[ISN] Burned by Firewalls

From: mea culpa (jerichoat_private)
Date: Wed Sep 23 1998 - 09:03:35 PDT

    Forwarded From: rio <rioat_private>
    Burned by firewalls
    September 22, 1998                   
    Web posted at 4:50 PM EDT
    by Ellen Messmer
    (IDG) -- Firewalls do a darn good job of keeping hackers out of your
    network - maybe too good of a job.  Increasingly, customers are finding
    that firewalls are blocking legitimate traffic and are keeping end users
    from accessing key applications. 
    But firewall suppliers are having a tough time keeping up with the demand
    for new capabilities. One challenge is that the growth of remote access
    and electronic commerce has boosted the number of people trying to get
    into a network. 
    In addition, those inside the firewall are looking to interact more with
    the outside world through technologies such as Internet telephony,
    audio streaming, and multimedia conferencing. They also want workgroup or
    database access. 
    "We were only allowing e-mail through our firewall, but then we wanted to
    do pcAnywhere access out of our office," says Brian Davids, director of
    computer operations and information services at Los Angeles-based NFL
    Properties, which publishes game programs and other literature for the
    National Football League. A Symantec product, pcAnywhere lets users access
    their desktops remotely via a modem or the Internet. 
    NFL Properties uses a firewall
    from Elron Software, which doesn't come with out-of-the-box support for
    pcAnywhere, though the company does support more than 75 different
    applications.  However, Elron technicians helped NFL Properties open a
    port for pcAnywhere, essentially bypassing the firewall's advanced
    filtering. But at the same time, the technicians told Davids that NFL
    Properties was opening itself to a greater security risk.  "Security
    experts all tell you that opening up a firewall is a potential hazard,"
    Davids says.  "You give someone a hole to hack in."  After thinking about
    it for a while, Davids decided to close the hole. "I keep thinking that
    with the pcAnywhere application, anyone might be able to get control of
    our machines," he says. "You have to try and accommodate the users as best
    you can. But in this case, it seemed too dangerous." 
    Other users have taken the port approach. Community Credit Union of Plano,
    Texas, opened a port on its Novell BorderManager firewall to let Lotus
    Notes through. 
    "We wanted to offer this functionality to select employees," says John
    Bock, Community Credit Union senior vice president and chief information
    officer. Novell's BorderManager supports only a handful of applications,
    including HTTP, File Transfer Protocol (FTP), Gopher and the Internet
    videoconferencing application CU-SeeMe. 
    Neither Novell nor Elron has tool kits or other means to extend the
    firewall's application support. Nor does Cisco, which sells two firewalls,
    the IOS firewall and PIX, that support about 20 applications and
    network-address translation. 
    Three types of firewalls
    Firewalls generally can be divided into three types. The simplest is the
    packet filter, set up to allow or disallow packets through the firewall
    based on IP address. The second type is the application-layer firewall,
    which is proxy-based and directs each application to a specific proxy on
    the firewall to examine the traffic and check for source and destination
    address. The third type of firewall is known as stateful inspection, and
    it intercepts packets like a packet filter but also inspects all the
    communications layers to make sure they comply with a security policy. 
    A debate is raging among firewall vendors over the merits of
    application-layer proxies vs. stateful inspection.  Regardless of which a
    corporation uses, however, the firewall administrator still faces the
    basic problem of what to do if the firewall doesn't support a desired
    The simplest solution is punching a hole through the firewall by opening a
    port. Some ports are assigned to specific applications by the Internet
    Engineering Task Force's Internet Assigned Numbers Authority, while the
    rest are left unassigned as dynamic ports that any application may use. 
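The packet-filter and stateful-inspection types described above, and the port-punching risk, modelled as an added example (not code from the article or from any vendor it names): a stateless packet filter and a stateful inspector are run over the same constructed packets. The internal address range, the remote-access tool's listening port (5631) and all traffic are assumptions.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumed internal address range
APP_PORT = 5631             # assumed listening port of the remote-access tool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False       # True on the packet that opens a connection


class PacketFilter:
    """Stateless: each packet is judged alone on addresses and ports.
    Replies to outbound sessions can only be let in by a blanket rule
    for high ports, and a punched hole admits any outside host."""
    def __init__(self, holes=()):
        self.holes = set(holes)            # inbound destination ports opened

    def allow(self, p: Packet) -> bool:
        if p.src.startswith(INSIDE_PREFIX):
            return True                    # all outbound traffic permitted
        return p.dport in self.holes or p.dport >= 1024


class StatefulInspector:
    """Tracks sessions the inside opened; inbound is admitted only as a
    reply to one of them or through an explicitly punched hole."""
    def __init__(self, holes=()):
        self.holes = set(holes)
        self.sessions = set()              # (in_ip, in_port, out_ip, out_port)

    def allow(self, p: Packet) -> bool:
        if p.src.startswith(INSIDE_PREFIX):
            if p.syn:                      # remember the session being opened
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True                    # reply to an inside-initiated flow
        return p.dport in self.holes


def verdicts(fw, packets):
    return [fw.allow(p) for p in packets]


# Constructed traffic (documentation address ranges), in order of arrival.
TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.9", 40000, 80, syn=True),        # inside opens a web session
    Packet("203.0.113.9", "10.0.0.5", 80, 40000),                  # legitimate reply
    Packet("198.51.100.7", "10.0.0.5", 51515, APP_PORT, syn=True), # any outsider hitting the hole
    Packet("198.51.100.7", "10.0.0.5", 80, 40000),                 # unsolicited, posing as a reply
]
```

The stateless filter passes all four packets; the stateful inspector without a hole passes only the first two, and with the hole opened it still admits the third, which is the residual risk the article's sources describe.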
    Punching a hole through a firewall poses a risk because "every time you
    open a communications channel, someone can use this channel for covert
    activities," says Fred Avolio, a security consultant based in Lisbon, Md.
    "Any kind of database access to a firewall needs close scrutiny." 
    According to Bob Blakley, IBM's lead security architect, users need to
    form a risk-acceptance policy when they open firewalls to new incoming
    "If you have a battle between the firewall administrator and the users to
    let any old flaky protocol through the firewall, the protocol might
    represent a hazard," Blakley says. In his view, the flakiest thing of all
    might be Microsoft's ActiveX. 
    "Allowing ActiveX through your firewall is definitely punching a hole in
    your firewall," Blakley says. "It can be used to control your machines
    from the outside. You can try to put a proxy in your firewall to scavenge
    the datastream, look at the ActiveX controls and kill off the bad ones.
    But in general, it's hard to tell the good ActiveX controls from the bad
    Extending the firewall
    Not long ago, firewalls supported only a handful of standard applications,
    such as FTP, Simple Mail Transfer Protocol, telnet and the World Wide Web.
    As users asked for Oracle and Microsoft database support, or pointed to
    new proprietary voice- or data-conferencing products they wanted to use,
    some firewall vendors upgraded their products. For instance, many firewall
    vendors now support Progressive Networks' streaming protocols RealAudio
    and RealVideo. 
    "The hot requirements now are IP telephony, fax and the conferencing
    protocols H.323 and T.120," says Ray Suarez, product marketing manager at
    Axent Technologies, which sells the Raptor firewall. Axent is also hearing
    demands that its firewall support a proprietary voice and fax product from
    One vendor, Check Point Technologies, went gung-ho with its Firewall-1
    product by supporting almost 300 applications, including several security
    services from Security Dynamics and Axent. 
    But there's always some unique or cutting-edge application not supported
    by any firewall. Because opening a port is considered a bit risky, a few
    firewall vendors offer tool kits and similar means to let the user write
    a custom proxy for an application-layer firewall, or custom inspection
    code for a stateful inspection firewall. Check Point has what it calls
    Inspect, a high-level language for doing this. 
    And Network Associates, which markets Trusted Information Systems'
    Gauntlet firewall, a product gained when Network Associates acquired the
    company, soon plans to release a proxy development tool kit. At present,
    the tool kit is used internally at Network Associates by a software-design
    team that builds custom proxies for users on a per-project basis. 
    A recent custom project involved designing a proxy for the Internet
    Inter-ORB Protocol (IIOP), the data-exchange mechanism defined in the
    Common Object Request Broker Architecture. Using this new proxy,
    IIOP-based applications can be filtered through the Gauntlet firewall. 
    According to Gauntlet Product Manager Marvin Dickerson, such custom proxy
    work, depending on its relative difficulty, can cost "a few thousand
    dollars to several hundred thousand dollars." 
    "Any time we do a custom project, we reserve the right to put the
    developed code into a general product," adds Jeff Graham, Network
    Associates senior architect for firewall technology. This is the way
    custom work becomes generally available. 
    Network Associates is also changing its underlying firewall architecture
    to what it calls "adaptive proxy," described as a way to allow protocols
    through the firewall based on the network layer or the application layer,
    while screening the protocols for viruses, URLs or other parameters. 
    "All the proxies we write will work like this," Graham says. 
    Pete Vogel, managing director at New York consultancy Outlink Market
    Research, says Network Associates' firewall tool kit will be a significant
    "Applications and certificate services all have to work through the
    firewall, and by opening up the way you make custom proxies, you make the
    firewall product easier to install and maintain," Vogel says. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:25 PDT