Firewall
From Hill2dot0
A firewall is a mechanism that protects a local network from external, untrusted networks. Like the firewall found in automobiles and some buildings to limit the spread of fire, a network firewall protects a site from deliberate and inadvertent attacks from the outside. One lesson of the Internet is: without adequate security, your site is not merely attached to the Internet, it is a piece of the Internet. (Another lesson is that a firewall resembles the Maginot Line: its defenses face outward. System managers should remember that a large share of attacks are launched from the inside, where the firewall offers no protection at all.)
Not all VPN implementations require or even use a firewall. Nevertheless, more and more VPNs rely on one or more firewalls to provide privacy. So the firewall, for better or worse, has become a convenient vehicle for creating and deploying VPNs.
Firewall operation relies on a secure operating system as a foundation. There is no reason to use a firewall if anyone can log in and remotely change the rules of access from public outside (e.g., the Internet) to private inside (e.g., intranet).
Filtering is a common firewall feature. Filters establish a set of rules for IP packets moving between the public and private portions of the network. Many firewalls add screening of the higher layer protocols carried within IP packets. This screening is commonly called a gateway function, and firewalls that perform this kind of filtering and screening exclusively are sometimes called gateways, because they mediate higher layer (application) access to servers rather than merely forwarding packets.
Firewalls can provide two more functions. First, the firewall can handle the DNS translation from host name (www.hill.com) to IP address on behalf of the site, answering outside queries with a public address it maps to the real one, so that users “outside” are never given the actual IP address of the server “inside.” This affords a level of protection for a Web site. Second, the same address hiding can be applied to email entering or leaving the organization.
Rarely does one firewall or device do all of the above. Doing so would create a natural network bottleneck exactly where one can least be tolerated: at the point of contact between the private “inside” and the rest of the world.
Firewall Features
Firewalls can be generally classified into three generic types, which might be employed in combination.
- Packet filters: Block packets based on a set of rules derived from the direction the packet is traveling, the protocol employed, host address(es), protocol port number (i.e., the TCP/IP application), the physical interface, and/or other factors. Packet filtering is generally employed in routers.
- Higher layer inspection firewalls: These extend packet filtering with awareness of the transport and application layers above IP. They typically maintain state tables so that each packet is examined in the context of the connection it belongs to, rather than in isolation; for this reason higher layer firewalls are often called “stateful” firewalls.
- Proxy servers: One or more systems that appear to provide a set of services to the outside, but actually act as a proxy for the real server. An external client does not connect directly to an internal server, but instead attaches to the proxy which, in turn, attaches to the internal server. Proxy servers can operate at the circuit level or the application level.
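The difference between the first two types above, a packet filter that judges each packet against static rules and a stateful firewall that consults a connection table, is easiest to see side by side. The following is an added example, not code from the original article or from any firewall product: a small Python model in which the site layout (192.0.2.0/24 inside, eth0 facing the Internet, eth1 facing the intranet), the rule set and the packets are all constructed assumptions for illustration.

```python
"""Toy packet filter with an optional stateful connection table.

Added example, not the article's own code. The network layout, interface
names, rules and packets below are constructed assumptions: 192.0.2.0/24 is
the private "inside", eth0 faces the Internet and eth1 faces the intranet.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str          # physical interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags, ignored for other protocols
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; a None field means 'any'."""
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR prefix
    dst: Optional[str] = None     # CIDR prefix
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


INSIDE = "192.0.2.0/24"

# First match wins; the last rule is the default-deny policy.
RULES = [
    Rule("allow", iface="eth0", proto="tcp", dst="192.0.2.10/32", dport=80),  # public web server
    Rule("allow", iface="eth1", src=INSIDE),                                  # anything leaving the intranet
    Rule("deny"),
]


def stateless_decision(p: Packet, rules=RULES) -> str:
    """Plain packet filter: every packet is judged on its own header."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Same rules, plus a connection table so replies to permitted outbound
    flows are admitted without opening inbound ports for them."""

    def __init__(self, rules=RULES):
        self.rules = rules
        # Keyed as (proto, inside addr, inside port, outside addr, outside port).
        self.table = set()

    def decide(self, p: Packet) -> str:
        if p.iface == "eth0":
            # Inbound packet: allow if it is the reply leg of a tracked flow.
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
                return "allow"
            # A TCP packet that is neither a tracked flow nor a new connection
            # request (SYN without ACK) belongs to no conversation: drop it.
            if p.proto == "tcp" and not (p.syn and not p.ack):
                return "deny"
        action = stateless_decision(p, self.rules)
        if action == "allow" and p.iface == "eth1":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


def demo() -> dict:
    """Run constructed sample packets through both models and return the verdicts."""
    fw = StatefulFirewall()
    outbound_dns = Packet("eth1", "192.0.2.20", "198.51.100.53", "udp", 40001, 53)
    dns_reply = Packet("eth0", "198.51.100.53", "192.0.2.20", "udp", 53, 40001)
    web_syn = Packet("eth0", "203.0.113.7", "192.0.2.10", "tcp", 50000, 80, syn=True)
    stray_ack = Packet("eth0", "203.0.113.8", "192.0.2.10", "tcp", 50001, 80, ack=True)
    return {
        "stateless_dns_reply": stateless_decision(dns_reply),            # deny: no inbound UDP rule
        "stateful_dns_reply": (fw.decide(outbound_dns), fw.decide(dns_reply)),  # allow, allow
        "web_syn": fw.decide(web_syn),                                   # allow: new connection to port 80
        "stateless_stray_ack": stateless_decision(stray_ack),            # allow: header matches rule 1
        "stateful_stray_ack": fw.decide(stray_ack),                      # deny: no flow it could belong to
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two cases where the models disagree are the ones the text is about: a stateless filter must either open UDP replies from every DNS server or block them, while the stateful firewall admits only the reply to a query it saw leave; conversely, a crafted ACK-only segment aimed at port 80 sails through the stateless filter but is dropped by the stateful one because it belongs to no tracked connection.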
Firewalls enforce the security strategy that each site adopts. The rule set of the firewall depends upon the site’s security philosophy.
Personal Firewalls
Computers on corporate networks are not the only ones that pose security risks on the Internet today. Residential and small office/home office (SOHO) machines are also in danger, especially with “always on” access methods such as DSL and cable modems. Working from home and telecommuting present IT personnel with additional problems, because home users typically lack the protection of the corporate firewall and so expose information assets to the Internet at large. After all the money and energy spent building a bank vault door for the company’s network, the SOHO employee’s machine offers about as much protection as a screen door.
With the proliferation of distributed denial of service (DDoS) attacks, in which compromised home machines are used to flood a target, home users also pose a risk to the entire Internet community. They often don’t understand how to protect themselves from intrusions. While educating users is part of the solution, users also need tools to help them ward off attacks.
Issues have also been raised about service provider liability when attacks are traced to a particular network. Customers have sued their providers in the past when their personal systems have been compromised. In the interest of overall Internet security—and to protect themselves from potential legal action—many Internet, DSL, and cable providers are offering their customers low-end personal security products bundled with their services.
The market offers many choices in personal firewalls. Hardware products from vendors such as Linksys and Macsense often take the form of a DSL/cable modem integrated with a router, hub, and/or firewall. These products cost about a hundred dollars. Software products offered by companies like Network ICE and Zone Labs also exist. These firewalls are usually installed on the client machine itself, making them appropriate not only in DSL/cable environments, but also in the dial-up world. Prices range from free to fifty dollars.
Many of these products have intrusion detection capabilities in addition to simple filtering, a “stealth” capability (hiding the computer’s real IP address behind network address and port translation, NAPT), and new features that are continually added. Like their high-end counterparts, personal firewalls do not offer 100 percent security. They do, however, increase the attacker’s work factor, making the home computer less likely to be used in criminal escapades.