Now that the basic components of firewalls have been examined, some examples of different firewall configurations will give readers a more concrete understanding of firewall implementation. The firewall examples shown here are:
Figure 10.1: Packet-filtering-only firewall.
The packet-filtering-only firewall (fig. 10.1) is perhaps the most common and easiest to employ. Basically, one installs a packet-filtering router at the Internet (or any subnet) gateway and then configures the packet-filtering rules in the router to block or filter protocols and addresses. The systems "behind" the router usually have direct access to the Internet; however, inherently dangerous services such as NIS, NFS, and X Windows are usually blocked.
Depending on the flexibility of the filtering rules as well as the size of the protected subnet, the packet-filtering-only firewall may be adequate for many sites. However, there are a number of disadvantages with this approach, including the following:
Thus, a packet-filtering-only firewall is best suited to environments that do not require complex filtering or that do not have a large number of hosts to protect. Sites with high security needs may wish to consider a more robust firewall such as the filter-choke or screened-subnet firewall.
The dual-homed gateway (fig. 10.2) is used as an alternative to packet-filtering routers. The gateway host system is configured to block all traffic between the Internet and the protected subnet by disabling IP forwarding capability. Users on internal systems can gain access to Internet systems by either having accounts on the gateway itself, or by configuring the gateway to pass certain protocols such as telnet, ftp, or mail (i.e., an application gateway).
Figure 10.2: Dual-homed gateway.
Dual-homed gateways are often the least-expensive option for many sites and, if used mainly as an application gateway, can be quite secure. Unlike packet-filtering routers, a dual-homed gateway can perform some logging and provide more evidence to administrators of attacks or break-ins. Unfortunately, configuring the gateway to act as an application gateway can require modified operating system software. In situations in which modified software is not possible, users need to log on to the gateway to access the Internet. This may present a problem if there are a large number of users, since either every user must have an account on the gateway or group accounts must be used. If a user's account is somehow compromised, the intruder could potentially subvert the firewall and re-enable IP routing. Authentication tokens, Kerberos, and other methods should be used to decrease the likelihood of break-ins.
[GS91] discusses a method to pass ftp and telnet traffic that uses group accounts in a creative way. Essentially, a group account for telnet, called telnetout, is created along with a .rhosts file that lists all the internal users who are allowed to telnet out to Internet hosts. Users can then rlogin to the gateway without requiring individual accounts, and the .rhosts file restricts which users and systems can log in much better than a wide-open group account. The ftp service is configured the same way, with an ftpout account that users can rlogin to and then use the ftp service on the gateway to transfer files with Internet hosts. Of course, security on the gateway must be quite high, since any compromise of the telnet and ftp accounts could wreak havoc. Other user accounts on the gateway should be kept to a minimum.
The dual-homed gateway must be set up to pass e-mail to and from internal systems. For mail destined to internal systems, simple mail aliases can be used at the gateway to forward mail. For mail from internal to outside systems, the mailers on internal systems must be configured so that all mail not destined for internal systems is sent to the gateway. The gateway would then rewrite the message headers and forward the mail on to the outside system. Both [GS91] and [Ran93] discuss advantages and disadvantages of dual-homed gateways used as firewalls.
The choke-gate gateway (fig. 10.3) is a step up in terms of security and flexibility from the filtering-only and dual-homed firewalls. It combines a packet-filtering router with an application gateway located on the internal side of the router ([GS91] refers to the application gateway as the gate and the router as the choke). The application gateway is used for passing telnet, ftp, and SMTP. The router filters or blocks inherently dangerous protocols, however it also rejects (or accepts) application traffic according to the following:
Figure 10.3: Choke-gate firewall.
The gate would be logically set up like the dual-homed firewall to forward e-mail, and would handle ftp and telnet traffic using group accounts and .rhosts files. Note that figure 10.3 shows the gate physically connected to the same subnet as other systems behind the choke. The choke-gate firewall is nevertheless both more flexible and more secure than the dual-homed firewall. Unlike the dual-homed gateway, the gate does not need to block all IP traffic; less-risky traffic such as NTP, NNTP, or SMTP can be restricted to certain internal systems via the packet-filtering router. Both the choke and the gate would need to be compromised to fully subvert the firewall. Refer to [GS91] for more details on setting up a choke-gate firewall.
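The choke's part of the arrangement just described, as an added example that is not from the original document: a first-match packet filter that drops NFS, NIS and X traffic, admits telnet, ftp and SMTP only to the gate, and lets NNTP and NTP reach one named internal host. The addresses, the choice of that host and the rule order are assumptions; the port numbers are the standard ones.

```python
# Added example: a first-match "choke" ruleset for inbound (Internet -> protected
# subnet) traffic in a choke-gate firewall. Addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

GATE = ipaddress.ip_address("192.0.2.10")   # assumed application gateway ("gate")
NEWS = ipaddress.ip_address("192.0.2.20")   # assumed host allowed NNTP/NTP


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: Optional[str]      # "tcp", "udp", or None for any protocol
    dst: Optional[object]     # ip_address, ip_network, or None for any host
    dports: Optional[range]   # destination ports, or None for any port
    note: str


def _dst_matches(rule: Rule, dst) -> bool:
    if rule.dst is None:
        return True
    if isinstance(rule.dst, ipaddress.IPv4Network):
        return dst in rule.dst
    return dst == rule.dst


# Rules are evaluated top to bottom; the first match decides.
CHOKE_INBOUND = [
    Rule("deny", "tcp", None, range(6000, 6064), "X Window System"),
    Rule("deny", None, None, range(111, 112), "portmapper (NIS/NFS)"),
    Rule("deny", None, None, range(2049, 2050), "NFS"),
    Rule("permit", "tcp", GATE, range(21, 22), "ftp, only to the gate"),
    Rule("permit", "tcp", GATE, range(23, 24), "telnet, only to the gate"),
    Rule("permit", "tcp", GATE, range(25, 26), "SMTP, only to the gate"),
    Rule("permit", "tcp", NEWS, range(119, 120), "NNTP to the news host"),
    Rule("permit", "udp", NEWS, range(123, 124), "NTP to the time host"),
    # Anything not matched above falls through to the default deny.
]


def filter_packet(proto: str, dst_ip: str, dport: int, rules=CHOKE_INBOUND):
    """Return (action, note) for the first rule matching the packet."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in (None, proto):
            continue
        if not _dst_matches(r, dst):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action, r.note
    return "deny", "default deny"
```

Because the gate is the only host the choke admits telnet, ftp or SMTP to, a telnet attempt aimed directly at any other internal host is dropped by the default rule.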
Some vendors have offered gateway products that appear as hybrid dual-homed gateways. The products may use modified operating system software to filter packets and pass protocols such as telnet and ftp. [Ran93] and [Ran92] discuss one such firewall that uses separate systems for application gateways and a "screened" subnet between the Internet and the internal subnet to isolate one of the application gateways. In figure 10.4, a router is shown as the connection point to the Internet; the router would be used as well to block packets such as NFS, NIS, or any other protocols that should not be allowed to pass to or from the Internet. On the screened subnet, a telnet/ftp application gateway is used for all telnet and ftp traffic. A dual-homed gateway with packet-filtering capability passes traffic between the internal subnet and the Internet. An e-mail application gateway resides on the internal subnet; all e-mail to internal systems must be sent to the e-mail gateway.
The dual-homed gateway acts as a second packet filter; in addition, it enforces the following:
Depending on site policies, all ftp or telnet traffic from internal systems may be forced to use the telnet/ftp gateway and similarly with e-mail. The dual-homed gateway would in essence trust traffic only from or to the application gateways.
Figure 10.4: Screened subnet firewall.
The telnet/ftp and e-mail gateways could be set up such that they would be the only systems accessible from the Internet; no other system name need be known or used in a DNS database that would be accessible to outside systems. The telnet/ftp application gateways act as proxies: users from the outside (or possibly the inside) would need to connect first to the gateway, authenticate themselves (possibly using an authentication token), and then connect internally as permitted. The ftp gateway filters the ftp protocol itself, with the capability to deny puts or gets to or from specific systems.
This type of firewall arrangement provides a high level of security and offers more flexibility for internal systems that need to connect to the Internet. It is, of course, more complex to configure; however, the use of separate hosts for application gateways and packet filters keeps the configuration simpler and more manageable. Refer to [Ran93] and [Ran92] for more details on screened-subnet firewalls.