Internal security

Firewalls go proactive in screening network traffic

A few years ago, the focus of network security and firewall technology was on the perimeter: keeping bad guys on the outside from getting to systems on the inside.

But then along came denial-of-service attacks and e-mail Trojan horses, which masquerade as legitimate application traffic to get past the firewall and wreak havoc. And it was no longer enough to merely lock down a range of IP port numbers, if it ever had been.

'It started becoming a real problem with Nimda and Code Red,' said Bill Jensen, government marketing manager for Check Point Software Technologies Ltd. 'The attacks were using legitimate-looking traffic to attack networks. It was very hard for administrators to stop this.'

As a result, firewalls are now as common within enterprise networks themselves as they are at the perimeter, and a whole new class of application monitoring and filtering technology is being integrated into firewall software and firmware.

The complexity of dealing with today's harsh security environment has left many organizations flailing to catch up. Government agencies, especially, are having trouble keeping their perimeters secure. 'We all see the [data security] report cards for agencies; they're failing still,' Jensen said.

Adding to the complexity of securing a network infrastructure are the growing demands on virtual private network connections for branch offices and for remote employees connecting over the Internet.

The financial rewards of using the public Internet to replace private hard-wired networks make VPNs attractive for all but the most security-conscious applications, but they put pressure on a firewall. And with more firewalls in the enterprise, the need for easy-to-use management tools has grown as well.

The push to execute e-government strategies doesn't make the security problem any easier to deal with, either. Agencies have to find ways to open their networks to legitimate agency-to-agency, vendor-to-agency and citizen-to-agency traffic without leaving gaping holes for denial-of-service attacks that can take e-government applications offline. E-government apps require a defense in depth; agencies can no longer simply lock the front door.

Fortunately, over the last two years firewall technology has advanced significantly on those fronts. Routers are now more intelligent, easier to manage and better integrated with the rest of the infrastructure of enterprise networks and other security measures such as intrusion detection systems.

In some cases, security features such as firewalls, and intrusion detection and virus prevention software, are being combined into single devices, as in Symantec's recently introduced Gateway Security appliance. Or designers are integrating them as modules within a larger piece of hardware, as with Cisco Systems Inc.'s PIX network security appliances.

For its part, Check Point is turning to partners to provide component technologies such as intrusion detection that integrate with its firewall through the company's Open Platform for Security program.

Firewalls themselves have changed, sometimes dramatically. Mike Jones, Cisco's product line manager for PIX firewall appliances, said that more than 30 major features have been added to Cisco's PIX family in the last two years.

Look at data

Perhaps the most important area of improvement in firewall technology over the past few years has been in application intelligence, that is, being able to recognize whether incoming network packets are real user traffic, an attack from a hacker or a malicious piece of software.

Previously, the only way to control traffic based on which application it was destined for was to use application filtering (also called port filtering) on the firewall. Traffic directed to a known IP logical address, or port, on a network host for a specific server application (such as port 80 for Web server requests and port 25 for e-mail traffic) would be allowed through. Unauthorized traffic would be stopped in its tracks. But denial-of-service attacks and e-mail worms such as Code Red use these known paths into the network for their attacks.

Most firewalls now go further than screening packets for their destination port; they look at the actual data in the packet through a process known as stateful inspection. As the packet passes through the firewall, its data is analyzed to determine if it is actual application data; if not, it is blocked.

Check Point's Jensen said his company's firewalls equipped with its Smart Defense software 'look at the information passing through and see if it's formatted correctly and up to snuff' before passing it along to its destination. The service also allows customers to use a VPN connection to Check Point to download new attack signatures so that the firewall can block new attacks as they emerge.

Cisco has embedded similar technology in its PIX firewalls, Jones said. 'What we've been doing is building application-specific inspection engines within PIX that check packets on a per-protocol or per-application basis.' Built into these inspection engines is a denial-of-service prevention feature that makes sure packets are 'properly formatted, not masquerading,' he said.

It's important to check incoming Internet traffic in this way. Because of the insidiousness of distributed denial-of-service attacks and other malicious software (such as Code Red, which attacked Microsoft SQL Server), merely checking packets at the perimeter is no longer enough. The same screening needs to be applied to traffic within the network and from trusted outside sources, such as networks attached by a VPN connection.

Support is critical

Support for VPNs is another important component of enterprise firewalls. As the number of remote users requiring secure access to applications increases, firewalls have to be able to handle an increasingly large amount of encrypted VPN traffic. Although acceleration hardware and the adoption of new encryption standards such as the Advanced Encryption Standard have increased the amount of VPN data firewalls can handle, another challenge remains: getting the VPN set up in the first place.

'One knock against VPNs has been manageability,' Jensen said. 'It's been hard to set up connections between different agencies.'

Part of the problem is in distributing the required encryption keys to create the encoded connection that carries VPN traffic. Between two fixed points, using a shared-secret encryption method such as AES or Triple DES will usually suffice for establishing a virtual network pipe. But dealing with multiple, changing sites, or mobile and remote users away from a branch office, means having to integrate some sort of authentication system and handling a much larger number of encryption keys.

To make VPNs work well, and quickly, for all users, firewalls need to connect to a variety of directory types to authenticate users. And these authentication methods need to be tied to a policy at the firewall that determines the type and destination of traffic that each user can send into the network.

Cisco's firewalls support its switched network infrastructure, so the same policy structure that controls VPNs can be used to control each user's access to virtual LANs within the switched network.

This sort of internal partitioning of networks is one of the reasons why firewalls are finding their way deeper and deeper into the network infrastructure of many organizations. There are plenty of reasons to do so. New networking technologies such as WiFi wireless Ethernet make network access more convenient and make all sorts of new applications possible, but they also open new routes for attack on the network.

And even the changing infrastructure of the network itself is helping drive the expansion of the role of firewalls. As the available IP address space shrinks, and agencies start looking at implementing IP Version 6, there will be an increasing need to share IP addresses, translate private IP addresses onto public networks, and otherwise mask the complexity of the network from the devices that use it. The Network Address Translation function of firewalls can add years to the lifetime of the current Internet address pool of government agencies and help ease them into whatever network address scheme follows.

That's a lot to put on a technology that was originally designed to lock out bad guys. But the versatility of firewalls is making them an important part of nearly every emerging network application, from voice over IP communications to Web services.

And even as the importance of firewall technology grows, the days of the standalone firewall seem numbered: with firewall technology being built into almost every point on the network, firewalls as we think of them could disappear completely, and yet manage to be everywhere at the same time.
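The gap between port filtering and the application-level inspection described in the article, shown as an added illustration that is not from the article or from any vendor's product: a port filter admits anything addressed to port 80, while a per-protocol inspection engine parses the payload as HTTP and drops traffic that is not properly formatted. All sample packets are constructed, and the 2048-byte request-line limit is an assumed local policy, not a standard value.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

ALLOWED_PORTS = {80, 25}          # the port-filter policy from the article's example
MAX_REQUEST_LINE = 2048           # assumed policy limit for the DoS-prevention check
# Request line: method, an origin-form target, HTTP/1.0 or 1.1 (visible ASCII only).
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/[\x21-\x7e]*) HTTP/1\.[01]$")
# Header line: RFC-style token, colon, printable value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[\x20-\x7e]*$")

@dataclass
class Packet:
    dst_port: int
    payload: bytes

def port_filter(pkt: Packet) -> bool:
    """Classic port filtering: permit anything bound for an allowed port."""
    return pkt.dst_port in ALLOWED_PORTS

def inspect_http(payload: bytes) -> str:
    """Application inspection for port 80: return 'ok' only for well-formed HTTP."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete headers"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:       # oversize request line => drop
        return "request line too long"
    if not REQUEST_LINE.match(lines[0]):        # not HTTP syntax at all => drop
        return "malformed request line"
    for h in lines[1:]:
        if not HEADER_LINE.match(h):
            return "malformed header"
    return "ok"

def application_filter(pkt: Packet) -> tuple[bool, str]:
    """Port filter first, then hand port-80 traffic to the HTTP inspection engine."""
    if not port_filter(pkt):
        return False, "port not allowed"
    if pkt.dst_port == 80:
        verdict = inspect_http(pkt.payload)
        return verdict == "ok", verdict
    return True, "no engine for this port"

# Constructed sample traffic, not captured from any real network.
SAMPLES = {
    "legit":        Packet(80, b"GET /index.html HTTP/1.0\r\nHost: www.example.gov\r\n\r\n"),
    "binary_on_80": Packet(80, b"\x00\x01\x02\xff\xfe" * 8 + b"\r\n\r\n"),
    "overlong_uri": Packet(80, b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n"),
    "wrong_port":   Packet(6667, b"GET / HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} port-filter={port_filter(pkt)!s:5} app-filter={application_filter(pkt)}")
```

The port filter passes the first three samples because they are all addressed to port 80; only the inspection engine separates the legitimate request from the two malformed ones.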
Kevin Jonah, a Maryland network manager, writes about computer technology.