1 - Principles
Behind the term "barrier guard" / firewall (hereinafter referred to as GB) lies a concept more than a piece of hardware or software. A GB can generally be made up of several elements, among which we distinguish:
- one or more routers providing the filtering functions,
- one or more machines known as "bastion systems" (SB) which, among other things, perform:
  - application gateways ("proxies") for applications, the best known being Telnet, Rlogin, Mail, FTP, X11, Gopher, W3, etc.,
  - authentication of incoming calls, possibly using systems such as S/KEY,
  - audit, logging and tracing of incoming calls, as well as of mail, W3 sessions, etc.
The role of a GB environment is to ensure a certain level of protection of the internal network while still allowing people to work without too many constraints.

2 - Why (the reasons for) a barrier guard?
There are several reasons, among which:
- Protecting yourself from "external" malicious acts:
  - the curious, who generate traffic and cause more fear than harm, but who sometimes end up being costly,
  - vandals, those who cause trouble for its own sake (link saturation, CPU saturation, data corruption, identity masquerade, etc.),
  - "espionage" (problems of confidentiality of information).
- Restricting the number of machines that have to be monitored and administered closely (this does not mean that the other machines are managed carelessly!). The (minimal) investment in a sound solution can therefore pay off down the road.
- Having a compulsory passage point that makes it possible:
  - to check whether the security rules actually applied are those specified in the establishment's security policy,
  - to control the traffic between the internal and external networks,
  - to audit / trace this traffic centrally, which helps predict network evolution (statistics become possible),
  - possibly to have a view of the Internet consumption of the various users / departments.
- The possibility of implementing specific tools that could not be activated on every system (for example: authentication systems with one-time passwords, statistics / accounting, etc.).
- Saving IP addresses! Indeed, in certain configurations an internal network behind a GB can use RFC 1918 addresses, which are neither known nor "routed" on the Internet.
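As an added illustration (not part of the original article), here is a small Python model of the rule set a GB's filtering router would enforce for the architecture of sections 1 and 2: only the bastion system is reachable from outside and only on its proxied services, internal hosts cannot bypass the bastion, RFC 1918 sources are refused on the external interface, and every decision lands in one central audit trace. The internal network, bastion address and proxied ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: the internal network lives in RFC 1918 space and
# the bastion system (SB) is the only host the outside may reach.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BASTION = ipaddress.ip_address("10.0.0.1")
# Ports served by the bastion's application gateways (proxies).
PROXIED_PORTS = {21: "ftp", 23: "telnet", 25: "mail", 80: "w3"}
# Address blocks that are never routed on the Internet (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives on the external interface

def filter_packet(pkt: Packet):
    """Filtering-router decision for one packet: returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.inbound:
        # A private source arriving from outside cannot be genuine: drop it.
        if any(src in net for net in PRIVATE_NETS):
            return "DROP", "private source on external interface"
        # The outside may talk only to the bastion, and only to its proxies.
        if dst == BASTION and pkt.dport in PROXIED_PORTS:
            return "ACCEPT", f"to bastion {PROXIED_PORTS[pkt.dport]} gateway"
        return "DROP", "direct access to internal host"
    # Outbound: internal hosts must go through the bastion's proxies.
    if src == BASTION:
        return "ACCEPT", "bastion outbound"
    if src in INTERNAL_NET:
        return "DROP", "internal host bypassing the bastion"
    return "DROP", "unknown source on internal interface"

AUDIT_LOG = []  # the GB's central trace of every decision taken

def process(pkt: Packet) -> str:
    """Apply the rule set and record the decision in the central audit log."""
    verdict, reason = filter_packet(pkt)
    AUDIT_LOG.append(f"{verdict} {pkt.src}->{pkt.dst}:{pkt.dport} ({reason})")
    return verdict
```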
3 - The functionalities of a firewall
Firewalls have been able to adapt to the security needs that come with connecting business networks to the Internet. In addition to access control, confidentiality and data-integrity functions are now integrated into the solutions. Indeed, from simple managers of authorized addresses, firewalls have evolved towards:
- application-level access control,
- isolation from the external network and user authentication,
- encryption of exchanges.