of entry for external users that can be configured and controlled to observe high security standards. This is done by requiring strong authentication and by allowing access only to trusted, essential services deemed necessary for organization business. Focusing access control efforts on a single firewall machine takes some of the burden away from having to fully secure many thousands of workstations otherwise accessible to outsiders. This is not to say that internal workstations should not be monitored and configured with secure software; rather, the firewall provides a more reliably effective first barrier to inappropriate entry.

A firewall normally sits between an internal trusted network and an external network connection either to the Internet or to an untrusted part of an intranet. In the most common configuration, a firewall consists of devices called a screening router and a bastion host. The screening router allows only messages from a specified list of trusted parties or locations to enter the system. Such requests are directed to the bastion host, which is configured securely to run only a limited set of trusted and necessary services for external users, for example, e-mail routing or remote terminal connections (with strong user authentication). Communication packets for authorized services are passed through "proxy" handlers in the firewall, which monitor packet types and sequences to give increased assurance of appropriate use. The router or firewall (1) should be configured to prevent users from making it appear as though they are trusted parties (in technical terms, it should prevent "spoofing") so that an outside workstation cannot appear to be an internal trusted workstation, (2) should prohibit unsafe connections (e.g., for the Network File Service protocol), (3) should prevent viewing internal Domain Name Service information (the host's Internet address information containing details about its internal network configuration), (4) should require direct console log-ins to control critical firewall system functions, and (5) should keep full audit trail information that cannot be modified once written.
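The screening rules described above, as an added example that is not part of the original text: a header-only filter covering the trusted-source list and requirements (1), (2) and (5). All names and addresses are constructed assumptions, and the hash chain is a stand-in that only makes later modification of the audit trail detectable rather than impossible.

```python
import hashlib
import ipaddress
from collections import namedtuple

# Constructed values (RFC 5737 documentation ranges); every name is an assumption.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
BASTION = ipaddress.ip_address("192.0.2.10")
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
BASTION_SERVICES = {("tcp", 25), ("tcp", 23)}   # e-mail routing, remote terminal
UNSAFE_PORTS = {111, 2049}                       # portmapper and NFS

# iface records where the packet arrived: "external" or "internal".
Packet = namedtuple("Packet", "iface src dst proto dport")

def screen(pkt):
    """Return (verdict, reason) using header fields only, never the payload."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface != "external":
        return "accept", "internal traffic is not screened here"
    if src in INTERNAL_NET:
        return "drop", "spoofed internal source on external interface"
    if pkt.dport in UNSAFE_PORTS:
        return "drop", "unsafe service (NFS/portmapper)"
    if not any(src in net for net in TRUSTED_SOURCES):
        return "drop", "source not on trusted list"
    if dst != BASTION or (pkt.proto, pkt.dport) not in BASTION_SERVICES:
        return "drop", "only bastion host services are reachable"
    return "accept", "trusted source to bastion service"

class AuditTrail:
    """Append-only log; each record's hash also covers the previous hash."""
    def __init__(self):
        self.records = []          # list of (line, chained_hash)

    def append(self, pkt, verdict, reason):
        prev = self.records[-1][1] if self.records else "0" * 64
        line = f"{pkt.iface} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport} {verdict}: {reason}"
        self.records.append((line, hashlib.sha256((prev + line).encode()).hexdigest()))

    def verify(self):
        prev = "0" * 64
        for line, digest in self.records:
            if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
                return False       # a record was altered after being written
            prev = digest
        return True
```

The anti-spoofing check depends on the arrival interface, not on the claimed source address alone, which is why `iface` is part of the packet record.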

Firewalls do not offer perfect protection; they are after all just another computer or software system. They may be vulnerable to so-called tunneling attacks, in which packets for a forbidden protocol are encapsulated inside packets for an authorized protocol, or to attacks involving internal collusion. Furthermore, firewalls check only the tags identifying various data packets, not the content of the packets being retrieved and, hence, depend on error-free organization of the domain they protect. Nevertheless, they serve a useful purpose in focusing system administrators' attention on a smaller number of points of entry in a complex organization so as to control the most obvious kinds of attacks. Similar techniques can be used to control dial-up modem access to network services, again through the use of strong authentication techniques and limited service access.



Copyright © National Academy of Sciences. All rights reserved.