Using a Firewall General Configuration Guide

Academic year: 2021

Using a Firewall

1 Contents

There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead at some of the more popular commercially-available software and hardware firewall implementations that might be used with an Inmarsat service.

2 Introduction

Any ‘always-on’ Internet connection is a potential target for computer hackers. This is not a satellite-specific issue but a problem that exists for any computer or network that is permanently connected to the Internet.

The obvious solution to address this risk is to equip your computer or network with some sort of user-provided firewall. A remote network will typically use a scaled-down version of the type of hardware firewall that large corporate networks use whereas a software firewall is ideal for a single remote user where portability is paramount.

All firewall software gives at least the most basic protection. It blocks unauthorised inbound access to the PC, on any port number, from the Internet. The PC shouldn’t respond at all (so-called ‘stealth mode’), so it appears invisible. All unsolicited inbound access attempts are blocked regardless of source. Outbound traffic is monitored and only responses from contacted hosts are permitted back in. Firewalls can also filter outbound connections (from the PC to the Internet). Some viruses and Trojans (see the section on viruses in the Inmarsat document, Install a Firewall – Background Information) try to make surreptitious outbound connections – sometimes to transfer information like passwords or credit-card data and sometimes to allow someone else to connect to the PC through a ‘back door’. The effective use of anti-virus software will minimise the need for outbound filtering.
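As an added illustration that is not part of the original guide, the Python model below implements the policy just described: unsolicited inbound packets are dropped silently (‘stealth mode’), replies to connections the PC itself opened are let back in, and outbound connections are limited to approved ports. The packet layout and the sample traffic are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": PC -> Internet, "in": Internet -> PC
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


class StatefulFirewall:
    """Tracks connections opened from the inside and judges every packet
    against that table, as the stateful firewalls in the text do."""

    def __init__(self, approved_outbound_ports):
        self.approved = set(approved_outbound_ports)
        self.flows = set()  # 5-tuples of connections opened by the PC

    def filter(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in self.approved:
                return "DROP"  # outbound filtering, e.g. a Trojan phoning home
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: only the exact reverse of a tracked flow is a legitimate reply.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows and not pkt.syn:
            return "ACCEPT"
        return "DROP"  # no RST or ICMP is sent back, so the PC appears invisible


# Constructed sample traffic; addresses come from documentation ranges.
PC, WEB, PROBE = "10.0.0.2", "203.0.113.10", "198.51.100.7"
SAMPLE = [
    Packet("out", "tcp", PC, 51000, WEB, 80, syn=True),      # PC opens HTTP
    Packet("in", "tcp", WEB, 80, PC, 51000),                 # genuine reply
    Packet("in", "tcp", PROBE, 40000, PC, 139, syn=True),    # unsolicited NetBIOS probe
    Packet("in", "tcp", PROBE, 40000, PC, 51000),            # forged "reply" from elsewhere
    Packet("out", "tcp", PC, 51001, PROBE, 6667, syn=True),  # outbound to unapproved port
]


def run_sample():
    """Return the verdict for each packet in SAMPLE, in order."""
    fw = StatefulFirewall(approved_outbound_ports={80, 443})
    return [fw.filter(p) for p in SAMPLE]
```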

If you are in doubt about the protection your firewall offers, there is a Web-based utility available at http://www.pcflank.com/ which tests firewalls (benignly, fortunately). Connect to the site and check your protection on-line.

3 Software firewalls

3.1 Agnitum Outpost

Whenever a new IP or NetBIOS connection is requested, the firewall prompts the user to confirm whether the connection type, port number and application are authorised. See below:


The resulting rules can be modified and updated at will as more knowledge is gained of the behaviour of your applications.

3.2 Zone Alarm

Other software firewalls such as Zone Alarm can be downloaded from http://www.zonelabs.com/. This firewall is similar to Outpost and an example of how its prompt is presented is shown below:

4 Hardware firewalls

4.1 General

Many commercial off-the-shelf routers and hubs now come with built-in firewalls, VPNs etc. If the routing functions of these devices are working, then it is likely that the other options, in particular the firewall and network-access management, will also work.

Some examples of typical compact hardware firewalls are described below.

4.2 Symantec

Symantec Firewall/VPN appliances are integrated hardware and software systems that provide secure connections via the Internet. Symantec Firewall/VPN offers remote sites a method of securing inbound and outbound web, email, FTP and other network traffic, and can provide firewall protection and VPN access to satellite locations and branch offices. The appliance uses a Stateful Packet Inspection (SPI) firewall to monitor and cleanse traffic to and from the Internet. It uses IPSec VPN technology to provide the gateway-to-gateway authentication, confidentiality, and encryption required to ensure the integrity of data across public connections. The VPN Global Tunnel offers data traffic control and tunnelling between local sites and the central office or ISPs.

4.3 Netgear

The NETGEAR ProSafe Firewall/Print Servers provide users with security: Denial of Service (DoS) protection and Intrusion Detection using Stateful Packet Inspection (SPI), URL access and content filtering, logging, reporting, and real-time

Mbps WAN port for high-speed services. Software tools are provided to assist in getting a network up and running.

4.4 Cisco PIX 501

The Cisco PIX 501 Firewall provides security for small offices and tele-workers. Suitable for securing high-speed ‘always on’ broadband environments (such as Regional BGAN), the Cisco PIX 501 Firewalls provide security capabilities, small office networking features and remote management capabilities. The Cisco PIX 501 Firewall includes Stateful Packet Inspection (SPI) firewalling, virtual private networking (VPN) and intrusion protection. It uses the Cisco Adaptive Security Algorithm (ASA) and PIX operating system. PIX 501 administrators can enforce customized policies on network traffic traversing the firewall. The Cisco PIX 501 Firewall can also secure network communications from remote offices to corporate networks across the Internet using Internet Key Exchange (IKE)/IP security (IPSec) VPN capabilities. It supports data encryption with 56-bit Data Encryption Standard (DES) or optional 168-bit Triple DES (3DES) encryption.

4.5 SMC Barricade

The SMC Barricade is another popular hardware firewall / router which supports an Internet firewall, print serving and Network Address Translation for up to 253 PCs on your LAN. It also features four 10/100 Mbps RJ-45 ports, a WAN port, a DB-25 printer port and a DHCP server. There is also a DB-9 port for PSTN/ISDN connections. The Barricade also supports VPN. The print server feature can be accessed from any PC on the network. Configuration and management is Web-based.

5 Active content protection & network access controls

5.1 SurfinGuard

Other software products have been developed which create a safe ‘Sandbox’ within which active content or PC applications can operate, but from which any suspicious behaviour will be reported for user approval. These are complementary to virus-checking software, as the protection offered does not completely overlap. One such application, for example, is SurfinGuard from Finjan Software, downloadable from http://www.finjan.com/.

Any active content downloaded from the web prior to SurfinGuard installation can still be forced to run in the Sandbox by dragging it onto a desktop Safe Zone icon, or by using a Run Safe menu option. Many normal applications, however, will be reported as a security breach when they are run inside the Sandbox (e.g. the Microsoft Word executable ‘winword.exe’ reads from and writes to the registry and to files as part of its normal operation).

5.2 NetNanny

Other popular content-control software is available, such as NetNanny, which applies web filtering by means of ‘black lists’ and ‘white lists’. This is downloadable from http://www.netnanny.com/. It supports the latest browser software and can match key words to block undesired URLs. You can block pop-up windows and cookies. Although that is also available through Internet Explorer 6, for example, NetNanny additionally enables time limits for individual account holders and the ability to block some popular web messenger clients. Detailed user access reports are also captured. One feature that may be useful in the Internet café application is a kiosk mode for PCs shared by members of the public.
