At best, a firewall protects a network from undesired access from the rest of the
Internet; it cannot provide security to legitimate communication between the
inside and the outside of the firewall. In contrast, the cryptography-based security
mechanisms described in this chapter are capable of providing secure communication
between any participants anywhere. This being the case, why are firewalls so
common? One reason is that firewalls can be deployed unilaterally, using mature
commercial products, while cryptography-based security requires support at both
endpoints of the communication. A more fundamental reason for the dominance
of firewalls is that they encapsulate security in a centralized place, in effect factoring
security out of the rest of the network. A system administrator can manage the
firewall to provide security, freeing the users and applications inside the firewall
from security concerns, or at least from some kinds of security concerns.
Unfortunately, firewalls have serious limitations. Since a firewall does not
restrict communication between hosts that are inside the firewall, an adversary who
manages to run code on any host internal to a site can reach all the other local hosts. How
might an adversary get inside the firewall? The adversary could be a disgruntled
employee with legitimate access. Or the adversary's software could be hidden in
some software installed from a CD or downloaded from the Web. Or an adversary
could bypass the firewall entirely by using a wireless link or a telephone dial-up
connection that attaches an internal host to the outside without passing through the firewall.
Another problem is that any parties granted access through your firewall, such
as business partners or externally located employees, become a potential point of compromise.
If their security is not as good as yours, then an adversary can penetrate
your security by first penetrating theirs.
Another problem for firewalls is that a service that appears safe to expose may
have a bug that makes it unsafe. A classic example is PHF, a phone-book-like CGI service
that was available on many websites for looking up names and addresses. An input-handling
bug in PHF (it passed user-supplied text to a shell without neutralizing a newline
character) made it possible for anyone to execute an arbitrary command
on the web server simply by typing the command into an input field of
the PHF form in a browser. Such bugs are discovered regularly, so a system administrator has to
constantly monitor announcements of them. Administrators frequently fail to do
so, as shown by the fact that breaches of firewalled sites routinely exploit security flaws that have been
known for some time and have straightforward fixes.
In addition to the (unintended) bugs that may be left accessible by a firewall,
there are also what could be thought of as intended, deliberate bugs. Malware
(malicious software) is software that is designed to act on a computer in ways concealed
from and unwanted by the computer’s user. Viruses, worms, and spyware
are common types of malware. ( “ Virus ” is sometimes used synonymously with malware,
but we will use it in the narrower sense in which it refers to only a particular
kind of malware.) Like buggy software, malware code need not be natively executable
object code; it could as well be interpreted code such as a script or an executable
macro such as those used by Microsoft Word.
Viruses and worms are characterized by the ability to make and spread copies
of themselves; the difference between them is that a worm is a complete program,
while a virus is a bit of code that is inserted (and inserts copies of itself) into
another piece of software, so that it is executed as part of the execution of that
piece of software. Viruses and worms typically cause problems such as consuming
network bandwidth as mere side effects of attempting to spread copies of themselves.
Even worse, they can also deliberately damage a system or undermine its
security in various ways. They could, for example, install a backdoor, which is software
that allows remote access to the system without the normal authentication.
The firewall may then be exposing a service that should be performing its own
authentication but has been undermined by the backdoor.
Spyware is software that, without authorization, collects and transmits private
information about a computer system or its users. Usually spyware is secretly
embedded in an otherwise useful program, and is spread by users deliberately
installing copies. The problem for firewalls is that the transmission of the private
information looks like legitimate outbound communication and is therefore allowed through.
A natural question to ask is whether firewalls (or cryptographic security) could
keep malware out of a system in the first place. Most malware is indeed transmitted
via networks, although it may also be transmitted via portable storage devices such
as CDs and memory sticks. One of the two approaches used by antimalware applications
is to observe programs for suspicious behavior as they execute, which is clearly
not feasible for a firewall, since it does not run on the end-user machine. The other approach
is to search for segments of code taken from known malware; this approach is already limited
by the ability of clever malware to tweak its representation (for example, by re-encoding its
own bytes) so that the stored signature no longer matches.
The main problem with implementing this approach in a firewall is the impact on
network performance. Cryptographic security cannot eliminate the problem either,
although it does provide a means to authenticate the originator of a piece of software
and detect any tampering with it, such as when a virus inserts a copy of itself.
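To make the last two points concrete, here is an added example in Python (it is not code from the textbook): a byte-signature scanner that finds a constructed "known malware" fragment, the same fragment re-encoded so that the signature no longer matches, and an integrity tag computed by the software's originator that catches both insertions. The sample program bytes, the malware fragment and the key are all constructed for the illustration, and an HMAC with a pre-shared key stands in for the digital signature the text has in mind.

```python
"""Signature scanning versus an integrity check from the originator.

Added example, not from the textbook. Every byte string below is
constructed for the illustration; nothing here is real malware.
"""
import hashlib
import hmac

# Constructed stand-in for a fragment of known malicious code.
KNOWN_BAD = b"\x90\x90\xeb\x1fexec /bin/sh"
# The signature an antimalware scanner would store: the first 8 bytes.
SIGNATURE = KNOWN_BAD[:8]


def signature_scan(data: bytes, signatures=(SIGNATURE,)) -> bool:
    """Second approach from the text: look for segments of known malware.

    Returns True if any stored signature occurs verbatim in `data`.
    """
    return any(sig in data for sig in signatures)


def xor_encode(payload: bytes, key: int) -> bytes:
    """The simplest 'tweak' to a representation: XOR every byte with a
    one-byte key. Real malware would prepend a small decoder stub that
    undoes this at run time; the bytes on disk or on the wire differ."""
    return bytes(b ^ key for b in payload)


def infect(host_program: bytes, virus_body: bytes) -> bytes:
    """Model a virus inserting a copy of itself into another program
    (appended at the end, the simplest form of insertion)."""
    return host_program + virus_body


def make_tag(software: bytes, key: bytes) -> str:
    """Originator computes an HMAC-SHA256 over the software it ships.
    Assumption: the key is shared with the recipient out of band; a
    digital signature would remove that assumption."""
    return hmac.new(key, software, hashlib.sha256).hexdigest()


def verify_tag(software: bytes, key: bytes, tag: str) -> bool:
    """Recipient recomputes the tag and compares in constant time."""
    return hmac.compare_digest(make_tag(software, key), tag)


def demo():
    """Run the three scenarios and return their outcomes as a tuple:
    (plain copy found by scanner, re-encoded copy found by scanner,
     clean program verifies, infected verifies, re-encoded infected verifies).
    """
    clean = b"MZ... constructed bytes of a legitimate program ..."
    key = b"originator-shared-key"  # constructed; see make_tag()
    tag = make_tag(clean, key)      # shipped alongside the clean program

    # 1. A verbatim copy of the known malware is caught by the signature.
    infected = infect(clean, KNOWN_BAD)
    plain_hit = signature_scan(infected)

    # 2. The same code, XOR-encoded with key 0x5A, slips past the scanner
    #    because the stored signature no longer occurs in the bytes.
    encoded_infected = infect(clean, xor_encode(KNOWN_BAD, 0x5A))
    encoded_hit = signature_scan(encoded_infected)

    # 3. The originator's tag does not care what was inserted: any change
    #    to the bytes, encoded or not, fails verification.
    return (
        plain_hit,
        encoded_hit,
        verify_tag(clean, key, tag),
        verify_tag(infected, key, tag),
        verify_tag(encoded_infected, key, tag),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, False)
```

The scanner's weakness is that it matches a fixed byte pattern, so any reversible transformation of the malware body (here a one-byte XOR) defeats it until a new signature is written; the integrity check has the opposite property, since it detects every modification of the shipped bytes, but only for software whose originator provided a tag and whose key (or, in practice, public key) the recipient can trust.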