ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaj4_5.4.0.1/rzaj4fwfirewallconcept.htm

149 lines
9.2 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Firewalls" />
<meta name="abstract" content="A firewall is a blockade between a secure internal network and an untrusted network such as the Internet." />
<meta name="description" content="A firewall is a blockade between a secure internal network and an untrusted network such as the Internet." />
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj4fwfirewallconcept" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Firewalls</title>
</head>
<body id="rzaj4fwfirewallconcept"><a name="rzaj4fwfirewallconcept"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Firewalls</h1>
<div><p>A firewall is a blockade between a secure internal network and
an untrusted network such as the Internet.</p>
<p>Most companies use a firewall to connect an internal network safely to
the Internet, although you can use a firewall to secure one internal network
from another also.</p>
<p>A firewall provides a controlled single point of contact (called a chokepoint)
between your secure internal network and the untrusted network. The firewall:</p>
<ul><li>Lets users in your internal network use authorized resources that are
located on the outside network.</li>
<li>Prevents unauthorized users on the outside network from using resources
on your internal network.</li>
</ul>
<p>When you use a firewall as your gateway to the Internet (or other network),
you reduce the risk to your internal network considerably. Using a firewall
also makes administering network security easier because firewall functions
carry out many of your security policy directives.</p>
<div class="section"><h4 class="sectiontitle">How a firewall works</h4><p>To understand how a firewall
works, imagine that your network is a building to which you want to control
access. Your building has a lobby as the only entry point. In this lobby,
you have receptionists to welcome visitors, security guards to watch visitors,
video cameras to record visitor actions, and badge readers to authenticate
visitors who enter the building.</p>
<p>These measures may work well to control
access to your building. But, if an unauthorized person succeeds in entering
your building, you have no way to protect the building against this intruder's
actions. If you monitor the intruder's movements, however, you have a chance
to detect any suspicious activity from the intruder.</p>
</div>
<div class="section"><h4 class="sectiontitle">Firewall components</h4><p>A firewall is a collection of
hardware and software that, when used together, prevent unauthorized access
to a portion of a network. A firewall consists of the following components:</p>
<ul><li><img src="./delta.gif" alt="Start of change" />Hardware. Firewall hardware typically consists of a separate
computer or device dedicated to running the firewall software functions.<img src="./deltaend.gif" alt="End of change" /></li>
<li>Software. Firewall software provides a variety of applications. In terms
of network security, a firewall provides these security controls through a
variety of technologies: <ul><li>Internet Protocol (IP) packet filtering</li>
<li>Network address translation (NAT) services</li>
<li>SOCKS server</li>
<li>Proxy servers for a variety of services such as HTTP, Telnet, FTP, and
so forth</li>
<li>Mail relay services</li>
<li>Split Domain name services (DNS)</li>
<li>Logging</li>
<li>Real-time monitoring</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Some firewalls provide virtual private networking (VPN) services
so that you can set up encrypted sessions between your firewall and other
compatible firewalls.</div>
</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Using firewall technologies</h4><p>You can use the firewall
proxy servers, SOCKS server, or NAT rules to provide internal users with safe
access to services on the Internet. The proxy and SOCKS servers break TCP/IP
connections at the firewall to hide internal network information from the
untrusted network. The servers also provide additional logging capabilities.</p>
<p>You
can use NAT to provide Internet users with easy access to a public server
behind the firewall. The firewall still protects your network because NAT
hides your internal IP addresses.</p>
<p>A firewall also can protect internal
information by providing a DNS server for use by the firewall. In effect,
you have two DNS servers: one that you use for data about the internal network,
and one on the firewall for data about external networks and the firewall
itself. This allows you to control outside access to information about your
internal systems.</p>
<p>When you define your firewall strategy, you may think
it is sufficient to prohibit everything that presents a risk for the organization
and allow everything else. However, because computer criminals constantly
create new attack methods, you must anticipate ways to prevent these attacks.
As in the example of the building, you also need to monitor for signs that,
somehow, someone has breached your defenses. Generally, it is much more damaging
and costly to recover from a break-in than to prevent one.</p>
<p>In the case
of a firewall, your best strategy is to permit only those applications that
you have tested and have confidence in. If you follow this strategy, you must
exhaustively define the list of services you must run on your firewall. You
can characterize each service by the direction of the connection (from inside
to outside, or outside to inside). You should also list users who you will
authorize to use each service and the machines that can issue a connection
for it.</p>
</div>
<div class="section"><h4 class="sectiontitle">What a firewall can do to protect your network</h4><p><img src="./delta.gif" alt="Start of change" />You
install a firewall between your network and your connection point to the Internet
(or other untrusted network). The firewall then allows you to limit the points
of entry into your network. A firewall provides a single point of contact
(called a chokepoint) between your network and the Internet. Because you have
a single point of contact, you have more control over which traffic to allow
into and out of your network.<img src="./deltaend.gif" alt="End of change" /></p>
<p>A firewall appears as a single address
to the public. The firewall provides access to the untrusted network through
proxy or SOCKS servers or network address translation (NAT) while hiding your
internal network addresses. Consequently, the firewall maintains the privacy
of your internal network. Keeping information about your network private is
one way in which the firewall makes an impersonation attack (spoofing) less
likely.</p>
<p><img src="./delta.gif" alt="Start of change" />A firewall allows you to control traffic into and
out of your network to minimize the risk of attack to your network. A firewall
securely filters all traffic that enters your network so that only specific
types of traffic for specific destinations can enter. This minimizes the risk
that someone might use TELNET or file transfer protocol (FTP)
to gain access to your internal systems.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><h4 class="sectiontitle">What a firewall cannot do to protect your network</h4><p>While
a firewall provides a tremendous amount of protection from certain kinds of
attack, a firewall is only part of your total security solution. For instance,
a firewall cannot necessarily protect data that you send over the Internet
through applications such as SMTP mail, FTP, and TELNET. Unless you choose
to encrypt this data, anyone on the Internet can access it as it travels to
its destination.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
</div>
</div>
</body>
</html>