Tutorial: Internet
How To Build And Run A Firewall
We take a look at some of the issues involved in choosing, setting up and running a firewall.
By Simon Bisson
Now that corporate access to the Internet is seen as a business advantage, more and more companies are finding themselves having to think long and hard about the security implications of a connection. With attacks on business computer systems becoming more visible (and potentially more expensive), and with holes in operating systems more public, some form of Internet security policy is essential. This can include everything from limiting the number of machines and systems with an Internet connection, to controlling what files can enter or leave a company network. A security policy alone won't prevent attacks and intrusions, so some form of defence is required, often implemented in the form of a firewall.

Definition

A firewall is a set of tools designed to prevent unauthorised access to a network, and can mix hardware and software solutions to provide a layered defence. A typical firewall architecture is based around two concepts: the "choke router" and the "bastion host" [refer also to Understanding Firewalls, File S0499, PCNA Issue 86 - Ed.].

Most routers allow you to define access control lists, which can control exactly which IP packets are routed and to where. Whilst choking an Internet connection this way is an all-or-nothing security mechanism, you can use router access control lists to explicitly deny access to your network for specific packet types, or to make sure that certain packets are only delivered to specific machines so that, for example, mail is only delivered to your mail server or Web access is only to your public Web server or Web proxies.

Bastion Host

Keeping the network itself secure is the job of the bastion host. Taking its name from the fortified gateways of a feudal Norman castle, this is what is often thought of as the firewall, but it is really only part of a layered firewall architecture.

The bastion host is a machine with only one purpose: to pass packets between your network and the Internet. Usually, it's a dedicated machine with two separate network interfaces. The bastion host will act as an active router, linking your private network to the Internet, monitoring the state of each connection and blocking packets that don't meet the rules you have defined. If you use it for anything other than an Internet gateway, you may be adding weaknesses to a security architecture. For example, if you use the machine for reading email, it's possible for someone to send an email with an embedded ActiveX control so that, when you read the message, the control turns off the firewall.

You must make sure that the bastion's operating system is configured to prevent any packets being routed directly between its network interfaces. Most commercial packages will handle this for you, but if you are unsure, you can configure most dialects of Unix to stop any internal routing.

The DMZ

Between the choke router and the bastion host lies the "Demilitarised Zone". The DMZ is a partially protected area, where you can install public services. Machines in the DMZ should not be fully trusted, and should only be used for a single purpose, such as a Web server or an ftp server. Any extra services should be disabled, and user accounts kept to a minimum. If it is possible to only allow logins from trusted hosts or the system console, all other access routes should be removed. Some firewall packages make the DMZ more secure by using a third network interface to host public services and using the firewall software to protect them rather than a choke router.

Firewall Policies

It's sometimes best to think of Internet security policies in terms of the "Four Ps", namely Paranoia, Pragmatism, Permissiveness and Promiscuity. Each approach is the result of a different assessment of the risks involved in opening a corporate network to the Internet:

- A Paranoid network is never connected to the Internet.
- A Pragmatic network only permits selected applications and services access to the Internet, and blocks all others.
- A Permissive network lets all applications have access to the Internet, except for those specifically seen as a threat.
- A Promiscuous network is connected directly to the Internet, and lets all applications and services have full access to and from the Internet.

One of the best techniques for securing a network is to hide it from the Internet. A range of IP addresses is reserved for intranet use, and allows you to build as large a network as you like, as long as you use some form of network address translation to allow packets to travel into and out of your network.
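The choke-router access lists and the Pragmatic/Permissive stances above are easiest to see with a small first-match packet filter. The following is an added example written for this tutorial, not code from the article or from any firewall product; the addresses (a DMZ of 203.0.113.0/24 with the mail server at .25 and the public Web server at .80), the rule names and the sample packets are all constructed. The same explicit rules are evaluated twice, once with a default-deny (Pragmatic) policy and once with a default-permit (Permissive) policy, to show that "mail is only delivered to your mail server" holds only when unmatched traffic is blocked by default.

```python
"""Toy packet filter: ordered access-control rules plus a default policy.

Added example, not part of the PC Network Advisor article. It models the
choke-router access lists described in the text and contrasts the
Pragmatic (default deny) and Permissive (default permit) stances.
All addresses, rule names and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int        # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: str                     # destination host or CIDR block
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    name: str = ""               # human-readable label only

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; the default policy decides the rest."""

    def __init__(self, rules: List[Rule], default: str):
        assert default in ("permit", "deny")
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed DMZ addressing (203.0.113.0/24 is a documentation range).
DMZ = "203.0.113.0/24"
MAIL_SERVER = "203.0.113.25"
WEB_SERVER = "203.0.113.80"

CHOKE_RULES = [
    Rule("permit", MAIL_SERVER, "tcp", 25, "smtp only to the mail server"),
    Rule("permit", WEB_SERVER, "tcp", 80, "http only to the web server"),
    Rule("deny", DMZ, "tcp", 23, "telnet never reaches the DMZ"),
]

# Pragmatic: only the selected services pass, everything else is blocked.
pragmatic = PacketFilter(CHOKE_RULES, default="deny")
# Permissive: same explicit rules, but unknown traffic is allowed through.
permissive = PacketFilter(CHOKE_RULES, default="permit")

# Constructed sample traffic arriving from the Internet side.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", MAIL_SERVER, "tcp", 25),    # mail to mail server
    Packet("198.51.100.7", WEB_SERVER, "tcp", 25),     # mail to the web server
    Packet("198.51.100.7", WEB_SERVER, "tcp", 80),     # web to web server
    Packet("198.51.100.7", WEB_SERVER, "tcp", 23),     # telnet into the DMZ
    Packet("198.51.100.7", MAIL_SERVER, "tcp", 8080),  # service no rule names
]


def evaluate(filter_: PacketFilter, packets: List[Packet]) -> List[str]:
    """Return the decision for each packet in order."""
    return [filter_.decide(p) for p in packets]


if __name__ == "__main__":
    for stance, f in (("pragmatic", pragmatic), ("permissive", permissive)):
        print(stance, evaluate(f, SAMPLE_PACKETS))
```

Under the Pragmatic filter the second packet (SMTP aimed at the Web server) and the fifth (a port no rule mentions) are both dropped; under the Permissive filter both are let through, and only the explicit telnet deny still bites. That difference is the whole argument for a default-deny choke router in front of the DMZ.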
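The last paragraph describes hiding the network behind reserved addresses and a network address translator. As an added illustration, not code from the article, here is a toy translator: internal hosts on the reserved blocks (the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16) are rewritten to one public address with a per-flow port, matching replies are mapped back, and anything arriving from outside that no internal host asked for is dropped. The public address 203.0.113.1 and the sample flows are constructed.

```python
"""Toy network address translator for the 'hide the network' technique.

Added example, not part of the article. Private addresses are the RFC 1918
blocks; the public address and all sample flows below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# A flow is (src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, int, str, int]


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 intranet ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (remote_ip, remote_port, public_port) -> (private_ip, private_port)
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        # outbound flow -> public port already allocated for it
        self.reverse: Dict[Flow, int] = {}

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Translate an internal host's packet; None means 'do not forward'."""
        src, sport, dst, dport = flow
        if not is_private(src):
            return None        # only internal hosts are translated
        if is_private(dst):
            return None        # private destinations are not Internet-routable
        pport = self.reverse.get(flow)
        if pport is None:      # first packet of this flow: allocate a port
            pport = self.next_port
            self.next_port += 1
            self.reverse[flow] = pport
            self.table[(dst, dport, pport)] = (src, sport)
        return (self.public_ip, pport, dst, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Map a packet from the Internet back to the internal host, or drop it."""
        src, sport, dst, dport = flow
        if dst != self.public_ip:
            return None        # private addresses are never reachable directly
        mapping = self.table.get((src, sport, dport))
        if mapping is None:
            return None        # unsolicited: no internal flow owns this port
        priv_ip, priv_port = mapping
        return (src, sport, priv_ip, priv_port)


def demo() -> Dict[str, Optional[Flow]]:
    """Run the constructed scenario and return each step's result."""
    nat = Nat("203.0.113.1")
    out = nat.outbound(("192.168.1.10", 51000, "198.51.100.80", 80))
    again = nat.outbound(("192.168.1.10", 51000, "198.51.100.80", 80))
    reply = nat.inbound(("198.51.100.80", 80, "203.0.113.1", 40000))
    unsolicited = nat.inbound(("198.51.100.9", 4444, "203.0.113.1", 40001))
    direct = nat.inbound(("198.51.100.9", 4444, "192.168.1.10", 22))
    return {"out": out, "again": again, "reply": reply,
            "unsolicited": unsolicited, "direct": direct}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:12s} -> {result}")
```

The reply is mapped back only because the table entry was created by an outbound packet; the two inbound packets that nobody inside asked for, including the one addressed straight at the 192.168.1.10 host, are dropped, which is what makes the internal addressing invisible from outside.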
Issue 95 (May 1998) page 3
File: T1803.1
PC Network Advisor