DESIGNING AND IMPLEMENTING FIREWALL

Designing and Implementing firewall



Table of Contents

Table of Contents2

Chapter I3

Introduction3

The Nature of Today's Attackers4

The Firewall to the Rescue6

Chapter II8

Types of Firewalls8

How a Firewall Works9

Basic TCP/IP Flow9

Packet Filtering11

Filtering Based on Source and Destination16

Stateful Inspection Filtering17

Application-Layer Filtering20

Logging21

Intrusion Detection22

Antivirus23

VPNs and Encryption24

Host-Based Firewalls26

Network Firewalls27

Proxy Services28

Reverse Proxy Services32

Chapter III35

Firewalls for Small Offices and Home Offices35

Firewalls for Enterprises42

Host-Based Firewalls on Corporate Networks43

Using a Demilitarized Zone45

Standard DMZ Web Site Architectures48

Multilayer Firewall Web Site Architectures50

Chapter IV52

Firewall Products52

Internet Connection Firewall52

How ICF Works54

ICF and Notification Messages59

Advanced ICF Settings60

Other Host-Based Firewalls61

Microsoft Internet Security and Acceleration Server 200061

Multilayer Firewall Security64

Circuit-Level Filtering64

Packet Filtering65

Application-Level Filtering67

Stateful Inspection67

Integrated Intrusion Detection68

High-Performance Web Cache69

Cache Array Routing Protocol69

Chained-Configuration Cache Placement69

Active Caching70

Unified Management71

Enterprise Policy and Access Control72

Nortel Networks Alteon Switched Firewall73

Firewall Scale Considerations74

Tools76

Check Point Policy Editor76

Check Point Log Viewer77

Check Point System Status Viewer78

Distributed Enterprise Management78

Object Creation and Management78

Operating80

Configuration80

Maintenance81

Real-Time Monitoring81

Supporting82

Capacity Management82

Chapter V83

Summary83

References85

Chapter I

Introduction

Firewalls are a key part of keeping networked computers safe and secure. All computers deserve the protection of a firewall, whether it's the thousands of servers and desktops that compose the network of a Fortune 500 company, a traveling salesperson's laptop connecting to the wireless network of a coffee shop, or your grandmother's new PC with a dial-up connection to the Internet.

This article covers the design, deployment, and use of both network and host-based firewalls (also called personal firewalls). Although home users have traditionally used only host-based firewalls, recent trends in security exploits highlight the importance of using both types of firewalls together. Traditional firewall architectures protect only the perimeter of a network. However, once an attacker penetrates that perimeter, internal systems are completely unprotected. Hybrid worms, in particular, have penetrated corporate networks through email systems, and then have spread quickly to unprotected internal systems. Applying host-based firewalls to all systems, including those behind the corporate firewall, should now be standard practice.



The Nature of Today's Attackers

Who are these “hackers” who are trying to break into your computer? Most people imagine someone at a keyboard late at night, guessing passwords to steal confidential data from a computer system. This type of attack does happen, but it makes up a very small portion of the total network attacks that occur. Today, worms and viruses initiate the vast majority of attacks. Worms and viruses generally find their targets randomly. As a result, even organizations with little or no confidential information need firewalls to protect their networks from these automated attackers.

If a worm or a virus does find a security vulnerability and compromises your system, it can do one of several things. To begin with, it will almost always start looking for other systems to attack so that it can spread itself further. In this case, you become one of the bad guys—because the worm or virus is using your computer to attack other systems on your internal network and the Internet, wasting your computing resources and bandwidth. Even though the worm or virus won't know what to do with your confidential data, chances are good that it will open a new back door into your system to allow someone ...