Weaknesses of firewalls
Firewalls cover only part of the threats addressed by a security strategy. Since they filter network traffic at only a few points, they offer no protection against malware that is brought into the internal network on CDs, USB sticks or floppy disks. The computer worms Sasser, W32.Blaster and Conficker have shown, through outbreaks in large companies such as Germany's Postbank and Delta Air Lines, that such infection routes work in practice.
In principle, any service can run on any port number. If the rule set permits TCP port 80 for HTTP, a different protocol can still be run over that port; the two communicating parties (the client in the internal network and the service on the server in the external network) merely have to be configured accordingly.
One attempt to counter this is the application layer firewall, which checks, for example, that connections on this port carry HTTP content and blocks everything else sent through it. However, every protocol is designed to transmit data, so the data merely has to be converted to fit. If the software embeds the data to be transferred into HTTP without violating the protocol standard, such a firewall is powerless against it (the remote side, the service on the server, must of course understand this kind of conversion).
This is exactly what tunnels do. Manipulated data can, for example, be packed into image data streams inside a tunnel. With encrypted protocols such as HTTPS, content inspection by the firewall becomes completely impossible.
A tunnel therefore provides a method of circumventing a firewall's control. Tunnels are also used to carry insecure network protocols inside a secure, encrypted network protocol, giving them tap-proof and tamper-proof transport. This can be done, for example, through an SSH or OpenVPN tunnel inside a legitimately permitted connection.
Both OpenVPN and many SSH clients (e.g., PuTTY) are also able to build a tunnel through an HTTP proxy that was supposed to pass only web pages. There is also special tunneling software for protocols such as DNS or ICMP.
Skype in particular is an example of how well most firewalls can be bypassed from the inside out. As long as users in the internal network are able to access websites, encryption leaves the firewall administrator little chance of preventing tunneling. Whitelists that restrict access to particular servers can, however, make tunneling through the firewall considerably more difficult.
Organizations therefore sometimes supplement the technical measures with organizational security measures, such as a ban on the deliberate use of tunnels in a security policy that employees are required to sign.
Transparently penetrating a firewall is also called firewall piercing (FWPRC).
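As an added example that is not part of the original article: a minimal version of the port-80 content check that an application layer firewall performs, in Python, run over constructed sample payloads. It shows that a raw SSH banner or TLS handshake sent to port 80 is blocked, while arbitrary data embedded in a syntactically valid HTTP request passes, which is the limit the text describes; an HTTPS stream cannot be inspected this way at all, because its content is encrypted.

```python
import re

# Constructed sample payloads: the first bytes a client sends on a TCP port 80 connection.
SAMPLES = {
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_8.9\r\n",                      # SSH banner, not HTTP
    "tls_on_80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # TLS record header, not HTTP
    "http_with_opaque_body": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                              b"Content-Length: 4\r\n\r\n\x00\x01\x02\x03"),
}

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+: ?")


def classify_port80(payload: bytes) -> str:
    """Return 'allow' if the payload starts like a well-formed HTTP request, else 'block'.

    This is the whole of what a protocol-conformance check can decide: the body of a
    syntactically valid request is opaque data to it, so an HTTP-embedded tunnel passes.
    """
    if not REQUEST_LINE.match(payload):
        return "block"                      # wrong protocol on the HTTP port
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "block"                      # header block never terminated
    for line in head.split(b"\r\n")[1:]:
        if not HEADER_LINE.match(line):
            return "block"                  # malformed header line
    return "allow"


def run_all() -> dict:
    """Classify every constructed sample; returns a name -> verdict mapping."""
    return {name: classify_port80(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:24s} {verdict}")
```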
Evaluating the performance of a firewall is not as easy as it is for a router, for example, because throughput depends on many dynamic factors. These include the size and ordering of the rule set, the type of network traffic and the configuration of the firewall (e.g., stateful inspection, logging). A uniform benchmarking methodology for firewalls is described in RFC 2647.
The following measures can be taken to optimize performance:
- More memory and/or a faster CPU.
- Turning off logging for specific rules.
- Removing unused rules and routes.
- Moving frequently used rules to the top of the rule set. Note that this can change the meaning of the rules.
- On high-availability systems, disabling synchronization of the connection table for individual rules. This is quite feasible especially for short-lived HTTP connections.
- Using product-specific features such as Nokia IPSO flows and Check Point SecureXL.
- Checking that all network interfaces run in full-duplex mode.
- Tuning the network parameters of the operating system.
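As an added example that is not part of the original article: a small first-match packet filter in Python, with a constructed rule set and traffic sample, that illustrates the rule-ordering item above. Sorting rules purely by hit count cuts the lookup cost for the hot rule but silently turns a specific deny into an allow; the safe variant moves a rule up only past rules whose match sets cannot overlap, so the verdicts stay the same.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed rule set; each rule matches on protocol, destination port and source prefix.
RULES = [
    {"name": "deny-guest-ssh", "action": "deny", "proto": "tcp", "dport": 22, "src": "10.9.0.0/16"},
    {"name": "allow-ssh", "action": "allow", "proto": "tcp", "dport": 22, "src": "10.0.0.0/8"},
    {"name": "allow-http", "action": "allow", "proto": "tcp", "dport": 80, "src": "0.0.0.0/0"},
    {"name": "allow-dns", "action": "allow", "proto": "udp", "dport": 53, "src": "10.0.0.0/8"},
]

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]
            and ip_address(pkt["src"]) in ip_network(rule["src"]))

def evaluate(rules, pkt, default="deny"):
    """First match wins; returns (verdict, rules examined). The second value is the lookup cost."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], i
    return default, len(rules)

def overlaps(a, b):
    """Two rules can match the same packet only if proto and port agree and prefixes overlap."""
    return (a["proto"] == b["proto"] and a["dport"] == b["dport"]
            and ip_network(a["src"]).overlaps(ip_network(b["src"])))

def hit_counts(rules, traffic):
    hits = Counter()
    for pkt in traffic:
        hits[next((r["name"] for r in rules if matches(r, pkt)), None)] += 1
    return hits

def reorder_naive(rules, traffic):
    """Hot rules first, ignoring overlap: faster, but may change what the rule set means."""
    hits = hit_counts(rules, traffic)
    return sorted(rules, key=lambda r: -hits[r["name"]])

def reorder_safe(rules, traffic):
    """Move a hot rule up only past rules it cannot conflict with (insertion-sort style)."""
    hits, out = hit_counts(rules, traffic), []
    for rule in rules:
        pos = len(out)
        while pos > 0 and hits[out[pos - 1]["name"]] < hits[rule["name"]] and not overlaps(out[pos - 1], rule):
            pos -= 1
        out.insert(pos, rule)
    return out

# Constructed traffic sample: mostly web, a little SSH, and one SSH attempt from the guest range.
TRAFFIC = [{"proto": "tcp", "dport": 80, "src": "192.0.2.%d" % i} for i in range(1, 21)]
TRAFFIC += [{"proto": "tcp", "dport": 22, "src": "10.1.0.5"}] * 3 + [{"proto": "tcp", "dport": 22, "src": "10.9.1.7"}]

def compare(pkt):
    """Verdict and cost for one packet under the original, naively reordered and safely reordered rules."""
    return {name: evaluate(rs, pkt) for name, rs in
            (("original", RULES), ("naive", reorder_naive(RULES, TRAFFIC)), ("safe", reorder_safe(RULES, TRAFFIC)))}
```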
Products: Some Firewall Software
- Astaro Security Linux is a commercial Linux distribution for firewall systems.
- Check Point Firewall-1 is a commercial firewall application running on Unix, Windows and Nokia appliances.
- Endian Firewall is an open source Linux distribution for gateway / router / firewall systems that provides comprehensive gateway protection (antivirus, antispam, DMZ, intrusion detection, etc.) and is configured as a headless server via a simple web front end.
- fli4l, the single-floppy router, is, alongside the CD-based Gibraltar, a project that allows old PCs to be reused as firewalls in the spirit of sustainable use.
- IPFire is a free Linux distribution that acts primarily as a router and firewall and can easily be extended with many additional functions through a package manager.
- IPCop is an easy-to-use Linux distribution that strikes a balanced compromise between rich and secure firewall features (antivirus, antispam, DMZ, proxy).
- Ipfw is the packet filter of the FreeBSD operating system; as wipfw it is also available for Windows systems.
- Netfilter / iptables – Packet filtering within the Linux kernel.
- M0n0wall is a BSD-based firewall optimized for security; its functions come close to those of professional firewalls, yet it remains very easy to configure.
- Pfsense is an easy-to-use BSD-based firewall, an offshoot of M0n0wall, that strikes a compromise between rich and secure firewall features (antivirus, antispam, DMZ, proxy).
- Phion netfence – European enterprise firewall product, which is available as a software and hardware appliance.
- Microsoft Internet Security and Acceleration Server is a commercial firewall from Microsoft based on Windows Server 2000/2003. An advantage is its integration with the Active Directory directory structure; a disadvantage is the base operating system with its sufficiently well-known security problems.
- Pf is an open source firewall that was originally developed for OpenBSD and then ported to other BSD operating systems.
- SME Server is an open-source software-based firewall that also contains the server roles used in the SoHo field.
Firewall appliances provide a coordinated combination of hardware, hardened operating system and firewall software:
- Check Point VPN-1 Edge and UTM-1
- Cisco ASA (predecessor: PIX) and Firewall Service Module (FWSM) for Catalyst Switches
- Juniper Networks Netscreen and SSG
- Innominate Security Technologies (a Phoenix Contact company) mGuard industrial appliances
- WatchGuard Firebox X Core and Peak appliances
Source: Wikipedia, the free encyclopedia. The text is available under the Creative Commons license.