8-3
Network Firewalls

AL BERG

In this age of global networking, many of the problems associated with providing global access to an organization’s data and systems have been solved. Today’s network managers must meet the challenge of limiting access to their organization’s information systems to authorized users and uses. By properly deploying network firewalls, network managers can protect their network from intruders and monitor attempts to breach network security. Network managers can also use firewalls to limit outward access from their organization’s networks to the global Internet.

WHAT IS A NETWORK FIREWALL?

Simply speaking, a network firewall is a system that controls access to a protected network. Although firewalls are used by organizations wishing to connect their internal networks to the global Internet without compromising the security of proprietary systems and data, they are also used within organizations to “compartmentalize” sensitive information and programs by limiting access to authorized users.

The most effective firewall possible is a “moat” — that is, no connections are allowed between the organization’s networks and the outside world (see Exhibit 8-3-1). In many cases, the demands for both inbound and outbound connections between business users’ workstations and other networks make this level of security impossible. If cutting users off from the outside world is not a feasible option, some other type of protection is needed.


Exhibit 8-3-1.  A Moat

WHERE TO INSTALL A FIREWALL SYSTEM ON THE NETWORK?

Once an internal network is connected to the outside world through a network firewall, the network can be divided into several sections (shown in Exhibit 8-3-2), including:

  The outside world (in most cases, the global Internet). The outside world represents the untrusted network. Packets coming from this network can contain anything from legitimate requests for service to the probes of either a hacker or a corporate spy.
  A public segment (optionally) on which machines offering services to the outside world reside. Examples of services that may be found on a public network include mail servers and information servers such as Gopher, World Wide Web, and anonymous FTP (file transfer protocol) services.
  The home network (also known as the trusted network). Because the organization has control over the devices and users attached to this network, packets on this network can be assumed to be coming from a known user. Of course, the home network can be subject to attack and intrusion, so other types of security must be used to maintain its trusted status.
  One or more internal nontrusted networks. For example, if the network that must be protected services the organization’s human resources department, network security policies may restrict access to that network from other departmental LANs. A firewall can be used to shield the human resources network (i.e., the home or trusted network) from the other networks in the organization.


Exhibit 8-3-2.  Zones of Trust

If a firewall system is composed of a host computer running specialized software, that system is referred to as a bastion host. Some firewall implementations use the filtering capabilities of routers; if this approach is used, the router used for protection is known as the firewall router.

FIREWALL PHILOSOPHIES

There are two basic approaches to the design of a network firewall:

  Allow everything to pass through the firewall except for specified packets as determined by the designers.
  Allow nothing to pass through the firewall except specified packets as determined by the designers.

In the first approach, the firewall designer makes specific decisions about which types of packets are to be blocked from entering or leaving the protected network; everything else passes. This approach is dangerous and not recommended for several reasons. Many types of packets and seemingly innocuous services, such as E-mail, can harbor bugs or back doors that allow an unscrupulous hacker to gain network entry. Another disadvantage of this approach is that any new service added to the network will be accessible to the outside world unless a deliberate effort is made to block access.

The second approach—allowing nothing to pass except for specified packets—is more secure than the first, because the network administrator makes affirmative decisions to allow particular types of packets to enter or leave the protected networks. If a new service is added to the network without updating the firewall, that service is not available to the outside world. This approach is the generally accepted standard for all types of network firewalls discussed in this chapter.

TYPES OF AVAILABLE FIREWALLS

Network firewalls can be implemented in any of the following ways:

  Packet filtering gateways protect the network by examining packets as they are presented and deciding whether to pass them on to the protected network.
  Application gateways use specifically written software to handle requests for a particular network service (e.g., FTP or SMTP E-mail). The programs examine inbound and outbound requests, then answer them or block them, and can be configured to keep log files of any problems encountered.
  Circuit-level gateways, which are generally used to place controls on outbound network connections, are implemented as programs that accept requests to set up a network connection to a remote resource, then set up the connection, enforce rules (e.g., time limits), and log the transaction.
  Specialized LAN gateways use the architecture and protocols employed by certain LAN software to provide a shield for network services and traffic.
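The following is an added example, not code from the chapter: a minimal packet filtering gateway for the zones of Exhibit 8-3-2 (outside world, public segment, home network) that contrasts the two firewall philosophies above. The zone names, port numbers, rule set, and the "forgotten" new service are constructed for illustration; it shows why a service added without a firewall update stays exposed under the first philosophy and stays blocked under the second.

```python
# Added example (not from the chapter): a tiny packet-filter rule evaluator
# for the zones of Exhibit 8-3-2, contrasting the two firewall philosophies.
# Zone names, ports, and sample packets are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str   # "outside", "public" (the public segment) or "home"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int   # 0 means any destination port
    action: str     # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone and self.dst_zone == p.dst_zone
                and self.proto == p.proto and self.dst_port in (0, p.dst_port))

# Services the organization has deliberately published on the public segment,
# plus outbound access from the trusted home network (constructed rule set).
PUBLISHED = [
    Rule("outside", "public", "tcp", 25, "allow"),   # SMTP mail server
    Rule("outside", "public", "tcp", 80, "allow"),   # World Wide Web
    Rule("outside", "public", "tcp", 21, "allow"),   # anonymous FTP
    Rule("home", "outside", "tcp", 0, "allow"),      # workstations going out
]

def decide(rules, packet, default):
    """First matching rule wins; if nothing matches, the default applies."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return default

def allow_everything_except(packet):
    # Philosophy 1: block only what the designers thought of (outside -> home).
    denies = [Rule("outside", "home", "tcp", 0, "deny"),
              Rule("outside", "home", "udp", 0, "deny")]
    return decide(denies, packet, default="allow")

def allow_nothing_except(packet):
    # Philosophy 2: pass only what is explicitly published; drop the rest.
    return decide(PUBLISHED, packet, default="deny")
```

A packet from the outside world to a newly installed service on the public segment (say TCP port 8080, not in the rule set) returns "allow" under the first philosophy and "deny" under the second, which is the difference the text describes.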

