A firewall is one of the tools used to secure a computer network. A firewall can prevent unwanted access to departmental systems while preventing local systems from attacking systems on other networks (on the other side of the firewall). Firewalls require on-going monitoring in order to ensure that they do not unnecessarily restrict access to important computer resources while preventing unwanted access and to ensure that the firewall is operating as expected. Firewall logs should also be reviewed regularly in order to evaluate traffic patterns including denied connections.
Installing and operating a firewall to protect a departmental LAN is only one of many criteria that Network Administrators need to consider when determining the security requirements of their environment. A complete security assessment will help identify other areas of vulnerability.
The open source firewall developed by CNS is based on a widely accepted technique called packet filtering. Each packet going through the firewall is evaluated against rules set by the administrator and is either passed along or rejected. The firewall logs its activities to help the administrator understand whether there has been an attempted attack. To reduce administrative costs this firewall can be administered locally (from the console) or remotely (using a secure connection). It can also be configured to watch a particular computer for new rules.
No firewall can prevent malicious people from exploiting known vulnerabilities in software (as buffer overflow exploits and worms do). This firewall is no different. What it does is to ensure that the traffic entering and leaving the secured LAN is talking to the correct applications on the correct computers.
A crucial point about this firewall is that it uses a low-level approach to configuration; the administrator must analyze his or her needs at the level of ports and packet types in order to choose the required permissions. Commercially available products can simplify some configuration task by allowing the administrator to simply choose from a set of applications to be allowed/disallowed but these products typically cost many thousands of dollars. However adding this functionality to the CNS developed firewall would be hugely expensive.
The open source firewall available to all departments on campus. CNS also provides a service to assist departments in performing security evaluations of their networks.
How a firewall helps:
Departments with firewalls
Departments with firewalls have engaged in a self-assessment, which determined the need to protect their systems. As the complexity of the problem and the sophistication of the threats increases, many of these departments are experiencing unacceptable costs in terms of providing the level of technical support within their own organization or via a commercial service provider. Organizations experiencing this are interested in avenues that consolidate security support (thereby reducing individual costs).
Departments without firewalls
In many areas of the university, some departments with the competence to deploy firewalls have not done so, perhaps based on a perception that:
These perceptions may be quite accurate, in that they are based on a thorough understanding of the values and risks to the department, and because most system administrators review their environment periodically, with a view to responding to the increasingly hostile attacks that come from the Internet.
In departments without the competence to deploy firewalls there is often:
At a minimum, the firewall machine should be equivalent to a Pentium II, with 64 Mb of RAM, a 5Gb hard drive, and 2 PCI NICs; in addition, the hardware must be supported by FreeBSD (see http://www.freebsd.org/relnotes/4-STABLE/hardware/i386/). Required processor speed will be dependent on IP traffic. Required hard drive capacity will be dependent on the desired degree of log retention.
A step-by-step Installation Guide is provided with the distribution package; this covers the installation of both FreeBSD and the firewall software itself. The firewall software installation has an option that allows the creation of a second firewall machine as a hot spare.
The installation can usually be accomplished in less than two hours. The installation should pose few problems, because of the straightforwardness of the process itself, and because of the completeness of the Installation Guide.
The default filtering rules allow all traffic to pass between the "inside" and the "outside". All access to the firewall itself is blocked, except for SSH access through a port, and via hosts, chosen during the install; this SSH connection is used for remote administration.
There are several classes of function available:
The interface consists of a set of text menus; these have built-in help, activated by entering either an empty response or question mark.
The firewall can be configured to accept SSH connections from specific hosts, so that an administrator can log in and make changes.
Logs, Alerts, Reporting
All traffic is logged; log entries for outbound traffic can be marked selectively, using the RECORD permission. Logs are rolled and compressed daily, and logs and/or summaries can be e-mailed to specified addresses.
Creating new filter rules
The Administrative interface is used to define permissions which control traffic flow, based on IP address (or group of IPs) and port number; there are four types of permission, each of which is a macro which expands to a set of IP firewall rules.
The defined rules may be modified (presumably to handle temporary situations) by downloading (importing) another set of rules from a specified URL. These can be normal rules, which augment those already defined, or emergency rules, which replace them.
The syntax and semantics of the permissions is beyond the scope of this report; in fact, there was a consensus that it would be difficult for an inexperienced administrator to fashion a set of permissions that would achieve a particular desired effect without assistance. It should also be pointed out that the approach used in configuring this firewall is a low-level one. For instance, one cannot just pick from a set of applications to be allowed; one must know which ports and packet types an application uses, and establish permissions based on them.
If a second machine has been configured as a hot spare, it will automatically take over if the primary fails, and become the primary; when the old primary is re-started, it becomes the hot spare. Rule changes made on the primary are automatically mirrored on the hot spare. This facility was felt to be a valuable and convenient feature.
If there is no hot spare and the primary fails, connectivity between inside and outside can only be restored by bypassing the firewall.
The effective performance can be measured by testing with the firewall in and out of the network path. No quantitative measures of this sort have been made to date; however, a comparison of the throughput of several workstations, only one of which was behind a firewall, showed no apparent differences. The pilot projects showed that the firewall is transparent to users.
Firewalls using this technology have been in use, here and around the world, for years. They have stopped known attacks and prevented unauthorized probing of the secured network. No strenuous deliberate attacks have been carried out against this firewall; however, the regular sweeps have disclosed no vulnerabilities.
By way of example:
Upon request, the Computer Security Administration Group of CNS will assist departments with a security assessment of their computing environment. This process includes the following steps:
Local Area Network security guidelines are available at http://www.utoronto.ca/security/LAN.htm
Please contact us at firstname.lastname@example.org for more information on this service.
The Open Source Firewall is available via anonymous FTP from:
If you run into any problems, please contact: email@example.com
The directory at the FTP site includes the following files:
Computing & Networking Services will provide assistance and advice to system administrators to the extent possible with available resources.
Although the Open Source Firewall has been designed in such a way as to require minimal knowledge by the departmental administrator, if you need assistance with the installation or configuration of the firewall or if you need help following failure of the firewall, please contact Computer Security Administration.
All contents copyright © University of Toronto 2000-2003
This Site is maintained by the Computer Security Administration Group
Comments & Questions