Firewalls, Proxy Servers, and Web Security

If you are a network administrator who is responsible for the web environment on your UNIX machine, you will need to know how to make your environment secure as well as efficient. There are a couple of ways to do this. You can put software called firewall software between you and the rest of the network on your UNIX machine to provide security. To improve performance, you can send information to and receive information from the outside world via software running on your UNIX machine called a proxy server. You can even combine these two functions into the same physical machine and call it a proxy/firewall machine. We will discuss each of these briefly here.

Firewalls for UNIX

There are many different commercial firewall products for different UNIX variants, but many UNIX variants include a built-in packet firewall that can be configured to handle network packets differently, depending on their source and other characteristics. These firewalls are controlled using rules loaded into the UNIX kernel. How packets are handled is specified using a set of rules. These rules can either block or allow packets to flow, depending on the source of the packet, the packet type, the protocol, and other data. For instance, these rules can be used to block all incoming traffic or block all incoming traffic but allow anyone to set up an HTTP connection to a particular port or to allow all hosts to set up an SSH connection to a particular port. (Generally, it is good administrative practice to disallow all traffic that is not explicitly permitted for specific uses.) These rules can also specify what is allowed for outgoing traffic.

Different UNIX variants support one or more packet firewalls. The most important of these are the iptables firewall, which is part of Linux, the ipfirewall (also called ipfw) (Free BSD and Mac OS X), and ipfilter (also called ipf), which comes with Solaris, NetBSD, and OpenBSD, and which runs on other many other UNIX variants, including HP-UX and Linux. We will illustrate how packet firewalls work with a brief introduction to iptables.

Commercial firewall can be much more sophisticated than these built-in packet firewalls. They can provide much more flexibility on how packets are handled, and they can integrate other functions, including the function of a proxy server, which we will discuss later in this chapter.

The iptables Firewall in Linux

All newer Linux distributions include a firewall called iptables. This firewall is built on top of netfilter, a set of hooks in the kernel of Linux that are used to intercept and manipulate packets sent over a network. Network address translation (NAT), which allows the source and/or the destination of packets to be rewritten, primarily so that multiple hosts can access the Internet using a single IP address, is also built on top of netfilter. Although iptables technically refers to the tool controlling packet filtering and NAT, it often refers to the entire infrastructure including netfilter, NAT, and connection tracking, as well as the iptables firewall itself.

A network administrator can use iptables to define rules specifying how network packets are handled. A rule specifies which packets it applies to and what is to be done with these packets. These rules are grouped into ordered list of rules, called chains. These chains are grouped into tables; each table is associated with a particular type of packet processing. Every network packet arriving at or leaving a host traverses at least one chain; each rule on that chain attempts to match the packet, and when the rule matches the packet, the target of that rule specifies what is done with that packet. If a packet reaches the end of a chain without matching any rule on the chain, the packet is handled using the default target of the rule of the chain.

We will not go into the details of the use of iptables and its various command options, but we will illustrate its use with an example. Suppose that you have iptables running on your desktop computer connected to the Internet with a dedicated connection. To have your computer ignore all packets trying to set up a connect with it, you include the line

iptables −p tcp −A INPUT -syn −j DROP

Here, the --syn option is used to match those TCP packets that are used to initiate TCP connections. Blocking such packets on the INPUT chain will prevent incoming TCP connections, while outgoing TCP connections will be unaffected. (Another useful option is-source, which can be used to block or allow inbound TCP connections from specified hosts or networks.) The –j option is used to specify the target that specifies what to do with packets that match the rule specification. Here, the DROP option specifies that all packets matching the rule specification are dropped. For more details on how to use iptables, consult its manual page.

Keeping Your Network Safe

Many more issues than we can discuss here are involved in managing a firewall effectively. This topic is beyond the scope of a book of this nature. If you are a firewall administrator, there are many good books on this topic that you will want to read before undertaking the task. We mention some good ones, such as the books by Cheswick and Bellovin and by Rubin, as well as a few others, listed in the section “How to Find Out More” of this chapter. What we will discuss here is why it is important to recognize that firewalls need to be administered to prevent against firewall attacks, or attempts by unauthorized users to get into your network.

As a network administrator, you probably already understand the importance of keeping files and programs from being accessed by unauthorized people. You probably use combinations of NIS and NFS to ensure security for these things. In the Internet environment, the same types of issues are present. Because the connection method of the Internet is TCP/IP, all of your services that use TCP/IP must be monitored to ensure that no one is trying to get into your systems over the network. The most common way to prevent this is to implement a firewall between your network and the outside world. This firewall can check all incoming traffic to see if there are attempts to take information from, or to deliver information to, the machines on your network by outsiders. The most common type of attacks on firewalls are called intrusion attacks, where an outsider tries to make your system believe he or she is a legitimate user on your system. The risk here is that-once the person is validated as a legitimate user-the intruder has all of the privileges of a legitimate user, such as erasing or moving files or programs. A second type of attack is the service denial attack. An intruder can get into your system and disable certain files or programs so that you cannot use them. An example of this is a virus or a worm, both of which can cause irreparable harm to your system if left undetected. A third type of attack, which may not cause physical harm to your system, is called an information theft attack. Since this type of attack does not require you to do anything immediately to repair damaged files or programs, it can go unnoticed for a while. However, it is potentially more damaging, especially if the information that is being stolen is proprietary to you or, perhaps, to your company

So how can you protect against these types of attacks? One way is to protect each host machine that connects to the outside world separately You install security software so that any unauthorized attempts to access a machine generate alarms and reports to the network administrator. While this is good for small environments with a few hosts, it becomes difficult when the network grows to dozens-or scores-of network hosts. For large systems, a better way is to install network-based security The difference in this method is that you spend time looking at network issues that affect security rather than machine issues. For instance, two hosts in your system may deny service to anyone but users on a certain network. As long as the address trying to access them is on this network, the user is let in, using the host-based model. But what happens if an intruder spoofs (fools) the network into thinking that it is getting a request from a legitimate internal network address? With the network-based model, only one machine-the one that connects your network to the outside world-has to worry about monitoring the network for these illegal intrusions. This is the machine on which you put all of your firewall protection.

Intrusion Detection

You can also increase the security of your hosts using an intrusion detection system. An intrusion detection system attempts to determine when someone is trying to break into your system, or when someone has already successfully broken in. Among the intrusion detection systems available for variants of UNIX are PortSentry the Linux Intrusion Detection System (LIDS), and SNORT. PortSentry watches possible scans of network ports on your system that might indicate that your system is under attack. When PortSentry sees suspicious activity, it can takes various actions, depending on the contents of a configuration file. You can download PortSentry free of charge from http://sourceforge.net/projects/sentrytools/.

The Linux Intrusion and Detection System (LIDS) adds a module to the Linux kernel, together with a set of administration tools that implements Mandatory Access Controls. These controls can be used to block access to all users, including root, except that access to resources can be allowed by configuring LIDS. LIDS can detect port scanning within its kernel. It can hide files completely and make files read-only to everyone, using root, it can hide processes to everyone or block which other processes are able to send signals to particular processes. LIDS also supports access control lists, discussed in Chapter 12. LIDS provides time-based restrictions on when tasks can be performed or a file can be accessed. You can download LIDS and obtain more information about LIDS from http://www.lids.org/.

SNORT is an open-source network intrusion detection, and prevention, system. You can obtain SNORT free of charge from Sourcefire, which offers commercial versions with integrated hardware and support services. SNORT can perform real-time traffic analysis and packet logging on IP networks and can perform protocol analysis; carry out content searching and matching; and detect a variety of attacks and probes, including buffer overflows, stealth port scanning, and CGI attacks, as well as many other types of attacks. It can also be used to prevent intrusions, not just detect them. To download, and learn more about, SNORT, go to http://www.snort.org/.

Proxy Servers

As the number of users on your network grows, the amount of requests for information on the Internet grows. Although most of these requests are legitimate and pose no security threats, there are some that may To prevent unauthorized requests from being made to services outside your firewall, there is an additional service that can be used besides firewall software, called a proxy service. The function of a proxy service is to let a machine that connects your network to the outside world, called a proxy server, act on your behalf (proxy) to send requests.

When you request to access a specific network address or URL (see Chapter 10), your request goes to the proxy server. Depending on rules that are set up by the software running on the proxy server, you may either be allowed to connect to the end site or be denied. Examples of when you would be denied are when specific URLs are deemed inappropriate for access by business employees, or when the site that you want to access is known to be a malicious site that may introduce a virus into your network if you access it.

Squid

If you do not already have a proxy server installed on your network, you may want to install one. One option is to use Squid, a high performance proxy caching server for web clients. Squid is available for use free of charge for AIX, HP-UX, Solaris, Linux, Mac OS X, FreeBSD, OpenBSD, and NetSD, and other UNIX variants. You can download Squid from http://www.squid-cache.org/. You can also find directions and help for compiling, installing, and running Squid at this site. You can also consult Squid: The Definitive Guide by Duane Wessels, published by O’Reilly and Associates, to learn more about Squid.

We will not go into details about Squid or other proxy servers here. Instead, we will offer an overview of network administration issues involving proxy servers.

Administering Proxy Servers

Administering a proxy server basically centers on being aware of the potential for a breach of security or a misuse of the network. There are tools, called proxy monitors, that allow a network administrator to look at what sites are being accessed, how often, and by whom. By analyzing this information, a network administrator can determine whether or not to limit or completely eliminate the capability for users to access a particular site or network address via a proxy server. In addition to the security and misuse potentials, another potential issue can be addressed by monitoring your proxy server: performance. Since the proxy server acts as a “traffic cop” between the users and the outside world, its performance is directly related to the number of people that are trying to access it simultaneously A strong part of proxy server management is to track the load that is being placed on it at various times. From this analysis, the network administrator may implement one or two strategies to avoid congestion. The first method may be to implement additional proxy servers. When one becomes heavily used, users are switched over to another one to make their requests. This process will work until you are using the full capacity of the last available proxy server. Then, the network administrator may have to employ the second method, which is to restrict users or services on each proxy server. This second method can be done as effectively as the first, but you need to really understand the needs of your users before you attempt to implement this second solution instead of the first one.