
Introducing Firewalls

May 29, 2010

Firewall Advantages and Limitations

Now that the theory behind a firewall has been presented, this section examines the main kinds of firewall in use and the protection each can offer. Where a firewall sits in the network forces every entry into the system through a single, carefully controlled point, usually the link between the internal network and the Internet. That makes the firewall a choke point with a great deal of leverage over the amount and kind of traffic allowed to reach the internal network. Seen this way, a firewall keeps attackers at arm's length from the host-level defences behind it: it limits the system's exposure to threats and is an efficient place from which to log Internet activity. Keep in mind that no security model protects against every possible attack; the aim is to make break-ins rare, brief and inexpensive.

As well as understanding what a firewall can do, it is just as important to understand what it cannot do. Whatever kind of firewall is being considered, all of the limitations below apply to some degree.

1. A firewall provides no protection against malicious insiders. Once an attacker is already inside the network, the firewall can do very little to protect you.

2. A firewall cannot protect against connections that do not pass through it. To get the best protection, every path into the system must go through a firewall, so a site with several outside connections may need several firewalls.

3. A firewall is designed with today's threats in mind, so it cannot be relied on against completely new ones. It must be kept up to date through regular maintenance.

4. A firewall cannot fully protect against viruses. It could examine every packet that enters the system, but a packet filter is not built to tell whether a packet carries part of a legitimate email message or part of a virus; that distinction lives in the application data, and only something that understands the content can make it.

Another point to raise when discussing limitations is that a firewall interferes with the Internet's end-to-end communication model. This is more an inherent design issue than a limitation, but the interruption can cost throughput and introduce all sorts of problems and annoying side effects. Integrating a firewall into a network that previously had none can be difficult to do transparently.

Types of Firewalls

There are four basic kinds of firewall in use today. The first are packet filtering firewalls, or packet firewalls. These are usually implemented on a router and simply pass some packets and block others.

The filter decides using the header fields it can see in each packet: the source and destination addresses and the protocol (TCP, UDP or ICMP) from the IP header, the source and destination ports from a TCP or UDP header, the message type and code from an ICMP header, and the packet size. Some advantages of a packet firewall are:

Every network requires a router in order to connect to the Internet and so this is an attractive alternative for low budget organizations

A single screening router can protect an entire network

Simple packet filtering can be very efficient

Packet filtering is widely available

A packet firewall is not without its disadvantages. The rules used to filter packets can be difficult to configure and test. A packet filter can reduce a router's performance somewhat, although this is highly dependent on the make of the router. It is also not always possible to enforce a site's security policy with packet filtering on a single router alone.

The second major type is the traditional proxy-based firewall. All users behind it must follow special procedures and use network clients that know about the proxy. The proxies themselves are specialized programs that accept requests for Internet services, open replacement connections on the user's behalf and act as gateways to the service. There is some excellent software available for proxying.

There are several toolkits available that will either allow you to easily convert existing client / server applications into proxy based versions or provide you with a suite of proxy servers for common Internet protocols.

Proxy services have the following advantages:

they can be quite effective at logging: because they understand the application protocol they can log just the essential information, which makes for smaller and more useful logs

they may also provide a form of caching, which can help to increase performance and reduce the load on network links

they can be configured to do much more intelligent filtering

since they are actively involved in the connection, they provide a place to do user-level authentication

they automatically provide protection against deliberately malformed IP packets, since they generate completely new IP packets for delivery to the client

a single proxy machine can relay requests to the Internet for a number of other machines at once. The proxy machine is the only machine that requires a valid IP address, which makes proxying an easy way to economize on address space.

It can be difficult to find a proxy service that is as up to date as the non-proxied service, since work on the proxy can only begin once the new service exists. Finding proxies for newer or less widely used services is also a challenge. Proxying usually requires a separate proxy server for each service, and setting up and configuring all of them takes time. One major disadvantage is that the internal user is aware of the proxy, and the documentation for the applications the user is trying to use is rarely written with a firewall in mind.
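The following is an added example, not code from the article: a cut-down request handler for an HTTP proxy of the kind described above, written in Python. It shows three of the advantages listed: the proxy authenticates the user (here with Basic credentials in the Proxy-Authorization header), it filters on what it understands of the application protocol (method and destination host), and it emits a brand-new request to the origin server instead of relaying the client's bytes, while logging only the essential fields. The user database, allowed hosts and sample requests are constructed for the example, and the network I/O is left out so it runs offline.

```python
import base64
import hmac
import urllib.parse
from typing import Dict, Optional, Tuple

# Constructed policy for this example: a proxy user database and what the
# proxy is willing to forward. None of these names come from the article.
USERS = {"alice": "correct horse"}                 # user -> password (plaintext only in this toy)
ALLOWED_HOSTS = {"www.example.com", "mirror.example.net"}
ALLOWED_METHODS = {"GET", "HEAD"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split the head of an HTTP/1.1 proxy request into method, target URL and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name if Proxy-Authorization carries valid Basic credentials."""
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def handle(raw: bytes) -> Tuple[str, Optional[bytes], Dict[str, Optional[str]]]:
    """Decide what the proxy does with one client request.

    Returns (decision, request to send to the origin server or None, log record).
    The log record keeps only the application-level facts worth recording."""
    method, target, headers = parse_request(raw)
    user = authenticate(headers)
    url = urllib.parse.urlsplit(target)
    host = url.hostname or ""
    log: Dict[str, Optional[str]] = {"user": user, "method": method, "host": host, "path": url.path or "/"}
    if user is None:
        return "407 Proxy Authentication Required", None, {**log, "result": "unauthenticated"}
    if method not in ALLOWED_METHODS or host not in ALLOWED_HOSTS:
        return "403 Forbidden", None, {**log, "result": "blocked"}
    # The proxy builds a brand-new request for the origin server. Only the fields it
    # chooses are copied, so nothing from the client's raw bytes (stray headers,
    # odd framing) reaches the Internet unchanged.
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    outbound = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    return "forward", outbound, {**log, "result": "forwarded"}


# Constructed sample requests, as a proxy-aware client would send them.
_CREDS = base64.b64encode(b"alice:correct horse").decode()
GOOD_REQUEST = (
    "GET http://www.example.com/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Proxy-Authorization: Basic {_CREDS}\r\n"
    "X-Internal-Hostname: desktop-17\r\n\r\n"      # a header the proxy must not leak outside
).encode()
NO_AUTH_REQUEST = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BLOCKED_REQUEST = (
    "GET http://evil.example.org/ HTTP/1.1\r\nHost: evil.example.org\r\n"
    f"Proxy-Authorization: Basic {_CREDS}\r\n\r\n"
).encode()

if __name__ == "__main__":
    for req in (GOOD_REQUEST, NO_AUTH_REQUEST, BLOCKED_REQUEST):
        print(handle(req))
```

The point of the outbound construction is the one the list makes about malformed packets: the origin server only ever sees a request the proxy composed, so an internal hostname header or a broken request line from the client stops at the proxy. The log record is likewise built from parsed fields rather than from raw bytes, which is why proxy logs can stay small and still say who asked for what.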

A packet rewriting firewall is the third major type. It tries to solve the problems a firewall creates for the internal user by making the firewall transparent: it rewrites the headers of IP packets as they pass between the internal network and the Internet. From the outside all communications appear to be mediated through a proxy on the firewall, while from the inside each machine appears to be talking directly to the host on the Internet.
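As an added illustration (not from the article), here is the rewriting step in Python: a table that maps each outbound flow from an internal host to a port on the firewall's single public address and undoes the mapping on the reply. This is what is now called source network address translation (NAT). The addresses and port range are constructed for the example, and packets are plain dictionaries of header fields; the code is the translation logic only, not a complete firewall.

```python
import itertools
from typing import Any, Dict, Optional, Tuple

Endpoint = Tuple[str, int]      # (IP address, port)
Packet = Dict[str, Any]         # {"src", "sport", "dst", "dport", "proto"}


class PacketRewriter:
    """Source address/port rewriting on the firewall.

    Outbound packets leave with the firewall's own public address and a fresh port;
    the reply to that port is rewritten back to the internal host that started the
    exchange. An inbound packet that matches no outbound entry has nobody to go to
    and is dropped, which is why the internal hosts are invisible from outside."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (internal endpoint, external endpoint) -> public port handed out for that flow
        self._out: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (public port, external endpoint) -> internal endpoint the reply belongs to
        self._in: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def rewrite_outbound(self, pkt: Packet) -> Packet:
        internal: Endpoint = (pkt["src"], pkt["sport"])
        external: Endpoint = (pkt["dst"], pkt["dport"])
        port = self._out.get((internal, external))
        if port is None:                       # first packet of a new flow: allocate a mapping
            port = next(self._ports)
            self._out[(internal, external)] = port
            self._in[(port, external)] = internal
        return {**pkt, "src": self.public_ip, "sport": port}

    def rewrite_inbound(self, pkt: Packet) -> Optional[Packet]:
        external: Endpoint = (pkt["src"], pkt["sport"])
        internal = self._in.get((pkt["dport"], external))
        if internal is None:
            return None                        # unsolicited: no internal host asked for it
        return {**pkt, "dst": internal[0], "dport": internal[1]}


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Packet]:
    """Walk one web request and its reply through the rewriter, plus an unsolicited probe."""
    nat = PacketRewriter("203.0.113.1")        # constructed public address of the firewall
    request = {"src": "10.0.0.7", "sport": 51000, "dst": "198.51.100.9", "dport": 80, "proto": "tcp"}
    on_wire = nat.rewrite_outbound(request)    # what the Internet sees leaving the firewall
    reply = nat.rewrite_inbound({"src": "198.51.100.9", "sport": 80, "dst": "203.0.113.1",
                                 "dport": on_wire["sport"], "proto": "tcp"})
    probe = nat.rewrite_inbound({"src": "198.51.100.9", "sport": 80, "dst": "203.0.113.1",
                                 "dport": 40001, "proto": "tcp"})
    # A second internal host talking to the same server gets its own public port.
    second = nat.rewrite_outbound({"src": "10.0.0.8", "sport": 51000, "dst": "198.51.100.9",
                                   "dport": 80, "proto": "tcp"})
    return on_wire, reply, probe, second


if __name__ == "__main__":
    for label, pkt in zip(("on_wire", "reply", "probe", "second"), demo()):
        print(label, pkt)
```

The two tables are the whole trick: the outside world only ever sees 203.0.113.1, which is also why a single valid address suffices for a whole network of clients. The flip side is that anything the rewriter does not track (fragments, protocols that embed addresses in their payload) needs extra handling before it works through such a firewall.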

Most proxy-based and packet rewriting firewalls are effective only when used together with some way of controlling IP traffic between the internal clients and the servers on the Internet. The two most common hardware configurations for this are the screening router and the dual-homed host. Both provide a place to examine packets travelling in each direction and to filter (or rewrite) them according to the site's security policy, and both sit between the network and the Internet. A screening router is simply a packet filtering router; a dual-homed host is a host with two network interface cards (NICs), one on each network.

The last type of firewall to examine is known as a screen. This is another way of bisecting Ethernet traffic with a pair of interfaces, but in this case the screen has no IP address of its own. It holds a complex set of rules on which it bases the decision whether to forward each packet to its other interface. Having no IP address makes it nearly transparent and highly resilient to attack over the network, since there is nothing to address.

Firewalls are built from different combinations of the building blocks described above. Adding two further concepts yields a large number of alternative architectures to suit almost any situation.

The first is the bastion host. This is the computer that represents an organization's public presence on the Internet: a highly secured machine that is reachable by everyone. It is built and configured from the outset as the most fortified host on the network, because it is also the most exposed. It can be likened to the lobby of a building: anyone can come in and ask questions at the desk, but they are not permitted to take the stairs or the elevators into the rest of the building.

The second is the subnet, or more precisely the screened subnet. This is a group of computers connected to the same wire. They can all talk to one another locally, but every other connection must first pass through a router acting as a screen.

Combining the two, with an exterior router, then the bastion host on its own subnet, then an interior router, gives a perimeter network: the screened subnet architecture. It places all of the machines most likely to be attacked together and adds another degree of separation between them and the rest of the internal network.
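An added example, not from the article, that serves both the packet firewall section above and this screened subnet description: a small first-match packet filter in Python with separate rule sets for the exterior and interior routers, applied to a few constructed packets. All addresses, hosts and rules are assumptions made for the example. It also shows the configuration pitfall mentioned under packet firewalls: one broad allow rule placed too early silently shadows the deny beneath it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the screened-subnet layout; nothing here is from the article.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
PERIMETER = ipaddress.ip_network("192.0.2.0/24")    # the screened subnet between the two routers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # the internal network behind the interior router
BASTION = ipaddress.ip_network("192.0.2.10/32")     # bastion host on the perimeter
MAIL_HUB = ipaddress.ip_network("10.0.0.25/32")     # the one internal host the bastion may relay mail to

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; 0 for icmp

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None         # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Screening-router semantics: the first matching rule wins; unmatched packets are denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Exterior router: the Internet may reach only the bastion, and only on the services it
# publishes; the bastion may reach out; nothing from outside may address the internal net.
EXTERIOR = [
    Rule("allow", INTERNET, BASTION, "tcp", 25),
    Rule("allow", INTERNET, BASTION, "tcp", 80),
    Rule("allow", BASTION, INTERNET),
    Rule("deny", INTERNET, INTERNAL),    # already the default; stated so the intent is visible
]

# Interior router: internal clients may talk to the bastion, the bastion may relay mail to one
# internal host, and a compromised bastion can reach nothing else inside.
INTERIOR = [
    Rule("allow", INTERNAL, BASTION, "tcp"),
    Rule("allow", BASTION, MAIL_HUB, "tcp", 25),
    Rule("deny", PERIMETER, INTERNAL),
]

# The same interior rules with one extra "convenience" rule in the wrong place: since the
# first match wins, the broad allow shadows the deny below it and opens the internal net.
INTERIOR_MISORDERED = [
    Rule("allow", INTERNAL, BASTION, "tcp"),
    Rule("allow", PERIMETER, INTERNAL),  # intended for replies, but it matches everything
    Rule("allow", BASTION, MAIL_HUB, "tcp", 25),
    Rule("deny", PERIMETER, INTERNAL),
]

def zone(addr: str) -> int:
    """0 = Internet, 1 = perimeter (screened subnet), 2 = internal network."""
    ip = ipaddress.ip_address(addr)
    return 2 if ip in INTERNAL else 1 if ip in PERIMETER else 0

def verdict(p: Packet, interior: List[Rule] = INTERIOR) -> str:
    """Run the packet through every router it crosses between its source and destination zones."""
    low, high = sorted((zone(p.src), zone(p.dst)))
    crossed: List[List[Rule]] = []
    if low == 0 and high >= 1:
        crossed.append(EXTERIOR)
    if high == 2 and low < 2:
        crossed.append(interior)
    for rules in crossed:
        if filter_packet(rules, p) == "deny":
            return "deny"
    return "allow"

# Constructed sample packets (TEST-NET addresses stand in for Internet hosts).
SAMPLES = {
    "internet->bastion smtp": Packet("203.0.113.5", "192.0.2.10", "tcp", 25),
    "internet->mail hub smtp": Packet("203.0.113.5", "10.0.0.25", "tcp", 25),
    "bastion->mail hub smtp": Packet("192.0.2.10", "10.0.0.25", "tcp", 25),
    "bastion->desktop ssh": Packet("192.0.2.10", "10.0.0.7", "tcp", 22),
    "desktop->bastion proxy": Packet("10.0.0.7", "192.0.2.10", "tcp", 8080),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} {verdict(pkt)}  (misordered interior: {verdict(pkt, INTERIOR_MISORDERED)})")
```

A real screening router must also admit the return half of each allowed connection (typically with a rule on the TCP ACK bit, or by tracking connection state), which is exactly where rule sets grow hard to reason about; the misordered interior list shows how a rule added for that purpose can open the internal network if it is not written narrowly and placed after the denies. Running the samples against both interior lists is the kind of test the text says is difficult and that a rule set should get before it is deployed.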

https://www.bestitdocuments.com/Samples