Network Security

As e-Business continues to reshape the network security
marketplace, NCS provides comprehensive security consultation and
security services for organizational computer networks that use
Internet, Extranet and Intranet technology, helping companies
open up for e-Business.
NCS will design and plan the task of implementing a firewall by
going through the following steps:
a) Determine the access denial methodology to use.
It is recommended you begin with the methodology that denies all
access by default. In other words, start with a gateway that
routes no traffic and is effectively a brick wall with no doors
in it.
b) Determine inbound access policy.
If all of your Internet traffic originates on the LAN this may
be quite simple. A straightforward NAT router will block all
inbound traffic that is not in response to requests originating
from within the LAN. As previously mentioned, the true IP
addresses of hosts behind the firewall are never revealed to the
outside world, making intrusion extremely difficult. Indeed,
local host IP addresses in this type of configuration are
usually non-public addresses, making it impossible to route
traffic to them from the Internet. Packets coming in from the
Internet in response to requests from local hosts are addressed
to dynamically allocated port numbers on the public side of the
NAT router. These change rapidly making it difficult or
impossible for an intruder to make assumptions about which port
numbers to use.
If your requirements involve secure access to LAN based services
from Internet based hosts, then you will need to determine the
criteria to be used in deciding when a packet originating from
the Internet may be allowed into the LAN. The stricter the
criteria, the more secure your network will be. Ideally you will
know which public IP addresses on the Internet may originate
inbound traffic. By limiting inbound traffic to packets
originating from these hosts, you decrease the likelihood of
hostile intrusion. You may also want to limit inbound traffic to
certain protocol sets such as ftp or http. All of these
techniques can be achieved with packet filtering on a NAT
router. If you cannot know the IP addresses that may originate
inbound traffic, and you cannot use protocol filtering, then you
will need a more complex rule-based model, and this will
involve a stateful multilayer inspection firewall.
c) Determine outbound access policy.
If your users only need access to the web, a proxy server may
give a high level of security with access granted selectively to
appropriate users. As mentioned, however, this type of firewall
requires manual configuration of each web browser on each
machine. Outbound protocol filtering can also be transparently
achieved with packet filtering and no sacrifice in security. If
you are using a NAT router with no inbound mapping of traffic
originating from the Internet, then you may allow LAN users to
freely access all services on the Internet with no security
compromise. Naturally, the risk of employees behaving
irresponsibly with email or with external hosts is a management
issue and must be dealt with as such.
d) Determine if dial-in or dial-out access is required.
Dial-in requires a secure remote access PPP server that should
be placed outside the firewall. If dial-out access is required
by certain users, individual dial-out computers must be made
secure in such a way that hostile access to the LAN through the
dial-out connection becomes impossible. The surest way to do
this is to physically isolate the computer from the LAN.
Alternatively, personal firewall software may be used to isolate
the LAN network interface from the remote access interface.
e) Decide whether to buy a complete firewall product, have one
implemented by a systems integrator or implement one yourself.
Once the above questions have been answered, it may be decided
whether to buy a complete firewall product or to configure one
from multipurpose routing or proxy software. This decision will
depend as much on the availability of in-house expertise as on
the complexity of the need. A satisfactory firewall may be built
with little expertise if the requirements are straightforward.
However, complex requirements will not necessarily entail
recourse to external resources if the system administrator has
sufficient grasp of the elements. Indeed, as the complexity of
the security model increases, so does the need for in-house
expertise and autonomy.
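The policy described in steps a) to c), modelled as a small stateful packet filter. This is an added illustration, not NCS material or a product configuration; the LAN range, the partner address and the permitted port set are assumptions, and the model tracks flows by LAN address rather than by the translated public-side port.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")                      # assumed private LAN
ALLOWED_INBOUND_SOURCES = {ip_address("203.0.113.10")}  # assumed partner host
ALLOWED_INBOUND_PORTS = {80}                            # protocol set: http only


class StatefulFirewall:
    """Default-deny filter (step a). Outbound traffic from the LAN is
    permitted and recorded (step c); inbound traffic is permitted only as
    a reply to a recorded flow, or when it matches the explicit inbound
    policy of allow-listed source plus permitted port (step b)."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) seen leaving the LAN

    def check(self, src, sport, dst, dport):
        s, d = ip_address(src), ip_address(dst)
        if s in LAN and d not in LAN:
            self.flows.add((s, sport, d, dport))
            return "ALLOW-OUT"
        if d in LAN and s not in LAN:
            # reply to a flow a local host originated
            if (d, dport, s, sport) in self.flows:
                return "ALLOW-REPLY"
            # explicit inbound access policy
            if s in ALLOWED_INBOUND_SOURCES and dport in ALLOWED_INBOUND_PORTS:
                return "ALLOW-IN"
        return "DENY"  # everything else is denied by default


def run_trace():
    """Run a constructed packet trace through the filter and return verdicts."""
    fw = StatefulFirewall()
    trace = [  # constructed packets: (src, sport, dst, dport)
        ("192.168.1.20", 51000, "198.51.100.5", 443),  # LAN user browsing out
        ("198.51.100.5", 443, "192.168.1.20", 51000),  # the server's reply
        ("198.51.100.5", 443, "192.168.1.20", 51001),  # unrequested port: denied
        ("203.0.113.10", 40000, "192.168.1.80", 80),   # partner to web server
        ("203.0.113.10", 40000, "192.168.1.80", 22),   # partner to ssh: not permitted
        ("192.0.2.7", 40000, "192.168.1.80", 80),      # unknown host: denied
    ]
    return [fw.check(*p) for p in trace]


if __name__ == "__main__":
    print(run_trace())
```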