This page contains an archived post to the Jini Forum made prior to February 25, 2002.
Posted by joe on November 29, 2001 at 2:56 PM
Create a security policy
1. Describe what you need to service
2. Describe the group of people you need to service
3. Describe which service each group needs access to
4. For each service group describe how the service should be kept secure
5. Write a statement making other forms of access a violation
Types of Firewalls
There are two types of firewalls.
1. Application-level firewalls: Proxy Servers (sometimes called firewalls) - that make network connections for you.
2. Network-level firewalls: Filtering Firewalls - that block selected network packets.
Application-level firewalls ("proxy" firewalls)
Application-level firewalls first determine if a requested connection between a computer on the internal network and one on the outside is permitted. If the connection is authorized, the firewall, mimicking the application, sets up the necessary communication links between the two computers. As an intermediary, the firewall can monitor the communication between the two networks and suppress any unauthorized activity.
Proxies are mostly used to control, or monitor, outbound traffic. Some application proxies cache the requested data.
There are two types of proxy servers.
1. Application Proxies - that do the work for you.
2. SOCKS Proxies - that cross wire ports.
The best example is a person telnetting to another computer and then telnetting from there to the outside world.
With an application proxy server the process is automated. As you telnet to the outside world the client will send you to the proxy first. The proxy then connects to the server you requested (the outside world) and returns the data to you.
Because proxy servers are handling all the communications, they can log everything they (you) do. For HTTP (web) proxies this includes every URL that you see.
For FTP proxies this includes every file you download. They can even filter out "inappropriate" words from the sites you visit or scan for viruses.
Application proxy servers can authenticate users. Before a connection to the outside is made, the server can ask the user to login first. To a web user this would make every site look like it required a login.
A SOCKS server is a lot like an old switchboard. It simply cross-wires your connection through the system to another outside connection.
Most SOCKS servers only work with TCP-type connections. And, like filtering firewalls, they don't provide for user authentication. They can, however, record where each user connected.
Network-level firewalls ("packet-filtering" firewalls)
Rather than impersonating an application, as do application-level firewalls, network-level firewalls examine the packets of information sent at the transport level to determine whether a particular packet should be blocked. Each packet is either forwarded or blocked based on a set of rules defined by the firewall administrator.
Packet Filtering Firewalls
A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet.
Many network routers have the ability to perform some firewall services. Filtering firewalls can be thought of as a type of router.
Filtering firewalls do not provide for password controls. Users cannot identify themselves. The only identity a user has is the IP number assigned to their workstation. This can be a problem if you are going to use DHCP (dynamic IP assignment). Because rules are based on IP numbers, you will have to adjust the rules as new IP numbers are assigned.
Filtering firewalls are more transparent to the user. The user does not have to set up rules in their applications to use the Internet.
- firewall param January 16, 2002 at 2:15 AM