
APPROACHES FOR ENTERPRISE LEVEL SECURITY

In document BSIT 62 - Ecommerce (Page 98-101)

The Need for Computer Security

9.10 APPROACHES FOR ENTERPRISE LEVEL SECURITY

A firewall is a security device that allows limited access out of and into one's network from the Internet. That is, a firewall is a piece of hardware (or software) connected to a network to protect it from agents reaching resources on the network via public open networks. In effect, it only permits approved traffic in and out of one's local site. This type of security measure allows an administrator to select the services necessary to one's business and screen out any services that may be a potential security risk (e.g., allow WWW transactions but screen out FTP transactions). Protecting a network involves keeping out unauthorized users and preventing access to sensitive data by unauthorized users, while allowing legitimate users unencumbered access to network resources. In general, a firewall is placed between the internal trusted network and the external untrusted network. The firewall acts as a choke point that can be used for monitoring and rejecting application-level network traffic. Firewalls not only protect internal networks from untrusted networks (either internal or external); they may also be used to segment the enterprise network based on operational functionality. This segmentation would be useful in keeping, for example, sales personnel from gaining access to development/architecture systems, if such segmentation were deemed necessary. We focus in this discussion on external protection.

Firewalls may operate at the application layer of the protocol stack. They can also operate at the network and transport layers; in that case they examine the IP and TCP headers of incoming and outgoing packets and pass or reject packets based on the programmed packet-filter rules (such devices are called packet filters).

Security concerns go beyond the headquarters location. If a company has a corporate-wide backbone that connects corporate sites in several cities or countries, the network manager at a given site may choose to connect the site to a local ISP. The organization must then form a security perimeter by installing a firewall at each external connection. It needs an Internet firewall at the access (boundary) point of every network to be protected. For example, an organization can place a firewall at its connection to the global Internet to protect it from unwanted access. A firewall partitions an enterprise network into two areas, referred to informally as the inside and the outside.

To guarantee that the perimeter is effective, the organization must coordinate all firewalls to use exactly the same access restrictions. Otherwise, it may be possible to circumvent the restrictions imposed by one firewall by entering the organization's enterprise network through another firewall. If the organization has an unguarded external connection, an intruder will find it easier to locate and use the unguarded connection than to subvert the security mechanism on a guarded connection. In fact, the idea that a security system is only as strong as its weakest part is well known and has been termed the weakest-link axiom.

Firewalls are classified into three main categories:

1. Packet filters
2. Application-level gateways
3. Proxy servers

Packet filtering

Packet filtering at the network layer can be used as a first line of defense. Basic filtering comes as part of most routers' software. Each packet is either forwarded or dropped based on its source address, destination address, or a defined (TCP) port. Configuring a filter involves determining which services and addresses should and should not be permitted to access the network or server.

The mechanism requires the manager to specify how the router should treat each protocol data unit. For example, the manager might decide to filter all protocol data units that come from a particular source or those used by a particular application, while choosing to route other protocol data units to their destination. The term packet filter arises because the filtering mechanism does not keep a record of interactions or a history of previous protocol data units; instead, the filter considers each protocol data unit separately. A filter that does keep such connection state is called stateful; the basic mechanism described here is stateless.

When a protocol data unit arrives, the router passes it through its packet filter before performing any other processing. If the filter rejects the protocol data unit, the router drops it immediately. Many commercial routers can screen packets based on criteria such as the type of protocol, the source and destination address fields of a particular network-layer protocol, and control fields that are part of the protocol (for TCP, the flag bits). Many vendors call their screening-router products firewalls; they are firewalls in the sense that they protect the internal network based on network-level information. Screening routers provide a mechanism to control the type of network traffic that can enter a subnetwork, and by doing so they control the type of services that can exist on a network segment.

One may set up filtering to allow only certain services through, as long as the requests come in on the corresponding TCP port. This security measure involves some trust on the part of the local administrator: the assumption is that any request arriving on a specific port originated from the same service on the sending machine. For example, the usual SMTP port is 25; however, not all systems use port 25 for SMTP, and the port number is only a convention. A security breach could be caused by someone sending non-SMTP packets to port 25 from a foreign host, since the filter sees only the port number and not the protocol actually carried.

Filtering can occur on incoming packets, outgoing packets, or both; limitations may exist on one's router as to where a filter can be applied. As a general rule, filtering of incoming packets may protect the router itself from being compromised by an attacker.

Firewalls are generally a good way of protecting an organization against attacks through the Internet, but they do have limitations: a firewall can only provide effective protection if the services and programs that make it up work properly and contain no exploitable bugs. If the building blocks of the firewall are not solid, then the firewall is not solid and may be open to attack. As discussed earlier, some security issues come in the form of IP address spoofing, defined as sending packets from an outside host that claim to be sent from an internal host. Attacks using IP address spoofing are difficult to detect unless logging is performed and activities are correlated against legitimate use. Hence, though filtering helps in the fight against security threats, it does not by itself prevent address-spoofing attacks; a threat could still be realized by an attacker impersonating a trusted host that is not on the internal network. The standard countermeasure a filter can apply is to drop any packet arriving on the external interface whose source address belongs to the internal network; this defeats the simplest form of spoofing but not impersonation of a trusted external host.
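To make the packet-filtering mechanism and its limitations concrete, here is an added example (not code from the document) of a stateless packet filter of the kind described above, written in Python. Everything in it is a constructed assumption: the site prefix 192.0.2.0/24, the interfaces "ext" and "int", the hosts .10 and .20, the rule set, and the sample packets. The rules include an anti-spoofing rule, and the samples show a port-25 packet carrying non-SMTP bytes being passed because the filter reads only headers, and a reply to an outbound connection being admitted solely on its ACK bit, since a stateless filter keeps no record of the outbound request.

```python
"""Stateless packet filter ("screening router") of the kind the text describes.

Added example, not code from the document. Assumptions (constructed):
the protected site owns 192.0.2.0/24 (a documentation prefix), the router
has an external interface "ext" and an internal interface "int", and rules
are evaluated first-match with an implicit final deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed site prefix


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrived on: "ext" or "int"
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP control bits, e.g. {"SYN"} or {"SYN", "ACK"}
    payload: bytes = b""            # carried only to show the filter never looks at it


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    iface: Optional[str] = None     # None means "any" for this and every field below
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR block
    dst: Optional[str] = None       # CIDR block
    dport: Optional[int] = None
    ack_only: bool = False          # match only if the ACK bit is set
    note: str = ""

    def matches(self, p: Packet) -> bool:
        """Header fields only: no memory of earlier packets is consulted."""
        if self.iface and p.iface != self.iface:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ack_only and "ACK" not in p.flags:
            return False
        return True


RULES = [
    # Anti-spoofing: a packet claiming an internal source cannot legitimately arrive from outside.
    Rule("deny", iface="ext", src=str(INTERNAL_NET), note="spoofed internal source"),
    # Services the site chooses to expose: SMTP to the mail relay, HTTP to the web server.
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.10/32", dport=25, note="inbound SMTP"),
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.20/32", dport=80, note="inbound HTTP"),
    # Replies to connections opened from inside. A stateless filter cannot remember the
    # outbound SYN, so it approximates "established" by requiring the ACK control bit.
    Rule("permit", iface="ext", proto="tcp", dst=str(INTERNAL_NET), ack_only=True, note="return traffic"),
    # Everything leaving the site is allowed out.
    Rule("permit", iface="int", note="outbound"),
]


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [filter_packet(rules, p)[0] for p in packets]


SYN, SYN_ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
SAMPLE = [  # constructed packets, annotated with the expected verdict
    Packet("ext", "tcp", "203.0.113.5", "192.0.2.10", 40000, 25, SYN),                  # SMTP in: permit
    Packet("ext", "tcp", "203.0.113.5", "192.0.2.10", 40001, 25, SYN, b"\x16\x03\x01"),  # non-SMTP bytes on 25: permit anyway
    Packet("ext", "tcp", "192.0.2.7", "192.0.2.10", 40002, 25, SYN),                    # spoofed internal source: deny
    Packet("ext", "tcp", "203.0.113.5", "192.0.2.10", 40003, 21, SYN),                  # FTP screened out: deny
    Packet("int", "tcp", "192.0.2.7", "203.0.113.9", 51000, 443, SYN),                  # outbound HTTPS: permit
    Packet("ext", "tcp", "203.0.113.9", "192.0.2.7", 443, 51000, SYN_ACK),              # its reply (ACK set): permit
    Packet("ext", "tcp", "203.0.113.9", "192.0.2.7", 443, 51000, SYN),                  # fresh inbound from "port 443": deny
]

if __name__ == "__main__":
    for p in SAMPLE:
        action, why = filter_packet(RULES, p)
        print(f"{p.iface:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} => {action} ({why})")
```

The second sample packet is the page's port-25 example: the filter permits it because it never inspects the payload, which is exactly the gap an application-level gateway closes. The last two packets show the cost of statelessness: the only thing distinguishing a legitimate reply from an attacker's fresh connection sourced from port 443 is the ACK bit the attacker controls.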

Application-level gateways:

An application-level gateway provides a mechanism for filtering traffic for various applications. The administrator defines and implements code specific to the applications or services used at the site (applications such as SMTP reside at the application layer). Services or users that could compromise network security can then be restricted. To counter some weaknesses of packet-filtering routers, such firewalls use software applications to forward and filter connections for services such as Telnet, FTP, and HTTP. Application gateways mediate traffic between a protected network and the Internet. A key distinction between a packet-filtering router and an application-level gateway is the ability to filter and log at the application level rather than just the IP level.


Usually, only the most common services are supported, which limits the flexibility of integrating new technology; however, by supporting only the most common services, one may decrease the possible security threats. In this way, administrators do not have to worry about possible security holes in foreign hosts, which may implement only simple security measures. Another advantage of an application-level gateway is that it controls all traffic going in and out of the network and allows for logging. A gateway provides a central point for monitoring and logging activity, which means administrators can analyze all data passed through the gateway; from a security perspective this can be used to look for suspected illegal activity.

Application gateways have a number of advantages over packet-filtering routers, including logging, hiding of internal host names and IP addresses, robust authentication, and simpler filtering rules. An FTP gateway might be configurable to permit incoming FTP and block outgoing FTP, a particularly useful combination in maintaining a secure firewall. Most application gateways run in a UNIX environment and are susceptible to UNIX security infractions and operating-system misconfigurations. Most firewall applications that run in a UNIX environment use a stripped-down kernel, modified to offer additional security.

Proxy Servers

A proxy server terminates a user's connection (per application) and sets up a new connection to the ultimate destination on behalf of the user, proxying for the user. A user connects to a port on the proxy; the connection is routed through the gateway to a destination port, which is routed to the destination address. Logging can be set up to track such transmission information as the number of bytes sent, the inbound IP address, and the outbound destination IP address. Usually, if a proxy is used, the proxy server provides most of the Internet connectivity. An example of a proxy is a Web services proxy server (HTTP).

As for the disadvantages, most proxy servers require two steps to connect inbound or outbound traffic (the client connects to the proxy, and the proxy connects to the destination) and may require modified clients to work correctly.
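The application-level gateway and proxy behaviour described in the two sections above, as an added example that is not code from the document: a minimal HTTP proxy in Python that terminates the client's connection, judges the request by its application-layer content (method and destination host, not just a port number), and only then opens its own connection to the destination and relays the response, logging the client address, destination, and byte counts. The policy sets ALLOWED_METHODS and ALLOWED_HOSTS, the stub web server, and the four sample requests are all constructed assumptions; everything runs on loopback ports chosen by the operating system.

```python
"""Minimal application-level gateway: a forward HTTP proxy that terminates the
client's connection, applies policy to the parsed request, and only then opens
its own connection to the destination.

Added example, not code from the document. Assumptions (constructed): policy
allows only GET/HEAD and only destinations in ALLOWED_HOSTS; the "internal web
server" is a stub answering every request with "ok"; all sockets are loopback.
"""
from dataclasses import dataclass
import socket
import socketserver
import threading
from typing import Dict, List, Tuple

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"127.0.0.1"}   # assumed policy: the only destination reachable via the gateway


@dataclass
class LogEntry:                 # what a gateway can record that a packet filter cannot
    client: str
    target: str
    method: str
    decision: str
    bytes_to_dest: int = 0
    bytes_from_dest: int = 0


LOG: List[LogEntry] = []


def parse_request(head: bytes) -> Tuple[str, str, int, str]:
    """Parse a proxy-form request line 'GET http://host:port/path HTTP/1.x'.
    Raises ValueError for anything that is not such an HTTP request."""
    line = head.split(b"\r\n", 1)[0].decode("ascii", "strict")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1.") or not parts[1].startswith("http://"):
        raise ValueError("not an HTTP proxy request")
    method, target = parts[0], parts[1][len("http://"):]
    hostport, _, path = target.partition("/")
    host, _, port = hostport.partition(":")
    return method, host, int(port or 80), "/" + path


class GatewayHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        client_ip = self.client_address[0]
        self.request.settimeout(2)
        head = b""
        while b"\r\n\r\n" not in head:          # read only the request head from the client
            chunk = self.request.recv(4096)
            if not chunk:
                break
            head += chunk
        try:
            method, host, port, path = parse_request(head)
        except (ValueError, UnicodeDecodeError):   # bytes on the HTTP port that are not HTTP
            LOG.append(LogEntry(client_ip, "?", "?", "reject: not HTTP"))
            self.request.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        target = f"{host}:{port}"
        if method not in ALLOWED_METHODS or host not in ALLOWED_HOSTS:
            LOG.append(LogEntry(client_ip, target, method, "reject: policy"))
            self.request.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        # Policy passed: the gateway builds a fresh request and opens its OWN connection
        # to the destination, so the client's packets never reach the protected host.
        entry = LogEntry(client_ip, target, method, "allow")
        request = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
        with socket.create_connection((host, port), timeout=2) as upstream:
            upstream.sendall(request)
            entry.bytes_to_dest = len(request)
            while True:                         # relay the response back to the client
                data = upstream.recv(4096)
                if not data:
                    break
                entry.bytes_from_dest += len(data)
                self.request.sendall(data)
        LOG.append(entry)


class StubWebServer(socketserver.StreamRequestHandler):
    """Constructed stand-in for the internal web server behind the gateway."""
    def handle(self) -> None:
        self.rfile.readline()                   # consume the request line, answer, close
        self.request.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


def serve(handler) -> socketserver.ThreadingTCPServer:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def through_gateway(gw_port: int, raw: bytes) -> bytes:
    """Act as a client: send raw bytes to the gateway and return its whole reply."""
    with socket.create_connection(("127.0.0.1", gw_port), timeout=2) as s:
        s.sendall(raw)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := s.recv(4096):
            out += chunk
        return out


def run_demo() -> Tuple[Dict[str, bytes], List[LogEntry]]:
    LOG.clear()
    web, gw = serve(StubWebServer), serve(GatewayHandler)
    web_port, gw_port = web.server_address[1], gw.server_address[1]
    results = {  # constructed client traffic
        "get": through_gateway(gw_port, f"GET http://127.0.0.1:{web_port}/index.html HTTP/1.1\r\n\r\n".encode()),
        "post": through_gateway(gw_port, f"POST http://127.0.0.1:{web_port}/upload HTTP/1.1\r\n\r\n".encode()),
        "other_host": through_gateway(gw_port, b"GET http://10.9.8.7/ HTTP/1.1\r\n\r\n"),
        "not_http": through_gateway(gw_port, b"\x16\x03\x01\x00\x05hello"),  # non-HTTP bytes on the HTTP port
    }
    for srv in (gw, web):
        srv.shutdown()
        srv.server_close()
    return results, list(LOG)


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The "not_http" request is the application-layer counterpart of the page's port-25 warning: a packet filter would pass these bytes because the port matches, while the gateway rejects them because they do not parse as the protocol the port is supposed to carry. The "two steps" disadvantage mentioned above is visible in the code as the two separate TCP connections per request, and the hiding of internal addresses follows from the fact that the stub server only ever sees a connection from the gateway.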
