149 lines
9.2 KiB
HTML
149 lines
9.2 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Firewalls" />
|
||
|
<meta name="abstract" content="A firewall is a blockade between a secure internal network and an untrusted network such as the Internet." />
|
||
|
<meta name="description" content="A firewall is a blockade between a secure internal network and an untrusted network such as the Internet." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzaj4fwfirewallconcept" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Firewalls</title>
|
||
|
</head>
|
||
|
<body id="rzaj4fwfirewallconcept"><a name="rzaj4fwfirewallconcept"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Firewalls</h1>
|
||
|
<div><p>A firewall is a blockade between a secure internal network and
|
||
|
an untrusted network such as the Internet.</p>
|
||
|
<p>Most companies use a firewall to connect an internal network safely to
|
||
|
the Internet, although you can use a firewall to secure one internal network
|
||
|
from another also.</p>
|
||
|
<p>A firewall provides a controlled single point of contact (called a chokepoint)
|
||
|
between your secure internal network and the untrusted network. The firewall:</p>
|
||
|
<ul><li>Lets users in your internal network use authorized resources that are
|
||
|
located on the outside network.</li>
|
||
|
<li>Prevents unauthorized users on the outside network from using resources
|
||
|
on your internal network.</li>
|
||
|
</ul>
|
||
|
<p>When you use a firewall as your gateway to the Internet (or other network),
|
||
|
you reduce the risk to your internal network considerably. Using a firewall
|
||
|
also makes administering network security easier because firewall functions
|
||
|
carry out many of your security policy directives.</p>
|
||
|
<div class="section"><h4 class="sectiontitle">How a firewall works</h4><p>To understand how a firewall
|
||
|
works, imagine that your network is a building to which you want to control
|
||
|
access. Your building has a lobby as the only entry point. In this lobby,
|
||
|
you have receptionists to welcome visitors, security guards to watch visitors,
|
||
|
video cameras to record visitor actions, and badge readers to authenticate
|
||
|
visitors who enter the building.</p>
|
||
|
<p>These measures may work well to control
|
||
|
access to your building. But, if an unauthorized person succeeds in entering
|
||
|
your building, you have no way to protect the building against this intruder's
|
||
|
actions. If you monitor the intruder's movements, however, you have a chance
|
||
|
to detect any suspicious activity from the intruder.</p>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectiontitle">Firewall components</h4><p>A firewall is a collection of
|
||
|
hardware and software that, when used together, prevent unauthorized access
|
||
|
to a portion of a network. A firewall consists of the following components:</p>
|
||
|
<ul><li><img src="./delta.gif" alt="Start of change" />Hardware. Firewall hardware typically consists of a separate
|
||
|
computer or device dedicated to running the firewall software functions.<img src="./deltaend.gif" alt="End of change" /></li>
|
||
|
<li>Software. Firewall software provides a variety of applications. In terms
|
||
|
of network security, a firewall provides these security controls through a
|
||
|
variety of technologies: <ul><li>Internet Protocol (IP) packet filtering</li>
|
||
|
<li>Network address translation (NAT) services</li>
|
||
|
<li>SOCKS server</li>
|
||
|
<li>Proxy servers for a variety of services such as HTTP, Telnet, FTP, and
|
||
|
so forth</li>
|
||
|
<li>Mail relay services</li>
|
||
|
<li>Split Domain name services (DNS)</li>
|
||
|
<li>Logging</li>
|
||
|
<li>Real-time monitoring</li>
|
||
|
</ul>
|
||
|
<div class="note"><span class="notetitle">Note:</span> Some firewalls provide virtual private networking (VPN) services
|
||
|
so that you can set up encrypted sessions between your firewall and other
|
||
|
compatible firewalls.</div>
|
||
|
</li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectiontitle">Using firewall technologies</h4><p>You can use the firewall
|
||
|
proxy servers, SOCKS server, or NAT rules to provide internal users with safe
|
||
|
access to services on the Internet. The proxy and SOCKS servers break TCP/IP
|
||
|
connections at the firewall to hide internal network information from the
|
||
|
untrusted network. The servers also provide additional logging capabilities.</p>
|
||
|
<p>You
|
||
|
can use NAT to provide Internet users with easy access to a public server
|
||
|
behind the firewall. The firewall still protects your network because NAT
|
||
|
hides your internal IP addresses.</p>
|
||
|
<p>A firewall also can protect internal
|
||
|
information by providing a DNS server for use by the firewall. In effect,
|
||
|
you have two DNS servers: one that you use for data about the internal network,
|
||
|
and one on the firewall for data about external networks and the firewall
|
||
|
itself. This allows you to control outside access to information about your
|
||
|
internal systems.</p>
|
||
|
<p>When you define your firewall strategy, you may think
|
||
|
it is sufficient to prohibit everything that presents a risk for the organization
|
||
|
and allow everything else. However, because computer criminals constantly
|
||
|
create new attack methods, you must anticipate ways to prevent these attacks.
|
||
|
As in the example of the building, you also need to monitor for signs that,
|
||
|
somehow, someone has breached your defenses. Generally, it is much more damaging
|
||
|
and costly to recover from a break-in than to prevent one.</p>
|
||
|
<p>In the case
|
||
|
of a firewall, your best strategy is to permit only those applications that
|
||
|
you have tested and have confidence in. If you follow this strategy, you must
|
||
|
exhaustively define the list of services you must run on your firewall. You
|
||
|
can characterize each service by the direction of the connection (from inside
|
||
|
to outside, or outside to inside). You should also list users who you will
|
||
|
authorize to use each service and the machines that can issue a connection
|
||
|
for it.</p>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectiontitle">What a firewall can do to protect your network</h4><p><img src="./delta.gif" alt="Start of change" />You
|
||
|
install a firewall between your network and your connection point to the Internet
|
||
|
(or other untrusted network). The firewall then allows you to limit the points
|
||
|
of entry into your network. A firewall provides a single point of contact
|
||
|
(called a chokepoint) between your network and the Internet. Because you have
|
||
|
a single point of contact, you have more control over which traffic to allow
|
||
|
into and out of your network.<img src="./deltaend.gif" alt="End of change" /></p>
|
||
|
<p>A firewall appears as a single address
|
||
|
to the public. The firewall provides access to the untrusted network through
|
||
|
proxy or SOCKS servers or network address translation (NAT) while hiding your
|
||
|
internal network addresses. Consequently, the firewall maintains the privacy
|
||
|
of your internal network. Keeping information about your network private is
|
||
|
one way in which the firewall makes an impersonation attack (spoofing) less
|
||
|
likely.</p>
|
||
|
<p><img src="./delta.gif" alt="Start of change" />A firewall allows you to control traffic into and
|
||
|
out of your network to minimize the risk of attack to your network. A firewall
|
||
|
securely filters all traffic that enters your network so that only specific
|
||
|
types of traffic for specific destinations can enter. This minimizes the risk
|
||
|
that someone might use TELNET or file transfer protocol (FTP)
|
||
|
to gain access to your internal systems.<img src="./deltaend.gif" alt="End of change" /></p>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectiontitle">What a firewall cannot do to protect your network</h4><p>While
|
||
|
a firewall provides a tremendous amount of protection from certain kinds of
|
||
|
attack, a firewall is only part of your total security solution. For instance,
|
||
|
a firewall cannot necessarily protect data that you send over the Internet
|
||
|
through applications such as SMTP mail, FTP, and TELNET. Unless you choose
|
||
|
to encrypt this data, anyone on the Internet can access it as it travels to
|
||
|
its destination.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|