Tutorial:Internet
Documented in RFC 1918, Address Allocation for Private Internets, the reserved addresses are allocated in three ranges: a single Class A address from 10.0.0.0 to 10.255.255.255; 16 Class B addresses from 172.16.0.0 to 172.31.255.255; and 255 Class C addresses from 192.168.0.0 to 192.168.255.255.

The available address space is larger than most companies will ever need, and allows you to develop your own network numbering scheme quickly. Moving an existing network to one of these address schemes is a tricky process, but if handled correctly can be achieved with little or no disturbance. Using these reserved addresses, and an address translating firewall, you can keep your internal systems from direct external access, providing pathways through the firewall only to trusted hosts or to specific services.

Network address translation is a standard feature with most modern application gateway based firewalls, or can be added as an optional extra to packet filter based systems.

Choosing A Firewall

Two basic technologies are used to build active firewalls, namely stateful packet filters and application gateways. These operate in different ways, and have different effects on how you run your Internet connection.

It is relatively simple to block access using packet filtering techniques, which can allow or prevent access to services from specific machines. This can be carried out either at a high level on a site's access routers or specifically on a firewall machine. A router alone cannot fully control a stream of IP packets, as it cannot monitor the state of incoming and outgoing packets - so some protocols like FTP which use more than one datastream present problems for a router based firewall.

Things get worse when you use a connectionless protocol like UDP, which forms the basis of essential Internet services like DNS. In order to control UDP streams in a firewall, you need to add some form of state monitoring to a packet filter, so that the firewall can control access based on packet requests and sophisticated rules (see Figure 1).

At a higher level, application- and circuit-level gateways act as routers that pass only specific packets on to specific machines (eg, HTTP requests to a Web server, or SMTP packets to a mail server). You can use application gateways to transmit only application-specific data across a firewall, which can be processor intensive. Circuit-level gateways open a virtual circuit on receiving a valid handshake, but do not analyse packet traffic, and in some cases require use of modified software - especially true in the case of the commonly used SOCKS gateway package. These gateway techniques have a considerable advantage over packet filtering techniques in that the true network address of a protected machine is always hidden from any external networks (see Figure 2).

There are a large number of firewall tools available, for virtually every operating system. It's worth looking at the various Internet resources available before choosing a firewall, and then trying one or two evaluation copies before you decide what to use. You'll find there are tools that suit every budget, from the free TIS Firewall Toolkit, through to the cheap and powerful GNATbox, to the heavy-hitting corporate firewalls from Digital with AltaVista Firewall 97 and Checkpoint's Firewall 1, as well as Raptor's Eagle and TIS's (now part of Network Associates) Gauntlet.

Next Steps

Once you've built a firewall, you can add extra features. One useful addition is the use of a virus checker like MIMEsweeper between an email gateway and your SMTP mailer, so all encapsulated files are virus checked before entry into a system.

Not Firewalls

Remember that a gateway tool or a proxy server is not a firewall. Packages like Wingate or the Microsoft Proxy Server make it easy for you to connect a small network to the Internet. However, they don't protect it from intrusion or from malicious use of your resources. There have been an increasing number of cases where spammers have used proxied mail servers to relay unsolicited commercial email, at considerable cost to the owners of the systems that were hijacked.
Figure 1 - State Monitoring.
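
The state monitoring the tutorial describes for UDP can be sketched as follows. This is an added example, not code from the original article or from any firewall product it names: the class and function names, the 30-second timeout and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The three RFC 1918 ranges listed in the tutorial, in prefix notation.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATE_TIMEOUT = 30.0  # assumed lifetime, in seconds, of a UDP state entry


def is_internal(addr):
    """True if addr lies in one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class StatefulUdpFilter:
    """Admit inbound UDP only as the reply to a recent outbound request."""

    def __init__(self, allowed_dst_ports=(53,)):
        self.allowed_dst_ports = set(allowed_dst_ports)
        self.state = {}  # (int_ip, int_port, ext_ip, ext_port) -> expiry

    def outbound(self, src, sport, dst, dport, now):
        # Only internal hosts may create state, and only to permitted services.
        if not is_internal(src) or dport not in self.allowed_dst_ports:
            return False
        self.state[(src, sport, dst, dport)] = now + STATE_TIMEOUT
        return True

    def inbound(self, src, sport, dst, dport, now):
        # A private source address arriving from outside is spoofed: drop it.
        if is_internal(src):
            return False
        key = (dst, dport, src, sport)
        expiry = self.state.get(key)
        if expiry is None or now > expiry:
            self.state.pop(key, None)  # forget stale entries
            return False
        return True


def demo():
    """Constructed traffic; 192.0.2.53 stands in for an external resolver."""
    fw = StatefulUdpFilter()
    return [
        fw.inbound("192.0.2.53", 53, "10.1.2.3", 40000, now=0.0),   # unsolicited
        fw.outbound("10.1.2.3", 40000, "192.0.2.53", 53, now=1.0),  # DNS query
        fw.inbound("192.0.2.53", 53, "10.1.2.3", 40000, now=1.2),   # its reply
        fw.inbound("192.0.2.53", 53, "10.1.2.3", 40001, now=1.3),   # wrong port
        fw.inbound("192.0.2.53", 53, "10.1.2.3", 40000, now=60.0),  # expired
    ]
```

A stateless router rule would have to admit every inbound packet with source port 53 to get DNS working; here only the third packet, which matches a live request, is passed.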
File: T1803.2
Issue 95 (May 1998) page 4
PC Network Advisor