

Protocols

Many installations use circuit-level gateways to place limits on outbound Internet connections. Users connecting to outside services must tell the gateway where they want to go. Two protocols—socks and proxy—are available for this purpose. If socks is used, the destination system’s IP address is used to make the connection. If the proxy protocol is used, the destination’s host name is used. Client applications such as Telnet and World Wide Web browsers need to include support for socks or proxy to pass through a gateway of this type.
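As an added illustration (not from the original chapter) of the difference just described: a SOCKS version 4 CONNECT request carries the destination as a four-byte IP address, so the client must already have resolved the name, while a name-based proxy request carries the host name and leaves resolution to the gateway. The HTTP CONNECT form, the user name and the addresses used are assumptions made for this example.

```python
import socket
import struct

SOCKS4_VERSION = 4
SOCKS4_CMD_CONNECT = 1

def socks4_connect_request(dst_ip, dst_port, userid=""):
    """Build a SOCKS4 CONNECT request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL.
    The client must already hold the destination's IP address."""
    packed_ip = socket.inet_aton(dst_ip)  # raises OSError for anything but a dotted quad
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port, packed_ip)
    return header + userid.encode("ascii") + b"\x00"

def parse_socks4_request(data):
    """Decode a SOCKS4 request the way the gateway does, to learn where the client wants to go."""
    if len(data) < 9 or data[-1] != 0:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port, packed_ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION or cd != SOCKS4_CMD_CONNECT:
        raise ValueError(f"unsupported SOCKS request vn={vn} cd={cd}")
    return {"ip": socket.inet_ntoa(packed_ip), "port": port, "userid": data[8:-1].decode("ascii")}

def proxy_connect_request(dst_host, dst_port):
    """A name-based proxy request (HTTP CONNECT form, assumed here): the gateway resolves the name."""
    return f"CONNECT {dst_host}:{dst_port} HTTP/1.0\r\n\r\n".encode("ascii")

def destination_from_proxy_request(data):
    """Extract (host, port) from the request line, as the proxy would before connecting."""
    method, target, _version = data.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, port = target.rsplit(":", 1)
    return host, int(port)

if __name__ == "__main__":
    req = socks4_connect_request("192.0.2.10", 23, "alice")
    print("SOCKS4 bytes:", req.hex(), "->", parse_socks4_request(req))
    print("proxy request:", proxy_connect_request("www.example.com", 80))
```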

Proxies can provide another level of protection: security through obscurity. A proxy host can act as a gateway between the global Internet and an internal network whose IP address is not registered with the InterNIC and thus does not appear in Internet routing tables. All traffic coming from machines on the internal network would appear to originate from the proxy machine, concealing the structure of the protected network from would-be intruders. There would be no way for an outside intruder to send packets directly to machines on the protected network, because the intruder’s hosts would not be able to route packets to the obscured network (the Internet routers do not “know” about this network). This approach has two important side benefits:

  It allows sites to use existing “illegal” network addresses to avoid time-consuming and costly reconfigurations of hosts or to expand the IP address space available to the organization.
  WWW proxy servers can cache frequently accessed Web pages locally, optimizing the use of Internet connection bandwidth.

Circuit-level gateways can be bypassed by users inside the protected network. If users set up a machine that accepts Telnet calls on a nonstandard port and do not secure their systems properly, an outside caller can gain access to the protected network. To close these security gaps, it may be necessary to place limits on such setups and add other types of protection (e.g., packet filtering or application gateways).

Specialized LAN Gateways

Managers of PC-based local area networks have yet another option for protecting their production networks. Several vendors offer software that allows a network file server to multiplex a single IP network connection among many network clients running a non-IP protocol such as Novell’s IPX (see Exhibit 8-3-7).


Exhibit 8-3-7. Specialized LAN Gateway

All traffic to and from the network clients is encapsulated in LAN protocol packets. An intruder trying to gain access to such a network would be stopped at the server running the gateway software, because the TCP/IP packets would have nowhere to go other than the gateway machine.

FIREWALL MANAGEMENT

Architecting and implementing a firewall is just the beginning of the protective process—ongoing management is key to keeping an organization’s networks safe from intruders.

If the network firewall produces log files, these should be checked daily for evidence of break-in attempts. Event logging should be configured so that important events stand out, making this process less time-consuming and therefore more likely to be followed.
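An added example, not from the original chapter, of making important events stand out in a daily log review: denied connections are grouped by source address so that repeated attempts, or attempts against several different ports, head the report instead of being buried among routine entries. The log line format and the sample entries are constructed for this example; parse_line() is the part to adapt to a real firewall's format.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_LOG = """\
1999-03-02 02:14:07 ALLOW tcp 192.0.2.20:1033 -> 198.51.100.9:80
1999-03-02 02:14:09 DENY tcp 203.0.113.5:4455 -> 192.0.2.20:23
1999-03-02 02:14:10 DENY tcp 203.0.113.5:4456 -> 192.0.2.20:21
1999-03-02 02:14:11 DENY tcp 203.0.113.5:4457 -> 192.0.2.20:25
1999-03-02 02:14:12 DENY tcp 203.0.113.5:4458 -> 192.0.2.21:23
1999-03-02 03:01:44 DENY udp 198.51.100.77:53 -> 192.0.2.20:53
"""

def parse_line(line):
    """Fields of one constructed-format line ("<date> <time> ACTION proto src:port -> dst:port"), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize_denials(log_text):
    """Group DENY events by source address: count, distinct destination ports, first and last time."""
    by_src = defaultdict(lambda: {"count": 0, "dports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        s = by_src[rec["src"]]
        s["count"] += 1
        s["dports"].add(rec["dport"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(by_src)

def events_needing_attention(summary, min_count=3):
    """Sources with repeated denials, or denials against several distinct ports, head the report."""
    flagged = [src for src, s in summary.items() if s["count"] >= min_count or len(s["dports"]) >= 3]
    return sorted(flagged, key=lambda src: summary[src]["count"], reverse=True)

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for src in events_needing_attention(summary):
        s = summary[src]
        print(f"ATTENTION {src}: {s['count']} denied, ports {sorted(s['dports'])}, {s['first']} .. {s['last']}")
```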

Log files should be kept online for a period of time to allow analysis of trends. Old logs should be moved to a secure system.

It is important to remember to include the firewall machines in the enterprise backup strategy. Regular backups should be made of all essential programs and data files. Files on the gateway machine should be checked for unauthorized modifications periodically.
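An added example (not part of the original chapter) of checking the gateway's files for unauthorized modification: a digest baseline of the essential files is taken once and later snapshots are compared against it, reporting exactly which files changed, disappeared or appeared. The file names and contents in the demonstration are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile

def fingerprint_file(path):
    """Record what should never change silently: content digest, size, permission bits, owner."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_baseline(paths):
    """Snapshot the listed files. Keep the result off the gateway (read-only media or another host),
    since a baseline stored on the machine being checked can be altered along with the files."""
    return {p: fingerprint_file(p) for p in paths if os.path.isfile(p)}

def compare_baselines(baseline, current):
    """Classify paths as modified, missing or new; unchanged files are not reported."""
    report = {"modified": [], "missing": [], "new": sorted(set(current) - set(baseline))}
    for path, old in sorted(baseline.items()):
        now = current.get(path)
        if now is None:
            report["missing"].append(path)
        elif now != old:
            report["modified"].append(path)
    return report

if __name__ == "__main__":
    # Constructed demonstration: take a baseline, alter one file, add another, then re-check.
    with tempfile.TemporaryDirectory() as root:
        cfg, daemon = os.path.join(root, "inetd.conf"), os.path.join(root, "telnetd")
        for p in (cfg, daemon):
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        baseline = build_baseline([cfg, daemon])
        with open(daemon, "ab") as f:
            f.write(b"appended bytes")  # both size and digest now differ from the baseline
        extra = os.path.join(root, "unexpected")
        open(extra, "wb").close()
        print(json.dumps(compare_baselines(baseline, build_baseline([cfg, daemon, extra])), indent=2))
```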

LIMITATIONS OF FIREWALLS

Although there is no such thing as perfect security, a properly designed and constructed firewall will discourage the casual hacker and alert the network manager to many attacks that would otherwise go unnoticed. Nonetheless, against a determined and highly motivated opponent the firewall may be only the first level of defense. Mission-critical and proprietary systems should be protected with additional types of security measures, such as passwords, even if a firewall is installed.

Firewalls are meant to protect against intrusions from outside the protected network. Their ability to safeguard against proprietary information leaving the protected network as a result of an inside job is limited. Although it is possible to make it difficult to use FTP to send information to an outside host, users with physical access to hosts have many other options (e.g., disk or tape) for the theft of information.

SUMMARY

In addition to the techniques described in this chapter, up-to-date information is an important tool in the continuing task of making enterprise networks secure. The firewall administrator’s bible is Firewalls and Internet Security by William R. Cheswick and Steven M. Bellovin (Reading MA: Addison-Wesley, 1994). Anyone responsible for network security should make this book part of their reading list.

Several Internet-based resources are available to help network managers keep apprised of the latest security data. Usenet groups such as comp.security.*, alt.security, and comp.risks contain discussions of security problems and solutions.

The Firewalls Mailing List is an electronic mail-based discussion of technical issues relating to firewalls. To subscribe, network managers can send an E-mail message with a blank subject line and a single body line of “subscribe firewalls” to the address majordomo@greatcircle.com.

Another resource is the Computer Emergency Response Team (CERT), which serves as a clearinghouse for security information in the Internet community. CERT’s anonymous FTP site, ftp.cert.org, contains a wealth of technical tools, tips, and advisories.


Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.