1. Introduction
2. What is a Firewall?
3. Types of Attacks
   1. Intrusion
   2. Information Theft and Tampering
   3. Denial of Service
4. Types of Attackers
   1. Joyriders
   2. Vandals
   3. Spies
5. Types of Protection
   1. Host Security
   2. Network Security
6. Defining firewalls
7. Basic Requirements
8. Properties of Firewall
   1. Firewalls as Filters
   2. Firewalls as Gateways
   3. Firewalls as Choke Points
9. Types of Firewall
   1. Packet Filtering
   2. Application Gateways
   3. Packet Inspection
   4. Hybrid Firewalls
10. The Active Firewall Concept
11. Case studies
   1. An academic organization
   2. A research lab
   3. An electronic commerce application
12. Conclusion
13. Glossary
14. References

1. Introduction

The Internet provides a computer communication path that now spans over 300 countries and has an estimated 50 million users. With this explosive growth in recent years have come many issues concerning computer and data security. Not everyone on the Internet is your friend. Malicious users known as "hackers" use very sophisticated tools to gain unauthorized access to computer systems. Communication between other systems on the same network can also be monitored using "sniffer" programs. A "Trojan horse" program can be installed to trap and log user passwords. There are many other sneaky ways to break in, steal information, and destroy or tamper with data.

"The information he provided includes recent trends: the increasing damage caused by intrusions, more knowledgeable intruders, increased use of automated attack tools, and a 2000% increase in computer incidents handled by the CERT Coordination Center since its establishment in 1988."

Recent statistics clearly indicate the danger of relying on passive security systems in today's increasingly interconnected world. According to the FBI, corporations reporting security incidents last year lost an average of $570,000 as a direct result, a 36 percent increase from the year before (1998 Computer Crime and Security Survey, FBI/Computer Security Institute). And since the vast majority of security breaches are never reported, actual losses may be even higher.

The Computer Emergency Response Team (CERT) is an organization tasked with researching computer security-related incidents and working with the appropriate manufacturers to fix vulnerabilities.

The United States General Accounting Office, asked by the Senate Committee on Governmental Affairs to report on the current vulnerability of Department of Defense (DOD) non-classified computer systems, found that as many as 250,000 attacks were launched at DOD with a 65 percent success rate.

The Internet has grown to consume all other network security issues, including viruses, Trojan horses and penetration of internal networks. A network connected to the Internet embraces a whole new set of risks, some of which serve to exacerbate existing problems. Organizations whose networks remain unconnected to the Internet face pressure to make that connection, if just for e-mail alone. The pressure to connect often becomes so strong, in fact, that some individual users or departments connect to the Internet without upper management authorization or knowledge. Determining whether or not a network is connected to the Internet can be a formidable task in itself.

2. What is a Firewall?

"Firewall"... the name itself conjures up vivid images of strength and safety. It is nearly impossible to compete in today's fast paced business environment without connecting your private network to the public Internet and other untrusted networks. Your employees need to rapidly access and share information with customers, suppliers and the world at large if you are to stay ahead of the competition. Unfortunately, such connectivity provides an easy path for untrusted parties on the outside to penetrate a company's private network and access or tamper with internal information and resources.

A firewall is a security enforcement point that separates a trusted network from an untrusted one, such as the Internet (see Figure). Firewalls screen all connections between two networks, determining which traffic should be allowed and which should be disallowed based on some form of security policy determined in advance by the security administrator.

The term "firewall" has been used for many years to describe a system that protects a computer network and the computers on it from various types of attack. There are many ways to implement a firewall, each with specific advantages and disadvantages, so it is impossible to describe exactly what a firewall is. It is accepted, however, that the primary goal of a firewall is to implement a desired security policy, controlling access in both directions through the firewall, and to protect the firewall itself from compromise.

A firewall is a system designed to prevent unauthorized access to or from a private network. It can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. It is located at a network gateway server, which protects the resources of a private network from users on other networks.

3. Types of Attacks

1. Intrusion:

There are many ways to gain unauthorized access to a system. Operating system vulnerabilities, telnet hijacking, and cracked or guessed passwords are some of the more common. Once access is attained, the intruder can send forged e-mail, tamper with data, or use the system's privileges to attack another system.

2. Information Theft and Tampering:

Data theft and tampering do not always require that the system be compromised. There have been many bugs in FTP servers that allow attackers to download password files or upload Trojan horses.

3. Denial of Service:

Any attack that keeps the intended users from being able to use the services provided by their servers is considered a denial of service attack. There are many types of denial of service attacks, and unfortunately they are very difficult to defend against. "Mail bombs" are one example, in which an attacker repeatedly sends large mail files in an attempt to fill the server's disk file system, thus preventing legitimate mail from being received.

4. Types of Attackers

1. Joyriders:

Not all attacks on computer systems are malicious. Joyriders are just looking for fun or for "bragging rights." Your system may be broken into just because it was easy, or to use the computer as a platform to attack others. It may be difficult to detect intrusion on a system that is used for this purpose. If the log files are modified, and if everything appears to be working, you may never know.

2. Vandals:

A vandal is malicious. Vandals break in to delete files or crash computer systems, either because they don't like you or because they enjoy destroying things. If a vandal breaks into your computer, you will know about it right away. Vandals may also steal secrets and post them to public bulletin boards.

3. Spies:

Spies are out to get secret information. It may be difficult to detect break-ins by spies since they will probably leave no trace if they get what they are looking for.

5. Types of Protection

1. Host Security

In the early days of networked computers, host security provided individual protection of computer systems. Good passwords and controlled user accounts were sufficient. Each computer was responsible for its own security. Today, bugs in operating systems from various vendors make it extremely difficult to maintain an effective security policy over a large number of systems.

2. Network Security

Systems outside of a security domain should not even be able to make connections to computers within it. Outbound connectivity, on the other hand, is often allowed. Firewalls provide the mechanism to restrict access inbound while allowing access outbound.

Firewalls enter the picture when an organization distrusts any single network being internetworked. One should always distrust the Internet, of course, but experience tells us that we really should not trust any network, even those within our own company, unless we have full assurance of their security status. In other words, someone responsible for the company's sales and marketing network cannot assume that the company's production and inventory network is trustworthy, at least not without some fairly strong assurances.

An "intranet firewall" creates security domains within an organization, thereby controlling access between departments, for example between finance, payroll, engineering, or other departments with sensitive data.

An internetwork firewall, also called an Internet firewall, is typically defined as a system or group of systems that enforces an access control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Firewalls have become a security "must have" now that so many organizations are connecting their internal networks to external networks such as the Internet.

6. Defining firewalls

"A network firewall is a system or group of systems that enforces an access control policy between two networks."

A firewall is a controlled access point between security domains, usually with different levels of trust. A slightly more specific definition of a firewall comes from William Cheswick and Steven Bellovin, two engineers with AT&T who wrote the classic Firewalls and Internet Security (Addison-Wesley, 1994). They based the book on their experience developing a firewall to protect AT&T's connections to the Internet. Cheswick and Bellovin define a firewall as a collection of components or a system placed between two networks and possessing the following properties:

Put simply, a firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two networks. Typically, the two networks in question are an organization's internal (trusted) network and the (untrusted) Internet.

Another approach to firewalls views them as both policy and the implementation of that policy in terms of network configuration. Physically, a firewall comprises one or more host systems and routers, plus other security measures such as advanced authentication in place of static passwords. As shown in the figure, a firewall may consist of several different components, including filters, or screens, that block transmission of certain classes of traffic, and a gateway, which is a machine or set of machines relaying services between the internal and external networks by means of proxy applications. The intermediate area occupied by the gateway is often referred to as the demilitarized zone (DMZ). These terms will all be explained in more detail, starting with traffic.

Basic firewall schematic (filters, gateway and DMZ)

7. Basic Requirements

The exact features a firewall needs in order to effectively implement the specific policies of an organization vary. In general, however, a firewall should be able to do the following:

8. Properties of Firewall

1. Firewalls as Filters

Basically, routers look at the address information in TCP/IP packets and direct them accordingly. Data packets transmitted over the Internet from the Web browser on a PC in Florida to a Web server in Pennsylvania will pass through numerous routers along the way, each of which makes decisions about where to direct the traffic.

Suppose the Web browser is on a PC on a LAN with a PPP connection to an Internet Service Provider (ISP). A router, or a computer acting as a router, will likely direct the packets out from the LAN to the ISP. Routers at the ISP will send the data to a backbone provider, which will route it, often in several hops, to the ISP that serves the machine that hosts the Web site.

Routers make their routing decisions based on tables of data and rules. It is possible to manipulate these rules by means of filters so that, for example, only data from certain addresses may pass through the router. In effect, this turns a router that can filter packets into an access control device, or firewall. If the router can generate activity logs, this further enhances its value as a security device.

2. Firewalls as Gateways

Internet firewalls are often referred to as secure Internet gateways. Like the gates in a medieval walled city, they control access to and from the network.

In firewall parlance, a gateway is a computer that provides relay services between two networks. A firewall may consist of little more than a filtering router as the controlled gateway. Traffic goes to the gateway instead of directly entering the connected network. The gateway machine then passes the data, in accordance with access control policy, through a filter, to the other network or to another gateway machine connected to the other network.

In some configurations, called dual-homed gateways, one computer containing two network connectors acts as the gateway. Alternatively, a pair of machines can create a miniature network referred to as the DMZ (see figure). Typically, the two gateways will have more open communication through the inside filter than the outside gateway has to other internal hosts. The outside filter can be used to protect the gateway from attack, while the inside filter is used to guard against the consequences of a compromised gateway.


The use of gateways

Network traffic is controlled through differing mechanisms, depending on the type of firewall. This mediation takes into account the source and destination addresses of the packets, the type of packets, and the security policy of the organization that specifies what is permitted and denied. Typically, the firewall also logs access, or attempts to access, one network from the other.

3. Firewalls as Choke Points

By concentrating access control, firewalls become a focal point for the enforcement of security policy. Some firewalls take advantage of this to provide additional security services, including traffic encryption and decryption. In order to communicate in encryption mode, the sending and receiving firewalls must use compatible encrypting systems. Current standards efforts in encryption and key management have begun to allow different manufacturers’ firewalls to communicate securely, but these efforts have some way to go before the customer can assume compatibility. Firewall-to-firewall encryption is thus used for secure communication over the public Internet between known entities with prior arrangement, rather than for any-to-any connections. Nevertheless it is a powerful feature, enabling the creation of virtual private networks (VPN) as a lower cost alternative to a leased line or a value-added network (VAN).

Verifying the authenticity of system users is another important part of network security, and firewalls can perform sophisticated authentication, using smart cards, tokens and other methods. Firewalls can also protect other external network connections, such as remote dial-in. A company can apply the same traffic-restricting protections, enhanced by authentication.

9. Types of Firewall

So far we have talked about firewalls in terms of threats, principles and policy. We now turn to the specifics of implementation—the mechanisms that enable firewalls to enforce policy and provide protection. Today's firewalls tend to combine several different mechanisms, making rigid classification difficult (not to mention contentious—committees tasked with firewall selection should avoid lengthy debates over how to categorize a particular firewall). Our intention here is to describe the ingredients that can go into a firewall design.

1. Packet Filtering

Packet filters, called "access control lists", or access lists for short, on Internet routers provide a rudimentary form of security. Filters are configured to discard packets with particular attributes such as:

      1. specific source or destination IP addresses;
      2. specific source or destination TCP/UDP ports;
      3. specific protocol types;
      4. TCP flags set or clear in the packet header.

Packet filtering routers are not dynamic or stateful, which means that their filtering criteria do not change based on packets that have passed recently, or based on which side of the firewall the connection was initiated from. Forwarding decisions are made based only on field values from the specific packet in question, which is not sufficient to distinguish between welcome and unwelcome packets. For useful sorts of filtering, access lists tend to be lengthy, quite complex and error-prone.

Although performance is not usually a problem in modern implementations, lengthy access lists can degrade throughput and increase latency. Since state is not kept in a packet filtering router, every packet through must be checked against the same access lists.

Packet filters can be very effective in completely blocking specific types of traffic, and for this reason are sometimes part of an overall firewall system. For example, telnet can easily be blocked by applying a filter to block TCP port 23 (telnet). The difficulty and complexity arises when the filtered protocol is allowed to some hosts, or for more complex protocols that specify return data ports dynamically.

A packet filter looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

All firewalls perform some sort of IP packet filtering, usually by means of a packet filtering router. The router filters packets as they pass between the router’s interfaces, implementing a set of rules based on firewall policy.

Filtering can block connections from or to specific hosts or networks, and can block connections to specific ports. A site might wish to block connections from certain addresses, such as from hosts or sites considered hostile or untrustworthy. Alternatively, a site may wish to block connections from all addresses external to the site (with certain exceptions, such as with SMTP for receiving e-mail).

Adding TCP or UDP port filtering to IP address filtering results in a great deal of flexibility. Servers such as the TELNET daemon usually reside at known ports (port 23 for TELNET), so if a firewall can block TCP or UDP connections to or from specified ports, then the site can call for certain types of connections to be made to certain hosts but not others. For example, a company might wish to block all incoming connections to all hosts except for several firewall related systems. At those systems, perhaps only specific services will be allowed, such as SMTP for one system and TELNET or FTP connections to another system (see diagram in following figure). With filtering on TCP or UDP ports, this policy can succeed in a straightforward fashion through a packet filtering router or a host with packet filtering capability.

Packet filtering on TELNET and SMTP

A basic example of using packet filtering to implement policy might be to allow only certain connections to a network of address 123.4.*.*. TELNET connections would be allowed to only one host, 123.4.5.6, which may be the site's TELNET application gateway, and SMTP connections will be allowed to two hosts, 123.4.5.7 and 123.4.5.8, which may be the site's two e-mail gateways. NNTP (Network News Transfer Protocol) is allowed only from the site's NNTP feed system, 129.6.48.254, and only to the site's NNTP server, 123.4.5.9; NTP (Network Time Protocol) is allowed to all hosts. The packet filtering router will block all other services and packets. This very basic example of packet filtering can become more complex and flexible as the site further adjusts the filtering rules.

Unfortunately, packet filtering routers cannot do everything. They have also traditionally been less than user-friendly in their configuration and maintenance. This is changing, with vendors paying more attention to the interface.

Packet filtering rules are inherently complex to specify, and usually no testing facility exists for verifying the correctness of the rules. In addition, some routers provide no logging capability, so that if a router’s rules still let dangerous packets through, the packets may not be detected until a break-in occurs. Sites opting to use a packet filtering router for their firewall should look for one that offers extensive logging, simplified set-up and some form of rule checking.

Exceptions to filtering rules will often be needed to allow certain types of access that normally would be blocked. These exceptions can make the filtering rules so complex as to be unmanageable. For example, it is relatively straightforward to specify a rule to block all inbound connections to port 23 (the TELNET server), but some sites make exceptions so that certain specified systems can accept TELNET connections directly. To do this, the administrator must add a rule for each system. (Some packet filtering systems attach significance to the sequential order of the filter rules, allowing the administrator to put an exception PERMIT to a specific system followed by a DENY for all systems.) The addition of certain rules in this manner may complicate the entire filtering scheme. Some packet filtering routers do not filter on the TCP/UDP source port, which can make the filtering rule set more complex and can open up holes in the filtering scheme.
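The policy above (TELNET, SMTP, NNTP and NTP on the 123.4.*.* network) written as an ordered, first-match access list and evaluated against constructed packets, as an added example in Python that is not part of the original text; the Packet and Rule types, the RFC 5737 addresses used for outside hosts, and the choice of UDP port 123 for NTP are assumptions. It also includes the kind of rule-checking aid the text says routers usually lack: a check for rules fully shadowed by an earlier one.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed packet model: only the header fields a stateless filter looks at.
Packet = namedtuple("Packet", "src dst proto sport dport")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # source network; the default matches any source
    dst: str = "0.0.0.0/0"           # destination network
    proto: Optional[str] = None      # "tcp" or "udp"; None matches any protocol
    dport: Optional[int] = None      # destination port; None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


SITE = "123.4.0.0/16"          # the text's 123.4.*.* network
NNTP_FEED = "129.6.48.254/32"  # the text's NNTP feed system

# The text's policy as an ordered, first-match access list. Each PERMIT is an
# exception placed ahead of the closing DENY, as the text describes. NTP on
# UDP port 123 is an assumption; the text does not name the transport.
ACL: List[Rule] = [
    Rule("permit", dst="123.4.5.6/32", proto="tcp", dport=23, comment="TELNET to the application gateway"),
    Rule("permit", dst="123.4.5.7/32", proto="tcp", dport=25, comment="SMTP to e-mail gateway 1"),
    Rule("permit", dst="123.4.5.8/32", proto="tcp", dport=25, comment="SMTP to e-mail gateway 2"),
    Rule("permit", src=NNTP_FEED, dst="123.4.5.9/32", proto="tcp", dport=119, comment="NNTP from the feed"),
    Rule("permit", dst=SITE, proto="udp", dport=123, comment="NTP to all hosts"),
    Rule("deny", comment="everything else"),
]


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; an exhausted list is an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule
    return "deny", None


def shadowed(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Rule-checking aid of the kind the text says is usually missing: report
    (later, earlier) index pairs where the later rule is fully covered by an
    earlier rule and therefore can never fire."""
    found = []
    for i, later in enumerate(acl):
        for j, earlier in enumerate(acl[:i]):
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                found.append((i, j))
                break
    return found


# Constructed sample traffic; outside hosts use RFC 5737 documentation addresses.
SAMPLES: Dict[str, Packet] = {
    "telnet to gateway":    Packet("198.51.100.7", "123.4.5.6", "tcp", 40000, 23),
    "telnet to other host": Packet("198.51.100.7", "123.4.5.10", "tcp", 40001, 23),
    "smtp to mail gw 2":    Packet("198.51.100.7", "123.4.5.8", "tcp", 40002, 25),
    "ntp to any host":      Packet("203.0.113.9", "123.4.5.77", "udp", 123, 123),
    # A stateless filter trusts the source field as written, so a packet that
    # carries the feed's address is permitted whether or not it came from the feed.
    "nntp claiming feed":   Packet("129.6.48.254", "123.4.5.9", "tcp", 40003, 119),
}


def decisions() -> Dict[str, str]:
    return {name: evaluate(ACL, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{action:6} {name}")
    print("shadowed rules:", shadowed(ACL))
```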

2. Application Gateways

To counter some of the weaknesses associated with packet filtering routers, developers have created software applications that forward and filter connections for services such as TELNET and FTP. Such applications are referred to as proxy servers, also known as application gateways. A proxy server acts as an intermediary between a client and a server, and is typically implemented as an application running in conjunction with a general-purpose operating system. Clients on the protected network must be specially modified to communicate with the proxy.

Host machines running the proxy servers are referred to as application gateway firewalls. Working together, application gateway firewalls and packet filtering routers can potentially provide higher levels of security and flexibility than either alone. For example, consider a site that blocks all incoming TELNET and FTP connections using a packet filtering router. The router allows TELNET and FTP packets to go to one host only, the TELNET/FTP application gateway.

A user who wishes to connect inbound to a site system would have to connect first to the application gateway, and then to the destination host, as follows:

    1. The user telnets to the application gateway firewall, connecting to the TELNET proxy, and enters the name of an internal host;
    2. The filtering router checks the user's source IP address and accepts or rejects it according to the access criteria in place;
    3. The firewall system may authenticate the user (possibly using a one-time password device);
    4. The proxy creates a TELNET connection between the gateway and the internal host;
    5. The proxy passes bytes between the two connections;
    6. The application gateway firewall logs the connection.

Application gateway firewalls only allow through those services for which there is a proxy. In other words, if an application gateway contains proxies for FTP and TELNET, then only FTP and TELNET may be allowed into the protected subnet and all other services are completely blocked (see following figure). For some sites, this degree of security is important, as it guarantees that only those services deemed trustworthy are allowed through the firewall. It also prevents other untrusted services from being implemented behind the backs of the firewall administrators.

Proxies on an application gateway

Application gateways offer a number of general advantages over the default mode of permitting application traffic directly to internal hosts. These advantages include:

Of course, there is seldom gain without pain. In the case of client-server protocols such as TELNET, some application gateway firewalls require two steps to connect inbound or outbound, which can be viewed as a disadvantage or an advantage, depending on whether the modified clients make it easier to use the firewall. A TELNET application gateway would not necessarily require a modified TELNET client, but it would require a modification in user behavior: the user must connect (but not log in) to the firewall instead of connecting directly to the host.

A modified TELNET client could make the firewall transparent to users by permitting them to specify the destination system in the TELNET command. The firewall would serve as the route to the destination system and thereby intercept the connection, and then perform additional steps as necessary, such as querying for a one-time password. Users would not need to change their behavior; however, a modified client would have to run on each system.

Many modern application gateway firewalls have transparent proxies. While the proxies are still standing in the gap between the client and the server, they do their job transparently. No modification to client software or user behavior is needed.

In addition to TELNET, many application gateways can accommodate FTP and e-mail, as well as X Windows and some other services. Since application gateway firewalls deal with application-level data, security decisions can be based not only on source, destination, and service; the actual data can be examined. Some FTP application gateways, for instance, can deny put and get commands to specific hosts. An outside user who has established an FTP session, via the FTP application gateway, to an internal system (such as an anonymous FTP server) might try to upload files to the server. The application gateway can filter the FTP protocol and deny all puts to the anonymous FTP server. This would ensure that nothing could be uploaded to the server, providing a higher degree of assurance than relying only on the correct setting of file permissions at the anonymous FTP server.
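An FTP-aware screening step of the sort described above, as an added example in Python that is not code from the original text: it denies STOR, STOU and APPE (the "puts") to a read-only anonymous server and decodes the client's PORT command so the packet filter can open exactly the data connection the session negotiated, which is the dynamic-port problem the packet filtering section mentions. The server address 123.4.5.30, the reply texts and the constructed session lines are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# RFC 959 commands that write to the server: the "puts" the text's gateway denies.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) names the client endpoint for the data connection.
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT argument into (address, port); None if it is malformed."""
    m = PORT_RE.match(arg.strip())
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


@dataclass(frozen=True)
class Decision:
    action: str                                      # "forward" or "reject"
    reply: Optional[str] = None                      # reply returned to the client on reject
    data_endpoint: Optional[Tuple[str, int]] = None  # client data endpoint learned from PORT


@dataclass
class FtpGatewayPolicy:
    read_only_servers: Set[str]                  # internal servers that accept no uploads
    log: List[str] = field(default_factory=list)

    def screen(self, client: str, server: str, line: str) -> Decision:
        """Screen one control-channel line from client to server before relaying it."""
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd in UPLOAD_COMMANDS and server in self.read_only_servers:
            self.log.append(f"{client} -> {server}: denied {cmd} {arg}")
            return Decision("reject", "550 Uploads to this server are not permitted.\r\n")
        if cmd == "PORT":
            endpoint = parse_port_argument(arg)
            # Honour only a data endpoint on the client that issued the command, and
            # hand it back so the packet filter can open exactly that connection.
            if endpoint is None or endpoint[0] != client:
                self.log.append(f"{client} -> {server}: denied PORT {arg}")
                return Decision("reject", "501 Bad PORT argument.\r\n")
            return Decision("forward", data_endpoint=endpoint)
        return Decision("forward")


# Constructed session: an outside client, relayed by the gateway, talking to an
# anonymous FTP server at 123.4.5.30 (an assumed address on the text's network).
CLIENT, SERVER = "198.51.100.7", "123.4.5.30"
SESSION = [
    "USER anonymous", "PASS guest@example.org",
    "PORT 198,51,100,7,156,64", "RETR README",
    "STOR upload.txt", "LIST",
]


def run_session(policy: FtpGatewayPolicy) -> List[str]:
    return [policy.screen(CLIENT, SERVER, line).action for line in SESSION]


if __name__ == "__main__":
    policy = FtpGatewayPolicy(read_only_servers={SERVER})
    for line, action in zip(SESSION, run_session(policy)):
        print(f"{action:8} {line}")
    print("\n".join(policy.log))
```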

An e-mail application gateway centralizes collection and distribution of e-mail among internal hosts and users. To outsiders, all internal users under this scheme have e-mail addresses of the form user@emailhost, where emailhost is the name of the e-mail gateway. The gateway accepts mail from outsiders and forwards it to other internal systems as necessary. Internal system users can send e-mail directly from their hosts, or in the case where internal system names are not known outside the protected subnet, to the application gateway, which then forwards the mail to the destination host. Application gateway firewalls can examine and screen e-mail for viruses or unsolicited commercial e-mail (commonly referred to as "spam").

A proxy server does not forward packets directly; rather, it acts as an endpoint for client connections from the protected net, and establishes independent connections to the ultimate destinations requested by the clients. The proxy server copies data in both directions to and from the client connection.

Although proxy servers offer more complete filtering than simple packet filters, they suffer several disadvantages:

    1. Clients on the protected network must be specially modified to implement the proxying protocol. This complicates the configuration and adds considerable network administration. Since proxies are application-specific, only applications that have proxies will work.
    2. Because proxy servers operate with a general-purpose operating system, they are vulnerable to whatever security problems that OS might have.
    3. An OS-based system introduces significant processing overhead, meaning that throughput degrades as the number of proxied connections goes up. Performance becomes a significant problem at link speeds now in common use for Internet connections.

Proxy servers introduce a lot of latency, since two separate TCP connections must be established before any data can be transferred. New connections suffer from a high connection setup time due to the "process" nature of a proxy: each connection requires a separate process.

An application gateway applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but it can impose performance degradation.

3. Packet Inspection

Stateful packet inspection combines the best aspects of the packet filter and proxy methods above, without their attendant problems. A stateful device performs fundamentally as a packet filter, yet it tracks the state of connections made through it. Such tracking enables the device to reject packets that are not associated with existing connections initiated from the protected network. Rejected packets are dropped and a security log message is generated.

Stateful devices offer the sophisticated decision making capabilities of proxy servers, yet operate much faster because they use a minimal implementation with no OS processing overhead.

Because stateful packet inspection is transparent, special proxy applications are not required. This reduces the load on the firewall and improves performance when the connection is destined for an internal host, since the firewall will not be involved. This is not the case when an application is configured to use a proxy server.

Some Internet firewalls combine the packet filtering and application gateway approaches, using a packet filter screening computer or hardware router to control lower-layer communication, and gateways to enable applications. This can create a high degree of access control. However, this arrangement may place limits on transparency, flexibility and connectivity, and may also get expensive in terms of setup, management and expertise.

Another approach gaining acceptance is to inspect packets rather than just filtering them; that is, to consider their contents as well as their addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet intended for other layers, from the network layer (IP headers) up to the application layer. This strategy can provide context sensitive security for complex applications and may be more effective than technologies that can only access data in certain layers. For example, although application gateways have access only to the application layer and routers have access only to the lower layers, the packet inspection approach integrates the information gathered from all layers into a single inspection point.

Some inspection firewalls also take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. This takes the so-called stateful inspection approach well beyond packet filtering. The inspection module uses previous communications to derive the state of the current communication being attempted.

Intelligent filtering can effectively combine with the ability to do network session tracking, to use information about the beginning and end of sessions in filtering decisions. This is known as session filtering. The filter uses smart rules, thus enhancing the filtering process and controlling the network session rather than controlling the individual packets. A network session contains packets going in two directions, so without session filtering each session requires two packet filter rules. The first rule controls the packets going from the originating host to the destination host and the second controls packets returning from the destination host to the originating host [Amor]. A smart rule, on the other hand, knows that returning packets will head in the opposite direction and so does not require the second rule.

This approach offers considerable advantages, since sites usually treat packets originating outside the firewall differently from packets returning from an authorized connection to the outside. What makes this smart filtering possible is a session cache, which retains information about sessions until they are completed.
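The session cache described above, as an added example that is not part of the original paper: a plain packet filter needs two directional rules per service and cannot tell a real reply from an inbound packet that merely looks like one, while a session filter with a single smart rule consults its cache instead. The addresses, ports and rule layout are constructed for illustration.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed prefix of the protected network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # the TCP segment that opens a connection
    fin: bool = False   # the segment that ends it

def _match(value, pattern):
    """None is a wildcard; a string pattern is an address prefix."""
    if pattern is None:
        return True
    if isinstance(pattern, str):
        return value.startswith(pattern)
    return value == pattern

def stateless_decision(pkt, rules):
    """Plain packet filter: rules are (src, sport, dst, dport) and every
    service needs an outbound rule plus a second rule for returning packets."""
    for src, sport, dst, dport in rules:
        if (_match(pkt.src, src) and _match(pkt.sport, sport)
                and _match(pkt.dst, dst) and _match(pkt.dport, dport)):
            return "allow"
    return "deny"

class SessionFilter:
    """Session filter: one smart rule (src, dport) per permitted service and a
    session cache holding every session opened through the firewall."""

    def __init__(self, smart_rules):
        self.rules = list(smart_rules)
        self.sessions = set()   # the session cache: (src, sport, dst, dport)

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reply_of in self.sessions:
            if pkt.fin:                      # session ends: drop it from the cache
                self.sessions.discard(key)
                self.sessions.discard(reply_of)
            return "allow"                   # known session, or its reply
        if pkt.syn and any(_match(pkt.src, s) and _match(pkt.dport, d)
                           for s, d in self.rules):
            self.sessions.add(key)           # new session permitted by a smart rule
            return "allow"
        return "deny"   # includes an inbound packet posing as a reply to no request

def demo():
    """Decisions (stateless, stateful) for a constructed exchange: an inside
    host opens a web session, the server replies, and an outside host then
    sends a packet dressed up as a web reply that nobody requested."""
    two_rules = [(INSIDE, None, None, 80),     # outbound to any web server
                 (None, 80, INSIDE, None)]     # second rule: returning packets
    stateful = SessionFilter([(INSIDE, 80)])   # one smart rule covers both ways
    pkts = {"request": Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
            "reply": Packet("203.0.113.10", 80, "10.0.0.5", 40000),
            "forged": Packet("198.51.100.9", 80, "10.0.0.7", 40001)}
    return {n: (stateless_decision(p, two_rules), stateful.decide(p))
            for n, p in pkts.items()}
```

The two-rule filter lets the forged "reply" through because it has no memory of what was requested; the session filter denies it while still passing the genuine reply.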

An inspection module can typically handle packets faster than an application gateway for a given unit of processing power. This can translate into cost savings; for instance, cheaper hardware can run the firewall. Inspection firewalls can also provide address translation and hiding, as well as other services such as virus scanning that are also being added to application gateway firewalls.

While inspecting packets at levels above the network layer requires more processing power than simple packet filtering, inspecting packet contents purely from the perspective of security is potentially less work than application processing. This approach also removes the need to write a new proxy every time a new service is required. Proponents argue that inspection firewalls therefore provide the quickest way to allow new services, such as a new video-conferencing protocol, to pass through the firewall. Application gateways, by comparison, would deny such a service until a proxy became available.

Advocates of the application proxy approach counter that major vendors, such as Intel, now work closely with firewall vendors to make proxy applications quickly available. (This process is facilitated by ICSA’s Firewall Product Developers Consortium.) They also note that although inspection firewalls can allow a new service very easily, the inspection module will need to be fine-tuned to provide maximum safety.

Some argue that safely modifying inspection code is harder than writing a secure application proxy, but this is an area of debate. Some experts also contend that, by allowing packets to travel through, inspection firewalls open themselves to more danger than application proxies, which create packets rather than let any pass through. Shoppers will need to decide for themselves whether this creates a concern for them.

     4. Hybrid Firewalls

In practice, many of today's commercial firewalls use a combination of these techniques. For example, a product that originated as a packet filtering firewall may since have been enhanced with smart filtering at the application level. Application proxies in established areas such as FTP may augment an inspection-based filtering scheme. Remember, adding security methods does not necessarily mean an increase in security. Additional mechanisms may increase, decrease, or leave unaffected the security posture of the firewall. Buyers should read the functional summaries provided by vendors for more details of how a particular product is designed. Functional summaries for certified firewalls reside at the ICSA Web site (www.icsa.net). Also, bear in mind that all ICSA certified firewalls have passed the same set of tests, regardless of the product type or design philosophy.

All the types of firewalls are functionally equivalent. The type of mechanism used determines the granularity of the firewall: how much security work it can accomplish. Packet filters are the least granular; application gateway firewalls are the most granular. A packet inspection firewall can be made almost as granular as an application gateway firewall. However, just because a particular product is characterized as a particular type of firewall does not mean that it does all of the security processing possible with that kind of firewall.
 
 

10. The Active Firewall Concept

In a physical security environment, we also take for granted that the various security components interact with each other, working in concert to share information and adapt to new threats as they occur. When a guard hears an alarm go off on an exhibit, he adapts his actions accordingly. He might, for example, temporarily block all passage through his door until the incident is resolved. Or he might simply increase the level of security checks conducted on those leaving the museum for a period of time. If a side access door is found to have a broken lock during a routine check, security is increased at that exit until the problem can be resolved. If a guard spots suspicious activity or an attempted break-in, he immediately radios an incident report to the central monitoring room so that other guards and those watching the security cameras can be on the lookout.

What if our museum guard ignored alarms, turned off his radio, and responded to an attempted break-in by simply jotting down a written note, but making no effort to notify others? He would probably be fired for incompetence, even if his door were never penetrated. Yet we are often forced to accept this kind of passive performance from our corporate security systems today. Our firewalls may be guarding their respective doors effectively, but they are not empowered to communicate or respond to changing threats and conditions.

The types of active communications we have long taken for granted in the arena of physical security are virtually nonexistent in the realm of network security. Traditional firewalls do not communicate with vulnerability scanners. And they are largely deaf to the alarms of intrusion protection monitors. When suspicious activity is observed elsewhere on the network, traditional firewalls do not increase the detail in their log files to create a better audit trail. They cannot correlate observations from around the network, nor can they close a known security hole without manual human intervention.

To truly address the rapidly growing security threat, firewalls must evolve from passive guards simply watching the gate into active guards working in concert with other security components on the network to actively respond to changing threats.

Making Active Firewalls a Reality

Several of the leading security vendors are working to solve such issues. Some have formed partnerships or licensing agreements to cross bundle complementary security products. Others have announced their intent to develop proprietary APIs (application programming interfaces) that would enable other vendors to integrate around their product line. While such efforts are to be commended, they do not yet offer a practical solution to the problem of passive firewalls in a world of constantly changing threats. Network Associates believes the answer to building and deploying practical active firewall solutions lies in integrating security products around an open event management system, in much the same way that a physical facility directs all communications through a central monitoring room. This method offers several important advantages.

            1. More flexible security policy administration.

With a central event management system receiving all alerts and coordinating all resultant actions, administrators can apply a single security policy that takes into account the behavior and activity of multiple scanners, sensors, and monitors at the same time. Hard coded integration between individual security products simply does not allow for this flexibility. Even if an intrusion detection vendor were to offer working integration with a firewall vendor, for example, the two products would have no visibility into events recorded by other security products.

            2. Single point of integration.

Hard coded integration between individual point products is also problematic when new versions are released. In most cases, maintaining working integration requires multiple vendors to coordinate release schedules and to have intimate knowledge of each other's product road maps. Coordinating all integration through an open event manager eliminates this problem. As long as each component product speaks to the event manager, integration is maintained, regardless of whether or not other connected products are current.

            3. Far fewer complexities.

Most industry observers are hard pressed to find examples of multi-vendor coalitions in any industry segments that have actually produced meaningful integration between disparate products. In most cases, multi-vendor coalitions fail because members are simply unwilling to make integration a priority by coordinating releases and disclosing product road map details. In other instances, integration efforts break down because the founding member fails to deliver reliable APIs and integration guidelines. Even integration efforts that do succeed initially frequently stumble when it comes to ongoing support of the multi-vendor solution.
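An added example (not from the original paper or from any vendor's product) of the active firewall built around a central event manager described above: the firewall raises its log detail for a source reported as suspicious, blocks that source once two different sensors have reported it, and holds a scanner-reported port shut until remediation is reported. The event kinds, sensor names, hosts and ports are all assumed for illustration.

```python
from collections import defaultdict

class EventManager:
    """Central event manager: every sensor and the firewall speak only to it."""
    def __init__(self):
        self.handlers = defaultdict(list)

    def subscribe(self, kind, handler):
        self.handlers[kind].append(handler)

    def publish(self, kind, **event):
        for handler in self.handlers[kind]:
            handler(event)

class ActiveFirewall:
    """A firewall that adapts to events reported by other security components."""
    def __init__(self, manager):
        self.log_level = defaultdict(lambda: "normal")   # audit detail per source
        self.seen_by = defaultdict(set)       # source -> sensors that reported it
        self.blocked_sources = set()
        self.closed_ports = set()             # (host, port) pairs held shut
        manager.subscribe("suspicious", self.on_suspicious)
        manager.subscribe("vulnerability", self.on_vulnerability)
        manager.subscribe("remediated", self.on_remediated)

    def on_suspicious(self, ev):
        src = ev["source"]
        self.log_level[src] = "verbose"       # richer audit trail for this source
        self.seen_by[src].add(ev["sensor"])
        if len(self.seen_by[src]) >= 2:       # correlated by two sensors: block it
            self.blocked_sources.add(src)

    def on_vulnerability(self, ev):
        self.closed_ports.add((ev["host"], ev["port"]))   # close the hole itself

    def on_remediated(self, ev):
        self.closed_ports.discard((ev["host"], ev["port"]))

    def decide(self, src, dst, dport):
        if src in self.blocked_sources or (dst, dport) in self.closed_ports:
            return "deny"
        return "allow"

def demo():
    """Walks through a constructed incident and returns the firewall's decisions."""
    mgr = EventManager()
    fw = ActiveFirewall(mgr)
    out = {"before": fw.decide("198.51.100.9", "10.0.0.20", 25)}
    mgr.publish("suspicious", sensor="ids-1", source="198.51.100.9")
    out["one_sensor"] = (fw.decide("198.51.100.9", "10.0.0.20", 25),
                         fw.log_level["198.51.100.9"])
    mgr.publish("suspicious", sensor="honeypot", source="198.51.100.9")
    out["two_sensors"] = fw.decide("198.51.100.9", "10.0.0.20", 25)
    mgr.publish("vulnerability", scanner="scan-1", host="10.0.0.20", port=25)
    out["while_vulnerable"] = fw.decide("203.0.113.10", "10.0.0.20", 25)
    mgr.publish("remediated", scanner="scan-1", host="10.0.0.20", port=25)
    out["after_fix"] = fw.decide("203.0.113.10", "10.0.0.20", 25)
    return out
```

Because each component talks only to the event manager, a new sensor can be added by publishing the same event kinds, without changing the firewall or any other product.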
 
 

11. Case studies

1. An academic organization

Academic organizations such as universities typically have the most trouble setting up a firewall. This is due to notions of academic freedom and to the fact that the user community usually wants to experiment with a wide variety of features of the network, and will tend to actively resent or circumvent a firewall that interferes with them. Additionally, academic organizations often have independent departmental budgets and semi-autonomous use of the campus network, which makes it difficult to enforce a common security approach. If one department in the university installs a security system that interferes with the others, they can and will simply purchase new network links to bypass it. One approach that seems to work for academia is to isolate critical computing systems behind internal firewalls. Systems where student records, loan information, and paychecks are processed should be isolated from the main campus networks by placing them behind screening routers or commercial firewalls.

2. A research lab

Research labs are often another difficult case. Scientists expect to use the network for collaboration and for research access to late-breaking information. In many cases, however, the research may be economically significant and should be protected. Systems where patent applications, designs for proprietary products, etc., are stored should be isolated and protected - or consider adding a second network which is Internet accessible and keeping it physically separate from the internal research network. Research labs suffer many of the same problems as academia, since they tend to have user communities that want to be on the cutting edge and will not tolerate interference. Perhaps more than anything else, it is important to get staff to recognize the need to protect intellectual property. Many research labs are connected to the Internet behind commercial proxy-based firewalls that are fairly conservative but which permit access to the Web and other sources of information. Other research labs rely on separated networks or isolated systems for storing proprietary information.

3. An electronic commerce application

As electronic commerce becomes more important, the need to pass commercial traffic into and out of firewalls will become more crucial. Service oriented requirement analysis is a useful tool for designing and implementing such systems. Suppose an organization wants to put a Web server on an external network, and to provide database access of some sort to a system behind a firewall. In this case, our requirement is to get data back and forth for SQL only. We might choose a screening router firewall, configured to just allow the SQL data between the outside web server and the inside. A commercial firewall that permitted some kind of generic proxy or which supported an SQL service might be another option.
 
 

12. Conclusion

Firewalls, like many other security systems, are not perfect. The trade-off they usually represent is between ease of use and security. The more rigorously the firewall checks the user's identity and activity, the more likely the user is to feel interrupted, pestered, and resentful.

The Internet firewall cannot protect against internally launched attacks. Firewalls also do not address insider attacks, since they provide perimeter defense only [Amor]. Firewalls are not general-purpose access control systems and do not control insiders’ abuse of authorized access—perhaps the greatest risk of all. Information security surveys consistently report that more than half of all incidents are insider attacks, and many seasoned security professionals believe that insiders cause as many as 80 percent of all security problems.

Another major problem firewalls can't directly resolve is malicious code: viruses and Trojan horses. Viruses are self-replicating code that can cause considerable disruption on networks as well as on individual workstations. A Trojan horse program, such as a password sniffer, pretends to be something it is not in order to accomplish the aims of its creator. Nowadays, some firewalls can check incoming code for signs of viruses and Trojan horses.

Systems for detecting attacks from both outside and inside the network have now been developed, such as the IDS (Intruder Detection System). These also have a disadvantage: the absence of a self-recovery mechanism. The user must therefore provide such a mechanism or rely on an external system for recovery, and pays the very high penalty of breaking all connections to the protected system.

In any case, the firewall plays a major role in network security and protection, and it is the most popular and widely used security mechanism.

13. Glossary

Access Router

A router that connects your network to the external Internet. Typically, this is your first line of defense against attackers from the outside Internet. By enabling access control lists on this router, you'll be able to provide a level of protection for all of the hosts "behind" that router, effectively making that network a DMZ instead of an unprotected external LAN.

Application Level Firewall

A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.

Bastion Host

A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" web servers or public access systems. Generally, a bastion host is running some form of general-purpose operating system (e.g., Unix, VMS, NT, etc.) rather than a ROM based or firmware operating system.

De-Militarized Zone

In the context of firewalls, this refers to a part of the network that is neither part of the internal network nor directly part of the Internet. Typically, this is the area between your Internet access router and your bastion host, though it can be between any two policy enforcing components of your architecture. A DMZ can be created by putting access control lists on your access router. This minimizes the exposure of hosts on your external LAN by allowing only recognized and managed services on those hosts to be accessible by hosts on the Internet. By putting hosts with similar levels of risk on networks together in the DMZ, you can help minimize the effect of a break-in at your site.

DNS spoofing

Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Host

A computer system that is accessed by a user working at a remote location. Typically, the term is used when there are two computer systems connected by modems and telephone lines. The system that contains the data is called the host, while the computer at which the user sits is called the remote terminal. Alternatively, it is a computer that is connected to a TCP/IP network, including the Internet. Each host has a unique IP address.

Intranets

A network based on TCP/IP protocols belonging to an organization, usually a corporation, accessible only by the organization's members, employees, or others with authorization. An Intranet’s Web sites look and act just like any other Web sites, but the firewall surrounding an Intranet fends off unauthorized access.

IP spoofing

A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted port. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted port and then modify the packet headers so that it appears that the packets are coming from that port. Newer routers and firewall arrangements can offer protection against IP spoofing.

Proxy

A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.

Proxy Server

A server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. Its main purposes are to improve performance (by avoiding redundancy and so on) and to filter requests.

SMTP

Short for Simple Mail Transfer Protocol, a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP (Post Office Protocol, a protocol used to retrieve e-mail from a mail server) or IMAP (Internet Message Access Protocol, a protocol for retrieving e-mail messages). In addition, SMTP is generally used to send messages from a mail client to a mail server. This is why you need to specify both the POP or IMAP server and the SMTP server when you configure your e-mail application.

Telnet

A terminal emulation program for TCP/IP networks such as the Internet. The Telnet program runs on your computer and connects your PC to a server on the network. You can then enter commands through the Telnet program and they will be executed as if you were entering them directly on the terminal.

UDP

Short for User Datagram Protocol, a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It's used primarily for broadcasting messages over a network.
 
 

14. References

      1. Firewalls and Internet Security - Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin.

      2. Building Internet Firewalls, by Brent Chapman and Elizabeth D. Zwicky.

      3. Internet Firewalls and Network Security, by Karanjit Siyan, Ph.D.

      4. http://www.meridiansystems.com

      5. Networking Fundamentals Technical White Paper and Network Address Translation Technical White Paper, Meridian Network Systems.

      6. http://www.clark.net/pub/mjr/pubs/fwfaq/

      7. http://www.interhack.net/pubs/fwfaq/