8.4 Internetworking and Security — Firewalls
Things won are done; joy's soul lies in the doing.
William Shakespeare (1564-1616)
— from Troilus and Cressida (1602)
IP, or Internet Protocols, provide services for connecting hosts over various disparate networks, as we have seen. To accomplish this, however, each IP must be embedded, not only at each host site and its associated network, but also in routers. This presents challenges for these routers since they connect such dissimilar systems. Here are some of the differences routers face.
Network Dissimilarities
Address Labels: The various schemes for networks to allocate a target address to data in an Internet mechanism may range from 48-bit assignments to encoded decimal representations. Therefore, some kind of universal standardization is needed together with a central archive for record keeping.
Fragmentation: On page 221, we already met the concept of message fragmentation. Fragmentation is required because of network disparities in maximum packet sizes permitted.
Interfaces: A router must be designed to execute its duties irrespective of the disparate hardware and software interfaces among networks.
Network Dependability: A router must be independent of the differences in network reliability, which may range from unreliable to end-to-end dependability.
Firewalls
All the above being said, the primary concern is with local security, so we need firewalls (see Footnote 8.7 on page 295). The term “firewall” is taken from the firefighting profession, wherein a firewall is a barrier constructed to prevent the spread of fire. In the computer world, it means keeping the flames of disaster, ubiquitous on the Internet, away from your local network, and preventing entities from inside the local network from opening a “door” that will let those flames in. A firewall may be defined as a combination of hardware and software, located at the interface between two networks, that enforces an access control security policy between them. For instance, these security gateways (8.12) may screen IP addresses, or ports requested on incoming connections, to decide what traffic is permitted into the local network.
8.12 A gateway is an access point on a network that plays the role of an entrance to another network. For instance, when we discussed SET in Section 6.3, we looked at payment gateways. More generally, a node on the Internet is a connection point, typically with the capacity to read, process, and forward data to other nodes. Thus, a node may be a computer or other device. For a user at home, an ISP (see page 295) is a gateway. For a business enterprise, a gateway node may play the role of both a proxy server (see Footnote 8.14 on page 317) and firewall.
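The screening described above, in which a security gateway inspects the source IP address and the requested port of an incoming connection and decides whether to admit it, can be illustrated with a small stateless packet filter. The following is an added example and is not code from the book; the rule set, the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the sample packets are all constructed for the illustration. The policy is evaluated first-match-wins with a default of deny, which is the usual safe stance: anything the policy does not explicitly admit stays out.

```python
"""Stateless packet filter: an added illustration of how a firewall screens
incoming connections by source address and destination port (constructed
example, not the book's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR source network, or "any"
    dst_port: Optional[int]   # destination port, or None for any port
    proto: str = "tcp"        # transport protocol the rule applies to


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed policy. Rules are checked top to bottom; the first match decides.
# Addresses come from the RFC 5737 documentation ranges.
POLICY: List[Rule] = [
    Rule("deny", "192.0.2.0/24", None),      # block one whole external network outright
    Rule("allow", "any", 443),               # HTTPS to the local web server from anywhere
    Rule("allow", "198.51.100.0/24", 22),    # SSH only from the administrative subnet
    Rule("allow", "any", 53, proto="udp"),   # DNS queries over UDP
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule admits the packet."""
    if rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src != "any" and ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    return True


def decide(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule).

    If no rule matches, the default is to deny and the index is None, so a
    log line can distinguish 'denied by rule 0' from 'denied by default'.
    """
    for index, rule in enumerate(policy):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def filter_batch(policy: List[Rule], packets: List[Packet]) -> List[str]:
    """Apply the policy to a list of packets and return the actions taken."""
    return [decide(policy, pkt)[0] for pkt in packets]


# Constructed sample traffic arriving at the gateway.
SAMPLE_PACKETS: List[Packet] = [
    Packet("203.0.113.7", 443),          # HTTPS from an arbitrary host: allowed by rule 1
    Packet("192.0.2.5", 443),            # HTTPS from the blocked network: denied by rule 0
    Packet("198.51.100.9", 22),          # SSH from the admin subnet: allowed by rule 2
    Packet("203.0.113.7", 22),           # SSH from elsewhere: no rule matches, default deny
    Packet("203.0.113.7", 53, "udp"),    # DNS over UDP: allowed by rule 3
    Packet("203.0.113.7", 53, "tcp"),    # DNS over TCP: rule 3 is UDP-only, default deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, index = decide(POLICY, pkt)
        reason = f"rule {index}" if index is not None else "default policy"
        print(f"{pkt.proto}/{pkt.dst_port} from {pkt.src_ip}: {action} ({reason})")
```

Two points in the example carry over to real firewalls: rule order matters, since the deny on 192.0.2.0/24 must sit above the broad HTTPS allow or it never fires; and recording which rule produced a decision (or that none did) is what makes the firewall's logs useful when reviewing whether the policy does what was intended.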