Transcript AMIA 2000 Presentation as PowerPoint

The Futility of Common
Firewall Policies
November 8, 2000
James E. Ries, M.S.
Phillip V. Asaro, M.D.
Arturo Guillen
Jordanka Ivanova
Overview
• Many organizations utilize firewalls to protect
their internal networks.
• Firewalls are also often configured to deny access
to certain external services from within the
internal network.
• The latter policy can be subverted through a
protocol "tunneling" strategy, which has been
implemented as a set of programs called
"Firehole".
Contents
Motivation
 What are firewalls?
 Common firewall policies
 What is “Firehole”?
 Why did we create Firehole?
 Discussion

Contents (cont.)
Conclusions
 References
 Questions

Motivation
Information Systems Security is a
timely issue (see recent Microsoft
penetration).
 Healthcare organizations have
especially sensitive information, and
must pay close attention to security
policies (and are mandated to do so
by HIPAA).

What are firewalls?
Barrier between secure intranet and
open Internet.
 Barrier may range from
impermeable to porous, but likely at
least somewhat porous.
 Barrier typically configured to
selectively allow in-bound and/or
out-bound traffic.

What are firewalls? (cont.)

Screening Routers
What are firewalls? (cont.)

Proxies
Common firewall policies

Allow only connection-oriented
traffic which was initiated internally.
– This prevents external entities from
accessing internal resources, but
allows most client applications to
enjoy unrestricted usage.
Common firewall policies (cont.)

As above, but also restrict TCP/IP
ports (e.g., HTTP [80], Telnet [23],
etc.)
– Prevents unknown or “custom”
applications from functioning.
– Still allows unfettered internal use
for most applications.
Common firewall policies (cont.)

As above, but require all traffic to go
through a proxy.
– Provides finer control (e.g., URL
filtering).
– Facilitates logging (which may give
rise to privacy issues).
– Extremely common example is to allow
only HTTP traffic through proxy, thus
denying all other applications.
What is “Firehole”?
Combination client and server
application which encapsulates
arbitrary traffic in HTTP.
 Enables arbitrary traffic (e.g., email)
to travel through an HTTP proxy.
 Requires a server deployed on the
open Internet, and a client deployed
on the intranet.

What is Firehole? (cont.)
Client
Application
FireWall &
News
Proxy
Server
NNTP
Netscape,
Outlook
119
80
POP
SMTP
NNTP
25
119
HTTP
80
HTTP
80
FireHole
Server
25
25
POP
SMTP
FireHole
Client
119
Mail
Server
Why did we create Firehole?

Aren’t you guys really just a bunch
of hackers?
– What if we called it an “Email
Gateway”?
Make administrators aware of this
technology.
 Argue for properly motivated access
policies.

Discussion

Add encryption.
– Prevents internal “eavesdropping”.
– May thus make Firehole useful even for native
HTTP traffic.
– Prevents external eavesdropping.

Improve performance.
– Support persistent connection.
– Support anticipated response.
– Use POST method instead of GET.
Discussion (cont.)

Support asynchronous applications
through polling (e.g., Telnet).
– Polling raises additional security concerns.

Compare our mechanism to emerging
standards (e.g., SOAP).
 Survey network administrators regarding
firewall policies.
– Do they believe firewalls prevent access to
external email, or other resources?
– What are their concerns regarding access to
external resources?
Conclusions
Firewalls can block external access
to internal resources.
 The capability of a firewall to
selectively block internal access to
external resources is illusory.

Conclusions (cont.)
Internal access to the Internet in
ANY form can be utilized to achieve
arbitrary access to the Internet.
 Administrators should be aware of
this fact, and may consider that
blocking access to legitimate
external resources may incite users
to subvert their policies.

References

Firehole home page
http://riesj.hmi.missouri.edu/Firehole/

“Firewalls” by Chapman, Zwicky
http://www.sunworld.com/swol-01-1996/swol-01-firewall.html

Internet Firewalls and Network
Security by Siyan, Hare, New Riders
Publishing, 1995.
Questions