from a vendor. Another way is to create your own firewall.
Most firewall products are very expensive. Typically, organizations
lack skilled personnel necessary to build or create their own firewall.
The expense involved in purchasing a firewall can be justified by
understanding the total benefit that is gained by using a firewall.
Firewalls provide selective flow control of what is referred to as a
single point of entry and exit for all electronic communications
between two networks. These two networks could be represented in
your organization by your internal private network and the external
public network of the Internet.
Firewalls ideally should be installed at the location of your connection
to the Internet. There are many advantages to having a firewall
configured as a choke point for all your Internet communications.
These advantages include:
Full restriction control of all traffic coming into and exiting
from the internal private network
Comprehensive logging of all communications activities
Finer granularity of packet filtering
Firewalls 9-7
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService August 1996
9
Fundamental Concepts
Critical Components
There can be multiple components that comprise any firewall.
Typically these components include:
Gateway
Perimeter Network
Bastion host
Proxy Server
Exterior Router
Interior Router
Gateway
A networking device capable of providing relay services for various
interconnected nodes.
Some see this device being further defined by the specific type of relay
services performed. For example:
Packet filtering Gateway
Circuit Level Gateway
Application Level Gateway
Low-level definitions and examples are provided in the FireWall-1
course.
9-8 Solaris Network Security
Perimeter Network (Demilitarized Zone)
The more layers of protection your network configuration has, the
more difficult it will be to penetrate. This is the principle on which a
perimeter network is based. A perimeter network, sometimes called a
Demilitarized Zone or DMZ, exists as a separate network between your
internal protected network and the outside unprotected Internet.
Much of network connectivity is based upon some type of bus
technology. There is the possibility for a host on a given network to see
the traffic for all nodes sharing that network.
The impact of this possibility is that any intruder equipped with a
network analyzer or snoop device can potentially intercept the
passwords used by communications facilities like telnet and ftp. An
intruder is also able to read the contents of sensitive files.
By having a perimeter network, one can isolate the communications
that normally occur between hosts on the internal network from the
network closest to the Internet connection.
Bastion Host
The only host that should be physically or logically connected to the
perimeter network is the bastion host.
A bastion host is the node that is responsible for communicating with
the Internet.
Most often the bastion host will act as an authorized representative
(proxy server) for various services.
This system must have strict administrative configurations applied.
Nothing should be enabled that is not explicitly required. The most
minimal configuration of system services must be defined.
Bastion hosts typically support incoming e-mail from the Internet
bound for some internal node.
Bastion hosts typically support incoming DNS queries from the
Internet regarding internal nodes.
Bastion hosts typically support incoming ftp connections from the
Internet bound for an anonymous ftp server.
Proxy Server
Many of the systems that comprise nodes of the internal private
network will need to use services of the Internet. Communication with
any of the systems offering these Internet services must be done under
tightly controlled conditions. One method of controlling this type of
communication is to employ the services of a proxy server.
A proxy server ideally is a node stationed within a perimeter network
and is positioned between two separate network resident nodes. Its
main function is to act as a liaison between a node on an internal
private company network and one that is on an external public
Internet network.
Some configurations use specialized application code for both the
client side as well as the server side. This strategy enables a user on
one of the internal private network nodes (proxy client), to
communicate directly to a node (proxy server), positioned within the
perimeter network.
The proxy server facilitates communications between an Internet node
providing a service and an internal protected node requesting the
service. All client requests are intercepted and processed by the
specialized application server code and then sent out to the node
within the Internet, which has no knowledge of an intermediary.
The successful passing of these types of requests is based entirely on
the filtering requirements of the security policy.
Exterior Routers
A router is implemented to protect both the perimeter network and
the internal protected network. The router provides packet filtering
protection for the perimeter network.
Typically, the exterior router is under the control of some external
group such as the Internet provider. Consequently, it is not as secure as
a router over which you have exclusive administrative control.
Exterior routers provide cooperative support with the interior router.
Exterior routers ensure that all communication attempting to leave
either the internal private network or the perimeter network goes
through the bastion host only.
The single most important function that is served by the exterior
router is that of blocking all incoming packets from the Internet that
have forged IP source addresses (IP Spoofing).
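The two exterior-router duties just described, anti-spoofing and forcing all outbound traffic through the bastion host, expressed as a small stateless packet filter. This is an added example and not code from the course; the address ranges, interface names, bastion host address and the inbound service list (mail, DNS and ftp, the services the Bastion Host section says it supports) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed sample topology (an assumption for this example, not from the course):
# eth0 faces the Internet provider, eth1 faces the perimeter network (DMZ).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # internal private network
PERIMETER_NET = ipaddress.ip_network("192.0.2.0/24")   # perimeter network
BASTION_HOST = ipaddress.ip_address("192.0.2.10")      # sole host allowed to talk out
EXTERNAL_IF, PERIMETER_IF = "eth0", "eth1"
# Services the bastion host accepts from the Internet: mail, DNS, ftp control.
INBOUND_SERVICES = {("tcp", 25), ("udp", 53), ("tcp", 53), ("tcp", 21)}

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def exterior_router_verdict(pkt: Packet) -> Tuple[str, str]:
    """Stateless decision for one packet: returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == EXTERNAL_IF:
        # Anti-spoofing: Internet traffic may never carry an inside source address.
        if src in INTERNAL_NET or src in PERIMETER_NET:
            return "drop", "spoofed internal/perimeter source address"
        # Only the bastion host is reachable from outside, on the services it offers.
        if dst != BASTION_HOST:
            return "drop", "inbound destination is not the bastion host"
        if (pkt.proto, pkt.dport) not in INBOUND_SERVICES:
            return "drop", "service not offered by the bastion host"
        return "accept", "inbound service to bastion host"
    if pkt.iface == PERIMETER_IF:
        # Everything leaving for the Internet must originate at the bastion host.
        if src != BASTION_HOST:
            return "drop", "outbound packet did not come from the bastion host"
        if dst in INTERNAL_NET or dst in PERIMETER_NET:
            return "drop", "destination is not an Internet address"
        return "accept", "outbound from bastion host"
    return "drop", "unknown interface"

if __name__ == "__main__":
    # Constructed sample traffic: inbound mail, a spoofing attempt, a bypass attempt.
    for pkt in (Packet("eth0", "198.51.100.7", "192.0.2.10", "tcp", 25),
                Packet("eth0", "10.1.2.3", "192.0.2.10", "tcp", 25),
                Packet("eth1", "10.5.5.5", "198.51.100.7", "tcp", 80)):
        print(pkt.iface, pkt.src, "->", pkt.dst, *exterior_router_verdict(pkt))
```

The filter is stateless, as the routers of this era were; it does not track connections, so the ftp data channel, for instance, is not handled here.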
Interior Routers
Interior routers are responsible for packet filtering within the
firewall implementation. Only selected Internet services are allowed
outbound from the internal network.
The category of services that are allowed to be outbound to the
Internet is not the same as that allowed to be outbound to the perimeter