WHY INTERNET SECURITY?
To analyze the security posture of any network, one must first assess the risk of the network being compromised. What is the risk of unauthorized access? Of virus infection? If most Telnet sessions come from untrusted machines, what protection can minimize the risk of an intruder recording a remote Telnet session and capturing username and password combinations or entire login sessions? One quickly realizes the necessity of implementing a security policy: a set of decisions that collectively determine an organization's stance toward security.
ACC has long recognized the importance of providing network security in its products and therefore continues to expand its firewall capabilities as new challenges are discovered in the marketplace.
Within a network it is common to implement several types and combinations of firewalls, both for internal and external isolation purposes. ACC provides firewall management primarily through the implementation of software filters. The following paragraphs help explain some of the various types of filters one might implement.
ACC's software enhancement extends its extensive filtering capabilities to restrict access into an external interface by not allowing a packet through if it contains a source address from an internal network. In addition, this enhancement filters outgoing packets that have a source address different from an internal network. This last feature prevents a source IP spoofing attack originating from an internal network. Both of these features combine to build a firewall which will prevent any IP spoofing attacks.
| Bridging Technique | MAC Layer | Semantic Filter |
|---|---|---|
| Ethernet 802.1 (d) Bridging | Block, forward, or flood by MAC destination | Prioritize or discard based on Ethernet packet type, SNAP PID, or DSAP, or refer the decision to the Network Layer datagram filter |
| Token Ring 802.5 (d) Source Routing | Block or forward traffic between station pairs | Prioritize or discard on SNAP PID or DSAP, or refer the decision to the Network Layer |
Table 2 highlights the advantages of semantic filtering over traditional router filtering techniques by specifying datagram parameters that can be selected for various protocols.
| Routing Algorithm | Route Filter | Semantic Filters (datagram) |
|---|---|---|
| AppleTalk | Accept or reject routes to AppleTalk networks from differing neighbors | Prioritize or discard datagrams based on source, destination, socket, or transport layer protocol |
| DECnet Phase IV | Accept or reject routes to DECnet nodes or areas from differing neighbors | Prioritize or discard datagrams between stated source and destination nodes or areas |
| IP | Accept or reject RIP updates from differing neighbors | Prioritize or discard datagrams based on source, destination, or Transport layer protocol, including UDP/TCP ports. Note: ranges of port numbers can be employed. |
| XNS IDP | Accept or reject routes to XNS networks from differing neighbors; accept or reject SAP entries | Prioritize or discard datagrams based on destination host, socket, and PEP application; prioritize or discard datagrams based on source and destination networks |
Sample filter commands (parameter legends in angle brackets follow the commands they describe):

IP filters:
    add ip filter entry 0.0.0.0 0.0.0.0 184.108.40.206 255.255.255.255 discard
    add ip filt ent 220.127.116.11 255.255.255.0 0.0.0.0 0.0.0.0 =0x6 D=23 discard

IPX filters:
    add ipx host filter entry 00:00:00:00:00:00 0x123 0x0 discard
        <host MAC addr> <sock> <pc> <action>
    add ipx network filter entry 0x8000 0x1000 0x22 0x33 0 high
    add ipx route filter entry 00:dd:00:12:34:00 0xa5 reject
    add ipx sap filter entry 0x0000 "NWSERVER1" accept

AppleTalk filters:
    add AppleTalk filt ent 1 65534 1 65534 0 255 any discard
    add AppleTalk filt ent 100 199 1 65534 0 255 any normal
        <ds> <de> <ss> <se> <scs> <sce> <t> <action>
    add AppleTalk route filter entry 300 399 100 199 accept
    add AppleTalk route filter entry 400 499 100 199 reject
        <nrs> <nre> <rs> <re> <action>

DECnet filters:
    add DECnet filter entry 1.2 3.5 discard
    add DECnet route filter entry 2.7 0.0 reject
        <adj> <tar> <action>

DLS filter:
    add dls filter macaddr 12:3e:ff:42:11:2b

XNS IDP filters:
    add idp host filt ent 00:00:00:00:00:00 0x123 0x4567 discard
        <host MAC addr> <socket> <pep-c> <action>
    add idp network filter entry 0x8000 0x1000 0x22 0x33 0 dis
        <dest> <src> <D-s> <S-s> <t> <actn>
    add idp route filter entry 00:dd:00:12:34:00 0xa5 reject
        <router MAC> <net> <action>

Bridge filter:
    add bridge filter ent ca:fe:00:1a:ae:42 ff:ff:ff:ff:ff:00 00:ae:88:f0:0d:42 ff:ff:ff:ff:ff:ff discard 2 ! 0x0800
Firewalls cannot protect effectively against viruses. There are too many ways to encode binary files for transport over networks, and too many architectures and viruses, to stake one's network security on a look-up table.
Whenever possible, generate a suite of network tests to verify the limits imposed by one's firewall filters. As new filters are added and deleted, keep the suite updated. Conflicting filters may create unwanted results.
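The following Python model is an added example, not ACC's code or command syntax. It implements the IP datagram parameters Table 2 lists (source, destination, transport protocol, destination port ranges) as an ordered first-match rule list, adds the two anti-spoofing checks described earlier for the internal and external interfaces, and includes the kind of conflict check the paragraph above calls for: a rule that an earlier rule fully covers can never take effect, so a test suite should flag it. The internal network 10.1.0.0/16, the interface names, the sample packets, and the two sample rules (our reading of the page's two IP filter commands, taking 0x6 as IP protocol 6, TCP, and D=23 as destination port 23) are constructed assumptions.

```python
"""Added example: a stateless IP packet-filter model with anti-spoofing and a
rule-conflict check.  Not ACC's code; rule fields are plain Python values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers used for the transport-layer check


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "internal" or "external"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    proto: int = 0      # IP protocol number (6 = TCP, 17 = UDP); 0 = unspecified
    dport: int = 0      # TCP/UDP destination port; 0 = not applicable


@dataclass(frozen=True)
class Rule:
    src: str = "0.0.0.0/0"                    # source network (address/mask)
    dst: str = "0.0.0.0/0"                    # destination network
    proto: Optional[int] = None               # None = any transport protocol
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    action: str = "discard"                   # "discard" or "accept"

    def matches(self, p: Packet) -> bool:
        if IPv4Address(p.src) not in ip_network(self.src, strict=False):
            return False
        if IPv4Address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches is also matched by this rule."""
        return (
            ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False))
            and ip_network(other.dst, strict=False).subnet_of(ip_network(self.dst, strict=False))
            and (self.proto is None or self.proto == other.proto)
            and (self.dports is None
                 or (other.dports is not None
                     and self.dports[0] <= other.dports[0]
                     and other.dports[1] <= self.dports[1]))
        )


def anti_spoof(internal: str, p: Packet) -> str:
    """The two source-address checks the text describes."""
    inside = IPv4Address(p.src) in ip_network(internal)
    if p.iface == "external" and inside:
        return "discard"  # inbound packet claiming one of our own addresses
    if p.iface == "internal" and not inside:
        return "discard"  # outbound packet with a source address we do not own
    return "accept"


def filter_packet(internal: str, rules: List[Rule], p: Packet, default: str = "accept") -> str:
    """Anti-spoofing first, then the first matching rule, then the default action."""
    if anti_spoof(internal, p) == "discard":
        return "discard"
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def find_conflicts(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """(later_index, earlier_index, kind) for each rule an earlier rule fully covers:
    'shadowed' if the actions differ (the later rule never takes effect),
    'redundant' if they agree."""
    out = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                kind = "shadowed" if rules[i].action != later.action else "redundant"
                out.append((j, i, kind))
                break
    return out


# Constructed sample data (assumptions, not from ACC documentation).
INTERNAL = "10.1.0.0/16"
RULES = [
    Rule(dst="184.108.40.206/32"),                              # any source to one host: discard
    Rule(src="220.127.116.11/24", proto=TCP, dports=(23, 23)),  # TCP to port 23 from that /24: discard
]
SAMPLE_PACKETS = [
    Packet("external", "10.1.2.3", "8.8.8.8"),                  # spoofed internal source, inbound
    Packet("internal", "192.0.2.9", "8.8.8.8"),                 # foreign source leaving our network
    Packet("internal", "10.1.2.3", "184.108.40.206", TCP, 80),  # hits rule 0
    Packet("external", "220.127.116.50", "10.1.2.3", TCP, 23),  # hits rule 1
    Packet("external", "220.127.116.50", "10.1.2.3", TCP, 22),  # no rule: default accept
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(INTERNAL, RULES, pkt))
    print("conflicts:", find_conflicts(RULES))
```

Running the block over the sample packets exercises each decision path once; the conflict check is the piece worth keeping in a regression suite, since a new rule appended after a broader one with the opposite action is silently ignored by a first-match filter.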