Blue Divider Line
Gateway

     If we consider a company that does not have any ties to the internet, but are interested maintaining and in-house public Web server. This involve the software to handle the Web access by the user which was discussed previously. It should be noted that other software is involved, but our focus is the Web. The public Web server is a concern and will be discussed in the next section. There is also an need to isolate the internal and external networks to protect against outside attack while allowing internal users access to the outside world. This involves some kind of gateway, commonly referred to as a firewall.

Consider this example: On the last weekend of 1996, the US military web sites were invaded. Not by enemy forces, but by computer hackers. They changed the links and implanted offensive pictures and defamated the government. Cases like these are popping up often in the news. Now that so many people use the World Wide Web to announce their businesses and lately, to conduct monetary transactions through it, itís no surprise that there are people trying to break down the security barriers.

     A number of the security problems with the Internet can be remedied or made less serious through the use of existing and well-known techniques and controls for host security. A firewall can significantly improve the level of site security and protect intranet facilities, while at the same time permitting access to vital Internet services.

     A firewall system can be a router, a host, or a collection of hosts, set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. A firewall system is usually located at a higher-level gateway, such as a site's connection to the Internet. A firewall can filter certain vulnerable services such as NFS from entering or leaving a protected subnet. This provides the benefit of preventing the services from being exploited by outside attackers. This also permits the use of these services internally with greatly reduced risk to exploitation except from internal attacks.

     Some protocols (such as Telnet and SMTP) lend themselves to filtering while others such as., FTP, Archie, Gopher, and WWW are more effectively handled with proxies. Most firewalls use a combination of proxying and packet filtering.


Firewall Types: Packet Filtering

Packet filtering allows information to be selectively passed between internal and external hosts. The screening router on the outer edge of the network "decides" (as determined by local security policies) what packets to block or allow through.

Packet Filtering Firewall Example
source

     A screening router can filter packets based on the information they contain such as source address, destination address, protocol, message type, and port connection allowing flexibility in what services to allow. Being that certain network services are standardized to certain ports, Telnet on port 23 for example, connections to that port can be prohibited or restricted to only a few external sources (the network administrators service provider for remote maintenance purposes, for example).

     Here are some examples of how a screening router might be used to protect a site:

- Block all incoming connections from systems outside the internal network, except for incoming SMTP connections (so that you can receive email).
- Block all connections to or from certain systems you distrust.
- Allow email and FTP services, but block dangerous services like TFTP, the X Window System, RPC, and the "r" services (rlogin, rsh, rcp, etc.).


Firewall Types: Proxy Services

     Proxy services are specialized applications that exist on a firewall host usually having an internal and external connect ion. These applications take the user's requests for things like FTP and telnet and forward them to the appropriate services in compliance with the site's security policy. Proxies exist transparently between the user and the outside world. It should be noted that these are only effective if internal machines do not have any direct connection to the outside as in a direct modem connection. This is also a flaw of packet filtering... it doesn't work if it's bypassed.

Proxy Services Firewall Example
source

     One of the unfortunate things with proxy services is that specialized software is sometimes required. Many common applications are now handling proxy services as an option, but this requires training of the personnel. The proxy server decides which client requests to approve and which to deny. If a request is approved, the proxy server contacts the real server and proceeds to relay requests from the proxy client to the real server, and responses from the real server to the proxy client.


Firewalls: Solutions

     Most firewall architectures, however, combine both proxy and filtering techniques. Routers obviously incur a hardware cost. This may be anywhere from several hundred to multi thousands of dollars. The determining factor is primarily the size of network and expected traffic. Routers are the most easily integrated into an existing network, and once established, has nominal maintenance. Proxy software has an equally wide range in costs from free to thousands. This component has more maintenance to keep versions current throughout an organization and to wrestle with incompatibilities. Below are some useful resources that cover the sources for this section and additional information on purchasing and setup.

     For our purposes, to avoid the example above, we want to home our public Web server behind a router firewall. This will limit the types of connections that can be made to the entire network. A more detailed example is provided in the example section.

Internal Systems External Systems

Ender Design Mock Site Showpiece