
INTRODUCTION

With the whole of the networking world moving toward inhabiting a single global village, we inevitably have to start thinking about locking our doors and bolting our windows. It has to be recognised that no computer system can ever be 100 per cent secure, but it has to be secure enough to deter the casual hacker – we don’t want some spotty adolescent spiriting away our corporate secrets from his bedroom using nothing more than a cheap PC, a modem and a few lines of code downloaded from the “Hackers ’R’ Us” Web site.

One in five respondents to a recent survey admitted that intruders had broken into, or had tried to break into, their corporate networks, via the Internet, during the preceding twelve months. This is even more worrying than it sounds, since most experts agree that the majority of break-ins go undetected.

For example, attacks by the Defence Information Systems Agency (DISA) on 9,000 US Department of Defence computer systems had an 88 per cent success rate but were detected by less than one in twenty of the target organisations. Of those organisations, only five per cent actually reacted to the attack (Source: NCSA).

The first step in securing our networks is not to rush out and buy the best firewall or encryption software we can find, however. Instead, some thought and effort should be put into developing a comprehensive, yet manageable, corporate security policy. This needs to cover everything from anti-virus protection to business recovery strategy. It should cover network access, password policy, authentication methods and how and when encryption should be employed. It should also cover physical security aspects, such as building access, shredding of sensitive documents, and physical security of PCs and file servers.

When it comes to implementing the security policy, one of the major tools available to the network administrator is the firewall.

What Is A Firewall?

There are a number of definitions of the firewall, but perhaps the simplest is “a mechanism used to protect a trusted network from an untrusted network”. A firewall is a system, or group of systems, that enforces an access control policy between two networks, and thus should be viewed as an implementation of policy.

The bottom line, therefore, is that a firewall is only as good as the Security Policy it supports. However, it is also true to say that a completely secure firewall is not always transparent to the user, and this can often lead to problems of users trying to circumvent the corporate security policy to get around some unpopular restriction imposed by the firewall.

One of the biggest advantages of effective firewalls is that they can present just a single IP address to the outside world, thus hiding the real structure of your network from prying eyes. They will also usually provide full auditing and reporting facilities.

One thing to bear in mind right from the outset is that a firewall is not simply for protecting a corporate network from unauthorised external access via the Internet; it can also be used internally to prevent unauthorised access to a particular subnet, workgroup or LAN within a corporate network.

Figures from the FBI suggest that 70 per cent of all security problems originate from inside an organisation. Thus, for example, if your Research & Development department has its own server, you could protect it and the department’s workstations behind a firewall, whilst still allowing them to remain a part of the corporate-wide network.

One caveat here, however. Be aware that there are few firewalls on the market today that can provide wire speed throughput even at 100Mbps, let alone Gigabit speeds. Whilst this is not always an issue when the firewall is sitting in front of a slow Internet link, it can cause some serious bottlenecks if you try to put it on a Gigabit backbone!

As firewalls move from the category of “propeller-head” to “commodity”, the smart vendors are already realising the need to differentiate their products further. This is achieved by layering additional services on top of the firewall, so that critical processes which are best performed at the corporate gateway to the Internet – such as virus scanning or bandwidth control – can be executed by the firewall box.

Firewall Architectures

When looking at today’s firewall products, there are three main architectures currently in use:

Static Packet Filtering

Working at the Network Layer of the OSI stack, packet filters make simple deny or permit choices depending on the network address of the packet and a number of rules defined by the administrator.

Packet filtering is fast, transparent (no changes are required at the client), flexible and cheap (most routers provide packet filtering capabilities, and pure packet filter firewalls do not require powerful hardware on which to run).

Dynamic Packet Filtering/Stateful Inspection

Some vendors are touting this as the “third generation” of firewall architectures, but it is really just an extension of the basic packet filtering architecture employed by most routers.

Stateful Inspection occurs at the MAC or Network Layer, thus making it fast and preventing suspect packets from travelling up the protocol stack. Unlike static packet filtering, however, Stateful Inspection makes its decisions based on all the data in the packet (corresponding to all the levels of the OSI stack).

The state of the connection is monitored at all times (hence stateful inspection), allowing the actions of the firewall to vary based on the administrator-defined rules and the state of previous conversations. In effect, the firewall is capable of remembering the state of each ongoing conversation across it, thus allowing it to effectively screen all packets for unauthorised access whilst maintaining high security, even with connectionless protocols such as UDP.
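To make the difference between the two packet-filtering architectures concrete, here is a small simulation added for this article (it is not NSS code or any vendor's product). The trusted subnet 10.0.0.0/24, the sample packets and the 30-second UDP idle timeout are all constructed; the static filter can only admit DNS replies by leaving a permanent hole for "source port 53 to any high port", whereas the stateful filter admits a reply only if it matches a conversation an inside host actually started.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN: start of a new connection
    t: float = 0.0     # arrival time in seconds


def is_inside(ip):
    return ip.startswith("10.0.0.")  # constructed trusted subnet


class StaticFilter:
    """Network-layer rules only: (proto, remote port) permits inbound traffic to any
    inside port >= 1024. The administrator must leave this hole open for replies."""
    def __init__(self, holes):
        self.holes = set(holes)

    def permit(self, p):
        if is_inside(p.src):
            return True  # outbound is unrestricted
        return (p.proto, p.sport) in self.holes and p.dport >= 1024


class StatefulFilter:
    """Remembers conversations started from inside and admits only their replies,
    giving connectionless UDP a pseudo-state with an idle timeout."""
    UDP_IDLE = 30.0

    def __init__(self):
        self.table = {}  # flow key -> time last seen

    def permit(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        if is_inside(p.src):
            if p.proto == "udp" or p.syn or fwd in self.table:
                self.table[fwd] = p.t  # record or refresh the conversation
                return True
            return False  # mid-stream TCP with no recorded state
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)  # reply direction
        last = self.table.get(rev)
        if last is None:
            return False  # unsolicited: nobody inside started this
        if p.proto == "udp" and p.t - last > self.UDP_IDLE:
            del self.table[rev]
            return False  # conversation has expired
        self.table[rev] = p.t
        return True


def run_sample():
    """Constructed traffic: DNS query, its reply, a packet spoofing source port 53,
    a reply arriving after the idle timeout, and an unsolicited inbound TCP SYN."""
    sample = [
        ("dns query", Packet("udp", "10.0.0.5", 40000, "8.8.8.8", 53, t=0.0)),
        ("dns reply", Packet("udp", "8.8.8.8", 53, "10.0.0.5", 40000, t=0.1)),
        ("spoofed src port 53", Packet("udp", "203.0.113.9", 53, "10.0.0.5", 40000, t=1.0)),
        ("reply after idle", Packet("udp", "8.8.8.8", 53, "10.0.0.5", 40000, t=100.0)),
        ("inbound tcp syn", Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 80, syn=True)),
    ]
    static, stateful = StaticFilter([("udp", 53)]), StatefulFilter()
    return [(name, static.permit(p), stateful.permit(p)) for name, p in sample]
```

Running `run_sample()` shows the static hole admitting the spoofed and the stale packet, while the stateful table rejects both.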

Proxy Servers

Working at the Application Layer of the OSI stack, a Proxy Server firewall acts as an intermediary for user requests, setting up a second connection to the desired resource either at the application layer (an application level gateway) or at the session or transport layer (a circuit level gateway).

Proxy code actually “stands in” for both client and server operations, relaying valid requests between the trusted and untrusted networks via the proxies. Unlike Packet Filter and Stateful Inspection firewalls, a direct connection is never allowed between the two networks.

The penalties paid for this level of security, however, are performance (Proxy Server firewalls have large processor and memory requirements in order to support many simultaneous users), and flexibility (since the introduction of new Internet applications and protocols can often involve significant delays while new proxies are developed to support them).
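The following is an added illustration of an application level gateway, written for this article rather than taken from any product: a minimal HTTP proxy that reads the client's request, applies a (constructed) policy of allowed methods and destination hosts, and only then opens its own second connection to the server, so the client never talks to the untrusted side directly. The `demo` helper runs it over in-process socket pairs so it needs no network; the per-protocol parsing it requires is exactly why a new proxy has to be written for each new application protocol.

```python
import socket

# Constructed policy for this hypothetical gateway.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}


def parse_request_line(data: bytes):
    """Parse a proxy-style HTTP/1.x request line, e.g. b'GET http://host/path HTTP/1.1'."""
    parts = data.decode("ascii", "replace").split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or not parts[1].startswith("http://"):
        raise ValueError("malformed request line")
    method, target, version = parts
    host, _, path = target[len("http://"):].partition("/")
    return method, host, "/" + path, version


def application_gateway(client, connect_upstream) -> str:
    """Stand in for the server towards the client and for the client towards the
    server. connect_upstream(host) is called only after the request passes policy,
    so a rejected request never causes any connection to the untrusted side."""
    try:
        method, host, path, version = parse_request_line(client.recv(4096))
    except ValueError:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return "rejected-malformed"
    if method not in ALLOWED_METHODS or host not in ALLOWED_HOSTS:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        return "rejected-policy"
    upstream = connect_upstream(host)  # second, separate connection
    upstream.sendall(f"{method} {path} {version}\r\nHost: {host}\r\n\r\n".encode())
    client.sendall(upstream.recv(4096))  # relay the server's reply back
    upstream.close()
    return "relayed"


def demo(request: bytes, upstream_reply: bytes):
    """Drive the gateway over socket pairs; upstream_reply must be non-empty.
    Returns (outcome, bytes the client got, bytes the server saw, server contacted?)."""
    client, client_peer = socket.socketpair()
    upstream, upstream_peer = socket.socketpair()
    upstream_peer.sendall(upstream_reply)  # pre-buffer the server's answer
    client_peer.sendall(request)
    contacted = []
    outcome = application_gateway(client, lambda host: contacted.append(host) or upstream)
    reply = client_peer.recv(4096)
    try:
        seen = upstream_peer.recv(4096, socket.MSG_DONTWAIT)
    except BlockingIOError:
        seen = b""  # the gateway never sent anything to the server
    for s in (client, client_peer, upstream, upstream_peer):
        s.close()
    return outcome, reply, seen, bool(contacted)
```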

Whilst static packet filtering alone is usually confined to the router these days and not considered strong enough for enterprise class firewall devices, the differences between the remaining two architectures are negligible in most real world environments.

True proxy servers are undoubtedly the safest, but impose a severe overhead in heavily loaded networks. Dynamic packet filtering is definitely faster, though most of the high-end firewalls are hybrids these days, incorporating elements of all three architectures.

At the end of the day, it is just as important to ensure that you have a comprehensive security policy in place and that your firewall is configured and managed effectively, as it is to have a firewall in the first place.

After all, a badly configured firewall could lead to a false sense of security – and that could be worse than leaving yourself unprotected.


Copyright © 1991-2004 The NSS Group Ltd.
All rights reserved.
