Handbook of Local Area Networks, 1998 Edition: LAN Security

Two Networks, One Host

Rather than using a modem to contact an ISP (be it internal or external), it will almost certainly be faster to have a genuine LAN connection to the Internet (see Exhibit 8-1-7). One way to do this is to connect each Internet-capable machine to both the Internet and the production network and to disable IP forwarding on those machines (i.e., configure each dually connected machine so that it does not behave as a router). This has some obvious speed advantages, but will probably be cost prohibitive for most sites. It also makes the network slightly less secure by increasing the chance that the production network and the Internet network could get accidentally connected.

Exhibit 8-1-7. A Dually Connected Host with IP Forwarding Turned Off

The Router-Only Solution

A popular method for connecting to the Internet without additional equipment has been the router-only solution (see Exhibit 8-1-8). As mentioned, most modern routers have a facility for blocking certain ranges of IP addresses and/or TCP ports. Using this solution, an administrator could, for instance, limit SMTP mail to a particular host.
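As an added illustration, not taken from the handbook, the following Python models the two connection styles just described: a dually connected host whose IP forwarding is turned off (Exhibit 8-1-7), and a router that forwards but filters incoming traffic on IP address and TCP port, limiting SMTP to a particular host (Exhibit 8-1-8). Every address, the mail host, the blocked source range and the rule set are constructed for the example using the RFC 5737 documentation networks. Besides the permitted SMTP path, the run shows why such a stateless filter must leave TCP ports above 1,024 open for replies to outgoing connections, and therefore what an outside host can reach on any production machine through those same ports.

```python
"""Added example: a model of a dually connected host with IP forwarding off
and of a stateless filtering router (the router-only solution).

Constructed addresses (RFC 5737 documentation ranges):
  192.0.2.0/24    production network; 192.0.2.25 is the mail host
  203.0.113.0/24  an ordinary Internet site
  198.51.100.0/24 a range the administrator has chosen to block
"""
from ipaddress import ip_address, ip_network


class Packet:
    """A TCP connection attempt: source, destination, destination port."""

    def __init__(self, src, dst, dport):
        self.src = ip_address(src)
        self.dst = ip_address(dst)
        self.dport = dport


class DuallyConnectedHost:
    """Exhibit 8-1-7: a host on both networks.  With IP forwarding turned
    off it never relays a packet from one interface to the other, so the
    production network stays unreachable through it.  Turn forwarding on
    by mistake and it relays everything: the accidental connection the
    chapter warns about."""

    def __init__(self, ip_forward=False):
        self.ip_forward = ip_forward

    def forwards(self, pkt):
        return self.ip_forward


class Rule:
    """One router filter rule on source range, destination range and
    destination TCP ports.  Networks are parsed once at construction."""

    def __init__(self, action, src, dst, ports):
        self.action = action          # "permit" or "deny"
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.ports = ports            # a range of destination ports

    def matches(self, pkt):
        return pkt.src in self.src and pkt.dst in self.dst and pkt.dport in self.ports


class FilteringRouter:
    """Exhibit 8-1-8: a stateless router filter.  The first matching rule
    wins; a packet that matches nothing is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)

    def forwards(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False


ALL_PORTS = range(1, 65536)
HIGH_PORTS = range(1024, 65536)

# Constructed policy for the router-only solution:
#  1. drop everything from the blocked range,
#  2. allow SMTP, but only to the mail host,
#  3. leave ports above 1,024 open so replies to outgoing connections get in.
ROUTER = FilteringRouter([
    Rule("deny", "198.51.100.0/24", "0.0.0.0/0", ALL_PORTS),
    Rule("permit", "0.0.0.0/0", "192.0.2.25/32", range(25, 26)),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", HIGH_PORTS),
])


def reachable_ports(device, src, dst):
    """Destination ports on `dst` that a new connection from `src` reaches
    through `device`: what the filter actually exposes, not what it intends."""
    return {p for p in ALL_PORTS if device.forwards(Packet(src, dst, p))}


def demo():
    """Walk constructed connection attempts through each device and return
    {device name: {attempt label: forwarded?}}."""
    attempts = {
        "smtp to mail host": Packet("203.0.113.7", "192.0.2.25", 25),
        "smtp to workstation": Packet("203.0.113.7", "192.0.2.50", 25),
        "smtp from blocked range": Packet("198.51.100.9", "192.0.2.25", 25),
        "reply to outgoing connection": Packet("203.0.113.7", "192.0.2.50", 40000),
        "internal user's listener on 8080": Packet("203.0.113.7", "192.0.2.50", 8080),
    }
    devices = [("host, forwarding off", DuallyConnectedHost(False)),
               ("host, forwarding on", DuallyConnectedHost(True)),
               ("filtering router", ROUTER)]
    return {name: {label: device.forwards(pkt) for label, pkt in attempts.items()}
            for name, device in devices}


if __name__ == "__main__":
    for device, verdicts in demo().items():
        print(device)
        for label, ok in verdicts.items():
            print(f"  {'pass' if ok else 'drop'}  {label}")
    # The third rule is the hole: the high ports that let replies in also
    # let an outsider reach any internal listener on a high-numbered port.
    exposed = reachable_ports(ROUTER, "203.0.113.7", "192.0.2.50")
    print(len(exposed), "ports on the workstation accept inbound connections")
```

reachable_ports() is the check worth keeping: run it for each production host and each outside source range of interest to see what the rule set exposes, rather than reading the rules and assuming.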
The problems with this method of firewalling are that administrators must be certain that the machines to which they are giving the outside world access cannot be used to jump to other machines on the network, and that TCP ports above 1,024 must be left open for outgoing connections. This makes a network vulnerable to holes dug by internal users who have learned the trick of opening a high-numbered port.

Exhibit 8-1-8. Router Filtering Incoming Traffic

Surviving Complete Connectivity

For many sites, particularly those where the users have become accustomed to complete connectivity, no firewall will satisfy them. If using this solution, it is best if administrators also carefully log the IP addresses and the TCP ports on those hosts that are left open. TCP wrappers provide an excellent logging mechanism. TCP wrappers sit between the actual program that the foreign machine is attempting to contact (e.g., telnet) and the network interface. The wrappers can be used to log connections or refuse connectivity based on IP address. They are available for UNIX computers by anonymous FTP.

A Bastion Proxy Host

Many traditional Internet firewalls have been constructed by placing a single machine between a production network and the outside world. This bastion host would run a minimal set of software and a more complicated access method.

Commercial Solutions

Several vendors sell and support off-the-shelf firewall systems. These vary significantly. If planning to purchase such a system, administrators should be sure that they thoroughly understand how it operates and exactly what it is firewalling.

TELEPHONY

An aspect of computer network security that is sometimes overlooked is telephony. Telephony, for purposes of this chapter, includes any system in which users need modems to connect into and out of a facility. There are some obvious problems.
If hackers are able to freely dial into a system, they could compromise the system or use the system as a springboard for breaking into other computers. Telephone numbers cannot be kept secret. Programs that dial through an entire prefix of numbers (called War Games Dialers, named after the movie) have been available for years. This problem should be approached from the viewpoint that modem numbers are well known.

Dial-Back Only. There are many terminal servers and other systems that can be set to function only in dial-back mode. The following dialogue usually occurs with dial-back:

•  The user dials a special number that is used only to initiate a dial-back connection.
•  The user identifies himself or herself, usually through a username/password pair.
•  The connection is closed.
•  The user sets his or her machine for auto-answer.
•  The foreign machine calls the user at his or her prearranged number.
•  The user has remote access into his or her system.

This system is not without its drawbacks. First, there must be a prearranged number at which the user will be waiting for the returned phone call. Second, this system can be defeated by call forwarding. Third, and most importantly, this system is difficult if not impossible to administer for users who travel.

Hardware Encryption. Devices exist that can be put on both ends of a telephone connection to encrypt the data. These devices are usually expensive, and may be difficult to export.

Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.


