Firewall design

By D. Brent Chapman, Unix Insider |  Security

If the organizations have a reasonable amount of trust in each other
(and, by extension, in each other's security), it may be
reasonable to establish the packet filters so that clients on the
other side can connect to internal servers (such as
SMTP and DNS servers) directly.

On the other hand, if the organizations distrust each other, they might
each want to place their own bastion host, under their own control and
management, on the perimeter net. Traffic would flow from one party's
internal systems, to their bastion host, to the other party's bastion
host, and finally to the other party's internal systems.

What the future holds

Systems that might be called "third-generation
firewalls" -- firewalls that combine the features and capabilities
of packet filtering and proxy systems into something more than
both -- are just starting to become available.

More and more client and server applications are coming with native
support for proxied environments. For example, many
WWW clients include proxy capabilities, and lots of
systems are coming with run-time or compile-time support for generic
proxy systems such as the SOCKS package.

Packet filtering systems continue to grow more flexible and gain new
capabilities, such as dynamic packet filtering. With dynamic packet
filtering, such as that provided by the CheckPoint Firewall-1 product,
the Morning Star Secure Connect router, and the KarlBridge/KarlBrouter,
the packet filtering rules are modified "on the fly" by
the router in response to certain triggers. For example, an outgoing
UDP packet might cause the creation of a temporary
rule to allow a corresponding, answering UDP packet
back in.
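To make the trigger mechanism concrete, here is an added Python model of the UDP case described above; it is illustrative code, not taken from the article or from any of the products named. An outgoing UDP datagram installs a temporary reverse rule that admits one matching answer and expires if unused, while all other inbound UDP is denied. The 10.1. site range, the 30-second timeout and the packet trace are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (inside -> outside) or "in" (outside -> inside)

class DynamicFilter:
    """Inbound UDP is denied by default; an outgoing datagram installs a
    temporary rule admitting one matching answer, which expires if unused."""
    def __init__(self, inside_prefix: str, reply_timeout: float = 30.0):
        self.inside_prefix = inside_prefix  # assumed site range, e.g. "10.1."
        self.reply_timeout = reply_timeout  # seconds a temporary rule lives
        self.pending = {}                   # expected reply 5-tuple -> expiry

    def handle(self, pkt: Packet, now: float) -> str:
        # Drop temporary rules whose answer never arrived in time.
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        if pkt.direction == "out":
            if pkt.proto == "udp" and pkt.src.startswith(self.inside_prefix):
                # Reverse rule: the answer must come from the server we sent
                # to, back to exactly the source address and port we used.
                key = ("udp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
                self.pending[key] = now + self.reply_timeout
            return "ACCEPT"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.pending:
            del self.pending[key]  # one answer admitted, then the rule is gone
            return "ACCEPT"
        return "DROP"

def run_trace(events, inside_prefix="10.1.", reply_timeout=30.0):
    """Apply the filter to (time, packet) pairs and return the decisions."""
    fw = DynamicFilter(inside_prefix, reply_timeout)
    return [fw.handle(pkt, t) for t, pkt in events]

# Constructed trace: a DNS query, its answer, a replayed copy of that answer,
# an unsolicited datagram aimed at the same port, and an answer that is late.
TRACE = [
    (0.0, Packet("udp", "10.1.1.5", 40000, "192.0.2.53", 53, "out")),
    (1.0, Packet("udp", "192.0.2.53", 53, "10.1.1.5", 40000, "in")),
    (1.5, Packet("udp", "192.0.2.53", 53, "10.1.1.5", 40000, "in")),
    (2.0, Packet("udp", "198.51.100.9", 53, "10.1.1.5", 40000, "in")),
    (3.0, Packet("udp", "10.1.1.5", 40001, "192.0.2.53", 53, "out")),
    (40.0, Packet("udp", "192.0.2.53", 53, "10.1.1.5", 40001, "in")),
]
```

Running `run_trace(TRACE)` yields ACCEPT, ACCEPT, DROP, DROP, ACCEPT, DROP: the replayed answer, the unsolicited datagram and the late answer are all refused even though they are aimed at ports that were recently open.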

The first systems that might be called "third-generation" are just
starting to appear on the market. For example, the Borderware product
from Border Network Technologies and the Gauntlet 3.0 product from
Trusted Information Systems look like proxy systems from the external
side (all requests appear to come from a single host), but look like
packet filtering systems from the inside (internal hosts and users
think they're talking directly to the external systems). They
accomplish this magic through a generous amount of internal bookkeeping
on currently active connections and through wholesale packet rewriting
to preserve the relevant illusions to both sides. The
KarlBridge/KarlBrouter product extends packet filtering in other
directions, providing extensions for authentication and filtering at
the application level. (This is much more precise than the filtering
possible with traditional packet filtering routers.)

While firewall technologies are changing, so are the underlying
technologies of the Internet, and these changes will require
corresponding changes in firewalls.
