Are Firewalls Foolproof?
Are firewalls foolproof? Are humans foolproof? The answer to both questions is no. Firewall products have not been proven to be flawed, but human implementation has. Crackers have conducted various studies on breaking firewalls. The majority of those studies point to two phases of an attack. The first is to discover what type of firewall exists on a particular network and what types of services are running behind it. That first task has already been encapsulated in an automated package; the Jakal scanner can accomplish this for you.
The second task, finding a hole in the firewall, is a bit more difficult. Cracker studies indicate that if there is such a hole, it exists as a result of human error (or rather, misconfiguration on the part of the system administrator). This is not a rare occurrence. One must recognize that no matter what platform is in use, this is a problem. In UNIX networks, it can be at least partially attributed to the fact that UNIX is so complex. There are hundreds of native applications, protocols, and commands. This is before you begin to construct a firewall. Failed firewall implementation on Microsoft platforms might occur for other reasons (for instance, because administrators might be unfamiliar with TCP/IP). In either case, human error is a likely possibility. For this reason, companies should be extremely selective when choosing the personnel responsible for implementing the firewall. Some common cracker agendas include
* Sorting out the real components from the fake ones--Many firewalls use sacrificial hosts, machines designed either as Web servers (that the owners are willing to part with) or decoys. Decoys are nothing more than traps, places where an inexperienced cracker's activities are captured and logged. These can employ complex means of veiling their bogus character. For example, they might issue responses to emulate a real file system or real applications. These generally are deeply entrenched in a chroot'd environment. The cracker's first task is to identify what viable targets might actually exist.
* Trying to get some definitive information about the internal system--This applies especially to machines that serve mail and other services. At a minimum, you should attempt to get an insider to send you a mail message so that the paths can be examined. This might give you a clue as to how some portions of the network are constructed.
* Keeping up with the current advisories--In certain situations, new bugs arise in commonly used programs that can run on or behind the firewall. These holes might be able to get you at least the minimum access necessary to gain a better look.
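A defender-side check for the mail-path point in the list above, added here as an example and not taken from the book: it parses the Received: headers of an outbound message (a constructed sample with hypothetical example.com hosts) and lists the RFC 1918 addresses and internal hostnames that an outside recipient would learn from it.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers (hypothetical hosts): an outbound mail that
# crossed two internal relays before leaving through the mail gateway.
SAMPLE_HEADERS = """\
Received: from mailgw.example.com (mailgw.example.com [203.0.113.10])
    by mx.partner.example (Postfix) with ESMTP id 4F2A1; Wed, 1 Jan 1997 10:00:00 +0000
Received: from relay01.corp.example.com (relay01.corp.example.com [10.1.2.3])
    by mailgw.example.com with ESMTP id 7B3C9; Wed, 1 Jan 1997 09:59:58 +0000
Received: from ws-alice.eng.corp.example.com (ws-alice.eng.corp.example.com [192.168.14.27])
    by relay01.corp.example.com with SMTP id 1A2B3; Wed, 1 Jan 1997 09:59:55 +0000
From: alice@example.com
Subject: hello
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"from\s+(\S+)", re.IGNORECASE)   # sending host named in the hop
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literals

def is_rfc1918(ip: str) -> bool:
    """True if the address lies in one of the RFC 1918 private ranges."""
    return any(ip_address(ip) in net for net in RFC1918)

def received_hops(headers: str) -> list:
    """Return each Received: header as one string, folded lines rejoined."""
    hops, in_received = [], False
    for line in headers.splitlines():
        if line[:1] in (" ", "\t"):           # folded continuation line
            if in_received and hops:
                hops[-1] += " " + line.strip()
            continue
        in_received = line.lower().startswith("received:")
        if in_received:
            hops.append(line.split(":", 1)[1].strip())
    return hops

def internal_hosts_leaked(headers: str) -> list:
    """(hostname, private IP) pairs the message discloses about the inside."""
    leaked = []
    for hop in received_hops(headers):
        host = HOP_RE.search(hop)
        private = [ip for ip in IP_RE.findall(hop) if is_rfc1918(ip)]
        if host and private:
            leaked.append((host.group(1), private[0]))
    return leaked

if __name__ == "__main__":
    for host, ip in internal_hosts_leaked(SAMPLE_HEADERS):
        print(f"disclosed: {host} ({ip})")
```

Run it against headers of mail that actually left your gateway; a non-empty result means the gateway should rewrite or strip internal Received: lines before relaying.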
Also, no firewall can effectively prevent attacks from the inside. If a cracker can place someone (perhaps himself or herself) in your employ, it won't be long before your network is cracked. I know someone who managed to gain employment with a well-known oil company. That hacker collected extensive information not only about the internal network there, but also about the firewall hosts.
Finally, firewalls have been bypassed or broken in the past. The Quake site at Crack dot Com is one such example. Although relatively little information has been distributed about how the crack was accomplished, it was reported in Wired that:
Hackers broke into the Web server and file server of Crack dot Com, a Texas gaming company, on Wednesday, stealing the source code for id's Quake 1.01, as well as Crack's newest project, Golgotha, and older games Abuse and Mac Abuse...The hackers, who were able to get through the Crack's firewall, left intact a bash-history file that recorded all their movements.
It is possible to identify the type of firewall being run on a given server. However, printing that is beyond the level of irresponsibility to which I am prepared to stoop just to sell a book. I will say this: You can do it with a combination of the Jakal scanner and a script written to jackhammer a site. Which addresses are blocked matters less than how they are blocked (that is, you need to elicit responses from the firewall).
Commercial Firewalls
The Eagle Family of Firewalls by Raptor
Company: Raptor Systems
Raptor has been around a long time. It introduced its line of firewall products in 1991. The company has a solid reputation. As stated in its online company description:
...Raptor Systems' award-winning Eagle family of firewalls provides security across a range of industries, including telecommunications, entertainment, aerospace, defense, education, health care, and financial services. Raptor has numerous strategic relationships with world-class companies like Compaq Computer Corporation, Siemens-Nixdorf, Hewlett-Packard, Sprint, and Shiva Corporation.
Its products combine a wide range of firewall techniques, including heavy logging; specialized, event-triggered treatment of suspicious activity; and extremely granular access controls. This family of firewall products integrates application proxies.
Check Point Firewall and Firewall-1
Company: Check Point Software Technologies Ltd.
Check Point is based in Israel and was founded in 1993. It also has outposts in eight U.S. cities, including Redwood City, Los Angeles, New York, and others. The product line offers cross-platform support.
One of the more interesting elements of Check Point Firewall-1 is that it includes time object control. That is, one can apply particular access restrictions only during certain times of the day. Firewall-1 also has provisions to distribute process loads among a series of workstations.
SunScreen
Company: Sun Microsystems
Sun's SunScreen is comprised of a series of products. In the SunScreen product line, Sun has addressed one of the primary problems I mentioned previously: If your bottleneck is broken, your network is completely exposed. Sun's new line of products will likely revolutionize the firewall industry (certainly on the Sun platform). The chief products include
* SunScreen SPF 100/100G--Turnkey solution that provides non-IP-address capability. That is, crackers from the outside cannot reliably identify the nodes behind the wall. Moreover, heavy packet-filtering technology has been added.
* SunScreen™ EFS--Implements heavy-duty packet filtering and, more importantly, encryption. Special amenities include provisions for remote administration and administration through an HTML interface.
* SunScreen™ SKIP--This is an interesting product that provides PCs and workstations with secure authentication.
IBM Internet Connection Secured Network Gateway
Company: International Business Machines (IBM)
This product is designed for AIX. Like Sun's SunScreen product line, it is capable of hiding the IPs of your internal network. It supports application proxies and has exceptional logging and reporting capabilities, as well as isolated Web services.
Cisco PIX Firewall
Company: Cisco Systems
This firewall relies not on application proxies (which can consume additional network resources and CPU time) but instead on a secure operating system within the hardware component itself. Special features include an HTML configuration and administration control tool, IP concealment and non-translation, easy configuration, and support for 16,000 instant connections.
Firewalls now comprise the most commonly accepted method of protecting a network and, for the most part, seem to be impenetrable when attacked by 95 percent of the cracking community. Moreover, firewall technology is still in its infancy. Nevertheless, firewalls have been cracked in the past. It is also worth noting that some firewalls can raise security issues themselves. For example, it was recently found that the Gopher proxy in a Raptor product can, under certain circumstances, leave a Windows NT server vulnerable to a denial-of-service attack. (The CPU climbs to near 100 percent utilization.)
The future of firewall technology is a very interesting field indeed. However, if you have truly sensitive data to protect (and it must be connected to the Internet), I advise against using a firewall (commercial or otherwise) as your only means of defense.