An Architectural Overview of UNIX Network Security
<P><PRE>
------------------------------| POLICY |------------------------------
                              |        |
          --------------------| PERSONNEL |--------------------
                              |        |
                    ----------| LAN |----------
                         Enet |  Enet |
                        -----------------
                        |  INTERNAL-D   |
                        -----------------
                         Enet |  Enet |
                        -----------------        UNIX server with two Ethernet interfaces and
                        | GATEWAY-SERVER|        custom software and configuration to implement
                        -----------------        security policy (proxy services, auditing).
                         Enet |  Enet |
                        -----------------
                        | PACKET-FILTER |        cisco IGS router with access lists
                        -----------------
                         X.25 |       |
                        -----------------
                        |  EXTERNAL-D   |        leased DID line to WAN service
                        -----------------
                              |       |
                        + Public Access +
</PRE>
<P><H3>3.1 PUBLIC or NON-PRIVATE CONNECTIVITY</H3>
<P>This layer of the model characterizes all external physical connectivity to your network. This normally includes equipment and telephone lines that you do not own or do not have control over. The point of illustrating this is to show this part of the connectivity as part of the overall model. At some point at this layer, equipment that you do own or have control of will connect to the external or public network. Your own policy and implementation must take the dynamics of this connectivity into account.
<P><H3>3.2 ROUTER (FIREWALL PHYSICAL LAYER)</H3>
<P>This layer of the model depicts the point at which your physical connectivity and your data stream become one. Without going into hysterics about all of what a router is and does, the point is that at this layer your electrical connectivity, which contains encapsulated data in some form, becomes information. Your router will decode the electrical signals from the physical connectivity and turn them into packets of encapsulated data for any one of various networking protocols.
Within this packet of information is contained the source address, destination address, protocol ID, the datagram itself, etc.
<P>Many routers available today include the capability to create access control lists (ACL) for either one or both of the outgoing and the incoming data interfaces [1][5]. This normally includes the capability to filter out or allow in packets based upon source address, destination address, protocol (such as TCP, UDP, ICMP, etc.) and specific port numbers (TCP and UDP). This provides you the flexibility to design your own network access control policy, enforced at the router, before access to your internal network resources is required or granted. In this way, routers alone are often used to provide the firewall functionality.
<P>While the router ACL capability offers a big advantage, it should not be your only protection because, basically, the router only provides protection at the first three levels of the OSI model (Physical, Data Link, and Network layers). The rest of the layers of this firewall model discuss ways to address functional security of the other four OSI layers (Transport, Session, Presentation, and Application).
<P>Availability: I only have personal experience with CISCO routers; however, I've been told that Wellfleet and Proteon routers also have this feature. There may be other vendors as well, but they probably all implement it a little differently.
<P><H3>3.3 DUAL-HOMED UNIX GATEWAY SERVER (FIREWALL LOGICAL LAYER)</H3>
<P>This layer of the model illustrates the point at which your various IP packets (to and from the router) are used by the network operating system (such as TCP/IP under UNIX) to provide the services identified in the upper four layers of the OSI model.
Of course, this UNIX server is actually doing work at the bottom three OSI layers also, in order to communicate with: (a) the router on one side of the server, and (b) the local-area network on the other side of the server.
<P>At this point the router is already implementing your security policy for the bottom three OSI layers; now it's up to your dual-homed [10] UNIX server (acting as a gateway) to implement your security policy relating to functions of the network for the upper four OSI layers. This can mean a lot of things. Depending on what your security policy says you are supposed to enforce, what you do at this point varies. The following tools and methods are examples of some of the tools and methods (functionality) available today:
<P><H4>3.3.1 TCP Wrapper</H4>
<P>The "TCP WRAPPER" tool [2] provides monitoring and control of network services. Essentially, what happens is that you configure inetd on your dual-homed gateway to run the TCP WRAPPER software whenever certain services (ports) are connected to. Depending on how you configure TCP WRAPPER, it will then LOG information about the connection and then actually start the intended SERVER program that the connection was intended for. Since you have the source to the tool, you can modify it to do more depending on what your needs are. For example, you may want TCP WRAPPER to connect the user to a proxy service instead of the actual program, then have your proxy software handle the transaction in whatever way your security requirements demand.
<P>Availability: This is available from several sources, but to ensure that you get the most recent copy that CERT has verified, you should use anonymous FTP to retrieve it from cert.org in ~/pub/tools/tcp_wrappers/tcp_wrappers.*.
<P><H4>3.3.2 SOCKS library and sockd</H4>
<P>The "sockd" and "SOCKS Library" [3] provide another way to implement a "TCP Wrapper." It is not intended to make the system it runs on secure, but rather to centralize ("firewall") all external internet services.
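As an added example (not TCP Wrapper's or sockd's own code), the following Python models the step that 3.3.1 and 3.3.2 have in common: a connection is checked against allow and deny rule files written as "daemon_list : client_list", logged either way, and then handed to the real server program or to a proxy. The rule text, host addresses, daemon names and the handler functions are constructed for illustration.

```python
# Added example (not TCP Wrapper's or sockd's code): a simplified model of the
# check, log and dispatch step described in 3.3.1 and 3.3.2; rules and hosts are constructed.
from typing import Callable, Optional

AUDIT_LOG: list[str] = []     # stand-in for the syslog entries the wrapper writes

def parse_rules(text: str) -> list[tuple[set[str], list[str]]]:
    """Parse 'daemon_list : client_list' lines into (daemons, client patterns)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(({d.strip() for d in daemons.split(",")},
                      [c.strip() for c in clients.split(",")]))
    return rules

def _client_matches(pattern: str, client: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # network prefix such as "192.0.2."
        return client.startswith(pattern)
    return pattern == client

def _matches(rules, daemon: str, client: str) -> bool:
    return any(("ALL" in daemons or daemon in daemons)
               and any(_client_matches(p, client) for p in patterns)
               for daemons, patterns in rules)

def wrap(allow: str, deny: str, daemon: str, client: str,
         server: Callable[[str], str], proxy: Optional[Callable[[str], str]] = None) -> str:
    """Allow rules are consulted first, then deny rules; a client matching neither
    is let through (the order TCP Wrapper uses for hosts.allow and hosts.deny)."""
    allowed = _matches(parse_rules(allow), daemon, client)
    denied = not allowed and _matches(parse_rules(deny), daemon, client)
    decision = "deny" if denied else "allow"
    AUDIT_LOG.append(f"{daemon}: connect from {client}: {decision}")   # log every attempt
    if denied:
        return "refused"
    # Start the intended server, or hand the connection to a proxy when one is configured.
    return (proxy or server)(client)

# Constructed policy: ftp and telnet only from the internal net, everything else refused.
HOSTS_ALLOW = "in.ftpd, in.telnetd : 192.0.2.\n"
HOSTS_DENY = "ALL : ALL\n"

def fake_ftpd(client: str) -> str:        # stand-in for the real server program
    return "ftpd serving " + client
```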
The sockd process is started by inetd whenever a connection is requested for certain services, and then only allows connections from approved hosts (listed in a configuration file). The sockd also will LOG information about the connection. You can use the SOCKS Library to modify the client software to directly utilize the sockd for outgoing connections also, but this is described as very tedious and of course requires you to have the source to those client programs.
<P>Availability: The socks package, which in addition to including both the daemon and the library has a pre-modified FTP client and finger client, is available via anonymous FTP from s1.gov in ~/pub as socks.tar.Z. Contact the authors for more information: David Koblas (koblas@netcom.com) or Michelle R. Koblas (mkoblas@nas.nasa.gov).
<P><H4>3.3.3 Kernel_Wrap for SunOS RPC via Shared Libraries</H4>
<P>Essentially this is a wrapper for SunOS daemons that use RPC [4], such as portmap, ypserv, ypbind, ypupdated, mountd, pwdauthd, etc. To utilize this, you must have SunOS 4.1 or higher and must have the capability to rebuild your shared libraries (but you don't need the source to your entire system). Essentially what happens is that you modify the function calls that the kernel uses to establish RPC connections, such as accept(), recvfrom() and recvmsg(). Since these calls are maintained in the shared libraries, you have access to modify them without rewriting the kernel.
<P>Availability: The secured C library package to implement this is available via anonymous FTP from eecs.nwu.edu in ~/pub/securelib.
<P><H4>3.3.4 Swatch</H4>
<P>Simple WATCHER [6] is really two things. It is a program used to parse through the myriad of LOG data generated by the various security programs, in particular "syslog." But it's more than that. It is fully configurable with triggers (actions), so that while it is continuously monitoring the LOG in "real-time," it can take actions based upon certain high-priority events that you tell it to watch for.
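As an added example (not Swatch itself), the following Python sketches the trigger-and-action idea in the same spirit: syslog-style lines are streamed through patterns, and each match fires an action. The threshold rule (alert only after repeated refusals from one host) is my own addition, and the log lines, patterns and host addresses are constructed.

```python
# Added example (not Swatch): a watcher in the style of 3.3.4 that streams syslog-style
# lines through trigger patterns and fires an action on each match. All data is constructed.
import re
from collections import defaultdict
from typing import Callable, Iterable

Action = Callable[[str, re.Match], None]

class Watcher:
    def __init__(self) -> None:
        self._triggers: list[tuple[re.Pattern, Action]] = []
        self.alerts: list[str] = []        # stand-in for mail/bell/exec actions

    def watch_for(self, pattern: str, action: Action) -> None:
        self._triggers.append((re.compile(pattern), action))

    def feed(self, lines: Iterable[str]) -> None:
        # Process lines as they arrive; every trigger whose pattern matches fires.
        for line in lines:
            for regex, action in self._triggers:
                if (match := regex.search(line)):
                    action(line, match)

def make_threshold(watcher: Watcher, limit: int) -> Action:
    # Action that alerts once the same client has been refused `limit` times.
    counts: dict[str, int] = defaultdict(int)
    def action(line: str, match: re.Match) -> None:
        host = match.group("host")
        counts[host] += 1
        if counts[host] == limit:
            watcher.alerts.append(f"{limit} refused connections from {host}")
    return action

def build_watcher() -> Watcher:
    w = Watcher()
    # One failed su to root is high priority: alert immediately.
    w.watch_for(r"su: BAD SU (?P<user>\S+) to root",
                lambda line, m: w.alerts.append(f"bad su to root by {m.group('user')}"))
    # Repeated TCP Wrapper refusals from one host: alert on the third.
    w.watch_for(r"refused connect from (?P<host>[\d.]+)", make_threshold(w, 3))
    return w

SAMPLE_LOG = """\
Mar  4 10:02:11 gateway in.telnetd[212]: refused connect from 198.51.100.5
Mar  4 10:02:15 gateway in.telnetd[213]: refused connect from 198.51.100.5
Mar  4 10:03:01 gateway in.ftpd[220]: connect from 192.0.2.9
Mar  4 10:03:40 gateway su: BAD SU guest to root on /dev/ttyp1
Mar  4 10:04:02 gateway in.telnetd[230]: refused connect from 198.51.100.5
""".splitlines()                        # constructed syslog lines, not real data

def run_sample() -> list[str]:
    w = build_watcher()
    w.feed(SAMPLE_LOG)
    return w.alerts
```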
To get full use of this, you will need to modify your network service daemons such as ftpd and telnetd so that enhanced logging is added to syslog, to feed SWATCH.
<P>Availability: The SWATCH source and documentation are available via anonymous FTP from sierra.stanford.edu in ~/pub/sources.
<P><H4>3.3.5 Controlled Access Point (CAP)</H4>
<P>This is more of a method or protocol definition than a specific product. CAP [7] provides a network mechanism intended to reduce the risk of: password guessing, probing for well-known accounts with default passwords, trusted host rlogin, and password capture by network snooping. It is really a design for a variation or enhancement to the general firewall approach to connecting two or more networks. In the paper describing this there is an example of two local nets, one a secure segment with an authentication service, and the other an unsecure segment. Both communicate with each other via a CAP, while there is a router for communication to public networks connected on the unsecure side of the CAP. The CAP is essentially a router with additional functionality to detect incoming connection requests, intercept the user authentication process, and invoke the authentication server.
<P>Availability: Unknown. Contact the authors for more information: J. David Thompson (thompsond@orvb.saic.com) and Kate Arndt (karndt@mitre.org).
<P><H4>3.3.6 Mail Gateway</H4>
<P>This is more of a procedure than a software package (although there are packages designed just to do this). I included this to maintain continuity with what I'm trying to illustrate in this paper. This really should be applied to all network services that require external connectivity (meaning any communication over non-private or non-secure channels). In the simplest implementation of this, you configure your router to filter packets so that all mail traffic (SMTP protocol for example) is only allowed to and from one host, the "Mail Gateway."
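As an added example (not code from the paper), the following Python models the first-match access-list semantics described in 3.2 (match on source, destination, protocol and port; implicit deny when nothing matches), loaded with this mail-gateway rule for the external interface. The addresses, the "net:" prefix notation and the sample packets are constructed for illustration.

```python
# Added example (not from the paper): a first-match packet filter in the style of
# the router access lists of 3.2, loaded with the mail-gateway rule of 3.3.6.
# Addresses, the "net:" prefix syntax and the sample packets are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str                       # source address
    dst: str                       # destination address
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # destination port (TCP and UDP only)

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str = "any"
    src: str = "any"               # exact address, "net:<prefix>" or "any"
    dst: str = "any"
    dport: Optional[int] = None    # None matches every port

def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern.startswith("net:"):          # textual prefix match, e.g. "net:192.0.2."
        return addr.startswith(pattern[4:])
    return pattern == addr

def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def filter_packet(acl: list, pkt: Packet) -> str:
    """Return the action of the first rule that matches; no match means deny."""
    for rule in acl:
        if _rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed inbound list for the external interface: SMTP may reach only the
# mail gateway; any other inbound SMTP, and anything not listed, is dropped.
MAIL_GATEWAY = "192.0.2.25"
INBOUND_ACL = [
    Rule("permit", proto="tcp", dst=MAIL_GATEWAY, dport=25),
    Rule("deny",   proto="tcp", dst="net:192.0.2.", dport=25),
    Rule("permit", proto="icmp", dst="net:192.0.2."),
]
```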
Likewise, your DNS and MTA software will need to be configured for this as well.
<P><H4>3.3.7 Tty Wrapper</H4>
<P>This is one of my pet ideas. I have not seen something like this around, and I'll probably never have time to develop it. But essentially this would be like "TCP Wrapper," only it is designed specifically for serial communications. After that, we will need a "Pseudo-Tty Wrapper" (something more than just filtering out the telnet port), but that is for another day.
<P><H4>3.3.8 HSC-Gatekeeper</H4>
<P>The HSC-Gatekeeper from Herve' Schauer Consultants [8] is a complete solution to both layers 1 and 2 of this firewall model. It consists of a thorough firewall methodology and authentication server, providing pass-thru FTP and TELNET services. The author (Herve Schauer) noted that HSC-Gatekeeper is alone in being able to offer fully transparent authentication for these services. I have not had personal experience with HSC's products, so I cannot make a conclusive statement about it other than to comment that the description of it in HSC's paper "An Internet Gatekeeper" (available in the USENIX Proceedings) depicts it (IMHO) as a very comprehensive solution.
<P>Availability: For more information, contact Herve Schauer via e-mail at Herve.Schauer@hsc-sec.fr.
<P><H4>3.3.9 AT&T Inet</H4>
<P>Since I discussed HSC's firewall solution, I thought it only fair to mention AT&T's INET Gateway. For a complete description of AT&T's internal solution, you should read Bill Cheswick's paper [9] "The Design of a Secure Internet Gateway." For additional information, contact the author via e-mail at ches@research.att.com. I do not believe that AT&T is in the business of selling this solution to anyone, but the paper describes in good detail how it was done.
It should provide the puritan firewaller additional depth on the problems and possible solutions of an Internet firewall approach.
<P><H3>3.4 COMPUTERS ON THE LOCAL-AREA NETWORK</H3>
<P>This layer of the model depicts the place where you are potentially at the greatest risk. The previous layers discussed ways to protect access to this layer of the network. This layer includes all of your local-area network, workstations, file servers, data bases, and other network resources. This is also the point at which your user community sits at their desks and uses the network.
<P>There are several things to be concerned about here, access to this layer in the first place notwithstanding. Just because