What is a Firewall
Beth Johnson
April 27, 1998
What is a Firewall
•Firewall mechanisms are used to control
internet access
•An organization places a firewall at each
external connection to guarantee that the
internal networks remain free from
unauthorized traffic
•A firewall consists of two barriers and a secure
computer called a bastion host
•Each barrier uses a filter to restrict datagram
traffic
•To be effective, a firewall that uses datagram
filtering should restrict access by:
-IP source
-IP destination
-protocol
-protocol port
and admit only the combinations that are
explicitly designated as available externally
Firewall continued
•A packet filter that allows a manager to
specify which datagrams to admit instead of
which datagrams to block can make such
restrictions easy to specify
•The bastion host offers externally-visible
servers, and runs clients that access outside
servers
•Usually, a firewall blocks all datagrams
arriving from external sources except those
destined for the bastion host
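The default-deny packet filter described on these slides, written out as an added example that is not part of the original presentation: a barrier admits a datagram only when an explicit allow rule matches its source, destination, protocol and port, and everything else is denied. The internal network (10.0.0.0/8), the bastion host address (10.0.0.2) and the external address used in the comments are constructed placeholders, not values from the slides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional, Iterable, List


@dataclass(frozen=True)
class Datagram:
    """The header fields a datagram filter looks at (constructed, not a real packet)."""
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class AllowRule:
    """One explicitly permitted combination of source, destination, protocol, port."""
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: Optional[int]          # None means any port on that protocol

    def matches(self, d: Datagram) -> bool:
        return (ip_address(d.src) in self.src
                and ip_address(d.dst) in self.dst
                and d.proto == self.proto
                and (self.dport is None or d.dport == self.dport))


class AllowListFilter:
    """Barrier that admits only datagrams matching an allow rule (default deny)."""

    def __init__(self, rules: Iterable[AllowRule]) -> None:
        self.rules: List[AllowRule] = list(rules)

    def verdict(self, d: Datagram) -> str:
        for rule in self.rules:
            if rule.matches(d):
                return "ALLOW"
        return "DENY"             # nothing explicitly admitted it


# Constructed addresses for the example; the slides give none.
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")
BASTION = ip_network("10.0.0.2/32")   # the bastion host inside the internal net


def build_external_barrier() -> AllowListFilter:
    """Outer barrier: external traffic may reach only the bastion host's servers,
    and the bastion's own clients may reach outside servers."""
    return AllowListFilter([
        AllowRule(ANY, BASTION, "tcp", 25),    # inbound mail to the bastion
        AllowRule(ANY, BASTION, "tcp", 80),    # inbound web to the bastion
        AllowRule(BASTION, ANY, "tcp", None),  # bastion clients to outside servers
    ])


if __name__ == "__main__":
    barrier = build_external_barrier()
    samples = [
        Datagram("198.51.100.7", "10.0.0.2", "tcp", 25),   # allowed: mail to bastion
        Datagram("198.51.100.7", "10.0.0.2", "tcp", 23),   # denied: port not listed
        Datagram("198.51.100.7", "10.0.0.9", "tcp", 80),   # denied: not the bastion
        Datagram("10.0.0.2", "198.51.100.7", "tcp", 443),  # allowed: bastion client
    ]
    for d in samples:
        print(barrier.verdict(d), d)
```

The rule list is the whole policy: a manager adds a rule to open a service and removes one to close it, and an unlisted destination, protocol or port is denied without any further configuration, which is the property the slide attributes to filters that specify what to admit rather than what to block.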
Implementing a Firewall
•A firewall can be implemented in one of
several ways
-the choice depends on details such as
the number of external connections
•In many cases, each barrier in a firewall is
implemented with a router that contains a
packet filter
•A firewall can also use a stub network to keep
external traffic off the internal network
•A stub network consists of a short wire to
which only three computers connect
The Wall
Raptor Systems Inc.
•Used for smaller networks
•Has powerful logging capabilities so you can
figure out if someone has tried to crack your
network
•Also, get Raptor’s WebNOT utility, which
blocks 15,000 unsavory Web sites
•For a nominal fee, the vendor will provide
periodic updates
•The Wall can only be implemented on a 25-user network
•Cost: $995 list
Gauntlet Internet Firewall
Trusted Information Systems (TIS)
•Positioned as an application gateway
•Uses proxies to enforce network traffic rules
•Proxies track and log traffic as it flows through
the firewall
•Can configure smoke alarms to notify you when
illegal activity occurs
•The firewall automatically builds a log report that
tracks anomalies
•You can also receive the alerts via e-mail or
pager
Gauntlet continued
•Gauntlet is available in two versions
-software-only solution: $11,500
it installs on an existing BSD Unix, HP/UX, or SunOS host
-turnkey solution: $15,000
runs on a Pentium machine
Check Point Firewall-1
Check Point Software Technologies Ltd.
•Check Point redefined the way people think
about firewalls with its stateful-inspection
engine, which works at the network layer rather
than at the application layer like an
application-proxy-based firewall
•Easy to add new services as they emerge
•Firewall-1 comes with all of the basic services
including:
-HTTP
-SSL
-NNTP
-SMTP
-DNS
•Administrators can control each of these
services using flexible rules
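To show what the stateful-inspection engine on this slide does differently from a static packet filter, here is an added example that is not part of the original presentation or of Check Point's product: a small connection tracker that admits a TCP segment from outside only if it belongs to a connection an inside host opened, and expires idle entries. The internal network (10.0.0.0/8), the allowed outbound ports and the injectable clock are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, Tuple
import time

INTERNAL = ip_network("10.0.0.0/8")   # constructed internal network for the example

ConnKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the inspector looks at (constructed, not a real packet)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulInspector:
    """Network-layer engine that remembers connections opened from inside so that
    only their replies are admitted from outside; unsolicited inbound is denied."""

    def __init__(self, allowed_outbound_ports: Iterable[int],
                 timeout: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.allowed = set(allowed_outbound_ports)
        self.timeout = timeout                  # idle seconds before an entry is forgotten
        self.clock = clock                      # injectable so tests can advance time
        self.table: Dict[ConnKey, float] = {}   # connection -> last-seen timestamp

    def _expire(self, now: float) -> None:
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.timeout:
                del self.table[key]

    def verdict(self, s: Segment) -> str:
        now = self.clock()
        self._expire(now)
        outbound = (ip_address(s.src) in INTERNAL
                    and ip_address(s.dst) not in INTERNAL)
        key: ConnKey = (s.src, s.sport, s.dst, s.dport)
        reverse: ConnKey = (s.dst, s.dport, s.src, s.sport)

        # A bare SYN from inside to an allowed port opens a new tracked connection.
        if outbound and s.syn and not s.ack and s.dport in self.allowed:
            self.table[key] = now
            return "ALLOW"
        # Anything else passes only if it belongs to a connection already tracked,
        # in either direction; seeing it refreshes the idle timer.
        if key in self.table:
            self.table[key] = now
            return "ALLOW"
        if reverse in self.table:
            self.table[reverse] = now
            return "ALLOW"
        return "DENY"


if __name__ == "__main__":
    insp = StatefulInspector({80, 443})
    print(insp.verdict(Segment("10.0.0.5", 40000, "198.51.100.7", 80, syn=True)))
    print(insp.verdict(Segment("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True)))
    print(insp.verdict(Segment("198.51.100.7", 80, "10.0.0.5", 40001, syn=True)))
```

The point of comparison with the proxy approach is that the engine never interprets HTTP, SMTP or any other application protocol; it decides from headers plus remembered state, which is why a new service can be admitted by adding a port to the allowed set rather than by writing a new proxy.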
Firewall-1 continued
•Can place specific restrictions on individual
FTP sites and directories, and can selectively
allow gets but not puts
•Check Point has developed Content Vectoring
Protocol (CVP), which defines how a firewall
forwards packets and data to specialized servers
•An administrator can configure and monitor
Firewall-1 on the firewall itself or from
anywhere on the network
•Any unauthorized use can trigger a visible or
audible alert to the System Status screen or one
of many other options such as e-mail
•Firewall-1's optional encryption module turns the
firewall into a VPN node
•Dynamic TCP/IP addresses are allowed
•Cost: 50 nodes: $4,995; unlimited: $18,990
AltaVista Firewall 97
Digital Equipment Corp.
•Application-proxy-based firewall
•Suitable only for small networks, because it lacks
remote configuration capabilities and cannot
work with more than two network adapters
•Vulnerable to SYN-flood attacks
•AltaVista has solid support for most of the
basic services, except for some minor
deficiencies with HTTP
•Telnet and FTP access can be finely regulated
•Cost: 50 nodes: $3,995; unlimited: $14,995
Firewall/Plus
Network-1 Software & Technology
•Aimed at networks of all sizes
•Runs as a Windows NT service on both Intel
and Alpha platforms
•Firewall/Plus uses both proxies and stateful
inspection
•Packets are allowed or denied based on the
administrator's configuration
•Firewall/Plus can run transparently without an
IP address
-to run in this manner, the firewall must
be placed between the internet
connection and the local network
•Consists of a firewall engine and a user
interface for making modifications to the engine
Firewall/Plus continued
•You can remotely manage the firewall by
loading the user interface on a remote PC and
then connecting to a predefined TCP port over
an encrypted connection
•Cost: 50 nodes: $3,750; unlimited: $13,000
Basic Mini Firewall
Computer Peripheral Systems
•Used with a dial-up Internet connection at a
desktop
•The Basic Mini Firewall is tiny enough to slip
into your pocket
•It connects to your phone line and your
10Base-T LAN
•Product works by breaking your connection to
the LAN when you connect to the Internet via
your modem
•Isn’t flexible (and being off the LAN can
sometimes be inconvenient)
•Makes LAN off-limits
•Cost: $85 list