DOCSLIB.ORG

Network Security: a Simple Guide to Firewalls

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

WHITE PAPER Network Security: A Simple Guide to Firewalls Network Security There are experts who say, “If you are connected to the Internet, you need a firewall.” The decision may not be A Simple Guide to Firewalls more complicated than that. However, you’ll probably consider a combina- Loss of irreplaceable data is a very real tion of factors. Start with the basic threat for any business owner whose questions you’d ask about any other network connects to the outside world. security system. Remote access for employees and con- nection to the Internet may improve Do I Have Anything Worth communication in ways you’ve hardly Protecting? imagined. Access to the Internet can Be sure to consider: open the world to communicating with customers and vendors, and is an • Confidential client, supplier, or immense source of information. But employee information that might these same opportunities open a local expose you to a lawsuit if you allow area network (LAN) to the possibility someone else to capture it of attack by thieves and vandals and abuse by your own employees. • Intellectual property that gives you a competitive edge in the market Figuring out the right amount of secu- CONTENTS rity for your network takes some con- • Critical business records that would sideration. The first thing to consider is have to be recovered and/or Why a Firewall—Am I Really at what your data is worth. A quick recreated Risk? . 1 answer is, “Maybe more than you think.” When you consider the value of What Is a Firewall? . 2 It isn’t always safe to assume that no your data, remember risks such as legal one else wants your data. Some hack- Types of Attack . 2 liability and loss of competitive edge, or ers operate on a nonprofit basis. They the effect of lost production if your net- Firewall Technologies . 3 may capture data or vandalize your work is compromised. Many analysts system just because they can. Additional Firewall Features say very bluntly, “If you are on the and Functionality . 4 Internet, you need a firewall.” Aren’t My Valuables Already Choosing a Firewall . 5 The benefits of connecting to the Inter- Adequately Protected? Designing a Firewall into net are clear. This paper discusses the The truth is that if you have valuable Your Network . 6 risks you face when you connect to the electronic property, it may not be as Internet, describes the types of attacks safe as you would like to think it is. Conclusion . 6 that can occur, and offers an overview You can do a lot to protect your sys- of firewall technology, which can protect tem if you: your network from hackers. Specifically, the paper discusses the implementation • Back up your information every of a firewall and what you should con- night sider in choosing the type of firewall you require. • Set up unshared folders behind tough passwords and password Why a Firewall—Am I rules Really at Risk? • Use your access router or browser Anyone can become a hacker. It to filter incoming traffic from all doesn’t require a technological whiz but trusted sites kid to wreak havoc on your network. A wide range of tools and utilities can Unfortunately, hackers have many be easily downloaded from the Inter- sophisticated software tools at their net; and with their help, almost any- disposal. Given enough time and one can become a competent hacker determination, a skilled hacker may at the touch of a button. get through the standard safeguards. 1 If he does, he can run software pro- • It screens outgoing traffic to limit grams to break your passwords. If Internet use and/or access to remote you have valuable data on your net- sites. work and the network is exposed to outside computers, chances are very Screening Levels good you need a firewall. A firewall can screen both incoming and outgoing traffic. Because incom- What Is a Firewall? ing traffic poses a greater threat to the A firewall is a system that enforces an network, it’s usually screened more access control policy between two closely than outgoing traffic. networks—such as your private LAN and the unsafe, public Internet. The When you are looking at firewall firewall determines which inside ser- hardware or software products, you’ll vices can be accessed from the out- probably hear about three types of side, and vice versa. The actual means screening that firewalls perform: 3DES Data Encryption Standard by which this is accomplished varies • Screening that blocks any incoming (168-bit) widely, but in principle, the firewall can be thought of as a pair of mecha- data not specifically ordered by a DMZ demilitarized zone nisms: one to block traffic, and one to user on the network permit traffic. A firewall is more than DoS denial of service the locked front door to your net- • Screening by the address of the FTP File Transfer Protocol work—it’s your security guard as sender well. HTTP Hypertext Transfer Protocol • Screening by the contents of the ICSA International Computer Firewalls are also important because communication Security Association they provide a single “choke point” where security and audits can be Think of screening levels as a process LAN local area network imposed. A firewall can provide a net- of elimination. The firewall first work administrator with data about determines whether the incoming NAT Network Address Translation what kinds and amount of traffic transmission is something requested POP3 Post Office Protocol, Version 3 passed through it, how many attempts by a user on the network, rejecting were made to break into it, and so on. anything else. Anything that is SMTP Simple Mail Transfer Protocol Like a closed circuit security TV sys- allowed in is then examined more TCP/IP Transmission Control tem, your firewall not only prevents closely. The firewall checks the sender’s computer address to ensure Protocol/Internet Protocol access, but also monitors who’s been sniffing around, and assists in identi- that it is a trusted site. It also checks VPN virtual private network fying those who attempt to breach the contents of the transmission. your security. WAN wide area network Types of Attack Basic Purpose of a Firewall Before determining exactly what type Basically, a firewall does three things of firewall you need, you must first to protect your network: understand the nature of security threats that exist. The Internet is one • It blocks incoming data that might large community, and as in any com- contain a hacker attack. munity it has both good and bad ele- ments. The bad elements range from • It hides information about the net- incompetent outsiders who do dam- work by making it seem that all age unintentionally, to the proficient, outgoing traffic originates from the malicious hackers who mount deliber- firewall rather than the network. ate assaults on companies using the This is called Network Address Internet as their weapon of choice. Translation (NAT). NETWORK SECURITY 2 Generally there are three types of Denial-of-Service Attacks attack that could potentially affect DoS attacks are purely malicious. your business: They don’t result in any gain for the hacker other than the “joy” of render- • Information theft: Stealing company ing the network, or parts of it, confidential information, such as unavailable for legitimate use. DoS employee records, customer records, attacks overload a system so that it or company intellectual property isn’t available—they deny your abil- ity to use your network service. To • Information sabotage: Changing overload the system, the hacker sends information in an attempt to dam- very large packets of data or programs age an individual or company’s rep- that require the system to respond utation, such as changing employee continuously to a bogus command. medical or educational records or uploading derogatory content onto To launch a DoS attack, a hacker must your Web site know the IP address of the target machine. A good firewall doesn’t • Denial of service (DoS): Bringing reveal its own IP address or the IP down your company’s network or addresses on the LAN. The hacker servers so that legitimate users can- may think he has contacted the net- not access services, or so that nor- work when he has only contacted the mal company operations such as firewall—and he can’t lock up the production are impeded network from there. Furthermore, when a hacker launches an attack, Attempts to Gain Access some firewalls can identify the incom- A hacker may attempt to gain access ing data as an attack, reject the data, for sport or greed. An attempt to gain alert the system administrator, and access usually starts with gathering track the data back to the sender, information about the network. Later who can then be apprehended. attacks use that information to achieve the real purpose—to steal or destroy Firewall Technologies data. Firewalls come in all shapes, sizes, and prices. Choosing the correct one A hacker may use a port scanner—a depends mainly on your business piece of software that can map a net- requirements and the size of your net- work. It is then possible to find out work. This section discusses the dif- how the network is structured and ferent types of firewall technologies what software is running on it. and formats available. Once the hacker has a picture of the Above all, no matter what type of network, he can exploit known soft- firewall you choose or its functional- ware weaknesses and use hacking ity, you must ensure that it is secure tools to wreak havoc. It is even possi- and that a trusted third party, such as ble to get into the administrator’s files the International Computer Security and wipe the drives, although a good Association (ICSA), has certified it.
Recommended publications
  • Ipv6 DMZ Web Service Technology Design Guide

    Ipv6 DMZ Web Service Technology Design Guide

    IPv6 DMZ Web Service Technology Design Guide August 2014 Series Table of Contents Preface ........................................................................................................................................1 CVD Navigator .............................................................................................................................2 Use Cases .................................................................................................................................. 2 Scope ......................................................................................................................................... 2 Proficiency .................................................................................................................................. 2 Introduction .................................................................................................................................3 Technology Use Cases ............................................................................................................... 3 Use Case: Enable Native IPv6 Access for Network Traffic Between the Internet and a Web Server DMZ Network.............................................................................................................. 3 Use Case: Enable IPv6 Access for Network Traffic Between the Internet and an IPv4-only Web Server DMZ Network ..................................................................................................... 3 Design Overview ........................................................................................................................
  • Iptables with Shorewall!

    Iptables with Shorewall!

    Iptables with shorewall! Table of Contents 1. Install swarmlab-sec (Home PC) . 1 2. shorewall . 1 2.1. Installation . 2 3. Basic Two-Interface Firewall. 2 4. Shorewall Concepts . 3 4.1. zones — Shorewall zone declaration file . 3 4.2. interfaces — Shorewall interfaces file. 4 4.3. policy — Shorewall policy file . 4 4.4. rules — Shorewall rules file . 4 4.5. Compile then Execute . 4 5. Three-Interface Firewall. 5 5.1. zones . 6 5.2. interfaces . 6 5.3. policy . 7 5.4. rules . 7 5.5. masq - Shorewall Masquerade/SNAT definition file . 7 5.6. snat — Shorewall SNAT/Masquerade definition file . 8 5.7. Compile and Execute . 8 1. Install swarmlab-sec (Home PC) HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html NOTE Assuming you’re already logged in 2. shorewall Shorewall is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files. More: wikipedia 1 NOTE Our docker instances have only one nic to add more nic’s: create netowrk frist docker network create --driver=bridge --subnet=192.168.0.0/16 net1 docker network create --driver=bridge --subnet=192.168.0.0/16 net2 docker network create --driver=bridge --subnet=192.168.0.0/16 net3 then connect network to container connect network created to container docker network connect net1 master docker network connect net1 worker1 docker network connect net2 master docker network connect net2 worker2 now let’s look at the following image 2.1.
  • How to Configure Some Basic Firewall and VPN Scenarios

    How to Configure Some Basic Firewall and VPN Scenarios

    AlliedWareTM OS How To | Configure Some Basic Firewall and VPN Scenarios Introduction This document provides examples that illustrate common configurations for security routers. You may want to make changes or enhancements to these configurations to customize them to your particular requirements. However, with the configurations provided here, you can be quickly operational with a reliable and secure Internet connection. What information will you find in this document? The first section provides the basic configuration for two likely methods that will be used for an Internet connection from the security router: z "Script A: basic Ethernet connection" on page 3 z "Script B: basic PPPoE configuration" on page 7 The second section provides three extra configurations to enable the router to support three popular forms of Virtual Private Network (VPN) connection, followed by a configuration for a Mail server on a DMZ. One or more of these additional scripts can be added to either of the basic configuration scripts: z "Script C: internal L2TP Network Server (LNS)" on page 11 z "Script D: IPsec tunnel" on page 13 z "Script E: PPTP server on LAN behind router" on page 16 Then the second section ends with an example in which private IP addresses are used on the DMZ LAN: z "Script F: DMZ using private addresses" on page 17 C613-16069-00 REV B www.alliedtelesis.com Introduction > Related How To Notes These six configuration examples are as general as possible, and no actual IP addresses have been specified. IP addresses are represented by placeholder names in angled brackets, for example, <dmz-ip-address>.
  • 9 Steps to Protect Against Ransomware

    9 Steps to Protect Against Ransomware

    9 Steps to ProtectUsers/Devices Against Ransomware Home Security Dashboard Security Dashboard IT Support Analyst Task Overview Devices Vulnerability Scan With Vulnerabilities In Last 30 Days Security Manager Critical Security Dashboard 40 Devices 95 Not Scanned Self Service Important/High 85 Estimated Not Scanned 90 Devices 31 Scanned So ware Catalog Moderate/Medium 15% Launchpad 90 Devices Asset Manager NA 140 Devices So ware Asset Hardware Asset Inventory Scan Most detected Critical/High Vulnerables In Last 30 Days In Last 30 Days Sign Out MS15-080_MSU 70 Devices 169 Not Scanned 42 Scanned MS15-084_MSU White Paper 70 Devices 20% MS15-049_INTL 50 Devices MS15-049_INTL 50 Devices Contents Introduction . 1 Prevention . .. 2 1. Patch the critical operating systems and applications .................................2 2. Ensure that antivirus software is up-to-date and that regular scans are scheduled .......3 3. Manage the use of privileged accounts ..............................................4 4. Implement access control that focuses on the data ...................................4 5. Define, implement, and enforce software rules .......................................6 6. Disable macros from Microsoft Office files ...........................................6 Other considerations . 6 7. Implement applications whitelisting ................................................7 8. Restrict users to virtualized or containerized environments ............................7 9. Back up critical files frequently .....................................................7 Ransomware incidents are on the rise . Fight back! . 8 References . 8 This document contains the confidential information and/or proprietary property of Ivanti Software, Inc. and its affiliates (referred to collectively as “Ivanti”), and may not be disclosed or copied without prior written consent of Ivanti. Ivanti retains the right to make changes to this document or related product specifications and descriptions, at any time, without notice.
  • Trojans and Malware on the Internet an Update

    Trojans and Malware on the Internet an Update

    Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY Abstract This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form. Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus Attitude Adjustment: Trojans and Malware on the Internet Trojans On the Internet… Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within.
  • Breaking Antivirus Software Joxean Koret, COSEINC 44CON, 2014

    Breaking Antivirus Software Joxean Koret, COSEINC 44CON, 2014

    Breaking Antivirus Software Joxean Koret, COSEINC 44CON, 2014 Breaking antivirus software Introduction Attacking antivirus engines Finding vulnerabilities Exploiting antivirus engines Antivirus vulnerabilities Conclusions Recommendations Antivirus Engines Common features of AV engines: Written in C/C++. Signatures based engine + heuristics. On-access scanners. Command line/GUI on-demand scanners. Support for compressed file archives. Support for packers. Support for miscellaneous file formats. Advanced common features: Packet filters and firewalls. Drivers to protect the product, anti-rootkits, etc... Anti-exploiting toolkits. Antivirus products or engines An antivirus engine is just the core, the kernel, of an antivirus product. Some antivirus engines are used by multiple products. For example, BitDefender is the most widely used antivirus kernel. It's used by so many products like QiHoo360, G-Data, eScan, F-Secure, etc... Most “big” antivirus companies have their own engine but not all. And some companies, like F-Secure, integrate 3rd party engines in their products. In general, during this talk I will refer to AV engines, to the kernels, except when specified the word “product”. Attack surface Fact: installing an application in your computer makes you a bit more vulnerable. You just increased your attack surface. If the application is local: your local attack surface increased. If the application is remote: your remote attack surface increased. If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... Your attack surface dramatically increased. Myths and reality Antivirus propaganda: “We make your computer safer with no performance penalty!” “We protect against unknown zero day attacks!”.
  • Cyber Warfare: Surviving an Attack

    Cyber Warfare: Surviving an Attack

    14 Cyber Warfare: Surviving an Attack By Devabhaktuni Srikrishna Cyberspace is a new domain of warfare. Created to minimize the vulnerability of United States communications networks to a crippling nuclear first strike by the Soviet Union, the Internet that was originally envisioned to enhance U.S. security is turning into a battlefield 1 for nations or sub-national groups to launch virally spreading attacks 2 and induce network failures potentially involving critical infrastructure systems.3 Cyber warfare and cyberoffense 4 have been a part of U.S. military operations for decades.5 Treaties and rules of engagement define what is off-limits during a cyberwar.6 The more vulnerable the system is, the more policy is necessary to deter adversarial nations from launching attacks, and vice-versa. Some cyberattacks are analogous to air forces probing one anotherʼs defenses or perhaps to espionage during the Cold War, which occurred though there was no official war and no physical harm. Cyberespionage largest recent cyberattacks in their book, but due to a gap in theory and practice. operations of China, for example, against the United States and its allies Cyber War: The Next Threat to National Organizations are vulnerable to the extent have been going on for years and will Security and What to Do About It. Once a they want to be and to how much they want never really end.7 virus or malware is inadvertently to spend to address vulnerabilities. 14 And downloaded onto a networked personal cyber vulnerabilities can be completely U.S. Air Force General Kevin Chilton, computer (PC) by a user9, the PC can be eliminated -- unlike conventional, nuclear, former Commander-in-Chief of commandeered to perform cyberattacks chemical, or biological which are permanent Strategic Command, has stated that ranging from electronic banking crimes, vulnerabilities due to laws of nature.
  • Study on Computer Trojan Horse Virus and Its Prevention ZHU Zhenfang

    Study on Computer Trojan Horse Virus and Its Prevention ZHU Zhenfang

    International Journal of Engineering and Applied Sciences (IJEAS) ISSN: 2394-3661, Volume-2, Issue-8, August 2015 Study on Computer Trojan Horse Virus and Its Prevention ZHU Zhenfang to steal or viciously revise files, spy system information, steal various commands and passwords, and even format users’ Abstract— In recent years, the fast development of computer hardware. In addition, Trojan horse virus usually records network technology, has become an integral part of human’s life, keyboard operation by means of keyboard record, and then work and study. But with the popularity of the Internet, obtains the account and password of E-bank. Attackers can computer viruses, Trojans and other new terms have become some well-known network vocabularies. Studies have shown directly steal users’ wealth by obtaining accounts and that most users of computer are more or less suffered from passwords. On the other hand, Trojan horse can also cause the computer virus. So people must attach great importance to the native machine be affected by other vicious virus. network security problem. The paper studied Trojan virus. Paper first introduced the concept, characteristics and PREVENTION OF HORSE VIRUS categories of the Trojan virus and its harm, and then focused on the way and means of the Trojan’s spread. It introduced the According to the above introduction, we know that Trojan virus loading and hiding technology, too. Its last part Trojan horse virus is very dangerous. If we neglect the focused on the prevention measures, it put forward reasonable prevention, our computer may be easily attacked. For the suggestions to users, and paper also put forward prevention prevention of Trojan intrusion, Trojan intrusion should be advice to improve network security.
  • The Antivirus Hacker's Handbook

    The Antivirus Hacker's Handbook

    The Antivirus Hacker’s Handbook The Antivirus Hacker’s HHandanddbook Joxean Koret Elias Bachaalany The Antivirus Hacker’s Handbook Published by John Wiley & Sons, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-119-02875-8 ISBN: 978-1-119-02876-5 (ebk) ISBN: 978-1-119-02878-9 (ebk) Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis- sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley .com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or war- ranties with respect to the accuracy or completeness of the contents of this work and specifi cally disclaim all warranties, including without limitation warranties of fi tness for a particular purpose. No warranty may be created or extended by sales or promotional materials.
  • Controlling for Cybersecurity Risks of Medical Device Software

    Controlling for Cybersecurity Risks of Medical Device Software

    © Copyright AAMI 2014. Single user license only. Copying, networking, and distribution prohibited. Managing Risk Controlling for Cybersecurity Risks of Medical Device Software Kevin Fu and James Blum About the Authors Editor‘s Note: This article originally appeared in Communications of the ACM (2013;56[10]21–3; doi: 10.1145/2508701). Reprinted with permission. Kevin Fu, PhD, is an associate professor of While computer-related failures are known to Measuring Medical Device Security: computer science play a significant role in deaths and injuries Quantitative or Qualitative? and engineering involving medical devices reported to the U.S. Between years 2006 and 2011, 5,294 recalls and at the University of Food and Drug Administration (FDA),1 there is approximately 1.2 million adverse events of Michigan in Ann Arbor, MI. He also is a Sloan research no similar reporting system that meaningfully medical devices were reported to the FDA’s fellow. E-mail: [email protected] captures security-related failures in medical Manufacturer and User Facility Device devices. Experience (MAUDE) database.1 Almost 23% of James Blum, MD, Medical device software must satisfy system these recalls were due to computer-related is chief of critical properties, including safety, security, reliability, care and surgical failures, of which approximately 94% presented specialty anesthesia resilience, and robustness, among others. This medium to high risk of severe health conse- at Emory University column focuses on the challenges to satisfying quences (such as serious injury or death) to Hospital in a security property for medical devices: post- patients.1 For security incidents on medical Atlanta, GA, and market surveillance, integrity and availability, devices, no systematic national reporting assistant professor of anesthesiology and regulation and standards.
  • Why Malware Works in Face of Antivirus Software

    Why Malware Works in Face of Antivirus Software

    Outsmarted - Why Malware Works in face of Antivirus Software Matthias Deeg, Sebastian Nerz, Daniel Sauder Outsmarted – Why Malware Works in face of Antivirus Software For many years, different types of malware rank among the biggest IT security threats both in the business and the private domain. In order to protect one- self from the dangers of malware, numerous software manufacturers offer IT security products like antivirus and endpoint protection software. But these products alone offer no sufficient protection from malware that knows some tricks, as the results of our recent research with the topic antivirus evasion show. n the recent past, there were several com- from antivirus software. Thereby, current results puter-based attacks against IT networks that of our recent research are presented and recom- became public and raised a lot of media at- mendations are given for dealing with threats and Itention. Especially the attacks against the New security risks caused by malware. York Times [1] and the Washington Post [2] at the beginning of 2013 had a world-wide media How Antivirus Software Works coverage and also heated the debate about such Current antivirus software, no matter if a stand- cyber threats with manufacturers of IT security alone software product or a component of a soft- products like antivirus and endpoint protection ware suite (host intrusion detection/prevention software. In both mentioned cases, attackers were software, endpoint protection software, etc.), uses able to install malware on computer systems of different methods to detect known and unknown employees in order to literally spy on the affect- threats by means of malware.
  • Guidelines on Firewalls and Firewall Policy

    Guidelines on Firewalls and Firewall Policy

    Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Revision 1 Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director GUIDELINES ON FIREWALLS AND FIREWALL POLICY Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-41 Revision 1 Natl. Inst. Stand. Technol. Spec. Publ. 800-41 rev1, 48 pages (Sep. 2009) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.