.. ed screening systems to reduce the damage that could happen if a subnet's routing tables got confused or if a system's Ethernet card malfunctioned. When companies began connecting to what is now the Internet, firewalls acted as a means of isolating networks, both to provide security and to enforce what is otherwise known as an administrative boundary. Early hackers were not very sophisticated; neither were early firewalls. Today, firewalls are sold by many vendors and protect tens of thousands of sites. The products are a far cry from the first-generation firewalls, now including fancy graphical user interfaces, intrusion detection systems, and various forms of tamper-proof software.
To operate, a firewall sits between the protected network and all external access points. To work effectively, firewalls have to guard all access points into the network's perimeter; otherwise an attacker can simply go around the firewall and attack an undefended connection. The simple days of the firewall ended when the Web exploded. Suddenly, instead of handling only a few simple services, firewalls must cope with complex data and protocols. Today's firewalls have to handle multimedia traffic, attached downloadable programs (applets) and a host of other protocols plugged into Web browsers. This development has produced a basic conflict: the firewall is in the way of the things users want to do.
A second problem has arisen as many sites want to host Web servers: does the Web server go inside or outside of the firewall? Firewalls are both a blessing and a curse. Presumably, they help deflect attacks; but they also complicate users' lives, make a Web server administrator's job a bit harder, rob network performance, add an extra point of failure, cost money, and make networks more complex to manage. Firewall technologies, like all other Internet technologies, are rapidly changing. There are two main types of firewalls, plus many variations. The main types of firewalls are proxy and network-layer. The idea of a proxy firewall is simple: rather than have users log into a gateway host and then access the Internet from there, give them a set of restricted programs running on the gateway host and let them talk to those programs, which act as proxies on behalf of the user. The user never has an account on the firewall itself, or any need to log in to it, and he or she can interact only with a tightly controlled, restricted environment created by the firewall's administrator.
This approach greatly enhances the security of the firewall itself because it means that users do not have accounts or shell access to the operating system. Most UNIX bugs require that the attacker have a login on the system to exploit them. By throwing the users off the firewall, it becomes just a dedicated platform that does nothing except support a small set of proxies; it is no longer a general-purpose computing environment. The proxies, in turn, are carefully designed to be reliable and secure because they are the only real point of the system against which an attack can be launched. Proxy firewalls have evolved to the point where today they support a wide range of services and run on a number of different UNIX and Windows platforms.
Many security experts believe that proxy firewalls are more secure than other types of firewalls, largely because the first proxy firewalls were able to apply additional controls to the data traversing the proxy. The real reason for proxy firewalls was their ease of implementation, not their security properties. For security, it does not really matter where in the processing of data the security check is made; what's more important is that it is made at all. Because they do not allow any direct communication between the protected network and the outside world, proxy firewalls inherently provide network address translation: an outside site only ever sees a connection from the firewall's proxy address, which hides and translates the addresses of the systems behind the firewall. Prior to the invention of firewalls, routers were often pressed into service to provide security and network isolation.
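To make the per-packet filtering such routers do concrete, here is an added example (not from the essay) of a stateless filter judging constructed packets from an active-mode FTP session: under a strict inbound policy the server's data callback is refused, and the classic loosening that admits inbound connections from source port 20 also admits unrelated connections that merely choose that port. The Packet and Rule types, addresses, ports and rule table are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional
INSIDE_PREFIX = "10.0.0."          # constructed address prefix of the protected net

@dataclass(frozen=True)
class Packet:                      # only the header fields a router can filter on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool                      # True for the first packet of a new TCP connection

@dataclass(frozen=True)
class Rule:                        # None in any field means "match anything"
    action: str                    # "allow" or "deny"
    from_inside: Optional[bool]
    src_port: Optional[int]
    dst_port: Optional[int]
    syn: Optional[bool]

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def matches(r: Rule, p: Packet) -> bool:
    return all(want is None or want == have for want, have in (
        (r.from_inside, is_inside(p.src_ip)), (r.src_port, p.src_port),
        (r.dst_port, p.dst_port), (r.syn, p.syn)))

def filter_packet(rules, p: Packet) -> str:
    """Stateless: each packet is judged alone on its header; first match wins."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"                  # default deny

# Constructed policy: inside hosts may open connections out; from outside only
# non-SYN packets (replies to existing connections) are admitted.
STRICT = [Rule("allow", True, None, None, None),
          Rule("allow", False, None, None, False)]
# The classic stateless workaround for FTP: admit inbound SYNs from source port 20.
LOOSENED = [Rule("allow", False, 20, None, True)] + STRICT

CLIENT, SERVER, OUTSIDER = "10.0.0.5", "203.0.113.9", "198.51.100.7"  # constructed
CONTROL = Packet(CLIENT, 40001, SERVER, 21, syn=True)     # client opens control channel
CALLBACK = Packet(SERVER, 20, CLIENT, 40002, syn=True)    # server calls back with data
UNRELATED = Packet(OUTSIDER, 20, CLIENT, 22, syn=True)    # any outside host may use port 20

def outcomes(rules) -> tuple:
    # verdicts for (FTP control, FTP data callback, unrelated inbound connection)
    return tuple(filter_packet(rules, p) for p in (CONTROL, CALLBACK, UNRELATED))
```

Under STRICT the control connection passes but the callback fails, which is why plain filtering routers struggled with FTP; LOOSENED lets the callback through at the cost of admitting any inbound connection that uses source port 20.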
Many sites connecting to the Internet in the early days relied on ordinary routers to filter the types of traffic allowed into or out of the network. Routers operate on each packet as a unique event unrelated to previous packets, filtering on IP source address, IP destination address, port number, and other basic data contained in the packet header. Filtering alone does not constitute a firewall because it does not give quite enough detailed control over data flow to permit building highly secure connections. The biggest problem with using filtering routers for security is the FTP protocol, which, as part of its specification, makes a callback connection in which the remote system initiates a connection back to the client, over which the data is transmitted.

Cryptography is at the heart of computer and network security. The important cryptographic functions are encryption, decryption, one-way hashing, and digital signatures. Ciphers are divided into two categories: symmetric and asymmetric (public-key) systems.
Symmetric ciphers are functions where the same key is used for encryption and decryption. Public-key systems can be used for encryption, but they are also useful for key agreement and digital signatures. Key-agreement protocols enable two parties to compute a shared secret key, even in the face of an eavesdropper. Symmetric ciphers are the most efficient way to encrypt data so that its confidentiality and integrity are preserved. That is, the data remains secret from those who do not possess the secret key, and modifications to the ciphertext can be detected during decryption. Two of the most popular symmetric ciphers are the Data Encryption Standard (DES) and the International Data Encryption Algorithm (IDEA).
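As an added example (not from the essay) of symmetric encryption with one shared key, here is Cipher Block Chaining, the DES mode described next, run over a 64-bit block cipher: it shows how the Initialization Vector and each previous ciphertext block are mixed into the next plaintext block, and how a key differing in a single bit produces entirely different ciphertext. The block cipher is a constructed four-round Feistel toy built on SHA-256 that stands in for DES only so the code runs without a DES library; it is neither secure nor DES, and all function names and sample values are mine.

```python
import hashlib

BLOCK = 8          # 64-bit blocks, as in DES; the cipher below is a constructed toy, not DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, i: int) -> bytes:
    """Toy round function: 32 bits derived from key, round number and right half."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(4):                      # Feistel round: (L, R) -> (R, L xor F(R))
        left, right = right, _xor(left, _f(key, right, i))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):            # same key, rounds undone in reverse order
        left, right = _xor(right, _f(key, left, i)), left
    return left + right

def pad(data: bytes) -> bytes:              # PKCS#7-style padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, prev, out = pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        # first block is XORed with the IV, later ones with the previous ciphertext
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block                        # chain on the received ciphertext block
    return unpad(b"".join(out))

def blocks_differing(c1: bytes, c2: bytes) -> int:
    """How many 64-bit blocks differ between two equal-length ciphertexts."""
    return sum(c1[i:i + BLOCK] != c2[i:i + BLOCK] for i in range(0, len(c1), BLOCK))
```

Because of the chaining, two identical plaintext blocks in one message encrypt to different ciphertext blocks, and the same message under a different IV yields a different ciphertext.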
The DES algorithm operates on blocks of 64 bits at a time using a key length of 56 bits. The 64 bits are permuted according to the value of the key, so encrypting with two keys that differ in only one bit produces two completely different ciphertexts. The most popular mode of DES is called Cipher Block Chaining (CBC) mode, in which the output from the previous block is mixed with the plaintext of each block before it is encrypted. The first block has no previous output to mix with, so it is mixed with a special value called the Initialization Vector.

In conclusion, despite its size and rapid growth, the Web is still in its infancy, as is the software industry.
We are just beginning to learn how to develop secure software, and we are beginning to understand that for our future, if it is to be online, we need to incorporate security into the basic underpinnings of everything we develop. Today, no one method of Internet security can stop a hacker from intruding on our privacy. The goal is that as time goes on and we increase our technological knowledge of the Internet, we raise our standards of security in everything we do, whether on our computers or on the Internet; thus we will hopefully be more protected in what we enjoy so much, the Internet.