Network Security: Firewalls

This article is the second in a series of three articles on network security. The previous issue covered "Network Security: A Primer on Vulnerability, Prevention, Detection and Recovery." In a subsequent article, I will present "Network Security: Virtual Private Networks (VPNs)."

The last article addressed the policies and procedures that organizations should adopt to reduce the risk of security breaches and minimize their damage. It described: 1) your vulnerability, 2) preventive measures, 3) detection measures, and 4) recovery steps. Firewalls can help with all of these issues.

What is a Firewall?

The term firewall is derived from the building construction industry’s use of fire-retardant materials to keep a fire in one unit from spreading to another. Likewise, a network firewall represents a wall of separation between your network and the potential danger lurking outside it. The Internet Protocol (IP) was designed as a protocol for the academic community to share ideas, and by nature is not secure. Firewalls protect you from external network connections like the Internet, but provide little protection from dangers within your own network. If you’re connected to other networks, you need a firewall. Many applications that we use daily have large security holes built into their protocols that must be secured.

There are several technologies that firewalls can use. We will discuss the use of:

  1. packet filtering
  2. demilitarized zones
  3. proxy serving
  4. network address translation (NAT)
  5. authentication
  6. packet state inspection
  7. logging
  8. alerts
  9. multi-level security (MLS)
  10. dual-homed DNS

Packet Filtering:

Packet filtering refers to the technology whereby the network administrator can specify any combination of the following:

  • Which IP addresses outside the network can use which IP addresses inside the network.
  • Which IP addresses outside the network can use which applications inside the network.
  • Which applications outside the network can use which IP addresses inside the network.
  • Which applications outside the network can use which applications inside the network.

Packet filtering can use inclusive or exclusive logic. The same kinds of restrictions can be placed on outbound traffic. A packet filtering router alone does not give you a secure firewall. There are too many security holes in the IP protocol stack that hackers can penetrate easily. Network administrators must take additional precautions.
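To make the four kinds of restriction above concrete, here is a small stateless packet filter written for this article (it is an added example, not code from the original or from any firewall product). A rule names a direction, a source and destination network, a protocol and a destination port, with the port standing in for the "application"; the first matching rule decides, and the default policy expresses inclusive logic (deny unless listed) or exclusive logic (allow unless listed). The addresses and the two rule sets are constructed for the example, using the 192.0.2.0/24 documentation range as the internal network and 198.51.100.0/24 and 203.0.113.0/24 as outside networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> internal network) or "out"
    src: str         # source IP address
    dst: str         # destination IP address
    proto: str       # "tcp" or "udp"
    dst_port: int    # destination port, which stands in for the application


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in", "out" or "any"
    src: str = "0.0.0.0/0"           # network the source address must belong to
    dst: str = "0.0.0.0/0"           # network the destination address must belong to
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port (any application)

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.proto in (None, p.proto)
            and self.dst_port in (None, p.dst_port)
        )


class PacketFilter:
    """Stateless filter: the first matching rule decides, otherwise the default applies."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default   # "deny" = inclusive logic, "allow" = exclusive logic

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Inclusive logic (constructed rule set): nothing enters unless a rule lists it. Only
# the web server (192.0.2.10, tcp/80) and mail server (192.0.2.25, tcp/25) are reachable.
INCLUSIVE = PacketFilter([
    Rule("allow", "in", dst="192.0.2.10/32", proto="tcp", dst_port=80),
    Rule("allow", "in", dst="192.0.2.25/32", proto="tcp", dst_port=25),
    Rule("allow", "out"),                          # internal hosts may initiate anything
], default="deny")

# Exclusive logic (constructed rule set): everything enters unless a rule forbids it.
# Weaker, because any application the administrator forgot to list stays exposed.
EXCLUSIVE = PacketFilter([
    Rule("deny", "in", src="203.0.113.0/24"),      # one outside network refused entirely
    Rule("deny", "in", proto="tcp", dst_port=23),  # no telnet from anywhere
], default="allow")


if __name__ == "__main__":
    web = Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 80)
    ssh = Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 22)
    print("inclusive:", INCLUSIVE.decide(web), INCLUSIVE.decide(ssh))   # allow deny
    print("exclusive:", EXCLUSIVE.decide(web), EXCLUSIVE.decide(ssh))   # allow allow
```

The last line of output is the point of the exercise: under exclusive logic the unlisted ssh port reaches the web server, which is why inclusive logic (deny by default) is the usual recommendation for inbound traffic.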

Demilitarized Zones (DMZ):

A DMZ is an area outside your internal network, containing the servers that require direct access to the Internet. Such servers include Internet routers, firewalls, e-mail servers, and web servers. By placing these servers within a DMZ, you provide access to services to those outside your internal network, while minimizing penetration into your internal network.

Proxy Serving:

A proxy server proxies on behalf of network client computers inside your network. All traffic to and from the outside world passes through your proxy server. All such traffic would appear to the outside as traffic from the proxy server itself. By doing so, proxy servers hide the details of everything inside your demilitarized zone.

Proxy servers can save frequently-accessed network sites in a local memory cache, allowing subsequent accesses to those sites to be retrieved faster than retrieving that same information from the Internet.

Network Address Translation (NAT):

NAT refers to the process of a firewall or proxy server translating the address of every packet leaving and entering the internal network. To networks outside, every packet appears to originate from the firewall itself. In this way, the details of your internal network are hidden.
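The following is an added example of the translation just described, written for this article rather than taken from it or from any product. It models the common port-based form of NAT: an outbound packet has its source rewritten to the firewall's external address and a freshly allocated port, the mapping is remembered, and a packet arriving from outside is translated back only if it matches a remembered mapping. Packets addressed directly to an internal address, or to a port with no mapping, are dropped, which is how the internal hosts stay hidden. The class, method names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port


class Nat:
    """Port-based NAT (masquerading) on a firewall's external interface."""

    def __init__(self, internal_net: str, external_ip: str, first_port: int = 40000):
        self.internal = ipaddress.ip_network(internal_net)
        self.external_ip = external_ip
        self.next_port = first_port
        # (inside ip, inside port, remote ip, remote port) -> public port
        self.outbound_map = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound_map = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the internal network to carry the firewall's address."""
        if ipaddress.ip_address(p.src) not in self.internal:
            raise ValueError(f"{p.src} is not an internal address")
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.outbound_map.get(key)
        if port is None:                       # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.external_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside back to the inside host, or drop it (None)."""
        if p.dst != self.external_ip:          # internal addresses are never reachable from outside
            return None
        inside = self.inbound_map.get((p.dport, p.src, p.sport))
        if inside is None:                     # no mapping: nobody inside asked for this
            return None
        return replace(p, dst=inside[0], dport=inside[1])


if __name__ == "__main__":
    nat = Nat("192.168.1.0/24", "198.51.100.1")   # constructed addresses
    out = nat.outbound(Packet("192.168.1.20", 51515, "203.0.113.80", 80))
    print(out)                                                             # src 198.51.100.1:40000
    print(nat.inbound(Packet("203.0.113.80", 80, "198.51.100.1", 40000)))  # back to 192.168.1.20:51515
    print(nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 40001)))  # None
```

Note that the hiding effect is a side effect of the mapping table rather than a deliberate filter: anything without an entry simply has nowhere to go. A real firewall also expires idle mappings, which this example leaves out.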

Authentication:

Firewalls can authenticate valid users with additional user name and password protection. You may choose to add this level of authentication in addition to that provided by your internal network servers. Proxy serving firewalls can further ensure that every packet passing through the DMZ meets your defined criteria.

Packet State Inspection:

Some firewalls can inspect every packet entering the network to determine if a sequence of packets is intended to harm your internal network. Going beyond packet filtering, packet state inspection can identify and block known vulnerabilities from entering your network.
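To show what "a sequence of packets" buys you over per-packet filtering, here is an added example (written for this article, not taken from it or from any product) of a firewall that tracks TCP connection state. An outbound SYN creates an entry; an inbound SYN is accepted only for services the administrator has published; every other inbound packet is accepted only if it belongs to a connection that an inside host opened, and a FIN or RST forgets the flow. The last case in the demonstration is the one a stateless filter cannot express: an inbound packet that looks like a reply (source port 80) but matches no open connection is dropped. The class, the helper `pkt`, the two-state model and the addresses are constructed for the example; real TCP tracking has more states than shown here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (from the Internet) or "out" (from the internal network)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}


def pkt(direction, src, sport, dst, dport, *flags) -> Packet:
    """Convenience constructor so test packets read naturally."""
    return Packet(direction, src, sport, dst, dport, frozenset(flags))


class StatefulFirewall:
    """Tracks TCP connections; inbound packets pass only if they belong to a known flow."""

    def __init__(self, inbound_services):
        # (ip, port) pairs the outside may open connections to, e.g. a DMZ web server
        self.inbound_services = set(inbound_services)
        # (initiator ip, port, responder ip, port) -> "SYN_SENT" or "ESTABLISHED"
        self.conns = {}

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)   # key if p comes from the initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # key if p comes from the responder

        if p.flags == {"SYN"}:                   # attempt to open a new connection
            if p.direction == "out" or (p.dst, p.dport) in self.inbound_services:
                self.conns[fwd] = "SYN_SENT"
                return "allow"
            return "drop"                        # unsolicited connection attempt from outside

        if fwd in self.conns:                    # later packet from the initiator
            key = fwd
        elif rev in self.conns:                  # packet from the responder
            key = rev
            if self.conns[key] == "SYN_SENT":
                if p.flags == {"SYN", "ACK"}:
                    self.conns[key] = "ESTABLISHED"
                elif "RST" not in p.flags:
                    return "drop"                # only SYN/ACK or RST may answer a SYN
        else:
            return "drop"                        # no state: a port-only rule might have passed this

        if p.flags & {"FIN", "RST"}:             # simplified teardown: forget the flow at once
            del self.conns[key]
        return "allow"


if __name__ == "__main__":
    fw = StatefulFirewall(inbound_services={("192.0.2.10", 80)})   # DMZ web server
    print(fw.process(pkt("out", "192.0.2.50", 52000, "203.0.113.80", 80, "SYN")))        # allow
    print(fw.process(pkt("in", "203.0.113.80", 80, "192.0.2.50", 52000, "SYN", "ACK")))  # allow
    print(fw.process(pkt("in", "203.0.113.99", 80, "192.0.2.50", 52000, "ACK")))         # drop
```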

Logging:

Logging refers to firewalls recording every attempt to access your network, both successful and unsuccessful. Logging allows network administrators to review network access attempts and determine if someone has attempted to breach network security. Network security policy should include the regular review of the firewall log to determine who has accessed the network, and why they have accessed it.

Alerts:

A firewall can alert network administrators as network breaches occur. The software can alert you via e-mail, pop-up screen, or pager. This may allow you to respond quickly before the network breach actually results in damage.
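The two sections above, logging and alerting, fit together as one workflow: the firewall records every decision, and something watches those records and raises an alert when they show a pattern worth a human's attention. The added example below (written for this article; it is not the log format of any real firewall) parses a constructed log of allow/deny decisions and alerts when one outside address accumulates a threshold of denied inbound attempts within a time window, the kind of pattern a regular log review is meant to catch. The log format, the `Entry` and `Alert` types and the threshold are all assumptions of the example; delivering the alert by e-mail or pager is left to whatever transport the site uses.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample of a firewall log (not from any real product): one line per
# decision, with time, action, direction, protocol, source and destination.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY in tcp 203.0.113.45:51234 -> 192.0.2.10:22
2024-03-01T10:00:02 DENY in tcp 203.0.113.45:51235 -> 192.0.2.10:23
2024-03-01T10:00:02 ALLOW in tcp 198.51.100.7:40001 -> 192.0.2.10:80
2024-03-01T10:00:03 DENY in tcp 203.0.113.45:51236 -> 192.0.2.10:3389
2024-03-01T10:00:04 DENY in tcp 203.0.113.45:51237 -> 192.0.2.10:445
2024-03-01T10:00:05 DENY in tcp 203.0.113.45:51238 -> 192.0.2.10:8080
2024-03-01T10:05:30 DENY in udp 198.51.100.9:5353 -> 192.0.2.10:161
2024-03-01T10:09:00 ALLOW out tcp 192.0.2.50:52000 -> 203.0.113.80:443
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<direction>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Entry:
    time: datetime
    action: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    src: str
    count: int
    ports: tuple       # distinct destination ports attempted within the window
    first: datetime
    last: datetime

    def message(self) -> str:
        """Text to hand to the e-mail or pager transport (not implemented here)."""
        return (f"{self.count} denied inbound attempts from {self.src} between "
                f"{self.first:%H:%M:%S} and {self.last:%H:%M:%S}, ports {list(self.ports)}")


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # skip malformed lines rather than abort the whole review
            continue
        entries.append(Entry(datetime.fromisoformat(m["time"]), m["action"], m["direction"],
                             m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return entries


def find_probing_sources(entries, window=timedelta(seconds=60), threshold=5) -> List[Alert]:
    """Alert on any outside address with at least `threshold` denied inbound attempts in `window`."""
    by_src = defaultdict(list)
    for e in entries:
        if e.action == "DENY" and e.direction == "in":
            by_src[e.src].append(e)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.time)
        recent = deque()                        # sliding window over this source's denials
        for e in events:
            recent.append(e)
            while e.time - recent[0].time > window:
                recent.popleft()
            if len(recent) >= threshold:
                ports = tuple(sorted({r.dport for r in recent}))
                alerts.append(Alert(src, len(recent), ports, recent[0].time, e.time))
                break                           # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for alert in find_probing_sources(parse_log(SAMPLE_LOG)):
        print(alert.message())
```

The single denied attempt from 198.51.100.9 produces no alert, which is deliberate: one blocked packet is noise, while five distinct ports refused from one address inside a minute is the sort of thing the log review exists to find.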

Multi-level Security (MLS):

Because your firewall is so pivotal in securing your network, gaining access to your firewall can compromise all network security. Therefore, securing the firewall is tantamount to securing your network. MLS provides different levels of security for different interfaces to your firewall. For example, no one accessing your network via the Internet should be able to access the security functions of your firewall. This functionality would be built into the operating system, so that no matter how someone tried to penetrate your firewall, the security configuration would not be accessible through the Internet.

Dual-homed Domain Name System:

Because IP works with IP addresses that come in the form of numbers (e.g. 207.233.140.6), and we humans think in terms of domain names (e.g. IntegrityComputing.com), there needs to be a process that translates domain names to IP addresses. Domain name service (DNS) is that system. Organizations that have their own internal web services or intranet can hide the details of their intranet by running one DNS for external use (Internet) and a separate, private DNS for internal use (intranet).

Conclusion:

A firewall combines the technologies mentioned in this article to provide the best external security for your network. Many might ask: if we implement a firewall, are we safe? Firewalls by themselves do not completely protect your organization. Consider the use of seatbelts in an automobile. Do they make you safe? Not by themselves. Only if the automobile has a steel frame and the collision is head-on do seatbelts really help. Do seatbelts enhance the safety of your automobile? Yes! Likewise, firewalls considerably enhance the safety of your network. Firewalls are a necessary piece of your network’s security, but represent only a small part of your comprehensive network security plan.

Firewalls sometimes include virtual private network (VPN) capabilities. In the next article, I will discuss VPNs and their application to the Association industry.
