Protection of information resources in a corporate network using firewalls.
Issues of information security on the Internet remain among the most pressing today. In this regard, the authors of the article introduce readers to an effective means of protection, firewalls, and offer an overview of the Russian market for these certified devices.
Pros and cons
Recent years have seen an expansion of the possibilities for using information resources available via the Internet. Many organizations today connect local networks to it in order to access inter-network information resources through their workstations. The Internet has become a vital and constantly growing global network that has changed the way of life and thinking of many people. But at the same time, it has given rise to many problems, primarily related to the organization of security, since the most common protocols used for information exchange do not provide protection against data interception. There are several reasons for this situation:
— the initial lack of a security policy: when developing the principles of the Internet's operation, the main efforts were aimed at achieving the convenience of information exchange, and many networks were designed without access control mechanisms from the Internet;
— vulnerability of basic services: the basic Internet protocol is the TCP/IP protocol suite, the service programs of which do not guarantee security;
— the unencrypted nature of most information transmitted over the Internet, which makes it possible to monitor data transmission channels: e-mail, passwords, and transmitted files can be easily intercepted by an intruder using available programs;
— complexity of configuration — access control tools are often difficult to configure and control, which entails incorrect configuration of such tools and leads to unauthorized access.
For the above reasons, the corporate network administrator constantly faces the problem of protecting local network resources from unauthorized access. This problem is especially relevant for organizations that handle confidential information, be it financial information or information related to the sphere of state interests.
Hackers exploit Internet vulnerabilities
The current level of software development allows a sufficiently competent hacker familiar with the TCP/IP protocol stack to connect to a remote system without authorization, capture legitimate user connections, and even obtain supervisor privileges.
Many companies have developed software products (Satan, Cops, etc.) to facilitate the work of a system administrator in finding and eliminating «holes» in a security system. But in reality, they are often used by hackers, with the only difference being that the crackers are in no hurry to eliminate the discovered «holes», but on the contrary, use them for their own purposes.
When studying the problems of information security in a corporate network, the following must be taken into account:
— the network does not ensure security (confidentiality and integrity) of data;
— the network does not ensure the quality and availability of interaction between applications;
— the network must protect its own resources;
— the network is divided into security subnets;
— different subnets can have different security policies;
— subnets must be separated from each other by firewalls.
Specifics of corporate network protection
The fact that the Internet does not provide effective means of protection encourages us to search for them. All the problems are caused by the initially laid down principles of openness of Unix systems. Conceived as a system intended for joint work in universities, Unix was subsequently supplemented with elements of protection rather artificially. In addition, the requirements for security systems in existing Unix systems are not standardized. Therefore, administrators have to focus on the existing software platform.
The specificity of protecting information resources of corporate networks is also due to the fact that they most often consist of subnets or segments. At the same time, the protected network may have segments with different degrees of protection:
— freely accessible (WWW server, FTP server);
— with limited access;
— closed for access.
The rules for access to these resources must be determined by the administration in such a way as to, on the one hand, prevent unauthorized access to protected information resources, and on the other hand, provide the user with maximum transparency in working with the information he needs.
Firewalls (FW). General characteristics
Considering the urgency of the problem of protecting networks using TCP/IP protocols, on June 25, 1997, the State Technical Commission under the President of the Russian Federation issued a guideline document «Computer Equipment. Firewalls. Protection from Unauthorized Access to Information. Indicators of Protection from Unauthorized Access to Information» (hereinafter the RD for FW) as a supplement to the guideline documents «Computer Equipment. Protection from Unauthorized Access to Information. Indicators of Protection from Unauthorized Access to Information» and «Automated Systems. Protection from Unauthorized Access to Information. Classification of Automated Systems and Requirements for Information Protection», 1992 (the RD for AS).
In the RD for FW, a firewall is defined as a «local (single-component) or functionally distributed software (hardware and software) tool (complex) implementing control over information entering the AS and/or leaving the AS. The firewall ensures the protection of the AS by filtering information, i.e. by analyzing it according to a set of criteria and making a decision on its distribution to (from) the AS based on specified rules, thus differentiating the access of subjects from one AS to objects of another AS. Each rule prohibits or permits the transfer of information of a certain type between subjects and objects. As a result, subjects from one AS gain access only to permitted information objects from another AS. The set of rules is interpreted by a sequence of filters that permit or prohibit the transfer of data (packets) to the next filter or protocol level.»
Firewalls typically protect a company's internal network from «intrusions» from the Internet. However, they can also be used to protect against «attacks» from, for example, a corporate intranet to which your network is connected. As with any network security mechanism, an organization developing a specific security policy must also determine what type of TCP/IP traffic the firewall will treat as «authorized.» For example, it must decide whether and to what extent users will be restricted from accessing certain TCP/IP-based services. Developing a security policy will help you determine what firewall components you need and how to configure them to enforce the access restrictions you have defined.
Installing Firewalls
The simplest solution is to install a screen on the border of the local and global networks. Publicly accessible WWW and FTP servers can be installed either in the protected zone (but remember that this will negatively affect the transparency of the system) or moved outside the protected zone. It is also possible to install two screens, one of which will protect the local network, and the other — accessible servers.
Firewalls are implemented on the basis of various Unix systems, such as Solaris, BSDI, Linux, etc., as well as Windows NT. It is strongly recommended to use a separate station with the appropriate hardware requirements (500 MB of disk space, 32 MB of RAM) for installing the firewall. In addition, some changes are made to the OS kernel for the firewall, increasing the security of the system. Thus, it is prohibited to have user sections on the gateway; some firewalls work only in single-user mode and generate special checksums to track the integrity of the software.
Principles of firewall operation
The basic protocol for transmitting data over the Internet is the TCP/IP protocol suite. Data transmitted over the network is a set of packets. Each packet has a source and a destination IP address, as well as an indication of the TCP/IP service that will process the packet.
Firewalls allow you to set flexible rules for delivering packets to any of the segments.
Table 1. Firewalls and the OSI model
All firewalls operate based on the use of information from different levels of the OSI model (Table 1). The OSI model, developed by the International Standards Organization (ISO), defines seven levels at which computer systems interact with each other, starting with the level of the physical data transmission medium and ending with the level of application programs used for communications. In general, the higher the level of the OSI model at which the firewall filters packets, the higher the level of protection it provides.
Types of Firewalls
Functionally, firewalls are divided into three categories: packet filtering systems, application-level and connection-level intermediary servers (gateways). In addition, a more detailed version of packet filtering is possible — expert-level screens based on the implementation of a state control mechanism. Each of these systems has its own advantages and disadvantages. The fundamental differences between them will be described below.
Packet filtering systems (PF)
Packet filtering systems scan all IP packets entering the protected network and either allow them through or reject them. The rules by which the firewall makes the appropriate decision are explicitly defined in advance by the administrator. The packets' belonging to a particular category is determined from the corresponding values of the «address» and «port» fields in the IP packet header. Since the TCP port number is associated with a specific service in Unix, we can say that packet filtering is performed at the transport, network, and application levels. The administrator can block requests to a specific port and block packets from a specific address or a specific network. For example, you can allow an internal user to work with all network services and reject all packets coming from outside, except for requests to port 80 (HTTP), which, however, will not protect the network from attacks by Java applets and ActiveX objects.
Among the advantages of PF are transparency for users and flexibility in setting up filtering rules. As an example of PF, we will cite ipfirewall, which is freely distributed for BSD systems (a version of this package can be obtained from ftp.bsdi.com/contrib/networking/security/ or ftp.nebulus.net/pub/bsdi/security/).
Filtering rules can be set both from the command line and in crontab files. For example, the command:
ipfirewall addb reject all from 194.85.21.161 to 194.85.21.129
allows you to «reject» all packets coming from the address 194.85.21.161 to the address 194.85.21.129.
However, the rules must be configured very carefully and cautiously, which requires some knowledge of TCP and UDP technologies. In general, filtering rules are defined as a table of conditions and actions that must be applied in a certain sequence before the system decides to pass the packet or drop it.
Consider the following scenario: the administrator of a Class B network 194.85 wants to deny access to his network (194.85.0.0/16) from the Internet (this notation indicates that the sixteen most significant bits of the address are significant, so the entry covers all addresses on the 194.85 network). Within the network, there is a subnet 194.85.21.0/24, whose machines communicate with an organization outside of this network. The administrator needs to allow access to the 194.85.21.0/24 subnet from the 194.226.0.0/16 network.
In addition, the administrator believes that some threat may be coming from a specific subnet 194.226.55.0/24 of the 194.226 network, and he wants to deny access to his machines from it.
In the described situation, the rules table may look like this (Table 2).
Table 2.
Rule C is the «default rule», it will be activated if the packet does not meet the requirements specified in the first two rules.
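The rule-table logic of the scenario above (deny the suspect subnet 194.226.55.0/24, permit the rest of 194.226.0.0/16 into 194.85.21.0/24, and deny everything else by the default rule C), together with the earlier «only port 80 from outside» example, can be modelled in a few lines. The following is an added illustration, not code from the article or from ipfirewall; the rule names A, B, C follow the text, while the web-server address 194.85.21.10 and the rule names W1/W2 are constructed for the example. It also shows why rule order matters: with the permit placed before the deny, the suspect subnet slips through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # source address range
    dst: ipaddress.IPv4Network       # destination address range
    dport: Optional[int] = None      # destination TCP/UDP port, None = any port


def rule(name, action, src, dst, dport=None):
    return Rule(name, action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


# Rule table for the scenario in the text, in the order it must be applied
# (inbound traffic at the border of 194.85.0.0/16).
RULES = [
    rule("A", "deny",  "194.226.55.0/24", "194.85.21.0/24"),   # suspect subnet, checked first
    rule("B", "allow", "194.226.0.0/16",  "194.85.21.0/24"),   # partner network into the open subnet
    rule("C", "deny",  "0.0.0.0/0",       "194.85.0.0/16"),    # default rule: everything else is denied
]

# Table for the port example: outside hosts may only reach the web server on port 80.
# The server address 194.85.21.10 is a constructed placeholder.
WEB_RULES = [
    rule("W1", "allow", "0.0.0.0/0", "194.85.21.10/32", dport=80),
    rule("W2", "deny",  "0.0.0.0/0", "194.85.0.0/16"),
]


def decide(src_ip, dst_ip, dport=None, rules=RULES):
    """First-match evaluation: return (action, rule name) for a packet's header fields."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.name
    return "deny", "implicit"        # nothing matched: fail closed rather than open


if __name__ == "__main__":
    for src, dst in [("194.226.55.7", "194.85.21.3"),
                     ("194.226.10.7", "194.85.21.3"),
                     ("194.226.10.7", "194.85.30.3")]:
        print(src, "->", dst, decide(src, dst))
    # Swapping rules A and B lets the suspect subnet through: order is part of the policy.
    print("misordered:", decide("194.226.55.7", "194.85.21.3", rules=[RULES[1], RULES[0], RULES[2]]))
```

The deny for the suspect subnet must precede the broader permit because the first matching row wins; an evaluator that scanned for «any permit» instead would make rule A useless.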
According to the requirement of the State Technical Commission of Russia, packet filtering systems must make a decision based on at least two attributes (sender address/recipient address, etc.)
The main advantage of using PF is the low cost of their implementation and minimal impact on network performance. If a hardware or software IP router is already installed in the network that provides the ability to filter packets (for example, manufactured by Cisco Systems, Bay Networks or Novell), setting up the screen will be completely free, not counting the time spent on creating packet filtering rules.
If we talk about the disadvantages of PF, the main one is lower reliability than other types of screens. Another negative point is the lack of user authentication. In short, such protection cannot be considered perfect.
Typically, in specific firewall implementations, packet filtering is combined with other architectures, most often with state inspection. In this case, we get an expert-level screen that, like a packet filter, checks IP packet headers, but also remembers all open connections and closes these entries once the service has completed. The state inspection mechanism is implemented in the Checkpoint Firewall v 1.2 system.
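The difference between a pure packet filter and an expert-level screen with state inspection is easiest to see on TCP. A stateless filter can only approximate «established» by trusting the ACK bit in the header; a stateful screen remembers which connections were opened from the protected segment and admits reply packets for those only. The following is an added example, not code from the article or from any of the products it mentions; it uses the 194.85.21.0/24 segment from the scenario above as the inside network, and the outside addresses and ports are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("194.85.21.0/24")   # protected segment from the scenario
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04          # TCP flag bits


def stateless_established(src, flags):
    """A packet filter's approximation of «established»: trust the ACK bit in the header."""
    if ipaddress.ip_address(src) in INTERNAL:
        return "allow"                          # anything from inside may go out
    return "allow" if flags & ACK else "deny"   # any outside packet with ACK set passes


class StatefulFilter:
    """Expert-level screen: header checks plus a table of connections opened from inside."""

    def __init__(self):
        # key: (src, sport, dst, dport) of the initiating SYN; value: set of sides that sent FIN
        self.table = {}

    def packet(self, src, sport, dst, dport, flags):
        orig = (src, sport, dst, dport)
        reply = (dst, dport, src, sport)
        for key, side in ((orig, "orig"), (reply, "reply")):
            if key in self.table:
                fins = self.table[key]
                if flags & RST or len(fins) == 2:
                    del self.table[key]          # abort, or the final ACK after both FINs
                elif flags & FIN:
                    fins.add(side)               # orderly close needs a FIN from each side
                return "allow"
        # No state: only a fresh SYN from the protected segment may create one.
        if ipaddress.ip_address(src) in INTERNAL and flags & SYN and not flags & ACK:
            self.table[orig] = set()
            return "allow"
        return "deny"   # unsolicited packet from outside, whatever its flags claim

    def connections(self):
        return len(self.table)


def demo():
    """Walk one connection through the screen and probe it with an unsolicited ACK."""
    fw = StatefulFilter()
    inside, outside = "194.85.21.5", "198.51.100.9"      # constructed sample addresses
    log = [fw.packet(inside, 40000, outside, 80, SYN),
           fw.packet(outside, 80, inside, 40000, SYN | ACK),
           fw.packet(inside, 40000, outside, 80, ACK),
           fw.packet(outside, 80, inside, 40001, ACK)]    # no such connection: denied
    return log, stateless_established(outside, ACK), fw.connections()


if __name__ == "__main__":
    print(demo())
```

The fourth packet is the instructive one: the stateless rule lets it in because its ACK bit is set, while the stateful screen rejects it because no connection to port 40001 was ever opened from inside. Real products also age out idle entries and bound the table size so that state itself does not become a resource-exhaustion target.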
Screening gateways (SG)
A firewall can be built using screening agents that establish a connection between a subject and an object, and then forward information, implementing control and/or registration. The use of screening agents adds another protective function — hiding the true object from the subject, while the subject thinks that he is directly interacting with it. Usually, the screen is not symmetrical; the concepts of «inside» and «outside» are defined for it. In this case, the screening task is formulated as protecting the internal area from an uncontrolled and potentially hostile external one.
High-level TCP and UDP services, when receiving a packet, assume that the source address specified in it is the true source address. In other words, the IP address is the basis for screen decisions: the packet is assumed to have been sent from a real host, namely the one whose address is specified in the packet. IP has an option called the «source routing option», which can be used to specify the exact forward and reverse path between the sender and receiver. This option allows packets to be transmitted through hosts that are not normally used when transmitting packets from machine to machine. For some services, a packet that arrives with this option appears to have been sent by the last host in the routing chain, rather than by the true sender. This feature of IP must be taken into account when the screening task is formulated as protecting the internal domain from an uncontrolled and potentially hostile external one.
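Because a screen's decisions rest on the source address, a screening gateway has to recognise the source routing options in the IPv4 header before it trusts that address. The following is an added example, not code from the article: a small IPv4 header parser that walks the options field, flags the loose (type 131) and strict (type 137) source route options defined in RFC 791, and treats malformed headers as suspicious. The sample headers are constructed inline with a zero checksum; the addresses reuse the scenario's networks.

```python
import struct

LSRR, SSRR = 131, 137   # IPv4 option types: loose / strict source routing (RFC 791)


def parse_ipv4(packet: bytes):
    """Return (src, dst, options) from a raw IPv4 header; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or header length")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    options, opts, i = [], packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        options.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return src, dst, options


def has_source_route(packet: bytes) -> bool:
    try:
        _, _, options = parse_ipv4(packet)
    except ValueError:
        return True                   # cannot parse it: do not trust the addresses either
    return any(kind in (LSRR, SSRR) for kind, _ in options)


def screen(packet: bytes) -> str:
    """Drop source-routed or malformed packets; the address rules would apply to the rest."""
    return "drop" if has_source_route(packet) else "pass"


def build_header(src: str, dst: str, option: bytes = b"") -> bytes:
    """Construct a sample IPv4 header for testing (checksum and id left at zero)."""
    opts = option + b"\x00" * ((-len(option)) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    to_bytes = lambda ip: bytes(int(x) for x in ip.split("."))
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 6, 0, to_bytes(src), to_bytes(dst))
    return fixed + opts


# Constructed samples: a plain header and one carrying an LSRR option
# (type, length = 7, pointer = 4, one route address).
PLAIN = build_header("194.226.10.7", "194.85.21.3")
ROUTED = build_header("194.226.10.7", "194.85.21.3", bytes([LSRR, 7, 4, 194, 226, 55, 1]))

if __name__ == "__main__":
    print("plain :", screen(PLAIN))
    print("routed:", screen(ROUTED), parse_ipv4(ROUTED)[2])
```

Rejecting source-routed packets outright at the screen is the usual policy, since nothing in a corporate network legitimately needs them; the parser's strict length checks matter just as much, because a filter that can be confused by a malformed options field is a filter that can be bypassed.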
Application Level Gateway (ALG)
The application layer intermediary server, upon receiving a request, launches the corresponding service on the gateway, which controls the data transfer. There are proxy services for all standard services, such as telnet, ftp, http, rlogin, etc. An authentication server is also used, which determines whether a particular service is available to a given user. All this, of course, increases the security of the systems, but has a negative effect on the speed and transparency of the system.
The operation of the proxy server can be considered using the example of the TIS FWTK software package from Trusted Information Systems. This product is not a complete firewall, but a set of tools for preparing one. This package assumes its installation on a number of Unix systems, such as BSD, Solaris, SunOS, Linux, etc. After installation, the package replaces the existing service daemons called in the /etc/rc file with correspondingly modified ones. Then, upon receiving a request for a certain application, the corresponding daemon accesses a special configuration file, /usr/local/etc/netperm-table, which specifies the rules for transmitting information through this network. The daemon reads the rules sequentially and, when it encounters one that pertains to it, checks whether the incoming request matches the established rule and decides whether to allow the packet through.
Additional forms of protection
Most of the existing commercial firewall systems also provide for concealment of the internal structure of the organization's IP network (the so-called network address translation). Firewalls are usually configured for at least two interfaces: internal — for the local network and external. In addition, firewalls may have an interface for connecting so-called demilitarized zones — Web and FTP servers.
Commercial firewall products often have a graphical user interface (GUI) and powerful administration tools that allow you to create flexible filtering rules. However, product manufacturers claim that using a GUI slows down the system and recommend running it from the command line. In addition, a serious firewall should be able to remotely configure and manage the system, as well as log events, such as unauthorized access attempts, etc.
Overview of the Russian market of certified firewalls
Initially, even before the RD for FW was issued, the State Technical Commission certified products that were essentially firewalls for compliance with the requirements for automated systems, i.e., guided by the RD for AS. On this basis, the Pandora (State Technical Commission certificate dated 16.01.97) and BlackHole (a product of Milkyway Networks, certificate dated 30.01.97) firewalls were certified. Since June 1997, certification of firewalls has been carried out on the basis of the RD for FW.
Let us characterize some of the certified products that are currently presented on the Russian market (see Table 3 for a full list).
Table 3. Firewalls certified by the State Technical Commission
DataGuard 24/S. In December 1997, Certificate No. 115 of the State Technical Commission of Russia was received by Signal-COM for the DataGuard/24s family of firewalls. These products allow you to create secure corporate networks based on the X.25 and Frame Relay protocols.
Functions of the DataGuard /24s complex:
— filtering requests to establish connections;
— filtering packets (X.25), frames (Frame Relay) and datagrams (IP) within the established connection;
— protection of information transmitted over the established connection.
Checkpoint Firewall-1. A product of the American company Checkpoint, submitted for certification by OOO «Moscow Information Network», it was certified according to the 4th class (certificate of the State Technical Commission of Russia III dated 10/8/97). The Checkpoint company is a recognized world leader in the development of firewalls. Its share in the world market of such products is more than 40%.
Checkpoint uses the original multilayer inspection technology in its screens.
«Zastava Jet». The «Zastava Jet» complex (certificates of the State Technical Commission of Russia No. 146 dated 14.01.98, 146/1 dated 26.06.98) is one of the most serious domestic developments in the field of corporate network protection tools. This screen was developed by specialists from the well-known company Jet Infosystems. The complex is installed on Sun workstations, runs under the Solaris OS and is based on the Gauntlet package. It should be noted that this toolkit from Trusted Information Systems is generally very popular among Russian developers of network protection tools.
Another thing that speaks in favor of this product is that it is recommended for use in organizations of the Russian Ministry of Defense.
«Pandora». In addition, even before the release of the above-mentioned STC guideline, two products, which are nothing more than firewalls, were certified for compliance with the requirements for automated systems (RD for AS): «Pandora» (certificate of the State Technical Commission of Russia No. 731 dated 16.01.97) and BlackHole (product of Milkyway Networks Corporation, certificate No. 79 dated 30.01.97).
In addition, batches of these devices are certified for compliance with the requirements of the guideline document «Computer equipment. Firewalls. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information» according to the third class of protection (certificates No. 9183 from 10.06.98, No. 184 from 10.06.98).
The Pandora firewall was developed by one of the Russian leaders in the field of information security, Relcom-Alfa CJSC, and is based on the Gauntlet 3.1. Li screen from Trusted Information Systems. It is a hardware and software complex on a Silicon Graphics station running Irix 6.3 OS. This screen has the function of hiding internal network addresses (all IP packets have an outgoing gateway address) and has powerful event logging tools.
Pandora is supplied with source codes, which creates additional convenience for more flexible screen customization.
In conclusion, we can say that firewalls are a flexible and reliable mechanism for protecting corporate network information resources from unauthorized access.
Table 4. Some popular firewalls