Building Your Own Firewall

For years, firewalls were strictly a do-it-yourself affair. A big innovation was the introduction of several firewall toolkits - ready-made proxies and client programs designed to build a simple, straightforward firewall system. Lately, a number of companies have started offering complete firewall "solutions."

Today there are four basic types of firewalls in use:

• Packet firewalls
• These firewalls are typically built from routers that are coded to pass some types of packets and to block others.
• Traditional proxy-based firewalls
• These firewalls require that users follow special procedures or use special network clients that are aware of the proxies.
• Packet-rewriting firewalls
• These firewalls rewrite the contents of the IP packets as they pass between the internal network and the Internet. From the outside, all communications appear to be mediated through a proxy on the firewall. From the inside network, the firewall is transparent.
• Screens
• These firewalls bisect a single Ethernet with a pair of Ethernet interfaces. The screen doesn't have an IP address. Instead, each Ethernet interface listens to all packets that are transmitted on its segment and forwards the appropriate packets, based on a complex set of rules, to the other interfaces. Because the screen does not have an IP address, it is highly resistant to attack over the network. For optimal security, the screen should be coded through a serial interface or removable media (e.g., floppy disk), although you can design a screen that would be addressed through its Ethernet interface directly (speaking a network protocol other than IP). Some manufacturers of screens provide several network interfaces, so that you can set up a WWW server or a news server on a separate screened subnet using the same screen.

In this section, we will discuss the construction of a firewall built from a choke and a gate that uses proxies to move information between the internal network and the external network. We describe how to build this kind of firewall because the tools are readily available, and because this type seems to provide adequate security for many applications.

For additional useful and practical information on constructing your own firewall, we recommend that you read Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky (Anonymous, 1995).

Planning Your Configuration

Before you start purchasing equipment or downloading software from the Internet for your firewall, you might first want to answer some basic questions:

• What am I trying to protect? If you are simply trying to protect two or three computers, you might find that using host-based security is easier and more effective than going to the expense and difficulty of building a full-fledged firewall.
• Do I want to build my own firewall, or buy a ready-made solution? Although you could build a very effective firewall, the task is very difficult and one in which a single mistake can lead to disaster.
• Should I buy a monitored firewall service? If your organization lacks the expertise to build its own firewall, or it does not wish to commit the resources to monitor a firewall 24 hours a day, 7 days a week, you may find that paying for a monitored firewall service is an economical alternative. Several ISPS now offer such services as a value-added option to their standard Internet offerings.
• How much money do I want to spend? You can spend a great deal of money on your own systems, or on a commercial product. Often (but not always) the extra expense may result in a more capable firewall.
• Is simple packet filtering enough? If so, you can probably set up your "firewall" simply by adding a few rules to your existing router's configuration files.
• If simple packet filtering is not enough, do I want a gate and one choke, or two?
• Will I allow inbound Telnet connections? If so, how will I authenticate them? How will I prevent passwords from being sniffed?
• How will I get my users to adhere to the organization's firewall policy?

Assembling the Parts

After you have decided on your configuration, you must then assemble the parts. This assembly includes:

• Choke
• Most organizations use a router. You can use an existing router or purchase a special router for the purpose.
• Gate
• Usually, the gate is a spare computer running the UNIX operating system. Gates do not need to be top-of-the-line workstations, because the speed at which they function is limited by the speed of your Internet connection, not the speed of your computer's CPU. In many cases, a high-end PC can provide sufficient capacity for your gate.
• Software
• You'll want to get a variety of software to run on the gate. Start with a firewall toolkit, such as the one from Trusted Information Systems. You should also have a consistency-checking package, such as Tripwire, to help you detect intrusion. Finally, consider using a package such as Tiger to help find security weaknesses in the firewall's UNIX configuration.

Setting Up the Choke

The choke is the bridge between the inside network and the outside network. It should not forward packets between the two networks unless the packets have the gate computer as either their destination or their origination address. You can optionally further restrict the choke so that it forwards only packets for particular protocols - for example, packets used for mail transfer but not for telnet or rlogin.

There are three main choices for your choke:

1. Use an "intelligent router." Many of these routers can be set up to forward only certain kinds of packets and only between certain addresses.
2. You can use a standard UNIX computer with two network interfaces. If you do so, do not run the program /usr/etc/routed (the network routing daemon) on this computer. Set up the program so that it does not forward packets from one network interface to the other (usually by setting the kernel ip forwarding variable to 0).[7] A computer set up in this fashion is both the choke and the gate.

   [7] On Linux, IP forwarding is a compile-time option.

3. You can alter your operating system's network driver so that it only accepts packets from the internal network and the choke. If you are running Linux, you can use the operating system's kernel-based IP filtering, accessible through the ipfw command, to prevent the system from receiving packets from non-approved networks or hosts. In the not too distant future, other vendors may offer similar features.

The details of how you set up your choke will vary greatly, depending on the hardware you use and that hardware's software. Therefore, the following sections are only general guidelines.

Choosing the Choke's Protocols

The choke is an intelligent filter: it is usually set up so that only the gate machine can talk to the outside world. All messages from the outside (whether they're mail, FTP, or attempts to break in) that are directed to internal machines other than the gate are rejected. Attempts by local machines to contact sites outside the LAN are similarly denied.

The gate determines destinations, then handles requests or forwards them as appropriate. For instance, SMTP (mail) requests can be sent to the gate, which resolves local aliases and then sends the mail to the appropriate internal machine.

Furthermore, you can set up your choke so that only specific kinds of messages are sent through. You should configure the choke to reject messages using unknown protocols. You can also configure the choke to specifically reject known protocols that are too dangerous for people in the outside world to use on your internal computers.

The choke software should carefully examine the option bits that might be set in the header of each IP packet. Option bits, such as those for IP forwarding, fragmentation, and route recording, may be valid on some packets. However, they are sometimes set by attackers in an attempt to probe the state of your firewall or to get packets past a simple choke. Other options, such as source routing, are never acceptable; packets that specify them should be blocked.

You also want to configure the choke to examine the return addresses (source addresses) on packets. Packets from outside your network should not state source addresses from inside your network, nor should they be broadcast or multicast addresses. Otherwise, an attacker might be able to craft packets that look normal to your choke and clients; in such cases, the responses to these packets are what actually do the damage.

The choke can also be configured to prevent local users from connecting to outside machines through unrestricted channels. This type of configuration prevents Trojan-horse programs from installing network back doors on your local machines. Imagine a public domain data-analysis program that surreptitiously listens on port 49372 for connections and then forks off a /bin/csh. The configuration also discourages someone who does manage to penetrate one of your local machines from sending information back to the outside world.

Ideally, there should be no way to change your choke's configuration from the network. An attacker trying to tap into your network will be stuck if your choke is a PC-based router that can be recoded only from its keyboard.

NOTE: The way you configure your choke will depend on the particular router that you are using for a choke; consult your router's documentation for detail.