written 8.5 years ago
Firewall Design Principles
- A firewall is a security barrier between two networks that screens the traffic entering and leaving one network, accepting or rejecting connections and services according to a set of rules.
- For a firewall to be effective, its design must be efficient. The principles that should be adopted while designing a firewall are as follows:
Firewall Characteristics:
i. All traffic from inside to outside and vice versa must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. The configurations used for this are the Screened Host Firewall (single-homed and dual-homed) and the Screened Subnet Firewall.
ii. Only authorized traffic, as defined by the local security policy, will be allowed to pass. The types of firewall that can be used are Packet Filters, Stateful Inspection Filters and Application Proxy Filters.
iii. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.
Techniques for Control:
Four general techniques that firewalls use to control access and enforce the security policy are as follows:
i. Service Control: This determines the types of internet services that can be accessed, inbound or outbound.
ii. Direction Control: This determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
iii. User Control: Control access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter.
iv. Behaviour Control: Controls how particular services are used.
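The four techniques above, applied together by one default-deny policy, as an added example that is not part of the original answer. The network (10.0.0.0/24), the mail server address, the permitted services and the SMTP connection cap are all constructed assumptions chosen to show each control firing on a distinct connection.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Tuple

INTERNAL_NET = "10.0.0."     # constructed: the protected LAN
MAIL_SERVER = "10.0.0.25"    # constructed: the only host allowed to receive SMTP
PERMITTED_PORTS = {22, 25, 80, 443}  # constructed: service control list


@dataclass
class Conn:
    """A connection attempt as seen at the perimeter (constructed record)."""
    src: str
    dst: str
    dport: int
    user: Optional[str] = None   # known only for authenticated internal users


@dataclass
class Firewall:
    smtp_limit: int = 3                      # behaviour control threshold
    smtp_seen: Counter = field(default_factory=Counter)

    def decide(self, c: Conn) -> Tuple[bool, str]:
        inbound = not c.src.startswith(INTERNAL_NET)
        outbound = c.src.startswith(INTERNAL_NET) and not c.dst.startswith(INTERNAL_NET)
        # Service control: only listed services may cross the perimeter at all.
        if c.dport not in PERMITTED_PORTS:
            return False, "service control: port not permitted"
        # Direction control: web and SSH may only be initiated from inside;
        # SMTP may only be initiated from outside, and only to the mail server.
        if c.dport in (22, 80, 443) and not outbound:
            return False, "direction control: must be initiated from inside"
        if c.dport == 25 and not (inbound and c.dst == MAIL_SERVER):
            return False, "direction control: SMTP only inbound to mail server"
        # User control: outbound SSH is restricted to the admin user.
        if c.dport == 22 and c.user != "admin":
            return False, "user control: SSH limited to admin"
        # Behaviour control: cap how many SMTP connections one external source may open.
        if c.dport == 25:
            self.smtp_seen[c.src] += 1
            if self.smtp_seen[c.src] > self.smtp_limit:
                return False, "behaviour control: SMTP connection limit exceeded"
        return True, "permitted"


if __name__ == "__main__":
    fw = Firewall()
    for conn in (Conn("10.0.0.5", "198.51.100.7", 443), Conn("198.51.100.7", "10.0.0.5", 443),
                 Conn("10.0.0.5", "198.51.100.7", 23), Conn("10.0.0.5", "198.51.100.7", 22, "bob")):
        print(conn, fw.decide(conn))
```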
Capabilities of Firewalls: The expectations from a firewall are as follows:
i. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from spoofing and routing attacks.
ii. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
iii. A firewall is a convenient platform for several internet functions that are not security related, such as network address translation and network management functions.
iv. A firewall can serve as the platform for IPsec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.
Limitations of Firewalls:
i. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
ii. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
iii. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical, if not impossible, for the firewall to scan all incoming files for viruses.