Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
I think the last time I discussed firewalls in one of these articles was about 5 years ago, so I thought it was about time to bring them back up again. As a start, I am writing this article from my laptop which is connected to the world only via wireless. As a result, there are serious security issues associated with my use of this network. Of course someone could get a copy of this article before you do and go and say what I would otherwise have said first, but that's not much of a risk because nobody is in a big rush to be painted as a radical security guru and the total potential loss is not so great that I would worry about it. The big risk seems to come from the keyboard bounce of this laptop, which has a nasty habit of doubling almost every letter I type. Thank goodness for spelling checkers.
Of course when I brought up this wireless network so I could write and cruise the web while using the bathroom, I knew there would be security issues. After all, WEP is defeated, the LAN is wide open to anyone who is war driving, and that means I am pretty much as exposed as if this computer were directly on the Internet just because of the wireless link-up. The real issue I had to cover was the problem of isolating this LAN from the rest of the computers I use so that attackers couldn't exploit the wireless to attack my other computers. Something about peer-to-peer access that is inherently risky and all. The web of trust and like that.
So the firewall I decided to use is a bit strange for most firewallers and naturally I figured I would talk about it. But first, a word from our sponsor...
The firewall I use today was the direct result of my lack of planning. It started out planned well enough all right. I had a firewall back in the mid-1990s that grew out of the need to protect my Sun workstation from the evils of the Internet. Over time it moved to a PC running a Linux version that will remain unnamed - and then to another unnamed Linux version, and finally, about six months ago, push came to shove.
All of my planning ended up in a 3-year-old computer with one too few interfaces for my current needs. So I went to the office supply store and bought 4 LAN cards to plug in to expand the firewall and found out that the box I was using has one too few slots for interfaces. So naturally, I delayed, until... a disk crash.
When the disk crash happened I didn't have the time to really fix the thing, so I used a bootable CD (our White Glove product) and a floppy customization disk - copied the firewall rules from the firewall backups, and was back up and running in short order. I had intended to come back and fix it 'right' later, but later didn't happen again and again until one weekend when I decided to really fix the thing. So of course, I put the network cards in another box, went to transfer to the new box, and naturally, put another CD in the new box, pulled the floppy from the old box (while it was still running the firewall of course), and booted the new box. I plugged wires into hubs, unplugged the old firewall from the same hubs, and the transition was done, except...
OK - so the old coax cable had to be upgraded anyway, so I went out and got a few hundred feet of CAT 5 cable, pulled it through the wireway while pulling the coax out, and had the 4th interface up and running in an hour or so. Now I was almost done. The only thing left - the wireless part... which is where I began this thing in the first place.
Now I was ready for the big move to wireless, but what to do about security? I had a separate interface for the wireless access point, so I connected it up, and got the thing working as a gateway to the Internet. Now I could go to the Internet directly from the wireless network (and vice versa, except for the network address translation making it into a network not routed through the Internet anyway). The problem remained that I wanted to access my printers, file servers and so forth from the wireless computers while protecting them from attack by interlopers. I was also concerned about others using my wireless LAN to warspam the Internet via my connection, but that is a different issue.
The next step was to secure all the computers connecting to the wireless network. Did you hear me right? I think so. As far as I am concerned, my wireless network is on the Internet and attackable from anyone out there. Even if it is not strictly true, it is a good idea to make this assumption because of the ease of getting LAN-like access to the wireless network. So it was...
Yes, you heard me right. The only secure wireless computer is a secure wired computer. And the only hope for a secure laptop is to not run Windows. I wish it were not so, but the truth is simple enough. You cannot reasonably secure Windows when connecting it to the Internet. It is not impossible of course, but it is beyond what you can expect to happen with real users in the real world. They are simply too easy to get insecure and they tend to stay insecure once they get insecure. So, I pulled out my bag of tricks and figured out the real issues.
The real reason we wanted to have wireless in the first place was to be able to do some sorts of work while moving from place to place within our facilities and when at our remote sites and, yes, when on the road. So we needed a way to be road warriors without the security risks of wireless to Windows. And the problem gets even worse. Sometimes we need the functions of Windows for demonstrations or one thing or another. It is rare, but occasionally needed. Our solution was rather different than most. Windows on laptops is only allowed to run stand-alone. We didn't load the network drivers and if you try to plug in your wireless card, it will not work under Windows. So we can do all of our Windows work in the safety of isolation, but this prevents us from using the very things we wanted to use - the wireless LAN capabilities.
Not! It turns out that we can still cruise the web and send and get emails from remote servers and even print things out, all using Linux and various combinations of applications. Of course this means we have to secure the Windows side of the house for network use in the wireless network. Which gets us back to the original issue - the new firewall setup we have.
Our firewall has evolved from a simple two-interface piece of simplicity to the monster 5-interface system of today. It has never been properly specified in detail, but it does have a policy, and several of our LANs are considered outside relative to others of our LANs. We generally have five areas: (1) The Internet, (2) Wireless LAN, (3) Trusted LAN, (4) Protected LAN, and (5) the DMZ.
Internet: We don't trust it and we hope it doesn't trust us. We allow secure shell links to send files to places we want them to go, we pick up mail from servers out there (in the DMZ actually, but that comes later), and we get information from there for use in our other places.
Wireless LAN: This is where our wireless stuff goes. We treat it like the Internet and it deserves to be treated that way. We only use secure workstations there when connected to the Internet. It cannot come into the firewall or anything behind it, but you can drop content on the DMZ servers and load them from your workstation on the inside if you have a business need to do so. You can also attach your wireless system to a printer via the parallel cable if you should need to print something...
Trusted LAN: The trusted LAN is trusted in the sense that its content is considered to be of high integrity as far as the firewall is concerned. If you get into it, you will have to face the internal protection mechanisms and management brutality if you do anything you are not supposed to, which is why our users tend to stay away from it. Good for them, good for us.
Protected LAN: The protected LAN is not really all that protected, but it uses network address translation (NAT) so it is not reachable from the Internet unless it starts the communication (sort of) and of course we only let authorized services out and prevent access to bad places and watch the packets and so on and so forth. They have their printers and computers and so forth, and they are happy and do as they please.
DMZ: The DMZ is for servers, and they are on the Internet as far as we are concerned. They are to protect themselves and they are not trusted. We do boot them from CDs, make backups via the network and load content onto them via secure shell file transfers, but we do not read from the backups except to restore and we do not trust them any more than other servers on the Internet. If something goes wrong, we reboot from CD and reload over the net. It takes a few minutes to get started and up to an hour to do a full restore, and that suits us fine.
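The five-area policy above, written out as an added example (not the author's actual rule set): a small Python model of a default-deny, stateful zone firewall in which the Internet reaches the protected LAN only as the reverse of a connection the protected LAN opened. The zone names, the services allowed per zone pair and the blocked "bad places" range are assumptions drawn from the prose.

```python
import ipaddress
from dataclasses import dataclass

INTERNET, WIRELESS, TRUSTED, PROTECTED, DMZ = "internet", "wireless", "trusted", "protected", "dmz"

# Services a zone may initiate toward another; anything not listed is dropped,
# so wireless reaches the Internet and DMZ but nothing inside the firewall.
ALLOW = {
    (INTERNET, DMZ): {"smtp", "http"},          # published DMZ servers (assumed)
    (WIRELESS, INTERNET): {"http", "https"},    # wireless is a gateway to the net
    (WIRELESS, DMZ): {"ssh"},                   # drop content on DMZ servers
    (TRUSTED, INTERNET): {"ssh"},               # send files out by secure shell
    (TRUSTED, DMZ): {"ssh"},                    # load content from the inside
    (PROTECTED, INTERNET): {"http", "https"},   # authorized services only
    (PROTECTED, DMZ): {"ssh", "pop3", "imap"},  # pick up mail from the DMZ
}
# "bad places" the protected LAN may not reach (constructed sample range)
BLOCKED_DESTS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    src_addr: str
    dst_addr: str

    def reverse(self):
        return Flow(self.dst_zone, self.src_zone, self.service,
                    self.dst_addr, self.src_addr)

class ZoneFirewall:
    """Default deny, stateful: a reply passes only if its forward flow did."""
    def __init__(self):
        self.established = set()

    def allow_new(self, flow):
        if flow.service not in ALLOW.get((flow.src_zone, flow.dst_zone), set()):
            return False
        if flow.src_zone == PROTECTED and flow.dst_zone == INTERNET:
            addr = ipaddress.ip_address(flow.dst_addr)
            if any(addr in net for net in BLOCKED_DESTS):
                return False
        self.established.add(flow)
        return True

    def allow_reply(self, flow):
        # NAT behaviour from the article: the Internet reaches the protected LAN
        # only as the reverse of a connection the protected LAN started.
        return flow.reverse() in self.established
```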
What good is all of this? Is it easy to attack? I guess it must be, but so far we have never had a virus infestation - although we certainly get plenty of spam with viral content, we have never had a serious denial of service (of course right now our ISP is missing 8 of 10 packets, but internally things are still going great), and we have never had a more severe loss than a few days of effort lost since last backups of a file or so.
Why is that? You might reasonably well ask that question. It's not because of our firewall - I'll tell you that. The firewall helps a lot, primarily by making everything relatively safe as long as the people do the right thing and understand what that is. And I guess that is the real point of the firewall anyway...
So now you know the real truth about my firewalls. They evolve from historical conditions, operate on a CD ROM and a floppy disk (write protected except when under maintenance), assume that people do the right thing, and otherwise prevent unauthorized folks from doing bad things.
Our firewalls are completely ineffective when insiders do bad things, except to the extent that they keep some insiders separated from others from time to time. They are only one line of defense, and they do what they are supposed to very well and don't do what they are not supposed to do at all.
Our firewalls are really more defined by what they are not than what they are. They are not replacements for people doing their jobs and understanding how they are allowed to work. They are not virus checkers or email blockers or configuration managers. They are not intrusion detectors, workstation security systems, or encryption devices. They are only what they are purported to be. Devices that hold back certain types of fires for some amount of time and allow those who are behind them to keep from getting burned for a while if they stay behind them and don't open up other ways for fire to come in.
It gets hot out there sometimes, and our firewalls allow us to stay a bit cooler.
About The Author:
Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/