The Use of Firewalls in an Academic Environment JTAP-631

Tim Chown
Jon Read
David DeRoure
Department of Electronics and Computer Science
University of Southampton
April 2000

Contents

1 CONTENTS
2 EXECUTIVE SUMMARY
3 INTRODUCTION
  3.1 ACKNOWLEDGEMENTS
4 AN INTRODUCTION TO FIREWALL CONCEPTS
  4.1 WHAT IS A FIREWALL?
  4.2 TYPES OF FIREWALL
  4.3 MODES OF OPERATION
  4.4 WHERE SHOULD A FIREWALL BE SITUATED?
    4.4.1 JANET-level firewalls
5 GENERAL FIREWALL-RELATED ISSUES
  5.1 THE COMPUTER MISUSE ACT AND CORPORATE LIABILITY
  5.2 DATA PROTECTION ACT 1998
  5.3 DTI/BSI/ISF STANDARDS
  5.4 GROWTH OF THE INTERNET
  5.5 SECURITY INCIDENTS ON JANET
  5.6 IMPACT OF AN ATTACK
6 EVALUATING A FIREWALL SOLUTION
  6.1 COST
  6.2 FUNCTIONALITY
  6.3 TRAINING, SUPPORT AND DOCUMENTATION
  6.4 MISCELLANEOUS FEATURES
  6.5 FIREWALL EVALUATION CHECKLIST
7 INTRODUCING A FIREWALL
    7.1.1 Drivers for change
  7.2 INITIAL NON-FILTERING DEPLOYMENT
  7.3 PERFORMANCE, DEPLOYMENT AND COST ISSUES
    7.3.1 Performance
    7.3.2 Hardware
    7.3.3 Other costs
    7.3.4 Installation disruption
  7.4 RUNNING A WATCHING BRIEF
    7.4.1 User survey
    7.4.2 Understanding the traffic
  7.5 EVOLVING DEFAULT ALLOW RULES
    7.5.1 Classifying traffic
  7.6 ADDING THE FIRST INBOUND DENY RULES
    7.6.1 Consulting the users
    7.6.2 An evolved Firewall-1 rule set
    7.6.3 Initial technical issues
    7.6.4 Blocking SMTP
    7.6.5 The portmapper
  7.7 DEFINING AND ESTABLISHING A SECURITY POLICY
    7.7.1 What questions should a firewall policy answer?
  7.8 GOING DEFAULT DENY
  7.9 SIX MONTHS ON
    7.9.1 Summary of five weeks of blocked firewall events
    7.9.2 Unsolicited probes against our network
    7.9.3 Services that are hard to filter
    7.9.4 Maintenance on Firewall-1
    7.9.5 Outbound filtering
    7.9.6 Interaction with Computing Services
8 OPERATIONAL FIREWALL ISSUES
  8.1 FIREWALL TESTING
  8.2 TECHNICAL ISSUES
    8.2.1 Getting the more complex services running
    8.2.2 Proxy servers – SOCKS
  8.3 USE OF A DE-MILITARISED ZONE (DMZ)
  8.4 ISSUES WITH FIREWALL-1
  8.5 BEHIND THE FIREWALL
  8.6 ANALYSING FIREWALL LOGS
  8.7 INTRUSION AND VIRUS DETECTION SYSTEMS
  8.8 USER ISSUES
9 SECURE TRANSIENT FIREWALL ACCESS METHODS
  9.1 USER AUTHENTICATION
    9.1.1 SecurID tokens
  9.2 MAKING SSH AVAILABLE OVER THE WEB
  9.3 SSL FOR SECURE WEB SERVERS
  9.4 SSL FOR SECURE E-MAIL ACCESS
  9.5 USE OF TRANSPORT LAYER ENCAPSULATION FOR SECURE ACCESS THROUGH A FIREWALL

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 101
