When using a private leased line based network, most security issues concern the distribution of the userIDs and passwords employees need to gain access to the different computers connected to the network. In such a situation, a hacker outside the organization has essentially no way to affect security, since there is no connection between a public network and the organization's private network. However, once an organization decides to use the Internet as a virtual network to interconnect geographically separated locations, security becomes a key issue, as the organization is now exposed to the efforts of the millions of persons who could attempt to access its computational facilities. Thus, a mechanism to bar intruders while allowing authorized users at one location to access another location becomes necessary. That mechanism can be obtained either through the packet filtering capability of a router or through the use of a firewall.
A packet filtering router can be used to restrict access based upon the source address, destination address, and TCP port number carried in a datagram. The TCP port number is a numeric value between 0 and 65535 that identifies the application whose data is being transported; the values 0 through 1023 are the well-known ports reserved for standard services. For example, the HyperText Transfer Protocol (HTTP), which conveys Web pages to browsers, uses port 80. Thus, a filter that would pass only Web server traffic through a router from users on the IP network 192.47.27.0 to the host at 203.171.141.25 would be entered as follows (the router must also be configured to deny any traffic the rule does not explicitly permit, which most routers do by default once a filter is applied):
Exhibit 3. Using a Firewall.
Permit TCP 80 192.47.27.0 203.171.141.25
Although packet filtering represents a useful mechanism for barring unauthorized access, it has a specific weakness: it trusts the source address in each packet, and IP addresses can be spoofed. In addition, packet filtering by itself neither verifies the originator of data nor prevents a user who gains access to a network behind the router from running a dictionary attack against passwords in an attempt to gain illegal access to organizational computational facilities. To obtain an enhanced level of security, most organizations that anticipate using the Internet as a virtual network will install a firewall at each location connected to the Internet.
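The filter rule above, and the spoofing weakness just described, can both be made concrete with a small stateless packet filter simulation. This is an added example written for this page, not the router's configuration language or any vendor's code; the packet and rule representations, the interface names "inside" and "outside", and the sample addresses other than the two from the text are assumptions. It shows that the single permit rule accepts a packet whose source address is forged, and that an ingress rule which rejects inside source addresses arriving on the outside interface closes that particular hole.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address as text
    dst: str        # destination IP address as text
    dport: int      # destination port
    ingress: str    # interface the packet arrived on: "inside" or "outside" (assumed names)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # None matches any destination port
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ingress: Optional[str] = None   # None matches packets arriving on any interface

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ingress is None or self.ingress == p.ingress)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst)


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Stateless filter: the first matching rule wins; unmatched packets are denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INSIDE_NET = ipaddress.ip_network("192.47.27.0/24")      # the user network from the text
WEB_SERVER = ipaddress.ip_network("203.171.141.25/32")   # the Web server from the text

# The rule from the text: only HTTP from the inside network to the Web server is permitted.
BASIC_RULES = [Rule("permit", "tcp", 80, INSIDE_NET, WEB_SERVER)]

# The same rule preceded by an anti-spoofing rule (an addition, not in the text): a packet
# arriving on the outside interface can never legitimately carry an inside source address,
# so it is dropped before the permit rule is ever consulted.
ANTI_SPOOF_RULES = [
    Rule("deny", "any", None, INSIDE_NET, ipaddress.ip_network("0.0.0.0/0"), ingress="outside"),
    Rule("permit", "tcp", 80, INSIDE_NET, WEB_SERVER),
]

# Constructed sample traffic (addresses other than the two above are documentation ranges).
LEGIT_HTTP = Packet("tcp", "192.47.27.10", "203.171.141.25", 80, "inside")
TELNET = Packet("tcp", "192.47.27.10", "203.171.141.25", 23, "inside")
OUTSIDER = Packet("tcp", "198.51.100.7", "203.171.141.25", 80, "outside")
SPOOFED = Packet("tcp", "192.47.27.10", "203.171.141.25", 80, "outside")   # forged source

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT_HTTP), ("telnet", TELNET),
                      ("outsider", OUTSIDER), ("spoofed", SPOOFED)]:
        print(f"{name:8s} basic={evaluate(BASIC_RULES, pkt):6s} "
              f"anti_spoof={evaluate(ANTI_SPOOF_RULES, pkt)}")
```

The basic rule set cannot distinguish the legitimate packet from the spoofed one, because the two differ only in where they arrived, which a rule keyed on addresses and ports never examines. The anti-spoofing rule still does nothing against a forged address that is plausible for the interface it arrives on, which is why the text goes on to recommend a firewall that authenticates users rather than addresses.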
Exhibit 3 illustrates the placement of a firewall to provide an extra level of protection between a corporate LAN and the Internet. In this example, the router is connected to a hub that has only one other connection, that of the firewall. This workstation-less segment is commonly called a DMZ LAN: any illegal activity the router's filters let through must still pass the firewall before it can reach internal users.
In addition to performing filtering in a manner similar to routers, firewalls may include a number of additional security related functions and features, such as the authentication of remote users, proxy services, and virus scanning of incoming electronic mail and file transfers. Authentication is usually performed with a one-time password check, using either the Bellcore S/Key system or the Security Dynamics SecurID card. S/Key generates one-time passwords in software from a secret passphrase: the passwords form a hash chain, each is valid only once, and the firewall verifies a presented password by hashing it once and comparing the result with the last password it accepted, so a password captured in transit is of no use to a replayer. In comparison, the SecurID card is a credit card-sized device that displays a new pseudo-random code every 60 seconds, derived from a secret seed held in the card and the current time. The user enters their PIN together with the code currently shown by the card, and both are transmitted to the firewall (or to an authentication server the firewall consults). That server holds a copy of the card's seed, computes the code expected for the current time window, and considers the requester authenticated only if the computed code matches the transmitted one and the PIN is correct. The code is not derived from the PIN; the PIN is a second factor that protects against use of a lost or stolen card.
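The two one-time password mechanisms just described, as an added example written for this page rather than code from Bellcore or Security Dynamics. The hash chain follows the S/Key (Lamport) scheme but uses SHA-256 instead of the MD4 of the original system, and the time-based code is an illustrative HMAC construction that stands in for the card's proprietary algorithm; the secret, seed, PIN and timestamps are constructed. It shows what the verifier must store, why a replayed or out-of-order password is rejected, and why both the PIN and the card code must be checked.

```python
import hashlib
import hmac
import struct


# ---- S/Key-style one-time passwords: a hash chain (Lamport scheme) ----
# The user's secret is hashed n times and the verifier stores only H^n(secret).
# Password i is H^i(secret); the user presents H^(n-1), then H^(n-2), and so on.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # assumption: SHA-256 in place of S/Key's MD4


def hash_chain(secret: bytes, count: int) -> bytes:
    """H^count(secret): the one-time password for step `count`."""
    v = secret
    for _ in range(count):
        v = _h(v)
    return v


class SKeyVerifier:
    """Holds the last accepted chain value; it never sees the secret itself."""

    def __init__(self, initial: bytes, n: int):
        self.stored = initial       # H^n(secret), registered by the user at enrolment
        self.remaining = n          # passwords left before the chain must be re-initialised

    def verify(self, otp: bytes) -> bool:
        if self.remaining <= 1:     # chain exhausted: H^0 would be the secret itself
            return False
        if not hmac.compare_digest(_h(otp), self.stored):
            return False            # wrong, replayed, or out-of-order password
        self.stored = otp           # advance the chain: accepted value becomes the reference
        self.remaining -= 1
        return True


# ---- Time-based card code plus PIN (two factors) ----
# Illustrative HMAC construction (assumption), not the proprietary SecurID algorithm.

def token_code(seed: bytes, t: int, period: int = 60, digits: int = 6) -> str:
    """Code a card holding `seed` would show at Unix time `t`; changes every `period` seconds."""
    counter = t // period
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10 ** digits).zfill(digits)


def verify_token(seed: bytes, stored_pin: str, pin: str, code: str, now: int,
                 period: int = 60, skew: int = 1) -> bool:
    """Both factors must check: the PIN the user knows and the code the card shows.
    `skew` adjacent windows are accepted to tolerate clock drift between card and server.
    Both checks always run so a failure does not reveal which factor was wrong."""
    pin_ok = hmac.compare_digest(stored_pin.encode(), pin.encode())
    code_ok = any(hmac.compare_digest(token_code(seed, now + d * period, period), code)
                  for d in range(-skew, skew + 1))
    return pin_ok and code_ok


if __name__ == "__main__":
    secret = b"constructed-secret"                      # constructed
    verifier = SKeyVerifier(hash_chain(secret, 5), 5)
    print("first login :", verifier.verify(hash_chain(secret, 4)))   # True
    print("replay      :", verifier.verify(hash_chain(secret, 4)))   # False
    seed, now = b"constructed-card-seed", 1_000_000    # constructed
    print("card login  :", verify_token(seed, "1234", "1234", token_code(seed, now), now))  # True
```

The S/Key verifier advances only on success, so a password observed on the wire is worthless once used, and the chain length n bounds how many logins are possible before re-enrolment. The time-based check accepts one window on either side of the server's clock; widening that tolerance makes the code reusable for longer, which is the trade-off against false rejections from clock drift.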
The proxy service capability of a firewall means the firewall bars direct client-server connections. Instead, the firewall examines each request against a set of predefined rules and, if the request is permitted, acts as an intermediate client and makes the server connection on the client's behalf. Because every request passes through it, the firewall can check for dictionary attacks, protocol spoofing, and other illegal activity and can either terminate the attempts or alert a manager via E-mail or pager to the activity being attempted.
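The dictionary-attack check a proxying firewall can perform, as an added example run over constructed proxy authentication log lines; this is not any firewall product's log format or detection code. The line format, the five-failures-in-sixty-seconds threshold, and the addresses are assumptions. It tracks failures per source address in a sliding window, clears the count on a successful login, and returns one alert per offending source, which is what the E-mail or page to the manager would carry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterator, List, Set, Tuple

# Constructed sample of proxy authentication log lines (assumed format, not a real product's).
SAMPLE_LOG = """\
1997-03-04T10:15:01 src=198.51.100.7 user=jsmith result=FAIL
1997-03-04T10:15:03 src=198.51.100.7 user=jsmith result=FAIL
1997-03-04T10:15:04 src=198.51.100.7 user=jsmith result=FAIL
1997-03-04T10:15:06 src=198.51.100.7 user=jsmith result=FAIL
1997-03-04T10:15:07 src=198.51.100.7 user=jsmith result=FAIL
1997-03-04T10:15:30 src=192.0.2.44 user=mlee result=FAIL
1997-03-04T10:16:10 src=192.0.2.44 user=mlee result=OK
1997-03-04T10:40:00 src=203.0.113.9 user=root result=FAIL
1997-03-04T10:41:00 src=203.0.113.9 user=root result=FAIL
1997-03-04T10:42:00 src=203.0.113.9 user=root result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, source, user, result) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def detect_dictionary_attacks(log: str, threshold: int = 5,
                              window_s: int = 60) -> List[Tuple[str, datetime]]:
    """Alert once per source when `threshold` failed logins from it fall within `window_s` seconds.
    A successful login from a source clears its failure history."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, datetime]] = []
    for ts, src, _user, result in parse(log):
        if result == "OK":
            recent[src].clear()
            continue
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts))
    return alerts


def format_alert(src: str, ts: datetime, threshold: int, window_s: int) -> str:
    """Message body the firewall would send to the manager by E-mail or pager."""
    return (f"Possible dictionary attack from {src}: {threshold} failed logins "
            f"within {window_s}s, last at {ts.isoformat()}")


if __name__ == "__main__":
    for src, ts in detect_dictionary_attacks(SAMPLE_LOG):
        print(format_alert(src, ts, 5, 60))
```

With the default threshold the burst from 198.51.100.7 is reported while the single mistyped password from 192.0.2.44 is not. The slow attempts from 203.0.113.9, one per minute, never accumulate five failures inside a sixty-second window, which illustrates the limit of a purely rate-based check: a patient attacker who spreads attempts out stays under any short window, so the threshold and window are tuning decisions rather than a complete defence.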
When considering the Internet as a virtual network, the cost of a firewall as an added measure of protection should be weighed against your organizational requirements. If you plan to use the Internet only to transfer electronic mail, a virus checker on your mail servers may be both sufficient and considerably less costly than a firewall. If your organization has several servers at each location with important content that requires a high level of protection, then the expense associated with firewalls may be well justified. Thus, a careful analysis of the type of data to be transmitted via the Internet between corporate locations, as well as of the economics and security issues associated with using the Internet, becomes an important criterion before determining whether virtual networking is a practical replacement for a private leased line based network.
Using the Internet as a virtual network can save costs. Before using the Internet in such a way, a data center manager should consider the following:
By weighing the pros and cons previously listed, a data center manager can decide if using the Internet as a virtual network will save money and still provide the needed security and predictability.