
3.2.1 Introduction

Many companies connect to the Internet, guarded by "firewalls" designed to prevent unauthorized access to their private networks. Despite this general goal, firewalls span a continuum between ease of use and security. This section describes some of the considerations and tradeoffs in designing firewalls. A vocabulary for firewalls and their components is given in Appendix to provide a common ground for discussion.

The rationale for installing a firewall is almost always to protect a private network against intrusion. In most cases, the purpose of the firewall is to prevent unauthorized users from accessing computing resources on a private network, and often to prevent unnoticed and unauthorized export of proprietary information. In some cases export of information is not considered important, but for many corporations that are connecting, this is a major, though possibly unreasoning, concern. Many organizations will want to address the problem simply by not connecting to the Internet at all. This solution can be difficult to implement. If the private network is loosely administered or decentralized, a single enterprising individual with a high-speed dialup modem can quickly set up an Internet SLIP (Serial Line Internet Protocol) connection that can compromise the security of an entire network.

Often it is safe to say that a firewall needs to be put in place for the "CYA" (Cover Your Assets, a family publication) factor. Even though an employee could compromise proprietary information by carrying it offsite on a DAT (Digital Audio Tape) or floppy disk, the Internet represents a tangible threat, populated with dangerous "vandals." (The Vandals were a collection of tribes of roughneck barbarians who sacked Rome in 455 and looted it of all its portable wealth. Some use the term "hackers" to describe Internet snoopers, but "vandals," "crackers," or "jerks" is more appropriate.) It could very easily cost a network manager his job if a break-in occurs via this route, even if the damage is no more extensive than could have been inflicted over a dialup line or by a disgruntled employee. Generally, for a would-be Internet site, the technical difficulties of implementing a firewall are greatly outweighed by the public relations problems of "selling" upper management on the idea. In summary, because Internet services are so highly visible, they are much more likely to require official oversight and justification.


Denis Arnaud
12/19/1997