Many network services have been proven exploitable and network service tools have become widely available. Even without compromising any information, the temporary blackout of a server or network can mean many hours of lost work and missed business opportunities.
Companies connect to the Internet, and exchange data via dialup; ISDN and leased lines. Furthermore, employees are offered remote access options. However, every incoming connection is likely to have outgoing connections as well.
No computer network is completely secure. Like any lock, if it is built by a human being, it can be broken by a human being. A small security measure may prevent most amateurs from causing annoyances to the computer network. However, a major network should not settle for such small security measures.
Security is expensive. Dedicated hardware and software has to be purchased, installed, configured and maintained by either hiring, employing or creating expertise. Often changes have to be made to existing infrastructure requiring more hardware or causing downtime.
Glossary of Terms
Bridge
A device which forwards traffic between network segments based on data link layer information. These segments would have a common network layer address.
Firewall
A dedicated gateway machine having special security precautions. A firewall is used to service outside network, especially Internet connections and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind the firewall from hackers. The typical firewall is an inexpensive microprocessor-based unit machine that has modems and public network ports. The machine has one carefully monitored connection to the rest of the cluster and contains no critical data.
Router
A device which forwards packets between networks. The forwarding decision is based on network layer information and routing tables, often constructed by routing protocols.
Packets
The unit of data sent across a network. “Packet” is a generic term used to describe a unit of data at any layer of OSI protocol stack, but it is most correctly used to describe application later data units (“application protocol data unit”, APDU).
Packet Filters
Every packet is compared against a rule base and a decision is executed based on the matching rule.
Rule Base
A set of rules which determines which packets to allow or disallow through a network.
HTML: Hypertext Markup Language
The language used to describe WWW pages.
A tag-based ASCII language that is used to specify the content and hypertext links to other documents on World Wide Web servers on the Internet. Browsers made for any operating system, (hardware platform, monitor resolution, etc.) can then be used to view the prepared documents and follow links to display other documents.
Network Interface Card (Network Card)
A name for the LAN Adaptor (printer circuit board) installed in a PC, that enables it to communicate over a LAN. The term is used commonly by IBM PC and token ring users.
IP Address
All network-layer protocols have an address format. For 32-bit IP addresses of the TCP/IP protocol, IP addresses are in the format of “199.12.1.1”. This format is called dotted decimal, and each of the four sections is a decimal number from 0 to 255, representing 8 bits of the IP address that specifies a specific host on that network.
Since there are only 32 bits to the entire IP address and some networks have many more hosts than others (and there are fewer larger networks), there are different address classes. The different addresses allocate different numbers of bits to the network and the host portion of the address.
DMZ De-Militarised Zone
From the military term for an area between two opponents where fighting is prevented.
DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets link regional networks with routers to internal networks. Internal DMZ Ethernets link local nodes with routers to the regional networks.
Current Technology
Many different types of firewall and security software are known. They can be broken down to three categories. (We do not consider personal firewalls protecting a single home computer).
Proxy based: The firewall serves as an application-proxy between systems that physically connect to different network interfaces on the firewall server. An application-proxy acts as an agent or substitute at the application level for entities that reside on one side of the firewall when dealing with entities on another side of the firewall. By maintaining this separation between interfaces, and continuously protocol checking, the firewall provides a very secure environment. However, proxy based firewall is demanding on CPU time and may become an issue on high volume sites.
Stateful inspection: Whenever the firewall receives a packet initiating a connection, that packet is reviewed against the firewall rule base in sequential order. If the packet goes through any rule without being accepted, the packet is denied. If the connection is accepted, the session is then entered into the Firewall's stateful connection table, which is located in memory. Every packet that follows is then compared to the stateful inspection table. If the session is in the table, and the packet is part of that session, then the packet is accepted. If the packet is not part of the session then it is dropped. This improves system performance, as every single packet is not compared against the rule base.
Packet filters: Every packet is compared against the rule base and a decision is executed based on the matching rule or rules.
Most of the high-end firewalls provide combinations or hybrids of the above-mentioned techniques. All known examples have in common, that they are technically routers and need to have different subnets on each network interface.
Router vs. Bridge
A router is a device that forwards packets between networks. The router is aware of different networks and how to communicate to the networks. This is the technique currently used by all known commercial firewalls. This implies that hosts on a different side of the firewall have to have a different network address, as the traffic will otherwise never end up at the firewall. This technique requires changes to the network's dial-in device and the LAN.
A bridge is a device that forwards traffic between network segments based on data link layer information. The bridge functions based on the MAC address.
The present invention emerged from a real life situation where a company wanted to protect their dial-in server. The dial-in server provided network connectivity for employees and third parties. However, the company had an insecure Internet connection and a new third part needed access to the company's computer system.
Implementing any sort of conventional firewall would have meant reconfiguring the addressing-scheme of the dial-in server and coordinating changes with the remote companies.
It would therefore be desirable to provide a network security device that effectively protects a computer network system and does not require the implementation of the existing firewall.