Firewalls

An Internet firewall is a single system or group of systems that enforces a security policy between an organization's network and the Internet.
The firewall determines which inside services may be accessed from the outside, which outsiders are permitted to access those services, and which outside services insiders may access.
It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. The firewall is one part of an overall security policy that creates a perimeter defense designed to protect the organization's information resources. That security policy must include published security rules that notify users of their responsibilities; business policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security.

For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected. The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. Unfortunately, a firewall system cannot offer any protection once an attacker has gotten through or around it.


Benefits of an Internet Firewall

Internet firewalls manage access between the Internet and an organization's private network. Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet. This means that the security of the private network would depend on the "hardness" of each host's security features and would be only as secure as the weakest system.

Internet firewalls allow the network administrator to define a centralized "choke point" that keeps unauthorized users such as hackers, crackers and spies out of the protected network; prohibits potentially vulnerable services from entering or leaving the protected network; and provides protection from various types of routing attacks.

Firewalls offer a convenient point where Internet security can be monitored and alarms generated. It should be noted that for organizations with connections to the Internet, the question is not whether but when attacks will occur. Network administrators must audit and log all significant traffic through the firewall. If the network administrator does not take the time to respond to each alarm and examine the logs on a regular basis, there is little point in having the firewall, since the administrator will never know whether it has been successfully attacked.

For the past few years, the Internet has been experiencing an address space crisis that has made registered IP addresses a less plentiful resource. This means that organizations wanting to connect to the Internet may not be able to obtain enough registered IP addresses to meet the demands of their user population.
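As an added example (not part of the original page), the following script reviews a small constructed firewall log and raises the two kinds of alarm the paragraph above says an administrator must act on: repeated denied inbound probes from a single source, and inbound traffic the firewall permitted to a service that is not on the published list. The log format, addresses, threshold and published-service set are all assumptions made for this illustration.

```python
# Added example: review constructed firewall log lines and raise alarms.
from collections import Counter

# Constructed sample log (format, timestamps and addresses are invented).
# Fields: timestamp action direction src dst dport
SAMPLE_LOG = """\
2003-12-23T10:00:01 DENY   in  203.0.113.7  192.0.2.10   23
2003-12-23T10:00:02 DENY   in  203.0.113.7  192.0.2.10   21
2003-12-23T10:00:03 DENY   in  203.0.113.7  192.0.2.10   25
2003-12-23T10:00:04 PERMIT in  203.0.113.7  192.0.2.10   80
2003-12-23T10:00:05 PERMIT in  198.51.100.9 192.0.2.11   3389
2003-12-23T10:00:06 PERMIT out 192.0.2.20   198.51.100.5 25
"""

# Assumed policy: the web server is the only service published to the Internet.
PUBLISHED_INBOUND = {("192.0.2.10", 80)}
DENY_THRESHOLD = 3  # assumed: this many inbound denies from one source is a probe


def parse(line: str) -> dict:
    """Split one whitespace-separated log line into a record."""
    ts, action, direction, src, dst, port = line.split()
    return {"ts": ts, "action": action, "dir": direction,
            "src": src, "dst": dst, "port": int(port)}


def review(log_text: str) -> list:
    """Return alarm strings for probes and unpublished permitted services."""
    denies = Counter()
    alarms = []
    for raw in log_text.splitlines():
        e = parse(raw)
        if e["action"] == "DENY" and e["dir"] == "in":
            denies[e["src"]] += 1
            if denies[e["src"]] == DENY_THRESHOLD:   # alarm once per source
                alarms.append(f"probe: {e['src']} denied {DENY_THRESHOLD} times")
        elif (e["action"] == "PERMIT" and e["dir"] == "in"
              and (e["dst"], e["port"]) not in PUBLISHED_INBOUND):
            alarms.append(
                f"unpublished service: {e['src']} -> {e['dst']}:{e['port']}")
    return alarms


if __name__ == "__main__":
    for alarm in review(SAMPLE_LOG):
        print(alarm)
```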

An Internet firewall is a logical place to deploy a Network Address Translator (NAT), which can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).

An Internet firewall is the perfect point to audit or log Internet usage. This permits the network administrator to justify the expense of the Internet connection to management, pinpoint potential bandwidth bottlenecks, and provide a method for departmental charge-backs if this fits the organization's financial model.

An Internet firewall can also offer a central point of contact for information delivery services to customers. The Internet firewall is the ideal location for deploying World Wide Web and FTP servers. The firewall can be configured to allow Internet access to these services while prohibiting external access to other systems on the protected network.

Finally, some might argue that the deployment of an Internet firewall creates a single point of failure. It should be emphasized that if the connection to the Internet fails, the organization's private network will still continue to operate: only Internet access is lost.


Limitations of an Internet Firewall

An Internet firewall cannot protect against attacks that do not go through the firewall. For example, if unrestricted dial-out is permitted from inside the protected network, internal users can make a direct SLIP or PPP connection to the Internet. Savvy users who become irritated with the additional authentication required by firewall proxy servers may be tempted to circumvent the security system by purchasing a direct SLIP or PPP connection to an ISP. Since these types of connections bypass the security provided by the most carefully constructed firewall, they create a significant potential for back-door attacks. Users must be made aware that these types of connections are not permitted as part of the organization's overall security architecture.

Internet firewalls cannot protect against the types of threats posed by traitors or unwitting users. Firewalls do not prohibit traitors or corporate spies from copying sensitive data onto floppy disks or PCMCIA cards and removing them from a building. Firewalls do not protect against attacks where a hacker, pretending to be a supervisor or a befuddled new employee, persuades a less sophisticated user into revealing a password or granting them "temporary" network access. Employees must be educated about the various types of attacks and about the need to guard and periodically change their passwords.

Internet firewalls cannot protect against the transfer of virus-infected software or files. Since there are so many different viruses, operating systems, and ways of encoding and compressing binary files, an Internet firewall cannot be expected to accurately scan each and every file for potential viruses. Concerned organizations should deploy anti-virus software on each desktop to protect against infected files arriving from floppy disks or any other source.

Finally, Internet firewalls cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is then executed to launch an attack.


Basic Firewall Design Decisions

When designing an Internet firewall, there are a number of decisions that must be addressed by the network manager:
  • The stance (attitude) of the firewall
  • The overall security policy of the organization
  • The machinery or building blocks of the firewall system

Attitude of the Firewall

The attitude of a firewall system reflects the basic security philosophy of the organization. An Internet firewall may take one of two completely opposed stances:
  • Everything not specifically permitted is denied.
  • Everything not specifically denied is permitted.
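As an added example (not from the original page), the following minimal packet-filter evaluator shows how the two stances treat a packet that no rule mentions: the same rule set denies it under "everything not specifically permitted is denied" and lets it through under "everything not specifically denied is permitted". The rules, addresses and ports are constructed for illustration only.

```python
# Added example: first-match rule evaluation under the two firewall stances.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    inbound: bool   # True if arriving from the Internet side


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    inbound: bool
    dport: int

    def matches(self, p: Packet) -> bool:
        return p.inbound == self.inbound and p.dport == self.dport


def evaluate(rules, packet: Packet, default_deny: bool) -> str:
    """First matching rule wins; if nothing matches, the stance decides."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return "deny" if default_deny else "permit"


# Constructed policy: outsiders may reach the web server, telnet from outside
# is explicitly blocked, and insiders may send mail. Nothing else is listed.
RULES = [
    Rule("permit", inbound=True, dport=80),
    Rule("deny", inbound=True, dport=23),
    Rule("permit", inbound=False, dport=25),
]


def decisions(default_deny: bool) -> dict:
    """Evaluate a fixed set of constructed probe packets under one stance."""
    probes = {
        "web_in": Packet("203.0.113.7", "192.0.2.10", 80, True),
        "telnet_in": Packet("203.0.113.7", "192.0.2.10", 23, True),
        "unlisted_in": Packet("203.0.113.7", "192.0.2.10", 6000, True),
        "mail_out": Packet("192.0.2.20", "198.51.100.5", 25, False),
    }
    return {name: evaluate(RULES, p, default_deny) for name, p in probes.items()}


if __name__ == "__main__":
    print("default deny:  ", decisions(True))
    print("default permit:", decisions(False))
```

Only the unlisted port changes outcome between the two runs, which is exactly the gap a default-permit stance leaves open.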

Components of the Firewall System

After making decisions about firewall stance, security policy, and budget issues, the organization can determine the specific components of its firewall system. A typical firewall is composed of one or more of the following building blocks:
  • Packet-filtering router
  • Application-level gateway or proxy server
  • Circuit-level gateway


Last edited December 23, 2003 by KDivad Leahcim (revision 4).

Programmers Heaven - for .NET, Java, C/C++ and WEB Developers!