Cause for Concern

A serious problem with the Internet is its inability to protect information. Like a small town that has rapidly grown into a city, the Internet, which now includes the World Wide Web, is no longer a safe place to leave doors unlocked. An increasing number of DoD computer systems are connected to the Internet. It provides a convenient, ready-made infrastructure for exchanging information with other military installations, government organizations, and contractor facilities worldwide. On the other hand, a 1996 General Accounting Office report says that using the Internet has increased DoD exposure to attack. Although DoD information on the Internet is unclassified, it is sensitive and must be restricted. The report cites the Defense Information Systems Agency's (DISA's) estimate that "the DoD is attacked about 250,000 times a year" and "only about 1 in 500 attacks is detected and reported." (Report GAO/AIMD-96-84)

How can we make networks less risky while maintaining operational readiness? Since the DoD depends on its Internet connectivity, severing that connection is not an option. One solution that balances these needs and addresses the network security concerns is a firewall.

Firewalls

A firewall enforces a boundary between two or more networks by controlling access. For instance, a firewall may protect an Air Force base network from the Internet. Network firewalls furnish this security by forcing inter-network traffic through a centrally managed choke point or set of choke points. Traffic attempting to cross this threshold is subject to a set of rules; if it does not meet the specified criteria, it is not permitted through. Usually these rules (such as "only allow authorized users to access protected network web servers") are spelled out in a network security policy. Policies can be defined to allow or deny protocols, IP addresses, Domain Name System (DNS) domains, or individual users. It is the firewall's job to enforce the stated policy.
Figure 1: Representative firewall.

Firewalls serve as the front door for many networks and web sites. There are several reasons for their widespread use. First, firewalls are a cost-effective way to add security to a network. They concentrate network control in a small number of systems easily managed by a few administrators. Second, firewalls are flexible; they allow a custom set of network-access rules to be enforced. A tailored policy can be specified for a network firewall and then updated as network needs evolve. Next, firewalls can provide a permanent record of network activity. Most firewalls have a logging capability that can monitor inter-network traffic and alert administrators to problems. Finally, a growing set of network security features can be integrated into a firewall architecture. From strong user authentication and virus scanning to encrypted Virtual Private Network tunnels and router-access control management, firewalls offer a ready framework for incorporating additional security capabilities.
On the other hand, firewalls are not absolute guarantees of network security. They extend only a perimeter defense around a network. Once an attacker (who could be an authorized user) gains access to the protected network, all systems are at risk. Firewalls also do not prevent attacks through network back doors like dial-up modem connections, direct leased-line connections, or other network entry points. Only network traffic that actually passes through the firewall can be held to its rules; the firewall cannot enforce the policy against traffic using other network entry points. Firewalls can also be vulnerable to viruses. Because most firewalls base their access-control decisions on traffic header information, viruses (which are usually carried in the data portion of packets) can pass without being stopped. Virus-scanning products have, however, emerged that do work with firewalls. These products scan for viruses in files that are either attached to mail messages or downloaded via FTP (File Transfer Protocol) and HTTP (Hypertext Transfer Protocol). Finally, a firewall can make a good target for a network predator, because it concentrates network security in just one point. Nevertheless, robustly configured firewalls and strong contingency configurations reduce the risk.

Considerations for a Firewall

Do you really need a firewall? If the value of the network information resources is not worth the cost of buying, installing, and maintaining a firewall, then it may make sense to accept the risks associated with unprotected Internet connectivity. On the other hand, if protection is justified, the next decision is what level of security is needed. The value of the network information resources will help drive that decision. For instance, if a network contains personnel information, it probably warrants a more robust firewall implementation than a network containing the local social calendar.
Once the degree of protection is determined, the firewall network security policy should be defined. Increasingly, local network communities are separating from the overall corporate or enterprise network and are installing intranet firewalls. That can make sense for organizations with differing network security needs. There are additional reasons for implementing a network firewall. A firewall can provide a framework for easy integration of other network security capabilities. One common configuration that takes advantage of a firewall infrastructure is the placement of public servers, such as web and anonymous FTP servers, on an isolated network segment. This approach (see Figure 2) was used to provide access to Hanscom Air Force Base (AFB) public servers while limiting the exposure of the internal, protected network. Since intruders recently broke into and rewrote parts of the home pages of the CIA and the Department of Justice, more importance has been put on securing service platforms and using an architecture like the one shown in Figure 2.
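The policy enforcement described under "Firewalls", the header-only caveat from the previous section, and the isolated public-server segment of Figure 2 can all be seen in one small packet-filter model. The following is an added example written for this page; it is not MITRE's or Hanscom AFB's firewall configuration, and the zone names, address ranges (documentation and private ranges) and rule set are assumptions chosen only to illustrate the ideas.

```python
"""Minimal stateless packet filter: a first-match rule list with a default deny,
three assumed zones (internet, dmz, internal), and an audit log.
Constructed example; addresses and rules are assumptions, not a real policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed network segments in the style of Figure 2: an isolated
# public-server segment (dmz) and the protected internal network.
# Anything outside both is treated as the Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),       # assumed, documentation range
    "internal": ip_network("10.10.0.0/16"),  # assumed, private range
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name; unknown addresses are 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for protocols without ports
    payload: bytes = b""    # never consulted by evaluate(); see the text


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_zone: str                # zone name or "any"
    dst_zone: str                # zone name or "any"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone in ("any", zone_of(pkt.src))
                and self.dst_zone in ("any", zone_of(pkt.dst))
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


# First-match rule list expressing an assumed written policy.  Public services
# are reachable only on the DMZ; the DMZ may not reach inside; everything not
# explicitly allowed hits the final default-deny rule.
POLICY = [
    Rule("allow", "any", "dmz", "tcp", 80),       # public web server
    Rule("allow", "any", "dmz", "tcp", 21),       # anonymous FTP control channel
    Rule("allow", "internal", "any", "tcp", 80),  # inside users may browse out
    Rule("deny", "dmz", "internal"),              # a compromised DMZ host cannot pivot in
    Rule("deny", "any", "any"),                   # default deny
]


def evaluate(pkt: Packet, policy=POLICY, log: Optional[list] = None) -> str:
    """Return 'allow' or 'deny' for pkt and append an audit line to log.
    Only header fields are consulted, which is why a hostile payload on a
    permitted port passes: the decision never looks at pkt.payload."""
    for idx, rule in enumerate(policy):
        if rule.matches(pkt):
            if log is not None:
                log.append(f"rule#{idx} {rule.action} {pkt.proto} "
                           f"{pkt.src}->{pkt.dst}:{pkt.dport}")
            return rule.action
    return "deny"  # unreachable while the catch-all rule is present


def demo() -> dict:
    """Run constructed sample packets through the policy."""
    log: list = []
    results = {
        "web_to_dmz": evaluate(Packet("203.0.113.5", "192.0.2.10", "tcp", 80), log=log),
        "web_to_internal": evaluate(Packet("203.0.113.5", "10.10.1.20", "tcp", 80), log=log),
        "dmz_pivot": evaluate(Packet("192.0.2.10", "10.10.1.20", "tcp", 445), log=log),
        "telnet_to_dmz": evaluate(Packet("203.0.113.5", "192.0.2.10", "tcp", 23), log=log),
        # Permitted port, constructed hostile payload: allowed, because the
        # filter decides on headers alone.  Content scanning is a separate layer.
        "hostile_payload": evaluate(Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
                                           payload=b"<constructed malicious content>"),
                                    log=log),
    }
    return {"results": results, "log": log}


if __name__ == "__main__":
    out = demo()
    for name, verdict in out["results"].items():
        print(f"{name:16s} {verdict}")
    print("\n".join(out["log"]))
```

Two design points carry over to real deployments: the rule list ends in an explicit default deny so that anything the policy forgot is blocked rather than passed, and the filter is stateless, so the "inside users may browse out" rule would in practice need either a matching return rule or a stateful firewall to admit the replies.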
Figure 2: Hanscom AFB Firewall

MITRE and Firewalls

MITRE has considerable experience with network firewalls. In 1989 MITRE became one of the first companies to implement its own corporate network firewall--long before the term was coined. Since that time, MITRE, led by personnel in the Information Security Center, has also helped its sponsors with several firewall efforts. MITRE has:
In helping sponsors with firewall security, MITRE has developed a process for collecting sponsor site protocol information, and selecting and installing a firewall in phases so that any interference with the sponsor's mission is minimized. For more information, please contact Julie Connolly using the employee directory.