A firewall is one of the tools used to secure a computer network. A firewall can prevent unwanted access to departmental systems while preventing local systems from attacking systems on other networks (on the other side of the firewall). Firewalls require on-going monitoring in order to ensure that they do not unnecessarily restrict access to important computer resources while preventing unwanted access and to ensure that the firewall is operating as expected. Firewall logs should also be reviewed regularly in order to evaluate traffic patterns including denied connections.

Installing and operating a firewall to protect a departmental LAN is only one of many criteria that Network Administrators need to consider when determining the security requirements of their environment. A complete security assessment will help identify other areas of vulnerability.

The open source firewall developed by CNS is based on a widely accepted technique called packet filtering. Each packet going through the firewall is evaluated against rules set by the administrator and is either passed along or rejected. The firewall logs its activities to help the administrator understand whether there has been an attempted attack. To reduce administrative costs this firewall can be administered locally (from the console) or remotely (using a secure connection). It can also be configured to watch a particular computer for new rules.

No firewall can prevent malicious people from exploiting known vulnerabilities in software (as buffer overflow exploits and worms do). This firewall is no different. What it does is to ensure that the traffic entering and leaving the secured LAN is talking to the correct applications on the correct computers.

A crucial point about this firewall is that it uses a low-level approach to configuration; the administrator must analyze his or her needs at the level of ports and packet types in order to choose the required permissions. Commercially available products can simplify some configuration task by allowing the administrator to simply choose from a set of applications to be allowed/disallowed but these products typically cost many thousands of dollars. However adding this functionality to the CNS developed firewall would be hugely expensive.

The open source firewall available to all departments on campus. CNS also provides a service to assist departments in performing security evaluations of their networks.

Current Practice:

• Departments routinely maintain sensitive and confidential information on Internet connected computers.
• Departments routinely deploy business systems that are critical for the day-to-day operations of the unit on Internet connected computers.
• The built-in security features of typical departmental computers are inadequate to protect them from mischief and malice when connected to the Internet.

The Threats:

• Theft or corruption of important data. The consequences of compromised data can range from a loss of staff and student productivity, to public embarrassment (and liability).
• Denial of service. All computer systems have vulnerabilities that can be exploited to cause the computer to work poorly or not at all. Software is widely available on the Internet that exploits these vulnerabilities, and these programs are routinely directed at University computers.

How a firewall helps:

• Any requests from non-trusted hosts can be rejected; this technique can be used to provide a simple level of confidentiality, and it can be used to prevent Denial of Service attacks, and other known intrusion techniques.
• Often it is necessary to allow traffic (e.g. SMTP, IMAP) from non-trusted hosts. In these cases, the firewall will not prevent certain types of attacks; for instance, it won't protect against viruses in e-mail, nor will it stop attacks which use buffer overruns.

• Successful firewall deployment and operation requires a very precise set of technical networking skills and a concerted effort to remain current on the "state of the art". This is necessary because of the technical complexity of the problem, the sophistication of the attacks being crafted, and the evolving nature of attacks.
• Departments' capacities to deploy and operate firewalls vary through the university.

Departments with firewalls

Departments with firewalls have engaged in a self-assessment, which determined the need to protect their systems. As the complexity of the problem and the sophistication of the threats increases, many of these departments are experiencing unacceptable costs in terms of providing the level of technical support within their own organization or via a commercial service provider. Organizations experiencing this are interested in avenues that consolidate security support (thereby reducing individual costs).

Departments without firewalls

In many areas of the university, some departments with the competence to deploy firewalls have not done so, perhaps based on a perception that:

• Their systems and data are not a risk.
• Firewalls unacceptably compromise academic freedom.
• Installing/maintaining a firewall would be too great an additional workload.

These perceptions may be quite accurate, in that they are based on a thorough understanding of the values and risks to the department, and because most system administrators review their environment periodically, with a view to responding to the increasingly hostile attacks that come from the Internet.

In departments without the competence to deploy firewalls there is often:

• A lack of awareness of the risk their systems are exposed to
• A lack of expertise to carry a project forward
• The perception that the cost of commercial firewall products is too much

Hardware Requirements

At a minimum, the firewall machine should be equivalent to a Pentium II, with 64 Mb of RAM, a 5Gb hard drive, and 2 PCI NICs; in addition, the hardware must be supported by FreeBSD (see http://www.freebsd.org/relnotes/4-STABLE/hardware/i386/). Required processor speed will be dependent on IP traffic. Required hard drive capacity will be dependent on the desired degree of log retention.

Host Setup

A step-by-step Installation Guide is provided with the distribution package; this covers the installation of both FreeBSD and the firewall software itself. The firewall software installation has an option that allows the creation of a second firewall machine as a hot spare.

The installation can usually be accomplished in less than two hours. The installation should pose few problems, because of the straightforwardness of the process itself, and because of the completeness of the Installation Guide.

The default filtering rules allow all traffic to pass between the "inside" and the "outside". All access to the firewall itself is blocked, except for SSH access through a port, and via hosts, chosen during the install; this SSH connection is used for remote administration.

Administrative Functions

There are several classes of function available:

• System configuration and control, rebooting, etc.)
  • System summary, IP settings, date and time
  • Reboot, shutdown, exit
• Group management (i.e. Groups of IP nos.)
  • Show, edit, add, delete groups
• Permissions and rules (see Creating new filter rules)
  • Show, add, delete permissions
  • Update rules (after changing permissions)
  • Show rules
• Importing rules (see Creating new filter rules)
  • Add, delete, view URLs for normal rules
  • Add, delete, view URLs for emergency rules
• Logs and mail management
  • Review or watch current or archived log (complete)
  • Review or watch current or archived (denials only)
  • Manage email addresses (for recipients of notifications)
  • Send log or archive to recipients (entire or summary)
  • View log summary
• Maintenance
  • Save configuration to remote site, floppy, or locally
  • Restore configuration from remote site, floppy, or locally
  • Configure ports for sshd, snmpd
  • Manage maintenance list (tracking)

Administrative Interface

The interface consists of a set of text menus; these have built-in help, activated by entering either an empty response or question mark.

Remote Administration

The firewall can be configured to accept SSH connections from specific hosts, so that an administrator can log in and make changes.

Logs, Alerts, Reporting

All traffic is logged; log entries for outbound traffic can be marked selectively, using the RECORD permission. Logs are rolled and compressed daily, and logs and/or summaries can be e-mailed to specified addresses.

Creating new filter rules

The Administrative interface is used to define permissions which control traffic flow, based on IP address (or group of IPs) and port number; there are four types of permission, each of which is a macro which expands to a set of IP firewall rules.

The defined rules may be modified (presumably to handle temporary situations) by downloading (importing) another set of rules from a specified URL. These can be normal rules, which augment those already defined, or emergency rules, which replace them.

The syntax and semantics of the permissions is beyond the scope of this report; in fact, there was a consensus that it would be difficult for an inexperienced administrator to fashion a set of permissions that would achieve a particular desired effect without assistance. It should also be pointed out that the approach used in configuring this firewall is a low-level one. For instance, one cannot just pick from a set of applications to be allowed; one must know which ports and packet types an application uses, and establish permissions based on them.

Failure recovery

If a second machine has been configured as a hot spare, it will automatically take over if the primary fails, and become the primary; when the old primary is re-started, it becomes the hot spare. Rule changes made on the primary are automatically mirrored on the hot spare. This facility was felt to be a valuable and convenient feature.

If there is no hot spare and the primary fails, connectivity between inside and outside can only be restored by bypassing the firewall.

Performance

Throughput

The effective performance can be measured by testing with the firewall in and out of the network path. No quantitative measures of this sort have been made to date; however, a comparison of the throughput of several workstations, only one of which was behind a firewall, showed no apparent differences. The pilot projects showed that the firewall is transparent to users.

Security

Firewalls using this technology have been in use, here and around the world, for years. They have stopped known attacks and prevented unauthorized probing of the secured network. No strenuous deliberate attacks have been carried out against this firewall; however, the regular sweeps have disclosed no vulnerabilities.

By way of example:

• The installation of the firewall on the Simcoe Hall network eliminated attacks (LPR and others) which had previously been experienced.
• While some 60 servers on campus were infected by the Code Red Worm, both the Simcoe Hall network and the CANS network (also behind one of these firewalls) were unaffected, even though the servers there did not have the protective patch applied.

Upon request, the Computer Security Administration Group of CNS will assist departments with a security assessment of their computing environment. This process includes the following steps:

• Information Gathering - The department should gather all pertinent information to help with he assessment. This should include:
  • Network Topology
  • Hardware & Software Inventory
  • List of Services provided
  • Information on any security incidents
• Preliminary Review - Computer Security Administration will meet with a representative of the department to conduct a preliminary review of the department's computing environment
• Conduct Assessment - Computer Security Administration will enlist expertise from within CNS to assist the department in conducting the assessment of their computing environment
• Draft Recommendations - Computer Security Administration will assist the department representative with recommendations for enhancing the security of the department's computing environment
• Draft Assessment Report - An assessment report is drafted and distributed to affected parties

Local Area Network security guidelines are available at http://www.utoronto.ca/security/LAN.htm

Please contact us at security.admin@utoronto.ca for more information on this service.

The Open Source Firewall is available via anonymous FTP from:

    ftp://cns.utoronto.ca/pub/filbert/

If you run into any problems, please contact: filbert@cns.utoronto.ca

The directory at the FTP site includes the following files:

• README
• Install - firewall installation guide
• feb.tar - the firewall software itself
• FreeBSD_install_CD-ROM.iso - image of the FreeBSD install CD

Computing & Networking Services will provide assistance and advice to system administrators to the extent possible with available resources.

Although the Open Source Firewall has been designed in such a way as to require minimal knowledge by the departmental administrator, if you need assistance with the installation or configuration of the firewall or if you need help following failure of the firewall, please contact Computer Security Administration.