Galt Global Review


Firewalls - a flaming nuisance or red-hot protection for your data?


If your company network is connected to the Internet, a firewall should be used to protect your data. However, in today's marketplace the presence of a firewall is (most unwisely) still not a certainty.

Welcome to the beginner's guide to protecting your network.

But what IS a firewall? How come it never triggers the fire alarm? And where does all the smoke go? Welcome to the beginner's guide to protecting your network...

In the last couple of years, the Internet has dominated technological news pages everywhere (this one being no exception). But when companies start adding ".com" to their names and finally join the e-commerce marketplace, their problems are only just beginning.

Many people don't realise that just linking two computers on a network, let alone setting up a website, causes a lot more difficulties than are immediately apparent.

When one PC is connected to another to form a basic network, the security protecting the data on each machine is weakened: unless access is deliberately restricted, sensitive information on one machine can be reached by the user of the other.

Needless to say, that should be the exception rather than the rule when it comes to data protection. Access should be filtered so that no user has all-access rights to every piece of data.

For example, should John the typist have access to the Accounts department's wages files, or Wendy, the junior programmer, be allowed to view the Personnel records of every employee in the company? Neither John nor Wendy need such data to perform their jobs, so this information is made unavailable to them by - yes, you guessed it - a firewall. Strictly speaking, the file permissions on the Accounts and Personnel servers are the first line of defence here; a firewall works one level down, deciding which machines (John's and Wendy's PCs among them) are allowed to talk to those servers at all.

An internal network can be divided using as many firewalls as deemed necessary, imposing a graduated form of access to highly sensitive information.

It may help to think of a computer network like your company building. Every employee has access to the building itself (the network), but only certain employees have a key to your office. Even fewer co-workers can open the file cabinet next to your desk, and only you know the combination to the strongbox within the cabinet that contains your emergency Mars bar supply. Here the Mars bars are the most protected data on the network (and quite rightly so).

All of the files in the cabinet are slightly less protected, followed by the paperwork (and snacks) lying around the office. The least protected foodstuffs are the ones in the corridors and foyer of the building. However these still have access limitations, in that only employees of the firm are eligible to test their edibility.

Members of the public walking along the street outside the office building (non-users of your network) have no access to any of the data (or snackfoods) within it because the office doors keep them out. These doors are the firewall which protects your network from unknown and untrusted users outside the company. This perimeter firewall is needed if the network is connected to an external network, such as the Internet.

A firewall between the internal and external networks serves two purposes: it prevents unauthorised communication from entering the internal network (inbound filtering) and stops users of the internal network from reaching the external network without permission (outbound filtering). This is, needless to say, extremely useful for scuppering company directors who access unsuitable websites or spend their day surfing cyberspace. In the home environment, a firewall could act in loco parentis for children using their home PCs and block the viewing of certain pages on the Internet.

A firewall consists of two parts.

So we now have an idea of what a firewall does, but what does it look like? First off, forget any notion relating to Steve McQueen and the Towering Inferno, because there's no smoke with this fire.

A firewall consists of two parts: the security policy and the physical implementation of that policy. The policy is the written statement of which users and machines may use which facilities or parts of the network. It can conform to one of four general types: paranoid, prudent, permissive or promiscuous.

As the name implies, the paranoid policy is the most protective, forbidding every connection or communication attempt - not exactly an ideal scheme for a network that is meant to be used. A prudent policy refuses every communication by default and only permits through the firewall those communications which have been explicitly cleared.

The permissive policy is more easy-going: its default is to accept everything sent to it unless a communication has been unequivocally forbidden. The final kind, promiscuous, allows every communication or connection request to enter.

In practice the ideal security policy is built from the prudent and permissive types, as the other two options would either inhibit (completely) the use of the network (paranoid) or endanger the security and integrity of the data stored on it (promiscuous). Where the network meets the Internet, prudent is the safer default: a prudent policy fails closed when a rule is forgotten, while a permissive one fails open and lets through whatever nobody thought to forbid.

For the physical implementation of the firewall there are yet more choices, depending on the security measures to be implemented. The oldest, simplest and least secure form of firewall is a packet filter.

This type of firewall checks the source and destination addresses of each communication packet (the data) requesting access to the protected network - in practice also the protocol and the port numbers, which identify the service being asked for - and decides, after consulting an ordered set of rules, whether to permit the packet to enter the network.

The primary disadvantage of this system is that it can only distinguish the machine a packet claims to have come from, and not which user on that machine sent it, so connections can only be permitted or denied based on the locations sending and receiving the data. 'Claims' is the operative word: a source address is written by the sender and can be forged, so a packet filter must at the very least refuse packets arriving from the Internet that carry one of the internal network's own addresses.
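The two ideas above, the four policy types and the packet filter that applies them, fit in one small program. What follows is an added example written for this article, not code from the original page or from any firewall product. Every address, rule and packet in it is constructed for the illustration, and it assumes the internal network is 10.0.0.0/8 and that the filter only sees packets arriving from the Internet side.

```python
"""Toy stateless packet filter (added example, not the article's own code).

Each packet is a 5-tuple; rules are checked in order and the first match
wins; if nothing matches, the policy's default decides. The addresses,
rules and packets below are all constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address as written in the packet header
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    src: str = "0.0.0.0/0"       # CIDR block; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# What each of the article's four policy types does with a packet that
# no rule mentions. Paranoid and promiscuous do not consult the rules at all.
DEFAULT_ACTION = {"paranoid": "deny", "prudent": "deny",
                  "permissive": "accept", "promiscuous": "accept"}


def filter_packet(policy: str, rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet under the given policy."""
    if policy in ("paranoid", "promiscuous"):
        return DEFAULT_ACTION[policy], f"{policy} policy ignores rules"
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}"
    return DEFAULT_ACTION[policy], "no rule matched, policy default"


# Assumed layout: the internal network is 10.0.0.0/8, and this filter only ever
# sees packets arriving from the Internet side. Rule 0 is the anti-spoofing
# check: nothing from outside may claim an internal source address.
RULES = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", proto="tcp", dport=23),                        # telnet, forbidden outright
    Rule("accept", dst="10.0.1.10/32", proto="tcp", dport=80),  # public web server
    Rule("accept", dst="10.0.1.20/32", proto="tcp", dport=25),  # mail server
]

# Constructed sample traffic, all arriving from the Internet side.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "http":    Packet("203.0.113.7", "10.0.1.10", "tcp", 51000, 80),
    "ssh":     Packet("203.0.113.7", "10.0.1.10", "tcp", 51001, 22),
    "telnet":  Packet("203.0.113.7", "10.0.1.20", "tcp", 51002, 23),
    "dns":     Packet("203.0.113.7", "10.0.1.30", "udp", 4000, 53),
    "spoofed": Packet("10.0.0.5",    "10.0.1.10", "tcp", 5, 80),
}


def verdicts(policy: str) -> Dict[str, str]:
    """Verdict for every sample packet under one policy."""
    return {name: filter_packet(policy, RULES, pkt)[0]
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for policy in DEFAULT_ACTION:
        print(f"{policy:11s} {verdicts(policy)}")
```

The "ssh" and "dns" packets are the interesting ones: nobody wrote a rule for them, so the prudent policy drops them and the permissive policy lets them in. Rule order matters too; the anti-spoofing deny sits first so that a forged internal address can never reach the accept rules below it.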

Circuit-level firewalls are a step up from packet filters in that they can distinguish between a connection request and a packet containing data. Only data packets belonging to an existing, valid connection are allowed through the firewall, and any connection request must follow the handshake procedure that establishes communication between two machines before its traffic can pass.

Both machines must also be approved for communication with each other according to a specified set of rules held in the firewall's memory. A major disadvantage of this type of firewall is that the only common Internet protocol which follows a handshaking procedure is TCP (Transmission Control Protocol), the most common - but not the only - transport protocol in the TCP/IP family. UDP, which carries DNS lookups and most audio and video traffic, sends each packet on its own with no handshake, so a circuit-level firewall has no connection to tie it to.
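The handshake-tracking described above can be shown in a few dozen lines. This is an added example for the article, not code from the original page or from any product; the hosts, the permitted client/server pair and the traffic are all constructed, and it simplifies real TCP (no sequence numbers, a single FIN closes the connection).

```python
"""Toy circuit-level (stateful) firewall (added example, not the article's code).

A TCP connection is only passed once the three-way handshake has been seen in
order (SYN, SYN-ACK, ACK) between a permitted client/server pair; after that,
only segments belonging to that ESTABLISHED connection get through. Anything
without a handshake behind it is dropped. All hosts and traffic are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    fin: bool = False
    payload: bytes = b""


Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint]


class CircuitFilter:
    def __init__(self, allowed: Set[Tuple[str, str, int]]):
        # (client host, server host, server port) triples that may open a connection
        self.allowed = allowed
        self.table: Dict[ConnKey, dict] = {}   # connection key -> {"state", "client"}

    @staticmethod
    def _key(seg: Segment) -> ConnKey:
        # Same key whichever direction the segment travels in.
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, seg: Segment) -> str:
        if seg.proto != "tcp":
            return "drop: no handshake to track"     # the UDP limitation
        key = self._key(seg)
        entry = self.table.get(key)

        if seg.syn and not seg.ack:                  # step 1: client asks to connect
            if (seg.src, seg.dst, seg.dport) not in self.allowed:
                return "drop: pair not permitted"
            self.table[key] = {"state": "SYN_SENT", "client": (seg.src, seg.sport)}
            return "pass: SYN"

        if seg.syn and seg.ack:                      # step 2: server agrees
            if (entry is None or entry["state"] != "SYN_SENT"
                    or (seg.dst, seg.dport) != entry["client"]):
                return "drop: SYN-ACK without matching SYN"
            entry["state"] = "SYN_RECEIVED"
            return "pass: SYN-ACK"

        if entry is None:
            return "drop: no connection"             # stray data or ACK from nowhere

        if entry["state"] == "SYN_RECEIVED":         # step 3: client confirms
            if seg.ack and (seg.src, seg.sport) == entry["client"]:
                entry["state"] = "ESTABLISHED"
                return "pass: handshake complete"
            return "drop: handshake not complete"

        if entry["state"] == "ESTABLISHED":
            if seg.fin:
                del self.table[key]                  # simplified: one FIN closes it
                return "pass: FIN"
            return "pass: data"

        return "drop: handshake not complete"


def run_demo() -> List[str]:
    """Constructed traffic: one legitimate session, then several attempts
    that have no handshake behind them."""
    fw = CircuitFilter(allowed={("10.0.0.5", "203.0.113.10", 443)})
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.9"
    traffic = [
        Segment(client, 40000, server, 443, syn=True),
        Segment(server, 443, client, 40000, syn=True, ack=True),
        Segment(client, 40000, server, 443, ack=True),
        Segment(client, 40000, server, 443, ack=True, payload=b"GET / HTTP/1.1\r\n"),
        Segment(server, 443, client, 40000, ack=True, payload=b"HTTP/1.1 200 OK\r\n"),
        # attacker injects "data" towards the client with no prior handshake
        Segment(attacker, 1234, client, 40000, ack=True, payload=b"evil"),
        # attacker sends an unsolicited SYN-ACK (a classic probe)
        Segment(attacker, 443, client, 40001, syn=True, ack=True),
        # client tries a port that is not on the permitted list
        Segment(client, 40002, server, 22, syn=True),
        # a UDP datagram: nothing to track
        Segment(client, 5000, server, 53, proto="udp", payload=b"dns?"),
        Segment(client, 40000, server, 443, ack=True, fin=True),
        # data on the closed connection
        Segment(client, 40000, server, 443, ack=True, payload=b"late"),
    ]
    return [fw.process(seg) for seg in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Notice that the attacker's packets are not rejected because of their addresses but because nothing in the connection table vouches for them; that is the whole difference from the packet filter.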

A more advanced form of security.

A yet more advanced form of security is the application-layer firewall. Many examples of this type of firewall use proxy servers and clients to interact with the external network on the user's behalf.

This means that the machine into which the user enters his commands never actually connects to the desired network directly; every request is passed through another machine - the proxy - which processes and examines the requests sent, understanding the protocol in use (web, mail, file transfer) rather than just the addresses on the packets. The proxy also checks whether the requests it sends and receives are permitted by the policy rules relating to the proxy.

The proxy server, protocol analysis and proxy client are the three invisible parts which together form the proxy service. A well set up proxy service will be transparent to the user and make him think he is interacting with the real machine partner. The only occasion when the user should be aware of the proxy is if the requests made are not permissible, and he is alerted to the fact.
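Here is the "protocol analysis" part of a web proxy reduced to its essentials, as an added example written for this article (not code from the original page or from any proxy product). The hostnames, the policy and the requests are all constructed. The point it makes: the allowed and the blocked request below both travel to port 80, so a packet filter would treat them alike, while a proxy that reads the request itself can tell them apart and, when it refuses, answers with the 403 page that is the one moment the user notices the proxy.

```python
"""Toy application-level check as a web proxy would do it (added example,
not the article's code). The proxy parses the HTTP request itself, so it can
decide on the method and the site being asked for, which a packet filter,
seeing only addresses and port 80, cannot. Hosts and requests are constructed.
"""
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, target, headers) from a raw HTTP/1.x request.
    Raises ValueError on anything that is not a well-formed request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")   # ValueError unless exactly 3 parts
    if not version.startswith("HTTP/"):
        raise ValueError("bad version")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


class ProxyPolicy:
    """Prudent (default deny) policy: only listed hosts and plain methods."""

    def __init__(self, allowed_hosts, allowed_methods=("GET", "HEAD", "POST")):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.allowed_methods = set(allowed_methods)

    def decide(self, raw: bytes) -> Tuple[bool, str]:
        try:
            method, _target, headers = parse_request(raw)
        except ValueError as exc:
            return False, f"malformed request ({exc})"
        if method not in self.allowed_methods:
            return False, f"method {method} not permitted"
        host = headers.get("host", "").split(":")[0].lower()   # drop any :port
        if not host:
            return False, "no Host header"
        if host not in self.allowed_hosts:
            return False, f"host {host} not permitted"
        return True, f"{method} to {host} permitted"


def denial_response(reason: str) -> bytes:
    """What the user sees instead of the page: the only time the proxy shows itself."""
    body = f"Request blocked by proxy policy: {reason}\n".encode()
    return (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)


# Constructed policy and sample requests (hostnames are illustrative only).
POLICY = ProxyPolicy(allowed_hosts={"www.example.com", "intranet.example.com"})

SAMPLE_REQUESTS: Dict[str, bytes] = {
    "allowed":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "with_port": b"GET / HTTP/1.1\r\nHost: WWW.example.com:8080\r\n\r\n",
    "blocked":   b"GET /cat-videos HTTP/1.1\r\nHost: unsuitable.example.net\r\n\r\n",
    "tunnel":    b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "no_host":   b"GET / HTTP/1.0\r\n\r\n",
    "garbage":   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",   # not HTTP at all
}


def decisions() -> Dict[str, bool]:
    """Permit/deny for every sample request under POLICY."""
    return {name: POLICY.decide(raw)[0] for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        ok, reason = POLICY.decide(raw)
        print(f"{name:10s} {'PASS' if ok else 'DENY'}  {reason}")
        if not ok:
            print(denial_response(reason).decode())
```

The "tunnel" request is worth a second look: CONNECT asks the proxy to become a blind pipe to a remote port, which would turn the application-layer firewall back into a circuit-level one, so a prudent policy refuses it unless there is a specific reason to allow it.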

These three types of firewall all have their advantages and problems. Although the proxy-based, application-level firewall is generally considered the best protection, it is also the slowest: every connection is terminated at the proxy and a second one opened on the far side, so each packet is handled twice.

The circuit-level firewall is quicker than the application-level security checks, but only works with TCP, and testing the 'accept' and 'deny' rules is difficult. The fastest protection is provided by the packet-filter type of firewall, but this performs only a cursory check on each packet and offers minimal security.

As with most aspects of business, there is a compromise to be made; with firewalls that compromise is between protection and performance. The question is: are you prepared to risk your company's Mars bars for a few microseconds of processing power?

Visiting the Microsoft Security Advisory Website on a regular basis will keep you posted on the latest issues: http://www.microsoft.com/security

Catherine Shaw is The Galt Global Review's new IT writer. If you would like to see a specific topic covered email her at infotech@galtglobalreview.com.
