UNIX System Administration Handbook - Evi Nemeth [401]
The most secure way to use a packet filter is to start with a configuration that allows nothing but inbound SMTP. You can then liberalize the filter bit by bit as you discover useful things that don’t work.
Some extremely security-conscious sites use two-stage filtering. In this scheme, one filter is a gateway to the Internet, and a second filter lies between the outer gateway and the rest of the local network. The idea is to leave the outer gateway relatively open and to make the inner gateway very conservative. If the machine in the middle is administratively separate from the rest of the network, it can provide a variety of services on the Internet with reduced risk.
A reasonable approach to the FTP dilemma is to allow FTP to the outside world only from this single, isolated host. Users can also log in to the FTP machine when they need to perform other network operations that are forbidden from the inner net. Since replicating all user accounts on the FTP “server” would defeat the goal of administrative separation, you may wish to create FTP accounts by request only. Naturally, the FTP host should run a full complement of security-checking tools.
Service proxy firewalls
Service proxies intercept connections to and from the outside world and establish new connections to services inside your network, acting as a sort of shuttle or chaperone between the two worlds. It’s much like driving to the border of your country, walking across the border, and renting a sanitized, freshly washed car on the other side of the border to continue your journey.
Because of their design, service proxy firewalls are much less flexible (and much slower) than pure packet filters. Your proxy must have a module that decodes and conveys each protocol you want to let through the firewall. In the early 1990s this was relatively easy because there were only a few protocols in common use. Today, internauts might use several dozen protocols in an hour of web surfing. As a result, service proxies are relatively unpopular in organizations that use the Internet as a primary medium of communication.
Stateful inspection firewalls
The theory behind stateful inspection firewalls is that if you could carefully listen to and understand all the conversations (in all the languages) that were taking place in a crowded airport, you could make sure that someone wasn’t planning to bomb a plane later that day. Stateful inspection firewalls are designed to inspect the traffic that flows through them and compare the actual network activity to what “should” be happening. For example, if the packets exchanged in an FTP command sequence name a port to be used later for a data connection, the firewall should expect a data connection to occur only on that port. Attempts by the remote site to connect to other ports are presumably bogus and should be dropped.
Unfortunately, reality usually kills the cat here. It’s no more realistic to keep track of the “state” of the network connections of thousands of hosts using hundreds of protocols than it is to listen to every conversation in every language in a crowded airport. Someday, as processor and memory capacity increase, it may eventually be feasible.
So what are vendors really selling when they claim to provide stateful inspection? Their products either monitor a very limited number of connections or protocols, or they search for a particular set of “bad” situations. Not that there’s anything wrong with that; there is clearly some benefit to be obtained from any technology that can detect traffic anomalies. In this particular case, however, it’s important to remember that the claims are mostly marketing hype.
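The FTP case described above is the one situation where a stateful firewall has a concrete, checkable expectation: the control channel announces exactly one address and port for the next data connection, and any other connection attempt is bogus. The following tracker is an added example, not code from the book or from any firewall product. It generalizes the text slightly by handling both active mode (the client's PORT command) and passive mode (the server's 227 reply); all addresses, ports and control-channel lines are constructed sample values.

```python
import re

# Active mode: the client announces the address the server should connect back to.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: the server announces the address the client should connect to.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six FTP address fields h1,h2,h3,h4,p1,p2 into (ip, port)."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("FTP address field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _announced(regex, line):
    """Return (ip, port) named by a PORT/227 line, or None if it is absent or malformed."""
    m = regex.match(line)
    if not m:
        return None
    try:
        return decode_hostport(m.groups())
    except ValueError:
        return None


class FtpStateTracker:
    """Remembers, per control session, the single data connection to expect next."""

    def __init__(self):
        # (client_ip, server_ip) -> (src_ip, dst_ip, dst_port) of the expected data connection
        self.expected = {}

    def observe_control(self, client_ip, server_ip, src_ip, line):
        """Inspect one control-channel line; return the expectation it created, or None.

        Only an announcement that names the speaker itself on an unprivileged port is
        honoured; a PORT naming some third host, or a bad port, creates no expectation.
        """
        key = (client_ip, server_ip)
        if src_ip == client_ip:                      # client speaking: active mode
            hp = _announced(PORT_RE, line)
            if hp is None or hp[0] != client_ip or hp[1] < 1024:
                return None
            self.expected[key] = (server_ip, client_ip, hp[1])
        elif src_ip == server_ip:                    # server speaking: passive mode
            hp = _announced(PASV_RE, line)
            if hp is None or hp[0] != server_ip or hp[1] < 1024:
                return None
            self.expected[key] = (client_ip, server_ip, hp[1])
        else:
            return None
        return self.expected[key]

    def allow_data_connection(self, client_ip, server_ip, src_ip, dst_ip, dst_port):
        """Admit a new non-control TCP connection only if it is the one announced."""
        key = (client_ip, server_ip)
        if self.expected.get(key) != (src_ip, dst_ip, dst_port):
            return False
        del self.expected[key]  # one announced connection, consumed once it is used
        return True


def run_demo():
    """Replay a constructed control/data sequence; return the firewall's decisions in order."""
    client, server = "10.0.0.5", "198.51.100.7"   # constructed sample addresses
    fw = FtpStateTracker()
    decisions = []

    # Active mode: client says PORT 10,0,0,5,4,1  -> expects server -> 10.0.0.5:1025
    fw.observe_control(client, server, client, "PORT 10,0,0,5,4,1")
    decisions.append(fw.allow_data_connection(client, server, server, client, 1025))  # announced
    decisions.append(fw.allow_data_connection(client, server, server, client, 1026))  # wrong port
    decisions.append(fw.allow_data_connection(client, server, server, client, 1025))  # already used

    # Passive mode: server says 227 (...,200,10) -> expects client -> 198.51.100.7:51210
    fw.observe_control(client, server, server,
                       "227 Entering Passive Mode (198,51,100,7,200,10).")
    decisions.append(fw.allow_data_connection(client, server, client, server, 51210))

    # Bogus: a PORT naming a third host creates no expectation, so nothing is admitted.
    fw.observe_control(client, server, client, "PORT 192,168,1,9,4,1")
    decisions.append(fw.allow_data_connection(client, server, server, "192.168.1.9", 1025))
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes is the one the text makes in the next paragraph: this is tractable for one well-understood protocol whose control channel is plain text and whose expectation is a single (address, port) pair. Keeping equivalent state for hundreds of protocols across thousands of hosts is a different matter.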
Firewalls: how safe are they?
A firewall should not be your primary means of defense against intruders. It’s only appropriate as a supplemental security measure. The use of firewalls often provides a false sense of security. If it lulls you into relaxing other safeguards, it will have had a negative effect on the security of