controls the dialogue between communicating end nodes.
As an application gateway, the firewall typically behaves as a client on the Internet and appears as a server to users on its secure, protected side. When operating in this mode, the firewall examines specific application protocols to decide whether connections are permissible. The range of supported application protocols varies from firewall to firewall, but most examine such popular ones as TELNET, the World Wide Web's HyperText Transfer Protocol (HTTP), or the File Transfer Protocol (FTP).
Application layer firewalls offer greater protection against hacker attacks than packet filtering firewalls. Besides providing stronger logging capabilities, many firewalls can also provide features like network address translation, authentication, and virtual private networks.
Choosing A Firewall
Once the decision is made to use firewall technology to implement an organization's security policy, the next step is to procure a firewall that provides the appropriate level of protection and is cost-effective. We cannot say what exact features a firewall should have to provide effective implementation of your policies, but we can suggest that, in general, a firewall should be able to do the following:
• Support a "deny all services except those specifically permitted" design policy, even if that is not the policy used.
• Support your security policy, not impose one.
• Accommodate new services and needs if the security policy of the organization changes.
• Contain advanced authentication measures or contain the hooks for installing advanced authentication measures.
• Employ filtering techniques to permit or deny services to specified host systems as needed.
• Use an IP filtering language that is flexible, user-friendly to program, and able to filter on as many attributes as possible, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.
• Use proxy services for services such as FTP and TELNET, so that advanced authentication measures can be employed and centralized at the firewall.
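To make the "deny all except those specifically permitted" design policy and the filtering attributes listed above concrete, here is an added example (not from the original text) of a minimal stateless filter: rules match on protocol, source/destination address, destination port and inbound/outbound interface, the first match wins, and anything unmatched is denied. The addresses, interface names and the TELNET proxy host are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One filter rule; an attribute left as None means 'any'."""
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # protocol type, e.g. "tcp" or "udp"
    src: Optional[str] = None        # source network in CIDR form
    dst: Optional[str] = None        # destination network in CIDR form
    dport: Optional[int] = None      # destination TCP/UDP port
    in_if: Optional[str] = None      # inbound interface
    out_if: Optional[str] = None     # outbound interface

    def matches(self, pkt: dict) -> bool:
        return (
            (self.proto is None or pkt["proto"] == self.proto)
            and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
            and (self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst))
            and (self.dport is None or pkt["dport"] == self.dport)
            and (self.in_if is None or pkt["in_if"] == self.in_if)
            and (self.out_if is None or pkt["out_if"] == self.out_if)
        )


def decide(rules: list, pkt: dict) -> str:
    """First matching rule wins; with no match the packet is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: nothing is permitted implicitly


# Constructed policy (hypothetical values): the protected side is eth0 on
# 10.0.0.0/8, the Internet side is eth1. Inside hosts may open HTTP and FTP
# control connections outbound; only the firewall's TELNET proxy host
# 10.0.0.5 may use TELNET, so TELNET authentication is centralized there.
POLICY = [
    Rule("permit", "tcp", src="10.0.0.0/8", dport=80, in_if="eth0", out_if="eth1"),
    Rule("permit", "tcp", src="10.0.0.0/8", dport=21, in_if="eth0", out_if="eth1"),
    Rule("permit", "tcp", src="10.0.0.5/32", dport=23, in_if="eth0", out_if="eth1"),
]


def pkt(proto, src, dst, dport, in_if, out_if) -> dict:
    """Build a constructed packet header for evaluation."""
    return dict(proto=proto, src=src, dst=dst, dport=dport, in_if=in_if, out_if=out_if)


if __name__ == "__main__":
    print(decide(POLICY, pkt("tcp", "10.1.2.3", "203.0.113.9", 80, "eth0", "eth1")))
```

Note that an inbound connection from the Internet matches no rule and is therefore denied without any explicit deny rule; that is what "deny all except specifically permitted" buys you.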
The firewall should contain the ability to concentrate and filter dial-in access. The firewall should contain mechanisms for logging traffic and suspicious activity, as well as mechanisms for log reduction so that logs are readable and understandable. If the firewall requires an operating system such as UNIX®, a secured version of the operating system should be part of the firewall, with other security tools as necessary to ensure firewall host integrity. The operating system should have all patches installed. The firewall should be developed in such a manner that its strength and correctness are verifiable. It should be simple in design so that it can be understood and maintained. The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner.
SUMMARY
In this chapter, we have covered some of the areas that need to be considered in the administration of a network. We have discussed network operations, the configuration of the network, network software, and network design. This is by no means all that will be required for administration, but it is a beginning.
1-19