A good policy

Simon Heron, internet security analyst, Network Box
Network Security, April 2009, pp. 12–14

FIREWALL POLICY

A long time ago, I installed my first firewall and took the approach, unusual at the time, of blocking all incoming ports below 1024 and only opening up those incoming connections that the company needed. Back then, it was far more common to allow all incoming connections and to block only certain specified ports (such as telnet, rsh etc.). It seems incredible now that that was a realistic approach to perimeter security.

It didn't last long. Very quickly, it was found that neither of these policies was up to the task. Now, everyone blocks all incoming ports and opens inwards only those ports that are required for the business to operate. This is not always successful: if the application now visible to the internet has a vulnerability for which an exploit has been written, the firewall will provide no protection against it. However, it is the starting point of security and allows the more effective use of other defensive techniques.

Of course, in the early days outgoing traffic was considered to be fine and all of it was allowed outbound. As with incoming firewall rules, the initial approach was modified by blocking the offending ports. But as the threat has increased, it has become necessary to block all outgoing ports by default and to open only those which the organisation requires, in much the same way as incoming ports are configured.

But why is this good practice? Surely everything inside the network is trusted?

Malware

A lot of malware that gets installed attempts to contact other machines. The recent Downadup worm is an example of a Trojan/worm that gets into the network via a USB key and then attempts to contact other machines in the domain and brute-force the admin password to gain access and install itself.

It is not the first. Many others have had functions that try to access the internet on commonly used ports, or try the old favourite of installing an SMTP engine and mailing everyone in the host's email address book.

By blocking all SMTP (TCP/25) traffic except from the legitimate mail server, these types of malware cannot mail out and hence will not embarrass the company or get its IP address onto a blacklist. Similarly, blocking other ports prevents access on 137 or 138 (NetBIOS), or on any other port that the malware might use to spread itself or simply to 'call home' for instructions.

Of course, malware writers have become much more cunning and now look to use the ports they know must be open, like port 80. However, their job is now more difficult: with good gateway protection (application firewalls and intrusion detection and prevention), closing the other ports forces the malware onto the few ports that are heavily scanned for exactly such activity.

Employees

A major issue for IT departments is their end users, the organisation's employees. Not so long ago, it was okay to install any application you wanted so that you could have the tools you felt comfortable with at your fingertips. The problem was that, with the increase of malware hiding itself in 'free' applications, the network was getting infected. In addition, of course, some employees were happily connecting to peer-to-peer (P2P) networks and downloading files, videos and software. This was another source of malware, but even without that, it meant that the company's bandwidth was being used for non-business purposes and in some cases by people who did not even work for the firm.

To try to combat this, many companies have now implemented lists of authorised software that employees can install on their machines, but this does not necessarily stop the more determined user from still using their favourite chat program.

However, by blocking all the ports, users are forced to abandon some applications and to configure others to use the ports that are left open. This again helps the IT manager to monitor and control the applications in use.

Applications

The use of the internet has increased enormously in the past few years. With the advent of instant messaging, twittering, social networking, P2P, VoIP and Web 2.0 applications like MySpace and Facebook, there is an ever-increasing number of applications available for use. More than 15 000 applications alone have been written for Facebook.

Before, it was possible to block messaging applications simply by blocking TCP/1863, the MSN Messenger port (see figure 1), but now IM employs port-hopping techniques to find another port to go out on. This can be TCP/80 or TCP/443, which are likely to be open, or it can go through a web proxy if one is implemented (see figure 2).

However, having corralled IM into using the proxy, the IT manager can use a number of different techniques to control it. For instance, if the firewall or gateway solution deploys a content filtering engine, then it is a case of using a 'chat' category to define who is allowed to access IM and when. This is true even when IM uses HTTPS (TCP/443), because the proxy still sees the requested destination and can apply the control.
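The difference between the two outbound policies described above, and why a port-hopping client finds a way out under one and not the other, can be made concrete with a small first-match rule evaluator. This is an added example and not the author's or Network Box's configuration; the LAN addressing (10.0.0.0/24 with a resolver, a mail relay and a web proxy), the port numbers and the rule lists are constructed for illustration.

```python
"""Default-allow versus default-deny outbound policy, modelled as a
first-match rule list.  Added illustration, not the article's code:
the hosts, ports and rules below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source address or CIDR
    dst: str              # destination address or CIDR
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Policy:
    rules: List[Rule]
    default: str          # verdict when no rule matches

    def decide(self, src: str, dst: str, dport: int) -> str:
        """First matching rule wins; otherwise the policy default."""
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                return rule.action
        return self.default


# Constructed addressing: a /24 LAN holding a DNS resolver, an SMTP
# relay and a web proxy; everything else is "the internet".
LAN, RESOLVER, MAIL_RELAY, PROXY = "10.0.0.0/24", "10.0.0.53", "10.0.0.25", "10.0.0.80"
ANY = "0.0.0.0/0"

# The early approach: let everything out, then block the "offending"
# ports as they are noticed (TCP/1863 for MSN Messenger, TCP/25 from
# anything but the mail relay).
OLD_POLICY = Policy(
    rules=[
        Rule("deny", LAN, ANY, 1863),
        Rule("allow", MAIL_RELAY, ANY, 25),
        Rule("deny", LAN, ANY, 25),
    ],
    default="allow",
)

# The approach the article argues for: deny by default and open only
# what the organisation needs, each from the host that needs it.
NEW_POLICY = Policy(
    rules=[
        Rule("allow", LAN, RESOLVER, 53),    # workstations use the internal resolver
        Rule("allow", RESOLVER, ANY, 53),    # only the resolver does DNS to the outside
        Rule("allow", MAIL_RELAY, ANY, 25),  # only the mail relay sends SMTP
        Rule("allow", LAN, PROXY, 3128),     # all web access goes through the proxy
        Rule("allow", PROXY, ANY, 80),
        Rule("allow", PROXY, ANY, 443),
    ],
    default="deny",
)


def port_hop(policy: Policy, src: str, dst: str, candidates: Iterable[int]) -> Optional[int]:
    """What a port-hopping client (IM, Skype, malware) finds: the first
    candidate port the firewall lets through directly, or None when
    every direct path is closed and only the proxy remains."""
    for port in candidates:
        if policy.decide(src, dst, port) == "allow":
            return port
    return None


if __name__ == "__main__":
    ws, outside = "10.0.0.10", "203.0.113.5"
    hops = [1863, 5222, 80, 443, 8080]
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, "port found by hopping:", port_hop(policy, ws, outside, hops))
        print(name, "workstation SMTP engine:", policy.decide(ws, outside, 25))
        print(name, "mail relay SMTP:", policy.decide(MAIL_RELAY, outside, 25))
```

Under the old policy the hopping client is denied on 1863 and simply moves to the next port, which the default lets through; under the new policy every direct path is denied and the only route out is the proxy on 3128, where the controls discussed in the rest of the article can be applied. A workstation's own SMTP engine is denied in both, but only the deny-by-default policy also stops the same machine from calling home on 80 or 443.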

More difficult is when Skype is being used. As with IM, it has port-hopping capabilities and is extremely aggressive in finding open ports if they exist, so closing down all outgoing ports is crucial if it is to be controlled or blocked at all. This usually forces it onto HTTPS, and this is where the fun and games start, because it is a P2P application: it doesn't have a nice list of known servers that can be blocked, as IM does. And since the body is encrypted, the content of the packets is not known and is almost indistinguishable from genuine HTTPS traffic.

But now that we know where it is, there are a number of tools in the IT manager's tool kit that allow us to manage the protocol.

Man-in-the-middle

In this solution, the gateway product acts as the man-in-the-middle (see figure 3). When a client makes an HTTPS request, the request is intercepted by the gateway, and the gateway makes the request to the intended site. When it receives the site's certificate, it accepts it on behalf of the client and returns to the client a certificate of its own. The user has to accept this or decide not to go to the secure site. Once accepted, the gateway simply relays the data from the remote site and scans the decrypted information using deep packet inspection for evidence of the user agent or other identifier of the traffic. In a managed environment the gateway's signing certificate is normally pushed into the corporate trust store so that users are not prompted at all; an application that refuses any certificate other than its own simply fails to connect, which for an application the company wants blocked is the desired outcome.

The obvious downside of this is that the secure link is compromised by the gateway device and there are privacy implications. Any company using this must make it perfectly clear to their employees that this is what they are doing. For employees, and especially management, this might not be an attractive option, but with the ability to intercept traffic in this fashion, other tunnelling protocols can then be monitored and the HTTPS link can effectively be scanned for viruses and other malware.

Signature

In some cases it is possible to see a signature in the encrypted traffic (typically in the unencrypted handshake, or in packet sizes and timing) and identify that traffic as Skype, or whatever application is being sought. This signature can then be used to control the traffic.

This depends on the vendor of the application keeping the packets the same and not introducing variety that changes the signature. Usually the gateway product updates the signature as it changes, so that the traffic can still be identified. Obviously, a signature for each type of traffic has to be developed and maintained, which limits the number of protocols that can be controlled in this way.

Walled garden

If the gateway product has a content filtering application like SurfControl/Websense, then some companies are happy to implement what is known as a 'walled garden'. In this solution, users are only allowed to visit sites that have been categorised by the content filtering application or subsequently whitelisted by the company's IT department. This ensures that access to the super nodes used by P2P software like Skype can be denied, and again allows the company to control or block the application.

The downside here is that the 'walled garden' can be quite limiting on the company's employees and might affect productivity. However, if this can be tolerated and there is a quick way of whitelisting sites requested by employees, then not only is it effective, but it also protects the company from the majority of infected websites and P2P nodes.

Figure 1: Firewall using proxies.

Raw IP format block

Most P2P applications are trying to reach nodes from which they can download data or, in the case of Skype, make voice calls. These nodes are not referred to by name, as they are dynamic in nature and use distributed computing over 'volunteer' machines. They are instead accessed by the actual IP address (21w.22x.13y.04z). They also tunnel through the proxy with the HTTP CONNECT method, which means that any respectable web proxy can carry an access control list (ACL) that blocks any CONNECT request to TCP/443 whose destination is a 'raw' IP address. Once again, the IT team has control of the protocol and can block it if they choose.

With this solution, some legitimate sites may no longer be accessible, but the vast majority of secure websites accessed over HTTPS using CONNECT will be requested by host name and not by IP address. If the P2P application does start using a host name, it is very easy to add that to either the content filtering engine's blacklist or to the ACL.
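The proxy-side decision described above, combining the raw-IP CONNECT block with the walled-garden category check from the previous page, as an added example that is not part of the original article and not any particular proxy product's code. The request lines, the stand-in category table, the whitelist and the rule that tunnels may only be opened to port 443 are all constructed assumptions; the bare-integer check in `is_raw_ip` goes slightly beyond the text, since some clients accept an address written as a single decimal number.

```python
"""Access decision for HTTP CONNECT requests at a web proxy: refuse
tunnels to raw IP literals and to uncategorised or blocked sites.
Added illustration; the data below is constructed, not real."""
import ipaddress
import re
from typing import Dict, Set, Tuple

# Ports a CONNECT tunnel may be opened to (assumption: only HTTPS).
TUNNEL_PORTS = {443}

# Stand-in for the content-filtering engine's category lookup (constructed).
CATEGORY: Dict[str, str] = {
    "www.example.com": "business",
    "mail.example.net": "webmail",
    "chat.example.org": "chat",
}
ALLOWED_CATEGORIES = {"business", "webmail"}

# Sites IT has whitelisted by hand (constructed).
WHITELIST: Set[str] = {"vpn.partner.example"}

# CONNECT host:port HTTP/1.x, with the host either a bracketed IPv6
# literal or anything up to the port separator.
REQUEST_LINE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$"
)


def parse_connect(line: str) -> Tuple[str, int]:
    """Split a CONNECT request line into (host, port); reject anything else."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError("not a CONNECT request line: %r" % line)
    host = m.group("host").strip("[]").lower()
    return host, int(m.group("port"))


def is_raw_ip(host: str) -> bool:
    """True for dotted-decimal IPv4, IPv6 literals and (added check)
    a bare integer such as 3405803777, which some clients resolve to an
    address without any DNS lookup."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return host.isdigit()


def decide(line: str, walled_garden: bool = True) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for one CONNECT request line.
    With walled_garden=True an uncategorised site is denied unless
    whitelisted; with it off, only raw IPs and blocked categories are."""
    host, port = parse_connect(line)
    if port not in TUNNEL_PORTS:
        return "deny", "tunnel port %d not permitted" % port
    if is_raw_ip(host):
        return "deny", "CONNECT to raw IP address"
    if host in WHITELIST:
        return "allow", "whitelisted"
    category = CATEGORY.get(host)
    if category is None:
        if walled_garden:
            return "deny", "uncategorised site"
        return "allow", "uncategorised site (walled garden off)"
    if category in ALLOWED_CATEGORIES:
        return "allow", category
    return "deny", "category %r blocked" % category


if __name__ == "__main__":
    # Constructed request lines of the kind a proxy log would show.
    for req in (
        "CONNECT 203.0.113.7:443 HTTP/1.1",       # P2P super node by address
        "CONNECT [2001:db8::1]:443 HTTP/1.1",     # same, IPv6
        "CONNECT 3405803777:443 HTTP/1.1",        # 203.0.113.1 as one integer
        "CONNECT www.example.com:443 HTTP/1.1",   # categorised, allowed
        "CONNECT chat.example.org:443 HTTP/1.1",  # IM over HTTPS, 'chat' blocked
        "CONNECT vpn.partner.example:443 HTTP/1.1",
        "CONNECT new.example.test:443 HTTP/1.1",  # nobody has categorised it yet
        "CONNECT www.example.com:8443 HTTP/1.1",  # not a permitted tunnel port
    ):
        print("%-44s %s (%s)" % ((req,) + decide(req)))
```

The order of the checks matters: the port and raw-IP tests come first because they need no lookup and cannot be argued around by a whitelist entry, while the category test is where the 'chat' category policy from the IM discussion is applied to HTTPS traffic the proxy cannot otherwise see into.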

Conclusions

In practice, IT staff find that management does not ask for a port to be closed. What management want is to block an application like Skype, MSN Messenger, ICQ or some other protocol/application. The problem is that it is trivial to drill through a firewall with open (unfiltered) outbound ports, either using tunnelling software or by the application searching through all available ports until it finds one open. The solution is to use the same approach to security policy outbound as inbound: block all ports, and then allow (in a controlled manner) what is strictly required. For most companies, the firewall can be configured to block all outbound connections except those from designated relays (the internal DNS resolver, the SMTP mail server, and so on) and to force all web access through a web proxy (for control and policy enforcement), with little or no negative impact on user productivity but with huge improvements in security and control.

Once the default is 'block all', fine-grained controls can be put in place, or ports can even be opened up for specific workstation addresses that require them. This isn't a silver bullet: there are still ways round and through firewalls, either in error, when a route that bypasses the firewall is inadvertently opened up, or through the more sophisticated tunnelling techniques; but it is good policy and reduces the problem to a few exceptions which require more knowledge and a deliberate intent to ignore company policy. Removing the bulk of the issues allows the IT team to focus on those exceptions rather than dealing with the trivial, which is far more interesting!

Figure 2: Tunnelling through the HTTP proxy.

Figure 3: Man-in-the-Middle.