©workingarts.com |
April 2002 Madera Chamber of Commerce Information Security Article

Information Security in plain English, by Frederic Martin

When you talk about the Internet and networking with computer people, they invariably end up talking about security and about "putting your confidential data behind a firewall". You have heard that word and it sounds like some kind of protection box, but what is a firewall? What is it and how does it work?

A broad definition could be: a firewall is a protection device or computer program used to shield a networked computer, or computers, from being attacked. A firewall is smart protection when your computer is connected to the Internet or when you want to separate two network segments. For example, you may want to restrict access (beyond password protection) to the payroll database from the rest of the main company network used by your employees.

Firewalls gained mainstream visibility as more businesses started to leverage the Internet as a component of their information infrastructure and needed to protect their corporate data from outside intruders. In fact, firewall companies were some of the first information security companies to go public (Secure Computing, Check Point Software, Raptor, Trusted Information Systems, etc.) in the mid to late 1990s: not only because there was a clearly bright market ahead of them, but also because the security function of firewalls was easy to understand -- even to Wall Street bankers, who are notoriously computer phobic: once they got it, they bought into it. Also, let's not forget the contribution of all those highly publicized security breaches, regularly plastered in daily newspapers, as they most assuredly helped create and inflate the firewall and information security market values (at least until the dot-bomb era came along).

There are a few kinds of firewalls: packet-filter firewalls (the simplest), circuit-level firewalls and application-gateway firewalls (the most complex).
To understand how they work, we first need to discuss computer communications protocols. When a computer is on a network, it has a unique IP (Internet Protocol) address, and each application or program on your computer uses a specific port number through which it communicates with other computers, either on the local network or over the Internet. For example, SMTP -- Simple Mail Transfer Protocol -- uses port number 25 between your computer and the email server you use whenever you send out an email; the web (HTTP - Hyper Text Transfer Protocol) uses port 80 between your browser and the server that hosts the sites you visit, etc.

Among other things, firewalls monitor the ports being used by the programs on your computer and analyze the data packets being sent through. Each data packet has a particular standardized architecture that the firewall looks for during its analysis. Hang in there, I'm almost done. Each data packet has a source and destination IP address in it. That information is used by the Internet communication protocol (TCP/IP, which stands for Transfer Control Protocol/Internet Protocol) to move packets around your company's network and across the Internet.

Packet-filter firewalls examine the packets' IP source and destination addresses (and the ports being used) and allow or disallow access based on those addresses and the corresponding policies created by your network administrator.

One additional (and very nice) feature that circuit-level firewalls provide is called Network Address Translation (or NAT). NAT hides your computer's address from the outside world, which only "sees" the external address of the firewall. Any computer behind the firewall is invisible to the outside world: the firewall is the traffic cop that redirects the information between the private network and the Internet.

The most complex
(and expensive) firewalls are application-proxy firewalls: the firewall deals with the application on your behalf, analyzes the data it receives and sends your computer the data it considers safe to use. You think that you are communicating with the outside server on the Internet and the server thinks that it is dealing with you, but neither is true: both entities are communicating with the firewall. As you can imagine, these firewalls use a lot of computer cycles and end up requiring very powerful machines to run at acceptable speeds, which is why those firewalls end up being bundled or installed on dedicated hardware devices specifically engineered for this kind of heavy "number crunching". These devices are called firewall appliances, and they are increasingly in use these days, because speed is the name of the game! The last thing you want is your firewall to become a traffic bottleneck as it analyzes the data that is sent and received by everyone behind the network and the outside computers with which they communicate.

But enough of that techno babble. Until a few years ago, firewalls were expensive software or hardware solutions, with $5,000 to $30,000 price tags depending on the bells and whistles built in. Thanks to a few smart vendors, you can now get bare-bones firewalls in a box for a few hundred dollars. About two years ago or so, even cheaper personal firewall software solutions made their appearance on the market: you can load them right onto your computers (some are even free: for example, Zone Labs* has a free bare-bones personal firewall solution that can be easily upgraded, for a fee, to a much more feature-rich Pro version). Another company, InfoExpress*, has combined a Virtual Private Network (VPN) solution with a personal firewall: the VPN encrypts the session from the remote user to the corporate network and the "CyberArmor" provides firewall-like protection. The whole solution is centrally managed on a corporate server (another computer), so that the individual employees don't have to know anything about configuring their firewall: it's all done automatically, remotely and according to the corporate security policy.

One must note, however, that personal firewall software products can only offer limited protection and should be considered complementary to more complex firewalls. Mainstream antivirus vendors such as McAfee* and Symantec* also market personal firewalls for about $50 to $70 per seat. Even Microsoft* has now embedded firewall technology into its recently released Windows XP operating system. Personal firewall software solutions may be robust, but they cannot replace their dedicated hardware counterparts simply because hardware firewalls have multiple network interface cards, which allow them to truly isolate a computer from the outside world yet provide that same computer with safe connectivity to the Internet.
Firewalls themselves are only one component of an information security arsenal; you can attach many additional security solutions to them: strong user authentication products, web and applet control, antivirus filters, combined with load-balancing devices. All that becomes complex as more users keep asking for faster data throughput from their firewall; we'll discuss those technologies in subsequent columns. Until next time, have a safe month, back up your data and keep updating those virus signatures.