Why a Firewall?
The best way to describe a firewall is to state what a firewall is not: a firewall is not simply a router, host system, or collection of systems that provides security to a system. A firewall is not a single security solution; it should be implemented as part of a defense-in-depth strategy. A properly configured firewall can reduce the risk of exposure to inherently insecure services. A firewall is simply an enforcer of a security policy. A firewall should reside at the perimeter of your network and protect your data from malicious entities. Firewalls can also control the availability of outside resources to the "trusted user".

Typically, a firewall resides on a separate machine, called a bastion host, and should be installed on a hardened operating system. It is recommended to have at least three interfaces: one for incoming traffic, one for access to the demilitarized zone (DMZ), and one that connects to the protected network.

The marketplace offers a wide variety of firewalls, all claiming superiority over the others, but there are three traditional categories: packet filter, stateful packet filter, and application proxy. Vendors also supply hybrid firewalls, providing the flexibility to deny packets at the network layer (by the IP address of an unwanted host or network) or to check for malformed packets at the application layer.

Firewalls should provide a degree of privacy. Firewalls can conceal a network's inside address scheme from the outside through the use of Network Address Translation (NAT). Most firewalls provide Virtual Private Networks (VPNs), further enhancing privacy via encryption. Also, most provide comprehensive logging and auditing functions. These functions allow the administrator to determine whether the firewall is withstanding probes or attacks, and whether the rule base is configured properly.

When implementing a firewall, there is a risk involved with any service permitted into the protected network. A correctly configured firewall can help manage that risk.

Almost everyone today is aware of the Internet, but it is often confused with the World Wide Web (WWW, or "the web"). The web is part of the Internet, as are Usenet (newsgroups) and ISPs (Internet Service Providers) such as AOL (America Online), CompuServe and MSN (Microsoft Network). As "World Wide Web" implies, the Internet spans the world. Anyone can connect to the Internet. Hackers, whether domestic or foreign, hobbyists, script kiddies or professionals, scan systems looking for vulnerable computers. Once they find them, they take advantage of the vulnerabilities and can then deface web pages, take out servers (denial-of-service attacks), retrieve sensitive data (such as your proprietary information, or read all of your email) or use the system to attack other systems. In short, the Internet is an environment that cannot be blindly trusted. The Internet provides a convenient medium to connect to other networks, but it does not provide reliable security features, such as user authentication and validation, or protection from hostile users or software.

The external router connects the protected network to the WAN link. The router provides the first opportunity to actively permit or deny access for clients, servers and network services. For network traffic, the router can perform packet filtering and may be able to do some stateful inspection. Typically, this router acts as the screening filter. The screening filter provides a basic set of controls that do not change on a regular basis. These controls may include protection against the following types of attacks: IP address spoofing, denial-of-service attacks, and connections to unauthorized services. For further information please visit this site...
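The following is an added example, not code from the original article: a small Python model of the policy a three-interface screening firewall enforces, covering both the stateful packet filter and three-zone layout described earlier and the screening-filter controls listed just above (anti-spoofing, a crude denial-of-service limit, and a default deny of unauthorized services). The zone names, address ranges, published services and `SYN_LIMIT` value are assumptions chosen for illustration; the sample traffic run through it is constructed. Every decision is written to an audit log, which is what lets an administrator see probes and check that the rule base behaves as intended.

```python
# Added example (not from the original article): a toy model of the policy a
# screening firewall enforces on a three-interface bastion host.
# Address plan, zone names and published service list are assumptions.
import ipaddress
from dataclasses import dataclass, field

# Assumed address plan: the protected network and the DMZ behind the firewall.
PROTECTED_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

# Services the policy publishes to the outside. Any other new connection
# arriving on the external interface is an "unauthorized service".
PUBLISHED_SERVICES = {("dmz", "tcp", 80), ("dmz", "tcp", 443)}

# Crude denial-of-service control: maximum new connection attempts per source.
SYN_LIMIT = 3


@dataclass(frozen=True)
class Packet:
    iface: str          # interface of arrival: "ext", "dmz" or "int"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True    # True for a new connection attempt, False for a reply


def zone_of(ip: str) -> str:
    """Classify an address into one of the firewall's three zones."""
    addr = ipaddress.ip_address(ip)
    if addr in PROTECTED_NET:
        return "int"
    if addr in DMZ_NET:
        return "dmz"
    return "ext"


@dataclass
class ScreeningFirewall:
    conntrack: set = field(default_factory=set)    # flows already permitted
    syn_count: dict = field(default_factory=dict)  # new attempts per source
    log: list = field(default_factory=list)        # audit trail of decisions

    def _decide(self, action: str, reason: str, pkt: Packet) -> str:
        self.log.append(f"{action} {reason} {pkt.iface} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
        return action

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

        # 1. Anti-spoofing: inside addresses never legitimately arrive from outside.
        if pkt.iface == "ext" and zone_of(pkt.src) != "ext":
            return self._decide("DROP", "spoofed-source", pkt)

        # 2. Stateful check: only replies to a flow we already allowed pass.
        if not pkt.syn:
            if reverse in self.conntrack:
                return self._decide("ACCEPT", "established", pkt)
            return self._decide("DROP", "no-state", pkt)

        # 3. Rate-limit new attempts per source (toy SYN-flood control).
        self.syn_count[pkt.src] = self.syn_count.get(pkt.src, 0) + 1
        if self.syn_count[pkt.src] > SYN_LIMIT:
            return self._decide("DROP", "rate-limit", pkt)

        # 4. Zone policy: protected hosts may initiate anywhere; DMZ hosts may
        #    initiate outward only; outside may reach only published DMZ services.
        src_zone, dst_zone = pkt.iface, zone_of(pkt.dst)
        allowed = (
            src_zone == "int"
            or (src_zone == "dmz" and dst_zone == "ext")
            or (src_zone == "ext" and (dst_zone, pkt.proto, pkt.dport) in PUBLISHED_SERVICES)
        )
        if not allowed:
            return self._decide("DROP", "unauthorized-service", pkt)
        self.conntrack.add(flow)
        return self._decide("ACCEPT", "new-flow", pkt)


def demo() -> list:
    """Run constructed sample traffic through the policy; return the audit log."""
    fw = ScreeningFirewall()
    traffic = [
        Packet("ext", "203.0.113.5", 40000, "192.0.2.10", 443),             # HTTPS to DMZ
        Packet("dmz", "192.0.2.10", 443, "203.0.113.5", 40000, syn=False),  # its reply
        Packet("ext", "203.0.113.5", 40001, "192.0.2.10", 22),              # SSH to DMZ
        Packet("ext", "10.1.1.1", 40002, "10.2.2.2", 80),                   # spoofed inside src
        Packet("ext", "203.0.113.5", 40003, "10.2.2.2", 80),                # straight to inside
        Packet("int", "10.2.2.2", 50000, "198.51.100.7", 443),              # outbound browse
        Packet("ext", "198.51.100.7", 443, "10.2.2.2", 50000, syn=False),   # its reply
        Packet("ext", "198.51.100.9", 443, "10.2.2.2", 50000, syn=False),   # unsolicited reply
        Packet("dmz", "192.0.2.10", 50001, "10.2.2.2", 445),                # DMZ into inside
        Packet("ext", "203.0.113.5", 40004, "192.0.2.10", 80),              # 4th attempt, over limit
    ]
    for p in traffic:
        fw.filter(p)
    return fw.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: spoofed sources are rejected before any state lookup, replies are matched against the connection table before the per-source counter so that legitimate traffic is not charged against the limit, and the zone policy is a default deny that has to be opened explicitly for each published service.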