A Toolkit and Methods for Internet Firewalls

Marcus J. Ranum

Frederick M. Avolio

Trusted Information Systems, Inc.

Abstract

As the number of businesses and government agencies connecting to the Internet continues to increase, the demand for Internet firewalls — points of security guarding a private network from intrusion — has created a demand for reliable tools from which to build them. We present the TIS Internet Firewall Toolkit, which consists of software modules and configuration guidelines developed in the course of a broader ARPA-sponsored project. Components of the toolkit, while designed to work together, can be used in isolation or can be combined with other firewall components. The Firewall Toolkit software runs on UNIX® systems using TCP/IP with the Berkeley socket interface. We describe the Firewall Toolkit and the reasoning behind some of its design decisions, discuss some of the ways in which it may be configured, and conclude with some observations as to how it has served in practice.

Overview

Computer networks by their very nature are designed to allow the flow of information. Network technology is such that, today, you can sit at a workstation in Maryland, and have a process connected to a system in London, with files mounted from a system in California, and be able to do your work just as if all of the systems were in the same room as your computer. Impeding the free flow of data is contrary to the basic functionality of the network, but the free flow of information is contrary to the rules by which companies and governments need to conduct business. Proprietary information and sensitive data must be kept insulated from unauthorized access, yet security must have a minimal impact on the overall usability of the network.

The purpose of an Internet firewall is to provide a point of defense and a controlled and audited access to services, both from within and without an organization's private network. This requires a mechanism for selectively permitting or blocking traffic between the Internet and the network being protected¹. Routers can control traffic at an IP level, by selectively permitting or denying traffic based on source/destination address or port. Hosts can control traffic at an application level, forcing traffic to move out of the protocol layer for more detailed examination. To implement a firewall that relies on routing and screening, one must permit at least a degree of direct IP-level traffic between the Internet and the protected network. Application level firewalls do not have this requirement, but are less flexible since they require development of specialized application forwarders known as “proxies.” This design decision sets the general stance of the firewall, favoring either a higher degree of service or a higher degree of isolation. [1]

A proxy for a network protocol is an application that runs on a firewall host and connects specific service requests across the firewall, acting as a gateway. Figure 1 represents a minimal TELNET service proxy, in which the proxy forwards the user's keystrokes to a remote system, and maintains audit records of connections. Proxies can give the illusion to the software on both sides of a direct point-to-point connection. Since many proxies interpret the protocol that they manage, additional access control and audit may be performed as desired. As an example, the FTP proxy can block FTP export of files while permitting import of files, representing a granularity of control that router-based firewalls cannot presently achieve. Router-based firewalls can provide higher throughput, since they operate at a protocol level, rather than an application level, but practical experience running firewalls on modern RISC processors shows that with a T-1 connection, the bottleneck tends to remain the T-1 link rather than the firewall itself.

¹ Or, in general, between any two networks where one needs to be protected from the other.

Figure 1: An Application Proxy

(Figure: the user's workstation sends keystrokes to the application proxy on the firewall, which forwards them to telnetd on the remote system; server output is forwarded back through the proxy to the user; audit logs of the connection are maintained on the proxy.)
Proxies exist for a wide variety of services, such as X, FTP, TELNET, etc. Perhaps the most significant security benefit of employing proxies is that they provide a convenient opportunity to require authentication. For example, when connecting into a protected network from the Internet, one must typically first connect to the proxy, authenticate to it, and then complete a connection to a host within the protected network. The proxy protects the firewall host itself, by eliminating the need for the user to log into the firewall itself, and it protects the network by permitting only authenticated users to gain access from the outside. While hosts on the private network may still be rife with security holes, restricting the incoming traffic to authenticated users only is a good step in the right direction.

Other services, such as Internet (SMTP) mail and USENET news, act as store-and-forwarders already, and fit in with the proxy approach to firewalls. These service daemons sometimes run with system privileges and may contain bugs that an attacker can exploit. Many existing firewalls rely on approximate assessment of privileged systems software for their trustworthiness. This is sufficient if there are “well known working versions” of common programs such as the FTP server, ftpd. In some cases, however, the server can itself compromise security. A recent version of the WUArchive ftpd[2] contained a bug that permitted anyone on the Internet to gain super-user access to systems on which it was running. In our design, we attempt to sidestep the issue by providing proxies that can run locked into a specific subdirectory by means of “chroot” — a UNIX system call that permanently restricts the working filesystem of a process. Proxies are also designed to run without special system privileges, to further reduce the chance that they might be able to damage the system. Ideally it should be impossible for an outside user to ever interact with a privileged process. Practically speaking, the Internet service master daemon inetd, which is responsible for starting other service daemons, needs to run with privileges, but outside users cannot interact directly with it. There is a possibility that the kernel may have trapdoors or hidden network services built into it, but it is impractical to attempt to obtain and examine kernel sources for such flaws. Instead, make every effort to remove unnecessary kernel services at system build time.

Design Philosophy

The TIS Firewall Toolkit (hereafter referred to as “the toolkit”) is designed to be informally verified for correctness as a whole or at a component level. Since the firewall consists of discrete components, each providing a single service, each may be examined separately from the rest of the system. Components of the toolkit are as simple as possible in their implementation, and are distributed in source code form to encourage peer review. This appears to be a fairly novel approach for a network firewall, as many existing firewall systems rely on software that is “known to be good” or that is considered trustworthy because it has been used extensively for a long time.

One problem with the “known to be good” approach is that historically it hasn't been very reliable. Certain software components are frequently exploited in break-ins, no matter how carefully they are maintained. Problem programs are usually complex pieces of software, implemented in tens of thousands of lines of code, which require system privileges in order to operate. As a step towards addressing this, the firewall toolkit operates in accordance with the following general firewall design principles:

• Even if there is a bug in the implementation of a network service, it should not be able to compromise the system. Services that are misconfigured should not work at all, rather than opening holes.

• Hosts on the untrusted network should not be able to connect directly to network services that are running with privileges.

• Network services are implemented with a minimum of features and complexity. The source code is simple enough to be reviewed thoroughly and quickly.

• There should be reasonable and pragmatic means of testing that the system is correctly installed.

The toolkit is designed to be used with a host-based security policy, but its components can be used with router-based firewalls. In this paper, we will focus on the former. In a host-based firewall, the security of the host is crucial; once it is compromised the entire network is open to attack. Still, we believe that a host-based firewall is superior to other solutions because of the ease with which it can be maintained, configured, customized and audited. When the toolkit is used with router-based firewalls, it is assumed that the toolkit software is running on a secure host that is permitted some degree of access between the protected network and the Internet, by means of routers. This leaves the option of configuring the routers to provide additional avenues between the protected network and the Internet for whatever reason; such additional avenues are outside the scope of the toolkit and should be provided only after careful security analysis.

The toolkit may be used in conjunction with router-based screening as extra security. To minimize risks, the services that are provided on the external machine, which we will refer to as a “bastion host”, following the terminology proposed by Ranum[3], are sharply curtailed and each service is subjected to review. On the “standard” firewall configuration, the only services supported are SMTP, FTP, NNTP, and TELNET. Other proxies such as Digital Equipment Corporation's X Window System proxy [4] can be added to this architecture.

SMTP service is supported through a non-privileged front end that runs locked in a “safe directory” via chroot. FTP is supported via a proxy that runs without requiring special privileges. NNTP is supported via a “tunnel” server that permits traffic between a host on the inside and its news server on the outside. TELNET service is via a proxy that runs unprivileged. Since all other services on the system are disabled selectively, it is only these four services that must be analyzed for risk. By analyzing the security of each service in isolation, we are able to gain a degree of trust in the system beyond merely being able to state “Well, we don't think there are any bugs.” With all the services running unprivileged we can make a stronger statement, to wit, “The security of an individual service is irrelevant to the overall security, as the server is running in a captive mode.”

Configuration and Components

Figure 2 represents the toolkit installed in an environment that combines routers and a firewall bastion host. The implementation of the security controls is shared (in this example) between the routers and the firewall: the routers are responsible for controlling network-level access, and the bastion host provides application-level control. A simpler firewall configuration would consist of a dual-homed gateway, in which a workstation with two network interfaces is connected to both networks, and has IP forwarding disabled. Dual-homed gateways are less flexible than firewalls that combine routers and hosts, since the option to route services at a network level is generally not available.² On the other hand, with a dual-homed gateway, the administrator can have a higher degree of confidence that no network traffic will be able to somehow “leak” through a router, since routers are no longer an integral part of the security system.

² Some versions of UNIX support packet screening within the operating system.
Figure 2: A Screened Host Firewall

(Figure: the Internet connects through a screening router to the private network; traffic from the router to the bastion host is permitted and traffic to other nodes is blocked; on the bastion host, SMTP, FTP, TELNET and rlogin are relayed to the other hosts via the application proxies.)
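As an added illustration of the minimal-service stance described above (only SMTP, FTP, NNTP and TELNET enabled, every other service disabled, UDP off, proxies run unprivileged), here is an audit script that is not part of the toolkit: it reads an inetd.conf in the classic BSD format and reports every enabled entry that falls outside that policy. The allowed service set, the "unprivileged means not started as root" rule, and the sample inetd.conf (including its program paths and user names) are assumptions constructed for the example.

```python
"""Audit an inetd.conf against a minimal-service bastion host policy.

Added example, not code from the TIS Firewall Toolkit. It checks that only
the four services the paper's "standard" configuration offers are enabled,
that no UDP service is enabled, and that each enabled service is handed to
an unprivileged user. Policy and sample data are assumptions.
"""

# Assumed policy: the four services the paper's standard bastion host offers.
ALLOWED_SERVICES = {"smtp", "ftp", "nntp", "telnet"}
# Assumed: a service is "unprivileged" if inetd does not start it as root.
PRIVILEGED_USERS = {"root"}

# Constructed sample inetd.conf (not a real host) in classic BSD format:
#   service socket_type protocol wait/nowait user server_program args
SAMPLE_INETD_CONF = """\
# constructed sample, not a real host's configuration
ftp     stream  tcp  nowait  uucp  /usr/local/etc/ftp-gw    ftp-gw
telnet  stream  tcp  nowait  uucp  /usr/local/etc/telnet-gw telnet-gw
smtp    stream  tcp  nowait  uucp  /usr/local/etc/smap      smap
nntp    stream  tcp  nowait  uucp  /usr/local/etc/plug-gw   plug-gw nntp
#finger stream  tcp  nowait  nobody /usr/libexec/fingerd    fingerd
tftp    dgram   udp  wait    root  /usr/libexec/tftpd       tftpd
login   stream  tcp  nowait  root  /usr/libexec/rlogind     rlogind
"""


def parse_inetd_conf(text):
    """Return (entries, findings): entries are
    (lineno, service, socket_type, protocol, user, program) for each enabled
    line; malformed lines become findings rather than being silently skipped."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out services are disabled
        fields = line.split()
        if len(fields) < 6:
            findings.append((lineno, "malformed entry: %r" % raw))
            continue
        service, socket_type, proto, _wait, user, program = fields[:6]
        entries.append((lineno, service, socket_type, proto, user, program))
    return entries, findings


def audit_inetd_conf(text, allowed=ALLOWED_SERVICES):
    """Return a list of (lineno, message) findings; an empty list means the
    file matches the minimal-service policy."""
    entries, findings = parse_inetd_conf(text)
    for lineno, service, socket_type, proto, user, program in entries:
        # The paper disables UDP entirely: UDP cannot be proxied.
        if proto.startswith("udp") or socket_type == "dgram":
            findings.append((lineno, "UDP service %r enabled; policy allows TCP only"
                             % service))
        # Only the reviewed services may be reachable from the outside.
        if service not in allowed:
            findings.append((lineno, "service %r enabled but not in the reviewed set %s"
                             % (service, sorted(allowed))))
        # Outside users must never talk to a privileged process.
        if user in PRIVILEGED_USERS:
            findings.append((lineno, "service %r (%s) started as %s; it should run unprivileged"
                             % (service, program, user)))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_inetd_conf(SAMPLE_INETD_CONF):
        print("line %d: %s" % (lineno, msg))
```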
The toolkit is designed to build a host-based firewall, with security being enforced by a single bastion host. For ease of management, all the proxies and access control tools use a single configuration file with a regular syntax. We thought this was useful due to the generally complex configuration of various publicly available firewall tools, of which no two are configured in the same way. The configuration rules are designed to provide both configuration and service and access permissions information, being read top-to-bottom and left-to-right. Hostnames or IP addresses including simple wildcards can be used in configuration rules, but IP addresses are preferred since DNS addresses are vulnerable to spoofing.

# Example ftp gateway rules:
# --------------------------
ftp-gw: authserver 127.0.0.1 7777
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: permit-hosts 192.33.112.100
ftp-gw: deny-hosts 128.52.46.*
ftp-gw: permit-hosts 192.33.112.* -log { retr stor } -auth { stor }
ftp-gw: permit-hosts * -authall
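To show how rules in this syntax are evaluated, the following added example (not the toolkit's own code) parses the ftp gateway rules above and decides, for a given application name and client address, whether a connection is permitted and which -log / -auth / -authall options apply. It assumes first-match, top-to-bottom semantics, a '*' wildcard matched against the whole address or hostname, and deny as the default when no permit-hosts or deny-hosts rule matches.

```python
"""Evaluate access rules written in the toolkit's single-config-file syntax.

Added example, not code from the TIS Firewall Toolkit. Lines have the form
'<app>: <keyword> <args...>'. Assumptions: first matching permit-hosts or
deny-hosts rule wins (rules are read top-to-bottom); '*' is the only
wildcard; a client matching no rule is denied.
"""
import fnmatch
import re

# The ftp-gw rules from the paper, reproduced here as the sample input.
SAMPLE_RULES = """\
# Example ftp gateway rules:
ftp-gw: authserver 127.0.0.1 7777
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: timeout 3600
ftp-gw: permit-hosts 192.33.112.100
ftp-gw: deny-hosts 128.52.46.*
ftp-gw: permit-hosts 192.33.112.* -log { retr stor } -auth { stor }
ftp-gw: permit-hosts * -authall
"""

# '-log { retr stor }' -> ('log', ' retr stor '); '-authall' -> ('authall', '')
_OPTION_RE = re.compile(r"-(\w+)(?:\s*\{([^}]*)\})?")


def parse_rules(text):
    """Return {app: [(keyword, args_string), ...]} preserving file order."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        app, _, rest = line.partition(":")
        keyword, _, args = rest.strip().partition(" ")
        rules.setdefault(app.strip(), []).append((keyword, args.strip()))
    return rules


def parse_host_rule(args):
    """Split 'pattern -opt { a b } -flag' into (pattern, {opt: set or None}).
    A set lists the commands the option applies to; None means a bare flag."""
    pattern, _, opt_text = args.partition(" ")
    options = {}
    for name, body in _OPTION_RE.findall(opt_text):
        options[name] = set(body.split()) if body else None
    return pattern, options


def host_matches(pattern, client):
    # fnmatchcase matches the whole string, so '192.33.112.*' cannot
    # accidentally match '192.33.1123'.
    return fnmatch.fnmatchcase(client, pattern)


def decide(rules, app, client):
    """First matching permit-hosts/deny-hosts rule wins; no match -> deny.
    Returns (permitted, options_of_the_matching_rule)."""
    for keyword, args in rules.get(app, []):
        if keyword not in ("permit-hosts", "deny-hosts"):
            continue                # settings such as timeout or authserver
        pattern, options = parse_host_rule(args)
        if host_matches(pattern, client):
            return (keyword == "permit-hosts", options)
    return (False, {})


def requires_auth(options, command):
    """True if the matched rule demands authentication before 'command'."""
    if "authall" in options:
        return True
    auth_cmds = options.get("auth")
    return auth_cmds is not None and command.lower() in auth_cmds


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for client in ("192.33.112.100", "192.33.112.7", "128.52.46.9", "10.1.2.3"):
        permitted, opts = decide(rules, "ftp-gw", client)
        print(client, "permit" if permitted else "deny", opts)
```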

The firewall toolkit functionality can be broken down into six areas: logging, electronic mail, the Domain Name Service, FTP, TELNET, and TCP access control.

Logging

Significant security events and audit records are logged to a protected host on the internal network via the syslog facility. The version of syslogd that the toolkit uses is based on the BSD “net2” sources, with some modifications to support pattern-matching and program execution on matched patterns. Many systems administrators have batch processes set up on their systems to alert them of possible security problems by searching the system logs at regular intervals. By permitting the system manager to add regular expressions to the syslogd configuration, security-related log messages can be identified instantly. Syslogd contains further modifications that permit an arbitrary command to be invoked with any specified logging rule, so that,
for example, vitally important security log events can be delivered to the system manager's beeper or delivered by electronic mail. Adding command execution to syslogd implies that the syslogd configuration file must be protected against unauthorized modification.

Electronic Mail

Mailers are one of the favorite points of attack against UNIX systems. The Morris Internet worm exploited a well-known hole in the standard UNIX SMTP server, sendmail. Many systems running sendmail, including those with Internet firewalls, were penetrated by the worm. A few that had replaced sendmail with other SMTP servers were not. Since that time, a variety of other security holes have been identified in sendmail and fixed in more recent releases.

The problem with mailers is twofold: they are complex and perform file system activity, and they require privileges so that they can manipulate mailboxes or execute mail processing programs on the behalf of users. To help secure mail service, direct network access to sendmail is prevented. A simple program that implements a skeleton of the SMTP protocol is presented on the SMTP port on the mail server. This SMTP proxy, called smap, is small enough to be subjected to a code review for correctness (unlike sendmail) and simply accepts all incoming messages and writes them to disk in a spool area. Rather than running with permissions, the proxy runs with a restricted set of permissions and runs “chrooted” to the spool area. A second process is responsible for scanning the spool area and delivering the mail messages to the real sendmail for delivery — a mode of operation in which sendmail can operate with reduced permission. Many Internet firewalls run sendmail and rely on “trustworthy” versions of the software; running the mail software in a reduced-permissions mode is a more general solution to the problem, side-stepping the issue of whether or not a given version of sendmail contains bugs.

While smap answers all valid SMTP commands sent to it, it does not execute any of them except those directly involved with mail exchange: HELO, FROM, RCPT, DATA, and QUIT. Other commands, such as VRFY and EXPN, return a polite error message. Smap preserves sendmail's functionality, while preventing an arbitrary user on the network from communicating directly with it. Analyzing sendmail's 20,000 lines of source code for bugs is a sizable task when compared to analyzing smap's 700 lines. Smap is not a panacea, however, as firewalls remain vulnerable to data-driven attacks in which messages may be mailed to hosts on the private network, possibly triggering security holes in internal mailers. Since many of these attacks have a distinctive signature, smap or the firewall's mailer can be configured to attempt to identify these letter-bombs, but the security administrator is forced into the unfortunate position of an arms-race in which a reactive role must be taken as new attacks are invented. To reduce the risk of attacks that exploit mailing through programs, the mailer on the firewall itself is configured so that program execution is disabled. Disabling program execution is often an unacceptable solution on a multi-user system, but since the firewall is not a general use host, we prefer to reduce the risk of someone being able to execute arbitrary commands from afar.

Domain Name Service (DNS)

The name service software available for UNIX implements an in-memory read-only database. As such, it cannot be used to gain unauthorized access to a system. Some past attacks on firewalls have used name service spoofing as a technique for impersonating trusted network hosts. In order to remove the threat of name service spoofing, the firewall does not rely on name service for any security related information. The name server software is necessary for high performance large-scale mail systems and is configured so that the only application that relies on name service for addressing is the electronic mail system. DNS names are also used in audit records, but are always presented along with host network addresses; mismatches are flagged as possible spoofing attempts.

FTP

The FTP application gateway is a single process that mediates FTP connections between two networks. Since it performs no disk access other than reading its configuration file and is a small and relatively uncomplicated program, it can be argued that it is not capable of compromising the security of the system. Just to be certain, the application gateway runs as a non-privileged user, after “chrooting” itself to a private directory on the system. To control FTP access, the application gateway reads a configuration file, containing a list of FTP commands that should be logged, and a description of what systems are allowed to engage in
FTP traffic. All traffic can be logged and summarized. Optionally, the gateway can permit FTP traffic from the Internet to the campus network for users who first authenticate themselves to the system.

TELNET

The TELNET application gateway is a small, simple application that mediates TELNET traffic. As with the FTP application gateway, the only file accessed is the configuration file that is read at start-up. Immediately after the configuration file is read, the TELNET application gateway is “chrooted” to a restricted directory, where it runs as a non-privileged process. The TELNET gateway's configuration file allows specification of which systems or networks can use it, and what systems or networks it will permit connection to. Initially, it will be configured to permit campus systems to use the gateway to connect to Internet systems, but not vice-versa. Optionally, the TELNET gateway can require authentication before permitting use. All connections and their durations are logged.

UDP-Based Services

Since we decided that no direct traffic would be permitted between an outside system and an inside system, and since UDP is connectionless and point-to-point (and so cannot be used through network proxies), UDP services are not allowed. Many UDP-based services such as NTP and DNS can be provided transparently through a firewall by configuring the servers to act as forwarders for queries originating within the protected network.

TCP Access and Use

On BSD-based UNIX systems, most network processes are started up by an initial connection to a general-purpose network listener inetd, which establishes a connection between the incoming request and the program to service the request. For example, an incoming request for the TELNET service is “heard” by the running network listener. The program, according to inetd's configuration file and the entry for TELNET, is executed and connected to the incoming request.

Inetd, the Internet services daemon, performs no function other than to invoke specified processes to manage network services when a system attempts to connect to them. Some vendor implementations permit a systems administrator to specify the user-id that the service should be invoked as, but there is no provision for limiting access based on the source of the request. A variety of implementations of “wrapper” processes are available on the Internet with varying functionality[5].

The toolkit uses a “wrapper” process called netacl, which provides support for all TCP-based services. (If only TCP-based services are supported, UDP services are disabled and are no longer a threat worth worrying about.) Netacl has no great advantages over other versions of TCP wrappers, other than its minimal size (240 lines of code, including a large copyright header and comments), its lack of support for UDP (purposely), and its sharing a common configuration mechanism with the other tools in the toolkit.

TCP Plug-Board Connection Server

Certain services such as Usenet news are often provided through a firewall. In such a situation, the administrator has the choice of either running the service on the firewall machine itself or installing a proxy server. Since running news on the firewall itself might expose the system to any bugs in the news software, it is safer to use a proxy to gateway the service onto a “safe” system on the campus network. Plug-gw is a general purpose proxy that “plugs” two services together transparently. Its primary use is for supporting Usenet news, but it can be employed as a general-purpose proxy if desired. Plug-gw is configurable, as are the other proxy servers. Since it only acts as a data pipe, it performs no local disk I/O and invokes no subshells or processes. Like the other proxy servers, it logs all connections.

Plug-boarding TCP connections through one's firewall should be undertaken with a degree of caution, since plug-gw uses no authentication other than the host address of the client, and does no examination of the traffic passing across it. In the case of NNTP, for example, a security flaw in the NNTP server on the internal host could still be exploited. The firewall will make it much harder for an attacker to gain access to the internal system to further exploit the hole; if the flawed NNTP server were running on the firewall bastion host itself, the entire firewall might be vulnerable. Alternate approaches, such as engineering the news server to run “chrooted”, are potential areas for future research. From a standpoint of systems
administration is simplified by running it on a readily accessible internal server.

User Authentication

The network authentication server authsrv provides a generic authentication service for toolkit proxies. Its use is optional, required only if the firewall FTP and TELNET proxies are configured to require authentication. Authsrv acts as a piece of “middleware” that integrates multiple forms of authentication, permitting an administrator to associate a preferred form of authentication with an individual user. This permits organizations that already provide users with authentication tokens to enable the same token for authenticating users to the firewall. A secondary goal of authsrv was to provide a simple programming interface for authentication service, since commercial authentication systems tend to have unique, nonstandard, interfaces. Several forms of challenge/response cards are supported, along with software-based one-time password systems, and plaintext passwords. Use of plaintext passwords over the internet is strongly discouraged, due to the threat of password sniffing attackers.

A simple administrative shell is included that permits the authentication database to be manipulated over a network, with optional support for encryption of authentication transactions. The authsrv database supports a basic form of group management; one or more users can be identified as the administrator of a group of users, and can add, delete, enable, or disable users within that group. Authsrv internally maintains information about the last time a user authenticated to the server and how many failed attempts have been made. It can automatically disable or time-lock accounts that have multiple failures. Extensive logs are maintained of all authsrv transactions. Authsrv is intended to run on a secured host, such as the bastion host itself, since its database must be protected from attack.

Testing Firewalls

Throughout the design of the toolkit, we tried to design each component so that it relied wherever possible on protections in the UNIX environment, rather than on elaborate code designed to check and deter threats. While the toolkit software doesn't include a test suite, it is designed to be easy to verify that each component operates as it is intended. As an example, the SMTP proxy smap runs “chrooted” to a subdirectory as an unprivileged process. It stands to reason that if the proxy performs this operation properly, all files will be created in the proper directory, with the proper user permissions. If the administrator verifies that this is indeed the case, he can rely on the security of the operating system's support for “chroot” and user file permissions. By examining the assumptions of each service proxy, a degree of assurance that the firewall is well protected can be gained. This does not address the problem of possible bugs or protocol errors in the proxy implementations that might still permit a service to pass through the firewall. To attempt to address this, every effort is made to keep the implementation of the proxies, especially the parts that deal with access control, as simple as possible.

Firewall administration requires a seasoned UNIX systems manager. While the toolkit is fairly easy to install, it assumes an amount of expertise on the part of the administrator, since he must know how to interpret error conditions, configure the system, and disable potentially threatening services. While it is a temptation to make the toolkit software self-installing and self-configuring, doing so raises the possibility that someone might install it who lacks the basic skills necessary to know if they have in fact secured their network. Packaging the toolkit as a set of components that can be used freely has proven effective, since it fills a need on the part of those experienced system managers who would have had to design, write, debug, and test their own implementations if ours were not available.

Future Directions

In the future we will focus on the problem of adding newer interactive information retrieval services such as Gopher, WAIS and World Wide Web and broadcast services such as MBONE. Possible avenues for future research include integrating cryptography with the firewall software to permit firewall-to-firewall service and firewall-to-firewall authentication, possibly using kerberos protocols. Support for IP-on-demand services like PPP poses a problem for firewalls: is the dial-up user to be treated as an untrusted Internet host or as a part of the protected network? Adding support for authenticated and encrypted PPP service on the firewall itself is being examined.

Observations

In practice, we find that running servers without special system privileges increases our assurance that the firewall is secure. More
importantly, the methodology of turning off all services but a minimum, and then auditing each one on a case-by-case basis further increases confidence that the system is harder to break into. The basic design decisions in setting up a firewall (to route or not to route, to rely on the host or the router) remain unchanged, but the toolkit will work with either model.

Firewalls are a stop-gap measure that is needed because many services are developed that operate either with poor security or no security at all. Perhaps the most important lesson we can learn from firewalls is the need for strong session-level authentication in applications and well-designed application protocols.

Availability

The TIS Internet Firewall Toolkit is available in source form via anonymous FTP from ftp.tis.com: /pub/firewall/toolkit/fwtk.tar.Z. Information is available from the authors at fwall-[email protected]. Send mail to fwall-users-[email protected] to be added to the firewall toolkit user's mailing list. Future enhancements to the toolkit will be announced on fwall-users and other relevant mailing lists.

Acknowledgements

This work was done, in part, under a contract from the U. S. Department of Defense, Advanced Research Projects Agency (ARPA), number DABT 63-92-C-0020. [6]

References

[1] Marcus J. Ranum, “Thinking About Firewalls,” Proceedings of Second International Conference on Systems and Network Security and Management (SANS-II), April 1993.

[2] Washington University Saint Louis, FTP server daemon. Available for FTP from wuarchive.wustl.edu.

[3] Marcus J. Ranum, “An Internet Firewall,” Proceedings of First International Conference on Systems and Network Security and Management (SANS-I), November 1992.

[4] G. Winfield Treese and Alec Wolman, “X Through the Firewall, and Other Application Relays,” Proceedings of USENIX Summer Conference, 1993. Also available as Cambridge Research Lab Technical Report 93/10, Digital Equipment Corporation, May 3, 1993.

[5] Wietse Venema, “TCP WRAPPER, network monitoring, access control, and booby traps,” UNIX Security Symposium III Proceedings (Baltimore), September 1992.

[6] Frederick M. Avolio and Marcus J. Ranum, “A Network Perimeter With Secure External Access,” Internet Society Symposium on Network and Distributed Systems Security, February 1994.

William Cheswick, “The Design Of a Secure Internet Gateway,” Proceedings of the 3rd USENIX Security Symposium, September 1992.

Stephen M. Bellovin and William Cheswick, “Firewalls and Internet Security: Repelling the Wily Hacker,” Addison-Wesley, Spring 1994.

Frederick M. Avolio is a principal analyst with Trusted Information Systems, Incorporated, and active in network security consulting and product development. He has lectured on the subject of Internet gateways and firewalls and electronic mail configuration and has performed consulting services in these areas, both for government and in the private sector. He has worked in the UNIX and TCP/IP communities since 1979. Mr. Avolio has an undergraduate degree in Computer Science from the University of Dayton and a Master of Science from Indiana University.

Marcus Ranum is a senior scientist at Trusted Information Systems. He is the chief architect of the firewall toolkit and spends most of his time on Internet security issues.

UNIX is a registered trademark of X/Open Company, Ltd.
