Essay: Internet Firewalls

Application Gateways-Also referred to as Proxy Servers. A site would use an application gateway server such as an AcerAltos server to provide a guarded gate through which application traffic must first pass before being permitted access to specific (pre-defined) systems. These gateway servers are used in conjunction with packet filtering and event logging to provide a higher level of security for applications that are not blocked at the firewall; examples include telnet, FTP, and SMTP. They are placed so that all traffic destined for a host within the subnet is first sent to the application gateway; any traffic not directed at the application gateway is rejected by packet filtering. The application gateway then passes authorized traffic on to the subnet and rejects all unauthorized traffic. This arrangement has a number of advantages over the default mode of permitting application traffic to pass directly to internal hosts:

+ Information Hiding – The names of internal systems are not made known via DNS to outside systems; only the application gateway host name is made known.

+ Robust Authentication and Logging – Application traffic can be pre-authenticated before it reaches internal hosts and can be logged more effectively than standard host logging.

+ Cost-Effectiveness – Third-party authentication or logging software/hardware need be located only at the application gateway.

+ Less-Complex Filtering Rules – The rules at the packet filtering router are less complex than if the router needed to filter application traffic and direct it to a number of specific systems; the router need only allow application traffic destined for the application gateway and reject the rest.

Note that an application gateway is application specific; to support a new application protocol, new proxy software must be developed for it. Several proxy application tool kits have been developed and can be used as a starting place to develop your own gateway software. Alternatively, packages have appeared on the market that offer a complete solution in lieu of costly development time.
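As an added example (not code from the essay), the following model shows the screened application-gateway layout described above: the packet filter admits application traffic (telnet, FTP, SMTP) only when it is addressed to the gateway host, and the gateway authenticates and logs each session before relaying it to an internal host. The addresses, credential table and host list are constructed for the demonstration.

```python
# Added example: packet filter plus application gateway, as the text describes.
# All addresses, users and passwords below are constructed sample values.
from dataclasses import dataclass, field

GATEWAY = "10.0.0.2"                          # the only published host
APP_PORTS = {23: "telnet", 21: "ftp", 25: "smtp"}
INTERNAL_HOSTS = {"10.0.0.10", "10.0.0.11"}   # never made known via DNS
AUTHORIZED = {"alice": "s3cret"}              # constructed credential table

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def router_filter(pkt: Packet) -> bool:
    """Packet-filter rule set: application traffic is allowed only when it
    is destined for the gateway itself; everything else is rejected."""
    if pkt.dport not in APP_PORTS:
        return False
    return pkt.dst == GATEWAY

@dataclass
class ApplicationGateway:
    log: list = field(default_factory=list)   # central event log

    def relay(self, pkt: Packet, user: str, password: str, target: str) -> bool:
        """Pre-authenticate the session, record it, and relay it only to a
        known internal host.  Returns True when the session is forwarded."""
        service = APP_PORTS.get(pkt.dport, "unknown")
        if AUTHORIZED.get(user) != password:
            self.log.append(f"DENY {service} {pkt.src} user={user} auth-failed")
            return False
        if target not in INTERNAL_HOSTS:
            self.log.append(f"DENY {service} {pkt.src} user={user} bad-target={target}")
            return False
        self.log.append(f"ALLOW {service} {pkt.src} user={user} -> {target}")
        return True

def handle(gw: ApplicationGateway, pkt: Packet, user: str, password: str, target: str) -> str:
    """Full path of one session: the router rule first, then the gateway."""
    if not router_filter(pkt):
        return "dropped-by-router"
    return "relayed" if gw.relay(pkt, user, password, target) else "denied-by-gateway"
```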

An application gateway is the focal point of all traffic to and from the Internet. Selecting the proper server hardware is critical to efficient, reliable Internet access.

Underestimating the load with a server that is too small produces bottlenecks that affect every Internet user, while overestimating the load with a server that is too large wastes money, which affects the corporation. Acer has addressed this problem with a broad range of servers and upgrade options. Selecting the proper server is made easier by the inherent flexibility of the AcerAltos product line: from the uni-processor 133MHz Pentium AA900 and the 180MHz/256KB / 200MHz/256KB Pentium Pro AA900Pro to the dual-processor 166MHz Pentium AA9000 and the 200MHz/256KB Pentium Pro AA9000Pro and AA19000 models, each offers a level of power that fits the application. The expandability and scalability of the AcerAltos product line ensure incremental growth and performance improvement at minimal cost.

Other Technologies-There are other emerging technologies that, while not new, are only now gaining recognition and standardization. Certain industry niches such as financial services require a higher degree of security. It is imperative for these companies to maintain the safety of financial data and build customer trust; Internet transactions must be made at least as safe as traditional transactions, if not safer. To do this, these and other organizations have begun relying on two closely linked technologies: Authentication and Encryption. An application of encryption that further enhances privacy is the Virtual Private Network (VPN).

Authentication is the process by which the receiver of a digital message can be confident of the identity of the sender and the integrity of the message. Authentication protocols can be based on secret key cryptosystems or public key signature systems. Secret key cryptosystems use a key, or seed, to encode data transmitted over the Internet. Once the sender has encoded the data, the same or a different key is needed to decode it on the receiving end. Only the sender and the receiver know the keys. Should an unauthorized person intercept the message, it is unreadable and nearly impossible to decode without a great deal of time and a powerful computer.

Public key technology uses the concept of digital signatures to assert that a named person wrote or otherwise agreed to the document on which the signature appears. The signature is an unforgeable piece of data allowing the recipient, as well as a third party, to verify both that the document did originate from the person who signed it and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts: a method of signing a document so that forgery is infeasible, and a method of signature verification. Moreover, secure digital signatures cannot be repudiated; that is, the signer of a document cannot later disown it by claiming it was forged, since each digital signature is registered with a Certificate Authority.

Encryption has been used by governments and individuals to develop systems for coding, or encrypting, sensitive secrets with the intent of keeping them from prying eyes. The science of cryptography involves establishing an encoding key (also used for Authentication; see above) consisting of random letters and numbers. Prior to transmission, this key is used in a mathematical formula to change every letter and number in the message. On the other end, the receiver reverses the mathematical process by applying the key to the encrypted message to restore it to the original version. Should someone intercept the message, it would appear as a meaningless series of characters. The length of the key affects how secure the message is: the longer the key, the harder it is to decipher the message. Encryption keys used in today’s commercial systems are between 40 and 128 bits long.
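The secret-key authentication described above, and the point that each added key bit doubles the work of an exhaustive search, as an added example that is not part of the essay. It uses an HMAC from Python's standard library as the shared-key scheme; the key sizes, message and account text are constructed for the demonstration.

```python
# Added example: shared-key message authentication and the effect of key length.
import hmac
import hashlib
import secrets

def make_key(bits: int) -> bytes:
    """Random shared key of the requested length (a multiple of 8 bits)."""
    return secrets.token_bytes(bits // 8)

def sign(key: bytes, message: bytes) -> bytes:
    """Sender side: an authentication tag bound to both key and message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    A match shows the message is unaltered and came from a key holder."""
    return hmac.compare_digest(sign(key, message), tag)

def trials_to_recover_key(bits: int, message: bytes, tag: bytes) -> int:
    """Number of candidate keys an exhaustive search tries before the tag
    matches.  Only feasible here because `bits` is tiny; each extra bit
    doubles the work, which is why longer keys resist deciphering."""
    for n in range(2 ** bits):
        if verify(n.to_bytes(bits // 8, "big"), message, tag):
            return n + 1
    raise ValueError("no key matched")

def demo() -> dict:
    key = make_key(128)
    msg = b"TRANSFER 100.00 FROM ACCT 1 TO ACCT 2"      # constructed message
    tag = sign(key, msg)
    return {
        "genuine": verify(key, msg, tag),
        "tampered": verify(key, b"TRANSFER 900.00 FROM ACCT 1 TO ACCT 2", tag),
        "wrong_key": verify(make_key(128), msg, tag),
        # Anyone holding the shared key can mint a valid tag, so a secret-key
        # scheme gives integrity and peer authentication but not the
        # non-repudiation the text attributes to public-key signatures.
        "receiver_can_forge": verify(key, b"forged", sign(key, b"forged")),
    }
```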

Today’s cryptography techniques and computers, which perform millions of calculations per second, have brought encryption to the point at which the US government cannot break many computer-encrypted documents. Any software using keys of 40 bits or less can be exported; software using larger keys is not exportable and must remain in the US.

The combination of sender authentication and data encryption virtually ensures the security of sensitive data transmitted over the Internet. Standards for applying these technologies to the Internet are only now emerging and have yet to gain wide acceptance. Once they do, however, conducting business on the Internet will be even more secure than in-person transactions.

Virtual Private Network (VPN) technology is being included in some of the more advanced software systems today and provides an added measure of security. Using encryption techniques, a VPN hides the content and the true source and destination of sensitive data, making it invisible as it moves across the Internet. This technology is also called tunneling because it effectively creates a tunnel through the Internet that prevents outsiders from seeing the data.

Conclusion: Plan for Abuse

Planning for abuse before it can happen is the key to building a secure and successful Internet environment. Filtering and connectivity policies must be defined and must incorporate not only security needs, but also the computing needs of the organization. If the computing needs are ignored or short-changed, the Firewall may become too complex to administer or may become essentially useless. Security requirements need to be weighed carefully and accommodations may be necessary if productivity will be hampered by the security policy.

An important concept to remember is that a Firewall should be viewed as an implementation of a policy and that policy should never be made by the Firewall implementation. In other words, decisions on what protocols to filter, application gateways, and other items regarding the nature of network connectivity need to be agreed upon beforehand. Making ad hoc decisions after the fact will be difficult to defend, even more difficult to implement, and will eventually complicate Firewall administration to such a degree that it may be abandoned altogether.

Do your research, put your plan together, and then implement the Firewall policies that best suit your unique environment.
