Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!decwrl!pa.dec.com!decuac!hussar.dco.dec.com!mjr
From: mjr@hussar.dco.dec.com (Marcus J. "will do TCP/IP for food" Ranum)
Subject: Terminology for firewalls (was Re: Firewall usage)
Message-ID: <1992Jul26.211639.29453@decuac.dec.com>
Sender: news@decuac.dec.com (USENET News System)
Nntp-Posting-Host: hussar.dco.dec.com
Organization: Digital Equipment Corporation, Washington ULTRIX Resource Center
References: <1992Jul23.164314.4722@spdcc.com> <1992Jul24.045748.11266@decuac.dec.com> <1992Jul26.100825.13071@magnus.acs.ohio-state.edu>
Date: Sun, 26 Jul 1992 21:16:39 GMT
Lines: 69

kbridge@magnus.acs.ohio-state.edu (Doug Karl) writes:
>Folks, I have recently released for anonymous ftp an IP, DECNET, AppleTalk,
>etc. firewall. It is in the form of a bridge similar to PCBRIDGE called
>KarlBridge.

I don't want to start a war, but I'd like to propose that we try to agree on some terminology. What exactly is a "firewall"? I believe that a firewall addresses more than just routing and IP connectivity. These are my rough definitions:

Simple gateway - a node which is reachable on two networks, but has routing disabled, making it a termination point on both. This is typically a host with TCP/IP forwarding disabled.

Screening router - a router that can contain some degree of logic to perform host or service-based access control. Screening routers include some commercial routers, as well as host-based routers with screening services. (E.g.: KarlBridge, ULTRIX nodes with screend)

Screened network - a private network that is connected to an untrusted network via a screening router. It is important to note that a screened network is a matter of degree, and that in order to work a screened network must share routes with the untrusted network.

Screened subnet - a subnet which sits between a private network and an untrusted network, with a screening router mediating access between them. In some configurations, screened subnets are configured such that routes are not given between the private network and the untrusted network. Often a simple gateway node is installed on the screened subnet, to act as a network access point.

Trusted application gateway - a software gateway for a given application, such as a telnet "forwarder", or relay. Sendmail (or at least some versions) is a trusted application gateway.

Firewall - a combination of a security policy with some of the components above. Specifically, an implementation of the given policy that is enforced by a combination of screening and/or routing.

I like to think of access (routing and connectivity) in terms of:

Direct - routes and traffic are shared between the private network and the untrusted network.

Indirect - routes and traffic are passed through some kind of controlling mechanism that prevents routes from being shown between the private and untrusted networks, and prevents traffic from passing directly between the two networks. Communication is accomplished by trusted application gateways.

In other words, in my terminology, a firewall may be made by using KarlBridge and some policy to build a screened network or screened subnet. By itself, KarlBridge does not a firewall make; it is a very useful building block.

Note that many of the components above can be combined, and I believe that my terminology retains its clarity in such a case. The kind of firewall I run can be deemed a "screened subnet with a simple gateway, hosting a suite of trusted application gateways with indirect access".

This is not to imply that any one technique is better or worse, but it's difficult when someone says "I am sheltered by a firewall" to know if it's a relatively trivial firewall such as a screened network with fairly wide access for telnet and mail, or if it's something much more complex, like the AT&T or Digital corporate gateways.

Comments??

mjr.

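Added example, not part of the post above: a screening-router decision function that encodes the "screened subnet with a simple gateway and indirect access" configuration the post describes. The private network, screened subnet, gateway address and relayed services below are constructed placeholders (RFC 1918 and RFC 5737 ranges), not values from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example (not from the post).
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")        # the private network
SCREENED_SUBNET = ipaddress.ip_network("192.0.2.0/24")  # subnet between private and untrusted
GATEWAY = ipaddress.ip_address("192.0.2.10")            # simple gateway on the screened subnet
# Services for which a trusted application gateway on GATEWAY relays untrusted-side traffic.
RELAYED_SERVICES = {25: "smtp", 23: "telnet"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Classify an address as private, screened (the subnet) or untrusted."""
    ip = ipaddress.ip_address(addr)
    if ip in PRIVATE_NET:
        return "private"
    if ip in SCREENED_SUBNET:
        return "screened"
    return "untrusted"


def screen(pkt: Packet) -> tuple:
    """Screening-router verdict (allowed, reason) for indirect access: nothing passes
    directly between private and untrusted; all crossing traffic terminates on GATEWAY."""
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Indirect access: the router never forwards private <-> untrusted traffic itself.
    if {src_zone, dst_zone} == {"private", "untrusted"}:
        return False, "direct private<->untrusted traffic denied"
    # Only the gateway host on the screened subnet may talk to either side.
    if (src_zone == "screened" and src_ip != GATEWAY) or (dst_zone == "screened" and dst_ip != GATEWAY):
        return False, "only the gateway host may speak across the screened subnet"
    # Service-based screening: the untrusted side reaches only the relayed services.
    if src_zone == "untrusted" and dst_ip == GATEWAY:
        if pkt.dport in RELAYED_SERVICES:
            return True, "untrusted -> gateway %s relay" % RELAYED_SERVICES[pkt.dport]
        return False, "port %d is not relayed by an application gateway" % pkt.dport
    if src_zone == "private" and dst_ip == GATEWAY:
        return True, "private -> gateway"
    if src_ip == GATEWAY:
        return True, "gateway -> %s" % dst_zone
    return False, "no matching rule"
```

Traffic that does not touch the gateway is denied, so adding a new service means adding an application gateway on the bastion host, not a router rule between the two networks.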