Internet Security Threats: Overview

In an ideal world, firewalls would be unnecessary. Systems could all trust
one another and work together to share information. Unfortunately, this
isn't an ideal world, and malicious people are often interested in intruding
into systems where they don't belong, whether to cause damage, steal
information, or subvert systems for their own purposes.
Internet connectivity has become critical for many companies. Vast
resources are made available by the World Wide Web for many employees, and
E-mail has become a preferred method of communication with many clients,
vendors, and suppliers. Supplying Internet Access company-wide has become
more and more of a priority, but it brings with it potential security risks
that must be examined.
The first problem that can arise is that of intrusion.
There are three intentions behind this. Intruders may enter your system
intending to read information that you have stored on your computers,
they may enter your system in an attempt to change information
that you have, or they may wish to subvert your system to their own ends
(to execute their own programs). "Execute" attacks are, in theory,
the easiest to protect against, while "read" attacks are the hardest to
prevent. Most security models are most concerned with 'change' and 'execute'
attacks, since when those occur the server can be compromised -- i.e.
subverted for other ends. The usual method a hacker uses for this is either
to find an undefended computer system, or to exploit a software bug in one
or more machines and use that to gain entry (see Gotcha #1: Security
Patches). Usually their intent is to subvert the server to modify the web
pages there, to store their own information such as pirated software, or to
use the server to launch denial-of-service attacks.
The second problem of Internet security comes from
snooping, also called packet sniffing. Using this method, an
intruder attempts to intercept data in transit and decode it to obtain
sensitive information, including passwords. In fact, a common practice is
for a hacker to subvert one or more computers on a network and instruct them
to monitor network traffic across the network in order to capture password
information, which can then be used to intrude into other systems on the
network. It's rare for an attacker to snoop on the Internet backbone
itself, since that requires compromising one or more core routers, which are
usually well guarded. The practical exposure is on the networks at either
end of the connection and on any shared segment along the way; traffic that
is not encrypted should be assumed readable by anyone who controls a machine
on those segments.
The third problem of Internet security is created by viruses. Many
recent viruses, as part of their work of infecting a computer system, will
intentionally open one or more security holes in the system, exposing it for
outside control. In some cases they will change system permissions to allow
anyone to access the system; in other cases, they will set up 'fake'
accounts on the system that can then be used for remote access.
The fourth type of security issue involves the actions of internal
employees. Many companies are concerned about their employees' actions
during working hours, such as the use of non-business-related web sites or
abuse of the company's internet connectivity for personal use. A firewall
can be part of a solution to monitor or prevent this.
Finally, there are 'denial of service' (DoS) attacks. A DoS attack usually
causes no permanent damage to data; instead it simply makes the system
unavailable to legitimate users. This includes attacks that tie up all of a
server's resources with useless requests as well as attacks that
intentionally crash a server or take it offline. Many of these are done as
pranks, or indirectly, as part of another attack.
All of these attacks represent a potential threat to your business
operations. A firewall can help protect you against all of these in some
fashion or another, though not all firewall systems provide protection
against all of these methods of intrusion.
A firewall, in its simplest definition, is a device that blocks network
traffic for security reasons. Its purpose is to isolate your network so
that internal traffic can occur free from interference or intrusions from
outside sources. In essence, it's a door -- a portal through which traffic
must pass before entering or leaving your network.
Unlike some real-world security devices, a firewall doesn't have a concept of
'strength'. While enough force can get you through a door, there is no
amount of 'force' that will get one through a firewall. This is because the
firewall actively 'decides' whether to relay the traffic or not. If it
decides not to relay the traffic, then no amount of force will make it begin
doing so.
Instead, what sets apart firewalls from one another is another concept
that comes up in real-world security: discrimination. How effective is the
firewall at discriminating between legitimate traffic and traffic that
presents a threat? The simplest firewall is a pair of wire cutters. Snip!
Nothing's getting through that shouldn't! Unfortunately, a broad-spectrum
approach like this also stops all legitimate traffic.
Firewalls come in many forms: the term itself refers not to a specific
device, but instead to a type of functionality. The following is a
list of common ways firewalls can be implemented:
- Routers. Many routers that connect you to the
Internet provide a simple firewall. However, if it is present, it is
usually of the 'packet filtering' type. The ones included on Cisco routers
are exceptionally good, but still provide only packet filtering
capabilities. Still, this can be sufficient for a small network.
- Low-End Firewalls. There are a
large number of these devices, usually costing between $50 and $150. When
they first came out, they were either so simple as to be ineffective, or
clumsy. However, the newer ones are actually very useful for small networks
and come highly recommended. They are well worth the money. They
provide address translation and firewalling capabilities and will generally
prevent most attacks. They're only really useful for small businesses that
have either nothing or only a single server exposed to the Internet, however.
- Personal Firewalls. These are
pieces of software installed on an individual computer that deflect attacks
only against that computer. They are useful only for small offices or for
home users. In a networked environment, where users are sharing files and
printers, these pieces of software will actively interfere with valid
network operations, causing a large number of apparent bugs. They are not
suitable for a networked environment where anything but Internet access is
occurring.
Firewall configuration is something that should be set up by a network
engineer, not by an end user; a user may, not understanding an option, accept a
harmful connection or unknowingly open a security vulnerability.
- Software Firewalls. These are
generally higher-end pieces of software installed onto a dedicated machine
that cause that machine to act as a firewall server. They are intended
to function as a full-network firewall, which distinguishes them from
personal firewalls. Software such as Check Point's FireWall-1, Cisco's
Centri Firewall, and other packages are intended to handle this problem.
The computer generally has two network cards, and scrutinizes traffic as it
passes between them. Operating systems such as Linux and Windows 2000 offer
some minimal firewalling capabilities natively.
- Hardware Firewalls. These are
dedicated pieces of equipment whose sole purpose is to act to protect your
network security. They are connected between the Internet router and your
network, and scrutinize traffic as it passes through them. Cisco's PIX unit
and WatchGuard's Firebox are two examples of this kind of firewall. These
are distinguished from 'low-end' firewalls by their higher degree of
configurability and power.

Optimistic or Pessimistic

Firewalls can be set up in one of two basic modes. The first, called
optimistic mode, states that all traffic should be allowed,
except what is explicitly denied. Optimistic firewalls are most likely to
be compatible with other applications, since by default they permit each
type of traffic. However, they may be less secure since they cannot defend
against attacks they aren't configured to recognize.
Firewalls configured in pessimistic mode deny all traffic,
except what is explicitly allowed. Chances are if you try to run something
new, like a multimedia program, across a pessimistic firewall, it will fail
until the appropriate exceptions are added to the firewall. However, it is
considered more secure because it protects even against those sorts of
attacks that have not been considered.
Beyond blocking traffic, firewalls can provide a number of related features.
Not all firewalls provide all of them, but most provide at least some. The
common ones are described below.
- Firewalls Establish a Perimeter. A
firewall adds a 'wall' around your network, in much the way a wall was often
built around medieval towns. Gates were built into the wall to provide
access to the city, but scaling the wall was difficult or impossible. The
idea was to limit the number of openings that had to be guarded down to a
manageable few, allowing the town guards to concentrate their attention on
those points.
- Firewalls Divide Your Network. A
firewall can divide your network into discrete pieces: inside (trusted),
outside (untrusted), and, optionally, a DMZ (de-militarized zone) that is
somewhere in between. It can also free you from the addressing constraints
of the outside Internet, allowing you to use a few 'legal' Internet
addresses to provide access to a much larger number of stations inside your
network.
- Firewalls Provide Warnings. Many
firewall packages can log or notify you of attempted intrusions; many
intrusions begin with a 'port scan' looking for vulnerabilities. Many
firewall packages (usually the more expensive ones) can provide advance
warning of these potential impending attacks.
- Firewalls Monitor and Restrict Your Users.
Many of the more advanced firewalling systems can monitor or restrict your
internal users in order to either prevent them from visiting certain web
sites, or to provide you with logging capabilities to determine what they're
doing.
- Firewalls Respond to Attacks. Some
more advanced firewalls can actively respond to attacks in progress by
shutting out the remote system entirely. For example, if a port scan is
detected, some firewalls will automatically begin blocking all
traffic from the originating site for a period of time.
- Firewalls Interfere with Networking.
Unfortunately, this is a side effect of nearly all firewalls. There are
some operations that become more difficult or even impossible through a
firewall. In some cases, this is a necessary cost of doing business. Just
as locks on doors inside your buildings sometimes slow employees down or
even prevent them from doing their jobs temporarily, there are times the
security the firewall provides will interfere with legitimate needs. It's a
trade-off that must be considered when the firewall is
installed.
Implementing a firewall may appear deceptively easy. Some of them claim to
be 'plug and play' -- that you can plug them in, answer a few simple
questions, and be up and running. Unfortunately, networking technology has
not truly reached this point yet.
Any system this simple is making a large number of assumptions
about your network. Many of the low-end firewalls are exceptionally guilty
of this. When those assumptions are wrong, these firewalls can literally
disable your network operations, taking the network down. In addition, they
often come pre-configured from the factory with a list of which services are
acceptable and which are not. However, the needs of every business are
different, and what your company's needs are may differ from the
average.
Network firewall implementation should always be done by an experienced
network engineer. There are many factors to take into account, and
unfortunately the technology has not yet progressed to the point where these
determinations can be made automatically by software. With most firewall
systems, implementing them without a thorough consideration of their impact
on your network can leave you with a non-functional system, open security
vulnerabilities, or services that suddenly become unavailable. What's worse
is that, in many cases, a company feels 'protected' because they have a
firewall -- one that may or may not be doing its job!

The Simplest Firewalls: Packet Filters

When talking about Internet traffic, packets of information are marked to
indicate which 'service' they belong to, whether it be E-mail, World-Wide
Web, FTP, chat programs, and so forth (in practice, the protocol and port
numbers in the packet header). A packet filter enforces a series of rules
(called a "ruleset") on traffic based on where it's coming from, where it's
going to, and the service of which it is part. A packet filter doesn't look
at the content of the traffic, only at the addresses, protocol, and port
numbers in its headers.
A packet filtering firewall is relatively easy to find. All firewall
systems provide this functionality with a greater or lesser degree of
sophistication. In essence, it is the most basic function of a firewall,
and the essence of what they do. Some packet-filtering firewalls can be set
to log, in some fashion, packets which violate one or more rules.
One problem with simple packet filtering is that it does not examine the
content of the data sent or received. It will allow anything into your mail
server or web server; it cannot distinguish valid requests from those
intending to take advantage of a security hole or transmit viruses. Another
problem is that packet filtering will generally not catch denial of service
attacks, because many of them are based on a large quantity of otherwise
allowable traffic.
Also, packet filtering does not provide any services for monitoring or
preventing the actions of internal users. Settings can be made based on the
internal address of the computer, preventing it from going out, but rulesets
to deny specific web addresses or otherwise restrict traffic tend to get
overly complicated very quickly.
A simple packet filter is entirely passive and stateless. It does not change
its behavior based on circumstances, and it does not remember which
connections are in progress, so it must admit reply traffic by a standing
rule (typically on the TCP flags) rather than by recognizing the reply as
part of a session it already allowed.
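To make the optimistic and pessimistic modes described earlier and the packet-filter rules just described concrete, here is an added example in Python (not code from the original article, and not any vendor's rule syntax). The rule format, the addresses, the port numbers and the five sample packets are all constructed for the illustration. It shows the same packets getting different verdicts under a default-allow and a default-deny policy, shows that neither policy can tell a normal web request from an abusive one because the payload is never examined, and shows how a stateless filter has to let reply traffic back in by a standing rule on the TCP flags rather than by recognizing the connection.

```python
"""Stateless packet-filter simulator (added example; not the article's code
and not any vendor's rule syntax). Addresses, ports and packets below are
constructed for the illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # destination port (0 for icmp)
    syn: bool = False       # TCP SYN without ACK, i.e. a new connection attempt
    payload: bytes = b""    # carried along but never examined by a packet filter


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    syn: Optional[bool] = None       # True: new connections only; False: established only

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))


@dataclass
class PacketFilter:
    default: str                                   # "allow" (optimistic) or "deny" (pessimistic)
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # denials, the only thing a filter can report

    def decide(self, p: Packet) -> str:
        """First matching rule wins; the default policy applies when none matches."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                if r.action == "deny":
                    self.log.append(f"rule {i} denied {p.proto} {p.src}->{p.dst}:{p.dport}")
                return r.action
        if self.default == "deny":
            self.log.append(f"default policy denied {p.proto} {p.src}->{p.dst}:{p.dport}")
        return self.default


INSIDE = "10.0.0.0/8"                     # constructed: private addresses used inside
WEB, MAIL = "192.0.2.10", "192.0.2.25"    # constructed DMZ servers

# Optimistic: everything is allowed except an explicit deny list (here the
# Windows file-sharing and RPC ports).
optimistic = PacketFilter("allow", [
    Rule("deny", dst=INSIDE, proto="tcp", dport=p) for p in (135, 139, 445)
])

# Pessimistic: only the DMZ services are reachable from outside. The last rule
# admits non-SYN TCP so that replies to connections opened from inside can
# return; a stateless filter cannot know which replies were actually solicited.
pessimistic = PacketFilter("deny", [
    Rule("allow", dst=WEB, proto="tcp", dport=80),
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("allow", dst=MAIL, proto="tcp", dport=25),
    Rule("allow", proto="tcp", syn=False),
])

# Constructed inbound traffic as seen on the outside interface.
SAMPLE: Dict[str, Packet] = {
    "web_request":     Packet("198.51.100.7", WEB, "tcp", 80, syn=True, payload=b"GET / HTTP/1.0\r\n"),
    "web_oversized":   Packet("198.51.100.7", WEB, "tcp", 80, syn=True, payload=b"GET /" + b"A" * 4096),
    "unknown_service": Packet("198.51.100.7", "10.1.2.3", "tcp", 31337, syn=True),
    "netbios_probe":   Packet("198.51.100.7", "10.1.2.3", "tcp", 139, syn=True),
    "reply_to_client": Packet("203.0.113.9", "10.1.2.3", "tcp", 40000, syn=False),
}


def evaluate(fw: PacketFilter) -> Dict[str, str]:
    """Verdict for each sample packet under the given filter."""
    return {name: fw.decide(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, fw in (("optimistic", optimistic), ("pessimistic", pessimistic)):
        print(label, evaluate(fw))
```

The oversized request and the normal one receive the same verdict under both policies, which is the limitation the next paragraphs describe: the filter never reads the payload. The unknown service on port 31337 is the case where the two modes differ.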

Network Address Translation (NAT)

One of the problems that has occurred due to the growth of the Internet is a
scarcity of IP addresses. In order to participate on the type of networking
in use on the Internet, every computer must have its own address. However,
in most cases, it is difficult to acquire this many 'legal' addresses that
can be directly used on the connected Internet.
However, most computers do not really need a 'legal' IP address. If they
perform only 'client' activities -- sending and receiving E-mail, browsing
web pages, etc. -- then they do not need to be visible from outside the
network. In fact, for security reasons, it's better if they are not!
A firewall that provides NAT functions like a PBX switchboard. Most
organizations with PBX's have far more phones in their offices than they
have phone lines. The PBX takes care of the task of routing the calls to
the correct extension, and selecting which line to use when calls are
placed. NAT works the same way. Your 'outside', legal addresses are your phone
lines; most of your machines inside the network are set up with 'internal'
addresses, like extension numbers. In this way, a large number of machines
can be connected with only a few addresses.
NAT provides another advantage. Since the internal machines have addresses
that are not routable on the public Internet, they cannot be reached from
outside your network. A packet addressed directly to one of them is simply
dropped somewhere along the way, because the Internet literally doesn't know
how to deliver it, and a packet addressed to your public address reaches an
internal machine only if the firewall has a mapping for it: either one
created by that machine's own outbound connection, or one you configured
deliberately to expose a server. Yet internal machines can still make
'outbound' calls -- perform client activities on the Internet. In this way,
access from the outside world can be limited to those machines that truly
have services to provide: web servers, E-mail servers, and so forth. This
greatly limits your vulnerability, though it is no substitute for filtering
rules: whatever you map to the public address is exactly as exposed as it
would be without NAT.
Nearly all firewalls have some form of NAT capability. Some of the more
advanced firewalls can completely hide the internal way your network is
arranged, exposing only the services that you wish to provide and mapping
requests for those services to the machines in a highly abstract fashion.
This, as well, helps prevent outside intrusion.
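As an added example of the mechanism just described (not code from the original article), here is a small NAT gateway simulated in Python. It owns a single public address, creates a translation entry whenever an inside host connects outward, delivers the reply back through that entry, drops unsolicited inbound packets, and exposes one DMZ server through a static port forward. All addresses and packets are constructed. The last step also shows the limitation the article notes later for single-address units: with one public address there is only one slot per port, so a second web server cannot also be exposed on port 80.

```python
"""Simulated NAT gateway with one public address (added example, not the
article's code). Addresses and packets are constructed: 10.0.0.0/8 inside,
192.0.2.0/24 as the DMZ, 203.0.113.1 as the gateway's single public address."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000                                        # first public port handed out
    outbound: Dict[Endpoint, int] = field(default_factory=dict)   # (inside ip, port) -> public port
    inbound: Dict[int, Endpoint] = field(default_factory=dict)    # public port -> (inside ip, port)
    forwards: Dict[int, Endpoint] = field(default_factory=dict)   # static: public port -> server
    dropped: List[Packet] = field(default_factory=list)

    def forward_port(self, public_port: int, target: Endpoint) -> None:
        """Expose one inside service on the public address. With a single public
        IP there is exactly one slot per port: two web servers cannot share :80."""
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} already maps to {self.forwards[public_port]}")
        self.forwards[public_port] = target

    def outbound_packet(self, p: Packet) -> Packet:
        """Rewrite an inside host's packet so it appears to come from the gateway,
        remembering the mapping so the reply can be delivered back."""
        key = (p.src, p.sport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], p.dst, p.dport)

    def inbound_packet(self, p: Packet) -> Optional[Packet]:
        """Deliver a packet arriving from the Internet, or drop it. Anything not
        addressed to the public IP never reaches an inside host: private
        addresses are not routed on the Internet."""
        if p.dst != self.public_ip:
            self.dropped.append(p)
            return None
        target = self.forwards.get(p.dport) or self.inbound.get(p.dport)
        if target is None:                       # unsolicited and not forwarded
            self.dropped.append(p)
            return None
        ip, port = target
        return Packet(p.src, p.sport, ip, port)


def demo() -> Dict[str, object]:
    gw = NatGateway("203.0.113.1")
    gw.forward_port(80, ("192.0.2.10", 80))          # only the DMZ web server is exposed

    # An inside workstation browses an outside site; the reply finds its way back.
    out = gw.outbound_packet(Packet("10.1.2.3", 51000, "198.51.100.7", 80))
    reply = gw.inbound_packet(Packet("198.51.100.7", 80, gw.public_ip, out.sport))

    # An outsider probes the file-sharing port on the public address: no mapping, dropped.
    probe = gw.inbound_packet(Packet("198.51.100.7", 4444, gw.public_ip, 139))
    # The same outsider tries the workstation's private address directly: unroutable.
    direct = gw.inbound_packet(Packet("198.51.100.7", 4445, "10.1.2.3", 139))
    # A legitimate visitor reaches the web server through the static forward.
    web = gw.inbound_packet(Packet("198.51.100.7", 4000, gw.public_ip, 80))
    # A second web server on the same public port cannot be exposed.
    try:
        gw.forward_port(80, ("192.0.2.11", 80))
        second_web = "exposed"
    except ValueError:
        second_web = "conflict"

    return {"outbound": out, "reply": reply, "probe": probe, "direct": direct,
            "web": web, "second_web": second_web, "dropped": len(gw.dropped)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:11} {v}")
```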

Proxy Servers

Within many companies, purchases of items on behalf of the company are not
able to be done by each and every employee. Instead, those purchases must
be passed through a purchasing department or through an employee charged
with requisitioning. An employee who needs a computer part contacts the
purchasing department, and the purchasing department contacts the
appropriate vendors and orders the part. When received, the part is
delivered to the employee. Proxy servers work in just this manner.
When a workstation needs a web page, it is forbidden (usually by a
packet filter) to request the page itself. Instead, it asks a proxy server
for the page it needs. The proxy server downloads the web page from the web
server on the Internet and then delivers it to the workstation. In most
cases, the process is fast enough that it's no slower than doing the
connection directly. In fact, through a process known as caching, it may be
somewhat faster since, after retrieving a document, the proxy server can
store a copy of it and deliver the copy if the page is requested again.
There are three types of proxy servers. The first type, called a
transparent proxy, simply watches the traffic for requests of
a certain type. When a request is seen, it 'captures' the session and
handles the request itself, passing back the results. The system requesting
the web page sees nothing unusual happening; instead, it acts just as if it
would if it had submitted the request directly. This approach is probably
the best, because when properly implemented it will work with any software.
The second type of proxy server is service-based. In this
model, the web browser or E-mail program is specially set up to connect to
the proxy server directly. Unfortunately, only software that is specially
written to use a proxy server may be used in this environment. Software
that does not support this capability will simply fail to work.
The third type of proxy server is software-based. It
combines some of the features of both systems. A special piece of client
software is installed on the client machine and intercepts requests for
internet traffic. When it occurs, the request is automatically forwarded to
the proxy server for action. Of course, the primary disadvantage is that,
without the software component, the internet access will fail.
Proxy servers are useful for several reasons. First, they permit a much
higher degree of monitoring than is possible with packet filtering, since
the full content of the request is available. Attempting to monitor
employee activities through packet filtering is much like trying to randomly
eavesdrop on phone lines, hoping you'll hear something important. With
proxy servers, however, it's much easier to pick out the relevant details,
just as it's much easier to look at a purchase order to see what an employee
is buying.
Second, certain services work very poorly through Network Address
Translation and packet filtering. One common example is the FTP protocol.
Because of how it was originally designed (the server opens a second, data
connection back to the client on a port negotiated during the session), it
is difficult to permit it to function through a normal firewall without
opening the firewall up to all sorts of potentially dangerous traffic. A
proxy server gets around this problem by allowing that one machine to
perform requests on behalf of the entire network, thus limiting the
vulnerability.
A third problem solved by proxy servers is that of user authentication.
Normal network traffic does not contain the notion of 'logging in'; data
simply moves through the wires relatively unimpeded. A proxy server
provides a step where the user's identity can be confirmed, either by
matching it to an already existing login session or by actively asking for a
username and password to go out onto the Internet.
The biggest problem with proxy servers is that they are one more
component with the potential to fail, especially for service-based and
software-based proxies. When a software application or a computer is
purchased, it is not set up, by default, to function with a proxy server.
These settings must be added, or the appropriate software component
installed. In addition, there are some services, such as certain multimedia
or chat services, that will function poorly or not at all through proxy
servers.

User Authentication

The original Internet was not designed around security of any kind. It was
assumed that before joining the Internet a host would be known to be
trusted. Later, it was always assumed that hosts that were connected would
be able to defend themselves against attacks. But it was never presumed
that anyone would want to prevent a computer from communicating with the
Internet.
However, with the change of the Internet from a purely educational and
military network to one with a significant entertainment component, it's
become important for many organizations to place some sort of security and
accountability around its use. To provide this, three things are needed:
the ability to tell who is doing something (identification), the ability to
make sure it's really them (authentication), and the ability to permit or
prohibit access on a user by user basis (authorization).
The IP protocol used on the Internet, though, is not based around
connecting users. It's based around connecting computers together. Normal
routers cannot make distinctions about who is doing something; to them, it's
all simply packets of data to be delivered to the appropriate address. Just
as the telephone company doesn't try to make sure you are who you say you
are when you place a simple local call, routers are concerned only with
getting information where it belongs, not with permissions and
identification.
Firewalls, though, have the ability to potentially check a user's
identity when a session begins, by connecting to a password database of some
kind to validate the user's information. This feature is primarily found in
higher-end firewalls, and is one of the primary advantages they provide.
While proxy servers can also provide this feature, the use of network
authentication extends its reach down to the packet level, providing a
greater degree of security.
Authentication is also important because of the need for accountability.
If a suspicious transaction is performed from a given computer, was it done
by the person who normally sits there or someone using their computer while
they were away from their desk? If we don't want our customer service
representatives to access the Internet, how can we make sure connectivity is
there when an IS Department employee needs to download a driver? The key,
of course, is authentication.
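The proxy section above and the authentication points just made come together in the following added example (not code from the original article): a caching forward proxy in Python that authenticates each request against salted password records, applies a per-group policy (the IS department may fetch drivers, customer service may not), serves repeat requests from its cache, and keeps an audit trail of who requested what. The upstream fetch is an injected function so the example runs offline; the user accounts, passwords, group policy and fake web page are all constructed.

```python
"""Caching forward proxy with per-user authentication, group policy and an
audit trail (added example, not the article's code). The upstream fetch is an
injected function so the example runs offline; user accounts, passwords, the
group policy and the fake web pages are all constructed."""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Set, Tuple

Fetcher = Callable[[str], bytes]
PBKDF2_ROUNDS = 100_000        # assumed work factor; tune for your hardware


def make_password_record(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 digest; the proxy stores this, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Proxy:
    def __init__(self, fetch: Fetcher, allowed_groups: Set[str]):
        self.fetch = fetch
        self.allowed_groups = allowed_groups
        self.cache: Dict[str, bytes] = {}
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.groups: Dict[str, str] = {}
        self.audit: List[Tuple[str, str, int]] = []     # (user, url, status): who did what
        self.upstream_fetches = 0

    def add_user(self, name: str, password: str, group: str) -> None:
        self.users[name] = make_password_record(password)
        self.groups[name] = group

    def authenticate(self, name: str, password: str) -> bool:
        record = self.users.get(name)
        if record is None:
            # Do the same work for an unknown user so response time does not
            # reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)

    def request(self, user: str, password: str, url: str) -> Tuple[int, bytes]:
        """407: not authenticated; 403: authenticated but not permitted; 200: served."""
        if not self.authenticate(user, password):
            self.audit.append((user, url, 407))
            return 407, b""
        if self.groups[user] not in self.allowed_groups:
            self.audit.append((user, url, 403))
            return 403, b""
        if url not in self.cache:                 # fetch once, serve repeats from cache
            self.cache[url] = self.fetch(url)
            self.upstream_fetches += 1
        self.audit.append((user, url, 200))
        return 200, self.cache[url]


def demo() -> Dict[str, object]:
    url = "http://vendor.example/driver.zip"
    pages = {url: b"PK\x03\x04 constructed driver archive"}   # constructed upstream content
    proxy = Proxy(fetch=lambda u: pages[u], allowed_groups={"is_department"})
    proxy.add_user("alice", "correct horse battery staple", "is_department")
    proxy.add_user("bob", "hunter2", "customer_service")

    first = proxy.request("alice", "correct horse battery staple", url)   # fetched upstream
    second = proxy.request("alice", "correct horse battery staple", url)  # served from cache
    bob = proxy.request("bob", "hunter2", url)                            # right password, wrong group
    bad_pw = proxy.request("alice", "wrong", url)
    no_user = proxy.request("mallory", "anything", url)
    return {"first": first[0], "second": second[0], "bob": bob[0], "bad_pw": bad_pw[0],
            "no_user": no_user[0], "upstream_fetches": proxy.upstream_fetches,
            "body_ok": first[1] == second[1] == pages[url], "audit": proxy.audit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit list is the accountability record the section asks for: it ties each URL to an authenticated user rather than to whichever workstation happened to send the request.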

Content-based Firewalling

One advantage of a firewall, especially one that functions via a
transparent proxy, is the ability to examine not just the fact that a
connection is occurring, but instead the type of information being
transferred. For example, it is well known that a large number of viruses
attach themselves to E-mail messages with a '.VBS' extension. Wouldn't it
be nice to be able to strip out those '.VBS' files while still letting
'.DOC' and '.XLS' files through? A content-based firewall can make these
decisions and many more.
Perhaps administrators are concerned about the negative effects of Java
applets on machines that might not be secured properly. With a click, those
can be turned off globally and prevented from working. Of course, this
disables all Java-based interaction with the outside world, but it
may be decided this does not cause any serious problems for the company.
Of course, this is not a replacement for having a virus scanner or
applying the proper security patches. However, it can be an extra line of
defense while a problem is being addressed or simply to increase the level
of protection through a multi-layer strategy.
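Here is an added example of the attachment decision described above (not code from the original article): a Python filter that uses the standard library's email package to parse a MIME message, drop any attachment whose final extension is on a blocked list, and pass the rest of the message through untouched. The message, the addresses and the blocked-extension list are constructed for the example, and the list goes beyond the article's '.VBS' case to other script and executable types. The decision is made on the last extension, case-insensitively, so a double-extension name like Invoice.TXT.VBS is still caught.

```python
"""Strip attachments with dangerous extensions from a MIME message while
letting ordinary documents through (added example, not the article's code).
The message is constructed; the extension list is an assumed policy."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Tuple

BLOCKED_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat", ".js"}   # assumed policy


def build_sample_message() -> bytes:
    """A constructed message carrying one spreadsheet and one script."""
    msg = EmailMessage()
    msg["From"] = "partner@example.net"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached, please review.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed workbook bytes",
                       maintype="application", subtype="vnd.ms-excel", filename="Q3.xls")
    msg.add_attachment(b'MsgBox "constructed script body"',
                       maintype="application", subtype="octet-stream",
                       filename="Invoice.TXT.VBS")     # double extension, mixed case
    return msg.as_bytes()


def blocked(filename: str) -> bool:
    """Decide on the final extension, case-insensitively, ignoring trailing spaces."""
    ext = os.path.splitext(filename.strip().lower())[1]
    return ext in BLOCKED_EXTENSIONS


def strip_blocked_attachments(raw: bytes) -> Tuple[bytes, List[str]]:
    """Return the message with blocked attachments removed, plus their names."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart():
        return raw, []
    kept, removed = [], []
    for part in msg.iter_parts():
        name = part.get_filename()
        if name and blocked(name):
            removed.append(name)
        else:
            kept.append(part)
    msg.set_payload(kept)            # same headers and boundary, fewer parts
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> List[str]:
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def body_text(raw: bytes) -> str:
    msg = message_from_bytes(raw, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content().strip()


if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample_message())
    print("removed:", removed)
    print("remaining:", attachment_names(cleaned))
```

Only the top-level parts are examined here; a production filter would also descend into nested multipart containers and archives, which is where the effort in real content filters goes.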
This level of discrimination is not possible with packet filters simply
because of the need to examine the content of what's being transferred. The
ability to discriminate more finely between 'allowed' and 'disallowed'
traffic improves the ability of a firewall to provide protection without
impeding functionality. Only the higher-end firewalls provide this feature.

Active Firewalling

Active firewalling is the ability of a firewall to detect intrusions and
denial-of-service attacks in progress and to shut them down automatically.
An incoming port scan or an attempt to log in from the outside world will
cause the firewall to shut down communications with that source for a
period of time. This has two benefits.
First, it is intended to discourage potential attackers by greatly
increasing the time required between attempts. Most automated scripts will
simply move on,
assuming that connectivity has been lost, and attempt to locate a different
host. In addition, while obviously the firewall detected and blocked the
first incoming attempt to violate security, it is feared that the attacker
might continue to probe security if not stopped and perhaps locate another
vulnerability that was not so well guarded.
There are other forms of active firewalling, such as techniques to halt
denial of service attacks that simply detect an excess of traffic and stop
passing it through to the target, thus shielding it from the attack. Still
other forms consist of automatically tracing back attacks and recording
logging information and even automatically notifying the originating
Internet Service Provider of the attacks.
However, there is a down-side to active firewalling. Sometimes,
innocuous packets will be interpreted as an attack. A remote network may
have gotten infected with a virus, and as a result the firewall shuts down
all communication with that remote site, making them unable to transact
business with you. A 'reactive' firewall policy can, if improperly set up,
turn into a 'reactionary' policy that pre-emptively shuts down communication
when it is not warranted. This feature must be enabled with care.
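The following added example (not code from the original article or any vendor's log format) implements the scan response described here and under 'Firewalls Respond to Attacks' above, including the caveat in the last paragraph. It reads constructed firewall denial lines in Python, counts distinct destination ports per source within a time window, blocks a source that crosses the threshold for a fixed period, lets the block expire, and keeps a partner's monitoring host on an allow-list so that it raises an alert instead of cutting off a site you do business with. The thresholds, the log format and the sample lines are all assumed.

```python
"""Port-scan detection with a temporary automatic block over constructed
firewall log lines (added example, not the article's code or any vendor's
log format). Thresholds, the partner allow-list and the lines are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed log format: "<unix time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<t>\d+) DENY (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class ScanResponder:
    threshold: int = 10            # distinct destination ports from one source...
    window: int = 60               # ...within this many seconds counts as a scan
    block_seconds: int = 600       # how long the source is shut out
    never_block: Set[str] = field(default_factory=set)    # partners whose loss would hurt more than the scan
    hits: Dict[str, List[Tuple[int, int]]] = field(default_factory=lambda: defaultdict(list))
    blocked_until: Dict[str, int] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)
    suppressed: int = 0            # packets ignored because the source was already blocked

    def is_blocked(self, src: str, now: int) -> bool:
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                 # block expired: a reactive policy must let go again
            del self.blocked_until[src]
            return False
        return True

    def feed(self, line: str) -> None:
        m = LOG_RE.match(line)
        if not m:
            return
        t, src, dport = int(m["t"]), m["src"], int(m["dport"])
        if self.is_blocked(src, t):
            self.suppressed += 1
            return
        recent = [(ts, p) for ts, p in self.hits[src] if t - ts <= self.window]
        recent.append((t, dport))
        self.hits[src] = recent
        distinct = {p for _, p in recent}
        if len(distinct) < self.threshold:
            return
        if src in self.never_block:
            self.events.append(f"{t} ALERT scan-like traffic from allow-listed {src} ({len(distinct)} ports), not blocked")
        else:
            self.blocked_until[src] = t + self.block_seconds
            self.events.append(f"{t} BLOCK {src} for {self.block_seconds}s ({len(distinct)} ports in {self.window}s)")
        self.hits[src] = []          # start counting afresh after acting


def sample_log() -> List[str]:
    """Constructed denials: a scanner, a business partner's monitoring host, and a normal visitor."""
    lines = [f"{1000 + i} DENY tcp 198.51.100.7:{40000 + i} -> 203.0.113.1:{p}"
             for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 143, 443))]
    lines += [f"{1100 + i} DENY tcp 203.0.113.9:{41000 + i} -> 203.0.113.1:{p}"
              for i, p in enumerate(range(8000, 8012))]
    lines += [f"{1200 + i} DENY tcp 203.0.113.50:{42000 + i} -> 203.0.113.1:{p}"
              for i, p in enumerate((80, 443, 25))]
    lines.append("1300 DENY tcp 198.51.100.7:45000 -> 203.0.113.1:3389")   # inside the block window
    lines.append("2000 DENY tcp 198.51.100.7:45001 -> 203.0.113.1:3389")   # after it expired
    return lines


def run(lines: List[str], responder: ScanResponder) -> Dict[str, object]:
    for line in lines:
        responder.feed(line)
    return {"events": responder.events, "blocked": dict(responder.blocked_until),
            "suppressed": responder.suppressed}


if __name__ == "__main__":
    result = run(sample_log(), ScanResponder(never_block={"203.0.113.9"}))
    for e in result["events"]:
        print(e)
    print("suppressed:", result["suppressed"], "currently blocked:", result["blocked"])
```

Run without the allow-list, the same log would cut off the partner host at 203.0.113.9 as well, which is exactly the 'reactionary' outcome the paragraph above warns about.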

Virtual Private Networking and Tunneling

One final feature that many firewalls provide is Virtual Private
Networking (VPN) support. Sometimes it's desirable to be able to give
someone on the net 'extra' privileges on your network, or even full access
to it. An example would be a branch office that also has an internet
connection, or a customer who needs access via the Internet to services
provided by one of your servers, or a telecommuting employee working from
home. VPN provides this solution.
A VPN functions by setting up a 'tunnel' through the firewall through
which traffic can pass. Think of the tunnel as a virtual data highway
tunneled through the mountain that is your firewall. The tunnel provides an
exception to the rule -- data passing through this tunnel is considered
trusted, even though the way it arrives is not.
In order for the tunnel to be established between the two sites,
authentication must be performed. The two ends of the tunnel must have some
way to recognize each other, to validate that they are, in fact, who they
say they are. Sometimes this can be as simple as recognizing one another's
Internet addresses; in other cases, the use of a password, a smart-card
encryption key, or a hardware security device may be required. However, the
general rule is the same -- the tunnel is available only to authorized
users.
Since the data being transferred may well be of a sensitive nature and
might even contain passwords and other data that would permit an attacker to
establish their own tunnel, it's important that the information not be
viewable by any third party. For this reason, the data is sent using an
encryption scheme -- a code just like the ones used in World War II to
communicate with ships at sea. Anyone could receive the messages, and the
enemy often did, but (it was hoped) only those with the proper encryption
key -- the codebook -- could decipher the message. The same
technology, albeit much more sophisticated, is used today to protect the
privacy and security of these tunnels.
VPN tunnels use a bewildering variety of protocols, encryption schemes,
and sometimes incompatible authentication schemes. This is still a new
technology, and with time the playing field will be emptied of all but the
strongest participants. VPN technology is something that should be set up
by an experienced network engineer.
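To show the two requirements this section describes, mutual authentication of the tunnel ends and protection of the data in transit, here is an added example in Python using only the standard library. It is not code from the original article and not any real VPN protocol (IPsec and the others differ in detail); it is a minimal construction of the same ideas. Each end proves knowledge of a pre-shared key without ever sending it, by answering a challenge that binds both names and both fresh nonces; both ends then derive session keys and exchange frames that are encrypted, authenticated with a MAC, and numbered so a replayed frame is rejected. The pre-shared key, names and packet contents are constructed; real deployments provision the key out of band.

```python
"""Mutual challenge-response authentication and protected tunnel frames using
only the standard library (added example, not the article's code and not a
real VPN protocol). The pre-shared key and packets are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PSK = hashlib.sha256(b"constructed pre-shared key for the example").digest()


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so no two argument lists collide."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key: bytes, sender: bytes, seq: bytes, data: bytes) -> bytes:
    """Stream cipher built from the PRF; the (sender, seq) pair is never reused."""
    stream = b"".join(prf(key, b"ks", sender, seq, i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEnd:
    def __init__(self, name: str, psk: bytes):
        self.name = name.encode()
        self.psk = psk
        self.nonce = os.urandom(16)      # fresh per handshake: makes proofs unreplayable
        self.peer: Optional[bytes] = None
        self.enc_key = self.mac_key = b""
        self.seq_out = 0
        self.seq_in_next = 0

    def hello(self) -> Tuple[bytes, bytes]:
        return self.name, self.nonce

    def prove(self, peer_name: bytes, peer_nonce: bytes) -> bytes:
        """Proof that we hold the PSK, bound to both identities and both nonces."""
        return prf(self.psk, b"auth", self.name, peer_name, self.nonce, peer_nonce)

    def verify(self, peer_name: bytes, peer_nonce: bytes, proof: bytes) -> bool:
        expected = prf(self.psk, b"auth", peer_name, self.name, peer_nonce, self.nonce)
        if not hmac.compare_digest(expected, proof):
            return False
        # Both ends order the (name, nonce) pairs the same way, so they derive the same keys.
        a, b = sorted([(self.name, self.nonce), (peer_name, peer_nonce)])
        self.enc_key = prf(self.psk, b"enc", a[0], a[1], b[0], b[1])
        self.mac_key = prf(self.psk, b"mac", a[0], a[1], b[0], b[1])
        self.peer = peer_name
        return True

    def seal(self, plaintext: bytes) -> bytes:
        """Frame = seq || ciphertext || tag (encrypt-then-MAC)."""
        assert self.peer is not None, "handshake first"
        seq = self.seq_out.to_bytes(8, "big")
        self.seq_out += 1
        ct = keystream_xor(self.enc_key, self.name, seq, plaintext)
        return seq + ct + prf(self.mac_key, b"frame", self.name, seq, ct)

    def open(self, frame: bytes) -> Optional[bytes]:
        """None for a forged, corrupted or replayed frame; otherwise the plaintext."""
        if self.peer is None or len(frame) < 40:
            return None
        seq, ct, tag = frame[:8], frame[8:-32], frame[-32:]
        if not hmac.compare_digest(prf(self.mac_key, b"frame", self.peer, seq, ct), tag):
            return None
        n = int.from_bytes(seq, "big")
        if n < self.seq_in_next:          # already seen: replay
            return None
        self.seq_in_next = n + 1
        return keystream_xor(self.enc_key, self.peer, seq, ct)


def demo() -> dict:
    hq, branch = TunnelEnd("hq", PSK), TunnelEnd("branch", PSK)
    # Each side sends (name, nonce), then a proof over both nonces; each verifies the other's.
    hq_accepts = hq.verify(*branch.hello(), branch.prove(*hq.hello()))
    branch_accepts = branch.verify(*hq.hello(), hq.prove(*branch.hello()))

    frame = branch.seal(b"payroll export for 10.9.0.5")
    delivered = hq.open(frame)
    replayed = hq.open(frame)                       # same frame again
    tampered = bytearray(frame)
    tampered[12] ^= 0x01                            # flip one ciphertext bit
    forged = hq.open(bytes(tampered))

    # An impostor who knows the branch's name but not the key is refused.
    hq2 = TunnelEnd("hq", PSK)
    impostor = TunnelEnd("branch", hashlib.sha256(b"guessed key").digest())
    impostor_accepted = hq2.verify(*impostor.hello(), impostor.prove(*hq2.hello()))

    return {"hq_accepts": hq_accepts, "branch_accepts": branch_accepts, "delivered": delivered,
            "replayed": replayed, "forged": forged, "impostor_accepted": impostor_accepted,
            "on_the_wire_readable": b"payroll" in frame}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Keying each direction's keystream with the sender's name is what keeps the two ends from reusing the same keystream for their own frame number zero; forgetting that is the classic way a home-made tunnel loses confidentiality.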
You can spend as much -- or as little -- on a firewall solution as you want.
The difference is discrimination: how effective the firewall is at
telling legitimate traffic from dangerous traffic. The above features
provide an overview of some of the technologies currently in use. There are
many more. Right now, this fledgling field is filled with an alphabet soup
of hopeful standards hoping that they will survive the test of the market.

Windows Networks

Windows 95, 98, and Millennium Edition ship with virtually no security at
all. Their security system is, frankly, a joke, intended primarily to make
end users feel more comfortable. By default, sharing your hard drive or a
portion thereof makes that section available for reading (and, often,
writing) by anyone who can access the machine, and often doesn't even
require a password. Most users don't understand how to do the extra steps
necessary to require a password to connect, and this leaves most
workstations vulnerable to intruders who may wish to connect. While it's
possible to protect these systems without a firewall, each workstation's
settings must be carefully configured, and an end user can easily change
these settings, unknowingly exposing their machine (and potentially the
entire network) to risk.
Windows NT and Windows 2000 possess a powerful, robust security system
that is left wide open by the default settings when the system is installed.
File systems are marked "Everyone: Full Control" by default, and when a new
share is created, it is marked the same way. In Windows NT and Windows 2000
both, "Everyone" means literally that: Everyone. Not just legitimate users.
Not just your receptionist or your accounting workers inside the network.
Everyone, including a random teenager sitting in his bedroom at home and
looking for fun, if the machine can be reached from the Internet. Once
again, it's possible to lock this down, but it requires enough of an effort
to be sure that everything is covered that it's best to also use a firewall
to limit the number of potential security holes that could be exploited.
Every organization of more than a few people should have some kind of
firewall, even if it is just an access list on a router blocking the ports
by which Windows NT and Windows 2000 communicate: NetBIOS on ports 137
through 139, SMB over TCP on port 445 (Windows 2000), the RPC endpoint
mapper on port 135, Kerberos on port 88, and LDAP on port 389. That at
least will prevent the most obvious attacks and provide a second layer of
security. The ability to perform network address translation is also
useful.
The only organizations that can legitimately justify not using a
firewall are Internet Service Providers, who make their business out of
providing connectivity to their customers, and for whom the possibility of
blocking a customer's access to some needed Internet service would be highly
detrimental. All other organizations should implement some form of
firewall.
I do not recommend personal (software) firewalls for anyone who wishes to
share files and directories. A personal firewall typically discriminates
poorly, if at all, based on the source of the traffic, and they usually
aren't very configurable.
Instead, consider one of the inexpensive low-end firewalls. The ones made
by Netgear are excellent in my experience, and provide a lot of
configurability for a very low price (under $150, typically). The primary
limitation a lot of these systems have is that they can only utilize a
single outside ('legal') IP address to expose to the Internet. So, for
example, you could not have two World Wide Web servers on the same internal
network using different addresses.
A network engineer should analyze the organization's networking needs and
determine the optimum system and configuration required. Just as anything
but the smallest and simplest office should not rely on a building security
system that is packaged in a box and sold at a retail store, so it should
have its firewall professionally installed and configured.