Handbook of Information Security Management:Communications Security



CONCLUSION

Internet connectivity can be extremely valuable to an organization, but it entails many security risks. A key tool in an appropriate set of security control measures to protect Internet-capable networks is the firewall. Firewalls can be placed at the gateway to a network to form a security perimeter around the networks they protect, or at the entrance to subnets to screen the subnets from the rest of the internal network.

Three major types of firewalls currently exist. Packet-filtering firewalls accept or deny packets according to numerous rules that depend on the packets' source and destination ports and other criteria. Packet-filtering firewalls are in most cases the closest to a “plug and play” firewall solution, although they are also generally the easiest to defeat. Application- and circuit-gateway firewalls use a proxy mechanism that terminates the original connection from the client host at the firewall and (if the rules allow) originates a new connection to the destination host. Proxy-based firewalls such as circuit-gateway firewalls are generally more difficult to defeat. Furthermore, the resulting “virtual circuit” connection is for the most part transparent to users, although circuit-gateway firewalls do not understand the semantics of applications and thus offer less granular control. Application-gateway firewalls connect specific clients to specific applications, thereby providing finer-grained control, but they also require that every application reached through the proxy be modified, and they are generally less transparent to users than circuit-gateway firewalls. Circuit-gateway firewalls allow “many-to-many” connections between clients and servers. One type of firewall may be more suitable for some kinds of operational environments than others. Furthermore, firewall products offer a variety of additional functionality and features, such as the ability to create VPNs, strong authentication, and easy-to-use user interfaces, which can make choosing the right firewall for an organization’s needs quite difficult.
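The packet-filtering model described above, as an added example that is not part of the handbook: an ordered rule list evaluated first-match-wins with a final default deny, applied to constructed packets for a hypothetical site 192.0.2.0/24 whose mail host is 192.0.2.25. The rule that admits return traffic by the ACK bit illustrates why the text calls packet filters the easiest to defeat: a stateless filter cannot distinguish a genuine reply from any other packet that merely sets the flag.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; set on every packet of an established connection

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[range] = None   # None matches any destination port
    ack: Optional[bool] = None      # None means the flag is not inspected

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or p.dport in self.dport)
                and (self.ack is None or self.ack == p.ack))

# Constructed policy (hypothetical site): inbound SMTP to the mail host, return
# traffic for connections the inside opened (approximated by the ACK bit, as a
# stateless filter must), then an explicit default deny for everything else.
RULES = [
    Rule("allow", dst="192.0.2.25/32", proto="tcp", dport=range(25, 26)),
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=range(1024, 65536), ack=True),
    Rule("deny"),
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """The first matching rule decides; a packet matching no rule is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

if __name__ == "__main__":
    # The third packet is admitted by rule 2 on the strength of the ACK bit alone,
    # which is the coarseness of control the chapter attributes to packet filters.
    for pkt in (Packet("198.51.100.7", "192.0.2.25", "tcp", 40000, 25),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 8080),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 8080, ack=True)):
        print(pkt.dst, pkt.dport, "ack" if pkt.ack else "syn", "->", filter_packet(pkt))
```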

Developing an accurate and complete firewall policy is the single most important step in using firewalls effectively. This policy provides a statement of requirements for each firewall, and it should be modified and updated as new applications are added within the internal network protected by the firewall and as new security threats emerge. Maintaining firewalls properly and regularly examining the log data they provide are almost certainly the most neglected facets of using firewalls, yet these activities are among the most important in ensuring that the defenses are adequate and that incidents are quickly detected and handled. Regularly performing security evaluations and testing the firewall to identify any exploitable vulnerabilities or misconfigurations are also essential activities.
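The log examination the text describes, as an added example that is not part of the handbook: the log format, addresses and entries are all constructed for this example (real products log differently), and the review surfaces outside sources denied on several distinct ports and counts lines the parser could not read, since silently skipped lines are a common way log review goes wrong.

```python
import re
from collections import defaultdict

# Constructed log format: "<date> <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one legitimate SMTP delivery, one outside host trying several
# closed services, one inside host blocked once (a possible policy gap), one garbled line.
SAMPLE_LOG = """\
1996-03-01 08:00:01 ALLOW tcp 198.51.100.7:40001 -> 192.0.2.25:25
1996-03-01 08:00:02 DENY tcp 203.0.113.9:51000 -> 192.0.2.10:23
1996-03-01 08:00:02 DENY tcp 203.0.113.9:51001 -> 192.0.2.10:21
1996-03-01 08:00:03 DENY tcp 203.0.113.9:51002 -> 192.0.2.10:111
1996-03-01 08:00:03 DENY tcp 203.0.113.9:51003 -> 192.0.2.11:513
1996-03-01 08:01:10 DENY udp 192.0.2.77:1234 -> 198.51.100.53:53
this line is truncated and will not parse
""".splitlines()

def parse_log(lines):
    """Return (records, unparsed_count); unreadable lines are counted, never dropped silently."""
    records, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records, unparsed

def denied_ports_by_source(records):
    """Map each denied source address to the set of destination ports it was denied on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DENY":
            ports[r["src"]].add(r["dport"])
    return dict(ports)

def probing_sources(records, min_ports=3):
    """Sources denied on at least min_ports distinct ports, sorted; these merit a closer look."""
    return sorted(src for src, p in denied_ports_by_source(records).items() if len(p) >= min_ports)

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} unparsed line(s)")
    print("sources denied on several ports:", probing_sources(recs))
```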

Firewall products have improved considerably over the years, and are likely to continue to improve. Several recent vendor products, for example, are not network addressable, which makes breaking into these platforms virtually impossible for anyone without physical access to them. At the same time, however, recognizing the limitations of firewalls and ensuring that other appropriate Internet security controls are in place is becoming increasingly important because of problems such as third-party connections to organizations’ networks that bypass gate-based security mechanisms altogether. An Internet security strategy that includes firewalls in addition to host-based security mechanisms is thus almost invariably the most appropriate direction for achieving suitable levels of Internet security.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.