Protocols

Many installations use circuit-level gateways to place limits on outbound Internet connections. Users connecting to outside services must tell the gateway where they want to go. Two protocols, socks and proxy, are available for this purpose. If socks is used, the destination system's IP address is used to make the connection. If the proxy protocol is used, the destination's host name is used. Client applications such as Telnet and World Wide Web browsers need to include support for socks or proxy to pass through a gateway of this type.

Proxies can provide another level of protection: security through obscurity. A proxy host can act as a gateway between the global Internet and an internal network with an IP address that is not registered with the InterNIC and thus does not appear in Internet routing tables. All traffic coming from machines on the internal network would appear to originate from the proxy machine, concealing the structure of the protected network from would-be intruders. There would be no way for an outside intruder to send packets directly to machines on the protected network, because their hosts would not be able to route packets to the obscured network (the Internet routers do not know about this network). This approach has two important side benefits:
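The difference between the two gateway protocols is visible on the wire. The following is an added example, not code from the chapter: it builds a SOCKS4 CONNECT request (which carries only a resolved 4-byte IP address) and an HTTP CONNECT request (which carries the host name), and parses the gateway's SOCKS4 reply. The addresses, user name and reply bytes are constructed.

```python
import socket
import struct

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 90  # reply codes: 90 granted, 91 rejected/failed, 92/93 identd problems


def socks4_connect_request(dest_ip, dest_port, userid=""):
    """Build a SOCKS4 CONNECT request: VN, CD, DSTPORT, DSTIP, USERID, NUL.

    The destination travels as a raw 4-byte IPv4 address, so the client has
    already resolved the name itself; the gateway only ever sees an address.
    """
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT,
                         dest_port, socket.inet_aton(dest_ip))
    return header + userid.encode("ascii") + b"\x00"


def parse_socks4_reply(reply):
    """Parse the fixed 8-byte SOCKS4 reply (VN is always 0 in a reply)."""
    if len(reply) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", reply[:8])
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version %d" % vn)
    return {"granted": cd == SOCKS4_GRANTED, "code": cd,
            "port": port, "ip": socket.inet_ntoa(ip)}


def http_connect_request(dest_host, dest_port):
    """Build the request a host-name-based (HTTP CONNECT) proxy expects.

    The destination is sent as a name, so the gateway resolves it and can
    apply and log policy by host name instead of by address.
    """
    line = "CONNECT %s:%d HTTP/1.0\r\n" % (dest_host, dest_port)
    return (line + "Host: %s:%d\r\n\r\n" % (dest_host, dest_port)).encode("ascii")


if __name__ == "__main__":
    # Constructed exchange: a Telnet connection to 192.0.2.10 through a
    # SOCKS gateway, with a constructed "granted" reply from the gateway.
    print(socks4_connect_request("192.0.2.10", 23, "alice").hex())
    print(parse_socks4_reply(b"\x00\x5a\x00\x17\xc0\x00\x02\x0a"))
    print(http_connect_request("www.example.com", 80).decode())
```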
Circuit-level gateways can be bypassed by users inside the protected network. If users set up a machine that accepts Telnet calls on a nonstandard port and do not secure their systems properly, an outside caller can gain access to the protected network. To close these security gaps, it may be necessary to place limits on such setups and add other types of protection (e.g., packet filtering or application gateways).

Specialized LAN Gateways

Managers of PC-based local area networks have yet another option for protecting their production networks. Several vendors offer software that allows a network file server to multiplex a single IP network connection among many network clients running a non-IP protocol such as Novell's IPX (see Exhibit 8-3-7).
All traffic to and from the network clients is encapsulated in LAN protocol packets. An intruder trying to gain access to such a network would be stopped at the server running the gateway software, because the TCP/IP packets would have nowhere to go other than the gateway machine.

FIREWALL MANAGEMENT

Architecting and implementing a firewall is just the beginning of the protective process; ongoing management is key to keeping an organization's networks safe from intruders. If the network firewall produces log files, these should be checked daily for evidence of break-in attempts. Event logging should be configured so that important events stand out, making this process less time-consuming and therefore more likely to be followed. Log files should be kept online for a period of time to allow analysis of trends. Old logs should be moved to a secure system. It is important to include the firewall machines in the enterprise backup strategy: regular backups should be made of all essential programs and data files. Files on the gateway machine should be checked periodically for unauthorized modifications.

LIMITATIONS OF FIREWALLS

Although there is no such thing as perfect security, a properly designed and constructed firewall will discourage the casual hacker and alert the network manager to many attacks that would otherwise go unnoticed. Nonetheless, against a determined and highly motivated opponent a firewall may be only the first level of defense. Mission-critical and proprietary systems should be protected with additional types of security measures, such as passwords, even if a firewall is installed. Firewalls are meant to protect against intrusions from outside the protected network. The ability to use network firewalls as a safeguard against proprietary information leaving the protected network as a result of an inside job is limited.
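The daily log review recommended under Firewall Management can be made to make "important events stand out" with a small script. The following is an added example, not from the chapter: it reads a constructed log format (timestamp, action, protocol, source, destination), groups denied inbound attempts by outside source to surface probing, and flags accepted inbound connections to internal hosts on ports the gateway is not meant to expose, the nonstandard-port Telnet bypass described earlier. The address ranges, expected port set and log lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (not any real firewall's):
#   <date> <time> ACCEPT|DENY tcp|udp <src ip>:<port> -> <dst ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) (?P<proto>tcp|udp) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$")

# Services the gateway is meant to expose inbound (assumed for this example).
EXPECTED_INBOUND_PORTS = {25, 80}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def review_log(lines, internal_net, scan_threshold=3):
    """Summarise inbound traffic: probing sources and nonstandard accepts."""
    net = ipaddress.ip_network(internal_net)
    denied = defaultdict(set)  # outside source -> set of (dst ip, dst port)
    nonstandard = []           # accepted inbound to an unexpected port
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src_inside = ipaddress.ip_address(rec["sip"]) in net
        dst_inside = ipaddress.ip_address(rec["dip"]) in net
        if src_inside or not dst_inside:
            continue  # only outside -> inside traffic matters here
        if rec["action"] == "DENY":
            denied[rec["sip"]].add((rec["dip"], rec["dport"]))
        elif rec["dport"] not in EXPECTED_INBOUND_PORTS:
            nonstandard.append((rec["ts"], rec["sip"], rec["dip"], rec["dport"]))
    probes = {s: len(t) for s, t in denied.items() if len(t) >= scan_threshold}
    return {"probing_sources": probes, "nonstandard_accepts": nonstandard}


SAMPLE_LOG = [  # constructed sample, not real traffic
    "1996-05-14 02:13:07 DENY tcp 203.0.113.5:41023 -> 192.0.2.1:23",
    "1996-05-14 02:13:08 DENY tcp 203.0.113.5:41024 -> 192.0.2.1:21",
    "1996-05-14 02:13:09 DENY tcp 203.0.113.5:41025 -> 192.0.2.2:23",
    "1996-05-14 02:13:10 DENY tcp 203.0.113.5:41026 -> 192.0.2.2:111",
    "1996-05-14 08:00:01 ACCEPT tcp 198.51.100.7:3301 -> 192.0.2.1:25",
    "1996-05-14 09:15:42 ACCEPT tcp 198.51.100.9:4410 -> 192.0.2.44:2323",
    "1996-05-14 09:20:00 ACCEPT tcp 192.0.2.44:1200 -> 198.51.100.9:80",
    "1996-05-14 09:21:00 DENY udp 198.51.100.3:53 -> 192.0.2.1:53",
]

if __name__ == "__main__":
    print(review_log(SAMPLE_LOG, "192.0.2.0/24"))
```

The single denied DNS packet stays below the threshold and is not reported; the four-port sweep from one source and the accepted connection to port 2323 on an internal host are.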
Although it is possible to make it difficult to use FTP to send information to an outside host, users with physical access to hosts have many other options (e.g., disk or tape) for the theft of information.

SUMMARY

In addition to the techniques described in this chapter, up-to-date information is an important tool in the continuing task of making enterprise networks secure. The firewall administrator's bible is Firewalls and Internet Security by William R. Cheswick and Steven M. Bellovin (Reading, MA: Addison-Wesley, 1994). Anyone responsible for network security should make this book part of their reading list. Several Internet-based resources are available to help network managers keep apprised of the latest security data. Usenet groups such as comp.security.*, alt.security, and comp.risks contain discussions of security problems and solutions. The Firewalls Mailing List is an electronic mail-based discussion of technical issues relating to firewalls. To subscribe, network managers can send an e-mail message with a blank subject line and a single body line of "subscribe firewalls" to the address majordomo@greatcircle.com. Another resource is the Computer Emergency Response Team (CERT), which serves as a clearinghouse for security information in the Internet community. CERT's anonymous FTP site, ftp.cert.org, contains a wealth of technical tools, tips, and advisories.
Use of this site is subject to certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Please read our privacy policy for details.