Firewalls – Do They Work?

Matthew Francis

BSc L3 Computer Science

Word Count = 9996

Identification

Abstract

1 Introduction

1.1 Background

1.1.1 The Internet and its Risks

1.1.2 How Firewalls are Used

1.1.3 Changing Times

1.1.4 Getting Fed Up

1.2 Review of Literature Used

2 Discussion

2.1 Firewall Protection

2.1.1 What Can They Protect Against?

2.1.2 What Can’t They Protect Against?

2.1.3 Attacks From Within

2.1.4 Circumventing Firewalls

2.1.5 Wireless LAN’s

2.1.6 Denial Of Service Attacks and Firewalls

2.1.7 Firewalls and VPN’s

2.1.8 Other Firewall Uses

2.1.9 Famous Hacks

2.2 Firewall Design

2.2.1 Configuration and its Effectiveness

2.2.2 Firewalls and Intrusion Detection Systems

2.2.3 Personal Firewalls

2.2.4 Application Layer Security

2.3 Future Firewall Design

2.3.1 Artificially Intelligent Firewalls

2.3.2 Distributed Firewalls

3 Conclusion

Acknowledgements

Bibliography

Appendix

Abstract

Firewalls – Do They Work?

Matthew J. Francis

Firewalls are often put in place as the only line of defence against the Internet and the internal network. As the amount of hacking activity on the Internet is increasing, relying so heavily on just one mechanism for protection doesn’t always give you the security you need. Although a well-configured firewall can be very secure, ideally additional layers of protection such as an IDS system are needed, and greater security can be accomplished by installing newer Artificially Intelligent firewalls or Distributed firewalls in place of the standard network firewall.

1 Introduction

Nations without controlled borders cannot ensure the security and safety of their citizens, nor can they prevent piracy and theft. Networks without controlled access cannot ensure the security or privacy of stored data, nor can they keep network resources from being exploited by hackers.

(Anon 2001a)

As more and more companies are relying on the internet for their business it is becoming increasingly important to protect these systems.

Prior to the Internet, the only widely available way for a hacker to connect from home to a private network was direct dialling with modems and the public telephone system. Remote access security was a relatively small issue.

In my dissertation I’ll be looking at what benefits there are from installing a Firewall, what they are capable of and what they cannot protect against. I’ll also be researching methods of circumventing them and discussing how and why computers get compromised even though they are protected by a firewall. Different ways of implementing and configuring them and how this changes their effectiveness will be investigated. Examples will be given of what can happen when Firewalls fail and the consequences thereof. A section of my dissertation will look at how most attacks occur from within an organisation by its own employees and how current firewalls are more or less useless to prevent this. My dissertation will include a section on complementing a Firewall with an Intrusion Detection System and discussing the benefits this brings. I’ll look at the newer ‘Personal Firewalls’ which have recently been developed, and I’ll be investigating the feasibility of developing artificially intelligent firewalls. Finally I’ll be discussing how Firewall design is likely to change in the future and what benefits this will bring to the on-line community as a whole.

1.1 Background

1.1.1 The Internet and its Risks

The internet, like any other society, is full of people who would rather cause mischief and problems to others. The more society relies upon the internet the greater potential for problems.

Living dangerously on the Internet. Users seem to be jumping on the Internet without security or simply staying away to avoid risk, according to a survey of 95 security managers conducted at the Computer Security Institute Conference by Security Dynamics. About four fifths of those surveyed felt that unauthorized access via the Internet was a risk, but 55% said they didn't have Internet Security. One third said that the risk will prevent their organizations from expanding Internet access. More managers (an increase of 11% on the previous year) reported that their organizations suffered an increased security risk. Almost 50% of those surveyed said their networks had experienced unauthorized access and 11% reported 'significant' financial loss.

(Anon 1994)

Although the article was published in 1994 its still quite unbelievable that 55% of companies didn’t have any Internet Security. Which is probably why the 50% experienced unauthorised access. It is often the case that companies don’t report security breeches because they don’t want their share holders and customers to lose trust in them. The loss of trust could cost them more than the attack and because of this it is very hard to build an accurate picture of how many attacks actually take place.

Whilst I’ve been typing this part of my dissertation my firewall has logged the following attacks:

[29/Nov/2001 19:40:02] Packet filter: ACL 2:1 drop packet in: TCP 213.122.84.55:2265 -> 213.122.190.169:80

[29/Nov/2001 19:40:26] Packet filter: ACL 2:1 drop packet in: TCP 213.1.175.199:3206 -> 213.122.190.169:80

[29/Nov/2001 19:40:29] Packet filter: ACL 2:1 drop packet in: TCP 213.1.175.199:3206 -> 213.122.190.169:80

[29/Nov/2001 19:46:16] Packet filter: ACL 2:6 drop packet in: TCP 213.122.131.105:3820 -> 213.122.190.169:27374

[29/Nov/2001 19:49:47] Packet filter: ACL 2:1 drop packet in: TCP 213.1.175.199:3773 -> 213.122.190.169:80

[29/Nov/2001 19:49:50] Packet filter: ACL 2:1 drop packet in: TCP 213.1.175.199:3773 -> 213.122.190.169:80

[29/Nov/2001 19:55:03] Packet filter: ACL 2:1 drop packet in: TCP 213.122.1.199:3649 -> 213.122.190.169:80

These were mainly Code Red attacks destined for port 80. Two packets were destined for port 27374 which is a Trojan Horse program called NetBus. NetBus allows people to completely remote control a PC, including monitoring and logging keystrokes, mouse movement, etc.

If you look at the time of the attacks you will see that they all occurred within a 15 minute period – I was on the internet for 15 minutes and 4 computers tried to hack into mine!

1.1.2 How Firewalls are Used

Firewalls are devices or software packages that monitor traffic passing through them and accept or block it depending on their rules. They operate at the network layer of security which is one of the oldest and most common type of protection used within security solutions.

Network Firewalls are located as a gateway between the private network and the Internet as shown in the diagram below:

There are three main types of Firewall:

Packet Filtering – Rejects TCP/IP packets from unauthorised hosts and rejects connection attempts to unauthorised services. Packet Filters compare network protocols and transport protocol packets to a database of rules and forward only those packets that conform to the criteria specified in the database of rules. Filters can either be implemented in routers or in the IP stacks of servers.

Network Address Translation (NAT) – Provides security benefits by hiding the actual IP address of a host computer when that host makes a request from servers on the internet. A firewall that uses NAT does this by using its own IP address instead of the hosts when it sends requests to servers out on the internet. When replies come back in the NAT component, the firewall places the hosts real IP address in the packet and forwards it to the host. NAT also has the advantage that only one IP address is needed for a LAN to be connected to the internet.

Proxy Services – Makes high level application connections on behalf of internal hosts to completely break the network layer connection between internal and external hosts. Proxies are application specific and have to be written to support a particular service such as HTTP.

Most firewalls on the market today are a combination of the above to increase their effectiveness.

Because of the firewalls location as the gateway between the Internet and the local network, if the firewall were to fail it could mean the local network losing Internet access. Unfortunately this is very hard to protect against without special clustering software because firewalls have to know about connections. If these connections are shared amongst firewalls they need a way of sharing the information between them about the connections.

1.1.3 Changing Times

Chris Potter, a partner in PricewaterhouseCoopers' Global Risk Management Solutions Business, pointed out that the latest statistics show that a new site on the internet will be visited on average within the first 28 seconds of its life and will come under some form of attack within five hours. Attacks on networks by malicious outsiders are increasing as never before.

(Harrington 2000)

This is a frightening figure especially because if a server is installed and configured whilst connected to the internet it will probably be hacked into before the administrator has been able to install all of the security patches even if they are working on it solidly.

And the Net total is ...: Is it 16 million Internet users and 26 per cent more every year. Or 40 million and doubling annually? Both claims could be true

(Arthur1995)

The exponential growth in the internet has been accompanied with the exponential growth in hacking attacks against other Internet users. The graph below shows incoming hacking attempts per day over the course of a year from a system connected via BT Internet in the UK:

http://www.btinternet.com/~shawweb/george/hacks/graphs1.html

You can see the increase in the amount of hacks per day as time goes on. Interestingly enough though, I am also connected to the Internet via BT and I experience attempts far in excess of the amount recorded here. The graph below shows these attempts on a monthly basis but from my logs, the average number of attempts in a day equals over 50 per day!

I’ve done a similar analysis on my own firewall log files at home. It’s not really very conclusive especially since my connection time can vary from month to month depending on my usage but it does show the huge amount of extra connection attempts generated by the CodeRed worm and variants.

More and more people and businesses are relying on the Internet every day and a loss in this medium could cost them greatly financially. Because of its rapid growth and immature age, it’s not a proven technology. After all, the Internet was originally designed to allow military installations to communicate in the event of a nuclear war. It was never designed to protect itself from itself and therefore has a very open architecture.

1.1.4 Getting Fed Up

Quite a while ago I got fed up with the amount of scans I was receiving and decided to try and do something about it. Firstly I performed a scan in the same subnet as myself to see what other people were finding (obviously not helping matters, but I needed somewhere to start from). I found a lot of file sharing ports open, which allowed anyone to connect to their systems and do anything they wanted with the files.

I wrote a small script, which uploaded a text file to their desktop alerting them to the fact that they were vulnerable and suggesting ways of fixing it and also recommending that they install a personal firewall. I left an unused email address of mine in the text file in case they wanted to ask me any further questions. Here are some of the responses I got back:

Hi.

I recently discovered a file you left me on my desktop. I am thankful that you did that. You also said to mail you for any advice to stop people being able to access my computer. First of all, how do I disable access to ports like Port 137-139 etc? Second of all, you mentioned blackicedefender (is that a firewall by the way?) are there any other programs similiar? (just in case I hate blackicedefender which i probably won't but still)

Thanks for any help you can provide, and thanks for pointing out that i'd been hacked! :)

-John

STUPID STUPID ME! I had shared my drives for another machine on my network and forgot to remove them (had not even pasword protected them- since they were on my internal network).

I will pop over to www.networkice.com and have a look.

Thank you for notifying me and for not being malicious!

Shaun

Of course I got an irate response back as well:

You left a message on my hard drive that you had hacked my machine. Do you really not have anything better to do with your weekend than break the law? Yes, altering the contents of someone's hard drive without their authorisation is a criminal offence in the UK breaching the Computer Misuse Act. The penalties range from 6 months to 4 years in jail with unlimited fines. Furthermore seeing that you have more than likely attempted to cover your tracks by using other servers and domains you open yourself up to further breaches of the Computer Misuse Act and other laws in other countries around the world.

Now if you are going to break the law why don't you do it properly and go and rob a bank or something. At least the rewards of doing it are worth the risks you are taking.

Cheers

George

I replied with the following email:

Hello,

Firstly did you read what I put on your desktop??? I put a warning to let you know that you were vulnerable. Do you think that if I had any malicious intent that I would leave a note!!??

You are the first person out of many who I have notified that has been ungrateful for my efforts. Would you of preferred me to ignore your weakness and let some 'script kiddie' delete your work and trash your computer? Below is part of a more typical response to my efforts:

>help i got your notepad message on my desktop !!!! did you remove any

>file etc from my drives ? please please tell me how to remove the

>netbeui and ports, please reply asap, as i use this system to earn a

>living and i dare not go online ......steve

As requested I replied and helped him secure his system from attack. If I hadn't helped him he could of lost a lot of money because as he states, he uses his computer for work.

You seem to be so knowledgeable on the subject of the Computer Misuse Act and the efforts I could of taken to cover my tracks by redirecting through other domains, yet you don't take ANY precautions to protect your system, WHY?

Good Day.

The problem is that so many people are vulnerable to very easy exploits that ‘script kiddies’ get so many responses from a single scan. Until companies like Microsoft make it easier by default to be secure, these scans will continue to take place.

1.2 Review of Literature Used

I’ve tried to use many different sources of information for my research to be as thorough as possible. Because of the topic I’ve found the Internet to be the most useful of these sources.

I’ve been interested in firewalls and computer security for a very long time now. During my placement year I worked on firewall/security development, implementation, general up keep and monitoring. My work at the moment also involves me monitoring and configuring firewalls and making the network as secure as possible. I’ve read various books on the subject which I’ve brought over time. I’ve used my collection of books among other sources to research this topic not only for my dissertation but also my professional career.

Unfortunately a lot of companies are very reluctant to release information regarding a hacking attack and some companies don’t even report such events because of fear of lost customer trust and thus lost revenue. This can make it very difficult to research the topic properly and makes it impossible to determine the scope of hacking attacks and the impact they’ve had. This has started very recently to get slightly better as Network Professionals realise that they have to work together and share information in order to secure their systems as best they can.

2.1 Firewall Protection

A firewalls main job is in protecting the internal network from external attack. How well it accomplishes this can depend on a great many factors. If a good firewall is configured properly it can provide a very robust security solution that can be very hard to penetrate.

2.1.1 What Can They Protect Against?

A firewall provides a centralized management point of network security as it relates from the outside world.

(Ogletree 2000)

A firewall can protect against network traffic passing through it. The protection it offers depends greatly on the firewalls rules and configuration. Firewalls can be set to permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. They can also be set to provide less strict protection and only block services that are known to be problems.

If a particular service is found to be insecure, the firewall can be configured to block access from the outside world to that service. The same rules can be configured for outbound traffic thus restricting traffic in both directions.

NAT firewalls also help to protect the internal network computers by hiding their real IP addresses from the Internet. Only the firewall’s IP address is seen by external computers, even if hundreds of computers are accessing the Internet at the same time through the firewall.

Stateful Packet Filters remember the state of communication flowing through them and can use this information to determine whether or not individual packets should be dropped. Ports above 1024 are used for return sockets of initiated connections – say I connect to a website on port 80 in my browser, the page I requested will be returned to me on a port greater than 1024. Rather than allowing all connections through with a port number greater than 1024 a Stateful Packet Filter can let through only those connections which were requested from computers inside the network. This can greatly increase security because a Trojan horse might be set to listen on any port (27374 is a popular one) and a hacker won’t be able to connect to it if a Stateful Packet Filter is used. Although Trojan horses can be set to initiate connections themselves from within a network so it doesn’t get rid of the problem completely.

Proxy firewalls can look for tags in HTML pages that refer to Java or ActiveX embedded applets and then strip out that content from them. This prevents the applet from executing on the client computer and eliminates the risk that a user will accidentally download a Trojan horse.

In reality, a well-configured firewall can be incredibly difficult to bypass.

(McClure 2001a)

2.1.2 What can’t they protect against

Packet Filtering firewalls don’t understand the information they are blocking or allowing through. All they work on is where the information is coming from, where it’s going too and what service its destined too. Because of this, Packet Filtering firewalls (PFF’s) cannot protect against viruses, worms, Trojan horses, and server vulnerabilities which exist in the server software such as the infamous Code Red in IIS.

With the Code Red worm, PFF’s were configured to allow through traffic destined for port 80 (web). The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability in Microsoft’s IIS, which allows the worm to run on the computer. Once data has passed through the firewall, it has no further interaction with the data and therefore cannot do anymore to detect attacks or prevent them from taking place.

If a Proxy Server is put in place in conjunction with a PPF it can intercept traffic and analyse the contents of it before passing it on, both inbound and outbound. If it knows about a particular exploit it can block the data, this can help to reduce the risk of viruses, worms, Trojans, and server vulnerabilities.

Social Engineering is a common technique used by attacks to gain information about a system. Obviously the firewall has no way of stopping this and once an intruder has the correct credentials, as far as the firewall is concerned the intruder is trusted. The following occurrence illustrates this:

This year 'social engineering' is back in a big way. Take the example given by Ira Winkler of how he cracked a bank's security using only a phone. First, he called an executive's secretary, posing as a human resources employee, and grilled her for information on the executive. Then he called human resources, posing as the executive whose identity he had just stolen, and talked a gullible employee out of a list of new employees and their ID numbers. Finally, he called the employees, posing as an IS employee and talked dozens of them into divulging their log-ins and passwords.

(Hayes 1998)

Internet firewall security systems will not guarantee the safety of your network claim users, with a shocking 9 per cent of firewalled networks suffering security breaches.

The startling figures - exclusive to Network News - come from the latest Network Industry Survey sponsored by Black Box Catalogue.

The report was carried out by IFF Research who polled 145,000 network professionals.

It reveals an alarming shortfall in network security. Of those with access to the Internet, 42 per cent protected their networks with a firewall product, but in 9 out of 100 cases, security was still breached.

Firewall vendors charge thousands of pounds for software which they claim makes the network secure, but experts admit the technology is fallible.

George Zarenba, a director of IT Distribution which sells the Interceptor firewall, said: "Some code for first generation firewalls is now on the Internet. It's now possible to breach that security."

He also blamed human breaches. "If you've got a network manager with a grudge who's giving inside help, it doesn't matter how good your technology is."

Other vendors blamed the operating system. "Most firewalls run on a general operating system. There are holes in Unix and NT which the hackers are going after," said Chris Huggett, VP of international operations for ON Technology.

(Jordan 1997)

2.1.3 Attacks From Within

A firewall can only protect computers on the network from attackers on the internet because the information has to travel through the firewall for it to be able to block it.

It has been a belief that attacks to a corporate network would come from an outside source. Such is not always the case. A commonly held thought is that a larger percentage of threats come from with-in the organization that you work for. The common consensus is there is an 80% chance of an attack/threat by an employee.

(Calvert 2001)

The worst threat to network security is not the fact that credit card transactions or sensitive data pass over the Internet and it has even less to do with the nameless, faceless hacker waiting to hack into your Web site. The biggest threat to your network is the people you know, i.e. the people you hired. Bill Hancock from Network-1 says that 568 out of 600 incidents of network hacking are perpetrated by disgruntled employees who are provided with inside information. Brian O'Higgins, director of Nortel Secure Networks believes that at least 85% of all network security breaches are inside jobs.

(Tadjer 1996)

If attacks are mostly occurring from within the network a Firewall between the network and the internet will be of no help in stopping or preventing the attack. The security of the company will be relying on the configuration of the internal workstations and the servers to prevent the employee doing anything they shouldn’t.

A firewall is not a substitute for everyday system management and security measures. It is just another layer of security.

(Ogletree 2000)

Attacks from within the organisation may consist of the following:

Unauthorized access to and/or removal of sensitive corporate data
Human errors and accidents such as the deletion or corruption of critical files by unauthorized personnel
Bypassing established corporate security policies and practices, thereby exposing internal systems and resources to outside security threats
Unauthorized personal use of corporate resources such e-mail and web surfing
Inappropriate use of corporate resources on activities for which the enterprise may be exposed to unwanted publicity or liability; such as workers viewing pornography or participating in online gambling

2.1.4 Circumventing Firewalls

Firewalls are a definite advantage, but given the right amount of time, most sophisticated computer criminals will learn how to penetrate the standard firewall product leaving users unwittingly exposed.

(Anthes 1995)

Some of the security holes in Unix, which most firewalls run, can leave the firewall vulnerable. A firewall is a perimeter defence offering no protection against insiders who bypass the firewall by establishing their own ad hoc Internet connection. Users should view firewalls as a part of a comprehensive security programme that should include such elements as cryptography, intrusion detection and physical security.

(Anthes 1995)

The methods for circumventing firewalls varies depending on the effectiveness of the firewalls rules and configuration. Suppose a firewall is configured to allow DNS zone transfers from the ISP. This rule could be configured as:

Allow all activity from the TCP Port 53

This liberal rule would allow an external attacker to scan the entire network as long as they spoofed their source as TCP port 53. A much more secure rule would be:

Allow activity from the ISP’s DNS server with TCP port of 53

and destination port 53

This rule would only allow the ISP’s DNS server to perform the zone transfer and prevent scanning via port 53.

You may think that it’s fairly rare for this sort of error to occur, but one of the most popular firewalls Checkpoint (3.0 and 4.0) has the “Allow all activity from the TCP Port 53 and destination port 53” rule by default and it isn’t logged! Although this isn’t as devastating as the first rule mentioned above, it does introduce the possibility that if a system has already been compromised within the network and a Trojan horse put in place, that’s set to listen on TCP port 53, the firewall won’t block or log any external attacker connecting to this computer and using it as their own.

Firewalls are set to allow through certain traffic and block others. If an application is installed within an organisation to change the ports an application is using and the same application is installed off site to change them back then the firewall can effectively be bypassed. There is a program called ‘Firewall’ which can be used for this. I’ve included the diagram below of how Firewall works:

Stateless packet filters inspect each packet on its own merit without retaining information about previous packets. For this reason, when a fragmented packet comes through (multiple packets which are not necessarily in the right order), the TCP header will only be available in the 0^th fragments, which means that although the packet filter will drop the 0^th fragment, it won’t drop fragments past 0.

Because many operating systems TCP/IP stacks don’t actually pay attention to fragment ordering, these operating systems will reassemble a fragmented packet until they get a packet with the final fragment flag set. If the data in their IP buffer constitutes a valid packet, they’ll pass it along to the operating system.

Hackers can exploit this weakness to pass data right through a packet filtering firewall to a specific host inside the network. By transmitting all packets with the fragment number set to 1, but containing the entire TCP packet, the filter will ignore the TCP payload allowing it to pass to the internal network. The addressed end system sees that the final fragment message is set and passes the TCP packet along to the operating system. In this way, hackers can connect directly to hosts inside the network as if the packet filter didn’t even exist.

Another method for circumventing firewalls is if a user has connected a modem to an internal client computer which is connected to the network. If this client computer were to get compromised via the modem, the attacker would have access to the internal network without the firewalls involvement.

Security watchers have warned that personal firewalls may be an "exercise in futility" given the latest developments in Trojan techniques.

Just days after the security community advised that Trojans are increasingly using outbound connections to pick up commands and avoid port blocking and intrusion detection, experts have said that firewalls may be highly susceptible to such tricks.

Following a report titled The Futility of Common Firewall Policies from the Department of Health Management and Informatics and the University of Missouri, experts have spent years researching the many ways to circumvent the outbound detection processes of personal firewalls.

As vnunet.com pointed out recently, Trojan authors are increasingly commandeering or hijacking web browsers and forcing them to send out data, disguised as HTTP traffic, on behalf of the attacker.

Although by nature a Trojan must be able to get onto the system in the first place to cause damage, if this does happen, "then it's game over," said Robin Keir, author of proof-of-concept tool, FireHole.

"The rogue program has your computer completely under its control," he added.

Likewise, Bob Sundling, who created a similar tool, TooLeaky, said that his program "very clearly penetrates every firewall on the market, including Zone Alarm. It sends data out to a server and then retrieves data in response, completely bypassing your firewall," he said.

He added: "If a firewall is going to allow some program to transmit and receive data over the internet, and that program allows other programs to control its actions, then there's no point in blocking anything at all."

"Keep your antivirus program up to date, keep your email client locked down with correct security zone settings, never open attachments that can contain executable content, and maybe restrict the ports that your web browser and other commonly used applications can talk on," added Keir.

(Middleton 2001b)

2.1.5 Wireless LAN’s

People might be satisfied and feel comfortable to a certain extent with the security level intrinsic in wired LAN. But as soon as the data packets are being transmitted through the open-air interface, there is a necessity to think twice. In a wired LAN the devices need to be physically connected to the network, but because of the wireless medium, access in a wireless LAN cannot be physically restricted.

Radio signals can propagate outside office buildings depending on building material and surrounding, thus it could be possible for an intruder to access the wireless LAN outside the building for example from a nearby parking lot. The intruder could then eavesdrop on the transmitted data.

This however, requires that the intruder obtain the network access code to be able to join the wireless LAN. Ethernet 10Base-T cabling acts as a remarkable antenna. Anyone with a strong motivation and a good antenna can sit in the parking lot and pick up the wired Ethernet data packets

A wireless LAN gateway is normally located within an organisations network and thus inside the firewall. If an intruder did gain access, the firewall will not help as they are already inside the network.

2.1.6 Denial Of Service Attacks and Firewalls

Denial of Service (DOS) attacks are designed to stop the target computer performing its assigned function, be that a web server, file server, database, etc. There are three main types of DOS attack; those that exploit bugs in the TCP/IP implementations, those that exploit weaknesses in the TCP/IP implementation and brute-force attacks which flood a network with useless data.

Although DOS attacks are often perceived as just a disruptive attack, they are often used to aid more sophisticated attacks. For example if a target computer trusts another computer on the internet, this trusted computer may be attacked with a DOS and the identity of this trusted computer taken via a spoofed IP address. Thus making the target computer think its talking to the trusted computer when really its talking to the hacker.

During February 2000 some of the most popular Internet sites (CNN, Yahoo, E-Bay and Datek) were subject to DOS attacks. Their networks were clogged with false requests sent by multiple computers under the control of a single hacker, these commercial sites lost untold millions in sales.

Firewalls help when dealing with all 3 types of DOS attack, but they can’t prevent them completely. If a DOS attack exploits a bug or weakness in the TCP/IP implementations, it is possible (more often probable) that the firewall doesn’t suffer from the same bug thus thwarting the attack.

An example of a brute-force DOS is an attack called ‘Smurf’. The Smurf attack is one of the most frightening DOS attacks because of the amplification effects of the attack. The amplification effect is a result of sending a directed broadcast ping request to a network of systems that will respond to such requests. A Smurf attack takes advantage of directed broadcasts and requires a minimum of three actors: the attacker, the amplifying network, and the victim. The attacker sends spoofed ICMP Echo packets to the broadcast address of the amplifying network. The source address is forged to make it appear as if the victim system has initiated the request. All the systems on the amplifying network will respond to the victim. If an attacker sends a single ICMP packet to an amplifying network that has 100 systems, the attacker has effectively multiplied the DOS by a magnitude of 100. This can result in the attacker consuming all the available bandwidth to a particular network thus rendering it cut off from the internet.

The only way to stop a brute-force DOS is to get in-touch with your ISP and get them to filter the traffic reaching your network - of course the ISP has to be able to cope with the amount of traffic.

The only protection a firewall offers in a brute-force DOS is in preventing your network from becoming an amplifying network by blocking incoming ICMP to the broadcast address.

It is believed to be possible to completely disconnect an entire country (such as England) from the Internet by using such an attack in a very coordinated manner. I guess we’ll have to wait and see if this is true!

2.1.7 Firewalls and VPN’s

A Virtual Private Network (VPN) uses the Internet to route LAN traffic from one private network to another by encapsulating the LAN traffic in IP packets. The encrypted packets are unreadable (because of their encryption by intermediary Internet computers and can contain any kind of LAN communications, including file and print access, LAN e-mail, Remote Procedure Calls, and client/server database access. VPN’s are a cost effective way to extend a LAN over the Internet to remote networks and remote client computers.

Because of a firewalls location on the network it is ideally suited to control/host the VPN connection.

Reserved: Client

VPN Link

Pure VPN systems do not provide adequate network protection. You also need a firewall and other Internet security services to keep your network safe.

(Anon 2001a)

VPN’s are often used to allow remote workers to connect to the corporate LAN and access files and data. The problem with this scenario is that if the remote users machine has been compromised, it would be possible for the attacker to use this machine to gain access to the corporate LAN. This is exactly how Microsoft were hacked into a couple of years ago by a Russian group of hackers who were rumoured to have downloaded source code.

Reserved: Remote Worker

VPN Link

A solution to this problem can be to use certificates and smart cards to permit logon remotely. Unfortunately this isn’t that popular because of the costs involved and the time in setting up and maintenance.

2.1.8 Other Firewall Uses

Firewalls because of their location as the only connection between the internal network and the internet, are often used to also provide other services and information such as:

· Bandwidth Usage – Companies are often charged by their ISP for the amount of data they transmit and receive. The firewall can be used to monitor and log this usage to verify the bill from the ISP. Companies can also see if they should consider upgrading to a higher capacity internet link.

· Cache Service – Firewalls often feature the ability to cache information they receive. This means that if another request is received for data that is already in the cache, the firewall can supply the data from the cache and not have to download it from the internet again. This has the advantage of reducing the amount of traffic over the internet link and speeding up internet access. The downside is that if the data has been changed since it was stored in the cache (such as a different web page), the old data may be displayed rather than the new.

· Access Logs – Firewalls often log any access made to internet resources by users so that if needed the logs can be viewed and any sites visited or other information can be displayed on a per user/department/etc basis.

NAT firewalls have the advantage of only needing a single public IP address for the entire network to access the Internet. Because IP addresses are running short and can be expensive, only needing one is very beneficial.

2.1.9 Famous Hacks

In 1972, John T. Draper discovered he could make free long-distance phone calls using a whistle from a Cap'n Crunch cereal box. The whistle emitted a 2,600-hertz tone that got him into the internal authorization system at the phone company.

In 1988. Robert Tappan Morris, the 22-year-old son of a security expert for the National Security Agency and a bit of a geek in his own right, decided to write a benign program to map every server on the Internet. His program, now known as the Worm, was supposed to hop between servers on the Internet, copy itself onto each server, and move on. However, a misplaced decimal point in the code made the Worm copy itself not once but indefinitely on each server. More than 6,000 servers crashed--one out of every ten servers on the Internet at the time. It took a full day to get the Net back online, by which time network administrators wanted blood.

In July 1997, Kashpureff used his knowledge of the domain name system (DNS) to divert traffic from Network Solutions. For one whole day, people who entered www.internic.net into their browsers found themselves not at the official domain registry but at AlterNIC. Kashpureff dubbed this manoeuvre Operation DNS Storm.

On June 22, 2001, Prime Suspectz, a Brazilian hacker group, defaced four Microsoft sites in less than one hour. The hackers group slammed Microsoft's web server security in one of their defacements: "Prime Suspectz again! One, two, three in only 30 minutes. As we can see, this server IIS is very good!! Micro$oft, where i find secure products made by you? WHERE?"

A Brazilian group known as Inferno.BR broke into NASA and NATO. Inferno.BR was a group of Brazilian hacktivists, whose primary goals was to voice its disapproval of the Brazilian government, as well as point out objectionable international policies that affected Brazil and other developing nations. Two members of Inferno.BR were caught: JxLxMx, 21 years old, and JamiezJamiez who was 22. Neither had a previous criminal record.

The article below is a very frightening illustration of how hacking in the future might change in to something which more resembles the 80’s film ‘War Games’:

Army officials are concerned that skilled computer enthusiasts, and in particular those engaged by hostile military organisations, can hack into military weapons systems and control them remotely, Federal Computer Week reports. The potential exists for hackers to access computerised systems used for navigation and weapons targeting, US Army Information Assurance Program Manager Major Sheryl French explained during a recent military information management conference in Houston, Texas. According to the article, the US Department of Defence (DoD) has established through testing that a malicious hacker could penetrate the control systems of major weapons. According to a Defense Information Systems Agency training CD-ROM, an Air Force officer in a Boston hotel used a laptop computer to break into the computers of a Navy ship at sea, and implanted spurious data in its navigation systems. "This actually happened," the training module warns. "Fortunately, this was only a controlled test to see what could be done. In reality, the type of crime and its objective is limited only by people’s imagination and ability." But not everyone is losing sleep over the dark possibilities of cyber-warfare. Federation of American Scientists (FAS) defense and intelligence analyst John Pike says the threat can easily be exaggerated. Remotely hacking into weapons systems would be extremely difficult under highly-fluid battlefield conditions, Pike believes. "The problem for the enemy is that computer security vulnerabilities will almost certainly prove fleeting and unpredictable," he said. He described the true threat as a matter of random instances of harassment by the enemy. That's fine, so long as they don't gain access to strategic nuclear weapons systems, in which case a random instance of harassment could result in a nightmare of distinctly Biblical proportions.

(Greene 2000)

2.2 Firewall Design

Firewalls can be either special dedicated hardware devices designed specifically for the purpose or can be normal computers (or routers) with firewall software running on them.

A firewalls effectiveness can have a lot to do with the quality and therefore bug freeness of its code. If the software developers have left unknown holes or vulnerabilities in the software they will probably be discovered at some point and a exploit may become available which can be used to bypass the firewall thus rendering it useless.

Firewalls range in cost from completely free to costing tens of thousands of pounds, and there effectiveness is not normally relative to the cost. Extremely secure solutions can be constructed from freely available applications. However, the time taken to implement and configure these solutions is often very long.

2.2.1 Configuration and its Effectiveness

In reality, a well-configured firewall can be incredibly difficult to bypass.

(McClure 2001a)

A firewall can be configured to provide an internet connection to more than one network. This is a very good practise when different parts of the network require different security levels. A good example of this is in implementing a ‘Demilitarised Zone’ (DMZ) where web servers and other internet servers are located separate from the internal network. If a server in the DMZ is compromised the attacker still doesn’t have access to the internal Lan.

Alternatively two firewalls can be put in place that get more restrictive. The diagram below illustrates this: