Introduction to Firewalls
This document presents a brief overview of firewall security,
including the implementation types available and the relative
advantages and disadvantages of each. It lays out a general
road map for administrators who wish to publish information for public
consumption while preventing unauthorized access to their private/confidential
network.
The information here is provided to assist with the
implementation of a multi-user Laserfiche document imaging system that
is exposed to public access through the Laserfiche WebLink internet gateway.
It is intended to simplify what can sometimes be an intimidating
or complex security and network setup.
This tutorial is not a complete manual on firewall installation
or configuration beyond the level of fundamentals.
The nature of firewall technology does not allow for a uniform
"drop-in" installation, so every private network should research
the topic of firewalls and network security to find a solution
that best fits its needs. This document should not be
used as a replacement for knowledgeable network/security administrators.
For additional information on firewalls and network security,
please see:
Understanding Firewalls
In automobiles, a firewall is a physical barrier that
separates the engine compartment from the cabin. Its function is to protect
passengers from the engine, while still providing the driver access to
the vehicle's controls.
On a computer network, a firewall is a device that protects
a private local network from the rest of the world (public parts of the
same network, or the internet at large). The role of the firewall is typically
filled by a computer (or computers) that can reach both the private network
and the internet, which lets it restrict the flow of data between the
two. Unless the firewall allows it, the protected network cannot
reach the internet, and the internet cannot reach the protected network.
In the most basic arrangement, someone who wants to reach the internet
from inside the protected network must log in to the firewall host (via
telnet, rlogin, etc.) and use the internet from there. Note that telnet and
rlogin send passwords and session data in cleartext; ssh is the usual
replacement for that login step today.
The simplest form of a firewall is a dual-homed system
(a system with two network connections). If the system's users can be trusted,
the firewall can be set up with IP forwarding/gatewaying turned off (on a
Linux host, /proc/sys/net/ipv4/ip_forward should read 0) and accounts
can be given to everyone on the network. Users then log in to the
firewall and run their network services (ftp, telnet, mail, etc.) from
there. With this setup, the only computer on the private network that
knows anything about the outside world is the firewall; the other systems
on the protected network do not even need a default route.
The greatest weakness of such a system is that it relies
entirely on every user being trustworthy: anyone with an account on the
firewall host is effectively on both networks at once. It is not recommended.
Drawbacks with Firewalls
The problem with filtering firewalls is that they inhibit
access to the private network from the internet: only services on systems
that have an explicit pass filter can be reached. With a proxy server, users
can instead log in to the firewall and then access the private network
from there.
Also, the rapid growth of network client/server technology
makes supporting and controlling new network services a constant
challenge: each new service needs its own filter rule or proxy support.
Types of Firewalls
There are two basic types of firewalls.
- IP or Filtering Firewalls - block all but selected
network traffic.
- Proxy Servers - act as an intermediary, making the requested
network connections on the user's behalf.
IP Filtering Firewalls
An IP filtering firewall works at the IP packet level.
It controls the flow of packets based on header information alone
(source and destination address, port, and packet type/protocol); it never
looks at the data the packets carry.
A filtering firewall is simpler and exposes less of itself to attack,
but in this basic form it lacks useful logging. It can block the public
from accessing a private system, but it will not record which connections
have been made to the internet from the inside.
Filtering firewalls are absolute filters. Because a rule can only
match on header fields, they do not support individual (per-user) access
control: a private server cannot be made accessible to a particular outside
user without opening it up to the entire public, or at best to a particular
outside address, which is not the same thing as a user.
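The following is an added example (not code from this page or from the HOWTO it adapts) of what filtering on header information means in practice: a small Python rule table, evaluated first-match with a default deny, applied to constructed sample packets. The private address range, the interface names "ext"/"int", the partner address and the rule syntax are all assumptions made for the illustration; a real Linux filter would be iptables or nftables rules, but the matching logic is the same, and so is the limitation that the partner rule grants access to an address, not to a person.

```python
"""Toy IP filtering firewall (added example, not from the page or the HOWTO).
Decisions are made from packet header fields only: arrival interface,
source/destination address, protocol and port. Addresses, interface names
and sample traffic are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" (internet side) or "int" (private side)
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    iface: Optional[str] = None   # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every field it constrains agrees with the header."""
        return (
            (self.iface is None or self.iface == p.iface)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins. Unmatched traffic is dropped (default deny),
    which is what makes the filter 'absolute': anything not listed is blocked."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed example policy for a private network 192.168.1.0/24.
PRIVATE = "192.168.1.0/24"
RULES = [
    # Anti-spoofing: a packet arriving from the internet must not claim a
    # private source address.
    Rule("deny", iface="ext", src=PRIVATE),
    # The public web server is reachable by anyone, on port 80 only.
    Rule("accept", iface="ext", dst="192.168.1.10/32", proto="tcp", dport=80),
    # A partner needs ssh to the file server. The filter can only name the
    # partner's address: whoever sits at 203.0.113.7 gets in, not one user.
    Rule("accept", iface="ext", src="203.0.113.7/32", dst="192.168.1.20/32",
         proto="tcp", dport=22),
    # Inside hosts may talk out freely (and the filter records nothing about it).
    Rule("accept", iface="int", src=PRIVATE),
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("ext", "198.51.100.9", "192.168.1.10", "tcp", 80),   # public -> web
    Packet("ext", "198.51.100.9", "192.168.1.20", "tcp", 22),   # public -> ssh
    Packet("ext", "203.0.113.7", "192.168.1.20", "tcp", 22),    # partner -> ssh
    Packet("ext", "192.168.1.5", "192.168.1.10", "tcp", 80),    # spoofed source
    Packet("int", "192.168.1.5", "93.184.216.34", "tcp", 443),  # outbound https
]


def run_sample() -> List[Tuple[Packet, str]]:
    """Apply the policy to the sample traffic and return the decisions."""
    return [(p, filter_packet(RULES, p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, action in run_sample():
        print(f"{action:6} {p.iface} {p.src} -> {p.dst} {p.proto}/{p.dport}")
```

Running it shows the public web request and the partner's ssh accepted, the public ssh attempt and the spoofed packet dropped, and the outbound connection accepted without any record of who made it, which is the logging gap described above.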
Proxy Servers
Proxy servers allow indirect internet access by acting
as an intermediary between the private network and the outside. Every network
request made by an internal computer to an outside source is intercepted
by the proxy server, which logs the request and then makes the connection
on the user's behalf. Similarly, data passed back to an internal user from the
outside is received by the proxy server, logged, and then passed along.
Proxy servers effectively relay all communications
into or out of the network, which allows every connection to be logged.
There are no direct IP routes between the two networks. Because of this,
a correctly configured proxy exposes only the proxy host itself to the
outside; the remaining risk lies in the proxy software and its configuration
(for example, a proxy that will forward requests back to internal addresses
hands outsiders the very path the firewall was meant to close).
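As an added example (not code from this page or from the HOWTO it adapts), here is a minimal application-level proxy in Python that shows the two properties just described: every request and reply passes through the proxy and is logged, and the client never gets an IP route to the destination because the proxy makes the outside connection itself. It also shows the "configured correctly" part: it refuses to forward to private addresses or to itself. The HTTP/1.0-style request line, the policy, the client and server addresses, and the fake upstream that stands in for the internet are all constructed for the illustration.

```python
"""Toy application-level proxy (added example, not from the page or the HOWTO).
Every request from the inside passes through handle(), is logged, and is
forwarded only if policy allows; the reply is logged on the way back. The
request format, policy, addresses and fake upstream are constructed here.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Upstream = Callable[[str, str], Tuple[int, bytes]]

# Targets the proxy must never be used to reach: the private side and the
# proxy host itself. Forwarding to these would turn the proxy into a route
# from the internet into the network it is supposed to shield.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal_target(host: str) -> bool:
    """True for address literals on the private side and for 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return any(ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:          # a hostname, not an address literal
        return False


class Proxy:
    def __init__(self, upstream: Upstream) -> None:
        self.upstream = upstream      # stand-in for the outside connection
        self.log: List[Dict] = []     # one entry per request, allowed or not

    def handle(self, client: str, request_line: str) -> Tuple[int, bytes]:
        """Process one HTTP/1.0-style proxy request line from an inside client."""
        entry = {"client": client, "request": request_line, "status": None, "bytes": 0}
        self.log.append(entry)        # logged before any decision is made
        try:
            method, url, _version = request_line.split()
        except ValueError:
            return self._finish(entry, 400, b"malformed request")
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return self._finish(entry, 400, b"absolute http URL required")
        if method not in ("GET", "HEAD"):
            return self._finish(entry, 405, b"method not allowed")
        if is_internal_target(parts.hostname):
            return self._finish(entry, 403, b"internal target refused")
        # Policy passed: the proxy makes the outside connection itself, so the
        # client never holds an IP route to the destination.
        status, body = self.upstream(method, url)
        return self._finish(entry, status, body)

    def _finish(self, entry: Dict, status: int, body: bytes) -> Tuple[int, bytes]:
        entry["status"] = status
        entry["bytes"] = len(body)    # the reply is logged on the way back in
        return status, body


def fake_upstream(method: str, url: str) -> Tuple[int, bytes]:
    """Constructed stand-in for the internet so the example runs offline."""
    if urlsplit(url).hostname == "www.example.com":
        return 200, (b"<html>hello from outside</html>" if method == "GET" else b"")
    return 502, b"no route to host"


def run_sample() -> List[int]:
    """Replay a few constructed client requests and return the status codes."""
    proxy = Proxy(fake_upstream)
    requests = [
        "GET http://www.example.com/ HTTP/1.0",         # ordinary outbound fetch
        "GET http://192.168.1.20/admin HTTP/1.0",       # attempt to pivot inward
        "GET http://localhost:8080/ HTTP/1.0",          # the proxy host itself
        "POST http://www.example.com/upload HTTP/1.0",  # method not permitted
        "garbage",                                      # malformed client input
    ]
    statuses = [proxy.handle("192.168.1.5", r)[0] for r in requests]
    for e in proxy.log:
        print(f"{e['client']} {e['status']} {e['bytes']:5d} {e['request']}")
    return statuses


if __name__ == "__main__":
    run_sample()
```

The printed log is the point: one line per request, including the refused ones, with the client address, the decision and the size of whatever came back. A packet filter in front of the same hosts would have produced none of that.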
Adapted from Mark Grennan's Firewalling and Proxy Server HOWTO.