[ Go to October 1997 Table of Contents ]

NT Enterprise
NT Feature
Standing Guard
Internet firewalls can protect your corporate kingdom from high-tech attacks. The trick is finding the right one.

-- by David Hafke and Amy Helen Johnson

Whether you manage a sprawling enterprise network or a PC workgroup, Windows NT Server 4.0 and its bundled Internet server are an ideal combination for putting your business on the Web. But before you take the Internet plunge, give careful consideration to firewall technology. Without it, your network could go down in flames.

A firewall is specialized security software (typically for NT, UNIX or a proprietary hardware box) that serves as a border guard between two or more networks. The firewall scans data as it attempts to move between networks, such as the Internet and your private NT network, or two subnets within your intranet. If the data lacks approved access rights, the firewall denies the connection request.

Generally, a firewall has one external and two internal network interfaces. The external interface links the firewall to a T1 line that, in turn, leads to the Internet. The first internal interface, usually an Ethernet adapter card, leads to PCs, workstations and servers on a private network. This connection typically offers only outbound Web access, thereby protecting PC users from probing eyes on the Internet.

The second internal Ethernet interface ties the firewall to a secured area known as the Demilitarized Zone (DMZ). The DMZ typically includes Web servers that are protected from Internet hackers. When a network administrator opens selected ports on this internal interface, external users can access only selected services within a DMZ. For instance, by opening port 80, external Internet users can pass through the firewall and access only HTTP services from the DMZ's Web server.

During the last 18 months or so, according to International Data Corp. (IDC) of Framingham, Mass., fierce competition has pushed the average firewall price down more than 50 percent to $6,000, although some advanced firewalls still cost $15,000 or more.

Check Point Software commands 35 percent of the firewall market, followed by Cisco Systems and Trusted Information Systems (8 percent each), Raptor Systems (7 percent), Secure Computing (5 percent), IBM (3 percent) and a host of other players. Even Microsoft is jumping into the firewall market with Proxy Server 2.0, which includes IP filtering capabilities and, when coupled with Microsoft's Routing and Remote Access Service for NT 4.0, can create secure virtual private networks (see sidebar "Microsoft's Internet Combo").

Three means of protection

For the sake of comparison, the National Computer Security Association (NCSA, an independent organization in Carlisle, Pa., that certifies firewall gear) lumps firewalls into one of three categories: packet filter firewalls, application-level servers, and stateful inspection firewalls.

A packet filter firewall, as its name implies, inspects the contents of an IP packet. Each IP packet has a header containing a source address and destination address, among other things. A packet filter examines data passing to and from a network, and can block access according to data type, source and destination address, and other factors. An administrator configures the firewall to admit or refuse particular types of data or addresses and to grant permissions, which can be a tedious and time-consuming job.

Packet filters typically are based on router hardware from the likes of Cisco Systems, and are therefore very fast. On the downside, routers can be difficult to manage. Even worse, hackers occasionally penetrate entry-level packet filters using a technique called IP spoofing. This involves altering an IP packet originating from the Internet so that it's disguised as an internal packet. That is, the firewall thinks the packet has an internal, rather than external, source address and therefore grants it network access.
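The following is an added illustration, not code from the article or from any vendor named in it. It models the three-interface layout described earlier (external T1 link, private LAN, DMZ) as a simple first-match packet filter, and shows why the order of rules matters for the IP spoofing problem just described: a ruleset that trusts any packet carrying an internal source address lets a forged packet through on the external interface, while the same policy with an anti-spoofing rule placed first rejects it. The address ranges, interface names and sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan for the example (assumed, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # private LAN behind "int"
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")       # Web servers behind "dmz"


@dataclass
class Packet:
    iface: str    # interface the packet arrived on: "ext", "int" or "dmz"
    src: str      # source IP address from the packet header
    dst: str      # destination IP address from the packet header
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    iface: Optional[str] = None                  # None means "any"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Ruleset that trusts any packet claiming an internal source address,
# no matter which interface it arrived on. This is the spoofable policy.
NAIVE_RULES = [
    Rule("allow", src=INTERNAL_NET),
    Rule("allow", iface="ext", dst=DMZ_NET, proto="tcp", dport=80),   # "open port 80"
]

# Same policy with anti-spoofing rules first: an internal or DMZ source
# address can never legitimately arrive on the external interface.
HARDENED_RULES = [
    Rule("deny", iface="ext", src=INTERNAL_NET),
    Rule("deny", iface="ext", src=DMZ_NET),
    Rule("allow", src=INTERNAL_NET),
    Rule("allow", iface="ext", dst=DMZ_NET, proto="tcp", dport=80),
]

# Constructed sample packets.
SPOOFED = Packet("ext", "10.1.5.5", "10.1.0.10", "tcp", 23)        # forged internal source
WEB = Packet("ext", "203.0.113.7", "192.0.2.80", "tcp", 80)        # HTTP to the DMZ Web server
TELNET_DMZ = Packet("ext", "203.0.113.7", "192.0.2.80", "tcp", 23) # non-HTTP to the DMZ
OUTBOUND = Packet("int", "10.1.0.10", "203.0.113.7", "tcp", 80)    # LAN user browsing out


if __name__ == "__main__":
    for name, p in [("spoofed", SPOOFED), ("web", WEB),
                    ("telnet_dmz", TELNET_DMZ), ("outbound", OUTBOUND)]:
        print(f"{name:10s} naive={filter_packet(NAIVE_RULES, p):5s} "
              f"hardened={filter_packet(HARDENED_RULES, p)}")
```

The interface a packet arrives on is information the packet itself cannot forge, which is why the anti-spoofing rule keys on it rather than on the header alone; the same check appears in router access lists as a "deny inbound packets with our own addresses" entry at the top of the list.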

Application protection

An application-level server, also known as a proxy server, won't fall prey to IP spoofing. While basic packet filters scan an IP packet's source and destination addresses, a proxy server sets up Internet connections (such as Telnet, FTP or X Windows) by examining application-layer protocol information. It also inspects user names, passwords, IP addresses, URL information and domain names. Microsoft, Netscape Communications and Oracle are among the industry heavyweights vying for your proxy server business.

Proxy servers can manage inbound and outbound traffic. For outbound traffic, the process goes something like this: First, a proxy server intercepts an internal user's request for an Internet connection. Next, it examines the request to make sure it's allowed (based on URL, IP address or other parameters previously mentioned). If the request is validated, the proxy server creates the Internet connection using itself, rather than the internal user, as the originator. Any return data is sent to the proxy server, which then hands it over to the user. This ensures that internal IP addresses and passwords are never passed over the Internet.

Stateful inspection servers

For the very latest in firewalls, check out a stateful inspection server. Internet experts consider this class of firewall incredibly secure because it intercepts packets at the network layer of the Open Systems Interconnection (OSI) reference model.

Many vendors offer stateful inspection firewalls, but the technology was first developed and patented by Check Point Software. Check Point's Firewall-1, a stateful inspection solution, examines the network layer to either accept, reject, authenticate or encrypt the requested communication. It also ensures that incoming packets have been requested by internal users, and supports numerous Internet protocols, including TCP, User Datagram Protocol (UDP) and Remote Procedure Call (RPC). Routers and proxy servers typically don't support UDP or RPC.

Firewall-1 also supports address translation, a key benefit first offered in proxy servers. Address translation hides the IP addresses of all private systems. If you can't see a system, hacking it is difficult. Typically, all protected systems are identified as the IP address of the external interface on the firewall. So the only system that a hacker can attack is the firewall (which should be the most impenetrable system anyway).
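To make the two ideas in the preceding paragraphs concrete, here is an added example (not Check Point's code or any description of how Firewall-1 is implemented) of a minimal stateful firewall with address translation. An outbound connection from the private network creates an entry in a state table and is rewritten to appear to come from the firewall's external address; an inbound packet is admitted only if it answers an entry in that table, from the same remote host and port the internal user contacted. Anything unsolicited, including a packet addressed directly to a private address, is dropped. It works the same way for TCP and UDP flows, which is the point of tracking state rather than relying on protocol flags. All addresses and ports are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# A flow is identified by (proto, src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Tracks outbound connections and translates their source to the
    firewall's external address, so only replies to those connections get in."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip        # address of the external interface
        self.next_port = first_port           # next free translated source port
        # inside view -> translated port, and translated port -> inside view
        self.by_inside: Dict[Flow, int] = {}
        self.by_ext: Dict[Tuple[str, int], Flow] = {}

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Flow:
        """Internal user opens a connection: record it and rewrite the source."""
        flow: Flow = (proto, src, sport, dst, dport)
        ext_port = self.by_inside.get(flow)
        if ext_port is None:                  # new flow: allocate a translated port
            ext_port = self.next_port
            self.next_port += 1
            self.by_inside[flow] = ext_port
            self.by_ext[(proto, ext_port)] = flow
        # What the Internet sees: the firewall's own address, never the user's.
        return (proto, self.external_ip, ext_port, dst, dport)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Packet from the Internet: admit and untranslate only if it answers
        a connection an internal user opened; otherwise return None (drop)."""
        if dst != self.external_ip:
            return None                        # private addresses are never reachable directly
        entry = self.by_ext.get((proto, dport))
        if entry is None:
            return None                        # no internal user asked for this
        _, inside_ip, inside_port, remote_ip, remote_port = entry
        if (src, sport) != (remote_ip, remote_port):
            return None                        # right port, wrong peer: unsolicited
        return (proto, src, sport, inside_ip, inside_port)

    def close(self, proto: str, src: str, sport: int, dst: str, dport: int) -> None:
        """Forget a flow once it ends so its translated port cannot be reused by a stranger."""
        flow: Flow = (proto, src, sport, dst, dport)
        ext_port = self.by_inside.pop(flow, None)
        if ext_port is not None:
            del self.by_ext[(proto, ext_port)]


if __name__ == "__main__":
    fw = StatefulFirewall("198.51.100.1")     # constructed external address
    print("out :", fw.outbound("tcp", "10.1.0.20", 51000, "203.0.113.80", 80))
    print("in  :", fw.inbound("tcp", "203.0.113.80", 80, "198.51.100.1", 40000))
    print("scan:", fw.inbound("tcp", "203.0.113.9", 4444, "198.51.100.1", 40000))
    print("direct:", fw.inbound("tcp", "203.0.113.80", 80, "10.1.0.20", 51000))
```

The `close` method matters in practice: real products expire table entries on connection teardown or after an idle timeout, because a stale entry is a standing hole that admits traffic nobody inside is expecting.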

Common vulnerabilities

Once you've chosen a firewall, it's important to configure it correctly and test it thoroughly. This is where security analysis programs, like Internet Security Systems' Internet Scanner, come into play (see "Hack Yourself" sidebar).

As you examine your firewall installation, keep some of these common configuration flaws and security holes in mind:

Common gateway interface: It's possible to extract passwords and hack a network using a CGI's Packet Handling Function (PHF) program, which helps inexperienced programmers write CGI code. Simply delete the PHF program, which experienced CGI developers don't need anyway, to ensure CGI security.

Default accounts: Never leave default accounts and default passwords installed on your firewall, its underlying operating system or your Web servers. Whenever possible, delete the guest account and rename the administrator account.

Dual-purpose servers: Be extremely cautious about using a server for two different services, especially if one service connects to the outside world. A classic mistake is to put your e-mail gateway on the same machine as an internal application server. An attacker who gets in through the mail service may have access to sensitive data or another path onto your network.

Modems: Instead of attacking a firewall, hackers may try to circumvent it by accessing your network via modems that are linked to your PCs or servers. Utilities called "war" dialers systematically dial phone numbers searching for modems on the other end.

Ports and protocols: Turn off any services, ports or protocols that you don't need.

Remote access: Build virtual private networks (VPNs) to secure any connections between your corporate network and branch offices or home offices. A VPN is an encrypted link between two or more firewalls.

Internet viruses: McAfee, Symantec and other companies now make antivirus software that works in conjunction with firewalls, which don't filter viruses on their own.

Continued vigilance

Once you've installed, configured and tested your firewall, review and revise your security system whenever necessary. The moment you let your guard down, your network could be at risk.


Windows Magazine, October 1997, page NT14.
