51-30-10 Selecting a Firewall Gilbert Held



Payoff

Although a company may reap significant benefits from connecting to a public network such as the Internet, doing so can sometimes compromise the security of a private network. This article discusses two types of firewalls that provide security by creating barriers between networks. Firewall solutions for three common network scenarios are also discussed.

Introduction

A firewall is a combination of hardware and software that functions as a programmable barrier to the flow of data between two or more networks. Those networks can be public, private, or a combination of the two. The hardware platform used to construct a firewall depends on the configuration of the networks the firewall will protect.

Bridge-Based Firewalls

If a firewall is required to function as a barrier between two private local area networks (LANs) operating within the same building, a bridge hardware platform may be sufficient. Exhibit 1a illustrates the use of a firewall-based bridge to both interconnect two LANs and function as a programmable barrier to the flow of data from one LAN to the other. The firewall obtains its barrier capability through packet filtering.

Exhibit 1. Using Bridge-Based Firewalls

Packet Filtering

When operating on a bridge platform that uses Media Access Control (MAC) packet addresses as the decision criteria for forwarding a packet from one LAN to another, the software in the firewall supersedes the bridging operation. That is, the firewall enables or disables the flow of packets from one network to another according to the packet-filtering criteria previously established. For example, one or more source or destination addresses, or groups of addresses, could be barred from traversing from one network to another. When operating on a bridge platform, a firewall's filtering capability is limited to source and destination addresses. The firewall cannot make decisions based on the application or any other criteria. This limitation results from the fact that such additional filtering would have to occur at the network layer, while the bridge operates at the data link layer.

Although filtering is limited, a bridge-based firewall is suitable for many intracompany applications. For example, packet filtering can prevent specific users on one network from attempting to access a print or file server on another network. Although packet filtering is no substitute for password protection in controlling access to servers, it can be used to thwart attempts by users of one network to access the resources of another. Because every query requires a response, using packet filtering to block access requests also reduces intra-LAN communications, which can eliminate or reduce bottlenecks when remote bridges are used to interconnect geographically separated LANs. By using a remote bridge-based firewall at each location, users can obtain a degree of control over intra-LAN communications. Exhibit 1b illustrates the use of a remote bridge-based firewall.

Connecting geographically separated LANs by remote bridge-based firewalls requires two filtering operations to effectively limit the communications flow on the WAN. If filtering occurs at only one end of the WAN transmission path, a conventional remote bridge at the other end permits all packets with unknown destination addresses to be transmitted over the WAN to the other LAN. Thus, implementing packet filtering on both remote bridges can effectively reduce the traffic over lower-speed WAN circuits in addition to serving as a barrier to unwanted transmission.

Router-Based Firewalls

A more sophisticated type of firewall, the router-based firewall, is built on a router hardware platform. Unlike a bridge, which operates at the data link layer, a router operates at the network layer. Instead of making forwarding decisions based solely on the destination address in a packet (as a bridge does when it is not filtering), a router makes decisions based on a variety of information that can be included in the network header. In addition, most routers support multiple protocols, such as NetWare Internet Packet Exchange (IPX), Transmission Control Protocol/Internet Protocol (TCP/IP), and Systems Network Architecture (SNA). Routers may support SNA by using a passthrough facility, by encapsulating SNA in TCP/IP, or by using IBM Corp.'s recently introduced data link switching to route SNA traffic. Because the Internet Protocol (IP) includes port numbers that define applications such as E-mail, Telnet, rlogin, and File Transfer Protocol (FTP), users should consider a router-based firewall's ability to filter on protocol addresses as well as on the logical port numbers that equate to distinct applications.
Exhibit 2a illustrates the use of a router to connect an organization's Ethernet LAN to the Internet. In this example, the connection to the Internet was obtained from an Internet access provider. In many instances the Internet access provider furnishes both the router and the connection to the Internet, so many organizations may want to examine the filtering capability of the router bundled with Internet access.

Exhibit 2. Connecting a Corporate LAN to the Internet

If that filtering capability is not sufficient to satisfy its communications requirements, an organization may want to install a router-based firewall between its network and the access provider's router as an additional level of protection. This situation is illustrated in Exhibit 2b. Although the use of a firewall as illustrated in Exhibit 2b appears similar to the use of a router's built-in filtering, there can be enough differences between the two methods to justify a standalone router-based firewall. The examples in the following section explain why some routers may be incapable of providing the level of filtering an organization requires.

Examples of Filtering

Filtering is required to make certain corporate networking functions more secure, for example employee access to the Internet, employee access to FTP servers on the Internet, and customer access to files on a company's FTP server. This section describes examples of each of these functions.

Corporate Internet Access

In the first example, an organization's Internet connection has been established to permit employees connected to the Ethernet to send and receive E-mail over the Internet. The users also want to establish an FTP server on their LAN that allows customers to access and retrieve information concerning price quotes, technical bulletins, and similar company information. Although the network manager wants workstation users on the company LAN to use FTP to access FTP servers on the Internet, the manager also wants to limit FTP access to the LAN to customers only.

Some routers with a built-in filtering capability permit anything not explicitly precluded. Others operate on the assumption that nothing is permitted unless explicitly allowed. This second type of router is less frequently encountered because it requires a more sophisticated degree of filtering and a significant amount of memory to hold permissions rather than exceptions. This type of filtering is usually encountered in router-based firewalls, which as a security precaution only permit explicitly defined operations.

Because the organization wants to transmit E-mail over the Internet, certain filtering actions are required. Because the Simple Mail Transfer Protocol (SMTP) is used to transport E-mail as an IP application using port 25, filters should be set using that port assignment. If the router precludes all operations unless explicitly permitted, the following filter actions should be entered:

Action   Port   Source   Destination   Inbound/Outbound
Allow    25     *        *             Inbound
Allow    25     *        *             Outbound

The asterisk (*) functions as a global wildcard permitting any address for source or destination. Thus, the first filter allows inbound traffic using port 25 from any source address to any destination address. The second filter permits outbound E-mail using port 25 from any source address to any destination address. The combination of the two filters permits E-mail from any user on the Internet to reach any user on the company LAN and vice versa. If the company LAN were using a router that allows all operations that are not precluded, users would not have to enter any filters to use E-mail.

Employee Access to FTP Servers on the Internet

Once the organization's E-mail filtering requirements have been satisfied, its FTP requirements should be evaluated. If the router a company is using precludes all operations other than those explicitly permitted, specific filtering is required. Because FTP uses port 21 to transmit control information outbound and port 20 for the actual inbound file transfer, filtering is required to allow organizational users FTP access to the Internet. To satisfy this requirement, an organization should set up the following filters:

Action   Port   Source   Destination   Inbound/Outbound
Allow    21     *        *             Outbound
Allow    25     *        *             Inbound

The first filter permits any user on the LAN to initiate an FTP request on port 21 to any destination address. The second filter permits files requested through an action on port 25 to flow inbound from any source address on the Internet to any destination address on the LAN. Together, these filters allow LAN users to access any FTP server on the Internet.

Letting Customers Access Files on the Company's FTP Server

An organization must decide which filters are required so that selected customers can access files on its FTP server. The network administrator should keep in mind one of the key limitations of many routers: their inability to support more than a few filters. An organization may want to contact customers to obtain their network addresses, either as a single workstation address representing one computer that requires access to the organization's FTP server, or as a block of addresses representing a group of workstations at a customer site that require such access. For each customer, the filters take the following form:

Action   Port   Source    Destination   Inbound/Outbound
Allow    21     Address   FTPA          Inbound
Allow    25     FTPA      Address       Outbound

Here, FTPA represents the organization's FTP server address, and Address represents either a customer's single workstation address or a block of workstation addresses. Thus, the preceding filters would:

- Allow inbound traffic on port 21 from the defined source address or group of addresses to the organization's FTP server address.
- Allow outbound traffic on port 25 from the organization's FTP server address to the destination address or block of destination addresses.

If, for example, an organization has 60 customers, a minimum of 120 filters must be set up for customers to have FTP access. If each customer had several workstations requiring access to the company FTP server and their addresses were noncontiguous, a pair of filters would have to be set up for each workstation. Thus, two workstations per customer requiring access to the organization's FTP server would require 60 * 2 * 2, or 240, filters; three workstations per customer would require 360 filters, and so on. If the router supports only a handful of filter operations because of memory constraints, an organization will probably need a router-based firewall to implement its filtering requirements. Most router-based firewalls support hundreds to thousands of filters. However, because each filter requires the router to perform a series of comparison operations, the more filters used, the lower the throughput that can be obtained. Vendor performance specifications should be carefully considered: some firewalls can become network bottlenecks when as few as 50 filters are enabled, while others may support hundreds of filters before performance is significantly affected.
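The following Python program is an added example and is not code from the article or from any firewall vendor. It models the two platforms the article contrasts: a bridge-based filter that sees only MAC addresses (and therefore cannot tell FTP from Telnet), and a router-based filter that matches on addresses, port and direction with a configurable default policy ("anything not precluded" versus "nothing unless allowed"). It loads the article's SMTP, employee-FTP and per-customer FTP rule tables, and computes the filter count from the 60-customer arithmetic. All addresses, MACs and the first-match evaluation order are constructed assumptions; the FTP data channel uses port 20, which is the port the article's prose assigns to the inbound file transfer.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed sample addresses (RFC 5737 documentation ranges), not from the article.
FTPA = "192.0.2.21"                               # the organization's FTP server ("FTPA")
CUSTOMERS = ["198.51.100.77", "198.51.100.0/28"]  # one single workstation, one address block
FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20    # the article's prose assigns port 20 to the inbound file transfer

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    port: int          # application port: 25 SMTP, 21 FTP control, 20 FTP data, 23 Telnet
    direction: str     # "Inbound" or "Outbound", relative to the protected LAN

@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Deny"
    port: str          # a port number, or "*" for any port
    source: str        # "*", a single address, or a CIDR block
    destination: str
    direction: str

def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)

def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "*" or int(pattern) == port

class BridgeFirewall:
    """Data link layer filter: MAC addresses are the only available decision criteria."""
    def __init__(self, barred_macs: List[str]):
        self.barred = {m.lower() for m in barred_macs}

    def forwards(self, pkt: Packet) -> bool:
        # IP addresses and ports are invisible here, so the application cannot be inspected.
        return pkt.src_mac.lower() not in self.barred and pkt.dst_mac.lower() not in self.barred

class RouterFirewall:
    """Network layer filter: the first matching rule decides, otherwise the default policy applies."""
    def __init__(self, rules: List[Rule], permit_by_default: bool):
        self.rules = list(rules)
        self.permit_by_default = permit_by_default

    def permits(self, pkt: Packet) -> bool:
        for r in self.rules:
            if (r.direction == pkt.direction
                    and _port_matches(r.port, pkt.port)
                    and _addr_matches(r.source, pkt.src_ip)
                    and _addr_matches(r.destination, pkt.dst_ip)):
                return r.action == "Allow"
        return self.permit_by_default   # True: "anything not precluded"; False: "nothing unless allowed"

# The article's first two filter tables as rule rows.
SMTP_RULES = [Rule("Allow", "25", "*", "*", "Inbound"),
              Rule("Allow", "25", "*", "*", "Outbound")]
EMPLOYEE_FTP_RULES = [Rule("Allow", str(FTP_CONTROL_PORT), "*", "*", "Outbound"),
                      Rule("Allow", str(FTP_DATA_PORT), "*", "*", "Inbound")]

def customer_ftp_rules(customers: List[str], ftp_server: str) -> List[Rule]:
    """The per-customer pair: control channel in to FTPA, data channel out from FTPA."""
    rules = []
    for addr in customers:
        rules.append(Rule("Allow", str(FTP_CONTROL_PORT), addr, ftp_server, "Inbound"))
        rules.append(Rule("Allow", str(FTP_DATA_PORT), ftp_server, addr, "Outbound"))
    return rules

def filters_needed(customers: int, noncontiguous_workstations_each: int) -> int:
    """Filter count when every workstation address needs its own pair (the article's 60 * 2 * 2)."""
    return customers * noncontiguous_workstations_each * 2

def build_router(permit_by_default: bool = False) -> RouterFirewall:
    rules = SMTP_RULES + EMPLOYEE_FTP_RULES + customer_ftp_rules(CUSTOMERS, FTPA)
    return RouterFirewall(rules, permit_by_default)

if __name__ == "__main__":
    # Constructed sample packets (MACs from the IANA documentation range).
    isp, mail, ftp = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:21"
    mail_in   = Packet(isp, mail, "203.0.113.10", "192.0.2.25", 25, "Inbound")
    telnet_in = Packet(isp, mail, "203.0.113.10", "192.0.2.25", 23, "Inbound")
    cust_ftp  = Packet(isp, ftp, "198.51.100.9", FTPA, 21, "Inbound")   # inside the customer block
    other_ftp = Packet(isp, ftp, "203.0.113.99", FTPA, 21, "Inbound")   # not a customer
    deny_default, permit_default = build_router(False), build_router(True)
    for name, pkt in [("SMTP in", mail_in), ("Telnet in", telnet_in),
                      ("customer FTP", cust_ftp), ("non-customer FTP", other_ftp)]:
        print(f"{name:18s} default-deny: {deny_default.permits(pkt)!s:5s} "
              f"default-permit: {permit_default.permits(pkt)}")
    print("filters for 60 customers x 2 workstations:", filters_needed(60, 2))
    # A bridge can bar a station, but cannot tell FTP from Telnet coming from an allowed one.
    bridge = BridgeFirewall(["00:00:5e:00:53:aa"])
    print("barred MAC forwarded:", bridge.forwards(Packet("00:00:5e:00:53:aa", ftp, "192.0.2.40", FTPA, 21, "Outbound")))
    print("allowed MAC, Telnet: ", bridge.forwards(Packet("00:00:5e:00:53:bb", ftp, "192.0.2.41", FTPA, 23, "Outbound")))
```

Running the script shows the practical difference the article draws: under the default-permit router the unlisted Telnet packet passes, under the default-deny router only the listed SMTP and FTP flows pass, the non-customer FTP request is dropped because no per-customer pair matches it, and the bridge forwards FTP and Telnet alike from any station that is not barred. Every additional customer address costs two comparisons per packet, which is the throughput concern raised above.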

Conclusion

Two types of firewalls should be considered to protect the network resources of an organization. In brief:

- Bridge-based firewalls should be considered if an organization wants to control the flow of information between LANs that are interconnected, or can be interconnected, by bridges.
- If an organization wants to connect its private network to a public network, it should consider the use of a router-based firewall to obtain network protection.

By carefully examining the filtering capability of a firewall, including its ability to enable or disable the flow of packets based on source addresses, destination addresses, and logical ports, a barrier can be obtained that provides a satisfactory measure of security. Although the filtering capability of a firewall is its primary evaluation feature, other features should be considered before selecting this type of communications product. Exhibit 3 lists some of the additional features of a router-based firewall. This checklist can be used as a basis for comparing vendor products to company requirements.

Exhibit 3. Router-Based Firewall Features

Feature                  Requirement   Vendor A   Vendor B
------------------------ ------------- ---------- ----------
Filter Construction
  Number supported
  Binary linkage
LAN Support
  Token Ring
  Ethernet
Protocol Support
  TCP/IP
  IPX
  SPX
  RIP
  SLIP
  Other
WAN Support
  RS232
  V.35
  RS-449
  Other

Author Biographies

Gilbert Held

Gilbert Held is director of 4-Degree Consulting, a Macon, GA-based high-tech consulting group. He is an internationally recognized author and lecturer, having written more than 40 books and 300 technical articles. He earned a BSEE from Pennsylvania Military College, an MSEE from New York University, and MBA and MSTM degrees from The American University. He has represented the US at technical conferences in Moscow and Jerusalem and received numerous awards for excellence in technical writing.