W2Knews[tm] Electronic Newsletter
Vol. 5, #38 - August 23, 2000 - Issue #212
Published by sunbelt-software.com since 1996 - ISSN: 1527-3407
'Immediate Notification Of Important Windows NT/2000 Events'
*******************over 600,000 subscribers**************************

This W2Knews 'TechFlash' is a primer about the three most used firewall technologies.

Hi W2K and NT-ers,

Firewalls were being discussed a lot on the NTSYSADMIN list lately, and I found that there was quite a bit of unknown data and confusion about the existing technologies, so here is a fast overview of what is out there in this area. And since the recent survey showed security is your headache number one, I hope this helps! We will also announce a revolutionary new security tool in the W2Knews September 11 issue. See you next weekend.

Warm regards,

Stu.
(Email feedback to [EMAIL PROTECTED])

*************************SPONSOR*********************************
HOW ABOUT FREE ONSITE SUPPORT FOR YOUR NEXT DEPLOYMENT PROJECT?

Is just thinking about your next deployment project keeping you awake? All that planning, inventorying, testing, scheduling - not to mention cleaning up all those post-deployment problems - it's enough to give anyone nightmares. So we'd like to help. If you qualify, Perpetual will come on site and work with you, using our software and services, to show how our Client Management System will make your life easier AND save you money. Sign up now at:
http://www.perpetual.com/sunbelt0823.html
------------------------------------------------------------------

FIREWALL OVERVIEW:

A very popular class of firewalls at the moment is the so-called proxy server. What does that word mean to begin with? 'Proxy' simply means that the machine runs an application 'on behalf of' services that run on a system hidden behind the proxy server. It is a type of firewall that helps you communicate securely with the Internet, which we call 'untrusted'. Untrusted because it is a scary place out there.
You would be surprised how many would-be hackers are trying to penetrate systems on an hourly basis and what holes they find.

One other type of firewall that is used a lot is essentially a router that filters packets and translates IP addresses based on a set of rules. (But it does not process the data that sits inside the packets.)

Now, the three technologies in order of increasing security are:

1) Packet Filters
2) Circuit-level Proxies
3) Application-level Proxies

1) Packet Filters
-----------------

There are two sorts of these: static and dynamic.

Static packet filters simply inspect the source and destination IP address and port number of each packet passing through the firewall and either route or drop it based on rules defined by you, the administrator. A static filter has no memory of earlier packets, so to let the replies to outbound connections back in it has to keep whole port ranges open permanently, and an unsolicited inbound packet to one of those ports gets the same treatment as a genuine reply.

Dynamic packet filtering firewalls can open and close ports 'on the fly'. They do this based on the type of initial connection request and the port numbers that the client and remote server negotiate. In this way, packets based on protocols that do not use fixed port numbers, such as the popular Remote Procedure Calls (RPCs), can be let through by opening just the one port that was negotiated instead of a whole range of ports.

Some dynamic firewalls have the latest technology built in. This is called "stateful inspection". That is a technique which uses even more intelligence: it tracks the progress of each connection (the TCP handshake, the established phase, the close) and looks for unexpected changes of state that might indicate a hacker attack, for instance a 'reply' to a connection that no inside host ever opened.

MS Proxy Server V2.0 supports dynamic filters but not stateful inspection. The new MS ISA Server 2000 adds support for stateful inspection, but not for all protocols.

2) Circuit-level Proxies
------------------------

TCP/IP uses special identifiers called 'sockets' to make sure that packets intended for a particular application are not only routed to the correct host, but are also directed to the correct application on that host.
The special upgrades that were made by MS to the WinSock API (the Windows sockets programming interface that applications use for TCP/IP networking) allow you to securely 'remote' a socket to a proxy server. That allows the proxy server to perform the low-level networking functions on behalf of the client. Until the client initiates a "circuit" with the proxy, the network traffic from the client is completely hidden from the outside. The proxy server uses its own (outside) IP address to communicate via the Internet instead of the actual IP address of the client, which remains hidden this way.

A plus with circuit-level proxies is that you can base access rules on the requester's name or group membership. A minus is that they are unsuitable for peer-to-peer protocols like SMTP or Voice-over-IP, where the outside party has to be able to open a connection inward; the proxy only relays circuits that an inside client opened, and it passes the bytes on without understanding them.

3) Application-level Proxies
----------------------------

These are generally considered to have the tightest security of the three methods, but they are expensive in resources on the proxy server. Application proxies provide a separate process for each of a few high-level protocols like HTTP, HTTPS, SMTP and DNS. For instance, with HTTP the app-level proxy looks like the requested web server to the client, and in turn emulates the client to the web server. It intercepts the browser's requests, inspects the HTTP content to ensure validity, then repackages the request and sends it to the actual web server, giving its own (external) IP address as the source address. The process is reversed when the requested content comes back.

MS Proxy Server V2.0 and the new MS ISA Server 2000 include application-level proxies for the HTTP, HTTPS and FTP protocols.

Some other security features:
-----------------------------

All firewalls can log traffic, and you can configure rules to send alerts when specific types of activity occur. But a major headache is false positives. They happen too much and drive everyone mad, and when a real attack occurs it gets disregarded along with the noise.
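To make the false-positive problem concrete, here is an added example written for this page (it is not code from the newsletter, Sunbelt, Microsoft or any firewall product). It parses a constructed DROP log in an assumed line format and compares the rule "alert on every denied packet" with a rule that alerts once per source only after that source has been denied on several distinct ports within a minute. The log lines, the format, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the demonstration.

```python
"""Firewall DROP logs to alerts, with and without a false-positive filter.

Added example for this page; the log line format below is an assumption
made for the demonstration, not the format of any particular firewall.
Addresses use the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ACCEPT|DROP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed log: background noise (stray NetBIOS datagrams, one lost SYN)
# plus one outside host walking through the inside server's service ports.
SAMPLE_LOG = """\
2000-08-23 10:15:01 DROP 198.51.100.7:1032 -> 10.0.0.5:137 UDP
2000-08-23 10:15:03 ACCEPT 10.0.0.5:40000 -> 198.51.100.20:80 TCP
2000-08-23 10:15:10 DROP 203.0.113.9:4444 -> 10.0.0.5:21 TCP
2000-08-23 10:15:11 DROP 203.0.113.9:4444 -> 10.0.0.5:22 TCP
2000-08-23 10:15:11 DROP 203.0.113.9:4444 -> 10.0.0.5:23 TCP
2000-08-23 10:15:12 DROP 203.0.113.9:4444 -> 10.0.0.5:25 TCP
2000-08-23 10:15:14 DROP 203.0.113.9:4444 -> 10.0.0.5:80 TCP
2000-08-23 10:15:15 DROP 203.0.113.9:4444 -> 10.0.0.5:110 TCP
2000-08-23 10:15:40 DROP 198.51.100.33:1025 -> 10.0.0.5:80 TCP
2000-08-23 10:16:05 DROP 198.51.100.7:1033 -> 10.0.0.5:138 UDP
""".splitlines()


def parse(line: str) -> dict:
    """Turn one log line into a dict with typed timestamp and ports."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def naive_alerts(lines):
    """The rule 'alert on every denied packet': every stray datagram pages someone."""
    return [f"{e['ts']:%H:%M:%S} {e['src']} -> {e['dst']}:{e['dport']} dropped"
            for e in map(parse, lines) if e["action"] == "DROP"]


def sweep_alerts(lines, min_ports=5, window_s=60):
    """Alert once per source when it has been denied on at least min_ports
    distinct destination ports within window_s seconds, then stay quiet about
    that source for the rest of the window. Isolated drops never alert."""
    recent = defaultdict(list)    # src -> [(ts, dport)] seen within the window
    muted_until = {}              # src -> time before which we will not re-alert
    alerts = []
    for e in map(parse, lines):
        if e["action"] != "DROP":
            continue
        src, ts = e["src"], e["ts"]
        # Keep only this source's hits that are still inside the sliding window.
        hits = [(t, p) for t, p in recent[src] if (ts - t).total_seconds() <= window_s]
        hits.append((ts, e["dport"]))
        recent[src] = hits
        ports = sorted({p for _, p in hits})
        if len(ports) >= min_ports and muted_until.get(src, datetime.min) <= ts:
            alerts.append(f"{ts:%H:%M:%S} port sweep from {src}: ports {ports}")
            muted_until[src] = ts + timedelta(seconds=window_s)
    return alerts


if __name__ == "__main__":
    print(len(naive_alerts(SAMPLE_LOG)), "naive alerts")
    for a in sweep_alerts(SAMPLE_LOG):
        print(a)
```

The naive rule raises nine alerts for this log, eight of them noise; the sweep rule raises one, for the host that touched five distinct ports in under a minute, and the mute window stops it from re-paging on every further probe from the same source.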
You can normally configure the firewall so that some traffic is denied based on source or destination IP address, protocol type and in some cases on user and/or group names. Quite a few third-party tools interface with both MS Proxy Server and ISA Server to filter out various classes of Internet content.

That's all for this short intro and explanation. Hope it has clarified a bit.

Later!

Stu

(grateful acknowledgements to www.directionsonmicrosoft.com)
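As an added postscript to section 1) above, here is an example written for this page (not code from Sunbelt, Microsoft or any firewall product) that runs one constructed packet trace through a static filter and through a stateful one. The static filter has to leave the whole ephemeral port range open inbound so that replies to outbound web connections get through; the stateful filter instead remembers which inside host opened which connection and what state it is in. The addresses (RFC 5737 documentation ranges, 10.0.0.0/8 as the protected network), the rule set and the trace are all assumptions made for the demonstration.

```python
"""Static vs stateful packet filtering over a constructed packet trace.

Added example for this page, not code from Sunbelt, Microsoft or any
firewall product. Addresses use the RFC 5737 documentation ranges and
10.0.0.0/8 stands in for the protected network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: S=SYN, A=ACK, F=FIN, P=PSH


def is_inside(ip: str) -> bool:
    # Assumption: everything in 10.0.0.0/8 is the protected network.
    return ip.startswith("10.")


class StaticFilter:
    """Judges each packet by addresses and ports alone, with no memory.

    To let replies to outbound web connections back in, it has to hold the
    whole ephemeral port range open to inbound traffic permanently, so any
    outsider can reach an inside host on those ports."""

    # (direction, low port, high port, action); first match wins, default drop.
    RULES = [
        ("out", 80, 80, "accept"),
        ("out", 443, 443, "accept"),
        ("in", 1024, 65535, "accept"),   # for replies, but it cannot tell them apart
    ]

    def decide(self, pkt: Packet) -> str:
        direction = "out" if is_inside(pkt.src) else "in"
        for rule_dir, lo, hi, action in self.RULES:
            if rule_dir == direction and lo <= pkt.dport <= hi:
                return action
        return "drop"


class StatefulFilter:
    """Admits inbound packets only when they belong to a connection an inside
    host opened, and only when the TCP flags fit that connection's tracked
    state (SYN_SENT -> ESTABLISHED -> CLOSING)."""

    ALLOWED_OUT = {80, 443}

    def __init__(self) -> None:
        self.table = {}   # (client, cport, server, sport) -> state

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server key
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client key

        if fwd in self.table:
            state = self.table[fwd]
            if state in ("ESTABLISHED", "CLOSING") and "S" not in pkt.flags:
                if "F" in pkt.flags:
                    self.table[fwd] = "CLOSING"
                return "accept"
            return "drop"                     # e.g. a fresh SYN in the middle of a stream

        if rev in self.table:
            state = self.table[rev]
            if state == "SYN_SENT" and pkt.flags == "SA":
                self.table[rev] = "ESTABLISHED"
                return "accept"
            if state in ("ESTABLISHED", "CLOSING") and "S" not in pkt.flags:
                return "accept"
            return "drop"                     # a reply that does not fit the state

        # Unknown flow: only an inside host may open one, with a bare SYN,
        # and only to a permitted service port.
        if is_inside(pkt.src) and pkt.flags == "S" and pkt.dport in self.ALLOWED_OUT:
            self.table[fwd] = "SYN_SENT"
            return "accept"
        return "drop"


# Constructed trace: one legitimate web connection plus three things an
# outsider might throw at the inside host.
TRACE = [
    Packet("10.0.0.5", 40000, "198.51.100.20", 80, "S"),    # inside host opens connection
    Packet("198.51.100.20", 80, "10.0.0.5", 40000, "SA"),   # genuine reply
    Packet("10.0.0.5", 40000, "198.51.100.20", 80, "A"),    # handshake completes
    Packet("203.0.113.9", 4444, "10.0.0.5", 5555, "S"),     # unsolicited inbound connection attempt
    Packet("203.0.113.9", 80, "10.0.0.5", 40001, "SA"),     # forged 'reply' to a flow nobody opened
    Packet("198.51.100.20", 80, "10.0.0.5", 40000, "S"),    # SYN on an established flow: bad state change
]


def run_trace(fw, packets):
    """Return the filter's verdict for each packet, in order."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for name, fw in (("static", StaticFilter()), ("stateful", StatefulFilter())):
        print(name, run_trace(fw, TRACE))
```

The static filter accepts all six packets, including the unsolicited connection attempt, the forged reply and the out-of-state SYN, because each of them arrives on a destination port its inbound rule has to leave open. The stateful filter accepts only the three packets of the connection the inside host actually opened.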
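And for sections 2) and 3), an added example (written for this page, not MS Proxy Server, ISA Server or any other product's code) contrasting the two proxy styles on the same HTTP request. The circuit-level proxy decides by user group and destination port and then relays bytes untouched from its own outside address; the application-level proxy parses the request, refuses a malformed one (here a header carrying an injected bare line feed) and sends a freshly built request to the origin server. The user directory, rule set, proxy address (203.0.113.1) and sample requests are constructed for the demonstration.

```python
"""Circuit-level vs application-level proxying, as a constructed example.

Both classes are illustrative stand-ins for the behaviour the newsletter
describes; this is not MS Proxy Server or ISA Server code. Addresses use
the RFC 5737 documentation ranges and the reserved .test TLD.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

PROXY_EXTERNAL_IP = "203.0.113.1"   # assumption: the proxy's outside address


@dataclass
class Forwarded:
    """What the outside server sees: source address, destination, bytes sent."""
    src_ip: str
    dst: tuple
    payload: bytes


# ---- 2) Circuit-level: rules by user/group and destination port; bytes untouched

GROUPS = {"alice": {"web-users"}, "bob": {"contractors"}}   # constructed directory
CIRCUIT_RULES = [                                            # (group, dst port, allow)
    ("web-users", 80, True),
    ("web-users", 443, True),
    ("contractors", 80, False),
]


class CircuitProxy:
    """A 'remoted' socket: the client asks the proxy to connect somewhere on
    its behalf; once the circuit is open the proxy relays bytes without
    looking at them, so it can enforce who may talk to where, but not what."""

    def open_circuit(self, user: str, dst_ip: str, dst_port: int) -> bool:
        for group, port, allow in CIRCUIT_RULES:
            if group in GROUPS.get(user, set()) and port == dst_port:
                return allow
        return False                       # default deny

    def relay(self, client_ip: str, dst_ip: str, dst_port: int, data: bytes) -> Forwarded:
        # The outside host sees the proxy's address, never client_ip.
        return Forwarded(PROXY_EXTERNAL_IP, (dst_ip, dst_port), data)


# ---- 3) Application-level: the proxy understands HTTP and rebuilds the request

class BadRequest(ValueError):
    pass


ALLOWED_METHODS = {"GET", "HEAD", "POST"}


class HttpApplicationProxy:
    """Parses the browser's proxy-style request, refuses anything malformed,
    and sends a freshly built request to the origin server from its own IP."""

    def handle(self, client_ip: str, raw: bytes) -> Forwarded:
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            raise BadRequest("no end of headers")
        lines = head.split(b"\r\n")
        try:
            method, target, version = lines[0].decode("ascii").split(" ")
        except (UnicodeDecodeError, ValueError):
            raise BadRequest("malformed request line") from None
        if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
            raise BadRequest(f"refused {method} {version}")
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            raise BadRequest("proxy requests must carry an absolute http:// URL")

        headers, host_header = [], None
        for line in lines[1:]:
            name, colon, value = line.partition(b":")
            name, value = name.strip(), value.strip()
            # A bare LF or CR inside a header is header injection: one client
            # line would become two server lines. Refuse rather than relay.
            if (not colon or not name or any(c <= 0x20 or c >= 0x7F for c in name)
                    or any(c < 0x20 or c == 0x7F for c in value)):
                raise BadRequest("malformed or injected header")
            if name.lower() == b"host":
                host_header = value
            elif not name.lower().startswith(b"proxy-"):   # hop-by-hop, meant for us
                headers.append((name, value))
        if host_header is not None and host_header.lower() != url.netloc.lower().encode():
            raise BadRequest("Host header does not match the request URL")

        path = url.path or "/"
        if url.query:
            path += "?" + url.query
        out = [f"{method} {path} {version}".encode("ascii"),
               b"Host: " + url.netloc.encode("ascii"),
               b"Via: 1.1 " + PROXY_EXTERNAL_IP.encode("ascii")]
        out += [name + b": " + value for name, value in headers]
        payload = b"\r\n".join(out) + b"\r\n\r\n" + body
        return Forwarded(PROXY_EXTERNAL_IP, (url.hostname, url.port or 80), payload)


# Constructed sample requests, as a browser configured to use a proxy sends them.
GOOD = (b"GET http://www.example.test/index.html HTTP/1.1\r\n"
        b"Host: www.example.test\r\nUser-Agent: W2K-browser\r\n"
        b"Proxy-Connection: keep-alive\r\n\r\n")
INJECTED = (b"GET http://www.example.test/ HTTP/1.1\r\nHost: www.example.test\r\n"
            b"X-Note: harmless\nGET /admin HTTP/1.1\r\n\r\n")
```

The circuit proxy lets alice reach port 80 and refuses bob, but whatever alice's browser sends goes through byte for byte, the injected line included. The application proxy rejects the injected request outright, and for the good one it emits a new origin-form request with its own Via header, dropping the Proxy-Connection header that was addressed to the proxy itself.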