User manual MAXTOR DESIGN THE FIREWALL SYSTEM


Manual abstract: user guide MAXTOR DESIGN THE FIREWALL SYSTEM


[. . . ] The greatest disadvantage of the single layer approach is its susceptibility to implementation flaws or configuration errors -- depending on the type, a single flaw or error might allow firewall penetration.

In a multiple layer architecture (figure 1.2), the firewall functions are distributed among a small number of hosts, typically connected in series, with DMZ networks between them. This approach is more difficult to design and operate, but can provide substantially greater security by diversifying the defenses you are implementing. Although more costly, we advise using different technology in each of these firewall hosts. This reduces the risk that the same implementation flaws or configuration errors will exist in every layer.

[. . . ] In this context, performance is a routing functionality issue, not a security issue, so it always ranks near the top of the list of design priorities for these routers. In addition, adding filtering to a router

- can negatively impact routing, and therefore networking, performance
- may require additional memory

General purpose computers and the operating system software that runs on them are not typically designed to act as high performance routers, with or without packet filtering. The most common reasons for choosing a general purpose computer include:

- using firewall mechanisms in addition to packet filtering on the same host
- existing in-depth knowledge of the chosen platform
- eliminating filtering load on a special purpose router
- availability of source code

Application proxies

An application proxy is an application program that runs on a firewall system between two networks (figure 1.3). The host on which the proxy runs does not need to be acting as a router. When a client program establishes a connection "through" a proxy to a destination service, it first establishes a connection directly to the proxy server program.
The client then negotiates with the proxy server to have the proxy establish a connection on behalf of the client between the proxy and the destination service. If successful, there are then two connections in place: one between the client and the proxy server and another between the proxy server and the destination service. Once established, the proxy then receives and forwards traffic bi-directionally between the client and service. The proxy makes all connection-establishment and packet-forwarding decisions; any routing functions that are active on the host system are irrelevant to the proxy.

As with packet filtering, application proxies are available on both special purpose proxy machines and general purpose computers. Generally speaking, application proxies are slower than packet filtering routers. However, application proxies are, in some ways, inherently more secure than packet filtering routers. Packet filtering routers have historically suffered from implementation flaws or oversights in the operating system's routing implementation on which they depend. Since packet filtering capabilities are "add-ons" to routing, they cannot correct or compensate for certain kinds of routing flaws.

As a result of making more complex filtering and access control decisions, application proxies can require significant computing resources and an expensive host upon which to execute. For example, if a certain firewall technology running on a UNIX platform needs to support 200 concurrent HTTP sessions, the host must be capable of supporting 200 HTTP proxy processes with reasonable performance. Add 100 FTP sessions, 25 SMTP sessions, some LDAP sessions, and some DNS transactions and you have a host that needs to sustain 500 to 1,000 proxy processes. Some proxies are implemented using kernel threads (which can dramatically reduce resource requirements) but resource demands remain high.
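The two-connection exchange described above, as an added example that is not part of the original guide: a small proxy that applies an allowlist before opening the second connection. The one-line `CONNECT host port` negotiation, the `OK`/`DENIED` replies, the uppercase echo service and all function names are assumptions made for this sketch, not a real proxy protocol.

```python
import asyncio

async def pipe(reader, writer):   # forward one way until EOF, then close
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

def make_proxy(allowed):
    """Build a handler that connects only to (host, port) pairs in `allowed`."""
    async def handle(c_reader, c_writer):
        # Connection 1 (client <-> proxy) exists; read the requested target.
        parts = (await c_reader.readline()).decode(errors="replace").split()
        ok = len(parts) == 3 and parts[0] == "CONNECT" and parts[2].isdecimal()
        if not ok or (parts[1], int(parts[2])) not in allowed:
            c_writer.write(b"DENIED\n")   # the proxy decides, not host routing
            return c_writer.close()
        # Connection 2 (proxy <-> service), opened on the client's behalf.
        s_reader, s_writer = await asyncio.open_connection(parts[1], int(parts[2]))
        c_writer.write(b"OK\n")
        await asyncio.gather(pipe(c_reader, s_writer), pipe(s_reader, c_writer))
    return handle

async def echo_upper(reader, writer):   # constructed stand-in destination service
    writer.write((await reader.readline()).upper())
    writer.close()

async def ask(proxy_port, host, port, payload):
    """Client side: negotiate with the proxy first, then talk to the service."""
    reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
    writer.write(f"CONNECT {host} {port}\n".encode())
    status, reply = await reader.readline(), b""
    if status == b"OK\n":
        writer.write(payload)
        reply = await reader.readline()
    writer.close()
    return status, reply

def run_demo():
    async def demo():
        svc = await asyncio.start_server(echo_upper, "127.0.0.1", 0)
        port = svc.sockets[0].getsockname()[1]
        proxy = await asyncio.start_server(make_proxy({("127.0.0.1", port)}), "127.0.0.1", 0)
        via = proxy.sockets[0].getsockname()[1]
        return (await ask(via, "127.0.0.1", port, b"hello\n"),   # permitted target
                await ask(via, "127.0.0.1", 22, b"hello\n"))     # not in policy
    return asyncio.run(demo())
```

`run_demo()` returns the permitted and the refused exchange; in the refused case the proxy never opens a connection to the target, so the request is stopped before any traffic reaches the destination.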
Stateful inspection or dynamic packet filtering

We use the terms stateful inspection or dynamic packet filtering to refer to a more capable set of filtering functions on routers. Packet filtering is restricted to making its filtering decisions based only on the header information on each individual packet without considering any prior packets. Stateful inspection filtering allows both complex combinations of payload (message content) and context established by prior packets to influence filtering decisions. As with packet filtering, stateful inspection is implemented as an "add-on" to routing, so the host on which the stateful inspection function is executing must also be acting as a router. The principal motivation for stateful inspection is a compromise between performance and security.

[. . . ] the objective that all incoming and outgoing network traffic must go through the firewall (i.e., that no traffic which bypasses the firewall is permitted, for example, by using modems) -- or conversely, that specific loopholes are permitted and under what conditions (e.g., modems, tunnels, connections to ISPs)

In the offering and requesting of services, your policy should ensure that you only allow network traffic

- that is determined to be safe and in your interests
- that minimizes the exposure of information about your protected network's information infrastructure

For additional information on policy-related topics, refer to Firewalls Complete [Goncalves 98].

Footnotes

1. These should have been specified during your firewall evaluation and selection process. Areas you should have considered include
   - risks you are trying to mitigate with the firewall (i.e., the information assets and resources you are trying to protect and the threats that you are trying to protect against)
   - services you intend to offer to the Internet from your network
   - services you intend to use on the Internet from your network
   - identification of the users of these services
   - firewall availability and performance requirements
   - determining who will manage the firewall system and how they will manage it
   - determining the system and network growth that the firewall system will need to accommodate in the future

   Other considerations can be found in Firewalls Complete [Goncalves 98] and the Third Annual Firewall Industry Guide [ICSA 98].

The difficulty primarily arises because of how quickly the rule sets grow in complexity. [. . . ]
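The contrast drawn above between packet filtering and stateful inspection, as an added example that is not part of the original guide: the same constructed packet trace is judged by a header-only rule and by a filter that remembers connections opened from inside. The rule set, class and function names, and addresses (documentation ranges) are assumptions, and only the "context established by prior packets" half of stateful inspection is modelled, not payload inspection.

```python
from collections import namedtuple

# flags: S=SYN, A=ACK, R=RST; inbound=True means the packet arrives from outside.
Packet = namedtuple("Packet", "src sport dst dport flags inbound")

def packet_filter(pkt):
    """Stateless rule: outbound is allowed; inbound is allowed if ACK is set.
    The decision uses this packet's header only, with no memory of prior packets."""
    return (not pkt.inbound) or "A" in pkt.flags

class StatefulFilter:
    """Inbound packets must belong to a connection opened from the inside."""
    def __init__(self):
        self.conns = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt):
        if pkt.inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return key in self.conns
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.conns.add(key)          # context for later inbound packets
        elif "R" in pkt.flags:
            self.conns.discard(key)      # connection torn down: forget it
        return True

IN, WEB, OTHER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRACE = [  # constructed sample traffic
    Packet(IN, 40000, WEB, 80, "S", False),     # inside host opens a connection
    Packet(WEB, 80, IN, 40000, "SA", True),     # server's reply
    Packet(IN, 40000, WEB, 80, "A", False),     # handshake completes
    Packet(OTHER, 80, IN, 40001, "A", True),    # ACK with no prior connection
    Packet(IN, 40000, WEB, 80, "R", False),     # inside host resets
    Packet(WEB, 80, IN, 40000, "A", True),      # late packet on the closed flow
]

def compare(trace):
    """Return [(stateless_verdict, stateful_verdict), ...] for each packet."""
    stateful = StatefulFilter()
    return [(packet_filter(p), stateful.check(p)) for p in trace]

if __name__ == "__main__":
    for pkt, (a, b) in zip(TRACE, compare(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={'pass' if a else 'drop'} stateful={'pass' if b else 'drop'}")
```

The header-only rule passes every packet in the trace, while the stateful filter drops the two inbound ACK segments that match no live connection.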
