Firewalls

Overview

There is only one foolproof method that guarantees one hundred percent access deniability of your network to hackers: make it a totally isolated system by physically disconnecting it from the Internet and any other outside networks. Because we live in a world of massive information transfer and realize the importance of allowing network access to and from the Internet, we must devise ways to protect our networks. Firewalls are used for this purpose. A firewall can be hardware, software, or a combination of both. This paper will briefly discuss the purpose, basic types, network policy, and issues concerning firewalls.

Purpose

The primary purpose of a firewall is to provide a single access point where network defenses are implemented to limit exposure to attack. To accomplish this, firewalls provide the following:

Protection

Firewalls provide protection to the network by filtering inherently insecure services and allowing only selected protocols to pass through the firewall to the network.

Access Control

Firewalls provide the ability to control access to the protected network. The network could be effectively sealed off from unwanted access or allow limited access to mail servers or information servers. Firewalls also provide access control from the protected network to the Internet.

Centralized Security

As stated earlier, firewalls should be the single access point to the network. Because of this, administrators can use the firewall as the single point where network security application software also resides. The benefits are reduced costs (only one application is needed) and simplified implementation and upgrades of the security software.

Privacy

Firewalls are designed to enhance network privacy by blocking services such as Finger and Domain Name Service (DNS) to Internet hosts, since these services could leak information to possible attackers. Finger is a protocol that displays information such as who is logged on or when e-mail was last read. DNS contains information about the network, host names, and IP addresses. Think of DNS in terms of a caller ID.

Administrative Tool

Firewalls can log accesses and provide valuable statistics about network usage. A firewall can also provide details on whether the firewall or the network is being probed or attacked.

Enforces Network Policy

A firewall provides the means for implementing and enforcing a network access policy. In effect, a firewall provides access control to users and services. Thus, a network access policy can be enforced by a firewall, whereas without a firewall, such a policy depends entirely on the cooperation of users.

Basic Types

A firewall can be a router, a personal computer, a host, or a collection of hosts. Firewalls usually are located at a higher-level gateway, such as a connection of a site to the Internet. Firewalls can be broken down into two basic types: network layer and application layer.

Network Layer Firewalls

Network layer firewalls, such as packet filters, examine traffic at the network protocol packet layer. They can usually filter IP packets based on source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port.

Application Layer Firewalls

Application layer firewalls, such as application gateways, are generally hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them.

Network Policy

Network policy directly influences the design, installation, and use of a firewall. The most important issue concerning firewalls is what access will be allowed or denied to and from the protected network. Because of this, the access policy directly influences the firewall design policy.

· The access policy must be realistic and should be drafted before implementing a firewall. A realistic policy is one that provides a balance between protecting the network from known risks, while still providing users access to network resources.

· The firewall design policy is specific to the firewall. It defines the rules used to implement the access policy. Firewalls generally implement one of two basic design policies:

    · Permit any service unless it is expressly denied. A firewall that implements this policy allows all services to pass into the site by default, with the exception of those services that the service access policy has identified as disallowed.

    · Deny any service unless it is expressly permitted. A firewall that implements this policy denies all services by default, but then passes those services that have been identified as allowed.
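The following added example (not from the original paper) implements the packet filter described under Network Layer Firewalls and evaluates the same constructed ruleset under both design policies above. The protected network 192.0.2.0/24, the rules and the sample packets are all assumptions chosen for illustration; the point it shows is that a telnet connection to an internal host is blocked by a deny-unless-permitted policy but slips through a permit-unless-denied policy that never listed telnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"       # CIDR; the default matches any destination
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; otherwise the design policy's default applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed ruleset for a hypothetical protected network 192.0.2.0/24
RULES = [
    Rule("permit", dst="192.0.2.25/32", proto="tcp", dport=25),  # mail server
    Rule("permit", dst="192.0.2.80/32", proto="tcp", dport=80),  # information server
    Rule("deny",   dst="192.0.2.0/24",  proto="tcp", dport=79),  # finger, blocked for privacy
]

# Constructed sample traffic arriving from the Internet
PACKETS = [
    Packet("203.0.113.7", "192.0.2.25", "tcp", 25),  # inbound mail
    Packet("203.0.113.7", "192.0.2.10", "tcp", 23),  # telnet to an internal host
    Packet("203.0.113.7", "192.0.2.10", "tcp", 79),  # finger to an internal host
]


def decide_all(default: str) -> List[str]:
    """Decision for each sample packet under the given default policy."""
    return [filter_packet(RULES, p, default) for p in PACKETS]


if __name__ == "__main__":
    for policy in ("deny", "permit"):
        print(f"default={policy}:", decide_all(policy))
```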

Issues and Problems with Firewalls

Firewalls have many benefits, but there are also disadvantages to firewalls. A firewall is not by any means a universal remedy for Internet security problems.

Restricted Access to Desirable Services

The most obvious disadvantage of a firewall is that it may block certain services that users want, such as TELNET, FTP, etc.

Large Potential for Back Doors

Firewalls do not protect against back doors into the site. For example, if unrestricted modem access is still permitted into a site protected by a firewall, attackers could effectively jump around the firewall.

Little Protection from Insider Attacks

Firewalls generally do not provide protection from insider threats. While a firewall may be designed to prevent outsiders from obtaining sensitive data, the firewall does not prevent an insider from copying the data onto a tape and taking it out of the facility.

Other Issues

· WWW, gopher - Newer information servers and clients such as those for World Wide Web (WWW), gopher, and others were not designed to work well with firewall policies and, due to their newness, are generally considered risky. The potential exists for data-driven attacks, in which data processed by the clients can contain instructions to the clients; the instructions could tell the client to alter access controls and important security-related files on the host.

· MBONE - Multicast IP transmissions (MBONE) for video and voice are encapsulated in other packets; firewalls generally forward the packets without examining the packet contents.

· Viruses - Firewalls do not protect against users downloading virus-infected personal computer programs from Internet archives or transferring such programs in attachments to e-mail. Because these programs can be encoded or compressed in any number of ways, a firewall cannot scan such programs to search for virus signatures with any degree of accuracy.

· Throughput - Firewalls represent a potential bottleneck since all connections must pass through the firewall and possibly be examined by the firewall.

· All eggs in a single basket - A firewall concentrates security in one spot as opposed to distributing it among systems. A compromise of the firewall is therefore a single point of failure for security.

Related Links

NIST Pub. 800-10, "Keeping Your Site Comfortably Secure: An Introduction to Internet Security".

http://csrc.nist.gov/publications/nistpubs/800-10/main.html

Great frequently asked questions about firewalls.

http://www.interhack.net/pubs/fwfaq/

Purdue Center for Education and Research in Information Assurance and Security.

http://www.cerias.purdue.edu/coast/firewalls/

CNN related sites for 'Insurgency on the Internet'. Great sites on network security.

http://www3.cnn.com/TECH/specials/hackers/related.sites/