FIREWALL CHARACTERISTICS
[BELL94b] lists the following design goals for a firewall:
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this chapter.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this chapter.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and often required in government applications.
[SMIT97] lists four general techniques that firewalls use to control access and enforce the site’s security policy. Originally, firewalls focused primarily on service control, but they have since evolved to provide all four:
• Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
• Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPsec (Chapter 19).
• Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.
Before proceeding to the details of firewall types and configurations, it is best to summarize what one can expect from a firewall. The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability described in Chapter 19, the firewall can be used to implement virtual private networks.
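The following is an added example, not code from the textbook or from any firewall product, that ties together the control techniques above (service control by protocol and port, direction control, a default-deny policy as required by design goal 2) with two of the listed capabilities: the anti-spoofing check at the choke point and the audit trail that makes the firewall a monitoring point. The protected network 10.0.0.0/8, the rule set, and the sample packets are all constructed for illustration; the filter is a toy first-match evaluator, not a description of any specific product.

```python
# Added example (not from the textbook): a toy stateless packet filter showing
# service control (protocol/port), direction control (inbound vs. outbound),
# a default-deny policy, an anti-spoofing check, and an audit log of decisions.
# All addresses, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed protected network; 10.0.0.0/8 is a private range used here as a stand-in.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for protocols without ports
    direction: str        # "inbound" (Internet -> LAN) or "outbound" (LAN -> Internet)


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound", "outbound" or "any"  (direction control)
    proto: str            # protocol name or "any"           (service control)
    dport: Optional[int]  # destination port or None for any (service control)
    action: str           # "allow" or "deny"
    comment: str = ""     # why the rule exists; copied into the audit log

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match rule evaluation with default deny, plus an audit trail."""

    def __init__(self, rules: List[Rule], internal=INTERNAL_NET):
        self.rules = list(rules)
        self.internal = internal
        self.audit: List[str] = []  # the firewall as a monitoring point

    def _spoofed(self, p: Packet) -> bool:
        # An inbound packet must not claim an internal source, and an outbound
        # packet must not claim an external one: the address is on the wrong side.
        src = ip_address(p.src)
        return (src in self.internal) if p.direction == "inbound" else (src not in self.internal)

    def decide(self, p: Packet) -> str:
        if self._spoofed(p):
            verdict, reason = "deny", "anti-spoofing: source address on wrong side of firewall"
        else:
            for r in self.rules:
                if r.matches(p):
                    verdict, reason = r.action, r.comment or "matched rule"
                    break
            else:
                verdict, reason = "deny", "default deny: no rule authorizes this traffic"
        self.audit.append(
            f"{verdict.upper():<5} {p.direction:<8} {p.proto}/{p.dport} "
            f"{p.src} -> {p.dst} ({reason})")
        return verdict


def build_policy() -> Firewall:
    """Constructed site policy: browse out, accept mail in, nothing else."""
    return Firewall([
        Rule("outbound", "tcp", 443, "allow", "local users may browse HTTPS sites"),
        Rule("outbound", "tcp", 80, "allow", "local users may browse HTTP sites"),
        Rule("inbound", "tcp", 25, "allow", "external hosts may deliver mail to our MTA"),
        Rule("inbound", "tcp", 23, "deny", "telnet is explicitly prohibited"),
    ])


def run_demo() -> List[str]:
    """Evaluate constructed sample packets; returns the list of verdicts."""
    fw = build_policy()
    packets = [
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443, "outbound"),  # allowed by rule 1
        Packet("198.51.100.7", "10.0.0.25", "tcp", 25, "inbound"),   # allowed by rule 3
        Packet("198.51.100.7", "10.0.0.25", "tcp", 23, "inbound"),   # denied by rule 4
        Packet("198.51.100.7", "10.0.0.25", "tcp", 443, "inbound"),  # direction control: 443 only outbound
        Packet("10.0.0.9", "10.0.0.25", "tcp", 25, "inbound"),       # spoofed internal source
    ]
    verdicts = [fw.decide(p) for p in packets]
    for line in fw.audit:
        print(line)
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The fourth sample packet is the direction-control case: port 443 is authorized only when a local user initiates the connection outward, so the same service arriving inbound falls through to the default deny. The audit list records every verdict with the rule comment or the reason for the denial, which is the raw material for the alarms and audits mentioned in capability 2.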
Firewalls have their limitations, including the following:
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.