Sunday, 20 March 2016

Firewall, Components, Purpose and Firewall Technology

Introduction

A firewall is the key piece of equipment used for network perimeter security. The function of a firewall is to permit or deny traffic that attempts to pass through it, based on specific predefined rules. Firewalls are similar to other network devices in that their purpose is to control the flow of traffic. Unlike other network devices, however, a firewall must control this traffic while taking into account that not all the packets of data it sees may be what they appear to be. For example, a bridge filters traffic based on the destination MAC address.

Definition of a Firewall

If a host incorrectly labels the destination MAC address and the bridge inadvertently passes the packet to the wrong destination, the bridge is not seen as being faulty or inadequate. It is expected that the host will follow certain network rules, and if it fails to follow these rules, then the host is at fault, not the bridge. A firewall, however, must assume that hosts may try to fool it in order to sneak information past it. A firewall cannot use communication rules as a crutch; rather, it should expect that the rules will not be followed. This places a lot of pressure on the firewall design, which must plan for every contingency.

Access Control Policy

(a)        An Access Control Policy is simply a corporate policy that states what type of access is allowed across an organization's network perimeter. For example, your organization may have a policy that states, "Our internal users can access Internet Web sites and FTP sites or send SMTP mail, but we will only allow inbound SMTP mail from the Internet to our internal network."

(b)        An access control policy may also apply to different areas within an internal network. For example, your organization may have WAN links to supporting business partners. In this case, you might want to define a limited scope of access across this link to ensure that it is only used for its intended purpose.

(c)        An access control policy simply defines the directions of data flow to and from different parts of the network. It will also specify what type of traffic is acceptable, assuming that all other data types will be blocked. When defining an access control policy, you can use a number of different parameters to describe traffic flow. Some common descriptors that can be implemented with a firewall are listed below.

(d)        A description of acceptable traffic flow based on direction. For example, traffic from the Internet to the internal network (inbound) or traffic from the internal network heading towards the Internet (outbound).
(e)        The type of server application that will be accessed. For example, Web access (HTTP), File Transfer Protocol (FTP), or Simple Mail Transfer Protocol (SMTP). Sometimes more granularity is required than simply specifying direction. For example, an organization may wish to allow inbound HTTP access, but only to a specific computer. Conversely, the organization may have only one business unit to which it wishes to grant Internet Web server access.

(f)        Many organizations have a business need to let only certain individuals perform specific activities but do not want to open up this type of access to everyone. For example, the company CEO may need to be able to access internal resources from the Internet because she does a lot of traveling.

(g)        In this case, the device enforcing the access control policy would authenticate anyone trying to gain access, to ensure that only the CEO can get through. Sometimes an organization may wish to restrict access, but only during certain hours of the day. For example, an access control policy may state, "Internal users can access Web servers on the Internet only between the hours of 5:00 PM and 7:00 AM." At times it may be beneficial to use a public network (such as Frame Relay or the Internet) to transmit private data.

(h)        An access control policy may define that one or more types of information should be encrypted as that information passes between two specific hosts or entire network segments. An organization may also wish to restrict access based on the amount of available bandwidth. For example, let's assume that an organization has a Web server that is accessible from the Internet and wants to ensure that access to this system is always responsive.

(i)         The organization may have an access control policy that allows internal users to access the Internet, but at a restricted level of bandwidth if a potential client is currently accessing the Web server. When the client is done accessing the server, the internal users would have 100 percent of the bandwidth available to access Internet resources.

Firewall Components

(a)        Operating System Linux ES 3.0
(b)        Checkpoint Software NG AI at 24 Main Nodes loaded on HP Servers
(c)        Cluster XL configured at 24 Main Nodes
(d)        SmartCenter Pro at AHQ and Chandimandir
(e)        SmartView Reporter and Monitor at AHQ, New Delhi

Check Point Firewall

(a)        Firewall Clusters at each Main Node
(b)        Management server at AHQ & Chandimandir

Trend Micro Antivirus

(a)        Office Scan Server
(b)        Server Protect – Win / Linux
(c)        IMSS (Internet Messaging Security Suite)
(d)       IWSS (Internet Web Security Suite)
(e)        TMCM (Trend Micro Control Manager)

ISS

(a)        Real Secure Server Sensor & Site Protector
(b)        Vulnerability Scanner

Purpose of the Firewalls

(a)        The firewall provides a high level of security, fast runtime performance, and the flexibility to define rules that fit your environment. It delivers full firewall capabilities for network security. To do this, the firewall examines both incoming and outgoing packets against a common security policy. All service rules are interpreted based on IP conversations (not individual packets) and are fully stateful. Security rules do not filter packets directly; instead, the firewall services determine how to process them based on the defined security policy.

(b)        Not all firewalls are built the same. A number of different technologies have been employed in order to control access across a network perimeter. The most popular are static packet filtering and dynamic packet filtering.

Firewall Technology

There are three different types of firewall technologies:

(a)        Packet Filtering. A packet filtering firewall inspects the traffic at the transport layer for the following elements:

(i)         Source IP address
(ii)        Source port
(iii)       Destination IP address
(iv)       Destination port
(v)        Protocol.

(b)        Proxy

(i)         Authority to act for another.

(ii)        A proxy firewall acts on behalf of hosts on the protected network segments.

(iii)       The protected host never makes a connection with the outside world.

(c)        Stateful Inspection

(i)         Connections are not only checked against an ACL, but are also logged into a state table.

(ii)        After a connection is established, all session data is compared against the state table.
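The following is an added example, not code from the original post, that models the difference between packet filtering (judging each packet on the five header fields listed above) and stateful inspection (recording permitted sessions in a state table). The rule format follows the access control policy descriptors from earlier (direction plus service); every address, port and rule is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects, plus direction relative to the protected network."""
    direction: str   # "inbound" (Internet -> internal) or "outbound" (internal -> Internet)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed access control policy: internal users may reach Web servers (HTTP/HTTPS).
# Anything the policy does not name is blocked (implicit deny).
RULES = [
    # (direction, protocol, destination port, action)
    ("outbound", "tcp", 80, "permit"),
    ("outbound", "tcp", 443, "permit"),
]


def stateless_filter(pkt: Packet) -> str:
    """Packet filtering: judge each packet on its own header fields, first match wins."""
    for direction, proto, dst_port, action in RULES:
        if (pkt.direction, pkt.proto, pkt.dst_port) == (direction, proto, dst_port):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: a new session is checked against the ACL and recorded in a
    state table; later packets of that session are matched against the table instead."""

    def __init__(self) -> None:
        self.state_table = set()   # 5-tuples of sessions the policy has permitted

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state_table or reverse in self.state_table:
            return "permit"              # packet (or reply) belongs to an admitted session
        if stateless_filter(pkt) == "permit":
            self.state_table.add(key)    # new session permitted by policy: remember it
            return "permit"
        return "deny"                    # includes inbound packets matching no tracked session
```

The stateless filter cannot admit the Web server's reply at all without a broad inbound rule, whereas the stateful engine admits only replies to sessions it has recorded and drops an inbound packet from port 80 that belongs to no such session.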

Proxies and Additional Firewall Considerations

(a)        A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between two network segments. Proxies are often used instead of filtering to prevent traffic from passing directly between networks.

(b)        With the proxy acting as mediator, the source and destination systems never actually "connect" with each other. The proxy plays middleman in all connection attempts.

(c)        Unlike its packet-filtering counterparts, a proxy does not route any traffic. In fact, a properly configured proxy will have all routing functionality disabled. As its name implies, the proxy stands in or speaks for each system on each side of the firewall.

(d)        For an analogy, think of two people speaking through a language interpreter. While it is true these two people are carrying on a conversation, they never actually speak to one another.
