
INTERNETWORK SCREENS - FIREWALL



Preface
The Internet is a planet-wide collection of networks that all use one family of data transmission protocols, TCP/IP (Transmission Control Protocol/Internet Protocol). A large number of organisations and private users now connect to the Internet in order to use its advantages and resources. Businesses and public organisations use it for many purposes, including electronic mail, publishing information for interested readers and conducting research. Many organisations now attach their existing local area networks to the Internet so that the workstations on those networks have direct access to Internet services.
Connecting to the Internet can bring great advantages, but it also requires serious attention to the security of the connection. The Internet carries substantial security risks that are often not obvious to a new user. Malicious activity is observed everywhere, and there are many vulnerable points that make it possible. The actions of attackers are hard to foresee and at times hard to detect and stop. Many organisations have already lost time and confidential information and suffered considerable damage from attackers; some have suffered severe damage to their reputation when an intrusion into their network became public. Such intrusions are possible, and indeed fairly easy to carry out, because the Internet was built as an open system for the free exchange of information. It is therefore not surprising that TCP/IP, the protocol suite that carries traffic on the Internet and on an ever larger number of local area networks (LANs), has "congenital" security weaknesses. The same is true of services built on TCP/IP such as FTP and DNS.
This situation has several causes. The main one is that security requirements were not considered when the Internet was developed: the primary goal was convenient exchange of information among researchers. The phenomenal success of the Internet, together with the arrival of many new categories of users, including users with no notion of ethics, has aggravated the existing weaknesses to the point where any network reachable from the Internet is exposed to the risk of intrusion and damage. Other causes are the following:
- vulnerability of TCP/IP services: a number of TCP/IP services are insecure and can be compromised by a skilled attacker; services used within a LAN to ease network management are especially vulnerable;
- ease of eavesdropping on communication channels: most Internet traffic is not encrypted; electronic mail, passwords and transferred files can be intercepted with readily available programs, and the captured passwords then used to break into systems;
- lack of policy: many networks are, through ignorance, configured to permit access from the Internet without any awareness of the possible malicious consequences; many allow more TCP/IP services than the organisation's work requires and make no attempt to restrict access to information about their computers that can help an attacker plan an intrusion;
- complexity of configuration: host-based access controls are often complicated to set up and manage, and misconfigured controls frequently result in unauthorised access.
Fortunately, there are simple and reliable measures that improve the security of a network built on protocols as popular and widespread as TCP/IP. The firewall system is one of them and has proved highly effective at raising overall network security. A firewall system is a set of systems and routers placed at the point where the network connects to the Internet, together with an access policy that defines how they operate. The firewall forces all network connections to pass through a gateway where they can be analysed and assessed from a security standpoint, and it can provide further measures such as strong authentication in place of static passwords. It can also restrict access to particular systems, restrict their access to the Internet, block particular TCP/IP services or enforce other safety measures. A well-configured firewall system can also act as the organisation's public face on the Internet and help to form a good impression of the organisation among Internet users.
What is a "firewall" or an internetwork screen?
The word "firewall" in its non-computer sense means a wall of non-combustible material that stops fire from spreading. In a computer network, a firewall is a barrier protecting computers from a "virtual" fire: attempts by an attacker to break into the network in order to copy, modify or delete information, or to use the bandwidth, memory or computing capacity of the computers on it. The firewall is installed at the junction of two networks, the Internet and the LAN, which is why it is also called an internetwork screen. It filters all inbound and outbound data, letting through only authorised packets. A firewall is an approach to security: it implements a security policy that defines which services are authorised and how they may be accessed, together with other protective measures such as strong authentication in place of static passwords. The main purpose of a firewall system is to control access TO or FROM the protected network. It enforces the network access policy by making every connection with the network pass through the firewall, where it can be analysed and then permitted or denied.
Schematically, the principle of firewall operation can be depicted as follows: [figure not reproduced]

A firewall system can be a router, a personal computer, a host or a group of hosts set up specifically to protect a network or subnet against misuse of protocols and services by hosts outside it. Normally a firewall is built on the top-level routers, usually those that connect the network to the Internet, but it can also be built on other routers to protect only some hosts or subnets.
Existing firewalls differ greatly from one another, both in the level of protection and in the methods used. Nevertheless, most commercial firewalls can be assigned, somewhat loosely, to one of the following four categories:
- packet-filtering firewalls;
- circuit-level gateways;
- application-level gateways;
- stateful inspection firewalls.
Few firewalls fall into exactly one of these categories, and fewer still match precisely the definitions given below for each of them. Nevertheless, the definitions capture the key capabilities that distinguish one kind of firewall from another.
Packet-filtering firewalls:
A packet-filtering firewall is a router, or a program running on a server, configured to filter inbound and outbound packets. It passes or rejects each packet on the basis of information in the packet's IP header and, for TCP and UDP, its transport header. For example, most packet-filtering firewalls can allow or reject packets on the basis of the information that ties a packet to a particular sender and recipient (its full association), which consists of the following elements:
- source address;
- destination address;
- the protocol carried (TCP, UDP, etc.) or the application it belongs to;
- source port number;
- destination port number.
Every router, even one not configured for packet filtering, reads part of this association (at least the destination address) to decide where to send the packet. A packet-filtering firewall additionally compares the full association with a table of rules before forwarding, and the table says whether the packet is allowed through or rejected. The firewall scans the table until it finds the first rule that matches the packet. A packet that matches no rule is handled by the default rule, which must also be stated explicitly in the table; for security reasons the default normally rejects every packet that no other rule accepts.
Rule set-up
You define packet-filtering rules that tell the firewall which packets to pass and which to reject. For example, rules can instruct the firewall to reject packets arriving from external servers (usually called Internet hosts) whose IP addresses are listed in the table. Another rule can admit inbound electronic mail only when it is addressed to the mail server, or block all mail from an external host that previously "flooded" your network with gigabytes of unwanted data.
The firewall can also be configured to filter on the port numbers carried in TCP and UDP (User Datagram Protocol) headers. This makes it possible to admit particular kinds of traffic (for example Telnet or FTP) only when it is addressed to the intended servers (the Telnet or FTP server respectively). How well such a rule works depends on the conventions followed in your TCP/IP network: servers and clients of TCP/IP applications usually use specific, "well-known" (pre-assigned) ports, but nothing forces them to. For example, the Telnet service on a TCP/IP server normally listens on port 23. To permit Telnet sessions only with one particular server, two rules are needed: one that makes the firewall pass all packets addressed to port 23 at 123.45.6.7 (the IP address of your Telnet server), and one that rejects inbound packets addressed to that port at any other address. Real rule sets are, of course, considerably more involved than this; more complex examples, such as configuration rules for Cisco routers, are available on the Internet.
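As an added example (not part of the original article), the following Python packet filter implements the rule table described above: first-match evaluation over the full association of each packet, with an explicit default deny. The Telnet server address 123.45.6.7 is the one used in the text; the mail server address, the address of the flooding host and all sample packets are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The 'full association' of a packet: the header fields a packet filter
    reads (addresses from the IP header, ports from the TCP/UDP header)."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR prefix; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First-match evaluation: the table is scanned top to bottom and the first
    matching rule decides.  A packet that matches nothing gets the explicit
    default, which for security reasons should be 'deny'."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Inbound rule table for the examples in the text.  123.45.6.7 is the page's
# Telnet server address; the mail server 123.45.6.8 and the flooding host
# 203.0.113.9 are constructed for this example.
INBOUND_RULES = [
    # 1. Block every packet from the external host that flooded the network.
    Rule("deny", src="203.0.113.9/32"),
    # 2. Telnet (TCP port 23) is allowed only to the Telnet server ...
    Rule("allow", dst="123.45.6.7/32", proto="tcp", dport=23),
    # 3. ... and refused to every other internal address.
    Rule("deny", proto="tcp", dport=23),
    # 4. Inbound SMTP only to the mail server.
    Rule("allow", dst="123.45.6.8/32", proto="tcp", dport=25),
]
# Rules 2 and 3 correspond to the Cisco IOS extended ACL lines
#   access-list 101 permit tcp any host 123.45.6.7 eq 23
#   access-list 101 deny   tcp any any eq 23
# with the implicit deny at the end of every IOS ACL playing the default role.


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.5", "123.45.6.7", "tcp", 40000, 23),
                Packet("198.51.100.5", "123.45.6.9", "tcp", 40000, 23),
                Packet("203.0.113.9", "123.45.6.7", "tcp", 40000, 23),
                Packet("198.51.100.5", "123.45.6.8", "udp", 40000, 53)):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport,
              filter_packet(INBOUND_RULES, pkt))
```

Rule order matters: the deny for the flooding host sits above the Telnet allow, so that host is refused even when it targets the Telnet server. Two caveats follow from the text: a port-based rule trusts the port convention, so a service listening on a non-standard port slips past it, and a stateless filter of this kind cannot tell a reply to an internal client from an unsolicited packet from outside, which is the gap the session-tracking firewall types described later close.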
Circuit-level gateways:
A circuit-level gateway monitors the connection handshake between an authorised client and an external host (and vice versa) to decide whether a requested session is legitimate. In filtering, the circuit-level gateway relies on the TCP header fields that describe the connection (flags, sequence and acknowledgement numbers), that is, it works at the session level, two levels above the packet-filtering firewall.
Handshake control
To decide whether a request for a session is legitimate, the circuit-level gateway proceeds roughly as follows. When an authorised client requests a service, the gateway accepts the request and checks that the client meets its basic filtering criteria (for example, that the DNS server can resolve the client's IP address and the name associated with it). Then, acting on the client's behalf, the gateway opens a connection to the external host and watches the TCP connection handshake. The handshake is an exchange of TCP segments marked with the SYN (synchronise) and ACK (acknowledge) flags.
The first segment of the TCP session carries the SYN flag and an arbitrary initial sequence number, say 1000; it is the client's request to open a session. The external host answers with a segment carrying both the SYN and ACK flags: its acknowledgement number, 1001, confirms receipt of the client's SYN, and its own initial sequence number (say 2000) opens the reverse direction. The client completes the handshake with an ACK segment whose acknowledgement number is 2001. The circuit-level gateway considers the requested session legitimately established only when the SYN and ACK flags and the sequence and acknowledgement numbers in these segments are logically linked to one another in this way.
Pipe proxies
Once the gateway has determined that the trusted client and the external host are authorised participants of the TCP session and has verified the session's legitimacy, it establishes the connection. From that moment on it copies and forwards packets back and forth with no filtering. It maintains a table of established connections and passes only data that belongs to one of the sessions recorded in that table. When a session ends, the gateway deletes the corresponding entry from the table and tears down the circuit used by that session.
The copying and forwarding is done by special applications in the circuit-level gateway, sometimes called pipe proxies, because they establish a virtual circuit or channel between the two networks and then let the packets generated by TCP/IP applications pass through that channel.
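The handshake check described under "Handshake control" and the connection table of a pipe proxy, as an added example that is not part of the original article. The addresses and segments are constructed; the sequence numbers (client ISN 1000, server ISN 2000) follow the text. The gateway verifies the three-way handshake, records the circuit, and then relays payload without looking at it, which is exactly the limitation the article comes to in "Bypassing manoeuvres".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields the gateway looks at.
    Segments are constructed below; nothing is read from the wire."""
    src: str
    dst: str
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    fin: bool = False
    payload: bytes = b""


def handshake_is_consistent(hs: List[Segment]) -> bool:
    """Three-way handshake check: SYN, then SYN+ACK acknowledging the client's
    ISN + 1, then ACK acknowledging the server's ISN + 1, each from the
    expected side."""
    if len(hs) != 3:
        return False
    syn, synack, ack = hs
    if not (syn.syn and not syn.ack_flag):
        return False
    if not (synack.syn and synack.ack_flag
            and synack.src == syn.dst and synack.dst == syn.src
            and synack.ack == syn.seq + 1):
        return False
    if not (ack.ack_flag and not ack.syn
            and ack.src == syn.src and ack.dst == syn.dst
            and ack.ack == synack.seq + 1):
        return False
    return True


class CircuitLevelGateway:
    def __init__(self, trusted_net: str):
        self.trusted_net = ip_network(trusted_net)
        # Table of established circuits: (client, server) -> bytes relayed so far
        self.circuits: Dict[Tuple[str, str], int] = {}

    def open_circuit(self, hs: List[Segment]) -> bool:
        """Basic filtering criterion (the client must be on the trusted side)
        plus the handshake consistency check; on success the circuit is recorded."""
        if not hs or ip_address(hs[0].src) not in self.trusted_net:
            return False
        if not handshake_is_consistent(hs):
            return False
        self.circuits[(hs[0].src, hs[0].dst)] = 0
        return True

    def relay(self, seg: Segment) -> bool:
        """Once a circuit exists, payload is copied in either direction without
        inspection; a FIN closes the circuit and removes the table entry.
        Segments that belong to no recorded circuit are dropped."""
        for key in ((seg.src, seg.dst), (seg.dst, seg.src)):
            if key in self.circuits:
                self.circuits[key] += len(seg.payload)
                if seg.fin:
                    del self.circuits[key]
                return True
        return False


# Handshake with the numbers used in the text: client ISN 1000, server ISN 2000.
CLIENT, SERVER = "10.0.0.5", "198.51.100.7"   # constructed addresses
GOOD_HANDSHAKE = [
    Segment(CLIENT, SERVER, seq=1000, syn=True),
    Segment(SERVER, CLIENT, seq=2000, ack=1001, syn=True, ack_flag=True),
    Segment(CLIENT, SERVER, seq=1001, ack=2001, ack_flag=True),
]
# Same exchange, but the final ACK does not acknowledge the server's ISN + 1.
BAD_HANDSHAKE = GOOD_HANDSHAKE[:2] + [
    Segment(CLIENT, SERVER, seq=1001, ack=2500, ack_flag=True)]


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    gw = CircuitLevelGateway("10.0.0.0/8")
    rejected = gw.open_circuit(BAD_HANDSHAKE)       # False: numbers not linked
    opened = gw.open_circuit(GOOD_HANDSHAKE)        # True: circuit recorded
    # The gateway forwards this upload command blindly; it never reads payload.
    relayed = gw.relay(Segment(CLIENT, SERVER, seq=1001, ack=2001, ack_flag=True,
                               payload=b"STOR unwanted.bin\r\n"))
    closed = gw.relay(Segment(SERVER, CLIENT, seq=2001, ack=1020,
                              ack_flag=True, fin=True))
    after_close = gw.relay(Segment(CLIENT, SERVER, seq=1020, ack=2002, ack_flag=True))
    return rejected, opened, relayed, closed, after_close


if __name__ == "__main__":
    print(demo())
```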
PROXY-servers
The circuit-level gateway performs one more important protective function: it acts as a proxy server. Although the term suggests a server running proxy programs (which is true of a circuit-level gateway), here it means something slightly different. A proxy server in this sense is a firewall that performs address translation, replacing the internal IP addresses with a single "trusted" IP address, the address of the firewall itself, from which all outbound packets are sent. As a result, every outbound packet from a network behind a circuit-level gateway appears to come from the gateway, which removes any direct contact between the internal (authorised) network and the potentially dangerous external network (in our case, the Internet). The IP address of the circuit-level gateway becomes the only live IP address that reaches the external network.
In this way the circuit-level gateway and other proxy servers help to protect internal networks against spoofing attacks (forgery or substitution of addresses): internal addresses are never exposed to the outside, and a packet arriving from outside that claims an internal source address, or that does not answer a connection the gateway itself opened, can simply be discarded.
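The address translation performed by a proxy server of this kind, as an added example not taken from the original article. The internal network 10.0.0.0/8, the external address 192.0.2.1, the port range and the sample packets are all constructed for the example; the mapping table is the usual one for port-based translation, where each outbound flow gets its own external port and only replies to a recorded flow are mapped back in.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class AddressTranslatingGateway:
    """Hides the internal network behind one external address: every outbound
    flow is rewritten to (external_ip, fresh port) and a table maps replies back."""

    def __init__(self, internal_net: str, external_ip: str, first_port: int = 60000):
        self.internal_net = ip_network(internal_net)
        self.external_ip = external_ip
        self.next_port = first_port
        # (internal src, sport, dst, dport) -> external port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # (external port, external host, its port) -> (internal src, sport)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Internal -> external: substitute the gateway's address and a port of
        its own.  A packet that is not from the internal network is dropped."""
        if ip_address(p.src) not in self.internal_net:
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.external_ip, port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """External -> internal: only a reply to a flow in the table is rewritten
        back and forwarded.  Dropped: a packet whose source claims to be internal
        (it cannot legitimately arrive from outside, so it is spoofed), one not
        addressed to the gateway, and one that answers no recorded flow."""
        if ip_address(p.src) in self.internal_net:
            return None
        if p.dst != self.external_ip:
            return None
        mapping = self.in_table.get((p.dport, p.src, p.sport))
        if mapping is None:
            return None
        src, sport = mapping
        return Packet(p.src, p.sport, src, sport)


def demo():
    """Constructed traffic: one web request from 10.0.0.5, its reply, an
    unsolicited packet and a spoofed one."""
    gw = AddressTranslatingGateway("10.0.0.0/8", "192.0.2.1")
    out = gw.outbound(Packet("10.0.0.5", 40000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("198.51.100.7", 80, "192.0.2.1", out.sport))
    unsolicited = gw.inbound(Packet("198.51.100.7", 80, "192.0.2.1", 60500))
    spoofed = gw.inbound(Packet("10.0.0.5", 40000, "192.0.2.1", out.sport))
    return out, reply, unsolicited, spoofed


if __name__ == "__main__":
    for name, pkt in zip(("outbound", "reply", "unsolicited", "spoofed"), demo()):
        print(name, pkt)
```

The only address the external host ever sees is 192.0.2.1, and the only way a packet gets inside is by matching a flow that an internal host started.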
Bypassing manoeuvres
Circuit-level gateways have no "congenital" weak points of their own, but once a connection is established they filter only at the circuit level: they cannot examine the content of the packets passing between the internal and external networks at the application level, so the transfer proceeds "blindly". An attacker on the external network can therefore "drag" malicious packets through the gateway and reach the internal Web server directly, and that server may have no protective functions of its own.
In other words, once the handshake has completed successfully, the circuit-level gateway establishes the connection and "blindly" copies and forwards every subsequent packet regardless of its content. To filter the packets of particular network services according to their content, an application-level gateway is needed.
Application level gateways
Like the circuit-level gateway, the application-level gateway intercepts inbound and outbound packets, uses proxy programs that copy and forward information through the gateway, and acts as a proxy server that excludes direct connections between a trusted server or client and the external host. The proxies used by an application-level gateway differ from the pipe proxies of circuit-level gateways in two important ways: they are tied to specific applications, and they can filter packets at the application level.
Application proxies
Unlike pipe proxies, application-level proxies pass only the packets generated by the applications they are meant to serve. For example, a Telnet proxy program can copy, forward and filter only the traffic of the Telnet service. If only an application-level gateway is in use, inbound and outbound packets can be carried only for those services that have a corresponding proxy: a gateway with only FTP and Telnet proxies passes packets of those two services and blocks the packets of all others.
Application level filtration
Unlike circuit-level gateways, which copy and "blindly" forward every packet they receive, application-level proxies check the content of every packet passing through the gateway. Each proxy can filter individual commands or data items in the application-level protocol it is responsible for (FTP, Telnet, HTTP, etc.). For example, the gateway can be configured to prevent clients from using the FTP "put" command (sent on the control channel as the protocol command STOR), which lets a user connected to the FTP server write data to it. Many network administrators prefer to ban this command in order to reduce both the risk of accidental damage to data stored on the FTP server and the chance that an attacker fills the server with gigabytes of junk to exhaust its disk space and disrupt its operation.
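An application-level proxy for the FTP control channel, as an added example that is not from the original article. It also illustrates the previous section: the gateway has proxies for FTP and Telnet only and refuses every other service. The allow list of FTP verbs, the sample session and the wording of the refusal replies are chosen for this example (the numeric reply codes follow the FTP convention); an FTP client's "put" reaches the proxy as STOR, so that is the verb refused.

```python
from typing import Dict, List, Tuple

# Application-level gateway with proxies only for FTP and Telnet (as in the
# text): traffic for any service without a proxy is refused outright.
PROXIED_SERVICES: Dict[int, str] = {21: "ftp", 23: "telnet"}

# FTP protocol commands the proxy forwards.  STOR is what a client sends for
# the user-level "put"; STOU and APPE are the other upload variants.
FTP_ALLOWED = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "PORT",
               "LIST", "NLST", "RETR", "SYST", "NOOP", "QUIT"}
FTP_UPLOAD = {"STOR", "STOU", "APPE"}


def service_for_port(dport: int) -> str:
    """'ftp' or 'telnet' if a proxy exists for the destination port, else 'blocked'."""
    return PROXIED_SERVICES.get(dport, "blocked")


def ftp_proxy_decision(line: bytes) -> Tuple[str, str]:
    """Decide one client line on the FTP control channel.  Returns
    ("forward", normalised line sent on to the server) or
    ("reject", reply the proxy itself sends back to the client)."""
    try:
        text = line.rstrip(b"\r\n").decode("ascii")
    except UnicodeDecodeError:
        # Non-ASCII on the control channel is not a valid command; refuse it.
        return "reject", "500 Syntax error, command unrecognized.\r\n"
    verb, _, arg = text.partition(" ")
    verb = verb.upper()                      # FTP verbs are case-insensitive
    if verb in FTP_UPLOAD:
        return "reject", "550 Permission denied: uploads are not allowed through this gateway.\r\n"
    if verb not in FTP_ALLOWED:
        return "reject", "502 Command not implemented.\r\n"
    forwarded = f"{verb} {arg}\r\n" if arg else f"{verb}\r\n"
    return "forward", forwarded


def run_ftp_proxy(session: List[bytes]) -> List[Tuple[str, str]]:
    """Apply the decision to every client line of a session."""
    return [ftp_proxy_decision(line) for line in session]


# Constructed client side of a session: a download is allowed, an upload is not.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"retr README\r\n",          # lower case on purpose
    b"STOR junk.bin\r\n",        # what the client sends for "put junk.bin"
    b"SITE EXEC rm -rf /\r\n",   # not on the allow list
    b"QUIT\r\n",
]


if __name__ == "__main__":
    for port in (21, 23, 80):
        print(port, service_for_port(port))
    for line, (action, text) in zip(SAMPLE_SESSION, run_ftp_proxy(SAMPLE_SESSION)):
        print(line.strip().decode(), "->", action, text.strip())
```

Because the proxy sits in the middle, a rejected command never reaches the FTP server at all; the client only ever sees the proxy's own reply.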
Other protective functions
In addition to packet filtering, many application-level gateways log everything the server does and, more importantly, warn the network administrator about possible security violations. For example, in the event of an attempted intrusion from outside, the "BorderWare Firewall Server" from Secure Computing records the source and destination addresses of the packets, the times at which the attempts were made and the protocol used. The "Black Hole" product from Milkyway Networks likewise logs all server actions and alerts the administrator to possible violations by e-mail or pager.
Stateful inspection firewalls
These firewalls combine elements of all three categories described above. Like packet-filtering firewalls, they operate on network gateways and filter inbound and outbound packets by checking IP addresses and port numbers. Like circuit-level gateways, they determine whether packets belong to an established session. Finally, like application-level gateways, they assess the content of every packet against the security policy defined by the organisation.
Best performance, best protection?
Like an application-level gateway, a stateful inspection firewall can be configured to reject packets containing particular commands, for example the FTP Put and Get commands. Unlike an application-level gateway, however, it does not break the client-server model of interaction when it analyses application-level data.
An application-level gateway establishes two connections: one between the authorised client and the gateway, and one between the gateway and the external host; it then simply relays information between the two. Despite the high level of protection such gateways provide, this arrangement can hurt performance. Stateful inspection firewalls, in contrast, admit direct connections between clients and external hosts. To provide protection, they intercept and analyse every ... . Instead of proxy programs, stateful inspection firewalls use special algorithms for recognising and processing application-level data; these algorithms compare packets with reference templates, which in theory gives more effective filtering. Because the stateful inspection firewall allows a direct connection between the authorised client and the external host, some hold that firewalls of this category give a lower level of protection than application-level gateways; others take the opposite view.
Conclusions
Stateful inspection firewalls currently provide one of the highest levels of protection for corporate networks and, according to specialists, are not easy to deceive. Nevertheless, one should remember that even these reliable firewalls do not provide 100% security.

Notes
1 FTP (File Transfer Protocol) is a file transfer protocol used to receive or send files between systems on a network.
2 DNS (Domain Name System) is a network naming service used by Telnet, FTP and other services to translate host names into IP addresses.
3 Authentication is a means of checking that the entity sending a message or request holds the necessary authority. To a network user, authentication looks like the password prompt at login; each subsequent operation that requires authentication reuses the identity established when the password was entered. Ideally, neither keys nor the user's password themselves are transmitted over the network.
4 Packet-filtering firewall: a router or a computer running software configured to reject certain kinds of inbound and outbound packets. Filtering is based on information in the TCP and IP headers of the packets (source and destination addresses, port numbers, etc.).
5 Circuit-level gateway: excludes direct interaction between the authorised client and the external host. It accepts a request for a service from a trusted client and, after checking that the requested session is permissible, establishes the connection with the external host. After that it simply copies packets in both directions without filtering.
6 Application-level gateway: excludes direct interaction between the authorised client and the external host. It filters all inbound and outbound packets at the application level of the OSI model; proxy programs tied to the applications forward through the gateway the information generated by specific TCP/IP services.
7 Stateful inspection firewall: checks the content of received packets at three levels: network, session and application. It uses special packet-filtering algorithms that compare each packet with a reference template of authorised packets.