the use of a distinct set of IP addresses means there is no conflicting intersection
with IP addresses from outside.
What Firewalls Cannot Do
A firewall cannot thwart attacks that go around it. There might be a
dial-out server behind the firewall, for instance, that circumvents it by dialing
directly to an ISP.
If there are hackers within the local network, the firewall will not detect
them, since it sees only the traffic that crosses the perimeter. Possibly, an
employee of a corporation operates in concert with Mallory outside the
corporation to steal vital data by giving him the needed passwords. No
firewall can prevent this.
A firewall is not an antivirus program. Thus, infected files or programs may
get through. A firewall is not the place for virus-control software, since there are
simply too many ways for viruses to be sent. It would be virtually impossible
for a firewall to filter every piece of data for a possible virus. Furthermore,
even if it could be implemented, it would still only guard against viruses from
the Internet. Viruses arrive on CDs and via modems, as well as over the
Internet. A better mechanism is to have antivirus software installed on every
individual computer in the local network.
A firewall is only as secure as the operating system (OS) on which it runs.
If there are weaknesses in the OS, a firewall cannot protect against them.
Basic Kinds of Network Firewalls
1. Packet Filters — Screening Routers : The simplest firewall configuration
is called a packet filter , which holds a list of permitted source and destination
IP addresses, as well as port numbers 8.13 . If a packet has an address that is
not on its list, it is discarded. Given its simplicity, this type of firewall
is both efficient and transparent to users, as well as being inexpensive
to implement. However, this very simplicity makes it vulnerable to such
attacks as network layer address spoofing , since it trusts the source address
exactly as the packet presents it.
Spoofing : In general (not necessarily computer-related) terms, spoof-
ing means assuming another entity's identity. In a computer context, IP
spoofing, faking the origin of a message, was an idea tossed around the
cryptographic community in the 1980s. It first appeared in practice when
a weakness in the TCP protocol, called sequence number prediction, was
discovered (see [116] for a discussion of a story related to spoofing and
the introduction of the first Internet worm, called the Morris Worm; see
also pages 407-409 where we discuss worms in general). Later Bellovin
[16], wrote an article discussing the TCP/IP problems. Unfortunately,
IP spoofing is a problem intrinsic to the TCP/IP model, since nothing in an
IP header authenticates the source address. Yet there are
8.13 Port numbers are integers ranging from 0 to 65535, which allow data to be sent directly to
a specific service that is “tuned in” to the designated port on a target computer. Port numbers
less than 1024 are the well-known ports, assigned by IANA to standard services; on Unix-like
systems only a privileged (administrator) process may listen on them. Typically, a port
on a computer is specified by the IP address (of the computer on which the port is active),
followed by a colon, and the number of the port, such as 123.214.2.7:60.
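The following is an added illustration, not code from the book, of the packet filter described in item 1 and of why address spoofing defeats it. A stateless filter that decides on source address, destination address and port alone lets an outside packet through as soon as it claims an inside source address; the usual remedy is to drop, on the external interface, anything whose source address belongs to the internal network (the ingress-filtering rule of RFC 2827) before the address rules are consulted. The rule set, the internal range 10.0.0.0/8, the interface names and every packet are constructed for this example; the final helper parses the "address:port" notation of the footnote and enforces the 0..65535 range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed internal address range for this illustration (constructed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router looks at, plus the interface the
    packet arrived on, which the naive filter ignores."""
    iface: str   # "ext" (Internet side) or "int" (local network side), assumed names
    src: str     # source IP address exactly as written in the packet
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_net: str                 # CIDR the source address must fall in
    dst_net: str                 # CIDR the destination address must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set: anyone may reach the mail relay 10.0.0.5 on port 25,
# internal hosts may talk to each other on any port, everything else is dropped.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.0.5/32", 25),
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8"),
]


def naive_filter(pkt: Packet) -> str:
    """First matching rule wins; no match means deny.  Trusts the source
    address as presented, so a spoofed inside address passes rule 2."""
    for rule in RULES:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def ingress_filter(pkt: Packet) -> str:
    """Same rules, but a packet arriving on the external interface with an
    internal source address cannot be genuine and is dropped first."""
    if pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "deny"
    return naive_filter(pkt)


def parse_socket_address(text: str):
    """Parse the footnote's "address:port" notation, rejecting malformed
    addresses and ports outside 0..65535."""
    host, sep, port_text = text.rpartition(":")
    if not sep:
        raise ValueError("missing port")
    port = int(port_text)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return str(ipaddress.ip_address(host)), port


if __name__ == "__main__":
    # An outsider forging an inside source address to reach an internal telnet port.
    spoofed = Packet("ext", "10.0.0.99", "10.0.0.7", 23)
    print("naive  :", naive_filter(spoofed))    # the address rules alone are fooled
    print("ingress:", ingress_filter(spoofed))  # dropped by the anti-spoofing check
    print(parse_socket_address("123.214.2.7:60"))
```

The anti-spoofing check works only because the interface a packet arrived on is something the attacker cannot forge, unlike the source address; that is the whole difference between the two filters.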