Forwarded From: rio <rioat_private>

http://www.cnn.com/TECH/computing/9809/22/fireburns.idg/

Burned by firewalls
September 22, 1998
Web posted at 4:50 PM EDT
by Ellen Messmer

(IDG) -- Firewalls do a darn good job of keeping hackers out of your network - maybe too good of a job.

Increasingly, customers are finding that firewalls are blocking legitimate traffic and are keeping end users from accessing key applications. But firewall suppliers are having a tough time keeping up with the demand for new capabilities.

One challenge is that the growth of remote access and electronic commerce has boosted the number of people trying to get into a network. In addition, those inside the firewall are looking to interact more with the outside world through technologies such as Internet telephony, audiostreaming, and multimedia conferencing. They also want workgroup or database access.

"We were only allowing e-mail through our firewall, but then we wanted to do pcAnywhere access out of our office," says Brian Davids, director of computer operations and information services at Los Angeles-based NFL Properties, which publishes game programs and other literature for the National Football League.

A Symantec product, pcAnywhere lets users access their desktops remotely via a modem or the Internet. NFL Properties uses a firewall from Elron Software, which doesn't come with out-of-the-box support for pcAnywhere, though the company does support more than 75 different applications.

However, Elron technicians helped NFL Properties open a port for pcAnywhere, essentially bypassing the firewall's advanced filtering. But at the same time, the technicians told Davids that NFL Properties was opening itself to a greater security risk.

"Security experts all tell you that opening up a firewall is a potential hazard," Davids says. "You give someone a hole to hack in."

After thinking about it for a while, Davids decided to close the hole.
"I keep thinking that with the pcAnywhere application, anyone might be able to get control of our machines," he says. "You have to try and accommodate the users as best you can. But in this case, it seemed too dangerous."

Other users have taken the port approach. Community Credit Union of Plano, Texas, opened a port on its Novell BorderManager firewall to let Lotus Notes through.

"We wanted to offer this functionality to select employees," says John Bock, Community Credit Union senior vice president and chief information officer.

Novell's BorderManager supports only a handful of applications, including HTTP, File Transfer Protocol (FTP), Gopher and the Internet videoconferencing application CU-SeeMe. Neither Novell nor Elron has tool kits or other means to extend the firewall's application support. Nor does Cisco, which sells two firewalls - the IOS firewall and PIX - which support about 20 applications and network-address translation.

Three types of firewalls

Firewalls generally can be divided into three types. The simplest is the packet filter, set up to allow or disallow packets through the firewall based on IP address. The second type is the application-layer firewall, which is proxy-based and directs each application to a specific proxy on the firewall to examine the traffic and check the source and destination addresses. The third type of firewall is known as stateful inspection; it intercepts packets like a packet filter but also inspects all the communications layers to make sure they comply with a security policy.

A debate is raging among firewall vendors over the merits of application-layer proxies vs. stateful inspection. Regardless of which a corporation uses, however, the firewall administrator still faces the basic problem of what to do if the firewall doesn't support a desired application. The simplest solution is punching a hole through the firewall by opening a port.
Some ports are assigned for specific applications by the Internet Engineering Task Force's Internet Assigned Numbers Authority, while others are designated as random ports for random use.

Punching a hole through a firewall poses a risk because "every time you open a communications channel, someone can use this channel for covert activities," says Fred Avolio, a security consultant based in Lisbon, Md. "Any kind of database access to a firewall needs close scrutiny."

According to Bob Blakley, IBM's lead security architect, users need to form a risk-acceptance policy when they open firewalls to new incoming applications.

"If you have a battle between the firewall administrator and the users to let any old flaky protocol through the firewall, the protocol might represent a hazard," Blakley says.

In his view, the flakiest thing of all might be Microsoft's ActiveX.

"Allowing ActiveX through your firewall is definitely punching a hole in your firewall," Blakley says. "It can be used to control your machines from the outside. You can try to put a proxy in your firewall to scavenge the datastream, look at the ActiveX controls and kill off the bad ones. But in general, it's hard to tell the good ActiveX controls from the bad ones."

Extending the firewall

Not long ago, firewalls supported only a handful of standard applications, such as FTP, Simple Mail Transfer Protocol, telnet and the World Wide Web. As users asked for Oracle and Microsoft database support, or pointed to new proprietary voice- or data-conferencing products they wanted to use, some firewall vendors upgraded their products. For instance, many firewall vendors now support Progressive Networks' streaming protocols RealAudio and RealVideo.

"The hot requirements now are IP telephony, fax and the conferencing protocols H.323 and T.120," says Ray Suarez, product marketing manager at Axent Technologies, which sells the Raptor firewall.
Axent is also hearing demands that its firewall support a proprietary voice and fax product from Clarent.

One vendor, Check Point Technologies, went gung-ho with its Firewall-1 product by supporting almost 300 applications, including several security services from Security Dynamics and Axent. But there's always some unique or cutting-edge application not supported by any firewall.

Because opening a port is considered a bit risky, a few firewall vendors offer tool kits and similar means to let the user prepare a custom proxy for an application-layer firewall, or custom inspection code for a stateful-inspection firewall. Check Point has what it calls Inspect, a high-level language for doing this. And Network Associates, which markets the Gauntlet firewall it gained when it acquired Trusted Information Systems, soon plans to release a proxy development tool kit.

At present, the tool kit is used internally at Network Associates by a software-design team that builds custom proxies for users on assignment. A recent custom project involved designing a proxy for the Internet Inter-ORB Protocol (IIOP), the data-exchange mechanism defined in the Common Object Request Broker Architecture. Using this new proxy, IIOP-based applications can be filtered through the Gauntlet firewall.

According to Gauntlet Product Manager Marvin Dickerson, such custom proxy work, depending on its relative difficulty, can cost "a few thousand dollars to several hundred thousand dollars."

"Any time we do a custom project, we reserve the right to put the developed code into a general product," adds Jeff Graham, Network Associates senior architect for firewall technology. This is the way custom work becomes generally available.
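The contrast the article draws between punching a hole (opening a port) and writing a custom proxy, and the application-layer type from the three-types taxonomy above, modelled as an added example; this is not code from the article or from any vendor's tool kit. The line-based remote-control protocol, the address range, the command allow list and the sample session are all constructed.

```python
"""Toy application-layer proxy versus a raw port hole (added example; the
protocol, addresses and policy are constructed, not from any real product)."""
import ipaddress

# Constructed policy for a hypothetical line-based remote-control protocol:
# one ASCII command per line, e.g. "SCREEN GET" or "FILE PUT report.doc".
POLICY = {
    "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],
    "allowed_commands": {"SCREEN", "KEYS", "MOUSE"},  # view/control verbs only
    "max_line": 256,  # anything longer is treated as malformed
}

def open_port(source, lines):
    """The 'punch a hole' approach: the firewall forwards every line and never
    looks at who sent it or what it says."""
    return {"forwarded": list(lines), "dropped": [], "reason": None}

def proxy(source, lines, policy=POLICY):
    """Custom proxy: refuse unapproved sources outright, then pass only
    well-formed lines whose command verb is on the allow list."""
    src = ipaddress.ip_address(source)
    if not any(src in net for net in policy["allowed_sources"]):
        return {"forwarded": [], "dropped": list(lines), "reason": "source not allowed"}
    forwarded, dropped = [], []
    for line in lines:
        # Length and printability checks catch binary or oversized payloads
        # that the real protocol parser behind the firewall might mishandle.
        if len(line) > policy["max_line"] or not line.isprintable():
            dropped.append(line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in policy["allowed_commands"]:
            forwarded.append(line)
        else:
            dropped.append(line)  # e.g. file transfer, which policy excludes
    return {"forwarded": forwarded, "dropped": dropped, "reason": None}

# Constructed sample session: three permitted commands, one disallowed
# file-transfer command and one oversized line.
SAMPLE_SESSION = ["SCREEN GET", "FILE PUT report.doc", "MOUSE MOVE 10 20",
                  "A" * 300, "KEYS type hello"]

if __name__ == "__main__":
    print(open_port("198.51.100.7", SAMPLE_SESSION))  # everything forwarded
    print(proxy("198.51.100.7", SAMPLE_SESSION))      # refused: wrong source
    print(proxy("203.0.113.9", SAMPLE_SESSION))       # three lines forwarded
```

The same session shows the difference in exposure: the hole relays the file-transfer command and the oversized line from any address, while the proxy refuses the unknown source and relays only the three approved commands.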
Network Associates is also changing its underlying firewall architecture to what it calls "adaptive proxy," described as a way to allow protocols through the firewall based on the network layer or the application layer, while screening the protocols for viruses, URLs or other parameters.

"All the proxies we write will work like this," Graham says.

Pete Vogel, managing director at New York consultancy Outlink Market Research, says Network Associates' firewall tool kit will be a significant help.

"Applications and certificate services all have to work through the firewall, and by opening up the way you make custom proxies, you make the firewall product easier to install and maintain," Vogel says.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:25 PDT