Compare & Contrast
Protecting Against Wolves in Sheep's Clothing
by Wayne Spivak
NOT LONG AGO, the only person in your firm who could go "under the hood" of your computers and local area network was your MIS director (or the de facto MIS director in small firms). See related chart.
Today, with the realities of 24/7 Internet connectivity, access to your computer system has been opened to millions.
This presents some very real and some very imagined problems. But for purposes of this article, we will limit the discussion of firewalls and proxy servers to what they do -- not to whether you really need them.
Firewalls, proxy servers and packet filters are all related, and are outgrowths of each other. A packet filter works at the base TCP/IP level. "A packet is a block of data that carries with it the information necessary to deliver it, in a manner similar to a postal letter, which has an address written on its envelope," explains Craig Hunt in TCP/IP Network Administration, from O'Reilly & Associates Inc.
A firewall is the next step up the network security ladder, and a proxy server is an application-specific firewall. All three can be used together, or a packet filter can be combined with just one of the other two: either a firewall or a proxy server.
Packet filtering examines blocks of data, and checks to see where the data is coming from, and where it's going. This examination determines whether the information originated inside the network or outside.
A packet filter will not permit information that claims to have originated inside the network to enter the network from outside. (This is one way hackers gain entrance into a local area network: by masquerading as a valid IP address on the local area network.) This software is usually found in routers. (As a reminder, a router is used to pass packets originating in one network to another.)
Hackers are able to forge IP addresses, and thus enter an unprotected network. Once in a network, these unscrupulous individuals can wreak havoc on your data systems. A firewall and a packet filter, as well as a proxy server, guard your internal systems from being hacked. Hackers can also gain entry through other points of access and bypass the Internet access point entirely. Remember the movie War Games? It wasn't that far-fetched.
A firewall prohibits Internet traffic from accessing your local area network through your Internet connection. It does this by restricting IP addresses that can access your internal network from the Internet - very much like a packet filter.
However, a firewall can address higher levels of the TCP/IP protocol. Just as a television receives many channels over one radio band, TCP/IP can deliver information on many different ports over one connection.
A firewall, as well as a proxy server, can limit which ports can be used, by whom, and when. In addition, it will track and log all the information that traverses the firewall. This log can be analyzed from a usage perspective as well as a security perspective.
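To make the anti-spoofing check, the port restriction and the logging described above concrete, here is a small packet filter written for this article as an added example (it is not code from the article or from any product); the LAN range, the interface names and the single published port are assumptions:

```python
# Added example, not from the article: a toy packet filter showing the
# anti-spoofing check, the port restriction and the logging described above.
# The LAN range, interface names and published port are assumptions.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN range
ALLOWED_INBOUND_PORTS = {80}  # assumed: only the web server is published

@dataclass(frozen=True)
class Packet:
    iface: str   # arrival interface: "ext" (Internet side) or "int" (LAN side)
    src: str
    dst: str
    dport: int

LOG = []  # every verdict is recorded, for usage and security review

def _log(pkt, verdict, reason):
    action = "PASS" if verdict else "DROP"
    LOG.append(f"{action} {pkt.iface} {pkt.src}->{pkt.dst}:{pkt.dport} ({reason})")
    return verdict

def filter_packet(pkt):
    """Return True to forward the packet, False to drop it."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface != "ext":
        # Traffic arriving from the LAN side is passed; inbound checks follow.
        return _log(pkt, True, "outbound from LAN")
    # Anti-spoofing: a packet from the Internet may not claim a LAN source.
    if src in INTERNAL_NET:
        return _log(pkt, False, "internal source address on external interface")
    # Port restriction: outsiders reach only the published service port.
    if dst in INTERNAL_NET and pkt.dport not in ALLOWED_INBOUND_PORTS:
        return _log(pkt, False, f"inbound port {pkt.dport} not permitted")
    return _log(pkt, True, "permitted inbound")

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet("ext", "203.0.113.5", "192.168.10.20", 80),   # visitor to web server
    Packet("ext", "192.168.10.7", "192.168.10.20", 80),  # spoofed LAN source
    Packet("ext", "203.0.113.5", "192.168.10.20", 23),   # telnet from outside
    Packet("int", "192.168.10.7", "198.51.100.9", 443),  # employee browsing out
]

def run_sample():
    return [filter_packet(p) for p in SAMPLE]
```

Calling `run_sample()` and printing `LOG` shows the second and third packets dropped, with the reason recorded alongside each verdict, which is the kind of record the usage and security review mentioned above depends on.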
There are three general types of firewalls: hardware, software, or a hybrid. They all essentially do the same job, restricting traffic into and out of your LAN. Most routers (even small office/home office routers) offer basic firewalls, called packet filtering.
Proxy servers offer functions similar to a firewall's, but are built to be application-specific. A proxy server understands the entire protocol involved, such as HTTP (the Web) or FTP, and can therefore be used to filter unwanted connections or pages. A special type of proxy server is the caching proxy server.
Installation of a caching proxy server can save bandwidth, because any Web page that is retrieved by a user remains on the proxy server. This allows others who may want that page to get the local copy. The only local problem with the caching proxy server seems to be intellectual property (copyright) issues, but I'll let the readership sort that one out.
Packet filtering, firewalls and proxy servers need to be installed and implemented by professionals who are skilled in using them. Even the most basic router has complicated rulesets for examining packets as they come and go through the router. An error in configuration can cause your network to either be hidden from the world or the world hidden from it.
For more information on setting up a packet filter, try Getting Connected: The Internet at 56K and Up, by Kevin Dowd, O'Reilly & Associates, Inc. or Managing IP Networks with Cisco Routers, by Scott Ballew, O'Reilly & Associates, Inc.
Most firewalls and proxy servers, whether a software-only or a hardware/software solution, can cost significant money. Firewalls also need constant attention, tweaking, examination, and tweaking again, if they are to do the job they were intended to do. This requires a skilled computer professional to be onsite, or in other terms another employee. This raises a threshold question for your firm: "What are our real security requirements?" But that's the subject for a separate article!
Wayne Spivak is president of Bellmore, N.Y.'s SBA*Consulting.