Reliable, but not Secure?

By Vladimir Kaminsky, Sr. Associate
This ViewsLetter addresses an important part of network functionality for availability: the ability to survive constant security threats. The network hardware, software, and links can be fully redundant, but that does not prevent disabling attacks unless certain security measures are implemented.
Firewalls

The most common method to defend a network from attacks is to insert a firewall (or firewalls) between the user's LAN and the Internet.
There's not much controversy over what is required from network firewalls, but no single standard defines this device. We can say broadly that a Network Firewall is a system or group of systems used to control access between two networks--a trusted network and an untrusted network. A firewall can operate only on communications traffic that physically passes through it: it has no impact on traffic between two devices when both are on the same "side" of the firewall. That is, if both are connected to the same firewall network card or port (usually the "inside" or local LAN), the firewall may not see the messages at all. Networks may have internal firewalls to control such traffic.
Primarily, firewalls allow or block network traffic between devices based upon rules set up by the firewall administrator. Each rule defines a specific traffic pattern one wants the firewall to detect and the action the firewall should take when that pattern is detected. Firewalls can also look inside packets to examine application content, referred to as "deep inspection."

Technically, firewalls are classified as packet filtering, proxy, or stateful firewalls. Other types of these devices exist, but those mentioned are the primary ones. Also, firewall terminology is not standardized, and one can find other terms for these firewall types.
Packet filtering firewalls are like packet filtering routers but with some differences in implementation. A firewall can be relatively simple, using Access Control Lists (ACLs) at the network (IP) layer to:

- Block traffic to/from particular hosts, internal or external--the existence of internal hosts can be hidden from people on the other side of the firewall.
- Block certain identifiable protocol classes.
A proxy firewall acts as a middleman between the two parties and decides whether or not the communication should be allowed. There is no direct connection between the two parties: the firewall terminates layer 3 and 4 protocol sessions with both parties. This setup shields internal network information like host names and topology from outside eyes. The proxy is the only machine with a visible IP address on the Internet. The proxy makes a copy of each incoming packet, changes the source address, and puts it on the other wire to the destination address.
The stateful firewall is the most advanced type. It looks inside packets to examine application content and may anticipate how a packet will behave on a server. It keeps track of the actual communication process by use of a state table, and allows or disallows packets based on the access policy. It also follows connectionless protocols like UDP, storing the state and context of the data in the packets in the state table, updated continuously, to detect attacks such as packet replay and message injection that can't replicate the proper state of the connection. The stateful firewall works at the five upper layers of the OSI model.
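The contrast drawn above between a packet filtering firewall (an ACL matched on addresses, protocols and ports) and a stateful firewall (a state table that tracks each session, follows UDP as well as TCP, and rejects replayed or injected packets that do not fit the recorded state) is easiest to see with both devices deciding on the same traffic. The Python simulation below is an added example, not code from this ViewsLetter or from any firewall product. The addresses, ports, rules and packets are constructed, and the replay check is a deliberate simplification: a TCP segment whose sequence number does not advance in its direction is treated as a replay, where a real product tracks the full window.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters: "S" (SYN), "SA" (SYN+ACK), "A" (ACK)
    seq: int = 0        # TCP sequence number (ignored for UDP)

@dataclass(frozen=True)
class Rule:
    """One ACL entry; "any" matches everything, a trailing dot matches an address prefix."""
    action: str         # "allow" or "deny"
    src: str
    dst: str
    proto: str          # "any", "tcp" or "udp"
    sport: Optional[int] = None
    dport: Optional[int] = None

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or (addr.startswith(pattern) if pattern.endswith(".") else addr == pattern)

class PacketFilter:
    """Stateless ACL at the IP layer: the first matching rule wins, else the default applies."""
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if (_addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
                    and r.proto in ("any", p.proto)
                    and r.sport in (None, p.sport) and r.dport in (None, p.dport)):
                return r.action
        return self.default

class StatefulFirewall:
    """Policy: inside hosts may open sessions outbound; any other packet must belong
    to a session already recorded in the state table (keyed by the initiating 5-tuple)."""
    def __init__(self, inside: str = "10.0.0."):
        self.inside = inside
        self.table: Dict[Tuple, dict] = {}

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                       # same direction as the recorded session
            entry = self.table[fwd]
            if p.proto == "tcp":
                if p.seq <= entry["seq"]:           # sequence did not advance: treated as a
                    return "deny"                   # replay (simplified window tracking)
                entry["seq"] = p.seq
            return "allow"
        if rev in self.table:                       # reply direction of a recorded session
            entry = self.table[rev]
            if p.proto == "udp":
                return "allow"                      # UDP reply matches the stored context
            if entry["state"] == "SYN_SENT" and p.flags == "SA":
                entry["state"] = "ESTABLISHED"
                return "allow"
            return "allow" if entry["state"] == "ESTABLISHED" else "deny"
        # No session yet: only the inside may initiate, and TCP must begin with a SYN.
        if p.src.startswith(self.inside) and not p.dst.startswith(self.inside):
            if p.proto == "tcp" and p.flags != "S":
                return "deny"
            self.table[fwd] = {"state": "SYN_SENT" if p.proto == "tcp" else "UDP", "seq": p.seq}
            return "allow"
        return "deny"

def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Run the same constructed packets through both devices: {label: (filter, stateful)}."""
    acl = PacketFilter([
        Rule("allow", "10.0.0.", "any", "tcp", dport=80),   # inside may reach web servers
        Rule("allow", "10.0.0.", "any", "udp", dport=53),   # inside may query DNS
        Rule("allow", "any", "10.0.0.", "tcp", sport=80),   # replies must get back in, which a
        Rule("allow", "any", "10.0.0.", "udp", sport=53),   # stateless ACL can only express as
    ])                                                      # a standing hole keyed on source port
    sfw = StatefulFirewall()
    inside, web, dns = "10.0.0.5", "203.0.113.10", "203.0.113.53"
    packets = [
        ("outbound SYN", Packet(inside, 40000, web, 80, "tcp", "S", 100)),
        ("inbound SYN-ACK", Packet(web, 80, inside, 40000, "tcp", "SA", 500)),
        ("outbound ACK+data", Packet(inside, 40000, web, 80, "tcp", "A", 101)),
        ("replayed ACK+data", Packet(inside, 40000, web, 80, "tcp", "A", 101)),
        ("unsolicited from port 80", Packet("203.0.113.99", 80, "10.0.0.7", 22, "tcp", "S", 1)),
        ("outbound DNS query", Packet(inside, 51000, dns, 53, "udp")),
        ("inbound DNS reply", Packet(dns, 53, inside, 51000, "udp")),
        ("unsolicited from port 53", Packet(dns, 53, "10.0.0.9", 161, "udp")),
    ]
    return {label: (acl.decide(p), sfw.decide(p)) for label, p in packets}

if __name__ == "__main__":
    for label, (f, s) in run_scenario().items():
        print(f"{label:26s} packet filter: {f:5s}  stateful: {s}")
```

Running the scenario shows the point of the state table: the ACL has to keep a standing "allow from source port 80/53" rule so that legitimate replies get back in, and that same rule admits an unsolicited packet that merely sets its source port to 80 or 53; the stateful device admits the replies because they reverse a session it recorded, and drops both the unsolicited packets and the replayed segment. Policy on an ACL can be tightened (some filters also check the TCP ACK bit), but it cannot recover session context it never stored.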
And More

While doing this filtering, a firewall can perform many additional functions, but the major ones are:
- User authentication. Firewalls can be configured to authenticate users by asking a database server to confirm the submitted ID, password, and other credentials (like a token or certificate) before allowing packets to pass. This function can be quite sophisticated, allowing network administrators to control access by each user to specific services and resources after a single sign-on. Authentication also allows network administrators to track specific user activity and to flag unauthorized attempts to gain access to protected networks or services.

- Auditing and logging. Firewalls can log every event to provide auditing capabilities. Firewalls can generate statistics based on the information they collect, often useful in making policy decisions that relate to network access and utilization.

- Separation. Firewalls can hide internal or trusted networks from external or untrusted networks by changing addresses. Network Address Translation (NAT) offers an additional layer of security by shielding services from unwanted scans.

- Central Management. Firewalls can provide a central point for security management over multiple locations. This can be very beneficial when an organization's human resources and financial resources are limited.
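The proxy firewall described earlier (the proxy is the only machine with a visible Internet address and rewrites the source address of each packet it forwards) and the Separation function above (NAT hiding the trusted network and shielding it from unwanted scans) both rest on a translation table. The Python model below is an added example, not code from this ViewsLetter or from any product, and it captures only the address rewriting and the mapping table, not a proxy's termination of layer 3 and 4 sessions. The public address, inside prefix, port range and sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:
    """Rewrites outbound source addresses to one public address and passes inbound
    packets only when they match a translation that an inside host created."""
    def __init__(self, public_ip: str, inside: str = "10.0.0.", first_port: int = 20000):
        self.public_ip, self.inside, self.next_port = public_ip, inside, first_port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}        # inside flow -> public port
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (public port, peer) -> inside host

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Return the packet as it appears on the Internet side, or None if not translated."""
        if not p.src.startswith(self.inside):
            return None                     # only the trusted side is translated
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_map:         # first packet of a flow allocates a public port
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None when it is discarded."""
        if p.dst != self.public_ip:
            return None                     # the inside addresses are never reachable directly
        inner = self.in_map.get((p.dport, p.src, p.sport))
        if inner is None:
            return None                     # no translation: unsolicited (e.g. a scan), dropped
        return Packet(p.src, p.sport, inner[0], inner[1])

def run_scenario() -> Dict[str, Optional[Packet]]:
    """Constructed traffic: one outbound web request, its reply, and two unsolicited probes."""
    gw = NatGateway("198.51.100.1")
    out = gw.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 80))
    reply = gw.inbound(Packet("203.0.113.10", 80, "198.51.100.1", out.sport))
    scan = gw.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 22))
    guess = gw.inbound(Packet("203.0.113.99", 80, "198.51.100.1", out.sport))  # right port, wrong peer
    return {"outbound": out, "reply": reply, "scan": scan, "guess": guess}

if __name__ == "__main__":
    for label, pkt in run_scenario().items():
        print(f"{label:9s} {pkt if pkt else 'discarded'}")
```

Only the gateway's address ever appears on the outside wire, the inside host and port are recovered solely from the table entry that the outbound packet created, and an inbound packet that has no matching entry, even one aimed at a public port currently in use, is discarded rather than forwarded. That is the mechanism behind the "shielding services from unwanted scans" claim, and it is also why NAT alone is not a substitute for the filtering rules described earlier: it protects only flows the inside never initiated.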
Firewalls are based on both software and hardware. Next time we'll look at some best practices for allocating these protective functions to either, and on what platforms (one multifunction box or several specialized devices).
================================

New Books

FC Associate Ray Horak recently authored two books on networking. William Flanagan was the technical editor for both. They offer extensive coverage of many technologies, and are as accurate as two old pros can make them.

The new titles are:

- Telecommunications and Data Communications Handbook, 791 pages.
- Webster's New World Telecom Dictionary, 568 pages.

Wiley is the publisher. Available in bookstores and on the web from multiple merchants--do a web search for "Ray Horak" or start with Ray's profile page at http://www.amazon.com/gp/pdp/profile/AL7TPWAFURLDA.
================================

How Can Flanagan Consulting Help You?

We understand not only the technology of networks, but also the surrounding business processes: procurement, bid preparation/analysis, statements of work, financial analysis, consensus building, and more. We have current experience in litigation support for attorneys involved with patents or contracts related to networking or voice and data communications.

Find out now: call +1.703.242.8381

================================

Subscriptions to ViewsLetter

Mailman, the Linux application, keeps the mailing list and posts messages. It is set up as a "read only" list. Because of the number of 'out of office' autoreplies, replies to this message are discarded. You can unsubscribe or subscribe at: http://lists.viewsletter.com/mailman/listinfo/vl2006

You will need a password to unsubscribe, but Mailman will send you one on demand. If you have a problem with the list, send an email to Publisher@ViewsLetter.com.

================================

Special thanks for supporting ViewsLetter to www.webtorials.com, your best source for communications tutorials and white papers.