TCP/IP Review

Understanding TCP/IP is helpful in understanding firewalls. Under the TCP/IP protocols, computers communicate by exchanging messages called packets. Every IP packet carries a source and a destination Internet Protocol (IP) address; when the packet carries a TCP segment (or a UDP datagram) it also carries a source and a destination port number.

An IP address uniquely identifies a particular device and is assigned to that machine by a network administrator. An institution has typically been granted exclusive use of a set (range) of IP addresses for assignment to machines within the institution and has designated an individual or group to administer those addresses. Because the institution's range is known, traffic originating inside the site can be distinguished from traffic originating outside it by source address alone.

A TCP port identifies a particular process (program) on a computer. The source port number in a packet identifies the process that sent it, while the destination port number identifies the process for which it is intended. Although port numbers can be chosen arbitrarily by general application programs, there is a reserved set of well-known port numbers whose assignments are standardized by the Internet Engineering Task Force (IETF) and recorded in the request for comments (RFC) series. These port numbers are associated with network service processes such as telnet, FTP, sendmail, and name service. On Unix systems only a process running with super-user (root) privileges may bind to one of these ports, so the servers behind them run as root; a flaw in any one of them can therefore hand an attacker control of the whole machine, which is why these services (and their ports) are the usual targets of security-violating attack. Because the port numbers are standardized, traffic to these service ports can be told apart from less dangerous traffic and filtered. The client side of a service needs no privileged port; it uses an arbitrary port above the reserved range. Some examples of well-known port/process associations are listed in Exhibit 8-1-4. In general, the standardized, privileged service ports lie in the range 0-1023, with notable exceptions being 2049 (NFS) and the 6000+ range (X Windows).
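The following packet-filter simulator is an added example, not code from the original article, and it models the two checks this review leads up to: telling inside from outside by address range, and filtering on well-known destination ports. It uses the inside network 131.247.1.0/24 from the article's spoofing illustration, and it also applies that illustration's ingress anti-spoofing rule (an inside source address arriving on the Internet-facing interface is dropped). The decision to expose only SMTP to the Internet, the X11 port bound of 6000-6063, and every sample packet are constructed assumptions for the example.

```python
"""Toy stateless router packet filter (added example, not from the article).

Rules, in order:
  1. Anti-spoofing: a packet on the Internet-facing ("outside") interface
     must not carry an inside source address.
  2. Mirror check (assumption, beyond the article): a packet leaving the site
     must carry an inside source address.
  3. Inbound connections to privileged service ports are dropped unless the
     site deliberately exposes that service.
Everything else (outbound client traffic and replies to ports >= 1024) passes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# The site's address range (the network used in the article's spoofing example).
INSIDE_NET = IPv4Network("131.247.1.0/24")

# Service ports the article singles out, with their assigned numbers.
NFS_PORT = 2049
X11_PORTS = range(6000, 6064)   # X displays :0 to :63 (assumed bound)

# Assumption: the site exposes only its mail relay (sendmail, port 25).
ALLOWED_INBOUND = {25}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    iface: str   # "outside" = link to the Internet, "inside" = link to the LAN


def is_service_port(port: int) -> bool:
    """Privileged/well-known service ports as the review describes them:
    0-1023 (root is needed to bind them on Unix) plus the NFS and X11 exceptions."""
    return port < 1024 or port == NFS_PORT or port in X11_PORTS


def filter_packet(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one packet; verdict is 'accept' or 'drop'."""
    src_inside = pkt.src in INSIDE_NET
    dst_inside = pkt.dst in INSIDE_NET

    if pkt.iface == "outside" and src_inside:
        return ("drop", "spoofed: inside source address arrived on outside interface")
    if pkt.iface == "inside" and not src_inside:
        return ("drop", "non-local source address leaving the site")
    if pkt.iface == "outside" and dst_inside and is_service_port(pkt.dport):
        if pkt.dport in ALLOWED_INBOUND:
            return ("accept", f"exposed service port {pkt.dport}")
        return ("drop", f"inbound to privileged service port {pkt.dport}")
    return ("accept", "default: client traffic or reply to an unprivileged port")


def check(src: str, dst: str, sport: int, dport: int, iface: str) -> str:
    """Convenience wrapper taking dotted-quad strings; returns just the verdict."""
    pkt = Packet(IPv4Address(src), IPv4Address(dst), sport, dport, iface)
    return filter_packet(pkt)[0]


if __name__ == "__main__":
    # Constructed sample traffic; 192.0.2.7 stands in for an Internet host.
    samples = [
        ("131.247.1.2", "131.247.1.10", 40000, 80, "outside"),   # spoofed
        ("192.0.2.7", "131.247.1.10", 51000, 23, "outside"),     # inbound telnet
        ("192.0.2.7", "131.247.1.5", 51000, 25, "outside"),      # inbound SMTP
        ("131.247.1.10", "192.0.2.7", 40000, 23, "inside"),      # outbound telnet
        ("192.0.2.7", "131.247.1.10", 80, 40000, "outside"),     # reply to a client
        ("192.0.2.7", "131.247.1.10", 51000, 6000, "outside"),   # inbound X11
    ]
    for s in samples:
        pkt = Packet(IPv4Address(s[0]), IPv4Address(s[1]), s[2], s[3], s[4])
        verdict, reason = filter_packet(pkt)
        print(f"{s[4]:7s} {s[0]}:{s[2]} -> {s[1]}:{s[3]}  {verdict:6s} ({reason})")
```

Note the weakness this kind of filter shares with the router access lists of the period: it is stateless, so it lets an outside packet through to any inside port above 1023 regardless of whether an inside client actually opened that connection. An attacker who sets a well-known source port such as 20 (FTP data) and an unprivileged destination port passes the default rule; closing that hole is what connection-state tracking in later firewalls provides.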
Networks are typically connected to the Internet through a single point, usually a router, which is then the only link between the site and the Internet. Most router software allows access control (an access list) based on IP addresses and TCP ports. Knowledge of the site's exclusive IP address range and of the well-known TCP ports can therefore be used to provide network security (a firewall) by filtering packet traffic at the router accordingly.

Most newer routers can also be configured to defend against IP spoofing, in which a computer outside the site sends packets claiming a local source address. For example, if network 131.247.1.0 (subnet mask 255.255.255.0) is inside the site and the router receives, on its Internet-facing interface, a packet claiming to originate from address 131.247.1.2, a router configured with such a check recognizes that no inside address can legitimately arrive from outside and discards the packet. This is a configured rule rather than automatic behavior: the router must be told which address ranges are inside. IP spoofing has been the subject of serious concern at the Computer Emergency Response Team (CERT) because many firewall implementations trust a packet purely on the strength of its source address.

Degrees of Connectivity

As with the other forms of connectivity described, the goal is to minimize the threat while retaining some usability.

Outside Internet Service Provider

The simplest way to secure a LAN is not to connect it to any outside network, particularly the Internet (see Exhibit 8-1-5). A user who wishes to use an Internet resource instead connects through a modem from his or her local PC to an Internet Service Provider (ISP). The downsides of this sort of connection are that it is typically temporary, limited, and slow. Current modem technology limits the user to a 28.8K bps (uncompressed) connection over an analog phone line; at this speed most Internet applications are unbearably slow, particularly those that use a lot of graphics. The connection to the ISP can also be costly. Note, too, that the PC that dials out is itself exposed to the Internet for the duration of the call; if that same PC is also attached to the LAN, the LAN's isolation is only nominal while the modem connection is up.
Move the ISP Inside

Alternatively, the preceding scenario can be changed so that the company becomes its own Internet service provider (see Exhibit 8-1-6). This is done by bringing an Internet connection onto the premises without joining it to the LAN. Users then reach the Internet-connected system through the internal phone system (or some similar path that does not traverse the LAN), and the LAN remains reasonably secure because no packet can be routed between the Internet and the LAN.
Use of this site is subject to certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Please read our privacy policy for details.