Internet Security Professional Reference: How to Buy a Firewall


Three Buzzwords to Know

TCP/IP firewalls use many different technologies, mixing and matching them in different amounts and different ways. The three main techniques are called packet filtering, circuit gateways, and application proxies. A firewall sits between two or more TCP/IP networks and uses these techniques to decide whether to pass, drop, or reject each piece of traffic. The following sections define those three techniques.

Packet Filtering

Packet filtering means making a pass-or-drop decision for each packet from its IP and TCP/UDP header fields alone. A TCP packet carries source and destination IP addresses, source and destination application access points (called “port numbers”), and other header information, such as the SYN and ACK flags, which show whether the packet is opening a new connection or belongs to an existing one. One important limitation of packet filters is that they cannot tell good users from bad ones; they can only tell good packets from bad packets. Packet filtering technology works best in networks that have very black-and-white security policies: inside people good; outside people bad.

The elegant simplicity of packet filtering technology has been heavily extended by a number of vendors who have built firewall systems that combine packet filtering cores with decision-making systems that remember which connections have been opened, so an inbound packet is judged against the connection it claims to belong to rather than against its header alone. To distinguish themselves from simple packet filtering, these vendors have created their own category called “stateful inspection” (also written “stateful protocol inspection”).
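The difference between a plain packet filter and a stateful one is easiest to see on one policy applied both ways. The block below is an added example, not code from the book: it assumes a constructed internal network (10.1.0.0/16), a single published inbound service (a mail relay on port 25), and three constructed packets. The stateless filter can only approximate “part of an existing connection” with the ACK bit, which an outsider can set on any packet it likes; the stateful filter remembers the outbound SYN and admits only a genuine reply to it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (constructed) addressing for the example: one internal network
# behind the firewall; every other address is "outside".
INSIDE = ip_network("10.1.0.0/16")
MAIL_RELAY_PORT = 25   # the one inbound service the policy exposes


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter gets to look at (TCP only here)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set when opening a connection
    ack: bool = False   # TCP ACK flag: set on every segment after the first


def inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


def stateless_filter(p: Packet) -> str:
    """Decide from this packet alone. Policy: inside hosts may open anything
    outbound; inbound packets are allowed only to the mail relay or if they
    look like part of an established connection. Without memory, "established"
    can only be approximated by the ACK bit, which the sender controls."""
    if inside(p.src) and not inside(p.dst):
        return "allow"                         # outbound, any service
    if not inside(p.src) and inside(p.dst):
        if p.dport == MAIL_RELAY_PORT:
            return "allow"                     # the published service
        if p.ack:
            return "allow"                     # "must be a reply" heuristic
    return "deny"                              # default deny


class StatefulFilter:
    """Same policy, but remembers outbound connection attempts and admits an
    inbound packet only when it matches a connection an inside host opened."""

    def __init__(self) -> None:
        # (inside addr, inside port, outside addr, outside port)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if inside(p.src) and not inside(p.dst):
            if p.syn and not p.ack:            # a new outbound connection
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if not inside(p.src) and inside(p.dst):
            if p.dport == MAIL_RELAY_PORT:
                return "allow"
            if (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return "allow"                 # a genuine reply
        return "deny"


# Constructed traffic: an inside client opens a web connection, the server
# replies with SYN+ACK, and an outsider forges an ACK-only packet aimed at
# an inside host's X11 port (6000), hoping to look like a reply.
OUTBOUND = Packet("10.1.2.3", 40000, "203.0.113.5", 80, syn=True)
REPLY = Packet("203.0.113.5", 80, "10.1.2.3", 40000, syn=True, ack=True)
FORGED = Packet("198.51.100.9", 1234, "10.1.2.3", 6000, ack=True)


def compare() -> dict[str, tuple[str, str]]:
    """Run the three packets through both filters, in order.
    Returns name -> (stateless decision, stateful decision)."""
    sf = StatefulFilter()
    return {
        name: (stateless_filter(p), sf.decide(p))
        for name, p in (("outbound", OUTBOUND), ("reply", REPLY), ("forged", FORGED))
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:9s} stateless={stateless:5s} stateful={stateful}")
```

The forged packet is the whole point: the stateless filter passes it because ACK is set, the stateful one drops it because no inside host ever sent a SYN to 198.51.100.9 from port 6000. The published mail-relay port is a hole in both filters by design; that is the "good packets, not good users" limitation the text describes.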

Circuit Gateways

Circuit gateways are used when the actual information passed by the network application is not important, but who is using the application is. A circuit gateway is best thought of as a tunnel built through the firewall that links selected systems on one side to selected systems on the other; once the tunnel is open, the bytes flowing through it are relayed without being interpreted. Circuit gateways are not very different from packet filters, but they are commonly joined to an out-of-band authentication scheme that adds the missing piece of information: which user is behind the connection.

Application Proxies

Application proxies are used when the actual content or data stream of an application is important and needs to be controlled. For example, an application proxy could be used to limit FTP users so that they could only fetch files from the Internet, but never push files out to it. The problem with application proxies is that they are specific to a particular application, which makes them difficult to write and maintain. Application proxies for user programs typically also carry authentication information inside the application data stream (a modified login dialogue, for instance). This can be confusing to users and limits the kinds of client software that can be used. Many firewalls that include application proxies also use circuit gateways for new applications or for applications that aren’t considered a security risk.
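The contrast between the two previous sections, a circuit gateway that authenticates the user and then relays unexamined bytes, and an application proxy that understands the protocol and enforces a content rule, is shown below on the book's own FTP example. This is an added example, not code from the book: the user table, the shared secret, the FTP session and the host name are all constructed, and the proxy handles only the FTP control channel (data-channel handling is left out). The proxy enforces “fetch only” with an allowlist of read-only verbs, so uploads and any unknown command are blocked.

```python
import hmac

# Constructed for the example: who may open a circuit, and the secret they
# present out of band (on a separate control connection), not inside FTP.
AUTHORIZED_USERS = {"alice": "example-secret-for-alice"}

# FTP control-channel verbs (RFC 959 / RFC 2428) the download-only policy
# permits. Writing verbs such as STOR, STOU, APPE, DELE, RNFR/RNTO and MKD
# are deliberately absent, so they fall through to "block".
READ_VERBS = {
    "USER", "PASS", "SYST", "FEAT", "TYPE", "PWD", "CWD", "CDUP",
    "LIST", "NLST", "SIZE", "MDTM", "PASV", "EPSV", "PORT", "EPRT",
    "RETR", "REST", "ABOR", "NOOP", "QUIT",
}


def split_commands(stream: bytes) -> list[str]:
    """Reassemble the control stream into complete CRLF-terminated commands.
    A proxy that judged raw network chunks instead could be fooled by a
    chunk boundary falling in the middle of a verb."""
    lines = stream.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                            # trailing terminator
    return [line.decode("ascii", "replace") for line in lines]


def parse_ftp_command(line: str) -> tuple[str, str]:
    """Split one command into (VERB, argument). FTP verbs are case-insensitive,
    so 'stor' must be treated exactly like 'STOR'."""
    verb, _, arg = line.strip().partition(" ")
    return verb.upper(), arg.strip()


class FtpDownloadOnlyProxy:
    """Application proxy: understands the protocol and forwards only verbs on
    the read allowlist, so uploads and unknown commands never reach the server."""

    def decide(self, line: str) -> str:
        verb, _ = parse_ftp_command(line)
        return "forward" if verb in READ_VERBS else "block"


class CircuitGateway:
    """Circuit gateway: after out-of-band authentication the bytes are relayed
    unexamined, so an upload passes exactly like a download."""

    def __init__(self, users: dict[str, str]) -> None:
        self.users = users
        self.circuits: dict[str, tuple[str, int]] = {}   # user -> (host, port)

    def open_circuit(self, user: str, secret: str, host: str, port: int) -> bool:
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return False                       # unknown user or wrong secret
        self.circuits[user] = (host, port)
        return True

    def decide(self, user: str, line: str) -> str:
        # Content is never inspected; only the existence of a circuit matters.
        return "forward" if user in self.circuits else "drop"


# Constructed FTP session: an anonymous login, one download, one upload
# attempt in lower case, then quit.
SESSION = (
    b"USER anonymous\r\nPASS guest@example.net\r\nRETR report.pdf\r\n"
    b"stor payload.exe\r\nQUIT\r\n"
)


def proxy_decisions(stream: bytes = SESSION) -> list[str]:
    proxy = FtpDownloadOnlyProxy()
    return [proxy.decide(cmd) for cmd in split_commands(stream)]


def circuit_decisions(stream: bytes = SESSION, user: str = "alice") -> list[str]:
    gateway = CircuitGateway(AUTHORIZED_USERS)
    gateway.open_circuit(user, AUTHORIZED_USERS.get(user, ""), "ftp.example.net", 21)
    return [gateway.decide(user, cmd) for cmd in split_commands(stream)]


if __name__ == "__main__":
    for cmd, p, c in zip(split_commands(SESSION), proxy_decisions(), circuit_decisions()):
        print(f"{cmd:28s} proxy={p:8s} circuit={c}")
```

Run it and the fourth command, `stor payload.exe`, is the one line where the two designs disagree: the circuit gateway has already decided that alice may talk to the FTP server and forwards it, while the proxy blocks it because it knows what STOR means. Change the user to one not in the table and the circuit gateway drops every line, which is the only decision it is able to make.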

Choosing a Firewall

With dozens of products on the market, how do you choose the best one for your company? Start with your security policy. Many organizations start with only a vague idea of what they want to do, which leaves them wide open to confusion. As one consultant noted, “Implementers ricochet from rock to post without a clear concept of what they’re trying to do.” Consult Table 7.1 to identify additional questions you should answer.

Table 7.1
Choosing a Firewall

Area                                   Questions

Security Policy                        What elements will your policy have?
                                       What logging and alarms will you need?
                                       What authentication is acceptable?
                                       Where do you need to put security barriers such as firewalls?

System Management Policy               Do you want to have a vendor provide an all-in-one solution that you plug in, point-and-click, and let loose?
                                       Do you want an active part in defining filters, rules, special types of proxies, obscure protocols, and unusual cases?
                                       Do you want to manage the firewall platform (typically a Unix system), or should this be a hands-off system?

Firewalls and Other Network Services   What are the service goals that this firewall will support?
                                       Will you be expecting the firewall to handle DNS? Process SMTP e-mail? Be your WWW server?
                                       Or do you want to make a clear separation between the firewall and network services?

Once you have policy, philosophy, and service goals in place, you’ll find that only a few products on the market really fit your needs. Nothing takes the place of doing your own homework on your own organization first.

Remember that firewalls are just one part of a much larger security plan. The greatest danger to corporate network security comes from internal users, not external attackers. Corporate networks are especially vulnerable to the simplest of eavesdropping and impersonation attacks as well as just plain negligence and carelessness. Firewalls are also not the final answer to external security problems. A dedicated criminal will be able to break into any network given time and resources. Your threats come not just from the network, but also from physical access through force or coercion and from social engineering. Firewalls don’t help much with either of those avenues of attack.

