4BA2 Web Project - WWW Access Control Mechanisms - Firewalls

...'I am a servant of the Secret Fire, wielder of the flame of Anor. You cannot pass.'...
J.R.R. Tolkien "The Lord of the Rings"


Almost all modern information systems are based on computer networks, which connect sets of servers and clients. The main objective of a firewall is to protect the internal network against an external network from which security intrusions can originate. Protection involves preventing unauthorized users from accessing sensitive data while allowing legitimate users unencumbered access to network resources. Firewalls are a chief instrument for enforcing an organization's security policy; they implement different access control mechanisms. However, in many cases encryption and other privacy enhancement techniques are also required to secure the information system.

Firewall basics

The term firewall is used by many as a generic term that describes a wide range of functions and device architectures that protect the network. In general, a firewall is placed between the internal trusted network and the external untrusted network. In practice there are plenty of ways to organize a network structure with firewalls. The structure of such a network consists of one or more internal security levels (folded subnets) separated by firewalls. Any firewall that is critical to the network's security is called a bastion.

Usually, the firewall acts as a choke-point that monitors and rejects application-level network traffic. The firewall must record all connections and transactions it handles so that software breaches and security violations can be found.

Firewalls can also operate at the network and transport layers, in which case they examine the IP and TCP headers of incoming and outgoing packets and reject or pass packets based on the programmed filter rules. Very often this function is carried out by a router, in which case it is called a screening router. Screening routers are usually used as the first level of defence against an untrusted network. They cannot guarantee full security: because they lack context information, certain protocols such as RPC cannot be filtered effectively.
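The header-only filtering described above, and why RPC defeats it, as an added example that is not part of the original page. The rule format, the first-match/default-reject policy, the addresses and the port numbers are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:            # only what a screening router sees: header fields
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "reject"
    src: str             # source network (CIDR)
    dst: str             # destination network (CIDR)
    proto: str           # "tcp", "udp" or "any"
    ports: range         # destination ports covered

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and pkt.dport in rule.ports)

def filter_packet(rules: list, pkt: Packet) -> str:
    """First matching rule decides; unmatched packets are rejected."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "reject"

ANY = "0.0.0.0/0"
# Constructed addresses (documentation ranges), not from the original page.
MAIL, WEB, RPC_HOST, OUTSIDE = "192.0.2.25", "192.0.2.80", "192.0.2.40", "203.0.113.9"

STRICT = [
    Rule("pass", ANY, MAIL + "/32", "tcp", range(25, 26)),   # SMTP
    Rule("pass", ANY, WEB + "/32", "tcp", range(80, 81)),    # HTTP
]
# RPC services get their port from the portmapper at run time, so a static
# rule can only name a wide range, which admits everything else in it too.
LOOSE = STRICT + [Rule("pass", ANY, RPC_HOST + "/32", "udp", range(1024, 65536))]

rpc_call = Packet(OUTSIDE, RPC_HOST, "udp", 32771)    # constructed dynamic RPC port
unrelated = Packet(OUTSIDE, RPC_HOST, "udp", 40000)   # some other service on that host

if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("loose", LOOSE)):
        print(name, filter_packet(rules, rpc_call), filter_packet(rules, unrelated))
```

With the strict rules the RPC call is rejected along with everything else unlisted; with the loosened rules it passes, but so does the unrelated packet, because the filter has no context to tell the two apart.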

A multi-homed host is a computer with several network interfaces. Firewalls are built around multi-homed hosts with packet forwarding between interfaces disabled. Such a multi-homed host ideally separates the connected networks: they are still able to exchange (and even share) data, but only through firewall applications.

Because firewalls operate at the application layer, firewall implementations differ for different network services. Many network services, like E-mail and News, have a store-and-forward nature. Such a service can easily be configured to pass messages through the firewall. Other services (Telnet, FTP, WWW) may require an additional authentication dialog, and client software may require serious changes to comply with the client-firewall interaction rules.

There are several approaches to building a network with firewalls. If an organization has experienced programmers and financial resources, it is possible to use a "roll your own" approach. This involves building custom firewall solutions to protect the organization's network. If implemented properly, this is perhaps the most efficient (and also the most expensive) way.

Another approach is to use existing off-the-shelf products and to customize and configure them to meet the organization's network security policy. Plenty of commercial and shareware firewall products are available and can easily be found on the WWW or in the literature.


