NETWORK SECURITY: Mirroring real life
Relate network security to the real world and get the best out of your firewall
Friday, January 07, 2005

Imagine that your office is at the end of a lane. You need parcels and letters delivered and picked up by deliverymen all day long, so you keep your lane well maintained.

One day a crowd of clowns swarms down your lane and into your house, completely overrunning it. The deliverymen have to jostle with the clowns to reach you. Your business starts to slow down as deliveries and collections are nowhere near as frequent as usual, and eventually your business gradually comes to a halt. You've just had a denial of service attack on your business.

When you find out that the clowns are coming from a local circus, you resolve to do something about it.

The top of your lane opens on to a bigger road, and halfway up that road is a checkpoint that stops all travelers and tells them the best route to get to their destination. You tell the checkpoint to turn away any travelers coming from the circus. This seems to work and life goes back to normal, with the deliverymen resuming their normal work. You've just solved the denial of service attack by getting someone 'upstream' to ignore any information coming from the place that attacked you.

Then, one day, the clowns return and there are more of them than ever before. They are again overrunning your house and blocking your lane. There are so many of them that your deliverymen can't get anywhere near your house, and your business stops instantly.

You call the checkpoint and complain. But it says it has not allowed anyone from the circus into your lane and doesn't know where these new clowns are coming from. You investigate and discover that the circus owners have broken into 1,000 houses in the area, turned them into circuses, and have sent hundreds of clowns to your house from each one. Now you despair, because there are far too many points of origin for the checkpoint to check, and your business can't function with a lane full of clowns stopping the deliverymen from getting through. You've just had a distributed denial of service attack on your business.

At this point, you have to take emergency action to stop your house falling apart under the weight of clowns crowding into it, so you board up the front door and all the windows. The clowns are still filling your lane, but now they can't get into your house, though neither can any deliverymen. But your house is no longer in danger of collapsing. You then call your delivery companies and tell them that they shouldn't deliver for a few days; your business is suspended till further notice.

The only way your business can start up again is if the circus owners stop sending the clowns, or you manage to find the circus owners and get them arrested.

Now step back to the real world. The house is a server in your office connected to the Internet, the lane is the connection to your ISP, and the bigger road is a larger connection to the rest of the Internet. The checkpoint in our little story is a router, a machine that, quite literally, sends information on the best route to its destination. The deliverymen are packets, parcels of information traveling back and forth to the server. The clowns are also packets, but they are sent maliciously and carry useless information meant simply to fill your connection and grind your server to a halt with their size and number. If all the malicious packets are coming from the same place, it is sometimes possible for a router upstream from the server to stop the packets from getting through. However, if the malicious packets are coming from hundreds of different places (usually home computers that have been infected with a trojan and are being controlled by a criminal), then it is almost impossible to block them all. The result is that the server is attacked and its connection swamped. When that happens to your server, the rate at which information goes back and forth to you slows (lags) and eventually stops, at which point the server splits (crashes). All a server administrator can do then is to make the server unreachable and wait for the attack to stop.

One of the basic forms of a denial of service (DoS) attack involves flooding a target system with so much data, traffic, or commands that it can no longer perform its core functions. When multiple machines are gathered together to launch such an attack, it is known as a distributed denial of service attack, or DDoS.
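The difference between the single-source and distributed cases above can be seen in a small traffic model. This is an added example, not code from the article: the rates, addresses, per-source limit and link capacity are all constructed, and the "checkpoint" is a per-source rate rule like the one the upstream router applied in the story.

```python
# Constructed sample traffic: source IP -> packets per second seen by the upstream
# router ("checkpoint"). Real numbers would come from flow logs or packet counters.
SINGLE_SOURCE_ATTACK = {"203.0.113.9": 50_000, "198.51.100.2": 12, "192.0.2.7": 8}

# 1,000 compromised home machines (the broken-into houses), each sending a modest
# 60 pps, plus the same two legitimate senders.
DISTRIBUTED_ATTACK = {f"10.{i // 256 % 256}.{i % 256}.1": 60 for i in range(1000)}
DISTRIBUTED_ATTACK.update({"198.51.100.2": 12, "192.0.2.7": 8})

PER_SOURCE_LIMIT = 1_000   # assumed: any single sender above this is obviously hostile
LINK_CAPACITY = 40_000     # assumed: pps the "lane" to the server can carry


def upstream_block_list(rates, limit=PER_SOURCE_LIMIT):
    """The checkpoint rule: sources that individually exceed the per-source limit."""
    return sorted(ip for ip, pps in rates.items() if pps > limit)


def link_saturated(rates, capacity=LINK_CAPACITY, blocked=()):
    """(is the lane full?, pps still reaching the server) after blocking `blocked`."""
    remaining = sum(pps for ip, pps in rates.items() if ip not in blocked)
    return remaining > capacity, remaining


if __name__ == "__main__":
    for name, rates in (("single-source", SINGLE_SOURCE_ATTACK),
                        ("distributed", DISTRIBUTED_ATTACK)):
        blocked = upstream_block_list(rates)
        print(name, "blocked:", len(blocked), "sources;",
              "saturated after blocking:", link_saturated(rates, blocked=blocked))
```

Blocking the one loud sender restores the single-source case, but in the distributed case no sender trips the per-source rule, the block list is empty, and the aggregate still exceeds the link, which is exactly why the checkpoint cannot help and the administrator falls back to taking the server offline.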

Firewalls
To help protect against DoS or DDoS attacks, you can use a firewall.

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques.

  • Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

IP Spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker has to find an IP address of a trusted host and then modify the packet headers of the malware so that it appears that the packets are coming from that host.

Newer routers and firewall arrangements can offer protection against IP spoofing.

  • Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation and slowdown of traffic.

  • Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

  • Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.

A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted; however, encryption is a costlier method, and the encryption device has to be installed at both ends for communication to succeed. A firewall protects your network from unwanted Internet traffic. The primary function of a firewall is to let good traffic pass through while bad traffic gets blocked. The most important part of a firewall is its access control feature, which distinguishes between good and bad traffic.

Software Firewall
These are programs that run on your computer and nestle themselves between your network card software drivers and your operating system. They intercept attacks before your operating system can even acknowledge them.

However, even software firewalls can crash under heavy packet floods, and they can easily be disabled by malicious code or a trojan running inside the computer that intercepts and switches off the firewall. Because such code cannot always be detected on the system, and because trojans and malicious code change every day, disabling a software firewall is easy.

Firewalls With Stateful Packet Inspection
A new trend in home networking firewalls is called stateful packet inspection, an advanced form of firewall that examines each and every packet of data as it travels through the firewall. This firewall scans for problems in the packet that might be a symptom of a DoS or more advanced attacks.

Most people are never subjected to such attacks, but many areas of the Internet invite these attacks. Most often, these attacks come from involvement in certain kinds of competitive on-line gaming and questionable websites.

However, these types of firewalls are available mostly with cable modems, cable routers, ISDN routers, etc., which are cheap and good for networks of 2 to 20 computers. They are available for $30 to $2000.

High-speed networks have high-speed viruses and worms, which are continually probing and trying to access your computer system. Firewall protection has gone from a luxury to a requirement.

The largest problem with today's networks is spam and viruses, with AOL reporting 80 percent of all its email being spam.

Large corporate website and network outages caused by viruses and Internet-based attacks are not uncommon and frequently make the news. What we don't hear about is the ongoing problem at a personal level. Most people neglect to update their workstations with patches. They have antivirus software that has never been updated.

Once a problem strikes a network or home computer, software is usually the first solution to be tried. Yes, some virus and firewall software will assist your computer in removing the unwanted intruders. But they cannot guarantee a 100 percent trouble-free environment.

Shopping for an enterprise firewall can be intimidating if you've never done it before.

The process can become easier with a little background knowledge, an understanding of firewalls' features, and knowing what questions to ask the vendors.

Factors for Choosing Firewalls
One of the first things you need to figure out is what type of firewall best suits your needs.

There are six basic types of firewalls.

  • Embedded

  • Enterprise software-based

  • Enterprise hardware-based

  • SOHO software

  • SOHO hardware

  • Specialty

All of these firewall types typically offer stateful packet inspection or proxy capabilities. These are two techniques that firewalls use to make decisions on what traffic to allow or deny into and out of your intranet.

In the early days of firewall development, most firewalls offered only one of these types of traffic passing architectures. Today, firewalls with hybrid architectures offer both techniques.

Stateful packet inspection firewalls examine protocol packet header fields while proxy firewalls filter services at the application level. These firewalls learn and remember connection states and evaluate new traffic transactions against prior connection histories. Proxy firewalls are able to create virtual connections and can hide the internal client IP address making it more difficult to discern the topology of the protected intranet.
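The distinction drawn here, and in the "Firewalls With Stateful Packet Inspection" section above, is the difference between judging a packet by its header fields alone and judging it against remembered connection history. The following is an added, simplified example (not the article's or any vendor's code): a header-only rule that trusts a partner address, next to a stateful filter that only accepts non-SYN packets for connections it has already seen a handshake for. Addresses, the port and the two-flag TCP model are assumptions; the server's SYN-ACK is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str   # simplified TCP flags: "S" (SYN, new connection) or "A" (ACK, data)

TRUSTED_HOST = "192.0.2.10"    # assumed address of a trusted partner host
SERVER = "198.51.100.5"        # assumed address of the protected server
ALLOWED_PORT = 22              # assumed service the rule permits


def stateless_filter(pkt):
    """Packet filter: header fields only. Any packet claiming TRUSTED_HOST passes,
    which is why the article says packet filters are susceptible to IP spoofing."""
    return pkt.src == TRUSTED_HOST and pkt.dst == SERVER and pkt.dport == ALLOWED_PORT


class StatefulFilter:
    """Stateful inspection: remembers connection states and checks each new packet
    against that history instead of trusting the header on its own."""

    def __init__(self):
        self.half_open = set()      # (src, dst, dport) after an accepted SYN
        self.established = set()    # keys whose handshake completed

    def allow(self, pkt):
        if not stateless_filter(pkt):           # header rule still applies first
            return False
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "S":                    # new connection request
            self.half_open.add(key)
            return True
        if key in self.half_open and pkt.flags == "A":   # completes the handshake
            self.half_open.discard(key)
            self.established.add(key)
            return True
        # An ACK/data packet with no remembered handshake has no state to match:
        # dropped even though its header looks trusted.
        return key in self.established


def decisions(filter_fn, packets):
    """Apply a filter (function or StatefulFilter.allow) to a packet sequence."""
    return [filter_fn(p) for p in packets]
```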

Embedded firewalls are embedded into either a router or a switch and are sometimes referred to as choke-point firewalls. They come standard with certain routers, and can also be purchased as add-on modules to be installed into a router or switch. Due to the wide variety of protocols used on the Internet, not all services are handled efficiently by embedded firewalls. Because embedded firewalls work at the IP level, they will not be able to protect your network from application-level exploits such as viruses, worms, and trojan-horse programs. In some cases, embedded firewalls might offer greater performance, but they typically offer fewer features for protecting your networks. Embedded firewalls are often stateless in nature and pass packets without consideration of prior connection states.

Software-based firewalls are software packages containing firewall software that you install on top of an existing operating system and hardware platform. If you have a server with an enterprise-class operating system that is available for use, purchasing a software-based firewall is a reasonable choice.

Also, if you are a small organization and want to combine a firewall with another application server (such as your website server), adding on a software-based firewall is reasonable. If you are a large organization, you will probably want to create a security perimeter network, known as a DMZ (demilitarized zone), and will therefore probably want to separate your firewall from all other applications.

Software-based firewalls come in both small office/home office (SOHO) models and enterprise models. Hardware-based firewalls are the same thing as appliance firewalls. The entire firewall is bundled into a turnkey system and when you buy it, you get a hardware device that has the software already inside it. Hardware-based firewalls, or appliance firewalls, also come in both SOHO and enterprise models.

Specialty firewalls are firewalls with a certain application focus. For example, there are some security servers with built-in, firewall-type rules that are made particularly for filtering content, or security messaging servers.

As security technologies become more advanced, sometimes the product segments start to blur and you need to understand what the product actually does, and not rely on its vendor-marketed product definition.

Users, Locations, and Numbers
A consideration that should be very high on your list is how many users you need to protect, and how many firewalls you will need. The number of users you are going to protect will determine whether you need an enterprise-class firewall or a SOHO firewall. (You can certainly use an enterprise firewall, even for one user, but you might be paying a lot more than you need to, and might end up with features you will never use.)

Most firewall vendors rate their firewalls for a certain range of user connections. Typically, the more users you need to support, the more RAM and processing power you will need in your firewall.

Gurpreet Singh Senior Technology Officer at Mantec Consultants
