Instant Internet
Security Guide


"Security Firewalls" and Why You Need Them
You need to secure your computer network against break-ins just as you secure your building against unauthorized physical entry.

The Internet is a system of linked networks that communicate through the use of a common protocol, TCP/IP (Transmission Control Protocol / Internet Protocol).

The Internet is a marvel of sophistication. It runs with no central operator, through a distributed set of rules for relaying messages and control. Its efficiency has come about after years of evolution.

Messages that get lost, go to the wrong place, or seemingly travel forever looking for their destination have been tracked down by the people who keep the Internet going. The components and protocol designs that cause such problems are then changed so that messages are routed properly.

These Internet fixers follow the course of traffic by extracting the standard status information provided by the gateways and hosts that connect to the Internet.

A little of that standard information, gathered from here and there and put together, can give a potential intruder the map he needs to reach your TCP/IP network over the Internet Protocol (IP).

For example, nearly every node will answer a "Ping" request (an ICMP echo request) to tell you that it is there and alive. Responding to Ping is built into virtually every TCP/IP protocol stack on Internet hosts. Network administrators depend on this, along with other status information, to manage their networks effectively. So do hackers and other unauthorized intruders.

A completely unguarded network has all its private data, as well as its stability, at the mercy of ill-motivated outsiders. It is even easier to exploit than a car left with the keys in it and the doors unlocked.

Since IP packets generated outside normally flow into every TCP/IP network connected to the Internet as part of ordinary Internet participation, the traditional solution has been to erect a "firewall" to guard against intruders.

What does a firewall do?
An Internet firewall blocks unauthorized users from gaining access to the internal network and its components and workstations. More extensive firewalls can completely "hide" the connected workstations on your network from prying eyes.

However, the Internet firewall needs to permit authorized and desirable operation to continue unimpeded. A cascaded set of security barriers can make using the Internet so uncomfortable and burdensome for the local network users that it becomes useless.

The more complicated a firewall becomes, the more necessary it is to provide logging and audit trails of the events that it has allowed, as well as the events that it has denied. Using this log, a system administrator can track down attempts to bypass the security. It also helps bring attention to user problems resulting from overzealous constraints.

While having such a log is clearly valuable, keeping it useful may take more than just reading it. For example, it may become necessary to write analytical programs to automate the investigation.
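The two uses of the log described above, tracking attempts to get past the security and spotting users hurt by overzealous rules, are illustrated here by an added example. It is not code from the original page or from any Damar Group product. The log line layout, every address (taken from the documentation ranges) and every timestamp are constructed for the example; a real firewall's log format will differ, so the regular expression is the part a practitioner would adapt.

```python
import re
from collections import defaultdict

# Constructed sample log. The line format, addresses and timestamps are
# invented for this example; real firewall logs use their own layouts.
SAMPLE_LOG = """\
1996-11-26 10:03:12 DENY tcp 203.0.113.9:3311 -> 192.0.2.7:21
1996-11-26 10:03:12 DENY tcp 203.0.113.9:3312 -> 192.0.2.7:23
1996-11-26 10:03:13 DENY tcp 203.0.113.9:3313 -> 192.0.2.7:25
1996-11-26 10:03:13 DENY tcp 203.0.113.9:3314 -> 192.0.2.7:79
1996-11-26 10:03:14 DENY tcp 203.0.113.9:3315 -> 192.0.2.7:111
1996-11-26 10:04:01 ALLOW tcp 192.0.2.7:1044 -> 198.51.100.80:80
1996-11-26 10:04:05 DENY udp 192.0.2.12:1051 -> 198.51.100.53:53
1996-11-26 10:04:09 DENY udp 192.0.2.12:1052 -> 198.51.100.53:53
1996-11-26 10:04:15 DENY udp 192.0.2.12:1053 -> 198.51.100.53:53
1996-11-26 10:05:30 DENY tcp 198.51.100.200:40000 -> 192.0.2.7:80
"""

# Hypothetical line layout: "<date> <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INSIDE_PREFIX = "192.0.2."   # hypothetical LAN address range


def parse(log_text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def inbound_scanners(events, min_ports=3):
    """Outside sources denied against several distinct inside ports: someone
    probing for services the firewall is hiding."""
    ports = defaultdict(set)
    for e in events:
        if (e["action"] == "DENY"
                and not e["src"].startswith(INSIDE_PREFIX)
                and e["dst"].startswith(INSIDE_PREFIX)):
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def blocked_insiders(events, min_count=3):
    """Inside hosts repeatedly denied outbound to the same service: the
    user-problem side of the log, usually a rule that is too tight."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "DENY" and e["src"].startswith(INSIDE_PREFIX):
            counts[(e["src"], e["dst"], e["dport"])] += 1
    return {k: n for k, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("probes from outside:", inbound_scanners(events))
    print("inside hosts blocked repeatedly:", blocked_insiders(events))
```

On the constructed log the first report names 203.0.113.9, which was denied against five different inside ports in two seconds, and the second names 192.0.2.12, whose DNS queries to 198.51.100.53 are being dropped three times in a row, a sign the rule set is blocking something the user legitimately needs.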

How does a typical firewall work?
An Internet firewall sits between the Internet and the local network.

Filtering Firewalls
One type of firewall is a filter. A router with packet filtering is a simple version of a filtering firewall. Filtering firewalls require that every packet pass through the firewall device. On the way through, the filtering firewall examines each packet to determine whether it is proper or whether it violates the security policy.

Although this scheme seems simple enough, many protocols ride on IP packets, and what a packet is doing, or why it is there, is often not evident from the packet alone. Blocking all such packets cripples access to the Internet.

The simplest filters, such as those found in routers, limit the permitted connections to specified clients connecting to specified servers. Just maintaining a list of these connections is monstrous even in a modest-sized local area network.

Another problem arises because the variety of protocols required by popular browsing programs such as Mosaic, Netscape Navigator, and WinWeb makes such a list of questionable value. The browsers often use UDP datagrams rather than TCP connections for some of their internal operations, as services like Archie and WAIS do.

Two systems exchanging UDP datagrams do not first set up a connection the way TCP clients and servers do. Therefore a datagram's history is not evident from the datagram itself, and a simple filter cannot tell a genuine reply to an inside request from an unsolicited packet that merely claims to be one.

This problem has been tackled by filtering firewalls of considerable complexity. These firewalls are very expensive and run on very expensive computers. However, they do work.

They work by tracking every user and knowing every permitted application. They follow the course of that application and scrutinize every packet to see whether it follows the rules programmed into the firewall.

There are many rules, and they must be written and installed by hand by the administrator. The firewall filter checks the rules for every packet. Only a very fast computer can make these checks for every single packet without significant deterioration in performance.
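The difference between a simple router-style filter and one that "follows the course of the application", as described in the paragraphs above, is shown by this added example, which is not code from the original page or from any product it mentions. The addresses (documentation ranges), the rules and the packets are constructed; the point is that a stateless filter must admit anything that looks like a reply, while a filter that remembers what the inside hosts asked for can reject a forged "reply" it never saw a request for.

```python
from dataclasses import dataclass

# Constructed example data: hypothetical LAN prefix, upstream resolver and
# traffic. None of these addresses belong to a real installation.
INSIDE_PREFIX = "192.0.2."
DNS_SERVER = "198.51.100.53"


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; ignored for UDP


def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def stateless_allow(p: Packet) -> bool:
    """Router-style filter: every packet is judged on its own header.
    Rules: anything outbound; inbound TCP with ACK set (assumed to belong to
    an already established connection); inbound UDP from port 53 (assumed to
    be a DNS reply). Nothing here can tell a real reply from a forged one."""
    if inside(p.src) and not inside(p.dst):
        return True
    if not inside(p.src) and inside(p.dst):
        if p.proto == "tcp" and p.ack:
            return True
        if p.proto == "udp" and p.sport == 53:
            return True
    return False


class StatefulFilter:
    """Remembers outbound flows and admits inbound traffic only as a reply
    to one of them: the 'follow the course of the application' approach."""

    def __init__(self):
        # (proto, inside addr, inside port, outside addr, outside port)
        self.flows = set()

    def allow(self, p: Packet) -> bool:
        if inside(p.src) and not inside(p.dst):
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if not inside(p.src) and inside(p.dst):
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            if key in self.flows:
                if p.proto == "udp":
                    self.flows.discard(key)  # one request, one reply
                return True
        return False


# Constructed traffic: a real DNS query and its reply, then two forgeries
# that satisfy the stateless rules without matching any inside request.
QUERY = Packet("udp", "192.0.2.7", 40001, DNS_SERVER, 53)
REPLY = Packet("udp", DNS_SERVER, 53, "192.0.2.7", 40001)
FORGED_UDP = Packet("udp", "203.0.113.9", 53, "192.0.2.7", 2049)            # "from port 53" at an NFS port
FORGED_ACK = Packet("tcp", "203.0.113.9", 20, "192.0.2.7", 6000, ack=True)  # ACK-only probe at an X11 port
TRAFFIC = [QUERY, REPLY, FORGED_UDP, FORGED_ACK]


def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]


def stateless_verdicts():
    return run(stateless_allow, TRAFFIC)          # [True, True, True, True]


def stateful_verdicts():
    return run(StatefulFilter().allow, TRAFFIC)   # [True, True, False, False]


if __name__ == "__main__":
    for p, a, b in zip(TRAFFIC, stateless_verdicts(), stateful_verdicts()):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  stateless={a} stateful={b}")
```

The stateful version is also what makes the rule list manageable: the administrator states which inside clients may talk to which outside services, and the replies take care of themselves, which is the "list of connections" problem of the earlier paragraph in a different form.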

Proxy Firewalls
Proxy application firewalls sit between the Internet and the local network and do the Internet work on the local network's behalf. Proxy application firewalls do not allow any IP packets from the Internet to show up on the local IP network.

Typically, in such installations, there is no interconnection at all between the local network and the Internet except for the proxy machine which sits alone, connected to the Internet, and runs the user's desired applications.

A proxy application firewall must be taught each application that local network users wish to run on the Internet. Since no IP packets can travel from the Internet to the local network, the intruders have a very hard time invading the local network.

However, since the proxy application firewall must be taught each application, it may be very limited in the applications it can support. New applications may not be introduced to LAN users on a timely basis, or without significant effort and expertise.

Breaking through firewalls: The latest scourge "Protocol Spoofing"
Protocol spoofing (more commonly called IP address spoofing), a technique used by a group of hackers in early 1995, has received wide attention in the news media and has caused havoc in some prominent systems.

It is a bit complicated, but worth a summary, since it shows why a firewall that seemed safe because it barred only certain traffic from entering your IP network was defeated by a technique that had not been imagined and against which defenses were not typically established.

Protocol spoofing is a technique made possible because of the more relaxed, less disciplined protective structures that are often in place in large corporate intranets.

The problem demonstrates both sides of security: the more complex the security is, the more secure it can be; but the more troublesome it becomes to go about your normal work.

Using an extensive, complex security system involving a large assembly of computers is like having to carry a large ring of keys for each door in a building. However, in most establishments, after passing through the front door, checks are relaxed, and access is granted to most internal places within the building. You're trusted once you are on the inside.

In TCP/IP, a host identifies its peer by IP address. Large, multi-computer installations tend to trust IP addresses from within the same group, especially those of machines whose users have already logged onto one of the other internal machines. Demands for further identification, such as passwords, are often relaxed once access from a trusted address is established.

Spoofing, or faking, a source IP address is easy to do, but using that address is not so easy, because a TCP connection does not carry any data until the three-way handshake between the participating stations has completed.

The address-faker will not receive any responses from the target machine. The Internet never returns a packet to the sender merely because he sent it; it routes the return packets only to the address the packet claims to come from, the REAL addressee. This effectively prevents the address-faker from simply telling the target machine "send me this file."

Successful spoofers anticipate the target machine's predictable responses, above all the initial sequence number it will put in its reply, and so can carry on a seemingly protocol-compliant dialog without ever seeing it. (The impersonated host must not answer the target's unexpected reply with a reset, which is why such attacks are combined with flooding that host; see the CERT advisory on SYN flooding and IP spoofing cited at the end of this page.) Eventually the spoofers command events to occur that forge trust for their real address, for example by adding it to the target's list of trusted hosts. After that, the fox is in the henhouse.
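The blind handshake just described is shown below as an added simulation; it is not code from the original page and does not reproduce any real attack tool. Everything is constructed: the addresses come from the documentation ranges, the target is a toy TCP responder that only checks the acknowledgement number, the "predictable" sequence-number generator simply adds a constant per connection (the step value is hypothetical), and the trusted host is assumed to have been silenced so that it sends no reset. The attacker never sees the target's reply; it succeeds or fails purely on whether the initial sequence number can be guessed.

```python
import random

# Constructed placeholders; no real hosts are involved.
TRUSTED = "192.0.2.20"    # host the target trusts by IP address alone
ATTACKER = "203.0.113.5"  # the spoofer's real address


class Target:
    """Toy TCP responder. It chooses an initial sequence number (ISN) for
    each SYN, and accepts the final ACK only if it acknowledges ISN+1.
    Hosts in `trusted` may run commands with no further identification."""

    def __init__(self, isn_gen, trusted):
        self.isn_gen = isn_gen
        self.trusted = trusted
        self.half_open = {}      # source address -> ISN we chose for it
        self.established = set()

    def on_syn(self, src):
        isn = self.isn_gen()
        self.half_open[src] = isn
        return isn  # the SYN-ACK carries this, and goes to `src`, not to the spoofer

    def on_ack(self, src, ack_num):
        isn = self.half_open.pop(src, None)
        if isn is not None and ack_num == isn + 1:
            self.established.add(src)
            return True
        return False

    def run_command(self, src):
        return src in self.established and src in self.trusted


def sequential_isn(step=128000):
    """Hypothetical predictable generator: each connection gets the previous
    ISN plus a fixed step, so one observed value reveals the next."""
    state = {"isn": 1_000_000}

    def gen():
        state["isn"] = (state["isn"] + step) & 0xFFFFFFFF
        return state["isn"]
    return gen


def random_isn(seed=1):
    """Unpredictable generator: a fresh 32-bit value per connection."""
    rng = random.Random(seed)  # seeded only so the demonstration is repeatable
    return lambda: rng.getrandbits(32)


def blind_spoof(target, step_guess):
    """The attack from the text: sample, impersonate, guess, command."""
    # 1. Probe from the real address: this SYN-ACK the attacker does see.
    observed = target.on_syn(ATTACKER)
    target.half_open.pop(ATTACKER, None)   # attacker abandons the probe
    # 2. SYN with the trusted host's address. The SYN-ACK goes to TRUSTED,
    #    which is assumed silenced, so the attacker learns nothing from it.
    target.on_syn(TRUSTED)
    # 3. ACK with the predicted ISN. No packet ever came back to the attacker.
    guessed_isn = (observed + step_guess) & 0xFFFFFFFF
    target.on_ack(TRUSTED, guessed_isn + 1)
    # 4. If the guess was right the target now believes TRUSTED is talking.
    return target.run_command(TRUSTED)


def spoof_against_predictable_isn():
    return blind_spoof(Target(sequential_isn(), {TRUSTED}), step_guess=128000)


def spoof_against_random_isn():
    # Same guess strategy; with a random ISN it succeeds with probability 2**-32.
    return blind_spoof(Target(random_isn(), {TRUSTED}), step_guess=128000)


if __name__ == "__main__":
    print("predictable ISN, spoof succeeds:", spoof_against_predictable_isn())
    print("random ISN, spoof succeeds:     ", spoof_against_random_isn())
```

Two defenses follow directly from the simulation: an unpredictable initial sequence number removes the attacker's step 3, and a border filter that drops packets arriving from the Internet with an inside source address removes step 2, since the forged SYN claims to come from a machine that is not on the Internet side at all.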

Instant Internet: Security by means of total IP blocking
If a system were designed to protect a company against letter bombs, the xray machines and bomb-detecting sniffers could not possibly guarantee that a letter bomb would never come into the building.

However, protection could be guaranteed if every incoming letter were accepted only by facsimile machine!

That is, the original material is never allowed into the building, only the data itself makes it to the final destination, in this case, as a fax page.

Instant Internet works in much the same way. The IP packets from the Internet never pass beyond the TCP/IP firewall of the Instant Internet device.

With Instant Internet installed, only information requested by a LAN workstation is allowed in, and only the information itself is allowed onto the LAN cables. The Internet's IP packets are never placed on the LAN. The information is carried instead on a different protocol, IPX, which is not routed across the Internet and which is already installed on your company network.

On the Internet side, a single-purpose program drives a single-purpose TCP/IP interface. No other program has access to the TCP/IP stack. Unlike UNIX, Windows NT, and other general-purpose multi-programming platforms, the Instant Internet serves only one purpose, and its program code is held in hardware and cannot be altered via TCP/IP. What remains exposed to the Internet is that one fixed stack and program, so the protection rests on their correctness rather than on the hardening of a general-purpose operating system.

With Instant Internet, there is nothing on the Internet side to take control of and nothing whose configuration can be changed from the Internet. Everything on the Internet side is fixed.

Instant Internet satisfies the design requirements for secure access to the Internet. It demonstrates a simple, well-understood mechanism to assure protection from outside access.

What if I already have IP on my LAN?
Many networks already have TCP/IP stacks loaded for various applications, and such LANs may even use unregistered IP addresses. In the past, if a LAN running IP wanted access to the Internet, the network administrator had to install a large firewall, register a domain name, and acquire properly assigned, legal IP addresses. Such an effort is not only extremely time consuming but also very expensive.

By contrast, Instant Internet lets workstations reach the Internet over IPX even if TCP/IP is already installed on the LAN. While IP continues to run on the LAN, IP traffic from the Internet is stopped at the Instant Internet device, and the requested data is converted to IPX packets before being transmitted on the LAN.

All incoming Internet packets stop at the Instant Internet, so outsiders cannot penetrate the firewall or gain access to the LAN. Instant Internet isolates the local IP LAN, including its IP addresses and configuration, from outside access. No change to the local network is required in order to use Instant Internet.

You may contact sales@dgl.com directly or if you would like more information, complete the information request form.


CERT Advisory CA-96.21 TCP SYN Flooding and IP Spoofing Attacks


Damar Group, Ltd.
PMB 616
6030-M Marshalee Dr
Elkridge, MD 21075-5987 USA
voice 1.888.290.6200
voice 410.567.5366
fax 801.650.0423
WebPhone: info@dgl.com

http://dgl.com/docs/iisec.html
updated November 26, 1996

Copyright © 1996, Damar Group, Ltd., All Rights Reserved