[ISN] Burned by Firewalls

From: mea culpa <jericho_at_dimensional.com>
Date: Wed 23 Sep 1998 - 11:03:35 CDT
Forwarded From: rio <rio@dimensional.com>

http://www.cnn.com/TECH/computing/9809/22/fireburns.idg/


Burned by firewalls
September 22, 1998                   
Web posted at 4:50 PM EDT
by Ellen Messmer

(IDG) -- Firewalls do a darn good job of keeping hackers out of your
network - maybe too good of a job.  Increasingly, customers are finding
that firewalls are blocking legitimate traffic and are keeping end users
from accessing key applications. 

But firewall suppliers are having a tough time keeping up with the demand
for new capabilities. One challenge is that the growth of remote access
and electronic commerce has boosted the number of people trying to get
into a network. 

In addition, those inside the firewall are looking to interact more with
the outside world through technologies such as Internet telephony,
audiostreaming, and multimedia conferencing. They also want workgroup or
database access. 

"We were only allowing e-mail through our firewall, but then we wanted to
do pcAnywhere access out of our office," says Brian Davids, director of
computer operations and information services at Los Angeles-based NFL
Properties, which publishes game programs and other literature for the
National Football League. A Symantec product, pcAnywhere lets users access
their desktops remotely via a modem or the Internet. 

NFL Properties uses a firewall from Elron Software, which doesn't come
with out-of-the-box support for pcAnywhere, though the company does
support more than 75 different applications.  However, Elron technicians
helped NFL Properties open a port for pcAnywhere, essentially bypassing
the firewall's advanced filtering. But at the same time, the technicians
told Davids that NFL Properties was opening itself to a greater security
risk.  "Security experts all tell you that opening up a firewall is a
potential hazard," Davids says.  "You give someone a hole to hack in."
After thinking about it for a while, Davids decided to close the hole. "I
keep thinking that with the pcAnywhere application, anyone might be able
to get control of our machines," he says. "You have to try and
accommodate the users as best you can. But in this case, it seemed too
dangerous." 

Other users have taken the port approach. Community Credit Union of Plano,
Texas, opened a port on its Novell BorderManager firewall to let Lotus
Notes through. 

"We wanted to offer this functionality to select employees," says John
Bock, Community Credit Union senior vice president and chief information
officer. Novell's BorderManager supports only a handful of applications,
including: HTTP, File Transfer Protocol (FTP), Gopher and the Internet
videoconferencing application, CU-SeeMe. 

Neither Novell nor Elron has tool kits or other means to extend the
firewall's application support. Nor does Cisco, which sells two firewalls
- the IOS firewall and PIX - which support about 20 applications and
network-address translation. 

Three types of firewalls

Firewalls generally can be divided into three types. The simplest is the
packet filter, set up to allow or disallow packets through the firewall
based on IP address. The second type is the application-layer firewall,
which is proxy-based and directs each application to a specific proxy on
the firewall to examine the traffic and check for source and destination
address. The third type of firewall is known as stateful inspection, and
it intercepts packets like a packet filter but also inspects all the
communications layers to make sure they comply with a security policy. 
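As an added illustration (not part of the article), here is a toy Python model of the first and third firewall types just described: the packet filter decides on source address alone, so any packet from a permitted address gets in, whereas the stateful inspector admits outside traffic only when it matches a connection an inside host already opened. The addresses, ports and flow-table layout are constructed assumptions, and the application-layer proxy type is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN: opens a connection
    ack: bool = False  # TCP ACK: acknowledges an existing exchange

class PacketFilter:
    """Type 1 in the article: decide purely on the packet's source address."""
    def __init__(self, allowed_src):
        self.allowed_src = set(allowed_src)
    def permit(self, pkt):
        return pkt.src in self.allowed_src

class StatefulInspector:
    """Type 3 in the article: remember connections opened from inside and
    admit an outside packet only when it belongs to one of them."""
    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix  # constructed, e.g. "10.0.0."
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)
    def permit(self, pkt):
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_in = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src.startswith(self.inside_prefix):
            if pkt.syn and not pkt.ack:      # new outbound connection: record it
                self.table.add(key_out)
                return True
            return key_out in self.table      # continuation of a known flow
        return key_in in self.table           # inbound: must match a known flow

def demo():
    """Constructed traffic: one web session opened from inside, plus one
    unsolicited inbound packet from the same (permitted) outside host."""
    inside, outside = "10.0.0.7", "203.0.113.5"   # constructed addresses
    pf = PacketFilter(allowed_src=[outside])
    si = StatefulInspector(inside_prefix="10.0.0.")
    outbound = Packet(inside, outside, 40000, 80, syn=True)
    reply = Packet(outside, inside, 80, 40000, syn=True, ack=True)
    unsolicited = Packet(outside, inside, 51000, 5000, syn=True)
    si.permit(outbound)  # the inside host opens the session first
    return {
        "filter_reply": pf.permit(reply), "filter_unsolicited": pf.permit(unsolicited),
        "stateful_reply": si.permit(reply), "stateful_unsolicited": si.permit(unsolicited),
    }
```

The packet filter passes both packets because they share a permitted source address; only the stateful inspector rejects the one that no inside host asked for.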

A debate is raging among firewall vendors over the merits of
application-layer proxies vs. stateful inspection.  Regardless of which a
corporation uses, however, the firewall administrator still faces the
basic problem of what to do if the firewall doesn't support a desired
application. 

The simplest solution is punching a hole through the firewall by opening a
port. Some ports are assigned for specific applications by the Internet
Engineering Task Force's Internet Assigned Numbers Authority, while others
are designated as random ports for random use. 

Punching a hole through a firewall poses a risk because "every time you
open a communications channel, someone can use this channel for covert
activities," says Fred Avolio, a security consultant based in Lisbon, Md.
"Any kind of database access to a firewall needs close scrutiny." 

According to Bob Blakley, IBM's lead security architect, users need to
form a risk-acceptance policy when they open firewalls to new incoming
applications. 

"If you have a battle between the firewall administrator and the users to
let any old flaky protocol through the firewall, the protocol might
represent a hazard," Blakley says. In his view, the flakiest thing of all
might be Microsoft's ActiveX. 

"Allowing ActiveX through your firewall is definitely punching a hole in
your firewall," Blakley says. "It can be used to control your machines
from the outside. You can try to put a proxy in your firewall to scavenge
the datastream, look at the ActiveX controls and kill off the bad ones.
But in general, it's hard to tell the good ActiveX controls from the bad
ones." 

Extending the firewall

Not long ago, firewalls supported only a handful of standard applications,
such as FTP, Simple Mail Transfer Protocol, telnet and the World Wide Web.
As users asked for Oracle and Microsoft database support, or pointed to
new proprietary voice- or data-conferencing products they wanted to use,
some firewall vendors upgraded their products. For instance, many firewall
vendors now support Progressive Networks' streaming protocols RealAudio
and RealVideo. 

"The hot requirements now are IP telephony, fax and the conferencing
protocols H.323 and T.120," says Ray Suarez, product marketing manager at
Axent Technologies, which sells the Raptor firewall. Axent is also hearing
demands that its firewall support a proprietary voice and fax product from
Clarent. 

One vendor, Check Point Technologies, went gung-ho with its Firewall-1
product by supporting almost 300 applications, including several security
services from Security Dynamics and Axent. 

But there's always some unique or cutting-edge application not supported
by any firewall. Because opening a port is considered a bit risky, a few
firewall vendors offer tool kits and similar means to let the user prepare
a custom proxy for an application-layer firewall or stateful inspection
custom code. Check Point has what it calls Inspect, a high-level language
to do this. 

And Network Associates, which markets Trusted Information Systems'
Gauntlet firewall, a product gained when Network Associates acquired the
company, soon plans to release a proxy development tool kit. At present,
the tool kit is used internally at Network Associates by a software-design
team service that builds custom proxies for users by assignment. 

A recent custom project involved designing a proxy for the Internet
Inter-ORB Protocol (IIOP), the data-exchange mechanism defined in the
Common Object Request Broker Architecture. Using this new proxy,
IIOP-based applications can be filtered through the Gauntlet firewall. 

According to Gauntlet Product Manager Marvin Dickerson, such custom proxy
work, depending on its relative difficulty, can cost "a few thousand
dollars to several hundred thousand dollars." 

"Any time we do a custom project, we reserve the right to put the
developed code into a general product," adds Jeff Graham, Network
Associates senior architect for firewall technology. This is the way
custom work becomes generally available. 

Network Associates is also changing its underlying firewall architecture
to what it calls "adaptive proxy,"  described as a way to allow protocols
through the firewall based on the network layer or the application layer,
while screening the protocols for viruses, URLs or other parameters. 

"All the proxies we write will work like this," Graham says. 

Pete Vogel, managing director at New York consultancy Outlink Market
Research, says Network Associates' firewall tool kit will be a significant
help. 

"Applications and certificate services all have to work through the
firewall, and by opening up the way you make custom proxies, you make the
firewall product easier to install and maintain," Vogel says. 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed Sep 23 13:15:39 1998