
Firewalls


What is a Network firewall?

A firewall is a router, computer or other communications device that filters access to a protected network which would otherwise be open to unauthorised interference or tampering, whether accidental or malicious. It protects a company's network from unwarranted intrusion while still allowing the company's users access to Internet services such as email. Many firewalls contain features to control and authenticate those who access the system from the Internet. They may also be used to protect sensitive data or processes from interference from within the organisation.

A firewall need not be a hardware or software device; it can also be a set of rules and procedures laid down within the organisation. In that broad sense, anything that guards against interference with an organisation's data on a network can be termed a firewall.

In summary, a firewall is a system or group of systems (procedural or technical) that enforces an access control policy between two networks. Every firewall rests on a pair of mechanisms: one that blocks traffic and one that permits it. Which of the two applies by default matters a great deal: a policy that permits everything not explicitly blocked is far weaker than one that blocks everything not explicitly permitted.

Need for a firewall

A firewall's purpose is to keep intruders out of your network while still letting you continue with your day-to-day activities. Frequently, the hardest part of connecting a large company to the Internet is not justifying the expense or effort, but convincing management that the organisation's computer systems and the data they hold are secure from unwanted intruders. An effective firewall lets an organisation take up the benefits of the Internet with a security policy in place.

If your Web server and Internet access systems are not connected to your local network, you may not need the additional protection of a firewall. If your systems hold company-confidential information, simple password restrictions may not be enough. Any computer system that is directly or indirectly reachable from the public telephone network or the Internet is reachable by an attacker.

Useful factors in assessing the risk

The following factors should be kept in mind when assessing the true level of risk involved:

  • The number of systems at the site
  • How interconnected the site is to the Internet
  • What services are provided
  • How well known the site is generally
  • The level of competence of the staff
  • The hours of operation - is the system turned off at night?
  • The level of technical staff turnover in the Data Processing division
  • The level of usage
  • The number of users
  • The present access control policy in use

A cost and benefit analysis must also be carried out once the level of risk has been identified. There is no limit to the amount of security a network may have, but it must be weighed against the benefit obtained. Can the organisation continue without its network running? If not, how much will it cost to implement an access control policy that comes close to guaranteeing that security?

Basic types of firewalls

1. Network Level
A Network Level firewall bases its decisions on the source and destination addresses and ports of individual IP packets. A simple router is the "traditional" network level firewall: it looks at each packet in isolation, so it cannot make sophisticated decisions about what a packet is actually talking to or where it really came from.

2. Application Level
Application Level firewalls are generally hosts running proxy servers, which permit no traffic directly between the networks and which perform elaborate logging and auditing of the traffic passing through them.

Setting up a firewall

A firewall's primary task is to keep unwanted users out of identified areas. The three methods discussed here for achieving this are packet filtering, proxy servers, and a combination of both.

1. Packet Filter Firewalls
A Packet Filter firewall involves placing a screening router between your internal network and the Internet, with one connection to each. Security on such a system takes the form of an elaborate table of filtering rules specifying which packets should be passed through to the other side of the router and which dropped. It is difficult to write a correct rule table: the rules are evaluated in order, so a mistake in ordering, a missing check on which interface a packet arrived on, or the absence of a final "deny everything else" rule leaves holes in your security. This is not a recommended approach on its own unless you are a very experienced system administrator. Screening routers also cannot provide proxies or user authentication.
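The following Python program is an added example, not code from the page or from any product it mentions. It models the screening table of a packet-filtering router as an ordered list of rules with first-match semantics and a default deny, then runs a handful of constructed packets (documentation address ranges, not real traffic) through a careful table and a careless one, to show how a table that trusts source addresses without checking the arrival interface lets a forged packet through. The names Packet, Rule and screen, the address ranges and the sample packets are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the example (RFC 5737 documentation ranges),
# not taken from the page.
INTERNAL_NET = ip_network("192.0.2.0/24")   # the protected internal network
MAIL_SERVER = ip_network("192.0.2.25/32")   # internal host allowed to receive SMTP
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" (Internet) or "int"
    proto: str            # "tcp" or "udp"
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    ack: bool = False     # TCP ACK flag: set on every segment after the opening SYN


@dataclass(frozen=True)
class Rule:
    """One row of the screening table. A field left at its default matches anything."""
    action: str           # "allow" or "deny"
    note: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and p.src in self.src
                and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


def screen(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny: no rule matched"


# The intended policy: inbound mail to one host, replies to connections opened
# from inside, and anything originating inside. Order matters: the anti-spoofing
# deny must come before any rule that trusts an internal source address.
# (The ACK rule is the classic stateless approximation of "established"; it is
# itself a known weakness, since anyone can send a packet with ACK set.)
RULES = [
    Rule("deny",  "anti-spoofing: internal source address arriving from the Internet",
         iface="ext", src=INTERNAL_NET),
    Rule("allow", "inbound SMTP to the mail server",
         iface="ext", proto="tcp", dst=MAIL_SERVER, dport=25),
    Rule("allow", "reply traffic for connections opened from inside",
         iface="ext", proto="tcp", ack=True),
    Rule("allow", "outbound traffic from the internal network",
         iface="int", src=INTERNAL_NET),
]

# The same policy written carelessly: no anti-spoofing rule, and the "internal"
# rule trusts the source address without checking the arrival interface.
CARELESS_RULES = [
    Rule("allow", "inbound SMTP to the mail server",
         iface="ext", proto="tcp", dst=MAIL_SERVER, dport=25),
    Rule("allow", "reply traffic for connections opened from inside",
         iface="ext", proto="tcp", ack=True),
    Rule("allow", "traffic from the internal network (interface not checked!)",
         src=INTERNAL_NET),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed packets through both tables; returns (strict, careless) decisions."""
    outside = ip_address("198.51.100.7")
    inside = ip_address("192.0.2.10")
    mail = ip_address("192.0.2.25")
    packets = {
        "inbound smtp":   Packet("ext", "tcp", outside, 40000, mail, 25),
        "inbound telnet": Packet("ext", "tcp", outside, 40001, mail, 23),
        "outbound http":  Packet("int", "tcp", inside, 40002, outside, 80),
        "http reply":     Packet("ext", "tcp", outside, 80, inside, 40002, ack=True),
        "dns probe":      Packet("ext", "udp", outside, 53, inside, 53),
        # An attacker on the Internet forges an internal source address.
        "spoofed telnet": Packet("ext", "tcp", inside, 40003, mail, 23),
    }
    return {name: (screen(RULES, p)[0], screen(CARELESS_RULES, p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (strict, careless) in demo().items():
        print(f"{name:15s} strict={strict:5s} careless={careless}")
```

The spoofed telnet packet is the point of the exercise: the careless table accepts it because its last rule matches on source address alone, while the strict table rejects it before any trusting rule is reached. Real routers apply the same first-match logic, which is why rule order and an explicit final deny deserve as much review as the individual rules.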

2. Proxy-Server Firewalls
The idea behind a proxy-server-based firewall is to break the IP connection between the Internet and the internal network. Such a firewall system (called a "dual-homed host" or "dual-homed gateway") has two separate network connections and does not route packets between them. Instead, a proxy server on the host accepts each connection on one side, decides whether it is permitted, and if so opens its own connection to the destination on the other side and relays the data.

A proxy server firewall therefore examines the traffic stream as a connection to a network service rather than as individual packets. Because the internal and external hosts never communicate directly, the proxy can inspect each request, check it against policy and log it. Permitted requests are forwarded to the destination host on a fresh connection opened by the proxy; everything else is refused.

3. Combined Approach
A combined approach is also possible: combining a screening router with a dual-homed host provides better security than either on its own. Even if you already have a screening router, you may want to add proxy-server software. Among other benefits, a proxy only acts on a completed TCP connection, which an attacker using a forged source address cannot normally complete, whereas a screening-router-only firewall that trusts source addresses is exposed to IP spoofing. The router should still be configured to drop packets arriving from the Internet that carry an internal source address.
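The following Python code is an added example, not the page's own or any vendor's. It shows the decision logic of an application-level proxy of the kind that would run on the dual-homed host described above, sitting behind the screening router: it parses an HTTP request from an internal client, checks it against policy, and if permitted composes its own outgoing request rather than relaying the client's bytes, producing an audit record either way. Only the decision and audit logic is shown; the socket handling is left out, and the allowlist, request samples and function names are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy for the example: which services internal users may reach
# through the gateway. Not taken from the page.
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}
ALLOWED_METHODS = {"GET", "HEAD"}
MAX_REQUEST_BYTES = 2048

# Absolute http:// URL as sent to a proxy: host, optional port, optional path.
# No userinfo and no whitespace, so a CR or LF cannot be smuggled into the path.
_URL_RE = re.compile(r"^http://([A-Za-z0-9.-]+)(?::(\d{1,5}))?(/[^\s]*)?$")


@dataclass
class AuditRecord:
    client: str
    decision: str                   # "forward" or "deny"
    reason: str
    outbound: Optional[str] = None  # the request the proxy sends on, if any


def proxy_request(client_ip: str, raw_request: bytes) -> AuditRecord:
    """Decide what to do with one request received on the internal interface.

    The proxy never relays the client's bytes. It parses the request, checks it
    against policy and, if permitted, composes its own request to the server.
    """
    if len(raw_request) > MAX_REQUEST_BYTES:
        return AuditRecord(client_ip, "deny", "request too long")
    try:
        text = raw_request.decode("ascii")
    except UnicodeDecodeError:
        return AuditRecord(client_ip, "deny", "non-ASCII bytes in request")
    # Only the request line matters to this gateway; client headers are dropped.
    request_line = text.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        return AuditRecord(client_ip, "deny", "malformed request line")
    method, url, version = parts
    if method not in ALLOWED_METHODS:
        return AuditRecord(client_ip, "deny", f"method {method} not permitted")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return AuditRecord(client_ip, "deny", f"unsupported version {version}")
    m = _URL_RE.match(url)
    if not m:
        return AuditRecord(client_ip, "deny", "URL is not a plain absolute http:// URL")
    host = m.group(1).lower()
    port = int(m.group(2)) if m.group(2) else 80
    path = m.group(3) or "/"
    if host not in ALLOWED_HOSTS:
        return AuditRecord(client_ip, "deny", f"host {host} not in allowlist")
    if port != 80:
        return AuditRecord(client_ip, "deny", f"port {port} not permitted")
    # Rebuild the request from validated fields. The only client-supplied text
    # that survives is the path, which the regex limits to non-whitespace.
    outbound = (f"{method} {path} HTTP/1.0\r\n"
                f"Host: {host}\r\n"
                f"Connection: close\r\n\r\n")
    return AuditRecord(client_ip, "forward", f"{method} {host}{path}", outbound)


def audit_line(rec: AuditRecord) -> str:
    """One line for the gateway's audit log."""
    return f"{rec.client} {rec.decision.upper()} {rec.reason}"


def demo() -> List[AuditRecord]:
    """Constructed requests from one internal client, not captured traffic."""
    client = "192.0.2.10"
    samples = [
        b"GET http://www.example.com/index.html HTTP/1.0\r\nUser-Agent: x\r\n\r\n",
        b"GET http://WWW.Example.COM HTTP/1.1\r\n\r\n",
        b"POST http://www.example.com/upload HTTP/1.0\r\n\r\n",
        b"GET http://evil.example.net/ HTTP/1.0\r\n\r\n",
        b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n",
        b"GET http://www.example.com/a\r\nX-Injected: 1 HTTP/1.0\r\n\r\n",
        b"GET http://www.example.com:8080/ HTTP/1.0\r\n\r\n",
    ]
    return [proxy_request(client, s) for s in samples]


if __name__ == "__main__":
    for rec in demo():
        print(audit_line(rec))
```

The design point is that the server only ever sees a request the proxy built itself from fields it has validated, so oddities in what the client sent (an unexpected method, a tunnel request, a header injected into the URL, a non-standard port) are refused and logged rather than passed through. A screening router cannot make any of these decisions, because none of them is visible in the packet headers.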

Limitations of firewalls

Firewalls cannot protect very well against viruses. There are too many ways of encoding binary files for transfer over networks, and too many architectures and viruses, to try to search for them all at the gateway. This limitation is a good example of why firewalls are not just hardware and software: manual procedures are firewalls too. A firewall cannot replace security-consciousness on the part of your users. Organisations that are seriously concerned about viruses should implement organisation-wide virus control measures, including scanning on the hosts themselves.

Obviously, firewalls cannot protect against attacks that do not go through the firewall, so we must make sure that no 'back doors' (an unmanaged dial-in modem, for example) are left open when the firewall is installed. There is no point in having a steel door on a wooden house.

Also, firewalls cannot really protect you against traitors or idiots inside your network. An industrial spy might export information through your firewall, but is just as likely to use the telephone, the fax machine or a floppy disk.

Finally, firewalls cannot stop users who reveal sensitive information over the telephone to a willing attacker who has talked them into it; this kind of social engineering bypasses the firewall entirely.

The Future

No firewall will ever provide 100% security for an organisation against intruders or corruption of its data. Human intervention, deliberate tampering and 'word of mouth' alone will ensure this.

The purpose of security on the Internet is to protect a network from intrusion by unwanted visitors and to protect the data accessible from that network.

Firewalls in the future will have one very definite goal in mind: to eliminate their present limitation, that viruses are able to pass through the firewall and enter the network it is meant to protect.

Anti-virus software
The principle behind this technology is to provide an added barrier to potentially infected traffic by scanning all network traffic at the gateway and alerting administrators to any detected viruses. Software that works along these lines is on the market: Webshield, a companion product to WebScan, McAfee's antivirus scanner for Web browsers, is compatible with almost all leading network firewalls and Internet gateways. Other good anti-virus software includes Norton Antivirus, whose signatures can be updated over the Internet every few days. Firewalls are also going to be developed with extra protection in the future.

Double-Wall Firewall for extra protection
If the outer firewall is breached, the inner wall safely and automatically shuts down the link between the two firewalls. A product currently following this principle is the firewall software provided by Zergo, which integrates with all flavours of BSD UNIX and supports over 10,000 simultaneous connections. The system also includes an administration tool enabling you to manage multiple firewalls across an enterprise network.

Firewall combinations for extra protection
Future development of firewalls will also lie somewhere between the two basic types, Network Level and Application Level. It is likely that network level firewalls will become increasingly "aware" of the information going through them, while application level firewalls will become increasingly "low level" and transparent, with the end result being fast packet-screening systems that log and audit data as it passes through. Encryption will be heavily used to protect traffic passing over the Internet, providing more secure data transfer for organisations and so encouraging further growth in the Internet's use.

Data transfer protection
Transferring data across the Internet is another area for the future of firewalls and data security in general. Encryption and cryptographic techniques such as public-key cryptography, digital signatures and authentication are continually being enhanced, so that data sent to a target destination can be decrypted only by that destination's user and not by an intruder "on the line".




Copyright © 1997-2000 Dr. Raj Mehta. All rights reserved.