Welcome to Volume 2, Issue 12 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
In this issue, Avi Fogel discusses boundary and host-resident firewalls. Some argue that boundary firewalls are obsolete, fundamentally incapable of providing adequate security in today's internetworking environments, inherently incapable of dealing with latency-sensitive (stream) traffic--and that host-resident firewalls are sufficient. Others argue that a host-resident firewall model is administratively intense, doesn't scale geographically, and is not particularly well-suited to securing legacy environments--in these environments, boundary firewalls are necessary. Avi considers both models, and offers real-world examples of organizations that have considered both and arrived at different conclusions regarding the firewall model that provides what is necessary AND sufficient.
In an earlier column, "What I worry about", TISC Insight, Issue 1, December 3, 1999, Marcus Ranum expressed concern that technological change might render the firewall obsolete. He was, of course, discussing the traditional boundary firewall. His fear stemmed from the fact that the very environments that firewalls strive to protect have changed, and that inbound-only protection is inadequate given the bi-directional nature of today's potential attacks. He correctly envisioned systems being infected and used as launch pads for denial of service attacks. His concern was soon validated with the massive DDoS attacks of February 2000.
Marcus alluded to the changing nature of networks from simple environments with sophisticated users who conscientiously monitored file transfers to the permeable environments of today where unsuspecting users nonchalantly punch holes in their network security as they point-and-click Internet icons and links. Time has proven Marcus right when he said, "I think the only answer is to begin fortifying hosts, rather than relying on boundary firewalls."
In his white paper "Distributed Firewalls", Steve Bellovin of AT&T Research Labs expresses the same concerns, arriving at the same conclusion: "Conventional firewalls rely on the notions of restricted topology and controlled entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point--the firewall--is to be trusted, and that anyone on the other side is, at least potentially, an enemy. The vastly expanded Internet connectivity in recent years has called that assumption into question. We propose a "distributed firewall", using IPSEC, a policy language, and system management tools. A distributed firewall preserves central control of access policy, while reducing or eliminating any dependency on topology."
Protecting the network by securing it at the host computer level is a model more conducive to an e-Business environment than the traditional bottleneck architecture. In securing the network by protecting the data silos on it, a finer granularity of protection can be implemented without constricting packet traffic.
But don't look for the sudden demise of the boundary firewall. Our experience indicates that there will be room for co-existence of the traditional firewall and distributed, host-resident firewalls for the foreseeable future. This brief article is an unscientific look at some distributed, host-resident firewall users, why they adopted and how they implemented the technology.
Customer choices are being driven by business needs. Some of the variables for the firewall decision include: sources and nature of threats, demands for performance, real or anticipated growth rate, price/value issues, availability considerations, composition of the legacy network, the ability to install and manage a firewall locally, and the need for security policy flexibility.
The main disadvantage in implementing a boundary firewall is in the topology. Once through the single point of protection afforded by a boundary firewall, a network is totally vulnerable to a miscreant. Boundary firewalls also assume that all perpetrators come from the outside, an assumption proven dramatically wrong by multiple industry surveys and numerous security incidents. In addition, boundary firewalls experience a performance degradation as the number and capacity of connections grow and their packet-per-minute processing ability is exceeded. A host-resident firewall has the advantages of processing only those packets addressed to the host it protects and (typically) of working in operating system kernel-mode. Attacks are identified at the kernel level before they get to the protocol stack, when it is too late. Compared to proxy firewalls, where packets must traverse the protocol stack for security processing, host-resident firewalls impose little latency. And whereas traditional firewalls have latency problems when processing streaming traffic, host-resident firewalls process traffic as it goes through the Network Interface Cards (NICs).
Nevertheless, for monitoring multiple types of inbound traffic, many security-conscious organizations such as certain financial and government institutions and high-end B2B companies will not do away with the boundary firewall, because of its centralized, first level capabilities. A security-sensitive organization is apt to deploy host-resident firewalls in addition to the boundary ones in a multi-level design for high security. The rules are not hard and fast, however. Where performance is the paramount factor, as is the case with online brokerage and large transaction sites, distributed, host-resident firewalls might be used to replace boundary firewalls.
Price/value is an issue with many customers. A boundary firewall can cost an order of magnitude more than a single host-resident firewall. This means that network administrators with limited numbers of servers to protect should be considering host-resident solutions. There are other benefits to consider vis-à-vis the boundary firewall.
Traffic between internal nodes can be monitored and filtered on a bi-directional basis. This type of capability would have prevented some of the Zombie attacks of February 2000 that emanated from compromised internal servers. By serving at the single workstation and server level, infinite scalability (directly proportional to the number of machines) and high availability (no single point of failure and increased mean-time-between-failures, MTBF) are provided. When distributed throughout a network on a server farm in an ASP, for instance, host-resident firewalls enable varying security policies to be implemented; i.e., they offer host-level granularity for security policy implementation. This is handy, perhaps essential, if you are an ASP with several different and possibly competing customer servers operating next to each other. Distributed, host-resident firewalls can also be centrally administered to simplify the policy provisioning, monitoring, and maintenance tasks across an organization where uniform policy is required. For workstations and laptops, a single policy can be pushed out to protect an organization's machines connected directly to the corporate network or remotely through high-speed Internet connections.
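As an added illustration (not code from the article or from any vendor it mentions), the following Python model shows the behaviour described in the two preceding paragraphs: a central store pushes a per-host rule set, and each host-resident firewall examines only traffic to or from its own address, in both directions, with default deny. The addresses, tenants and ports are constructed for the example; a real product would enforce this in the kernel rather than in user-space Python.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port
    proto: str = "tcp"

# Constructed central policy store: one rule list per protected host.
# Rule = (direction, peer network, destination port, action); anything
# unmatched is denied. Addresses and tenants are invented for the example.
CENTRAL_POLICY = {
    # Tenant A's web server: serve web to anyone, talk out only to the resolver.
    "10.0.0.10": [
        ("in",  "0.0.0.0/0",    80,  "allow"),
        ("in",  "0.0.0.0/0",    443, "allow"),
        ("out", "10.0.0.53/32", 53,  "allow"),
    ],
    # Tenant B's server on the same segment: web plus SSH from one jump host.
    "10.0.0.20": [
        ("in",  "0.0.0.0/0",    80,  "allow"),
        ("in",  "10.0.9.5/32",  22,  "allow"),
        ("out", "10.0.0.53/32", 53,  "allow"),
    ],
}

class HostFirewall:
    """Model of one host-resident firewall holding only its own pushed rules."""

    def __init__(self, host_ip, central_policy):
        self.ip = host_ip
        self.rules = central_policy.get(host_ip, [])  # pushed from the central store

    def decide(self, pkt):
        # Only traffic to or from this host is ever examined here.
        if pkt.dst == self.ip:
            direction, peer = "in", pkt.src
        elif pkt.src == self.ip:
            direction, peer = "out", pkt.dst
        else:
            return "ignore"
        for rule_dir, net, port, action in self.rules:
            if (rule_dir == direction and port == pkt.dport
                    and ip_address(peer) in ip_network(net)):
                return action
        return "deny"  # default deny in both directions
```

Because outbound traffic is evaluated too, a compromised tenant server attempting to flood an outside address is denied by its own host firewall, and neighbouring tenants cannot reach each other's management ports even though they share a segment.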
Distributed, host-resident firewalls have made rapid strides in fulfilling the vision of providing security for an open Internet environment. Many vendors provide workstation or personal firewalls. Some provide server firewalls and a small number provide centralized enterprise-level management tools.
The Center for Organizational Research and Development, Southern Illinois University, Edwardsville. Studies are performed for many governmental entities that require security and discretion. Finished research products are typically communicated via e-mail. Hacking was detected by the system administrator, who immediately began a search for a security solution. This solution would secure the Center's web and e-mail servers autonomously, but complementary to, the larger campus network. Distributed, host-resident firewalls were selected for the servers. These protect against both internal and external attacks and were easily installed and maintained locally.
The Bethune-Cookman College website provides general information about the college and serves as a front end to a system offering student access to class information and grades. "We have a lot of students, many of whom are Computer Science majors who like to test the security," said Henry Butts, the web master and IIS administrator. "Currently we get between 50-75 hack attacks a day, mostly port spoofs or people trying out hacking programs. They attack from within the campus or from home seeking open ports. When they find an open port, they may use a brute force attack utilizing a password generator." Mr. Butts reports that no attacks have been successful since installing a host-resident firewall solution on the Web server.
BIZynet is an ISP/ASP providing web and e-commerce design, application hosting, web hosting and e-mail outsourcing. They sought high security with high performance, with the main emphasis on performance. "We chose not to implement the [traditional] type of architecture because we knew the performance overhead would be unacceptable for the types of things we do. The embedded firewall approach enables us to maximize performance but still get the intrusion prevention we need."
Intellinetics is a provider of document management, document imaging, and mass-storage data systems for government and private sectors. Because many customers are government entities, a multi-layered security approach was implemented. All servers on the network are being protected by host-resident firewalls, but the company also deployed a perimeter firewall for additional protection.
Multiband Communications provides Montana with high-speed Internet access. In addition to DSL service, the company offers 56Kbps Internet connections and dedicated lines, customized computing and networking solutions. "We are building a highly scalable, fault-tolerant connectivity environment," said Scott Kabler, Technical Director of Multiband. "We have partnered with major suppliers in the computer and communications equipment industry in anticipation of expanding our service offering to an interstate model." The company has a heterogeneous network, composed of both Linux and Windows NT servers. They implemented a boundary firewall to protect the Linux network segment. In addition, they installed distributed host-resident firewalls on their Windows NT servers. This provided intrusion detection with high performance and easy scalability for the more vital network segment. This "hybrid" solution demonstrates the need for flexibility in real world customer examples.
While distributed, host-resident firewall solutions are still new, they have emerged onto the security scene quite dramatically this year, in large part due to the visible DDoS attacks experienced earlier in the year and the significant growth in broadband communications. They are rapidly proving themselves as "must have" security tools. While they address many customer application environments, most customers will deploy them either as a replacement for traditional firewalls in specific application environments, such as web servers, or in addition to the boundary firewall to protect internal critical hosts or to secure broadband-connected hosts.