By their very nature, Intranets encourage a free
flow of information. This means that it is also
very easy for information to flow directly from
the Intranet to the desktops of those who might
seek to gain access to information they should
not have. To guard against this situation,
adequate security measures should be in place
when the Intranet is deployed. In the discussion
that follows, we review various security
techniques to protect an Intranet from
unauthorized external and internal use.
6.2.5.1 Firewalls
The Internet was designed to be resilient to failures such as equipment breakdowns, broken cabling, and power outages. Unfortunately, the Internet today needs additional technology to prevent attacks against user privacy and company security. Luckily, a variety of hardware and software solutions exist to help protect an Intranet. The firewall is a basic component of network security. A firewall is a collection of hardware and software that interconnects two or more networks and, at the same time, provides a central location for managing security. It is essentially a computer specifically fortified to withstand various network attacks. Network designers place firewalls on a network as a first line of network defense. It becomes a “choke point” for all communications that lead in and out of an Intranet. By centralizing access through one computer (also known as a firewall-bastion host), it is easier to manage network security and to configure the appropriate software on one machine. The bastion host is also sometimes referred to as a server.
The firewall is a system that
controls access between two networks. Normally,
installing a firewall between an Intranet and
the Internet is a way to prevent the rest of the
world from accessing a private Intranet. Many
companies provide their employees with access to
the Internet long before they give them access
to an Intranet. Thus, by the time the Intranet
is deployed, the company has typically already
installed a connection through a firewall.
Besides protecting an Intranet from Internet
users, the company may also need to protect or
isolate various departments within the Intranet
from one another, particularly when sensitive
information is being accessed via the Intranet.
A firewall can protect the organization from
both internal and external security threats.
Most firewalls support some
level of encryption, which means data can be
sent from the Intranet, through the firewall,
encrypted, and sent to the Internet. Likewise,
encrypted data can come in from the Internet,
and the firewall can decrypt the data before it
reaches the Intranet. By using encryption,
geographically dispersed Intranets can be
connected through the Internet without worrying
about someone intercepting and reading the data.
A company’s mobile employees can also use encryption when they dial into the system (perhaps via the Internet) to access private Intranet files.
In addition to firewalls, a router can be used to filter out data packets based on specific selection criteria. Thus, the router can allow certain packets into the network while rejecting others.
One way to prevent outsiders
from gaining access to an Intranet is to
physically isolate it from the Internet. The
simplest way to isolate an Intranet is to not
physically connect it to the Internet. Another
method is to connect two sets of cables, one for
the Intranet and the other for the Internet.
Even without a connection to
the Internet, an organization is susceptible to
unauthorized access. To reduce the opportunity
for intrusions, a policy should be implemented
that requires frequent password changes and
keeping that information confidential. For
example, disgruntled employees, including those
who have been recently laid off, can be a
serious security threat. Such employees might
want to leak anything from source code to
company strategies to the outside. In addition,
casual business conversations, overheard in a
restaurant or other public place, may lead to a
compromise in security. Unfortunately, a
firewall cannot solve all these specific
security risks.
It should be noted that a firewall cannot keep viruses out of a network. Viruses are a growing and very serious security threat. Viruses must be prevented from entering an Intranet from the Internet through files that users upload. To protect the network, everyone should run antivirus software on a regular basis.
The need for a firewall
implies a connection to the outside world. By
assessing the types of communications expected
to cross between an Intranet and the Internet,
one can formulate a specific firewall design.
Some of the questions that should be asked when
designing a firewall strategy include:
- Will Internet-based users be allowed to upload or download files to or from the company server?
- Are there particular users (such as competitors) that should be denied all access?
- Will the company publish a Web page?
- Will the site provide telnet support to Internet users?
- Should the company’s Intranet users have unrestricted Web access?
- Are statistics needed on who is trying to access the system through the firewall?
- Will a dedicated staff be implemented to monitor firewall security?
- What is the worst-case scenario if an attacker were to break into the Intranet? What can be done to limit the scope and impact of this type of scenario?
- Do users need to connect to geographically dispersed Intranets?
There are three main types of
firewalls: network level, application level, and
circuit level firewalls. Each type of firewall
provides a somewhat different method of
protecting the Intranet. Firewall selection
should be based on the organization’s security
needs.
Network, application, and circuit-level firewalls
Network-level firewall.
A network-level firewall is typically a router
or special computer that examines packet
addresses and then decides whether to pass the
packet through or to block it from entering the
Intranet. The packets contain the sender and
recipient IP address and other packet
information. The network-level router recognizes
and performs specific actions for various
predefined requests. Normally, the router
(firewall) will examine the following
information when deciding whether to allow a
packet on the network:
- Source address from which the data is coming
- Destination address to which the data is going
- Session protocol such as TCP, UDP, or ICMP
- Source and destination application port for the desired service
- Whether the packet is the start of a connection request
If properly installed and
configured, a network-level firewall will be
fast and transparent to users.
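A stateless packet filter that decides on exactly those five fields, as an added Python example rather than code from the text; the Intranet range 10.0.0.0/8, the Web server at 10.0.0.80 and the rule set are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed packet header: the five fields the text lists (addresses,
# protocol, ports, and whether the packet opens a connection, which for
# TCP means the SYN flag set and the ACK flag clear).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False

    @property
    def new_connection(self) -> bool:
        return self.proto == "tcp" and self.syn and not self.ack

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any destination port
    new_only: Optional[bool] = None  # True/False = must/must not open a connection

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_only is None or self.new_only == p.new_connection))

# Hypothetical Intranet 10.0.0.0/8 with a public Web server at 10.0.0.80.
RULES = [
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80),      # anyone may reach the Web page
    Rule("allow", src="10.0.0.0/8"),                               # Intranet hosts may go out
    Rule("allow", dst="10.0.0.0/8", proto="tcp", new_only=False),  # replies in, but no new inbound connections
    Rule("deny"),                                                  # default deny
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """First-match evaluation, as a stateless packet-filtering router does."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
```

Because the filter is stateless, the "reply" rule can only check that an inbound segment is not a connection start; it cannot verify that an Intranet host actually opened the connection.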
Application-level firewall
An application-level firewall
is normally a host computer running software
known as a proxy server. A proxy server is an
application that controls the traffic between
two networks. When using an application-level
firewall, the Intranet and the Internet are not
physically connected. Thus, the traffic that
flows on one network never mixes with the
traffic of the other because the two network
cables are not connected. The proxy server
transfers copies of packets from one network to
the other. This type of firewall effectively
masks the origin of the initiating connection
and protects the Intranet from Internet users.
Because proxy servers
understand network protocols, they can be
configured to control the services performed on
the network. For example, a proxy server might
allow ftp file downloads, while disallowing ftp
file uploads. When implementing an
application-level proxy server, users must use
client programs that support proxy operations.
Application-level firewalls
also provide the ability to audit the type and
amount of traffic to and from a particular site.
Because application-level firewalls make a
distinct physical separation between an Intranet
and the Internet, they are a good choice for
networks with high-security requirements.
However, due to the software needed to analyze
the packets and to make decisions about access
control, application-level firewalls tend to
reduce the network performance.
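An application-level proxy's command filter for the ftp policy above (downloads allowed, uploads denied), together with the audit trail the text describes, as an added Python example that is not from the original page; the session bytes and the command policy are constructed.

```python
# Constructed FTP control-channel traffic from an Intranet client, as the
# proxy sees it before relaying anything to the server on the Internet side.
SESSION = (
    b"USER alice\r\n"
    b"PASS s3cret\r\n"
    b"CWD /pub\r\n"
    b"RETR report.pdf\r\n"
    b"stor design.doc\r\n"   # lowercase: FTP verbs are case-insensitive
    b"APPE notes.txt\r\n"
    b"MLSD\r\n"              # a verb this proxy does not understand
    b"QUIT\r\n"
)

UPLOAD_VERBS = {"STOR", "STOU", "APPE"}          # write to the server: denied by policy
KNOWN_VERBS = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "PORT",
               "LIST", "NLST", "RETR", "QUIT"}   # read-only use: relayed

def proxy_session(raw: bytes):
    """Walk the client's command stream, relay permitted commands and keep
    an audit record. Returns (relayed_commands, audit_log)."""
    relayed, audit = [], []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            audit.append("DENY <non-ASCII command line>")
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in UPLOAD_VERBS:
            audit.append(f"DENY {verb} {arg} (uploads not permitted)")
        elif verb in KNOWN_VERBS:
            relayed.append(f"{verb} {arg}".rstrip())
            # never write credentials into the audit trail
            audit.append(f"ALLOW {verb} {'****' if verb == 'PASS' else arg}".rstrip())
        else:
            audit.append(f"DENY {verb} (not understood by proxy)")
    return relayed, audit
```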
Circuit-level firewalls
A circuit-level firewall is
similar to an application-level firewall in that
it, too, is a proxy server. The difference
between them is that a circuit-level firewall
does not require special proxy-client
applications. As discussed in the previous
section, application-level firewalls require
special proxy software for each service, such as
ftp, telnet, and HTTP.
In contrast, a circuit-level
firewall creates a circuit between a client and
server without needing to know anything about
the service required. The advantage of a
circuit-level firewall is that it provides
service for a wide variety of protocols, whereas
an application-level firewall requires an
application-level proxy for each and every
service. For example, if a circuit-level
firewall is used for HTTP, ftp, or telnet, the
applications do not need to be changed. You
simply run existing software. Another benefit of circuit-level firewalls is that they work with only a single proxy server. It is easier to manage, log, and control a single server than multiple servers.
Firewall architectures.
Combining the use of both a router and a proxy
server into the firewall can maximize the
Intranet’s security. The three most popular
firewall architectures are the dual-homed host
firewall, the screened host firewall, and the
screened subnet firewall. The screened-host and
screened-subnet firewalls use a combination of
routers and proxy servers.
Dual-homed host firewalls
A dual-homed host firewall is
a simple, yet very secure configuration in which
one host computer is dedicated as the dividing
line between the Intranet and the Internet. The
host computer uses two separate network cards to
connect to each network. When using a dual-homed host firewall, the computer’s routing capabilities should be disabled, so the two networks do not accidentally become connected. One of the drawbacks of this configuration is that it is easy to inadvertently enable internal routing.
Dual-homed host firewalls use
either an application-level or a circuit-level
proxy. Proxy software controls the packet flow
from one network to another. Because the host
computer is dual-homed (i.e., it is connected to
both networks), the host firewall can examine
packets on both networks. It then uses proxy
software to control the traffic between the
networks.