'Fire Walls' Stand as a Protectant Between Trouble and the Network.
By Bruce Schneier
June 8, 1992
Large buildings are often built with fire walls -- fire-resistant barriers between vital parts. A fire may burn out one section of the building, but the fire wall will stop it from spreading. The same philosophy can protect Macintosh networks from unauthorized access and network faults.
A network fire wall usually is nothing more than a router configured to prevent certain network packets from traveling between parts of the network. For instance, a router can partition off the machines in the R&D department, so other network users can't access secret information. Some routers can be programmed to transfer electronic mail but restrict remote-terminal log-ons. And the chairman of the board's laser printer could be hidden from the rest of the network, so the average user can't print on that machine.
The Structure of Restrictions
"Cisco products have three levels of fire walling and two ways of doing it," said Larry Lang, AppleTalk product marketing engineer at Cisco Systems Inc. of Menlo Park, Calif. "You can block packets, you can filter different routes and you can filter zone lists. You can filter these based on network number or zone name."
Cisco's approaches are typical; most AppleTalk router vendors support one or more similar methods. The three levels differ in strength, which matters when choosing one. A packet filter drops traffic outright. A route filter keeps a network out of the routing tables of routers beyond the filter, so they have no path to it. A zone-list filter only keeps a zone out of the list users see in the Chooser; a user who already knows the network number can still send packets to machines in a hidden zone unless those packets are filtered as well. The benefit to users is connectivity without complete openness.
"Using Network Resources Corp.'s MultiGate Hubs, I was able to set up and isolate the accounting department but still connect it to the network," said Brian Sheldon, network manager at software developer DeltaPoint Inc. of Monterey, Calif. "I can still manage that hub from anywhere on the network."
As a site's network systems grow in size and different groups' networks merge, mutual protection can become a top priority.
"The campuswide AppleTalk network covers 15 subnets. Currently, our routers have no fire-wall capabilities whatsoever, so we have to ensure that the departmental network administrator is educated on the possible security problems before adding AppleTalk routing to the subnet," said Greg German, senior research programmer in the Network Design Office at the University of Illinois at Urbana.
"We are working with our routing vendors to define what kind of fire walling we can do. The bare minimum is the ability to limit routing to a range of valid AppleTalk network numbers," he said.
Inside and Out
Even more common than LAN fire walling is protection against dial-in and wide-area connections.
"There are two issues in network security: the threat from within and the threat from without," said Simson Garfinkel, co-author of "Practical Unix Security" published by O'Reilly and Associates Inc. "Fire walls are a way of making sure that people dialing into the network don't get access to the entire network."
When a multiprotocol router or hub includes connections for wide-area networks, the fire walls can be configured with the same features that affect LANs. Otherwise, a computer or dedicated device that connects LANs over slower-speed links can filter traffic.
"Our SyncRouter includes an optional feature called zone cloaking," said Tom Ver Ploeg, director of operations for Engage Communication Inc. of Aptos, Calif. "For example, if the SyncRouter connects AppleTalk networks in New York and Chicago to facilitate the transfer of files and electronic mail, a particular zone in Chicago can be cloaked from users in New York. No users in New York can see the cloaked Chicago zone."
It also is common to use the fire-wall capabilities of routers to keep extraneous local traffic off a company backbone and to allow only certain protocols onto the backbone.
This kind of fire wall is created for administrative reasons as often as for security. Isolating protocols to specific areas can add needed order to multiprotocol networks. This type of fire walling also keeps protocol-specific network problems from spreading.
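As an added example (not code from the article, and not the configuration language of Cisco, Engage, Cayman or any other vendor named here), the following Python model shows the three filter levels Lang describes, the inbound check on valid network numbers German asks for, the zone cloaking Ver Ploeg describes, and the backbone protocol filter discussed just above. The packet, route and zone structures are simplified stand-ins for DDP headers, RTMP route entries and ZIP zone lists, and every network, zone and packet in it is constructed. The demo makes the security point explicit: cloaking a zone keeps the executive printer out of the Chooser but does not stop a user who knows its network number from sending to it, whereas a packet filter does.

```python
"""Toy model of the AppleTalk fire-wall filters discussed in the article.
Added example: not code from the article or from any router vendor. The
packet, route and zone structures are simplified stand-ins for DDP headers,
RTMP route entries and ZIP zone lists; all sample data is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DDPPacket:
    """Fields of a DDP datagram header relevant to filtering."""
    src_net: int
    src_node: int
    dst_net: int
    dst_node: int
    ddp_type: int  # DDP protocol type; 3 = ATP, which carries AFP file and print traffic


def in_ranges(net, ranges):
    """True if network number `net` falls in any inclusive (lo, hi) range."""
    return any(lo <= net <= hi for lo, hi in ranges)


def range_within(cable_range, ranges):
    """True if the whole (lo, hi) cable range lies inside one allowed range."""
    lo, hi = cable_range
    return any(a <= lo and hi <= b for a, b in ranges)


@dataclass
class InterfacePolicy:
    """The filters one router interface applies (hypothetical model)."""
    deny_to: list = field(default_factory=list)         # level 1: drop packets to these net ranges
    advertise_only: list = field(default_factory=list)  # level 2: advertise only these ranges outbound
    accept_only: list = field(default_factory=list)     # level 2: accept inbound routes only in these ranges
    cloaked_zones: set = field(default_factory=set)     # level 3: omit these zones from zone-list replies


def forward_packet(policy, pkt):
    """Level 1, block packets: True if the router forwards `pkt`."""
    return not in_ranges(pkt.dst_net, policy.deny_to)


def outbound_routes(policy, routes):
    """Level 2, filter routes: the (cable_range, zone, hops) entries advertised out this interface."""
    return [r for r in routes if range_within(r[0], policy.advertise_only)]


def inbound_routes(policy, routes):
    """Level 2 in the other direction: accept only routes inside the valid campus
    range, so a misconfigured departmental router cannot inject bogus networks."""
    return [r for r in routes if range_within(r[0], policy.accept_only)]


def zone_list(policy, zones):
    """Level 3, filter zone lists ('zone cloaking'): the zones users see in the Chooser."""
    return [z for z in zones if z not in policy.cloaked_zones]


# Ethernet frame types for the backbone protocol filter (Phase 1 EtherTalk values;
# Phase 2 EtherTalk uses 802.2 SNAP encapsulation instead).
ETHERTYPE = {"ip": 0x0800, "arp": 0x0806, "appletalk": 0x809B, "aarp": 0x80F3, "ipx": 0x8137}


def backbone_admits(frame_type, allowed):
    """Protocol filter: admit a frame onto the backbone only if its type is allowed."""
    return frame_type in allowed


# Constructed sample network: campus nets 1-999; R&D on 100-109, Accounting on
# 200-209, the executive printer on net 50; anything above 999 is invalid here.
ROUTES = [((100, 109), "R&D", 1), ((200, 209), "Accounting", 1), ((50, 50), "Executive", 2)]
ZONES = ["R&D", "Accounting", "Executive", "Campus"]


def demo():
    """Run each filter on the sample data; returns a dict of results for checking."""
    campus_if = InterfacePolicy(
        deny_to=[(100, 109)],                 # nobody outside R&D may send to R&D machines
        advertise_only=[(200, 209), (50, 50)],
        accept_only=[(1, 999)],
        cloaked_zones={"Executive"},          # hide the chairman's printer from the Chooser
    )
    to_rnd = DDPPacket(300, 5, 105, 12, 3)
    to_printer = DDPPacket(300, 5, 50, 128, 3)
    bogus = [((65000, 65000), "Rogue", 1)]
    ip_only = {ETHERTYPE["ip"], ETHERTYPE["arp"]}
    return {
        "rnd_blocked": not forward_packet(campus_if, to_rnd),
        # Cloaking only hides the zone; a user who knows net 50 still gets through.
        "printer_hidden_but_reachable": ("Executive" not in zone_list(campus_if, ZONES))
                                        and forward_packet(campus_if, to_printer),
        "advertised": [r[1] for r in outbound_routes(campus_if, ROUTES)],
        "bogus_rejected": inbound_routes(campus_if, ROUTES + bogus) == ROUTES,
        "backbone_ip_only": (backbone_admits(ETHERTYPE["ip"], ip_only),
                             backbone_admits(ETHERTYPE["ipx"], ip_only)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints one line per check. The `printer_hidden_but_reachable` result is the one to notice: if the goal is to keep people from printing on the executive printer rather than merely keeping it out of sight, add its network to `deny_to` as well.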
"We allow IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange) and AppleTalk protocols over our network," DeltaPoint's Sheldon said. "In a few months we will move to a minicomputer and will allow only TCP/IP traffic across the backbone. Our intelligent routers will be able to easily implement this filtering."
Said Bill Mulvihill, network analyst for the Global Network Support Department at Motorola Inc.'s Semiconductor Products Center in Tempe, Ariz.: "We use filtering to maintain network integrity on our backbone. The Cayman GatorBoxes allow different LocalTalk zones to access each other via the TCP/IP backbone."
Audits Could be Next
"Fire walls have many benefits," Garfinkel said. "They help isolate physical failure of the network to a smaller number of machines. They limit the number of machines putting information on any physical segment of the network, thus limiting the damage that can be done by eavesdropping. They limit the machines that will be affected by flooding attacks. And they create barriers for attackers who are trying to attack specific machines in a network."
Said Brad Parker, director of advanced development at router vendor Cayman Systems Inc. of Cambridge, Mass.: "Current fire walls are well and good, but it's '80s technology.
"The next step is to provide audit trails. When your network security has been violated, it is very valuable to know who changed what and where they changed it," he said. In highly structured networks with intelligent clients and services that can communicate with each other to share a knowledge of who and where users are, audit trails may be possible. In the meantime, putting "locks on the doors" that lead to vital parts of the company network is the first step for network administrators concerned with security.