterprise, classify them based on their value to the company, and list the objectives for securing the assets selected.

§         Collect all of the existing information flows of each selected asset.

§         Perform risk analysis against all enterprise assets.

§         Define a set of rules to protect the selected assets against the identified risks.

 

 

 

3.3   Popular OS & their Vulnerabilities

 

The operating system is the most important software on a computer. It communicates with the hardware and lets other software applications run on top of it, letting them utilize the hardware resources. For this reason, the security of the OS cannot be compromised, as it is the heart of a computer and eventually of a network, since a network is comprised of computers. Operating systems that are optimized to run on a network are often referred to as network operating systems, but the terms operating system and network operating system are often used interchangeably. These network operating systems often serve as a web server, application server, file/print server, email server, etc. Basically, they serve multiple requests from multiple client machines at the same time, for different services.

 

Fig: Operating System

There are many kinds of operating systems available in the market, both commercial and open source. Even the same type of operating system can be found in different flavors; e.g., the Unix operating system made by Hewlett-Packard (HP-UX) is different from the Unix operating system produced by Sun Microsystems (Solaris). So, what are the most popular types of operating systems used in a network, and primarily in the inter-network of networks called the Internet?

A survey was conducted by http://www.leb.net/ to find the most popular OS on the Internet. Here is the result of the data collected for the .edu domain.

 
        Domain : .edu
      DName  : Educational
      Service: ftp+news+www
      Date   : April `99
 
 
      
Host OS recognized (grouped, sorted)   count   %recog
--------------------------------------------------------  
                   Windows 95/98/NT     7055     33.4
                      Solaris/SunOS     4734     22.4
                              Linux     2278     10.8
                          Mac/Apple     1847      8.8