FREE ELECTRONIC LIBRARY - Abstract, dissertation, book

Pages:   || 2 | 3 |

«Table of Content Executive Summary Brief survey of firewall concepts What is the problem? What is a firewall? What skills are necessary to manage a ...»

-- [ Page 1 ] --

Firewall Strategies

June 2003

(Updated May 2009)

Table of Content

Executive Summary

Brief survey of firewall concepts

What is the problem?

What is a firewall?

What skills are necessary to manage a firewall?

Do firewalls have a downside?


What are the options?

Managed Network Firewall Service

Personal or host-based firewalls

Special constructs for researchers:

Which computer systems should be protected?

NUIT’s approach to firewall deployment

Balancing effectiveness and costs

Mixing and matching firewall solutions

NUIT planned service offering

Non-NUIT Managed Network Firewalls


Appendix A – Firewall Vendor Recommendation



Technical Background

Product Descriptions

Cisco – PIX and FWSM



Vendor comparison

Ease of management and administration of the platform

Installation into the infrastructure

Shared management

Advanced features

Company focus


Appendix B – Personal Firewall Software

Appendix C – Firewall Service Pricing

Executive Summary Firewalls are one component of a strategy to combat malicious activities and assaults on computing resources and network-accessible information. Other components include anti-virus software and intrusion detection software. Most computers within Northwestern are protected by anti-virus software.

NUIT has prepared this document to orient both technical and management staff to the capabilities of firewall software, and to assist those persons to decide on an appropriate level of participation in this technology. While several approaches were considered for individual users, departments, and divisions, NUIT recommends that the University adopt a systematic approach to this security issue. Common equipment and common management approaches will leverage investments to increase overall security.

Brief survey of firewall concepts What is the problem?

Due to ongoing occurrences of network security incidents and the increased requirements to protect institutional information, there is interest within University departments for a method of controlling the traffic that is allowed to access their computers. The ideal solution would be for each computer or networked device to be secured from intrusion and patched to eliminate vulnerabilities; however, this is not always a realistic scenario. The challenge lies in not only understanding the vulnerabilities of a system and in configuring a system to behave securely, but also in enforcing the security best practices for all the devices within one’s domain. Products that have a default install of “unsecure” make this task all the more difficult. Many departments find it difficult to enforce security policies or to educate end users or themselves on how to do this. As a result of these concerns, many departments are looking for a way to control the traffic that is allowed to access their computer systems.

Although firewalls are not a complete solution to preventing security attacks against a host or the network itself, they can add another layer of security when properly deployed. A firewall is by no means a panacea; it’s simply another tool to assist in controlling the types of traffic that a host must deal with. The only completely secure firewall is one that blocks all traffic; however, a computer with no network connectivity is not a very useful one these days.

What is a firewall?

A firewall is a device or software that can inspect traffic at a deeper level than most network elements. It can be software that resides on a host [1] and inspects traffic before it is allowed to interact with any other applications on that host. This type of firewall is known as a host-based firewall or personal firewall. A second type of firewall is a network firewall that does not reside on the computer system that it’s protecting. It is a standalone device that must be inserted into the network so that it can inspect traffic that flows through it and make decisions on whether it will allow or deny a particular packet or flow of packets. Neither type of firewall has any “magic” that can decipher good traffic from bad traffic. The firewall makes a decision using the information that has been provided by the person responsible for the systems being protected. This information is expressed as a set of rules known as the “ruleset”. The ruleset should follow a department’s security policy, which is an essential component to establishing security. If one can’t define what traffic should be allowed, then rules can’t be developed to enforce it.

What skills are necessary to manage a firewall?

The management of a firewall requires a detailed understanding of data networking elements (routers and switches), as well as a detailed understanding of network protocols (the languages used when systems communicate over the network). Furthermore, it requires the ability to translate these concepts along with a security policy into an effective ruleset that can be applied to the firewall.

Beyond installation of the firewall into the network, firewalls must be configured with rulesets that accept or deny the types of traffic specific to the department’s security policy. The collection of rules that make up the ruleset must be logically defined in the format dictated by the firewall’s operating system and in the proper order.

Both routers and switches are network elements that require experience to effectively deploy and firewalls that perform these same functions have the same requirement. There are two general modes of operation for network firewalls.

Network firewalls can act as routers (route mode) or switches (transparent mode). Route mode is the more traditional mode used by firewalls and requires modifications to the existing infrastructure in order to accommodate the new networks that are created for the protected hosts. NAT (network address translation) is a special form of route mode and will not be distinguished from route mode for the purposes of this discussion. Route mode also requires that the IP addresses of the protected hosts changed. Transparent (switch) mode allows for a more seamless installation yet still requires an understanding of switching technology to safely deploy.

Do firewalls have a downside?

Putting every host behind a network firewall requires that all traffic go through the firewall in order to access resources on the other side. There is some benefit to putting up a barrier between a user and network resources but there are also negative effects.

Firewalls are high-touch systems that need to look much deeper into a packet than a simple switch or routing device. As a packet flows through a firewall, many processes need to occur: 1) a connection must be accepted from the outside, 2) information about the connection must be stored, 3) a decision must be made about how to process the packets associated with that connection, and 4) new connections to the inside need to be established. This processing needs to happen separately for each connection or communication between two hosts and in both directions. Comparing this processing with that of a low-touch network element such as a switch or router, firewalls will cause delay that could affect the flow of information between hosts on a network. The amount of delay experienced through a firewall is dependent on how the firewall is implemented.

Firewalls that process in hardware will be faster than firewalls that process in software.

The complexity and high-touch aspect of firewalls also limits the new applications that can be supported behind a firewall since the firewall must be updated to understand each new application. This is especially important in a university department that requires high bandwidth applications or advanced services such as jumbo packets, IP version 6 or encryption. The original design of the Internet stressed the end-to-end argument that put intelligence and complexity at the edges while keeping devices in the middle simple and efficient. This design is important to researchers because it does not put up a barrier to the development of new and innovative applications.

Recommendations What are the options?

In determining the placement and method of attaching firewalls to the network, there are several alternatives to consider. Placement of the firewall determines what set of users can be protected from each other and how easily a solution can be managed both from NUIT’s perspective and the University community. When deciding on how to incorporate a firewall into a security strategy, department administrators have two options from which to choose: managed network firewall service or a host-based firewall. The managed network firewall service is a stand-alone firewall appliance that is deployed in the network. Host-based firewalls comprises of a software running on a host and can be utilized where a managed network firewall is impractical or unfeasible (as discussed below), or as an additional layer of control in conjunction with a managed network firewall. The features and concerns of both the options, which were identified at the time of assessment, are outlined below.

Managed Network Firewall Service The recommended solution is the firewall service option where the network firewall is installed, managed and maintained by NUIT. Choosing to purchase a firewall service from NUIT has several benefits. The department will be alleviated of the everyday management of the device, which will be backed up and monitored by NUIT. Should the device fail, NUIT will replace it on the spot and put the configurations back to get the department up and running quickly. The appliance would be a best-of-breed solution that NUIT certifies for installation into the University network. Such a device will have the features necessary to run applications supported by the University.

The firewall features of this enterprise class equipment are outlined below:

• Bandwidth capacity from 160Mbps to 1 Gbps (firewalls with much higher bandwidth capacity are available to cater to custom requirements)

• Do not preclude features such as remote access VPN, multicast, H.323, VoIP, etc.

• Support for multiple deployment options (route mode, NAT mode and transparent mode)

• Robustness features such as hardware processing and several mechanisms to prevent DoS attacks.

• Enhanced logging and management.

In addition to the powerful feature set, the managed network firewall service

provides additional benefits to technical administrators:

• Support contracts are handled by NUIT while customer pays an easily budgeted annual fee.

• Ability for the customer to manage their own rulesets; while NUIT manages the rest of the firewall.

• Software upgrades would be handled as part of the service.

• Customers can take advantage of future NUIT services such as correlation of logs that will enhance the overall security of the University.

• Positions the customer for new firewall services that will provide immediate protection against new attacks that may arise.

Personal or host-based firewalls Host-based firewalls can be very effective in defining a security policy because they are only responsible for a single host. For the majority of hosts that are client [3] PC’s, a single rule such as “don’t allow any communication to this host unless this host initiated the conversation” will suffice. This type of rule can be easily applied with most firewalls, but may be too restrictive for hosts that need to accept outside connections. An example of such a host would be one participating in a video conference. In general, if the hosts within a domain are homogenous with respect to their security policy, firewalls (host-based and network) will be very effective. Management issues occur when the host security policies are unique for each host. In this case management of each individual host-based firewall will be time consuming without a centralized management console.

Depending on the licensing and central management features, host-based firewalls can also be expensive. For those departments that are able to upgrade to Windows XP/Vista or Windows 2000 a host-based firewall is included with the price of Windows. The Linux operating system also has a built-in firewall.

Separate firewall products often come with subscription support that can be valuable when no other layers of protection are deployed. See Appendix B for a brief discussion of this software.

Host-based firewalls can be used alone or in conjunction with a network firewall for an added layer of security. The benefits of host-based firewalls are

summarized below:

• A host is protected even if it is moved from network to network (as with mobile devices)

• Certain operating systems provide host-based firewalls free of charge (Windows XP/Vista, Mac OS X, Linux)

• Host-based firewalls can have very effective rulesets since they enforce the security policy for a single host.

Host-based firewalls have the following issues that may decrease their

effectiveness when used for servers or clients with diverse security requirements:

• A host-based firewall on a heavily loaded computer may delay processing needed for other tasks the host is required to do. Therefore, host-based firewall software may not be a good solution for a server.

• Host-based firewalls are only as secure as the underlying operating system and may be more susceptible to DoS attacks.

• Managing several host-based firewalls with unique rulesets will be difficult without additional management software.

Special constructs for researchers:

The operational requirements for research computer systems are very different from the operational requirements of administrative computer systems.

Administrative systems look very much like the business world and firewalls that exist today meet their needs nicely; however, research systems cannot be accommodated with firewalls that exist in the industry today.

Pages:   || 2 | 3 |

Similar works:

«Corporate responsibility before God? An examination of the seven letters to Asia Minor in Revelation chapters 2 and 3. By John Watton A thesis submitted for the degree of Master of Theology at the South African Theological Seminary March 2014 Assigned supervisor: Prof. Dan Lioy Abstract Revelation chapters 2 and 3 appear to contain language that refers to the corporate deeds, the corporate faithfulness and the corporate perseverance of the recipients. Does this indicate that the members of a...»

«VOLUME TWO, NUMBER THREE / OCTOBER 2002 In This Ish: Silent eLOCutions (Art by Trinlay Khadro & Ye Editor) Smoke & Mirrors by Alan White (Art by Alan White) State of the Art: Graphic Novel Writers Coda by Will Allan Hogarth Saints by E. B. Frohvet (Art by William Rotsler) The Faned Article Pool by J. G. Stinson (art by my rubber stamp collection) Will the Real Swamp Thing Please Stand Up? (editorial) (Art by Alan White) Free Book Deal Update Pub Crawl: Zine Reviews by J.G. Stinson Additional...»

«EUROPÄISCHE KOMMISSION Brüssel, den 9. November 2005 SEK (2005) 1423 Kosovo (gemäß der Resolution 1244 des Sicherheitsrats der Vereinten Nationen) Fortschrittsbericht 2005 {KOM (2005) 561 endg.} A. EINLEITUNG 1. VORBEMERKUNG 2. HINTERGRUND 3. BEZIEHUNGEN ZWISCHEN DER EUROPÄISCHEN UNION UND KOSOVO B. UMSETZUNG DES STABILISIERUNGSUND ASSOZIIERUNGSPROZESSES 1. POLITISCHE LAGE 1.1 Demokratie und Rechtsstaatlichkeit 1.2 Menschenrechte und Minderheitenschutz 1.3 Regionalfragen und internationale...»

«      Reaktionen von Zellen des Immunsystems auf Bestrahlung mit  Kohlenstoff‐Ionen und Röntgenstrahlung      Vom Fachbereich Biologie  der Technischen Universität Darmstadt  zur Erlangung des akademischen Grades eines  Doctor rerum naturalium (Dr. rer. Nat.)  genehmigte Dissertation von    Dipl‐.Biol. Sandro Conrad  aus Dietzenbach         Referentin:        Prof. Dr. K. Nixdorff  Korreferent:        Prof. Dr. G. Kraft ...»

«Verge 9 Weston Kulvete The Bitter Dream: Internalized Racism in the Passing Narratives of the Harlem Renaissance For black authors living in New York during the 1920s and 1930s, the Harlem Renaissance served as a forum in which issues of race and identity could be openly discussed. Despite George S. Schuyler's claims that little of any merit has been written by and about Negroes that could not have been written by whites or Alain Locke's protests that genius and talent. must choose art and put...»

«Understanding teenage sexuality in Ireland PAGE 1 Understanding teenage sexuality in Ireland Abbey Hyde and Etaoine Howlett ISBN: 0-9548669-4-0 PAGE 2 Understanding teenage sexuality in Ireland Understanding teenage sexuality in Ireland PAGE 3 Foreword It is a great pleasure to introduce this important research report – the first major qualitative study on teenage sexuality in Ireland. This research aimed to explore, in depth, post-primary pupils’ perspectives on sexuality, sex education...»

«Updated: 04/17/12 revised CURRICULUM VITAE Martin A. Lindquist PERSONAL DATA 1255 Amsterdam Ave Telephone: (212) 851-2148 Room 1031, 10th Floor, MC 4690 Fax: (212) 851-2164 New York, NY 10027 Email: martin@stat.columbia.edu EDUCATION AND TRAINING 2001 PhD, Department of Statistics, Rutgers University, New Brunswick, N.J. GPA: 3.97/4.0 Dissertation: Fast Functional MRI Using Two-Dimensional Prolate Spheroidal Wavefunctions. Advisors: Larry Shepp, PhD. & Cun-Hui Zhang, PhD. 1997 MSc., Engineering...»

«SECURITIES AND EXCHANGE COMMISSION (Release No. 34-77477; File No. SR-NYSE-2016-17) March 30, 2016 Self-Regulatory Organizations; New York Stock Exchange LLC; Notice of Filing of Proposed Rule Change, as Modified by Amendment No. 1 Thereto, to Amend Rule 86 to Add Additional Order Types to the NYSE BondsSM Platform, Codify Functionality of Order Types Currently Available on NYSE Bonds, and Amend the Definition of Indicative Match Price in Current Rule 86(B)(2)(G) to Provide Greater Detail of...»

«Invitation Dear Exhibitors, Thank you for your interest in China International Auto Products Expo (CIAPE) ! Involved in the world’s largest auto market, it is a pressing concern how auto enterprises can Keep a global perspective and excel in the competition across the globe. Here we highly recommend China International Auto Products Expo, through which I hope you will find the answer. Features of CIAPE ● The exclusive national platform for display of international and professional auto...»

«FMO Development Impact Report 2013/14 Demonstrating FMO’s Development Results through Measurement and Evaluation FMO Strategy Department Development Impact Unit February 2014 Note to the reader: FMO’s Impact Report 2013/14 is a concise presentation of the findings from project evaluations and other evaluationrelated work carried out by FMO’s Evaluation Unit (from 1/1/2014: Development Impact Team) in the course of 2013. Any opinions and conclusions contained in this report are those of...»


«Anhang | Text Fanni Fetzer, „Freiheit. Ein Gedicht. Ein Haus.“, in Isa Melsheimer, Mittelland, Ausstellungskatalog Kunsthaus Langenthal, Langenthal 2010 «Die Bettine, die alle Leute zu kennen scheint, zwischen den Gruppen hinund herläuft, holt sie ein, fragt in ihrer mutwilligen Laune, was sie sich wünschen würden, hätten sie drei Wünsche frei. Die Günderode lacht: Ich sag‟s dir später. Sie wüsste keinen, ihre Wünsche sind unbegrenzt. Kleist? Und Sie? Kleist sagt: Freiheit. Ein...»

<<  HOME   |    CONTACTS
2016 www.abstract.xlibx.info - Free e-library - Abstract, dissertation, book

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.