The basic line of defense for a network is a firewall that examines and evaluates everything passing through it, together with the security policies that define who may access the network and which services are allowed.
A firewall is a method that combines security policies, hardware, and software to protect a network from unauthorized intrusion. Firewalls are usually set up at a high-level gateway (such as your Web site's connection to the Internet), but they can also be set up at lower-level gateways to protect parts of the network internally (e.g., the segment holding sensitive financial or personnel records). With a firewall, traffic in and out of the network is selectively restricted: employees and other authorized users are given access to the Internet, while connections initiated from the Internet into the internal network are blocked unless a rule explicitly permits them. A screening router, or packet filter (see below), blocks traffic based on IP addresses and port numbers. Other firewall techniques include proxy servers, network address translation (NAT), and stateful inspection (see a previous Jargon Watch for these terms).
A gateway is a network point (or node) where traffic flows between a secure network and an unsecure one. Gateways are often used together with routers to form a firewall. An application gateway is a kind of proxy in which an application on the gateway forwards one specific kind of application traffic (HTTP, SMTP, and so on) through the firewall. A circuit gateway relays connections from one side to the other without looking at the data they carry (a SOCKS server, for example). A dual-homed gateway is a firewall built on a bastion host that has two network interfaces.
A bastion host is a hardened computer placed where it is exposed to attack. In the classic firewall layout it has two network interfaces, one connected to the unsecure Internet and the other to the enterprise's protected network. IP routing (forwarding) between the two is disabled, so traffic does not cross the bastion host unless a proxy running on it specifically forwards it. Bastion hosts typically run the publicly exposed services, such as Web, mail, DNS, and FTP servers. Sometimes a network administrator also deploys a decoy bastion host that is deliberately exposed to attackers, both to delay them and to make attempted break-ins easier to track. A bastion host should not share authentication services (password databases, trust relationships) with the internal network, so that compromising it does not by itself hand the attacker credentials that work inside.
A socket is one endpoint of a connection between a client and a server. A SOCKS server is a circuit-level gateway that forwards traffic through a firewall like a generic TCP/IP proxy. It handles all kinds of traffic (Telnet, e-mail, HTTP, FTP, etc.) without understanding the meaning of the data. It allows or rejects each requested connection based on the destination or the identity of the user making the request.
SOCKS (or socks) is the protocol a proxy server uses to accept connection requests from clients on the internal network and forward them to the Internet. The protocol tracks each individual connection as its own socket and is supported by the major Web browsers.
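The SOCKS exchange described above, written out as an added example (not code from the original article): both halves of a SOCKS5 CONNECT negotiation run over an in-memory socket pair, and the gateway accepts or refuses the circuit purely on the requested destination, never looking at what the client would send afterwards. The protected-network range, the allowed ports and the TEST-NET-3 destination addresses are assumptions chosen for the example.

```python
"""SOCKS5 (RFC 1928) CONNECT negotiation between a client and a circuit-level
gateway, run over an in-memory socket pair.  Added example, not code from the
original article.  The gateway only decides whether the circuit is allowed; it
does not open the real outbound connection.  The policy is an assumption chosen
for illustration: internal clients may reach Internet hosts on ports 80 and 443
only, and anything inside 10.0.0.0/8 is refused."""
import ipaddress
import socket
import struct
import threading

VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed protected network
ALLOWED_PORTS = {80, 443}                        # assumed outbound policy


def policy_allows(dst_ip: str, dst_port: int) -> bool:
    """Circuit-level decision: destination only; the payload is never seen."""
    if ipaddress.ip_address(dst_ip) in INTERNAL:
        return False
    return dst_port in ALLOWED_PORTS


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during negotiation")
        buf += chunk
    return buf


def send_reply(sock: socket.socket, rep: int) -> None:
    # BND.ADDR/BND.PORT would describe the gateway's outbound socket; zeros here.
    sock.sendall(bytes([VER, rep, 0x00, ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00")


def gateway_side(conn: socket.socket) -> None:
    """Server half: method negotiation, then accept or refuse the CONNECT."""
    try:
        ver, nmethods = recv_exact(conn, 2)
        methods = recv_exact(conn, nmethods)
        if ver != VER or NO_AUTH not in methods:
            conn.sendall(bytes([VER, NO_ACCEPTABLE]))
            return
        conn.sendall(bytes([VER, NO_AUTH]))
        ver, cmd, _rsv, atyp = recv_exact(conn, 4)
        if cmd != CMD_CONNECT:
            send_reply(conn, REP_CMD_NOT_SUPPORTED)
            return
        if atyp != ATYP_IPV4:
            send_reply(conn, REP_ATYP_NOT_SUPPORTED)
            return
        dst_ip = socket.inet_ntoa(recv_exact(conn, 4))
        dst_port = struct.unpack("!H", recv_exact(conn, 2))[0]
        send_reply(conn, REP_SUCCEEDED if policy_allows(dst_ip, dst_port)
                   else REP_NOT_ALLOWED)
    finally:
        conn.close()


def client_side(conn: socket.socket, dst_ip: str, dst_port: int) -> int:
    """Client half: offer 'no authentication', request CONNECT, return REP."""
    conn.sendall(bytes([VER, 1, NO_AUTH]))
    _ver, method = recv_exact(conn, 2)
    if method != NO_AUTH:
        raise ConnectionError("gateway accepted none of our auth methods")
    conn.sendall(bytes([VER, CMD_CONNECT, 0x00, ATYP_IPV4])
                 + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    _ver, rep, _rsv, _atyp = recv_exact(conn, 4)
    recv_exact(conn, 6)  # BND.ADDR (4 bytes) + BND.PORT (2 bytes)
    return rep


def negotiate(dst_ip: str, dst_port: int) -> int:
    """Run both halves over a socket pair and return the gateway's reply code."""
    client_sock, gateway_sock = socket.socketpair()
    worker = threading.Thread(target=gateway_side, args=(gateway_sock,))
    worker.start()
    try:
        return client_side(client_sock, dst_ip, dst_port)
    finally:
        client_sock.close()
        worker.join()


if __name__ == "__main__":
    # Destinations are constructed from the TEST-NET-3 documentation range.
    for ip, port in [("203.0.113.10", 443), ("203.0.113.10", 22), ("10.0.0.5", 80)]:
        print(ip, port, "->", hex(negotiate(ip, port)))
```

Reply code 0x00 means the circuit was granted and 0x02 means "connection not allowed by ruleset"; a real gateway would open the outbound TCP connection before answering 0x00 and then copy bytes in both directions without interpreting them, which is exactly what makes a circuit gateway protocol-agnostic and also why it cannot enforce anything about the application data itself.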
ACLs / ACEs
Access control lists (ACLs) are used in two related senses. On routers, an ACL is the ordered list of rules that determines which traffic is allowed into different parts of a network. In operating systems such as Windows NT, an ACL is attached to each securable object, such as a file or directory, and states what privileges users have over it. Each ACL holds one or more access control entries (ACEs), each naming a user or a group of users (such as "programmers" or "testers") together with the permissions that principal is allowed or denied.
Screened Host Firewall
A screened host firewall combines a packet-filtering router with an application gateway (a bastion host). The router is configured so that the only traffic allowed in from the Internet is traffic destined for the gateway. This arrangement is more flexible but less secure than a dual-homed gateway firewall (see below): the gateway has a single network interface, and no separate subnet is required between the application gateway and the router. Services reach internal site systems through the gateway's proxies.
A packet-filtering firewall blocks traffic at a gateway based on IP addresses and/or port numbers; it is also known as a screening router. It blocks unwanted traffic by source address, destination address, or service type (e-mail, FTP, etc., identified by port number). Packet filtering is generally performed in a router. It is less secure than other forms of firewall because it decides on header fields alone, which makes it more vulnerable to IP spoofing. It offers no user authentication (password controls), simple filtering routers historically provided little or no logging, and a large rule set is hard to test thoroughly. It is nonetheless the most common choice for small, simple sites.
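How a screening router applies the ACL semantics described in the ACLs/ACEs and packet-filtering sections, as an added example that is not from the original article: an ordered rule list evaluated first-match with an implicit deny at the end. It includes the one countermeasure a stateless filter does have against spoofing, an anti-spoofing rule dropping Internet-side packets that claim an internal source, and shows that rule order decides whether that countermeasure works. The network, bastion address and sample packets are constructed for the example.

```python
"""Stateless packet filter of the kind a screening router applies: an ordered
access list evaluated first-match, with an implicit deny at the end.  Added
example, not code from the original article.  Interfaces, addresses and the
rule set are constructed for illustration (documentation address ranges)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None    # None matches any port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        """Header fields only: a packet filter never looks at the payload."""
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))


INTERNAL_NET = "192.168.1.0/24"      # assumed protected network
BASTION = "192.168.1.10"             # assumed screened host (application gateway)

RULES: List[Rule] = [
    # Anti-spoofing first: a packet arriving from the Internet side can never
    # legitimately carry an internal source address.
    Rule("deny", iface="ext", src=INTERNAL_NET, note="spoofed internal source"),
    # Screened-host policy: from outside, only the bastion's services are reachable.
    Rule("permit", iface="ext", dst=BASTION, proto="tcp", dport=25, note="mail to bastion"),
    Rule("permit", iface="ext", dst=BASTION, proto="tcp", dport=80, note="web on bastion"),
    # Inside hosts may originate anything outbound.
    Rule("permit", iface="int", src=INTERNAL_NET, note="outbound from inside"),
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; traffic matching no rule is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "implicit deny"


# Constructed sample traffic (203.0.113.0/24 is the TEST-NET-3 documentation range).
SAMPLES = {
    "mail_to_bastion": Packet("ext", "203.0.113.7", BASTION, "tcp", 25),
    "telnet_to_bastion": Packet("ext", "203.0.113.7", BASTION, "tcp", 23),
    "web_to_inside_host": Packet("ext", "203.0.113.7", "192.168.1.20", "tcp", 80),
    "spoofed_mail": Packet("ext", "192.168.1.5", BASTION, "tcp", 25),
    "outbound_https": Packet("int", "192.168.1.20", "203.0.113.7", "tcp", 443),
}


def run_all(rules: List[Rule] = RULES) -> dict:
    """Verdict for every sample packet under the given rule order."""
    return {name: evaluate(pkt, rules) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, note) in run_all().items():
        print(f"{name:20s} {action:6s} ({note})")
    # Order matters: with the anti-spoofing rule moved to the end, the spoofed
    # packet is accepted by the mail rule before the deny is ever reached.
    misordered = RULES[1:] + RULES[:1]
    print("spoofed_mail, misordered:", evaluate(SAMPLES["spoofed_mail"], misordered))
```

Two things the example makes visible that the prose only asserts: the filter has no notion of a user, so "mail to bastion" is permitted for anyone on the Internet, and the filter cannot tell a forged internal source address from a real one; the anti-spoofing rule works only because it keys on the arrival interface, and only if it is ordered before any permit that the forged packet would otherwise match.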
Dual-homed Gateway Firewall
The dual-homed gateway is an alternative to the packet-filtering router. It is a host system with two network interfaces whose IP forwarding is disabled, so it cannot route packets between the two networks it connects; all direct IP traffic between the Internet and the secure network is therefore blocked. Access and services such as Telnet, FTP, and e-mail pass only through proxy servers running on the gateway. Because every connection goes through a proxy, this firewall can log access as well as attempts to intrude into the system.