This chapter provides an overview of some of the basic features and terminology of the Internet, and introduces the Gauntlet Firewall and its basic features. This chapter contains the following sections:
“The Internet” summarizes the Internet—the major reason for interest in creating firewalls today.
“Network Security Issues” describes the role of firewalls in establishing and maintaining network security.
“Gauntlet Firewall Functional Description” summarizes the specific Gauntlet firewall functions which implement network security on an IRIX host.
The Internet is a vast, connected network of heterogeneous computer resources, spanning the globe and growing daily. Increasingly, individuals and organizations are finding access to the Internet to be important for a wide variety of services pertinent to their businesses and other interests, including electronic mail, access to vast information archives, and keeping abreast of current developments in a host of areas.
Undoubtedly the most recent spur to the growth of interest in Internet access is the development of the World Wide Web, which provides both a “friendly” graphical interface to Internet resources and a standardized means of presenting and accessing them. Products designed for this market, such as WebFORCE, allow their users to establish an Internet presence that can be accessed around the world.
The Internet presents ways to share data that you want to share, but you must take measures to protect data that you want protected. The Gauntlet system presents one of the best ways to protect your internal, trusted network from the Internet (or any untrusted network), while still allowing you easy access to the resources that are out there.
If you are connecting to any untrusted network such as the Internet, you should configure your connection so that you do not unwittingly risk the exposure or corruption of important data. You should know exactly which (if any) data you are making publicly accessible, and you should guard against the possibility of unwanted intruders gaining access to your site. The Internet has many known (and some famous) instances of unwanted intrusions, vandalism, and so on, and acknowledging and acting on such possibilities is the best way to ensure that your Internet presence is a pleasurable and profitable one.
While it is beyond the scope of this document to detail particular instances of malicious or criminal activity on computer networks, a great deal of such information is available on the Internet itself, and makes for useful reading for those responsible for computer security (refer to “Additional Resources” for pointers to additional information).
In general, you need to establish a line of defense between your trusted computer resources (your internal network) and the computer resources publicly accessible through the Internet (the external network). This line of defense should shield you from direct, external accesses, and it may be as simple as a single router or computer host or as complex as multiple routers and an entire computer network. (This document is concerned with establishing the secure firewalls possible with a computer host or network, not with the limited firewall protection of a router-only configuration.) Behind this line, you choose the degree to which you want to allow internal, trusted users access to the Internet, and the degree to which external users can access your internal resources. Your choices constitute your security policy.
One way of establishing the line between the external world of untrusted hosts and the internal world of trusted hosts is by creating a firewall. A firewall is a combination of computer hardware and software that allows you to restrict interactions with the Internet to the degree you desire. The simple formula is the more access you allow, the greater the security concerns; the greater the restrictions you place on access, the easier it is to monitor and maintain security. The trade-off is one of ease of use versus peace of mind. For system and network administrators, this often translates as balancing the wishes of users with the needs and capacities of the administrator(s). The balance achieved must be determined individually for each site.
An example of a simple firewall is shown in Figure 1-1. In this illustration, a single computer host is configured with two network interfaces to become what is known as a dual-homed host—a host with a presence on each of two different networks. When it is configured as described in this document, it represents a single, controlled barrier between your internal network and the Internet where you can focus your security efforts.
The Gauntlet firewall system is a standard IRIX system that has been modified to serve as a secure and flexible firewall. While firewall hardware can be implemented in one of several ways, the most secure and the one Silicon Graphics recommends is the dual-homed host configuration depicted in Figure 1-1. This configuration forces all traffic to go through the firewall and thereby eliminates some of the common holes in network security.
The Gauntlet firewall is designed to enforce security on connections between networks that are in different administrative domains, or which do not trust each other. In addition to enforcing security via access controls, Gauntlet firewalls provide detailed traffic reports and complete audit trails for information passing through the firewall. The Gauntlet firewall is implemented with a conservative design philosophy, placing security and assurance of correctness as the primary design objective for all services it provides.
To provide connectivity, the Gauntlet firewall does not rely on network-level filtering or traffic control as do many firewalls. Gauntlet firewalls act as a complete traffic block and transport all traffic through application layer service software (known as “proxies”) that act as a gateway to each service on behalf of the user. The basic services supported through a Gauntlet firewall are: TELNET, rlogin, FTP, NNTP (USENET NetNews), Gopher+, HTTP (World-Wide Web), the X-Window System, and SMTP-based electronic mail. For each service provided, there is a separate secure forwarding proxy server that performs protocol-specific access control and auditing. While this approach is less direct than simply using a router or packet-screening system that operates at the network layer, it is the only approach that provides a high degree of assurance and traffic control.
The default configuration of the Gauntlet firewall is that all networks other than the Gauntlet system itself are untrusted. Since the Gauntlet firewall starts with an empty user authentication database, no interactive traffic is permitted to cross it until either trusted networks are added, or until users are added to the authentication database.
Gauntlet V3.0 supports two additional functions that make it a superior application-level firewall: transparent proxies and IP-level encryption. Proxy transparency means that the firewall automatically “intercepts” outgoing connections and invokes a proxy server on behalf of the user. Transparent proxies make it possible for the user never to have to interact explicitly with the firewall at all, while the administrator is still provided with precise access control and auditing information.
When the Gauntlet firewall is configured in transparent mode (see Figure 1-2), the network interfaces are labelled to the operating system as “internal” or “external.” Traffic originating from the internal interface is a candidate for transparent proxies, while traffic from the external interface is not. Internal workstations must be configured to route traffic through the firewall as if it were a router. Routes to the internal network are not advertised to the Internet by the Gauntlet firewall.
IP-level encryption can be used to build Virtual Network Perimeters (“VNPs”, as shown in Figure 1-3) between remote facilities that have an untrusted network between them.[1] All traffic between the networks forming a VNP must be routed through the firewalls, which encapsulate the traffic and transmit it encrypted using DES. When operating in this manner, the firewalls gateway all traffic destined for the local networks at the IP level; proxies are therefore not required, and any protocol and application may be used. An interloper monitoring traffic between the two firewalls would see only a single multiplexed stream of encrypted data between them, and would be unable to determine anything about the contents, source, or protocol of the traffic. The process used also “authenticates” traffic at the network layer, so that an attacker would have to mount a sophisticated cryptologic attack in order to produce traffic that would decrypt as valid traffic at each firewall.
To simplify installation and configuration, the Gauntlet firewall implements an access control policy based on the originating network. For general use, the Gauntlet Internet Firewall's configuration system supports a notion of “trusted networks” and “untrusted networks.” Trusted networks are networks that are inside the security perimeter and from which access is permitted without an authentication step being required. Untrusted networks are outside the security perimeter and require authentication prior to being permitted access. Individual components of the Gauntlet software can be configured to further restrict or more precisely control traffic through the firewall.
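The originating-network policy described above (tables that start empty so no interactive traffic crosses by default, transparent-proxy candidacy only for the internal interface, and an authentication step for untrusted sources), modelled as an added Python example. This is not Gauntlet's own code; the rule that refuses a trusted address arriving on the external interface is an assumption beyond this chapter, and the addresses and user names are constructed.

```python
import ipaddress

# Added example, not Gauntlet's own code: a model of the originating-network
# access policy. Both tables start empty, matching the default in which no
# interactive traffic can cross the firewall until the administrator adds entries.
TRUSTED_NETWORKS = []   # CIDR strings the administrator adds, e.g. "10.1.0.0/16"
AUTH_DB = set()         # user names present in the authentication database


def is_trusted(source_ip, trusted_networks):
    """True if the originating address lies inside any trusted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False    # unparsable source address is never trusted
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in trusted_networks)


def decide(source_ip, interface, user=None, trusted_networks=None, auth_db=None):
    """Return (verdict, reason) for an interactive connection request.

    interface: "internal" or "external", the interface the packet arrived on.
    user: name supplied by an authentication step, or None if there was none.
    """
    trusted_networks = TRUSTED_NETWORKS if trusted_networks is None else trusted_networks
    auth_db = AUTH_DB if auth_db is None else auth_db
    trusted = is_trusted(source_ip, trusted_networks)

    # Assumption beyond the chapter: a trusted (inside) address showing up on the
    # external interface is treated as spoofed and refused rather than trusted.
    if trusted and interface == "external":
        return ("deny", "trusted address seen on external interface")
    if trusted and interface == "internal":
        return ("allow", "trusted network; eligible for transparent proxy")
    if user is not None and user in auth_db:
        return ("allow", "untrusted network; user authenticated")
    if user is not None:
        return ("deny", "untrusted network; user not in authentication database")
    return ("deny", "untrusted network; authentication required")


def example_policy():
    """Walk the default (empty) policy and a populated one; returns the verdicts."""
    nets, db = ["10.1.0.0/16"], {"alice"}          # constructed sample policy
    return [decide("10.1.2.3", "internal", None, [], set())[0],     # default: deny
            decide("10.1.2.3", "internal", None, nets, db)[0],      # inside: allow
            decide("192.0.2.7", "external", "alice", nets, db)[0],  # authenticated: allow
            decide("192.0.2.7", "external", "bob", nets, db)[0],    # unknown user: deny
            decide("10.1.2.3", "external", None, nets, db)[0]]      # spoofed: deny
```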
In addition to the core security services provided, the Gauntlet firewall includes a forms-based systems management interface, which provides easy-to-use control over configuration and daily operation. (See Chapter 3, “Management Interface,” for details.) The Gauntlet platform is a truly open platform, and includes complete source code and documentation for its software.
[1] The IP Encryption option is available only within the US and Canada, due to US Government export regulations.