TidBITS#247 19941010

Firewalls, Part II

by Jonathan Hue <hue@island.com>

In Part II of our article on firewalls, we look at some of the most popular Macintosh Internet applications and describe a few of the ways you can make them work from behind a firewall. We also look at how you can get through your firewall from the outside with your Macintosh. Many of the terms used in this article were explained back in Part I, so if you haven't read Part I, check out TidBITS-246 first.

Note: Always check with your network manager before you run a new application which accesses the Internet through your firewall. Your company may have a security policy in place and you might accidentally violate it by trying to "punch through" your firewall with a new program.

Working with a packet screening router -- Packet screening routers are usually the most friendly towards Macs, since they don't favor any particular operating system (the mechanisms employed by other firewall components are generally easier to work with from Unix clients). It is always possible to configure a router to permit a particular Mac client to pass its traffic through the router, although some network managers prefer more restrictive filtering on their firewall routers, and end up blocking the ports which your applications use. In general, if you have a good enough reason to pass a certain type of traffic through the router, your network manager can configure the router to allow it.

If a firewall uses a packet screening router in conjunction with an application-level gateway, you need to worry first about the more restrictive of the two components, the application-level gateway. However, you may still need to open a hole through the router after you get your Mac client to work with the application gateway.

Working with application-level gateways -- Application-level gateways are available for most of the popular Mac Internet applications. HTTP (HyperText Transfer Protocol, used by Web browsers such as Mosaic and MacWeb), Gopher, FTP, and Telnet are fairly easy to support, and free gateways are available.

The most common HTTP gateway is the CERN HTTP server operating in proxy mode, which also supports FTP and Gopher. The most secure way to run this is to put the proxy server inside your firewall, and have the server use SOCKS to get through the firewall. This method is more secure because the CERN HTTP server is a large, complex piece of code, and one of the basic rules of firewalls is that you should not run large, complex pieces of code on them. Mosaic 2.0a8 for the Mac supports the CERN proxy server, as does MacWeb 1.00A2.2 [1].

An additional benefit of the CERN proxy server is that it can be configured to cache documents you retrieve, thereby reducing the network load on the Internet, while at the same time speeding future access to the files.

FTP and Telnet can be proxied with the FTP gateway and Telnet gateway from Trusted Information Systems' freely available Firewall Toolkit. Although both require slight changes in the way you use FTP and Telnet clients, they do work with existing Macintosh FTP and Telnet clients, such as Fetch, Anarchie (the TIS ftp-gw FTP proxy requires a small modification to work with Anarchie 1.3.1), and NCSA Telnet. For instance, with Fetch, instead of putting the remote host name in the host field, you enter the name of your firewall, and instead of "anonymous" for the user, you enter "anonymous@ftphost.domain.org", where <ftphost.domain.org> is the name of the remote FTP server you are trying to access. Similarly, with the Telnet proxy, you always connect to the Telnet proxy on the firewall first, and then give the proxy a command to connect to the remote host. This may sound as though you are first logging onto the firewall, and then running the client, but in fact, the proxy method is much better. Except for making the initial connection, the proxy is transparent to the Macintosh client. Furthermore, actual logins onto the firewall do not occur (allowing users to log onto the host running an important part of your firewall is considered very bad).
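To make the "anonymous@ftphost.domain.org" login convention concrete, here is an added example (not code from the TIS Firewall Toolkit) that models how an FTP gateway of this kind interprets the USER argument and checks the requested destination against a policy before relaying; the function names, reply texts and domain allowlist are assumptions.

```python
# Added example (not TIS ftp-gw code): models an FTP application gateway
# interpreting "user@ftphost.domain.org" and enforcing a destination policy.
import logging
from dataclasses import dataclass
from typing import Optional, Set

logger = logging.getLogger("ftp-gw-model")  # hypothetical logger name


@dataclass
class ProxyLogin:
    user: str        # login name to present to the remote FTP server
    dest_host: str   # remote server the client asked to be relayed to


def parse_proxy_user(user_arg: str) -> Optional[ProxyLogin]:
    """Split the USER argument at its last '@'.

    'anonymous@ftphost.domain.org' -> user 'anonymous', host 'ftphost.domain.org'.
    Splitting at the last '@' keeps a user name that itself contains '@'
    (e.g. an e-mail address given as the anonymous user) intact.
    Returns None when no destination host was supplied.
    """
    user, sep, host = user_arg.rpartition("@")
    if not sep or not user or not host:
        return None
    return ProxyLogin(user=user, dest_host=host.lower())


def permitted_destination(host: str, allowed_domains: Set[str]) -> bool:
    """Policy check: relay only to hosts under an explicitly allowed domain."""
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def handle_user_command(user_arg: str, allowed_domains: Set[str]) -> str:
    """Return the reply line the gateway would send back to the Mac client."""
    login = parse_proxy_user(user_arg)
    if login is None:
        return "501 Use USER user@host to name the remote FTP server"
    if not permitted_destination(login.dest_host, allowed_domains):
        logger.warning("denied relay to %s", login.dest_host)
        return f"550 Relay to {login.dest_host} not permitted by firewall policy"
    # A real gateway would now open the outbound connection and forward
    # 'USER <login.user>' to login.dest_host; this model only reports that.
    return f"331 Relaying to {login.dest_host} as {login.user}; send password"
```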

Commercial firewalls based on application-level gateways provide similar functionality. Some make the gateway completely transparent to the user.

The most Macintosh-unfriendly firewall is one which uses the SOCKS circuit-level gateway. Few Macintosh applications have been "socksified." NCSA Mosaic 2.0a8 supports the use of a SOCKS gateway, as does the latest version of Peter Lewis's Anarchie. SOCKS support is planned for MacWeb as well, but these are the only applications I know of which support a SOCKS gateway. As mentioned in Part I, it is easy to "socksify" a Unix application (source code is not even required on some platforms), but there is currently no easy way to support SOCKS on the Macintosh. For more information on SOCKS, see:

ftp://ftp.nec.com

The only consolation in this is that the Web browsers support multiple protocols, so you can still get to Gopher and WAIS resources through a firewall via a Web browser.

Anarchie merits special attention, since Archie clients are a bit different from most other Macintosh clients. Archie uses the UDP protocol, rather than TCP. Because of this, an Archie client cannot be "socksified," or relayed by a generic TCP relay program such as "plug-gw" from the TIS Firewall Toolkit.

ftp://ftp.tis.com

Fortunately, there is a solution in the form of a program called "udprelay", which is very similar to plug-gw, except it works with programs that use UDP. It also provides a SOCKS-like replacement library, which is not terribly useful to the typical Mac user, although it is useful for those who wish to get Unix UDP clients to work from behind a firewall.

Accessing your network from outside the firewall -- If you have a firewall, you may find you want to access your network from the outside. For example, you might travel to a customer site which has Internet access and find you need to FTP a file from your desktop workstation. Since the Internet is an untrusted network, you should not use reusable passwords when accessing your network from the Internet; instead, you should use a strong authentication method, such as a challenge/response using hand-held authentication tokens or single-use passwords. One way to incorporate these devices into a firewall is to present the user with the challenge before access to the gateway is allowed. If the user does not provide the proper response, access to the gateway is denied. This type of authentication is not supported in Anarchie or Fetch, so you must use NCSA Telnet for Telnet and FTP access when a challenge/response system is used.
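As an added illustration of the gate just described (not code from the article or from any firewall vendor), the following models a gateway that issues a fresh challenge per login attempt and admits the user only on the response their token would compute; the secret store, the HMAC-based token function and the eight-character response length are assumptions standing in for a real hand-held token.

```python
# Added example: a minimal challenge/response gate in front of a gateway.
# The token algorithm (truncated HMAC-SHA256) and secret store are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class ChallengeGate:
    """Issues one random challenge per attempt; the challenge is consumed on
    verification, so a captured response cannot be replayed later."""

    def __init__(self, token_secrets: Dict[str, bytes]):
        self._secrets = token_secrets            # user -> shared token secret
        self._pending: Dict[str, str] = {}       # user -> outstanding challenge

    def issue_challenge(self, user: str) -> str:
        """Present a challenge. Unknown users still receive one, so the prompt
        itself does not reveal which user names exist on the gateway."""
        challenge = secrets.token_hex(8)
        self._pending[user] = challenge
        return challenge

    @staticmethod
    def token_response(secret: bytes, challenge: str) -> str:
        """What the user's hand-held token computes for a given challenge."""
        mac = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        return mac[:8]

    def verify(self, user: str, response: str) -> bool:
        """Admit only on a correct response to the outstanding challenge.
        The challenge is removed whether or not the response is right, so a
        second guess needs a new challenge and every response is single-use."""
        challenge: Optional[str] = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = self.token_response(secret, challenge)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response)
```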

More information about firewalls -- There are many excellent sources of information on firewalls available on the Internet. Two of the best are the Firewalls mailing list (available in regular and digest format; subscribe by sending email to <firewalls-request@greatcircle.com> or <firewalls-digest-request@greatcircle.com>) and the Web site and FTP archive at:

http://www.greatcircle.com/
ftp://ftp.greatcircle.com/pub/firewalls/

The recent book by the architects of Bellcore's firewall ("Firewalls and Internet Security" by Bill Cheswick and Steve Bellovin) should be required reading for anyone who works with firewalls. Trusted Information Systems also maintains Web and FTP servers that have good information on firewalls.

http://www.tis.com/
ftp://ftp.tis.com/pub/firewalls/

[1] Currently, you must use ResEdit to enable MacWeb to use the CERN proxy HTTP server. Edit STR# resource number 803 (entitled "Proxy Info"). Strings are of the form: "<protocol>;<http_proxy_url>"; one per protocol. For example, using host <proxy.foo.com> for gopher would be declared as:

gopher;http://proxy.foo.com/

Other examples include:

http;http://proxy.foo.com/
ftp;http://proxy.foo.com/

Commercial Firewall Products

ANS Interlock
by ANS -- <info@ans.net> -- 703/758-7723

Firewall-1
by Checkpoint Software Technologies -- <support@checkpoint.com> -- 800/429-4391

Gauntlet
by Trusted Information Systems -- <netsec@tis.com> -- 301/854-6889

JANUS Firewall Server
by Border Network Technologies Inc. -- <info@border.com>

Raptor Eagle
by Raptor Systems -- 302/996-3331

Companies That Offer Firewall Consulting

Trusted Information Systems
3060 Washington Road
Glenwood, MD 21738
<netsec@tis.com>
301/854-6889

Great Circle and Associates
1057 West Dana Street
Mountain View, CA 94041
<info@greatcircle.com>
415/962-0841