Advantages of Firewall, Research Paper Example

The Demilitarized Zone (DMZ) for Trapping Attackers

The demilitarized zone operates as a part of a firewall configuration in order to secure the local area networks. If a DMZ is configured on the whole network or on specific workstations, they are known to be in a DMZ. Moreover, the zone also facilitates workstations that are configured behind the firewall to initialize request that are considered as outbound traffic to the DMZ. The functionality of DMZ is similar to a proxy server, as the workstations configured in DMZ interact with the public networks. Furthermore, the most significant advantage for a DMZ is that it protects the local area network domains by segregating the network layer (RE: [FW1] DMZ advantages).  Likewise, the disadvantages associated with DMZ are not significant, but one issue can be highlighted, as the segregation may create a hassle for the network administration because DMZ requires frequent updates and maintenance. Moreover, the hardware cost is high and requires dedicated hardware in order to implement DMZ within the network. Deployment includes a switch, separate firewall and IDS etc.

Intranet / Extranet

The most significant advantage that is shared by both of these technologies is communication. However, intranet provides limited communication as compared to extranet, but it is still effective. In order to implement intranet, local area network and a host is required. The network must adhere to the requirements of the intranet application. Moreover, the application will be deployed on a separate workstation called as a host or server. The star topology is recommended for intranet-based networks as the network administrator can manage and administer intranet issues in a centralized environment. Furthermore, presence of intranet will enable new trends for communication. For example, paper less communication between employees, chatting, e-mails and blogs etc. disadvantage includes maintenance and security issues. Hardware requirements for an extranet are similar, except Extranet provides a wide coverage for employees, who want to work from home, or communicate while travelling. However, in order to provide or publish contents on the Internet, certain advanced protocols are required. For instance, VPN is a secure choice. Accordingly, due to its broad functionality, security issues are also more as compared to the intranet.

Network Address Translation (NAT)

Network address translation is defined as “An Internet protocol that allows individual sites to support more IP hosts than the number of IP addresses assigned to it. This is done using special Internet addresses that have been reserved for this purpose. These special addresses are invalid in the Internet itself. The hosts using these addresses may communicate among themselves, but they cannot access the Internet directly” (Campus infrastructure guidelines). NAT translates private IP addresses into global IP addresses, making it simple for the network administrator, as incremental changes are required without modifying host and routers. Moreover, the disadvantage NAT has is that, it is slow because each packet is processed, prior to the decision of translating it or not. ‘IP traceability’ also becomes difficult as data packets are difficult to trace.

Tunneling

Tunneling is also called as port forwarding. Port forwarding is configured for a secure channel within the medium or corporate networks. One way of implementing a tunneling protocol is to configure a DSL modem by defining the port number that is allocated for using specific service. For instance, in order to access remote desktop via port forwarding, port number 3389  and RDP service is defined in the router against the IP address of the workstation on which the service needs to be executed. A popular tunneling protocol developed by Microsoft is knows as Point to Point Tunneling Protocol (PPTP). This protocol provides a secure data communication channel for users to access Virtual Private Networks (VPN). However, port forwarding does not ensure data security as there is no encryption during data transmission. Moreover, tunnel needs to be defined for each service and routes, creating redundancy and complex configurations.

Access Control List

Access Control Lists are defined in a router, firewall, multi-layer switches etc.  Considering a scenario of a router, when a data packet tries to pass through a router, it encompasses the security rules and policies. Similarly, when considering an operating system environment, ACL identifies the operating system regarding the user rights on files and directories. The attributes for assigning privileges to files and folders are read, write and execute. Therefore, ACL provides security for system files and folders and network data transmission.

Sub Netting for Hiding IP Addresses

Sub netting is defined in “document RFC 950, originally referred to the subdivision of a class-based network into sub networks, but now refers more generally to the subdivision of a CIDR block into smaller CIDR blocks” (Subnetting ). A single subnet in IPv4 only contains 254 assignable IP addresses. These IP addresses need to be managed efficiently as broadcast issues are always triggered, producing network congestion and disruption of services.  In order to overcome these issues, IP addresses are broken down in to smaller class C networks for effective network management and security. Moreover, global IP addresses are limited, in order to operate a corporate network; sub netting is required to allocate private IP addresses to the inbound network, while the global IP addresses will only be configured on the WAN devices.

Virtual Local Area Network (VLAN)

For providing security mechanism to the internal data communication, Virtual local area networks (VLAN) are recommended. The VLAN separates the domain of the departments within the organization. VLAN uses encryption techniques for transmitting data over the network. Access policy list is also configured in the VLAN for defining the routes. Moreover, VLAN is considered as a broadcast domain. It concludes that the broadcast generates from one computer can only be received to the destination which is defined by some criteria in the broadcast domain. The advantage of VLAN implementation includes an efficient way of bandwidth utilization and eliminating the network from possible broadcast storms, which results in denial of service.  Furthermore, by implementing VLANs, the capacity of switching technology is utilized to its full potential.  VLAN also supports ‘VLAN trunking protocol’.  The ‘VLAN trunking protocol’ will significantly reduce administration for the switched network

Suspicious File Types

• ‘Exe files’
• ‘Com Files’
• ‘Bat Files’
• ‘SCR files’
• ‘MP3’ and other executable files

Exe file types are executable files for Microsoft windows environment. These files are used to initialize a program. Hackers develop these executable virus files with a commonly used item. For instance, a virus executable file can be in the form of a folder so that the user can click it and the executable virus program installs itself on the computer to take full control of resources and data.

Com files are the extension of Command that is used as a command prompt in Microsoft Windows environment. Viruses can be executed by clicking this file in the form of an old ‘DOS’ based game.

For Web Packet Filtering

Furthermore, firewalls are integrated with proxy servers to provide an optimum level of security for the network. Although, some configuration procedures are mandatory to follow in order to establish firewall security based on configurations. A typical packet filtering firewall is required. The packet filtering firewalls judge the behavior of each packet and then verifies the rule base that includes exceptions and firewall security policies in order to deny or grant permission to a particular data packet. After receiving a data packet, the firewall will determines whether the packet requires proxy filtering. Consequently, firewall plays a role as a dynamic filter on a control channel linking the application layer and the proxy layer. This combined security mechanism significantly amplifies security for the network (Nelson, 1998).

Acts as a Circuit Level Gateway

Firewall also operates as a circuit level gateway. As per network dictionary, it is defined as “A circuit level gateway is sometimes described as a second generation firewall. It is a fast unrestricted passage through the firewall based on predefined rules maintained in the TCP/IP kernel.” The architecture of a circuit level gateway analyzes handshaking of packets in a data communication channels or sessions on the network, to verify whether the channel is genuine or not. The traffic is filtered by analyzing rule base on the arrival of each packet. Moreover, circuit level gateway provides enhanced security by hiding particulars of workstations that have established a remote session from any computing device outside the network. The computing device outside the network will receive only the gateway address i.e. the firewall.

Acts as an Application Gateway

As per network dictionary, application gateway is defined as “Application Level Gateway (ALG), also known as Application Layer Gateway, is a type of gateway that consists of a security component that augments a firewall or NAT employed in a computer network. It allows legitimate application data to pass through the security checks of the firewall that would have otherwise restricted the traffic for not meeting its limited filter criteria”. The application gateways are also categorized as software-based firewalls. These types of firewalls provide advantages in terms of securing a personal computer located at home from hackers and intruders. Moreover, application gateway also facilitates parents to incorporate parental controls for children. These firewalls provide in depth level of security and access control for the organizations. Likewise, these firewalls do not allow granting permission to any data packet related to COM and EXE extensions. In addition, to provide enhanced security, the firewall does not allow direct session of data communication with any node on the inbound network. Consequently, application gateway firewall protects the network of an organization with viruses, malicious codes, Trojans, unauthorized access and denial of service attacks (Advantages of Firewall).

References

Advantages of Firewall Retrieved 5/4/2011, 2011, from http://www.scribd.com/doc/22594454/advantages-of-firewall

Campus infrastructure guidelines Retrieved 4/14/2011, 2011, from http://system.vccs.edu/its/guidelines/Campus_Infrastructure_Guidelines2.htm

Circuit level Gateway/Firewall. (2007). Network Dictionary, , 99-99.

Nelson, M. (1998). Two faces for the firewall. InfoWorld, 20(41), 1.

Subnetting Retrieved 4/14/2011, 2011, from http://www.lincoln.edu/math/rmyrick/ComputerNetworks/InetReference/24.htm