A few years ago, for reliable PC protection, it was enough to install a good anti-virus program and monitor regular database updates. However, the ingenuity of attackers generates more and more new ways of causing damage. Often, the main way to penetrate a user's computer is his network connections, or rather the associated system vulnerabilities. An antivirus package can only detect malicious code, but not every antivirus is capable of detecting unauthorized access to data.

With the development of market relations, information more and more acquires the qualities of a commodity, that is, it can be bought, sold, transferred and, unfortunately, stolen. Therefore, the problem of information security is becoming more and more urgent every year. One of the possible ways to solve this problem is the use of firewalls.

Modern firewall technologies are one of the most dynamic segments of the modern security market. Means of network protection are developing so rapidly that currently the generally accepted terminology in this direction has not yet been finally established. These defenses are referred to in the literature and the media as firewalls, firewalls, and even information membranes. But the most commonly used term is “firewalls” (FW).

In the general case, to provide network protection between two sets of information systems (IS), a screen or information membrane is placed, which are a means of differentiating access of clients from one set of systems to information stored on servers in another set. In this sense, ME can be represented as a set of filters that analyze the information passing through them and make a decision: to pass information or block it. At the same time, events are recorded and an alarm is triggered if a threat is detected. Shielding systems are usually made asymmetrical. For screens, the concepts of “inside” and “outside” are defined, and the task of the screen is to protect the internal network from a potentially hostile environment. In addition, ME can be used as a corporate open part of the network, visible from the Internet. For example, in many organizations, DOEs are used to store publicly available data, such as information about products and services, files from FTP databases, error messages, and so on.

A firewall or firewall is a set of hardware or software that monitors and filters network packets passing through it in accordance with specified rules.

The main task of the firewall is to protect computer networks or individual nodes from unauthorized access. Also, firewalls are often called filters, since their main task is not to pass (filter) packets that do not match the criteria defined in the configuration.

Some firewalls also allow for translation of addresses - dynamic replacement of intranet (gray) addresses or ports with external ones used outside the local area network.

Figure 4. General structure of the firewall

Other names

Firewall (German Brandmauer) is a term borrowed from the German language that is analogous to the English firewall in its original meaning (a wall that separates adjacent buildings, preventing the spread of fire). Interestingly, in the field of computer technology, the word "Firewall" is used in German.

Firewall - Formed by transliteration of the English term firewall.

Varieties of firewalls

Firewalls are classified into different types depending on the following characteristics:

whether the shield provides a connection between one node and a network, or between two or more different networks;

at the level of which network protocols the data flow is controlled;

whether the states of active connections are monitored or not.

Depending on the coverage of controlled data streams, firewalls are divided into:

traditional firewall (or firewall) - a program (or an integral part of the operating system) on a gateway (a server that transfers traffic between networks) or a hardware solution that controls incoming and outgoing data flows between connected networks.

personal firewall is a program installed on a user's computer and designed to protect only this computer from unauthorized access.

A degenerate case is the use of a traditional firewall by a server to restrict access to its own resources.

Depending on the level at which access control occurs, there is a division into firewalls operating on:

the network layer, when filtering is based on the addresses of the sender and recipient of packets, the port numbers of the transport layer of the OSI model and static rules set by the administrator;

session Layer (also known as stateful) - Tracking sessions between applications that do not allow packets that violate TCP / IP specifications, often used in malicious operations - resource scans, hacking through incorrect TCP / IP implementations, dropped / slowed connections, data injection.

the application layer, filtering based on the analysis of application data transmitted within the package. These types of screens allow you to block the transmission of unwanted and potentially harmful information based on policies and settings.

Some solutions related to application-level firewalls are proxy servers with some firewall capabilities, implementing transparent proxy servers, specializing in protocols. Proxy server capabilities and multi-protocol specialization make filtering much more flexible than on classic firewalls, but such applications have all the disadvantages of proxy servers (for example, traffic anonymization).

Depending on the tracking of active connections, firewalls are:

stateless (simple filtering), which do not track current connections (for example, TCP), but filter the data stream solely based on static rules;

stateful, stateful packet inspection (SPI) (context-aware filtering), monitoring the current connections and passing only those packets that satisfy the logic and algorithms of the corresponding protocols and applications. These types of firewalls make it possible to more effectively combat various types of DoS attacks and vulnerabilities of some network protocols. In addition, they provide the operation of protocols such as H.323, SIP, FTP, etc., which use complex schemes for transferring data between recipients, which are difficult to describe by static rules and, often incompatible with standard, stateless firewalls.

It should be noted that nowadays, along with single-level firewalls, complex screens, covering the layers from network to application, are gaining popularity, since such products combine the best properties of different types of single-level screens. Figure 1 shows the structure of information shielding between two systems using the ISO / OSI reference model.

Figure 5. Structure of information shielding using the reference model

Modern requirements for firewalls

The main requirement is to ensure the security of the internal (protected) network and full control over external connections and communication sessions.

The shielding system must have powerful and flexible controls to easily and completely enforce the organization's security policy.

The firewall should work invisibly to the users of the local network and not impede their legal actions.

The firewall processor must be fast, work efficiently enough, and be able to handle all incoming and outgoing traffic at peak levels so that it cannot be blocked by a large number of calls and disrupted.

The security system itself must be reliably protected from any unauthorized influences, since it is the key to confidential information in the organization.

The screen management system should be able to centrally enforce a uniform security policy for remote branches.

Features of modern firewalls

As can be seen from Table 3, a firewall is the most common means of enhancing traditional means of protection against unauthorized access and is used to ensure data protection when organizing interworking.

The specific implementations of the ME largely depend on the computing platforms used, but, nevertheless, all systems of this class use two mechanisms, one of which provides blocking of network traffic, and the second, on the contrary, allows data exchange.

At the same time, some versions of the ME focus on blocking unwanted traffic, while others - on regulating the allowed machine-to-machine communication.

Table 3 - Features of firewalls

Typical options for enabling firewalls

Figure 6. Switching on the ME according to the two-port gateway scheme

Figure 7. Enabling ME directly on the protected server

Figure 8. Enabling ME in the Internet Intranet system

Comparative characteristics of modern firewalls

Table 4 - Comparative characteristics of modern firewalls

The firewall itself is not a panacea for all threats to the network. In particular, he:

does not protect network nodes from penetration through "back doors" or software vulnerabilities;

does not provide protection against many internal threats, primarily data leakage;

does not protect against users downloading malicious programs, including viruses;

To solve the last two problems, appropriate additional tools are used, in particular, antiviruses. Usually they connect to the firewall and let the corresponding part of the network traffic pass through themselves, acting as a transparent proxy for other network nodes, or they receive a copy of all transmitted data from the firewall. However, this analysis requires significant hardware resources, so it is usually carried out on each node of the network independently.

Instructions

Go to the main menu "Start" of the Windows operating system. Select the "Control Panel" section and go to the "Windows Firewall" item. You can also run its configuration from the command line by entering the following text: “control.exe / name Microsoft.WindowsFirewall”.

Check out the window that opens. On the left there is a panel consisting of several sections that are responsible for various settings of the gateway screenand. Go to the tab "General profile" and "Private profile", where near the inscription "Outgoing connections" you must uncheck the option "Block". Press the button "Apply" and "Ok", then close the window. After that, you can start configuring Internet access for various services and programs installed on your personal computer.

Go to the "Advanced Settings" tab to start the gateway screen in high security mode. The window that appears consists of a toolbar and three sections. Select the "Rules for outbound connections" section in the left field, then check the "Create rule" item in the right field. This will open the rule creation wizard.

Select the type of rule you want to add to the gateway settings screenand. You can select for all computer connections or customize a specific program by specifying the path to it. Click the "Next" button to go to the "Program" item, in which we again indicate the path to the application.

Go to Action. Here you can allow the connection or block it. You can also establish a secure connection, which will check it using IPSec. In this case, by clicking the "Configure" button, you can set your own rules. Then enter the "Profile" for your rule and name it. Click the Finish button to save the settings.

The amount of flickering when the screen is turned on depends on the settings for the refresh rate of the monitor. The concept of "refresh rate" is applicable to lamp monitors, these settings are not important for liquid crystal monitors. Most lamp monitors are refreshed once a minute. If these settings do not suit you, remove flicker screenby following a few steps.

Instructions

Call the "Display" component. To do this, open the Control Panel through the Start menu. In the category "Design and Themes" click on the "Screen" icon with the left mouse button or select any of the available tasks at the top of the window. If the "Control Panel" on your computer has a classic look, select the desired icon immediately.

There is another way: right-click in any part of the "Desktop" free of files and folders. In the drop-down menu, select the "Properties" item by clicking on it with the left mouse button. A new "Display Properties" dialog box will open.

In the window that opens, go to the "Options" tab and click on the "Advanced" button located at the bottom of the window. This action will bring up an additional dialog box "Properties: Monitor Connector and [name of your video card]".

In a new window, go to the "Monitor" tab and place a marker in the field opposite the inscription "Hide modes that the monitor cannot use." This will help you avoid potential problems: if screen set incorrectly, the monitor image may be unstable. Also, an incorrectly selected frequency can lead to equipment malfunction.

Using the drop-down list in the "Monitor settings" section, set in the "Refresh rate screen»The value you want. The higher the refresh rate screen, the less the monitor flickers. The default is 100Hz, although your monitor may support a different frequency. Check this information in the documentation or on the manufacturer's website.

After making the necessary changes, click on the "Apply" button in the monitor properties window. Answer in the affirmative when asked to confirm the new parameters. Click on the OK button. You will be left with one window "Properties: Display". Close it using the OK button or the [x] icon in the upper right corner of the window.

If changing the refresh rate screen the view of the desktop will change, set in the properties window screen convenient for perception, click on the "Apply" button and close the window. Adjust the size of the working area on the screen using the adjustment buttons on the monitor body. Don't forget to click on the Degauss button at the end.

Internetwork screen, or firewall, is designed to control the operation of programs on the network and to protect the operating system and user data from external attacks. There are many programs with similar functions, and they are not always effective. To check the quality of your network screena, use the 2ip Firewall Tester program.

Instructions

Find a link to download the utility 2ip Firewall Tester using the search engine. Check the downloaded files with an antivirus program and run the application. As a rule, the program needs to be installed on the computer hard drive. After that, a shortcut will appear on the desktop, with which you can launch it.

The program window is quite simple and contains a message line and two buttons Help and Test. Make sure your computer has Internet access and click the Test button. The utility will attempt to communicate with the external server. If the connection is established (which will be reported in red letters), then your firewall is ineffective. It is also worth noting that most of such software is installed by default with an English-language interface. To change to Russian, go to the program settings. Do not forget to save any changes that have been made to the program.

If the connection fails and the gateway screenand issued a request for permission of this connection, then the firewall is working. Allow one-time connection. For a more complex firewall check, rename the 2ip Firewall Tester utility startup file to the name of a program whose Internet access is known to be allowed. For example, Internet Explorer. To do this, name the utility by the name iexplore.exe, run it again and click the Test button. If the connection is established, then your gateway screen has a rather low level of protection.

If the connection fails, then your gateway program screenand performs its functions by five points. You can safely surf the Internet, because your personal computer is reliably protected from various threats. As a rule, such software has flexible settings in the system.

Related Videos

Sometimes, while sitting at the computer, you may notice that the image on the screen is shaking, "floating" in a peculiar way or starts unexpectedly. This problem is widespread. But the reasons for her are different. It is worth figuring out why the screen is shaking.

The most common cause of a shaking screen is the presence of a source of alternating electromagnetic fields in the workroom or apartment. This can be verified very easily by moving the monitor. If it stops, then the problem is related to the electromagnetic fields. Their sources at work are various electrical installations, transformer substations, as well as power lines. At home, they are replaced by a TV, refrigerator, microwave oven and other household appliances.

The second most common cause of screen shaking is insufficient power to the monitor. As a rule, the monitor is connected to the pilot, in which, in addition to himself, the system unit, modem, TV, chandelier and much more are also "powered", depending on the user's taste. It is worth trying to turn off some of these devices and see if the shaking of the image on the monitor has decreased. If not, then perhaps the problem is in the pilot himself, in how he filters the electricity. You can try just changing it.

The least common (although most often that comes to mind) cause of image shaking can be a malfunction inside the monitor itself, for example, a broken scanner or a malfunction in its power system. In such cases, it is better for an inexperienced user not to climb inside the monitor. The best solution in this situation would be to contact qualified specialists.

Sometimes the reason for the above problems can be a low refresh rate. By default, some monitors have a frequency of 60 Hz. This not only makes the screen shake noticeable, but also extremely harmful to vision. Therefore, it is worth through the "Control Panel" to find the menu item "Screen" and set the frequency there to 75 Hz. At this frequency, screen shake can be completely eliminated.

Attention: we remove!

To take a screenshot, launch the application on the computer by clicking on the shortcut on the desktop (usually during the installation process, it is created automatically) or by finding it in the list of programs (via the "Start" button). After that, in the opened working window select the function you need. In this program, you can capture the screen: full screen, window element, scrolling window, selection, fixed area, arbitrary area, or take a screenshot from the previous selection.

The toolbar also opens when you click the "File" button in the main program menu.

From the names of the options, it is clear which part of the working window will be highlighted during the screening process. You will be able to "take a picture" of the entire screen or any part of it with one click of the button. Also, here you can set a specific area or part of the screen that will correspond to the previously set parameters. In general, you can screen absolutely everything.

In addition, the program has a small list of tools necessary for image processing: a color palette, a magnification window, a ruler with which you can calculate the distance from one point to another with millimeter accuracy, a protractor, an overlap and even a slate board that allows you to make notes and drawings directly on the screen.

To perform further actions, click the "Main" button, after which an additional panel with a specific set of tools will appear on the screen. With their help, you can crop the image, set its size, highlight a certain part with color, superimpose text, select the font and fill color.

The button "View" in the main menu allows you to change the scale, work with a ruler, adjust the appearance of screened documents: cascade, mosaic.

After you take a screenshot, click the "File" button on the top panel of the application and select the "Save As" option in the drop-down window. After that, an additional window will open on the right side, in which you will need to select the file type: PNG, BMP, JPG, GIF, PDF. Then all that remains is to specify the folder where the file should be saved.

1. Symmetric encryption

Symmetric cryptosystems (also symmetric encryption, symmetric ciphers) (eng. symmetric- key algorithm) is an encryption method in which the same cryptographic key is used for encryption and decryption. Prior to the invention of the asymmetric encryption scheme, the only existing method was symmetric encryption. The algorithm key must be kept secret by both parties. The encryption algorithm is chosen by the parties prior to starting the exchange of messages.

In symmetric cryptosystems, the same key is used for encryption and decryption. Hence the name - symmetrical... The algorithm and the key are chosen in advance and are known to both parties. Keeping the key secret is an important task for establishing and maintaining a secure communication channel. In this regard, the problem of the initial key transfer (key synchronization) arises. In addition, there are methods of crypto attacks that allow one way or another to decrypt information without having a key, or by intercepting it at the negotiation stage. In general, these points are the problem of the cryptographic strength of a specific encryption algorithm and are an argument when choosing a specific algorithm.

Symmetric, and more specifically, alphabetic encryption algorithms were among the first algorithms ... Later, asymmetric encryption was invented, in which the keys of the interlocutors are different. .

Basic information [edit | edit code]

Data encryption algorithms are widely used in computer technology to hide confidential and commercial information from malicious use by third parties. The main principle in them is the condition that the transmitter and receiver know the encryption algorithm in advance, as well as the key to the message, without which information is just a set of characters that have no meaning.

Classic examples of such algorithms are symmetric cryptographic algorithmslisted below:

Simple permutation

Single key permutation

Double permutation

Permutation "Magic square"

Simple permutation[edit | edit code]

Simple keyless permutation is one of the simplest encryption methods. The message is written to the table column by column. After the plaintext is written in columns, it is read line by line to form the ciphertext. To use this cipher, the sender and receiver need to agree on a common key in terms of the size of the table. Combining letters into groups is not included in the cipher key and is used only for the convenience of writing meaningless text.

Single key permutation[edit | edit code]

A more practical encryption technique called single key permutation is very similar to the previous one. It differs only in that the table columns are rearranged by a keyword, phrase or a set of numbers as long as a table row.

Double permutation[edit | edit code]

For added stealth, you can re-encrypt a message that has already been encrypted. This technique is known as double permutation. To do this, the size of the second table is selected so that the lengths of its rows and columns differ from the lengths in the first table. It is best if they are mutually simple. In addition, columns can be swapped in the first table and rows in the second. Finally, you can fill the table with a zigzag, a snake, a spiral, or in some other way. Such methods of filling the table, if they do not increase the strength of the cipher, make the encryption process much more entertaining.

Permutation "Magic square"[edit | edit code]

Magic squares are square tables with sequential natural numbers from 1 inscribed in their cells, which add up the same number for each column, each row and each diagonal. Such squares were widely used to inscribe the encrypted text according to the numbering given in them. If you then write out the contents of the table line by line, then the encryption was obtained by rearranging the letters. At first glance, it seems that there are very few magic squares. However, their number increases very rapidly with the size of the square. So, there is only one magic square measuring 3 x 3, if you do not take into account its rotations. There are already 880 magic squares 4 x 4, and the number of magic squares measuring 5 x 5 is about 250,000. Therefore, magic squares of large sizes could be a good basis for a reliable encryption system of that time, because manual enumeration of all key variants for this cipher was unthinkable.

Numbers from 1 to 16 were inscribed in a 4 by 4 square. Its magic consisted in the fact that the sum of the numbers in rows, columns and full diagonals was equal to the same number - 34. These squares first appeared in China, where they were attributed some "magical power".

Magic square encryption was performed as follows. For example, you need to encrypt the phrase: "I am coming today." The letters of this phrase are inscribed sequentially in a square according to the numbers written in them: the position of the letter in the sentence corresponds to the ordinal number. A full stop is put in empty cells.

After that, the cipher text is written to a line (reading is performed from left to right, line by line): .irdzegyuSzhaoeyanP

When decrypting, the text fits into a square, and the plain text is read in a sequence of "magic square" numbers. The program should generate "magic squares" and select the required one by key. The size of the square is more than 3x3.

General scheme [edit | edit code]

Currently symmetric ciphers are:

block ciphers. The information is processed in blocks of a certain length (usually 64, 128 bits), applying a key to the block in a prescribed order, as a rule, several cycles of mixing and substitution, called rounds. The result of repeating rounds is an avalanche effect - an increasing loss of bit correspondence between blocks of open and encrypted data.

stream ciphers, in which encryption is performed on each bit or byte of the original (plain) text using gamma. A stream cipher can be easily created on the basis of a block cipher (for example, GOST 28147-89 in gamma mode), launched in a special mode.

Most symmetric ciphers use a complex combination of many substitutions and permutations. Many such ciphers are executed in several (sometimes up to 80) passes, using a "pass key" on each pass. The set of "pass keys" for all passes is called a "key schedule". As a rule, it is created from a key by performing certain operations on it, including permutations and substitutions.

A typical way to build symmetric encryption algorithms is the Feistel network. The algorithm builds an encryption scheme based on the function F (D, K), where D is a piece of data half the size of the encryption block, and K is the "pass key" for this pass. A function is not required to be reversible - its inverse function may not be known. The advantages of the Feistel network are that the decryption and encryption almost completely coincide (the only difference is the reverse order of the "pass keys" in the schedule), which greatly facilitates the hardware implementation.

The permutation operation shuffles the bits of the message according to a certain law. In hardware implementations, it is trivially implemented as wire entanglement. It is the permutation operations that make it possible to achieve the "avalanche effect". Permutation operation is linear - f (a) xor f (b) \u003d\u003d f (a xor b)

Substitution operations are performed as replacing the value of some part of the message (often 4, 6, or 8 bits) with a standard, hard-coded other number in the algorithm by referring to a constant array. The substitution operation introduces non-linearity into the algorithm.

Often, the robustness of an algorithm, especially against differential cryptanalysis, depends on the choice of values \u200b\u200bin lookup tables (S-boxes). At a minimum, it is considered undesirable to have fixed elements S (x) \u003d x, as well as the lack of influence of some bit of the input byte on some bit of the result - that is, cases when the result bit is the same for all pairs of input words that differ only in this bit ...

Algorithm parameters [edit | edit code]

There are many (at least two dozen) symmetric cipher algorithms, the essential parameters of which are:

tenacity

key length

number of rounds

length of the processed block

complexity of hardware / software implementation

complexity of conversion

Types of symmetric ciphers [edit | edit code]

block ciphers

AES (eng. Advanced Encryption Standard) - American encryption standard

GOST 28147-89 - Soviet and Russian encryption standard, also a CIS standard

DES (eng. Data Encryption Standard) - data encryption standard in the USA

3DES (Triple-DES, triple DES)

RC2 (Rivest Cipher or Ron's Cipher)

IDEA (International Data Encryption Algorithm, international data encryption algorithm)

CAST (from the initials of the developers Carlisle Adams and Stafford Tavares)

stream ciphers

RC4 (variable key encryption algorithm)

SEAL (Software Efficient Algorithm)

WAKE (World Auto Key Encryption algorithm, world auto key encryption algorithm)

Comparison with asymmetric cryptosystems [edit | edit code]

Advantages[edit | edit code]

speed

ease of implementation (due to simpler operations)

shorter key length required for comparable strength

knowledge (due to the greater age)

disadvantages[edit | edit code]

the complexity of key management in a large network

the complexity of the key exchange. To use it, it is necessary to solve the problem of reliable key transfer to each subscriber, since a secret channel is needed to transfer each key to both parties

To compensate for the shortcomings of symmetric encryption, a combined (hybrid) cryptographic scheme is now widely used, where using asymmetric encryption, a session key is transmitted that is used by the parties to exchange data using symmetric encryption.

An important disadvantage of symmetric ciphers is impossibility their use in mechanisms for generating electronic digital signatures and certificates, since the key is known to each party.

2. Firewall. Firewall. Brandmauer

Firewall, network screen - program or firmware element computer network, carrying out control and filtration passing through it network traffic according to the given rules .

Other names :

Firewall (german Brandmauer - fire wall) - a term borrowed from the German language;

Firewall (english Firewall - fire wall) is a term borrowed from the English language.

Firewall

Firewall (Firewall or Firewall) is a means of filtering packet traffic coming from an external network in relation to a given local network or computer. Let's consider the reasons for the appearance and the tasks performed by the Firewall. A modern data transmission network is a set of remote high-performance devices that interact with each other over a considerable distance. Some of the most large-scale data networks are computer networks such as the Internet. It simultaneously employs millions of sources and consumers of information around the world. The widespread development of this network allows it to be used not only by individuals, but also by large companies to unite their disparate devices around the world into a single network. At the same time, shared access to single physical resources opens access to scammers, viruses and competitors the opportunity to harm end users: steal, distort, plant or destroy stored information, violate the integrity of software and even remove the hardware of the end station. To prevent these unwanted influences, it is necessary to prevent unauthorized access, for which Firewall is often used. The very name Firewall (wall - from the English.wall) conceals its purpose, i.e. it serves as a wall between the protected local network and the Internet or any other external network and prevents any threats. In addition to the above, the firewall can also perform other functions related to filtering traffic from / to any resource on the Internet.

The principle of operation of the Firewall is based on the control of traffic coming from outside. The following methods can be selected to control traffic between the LAN and the external network:

1. Packet filtering - based on setting up a set of filters. Depending on whether the incoming packet satisfies the conditions specified in the filters, it is passed to the network or dropped.

2. Proxy server - an additional proxy-server device is installed between the local and external networks, which serves as a "gate" through which all incoming and outgoing traffic must pass.

3. Stateful inspection - Inspection of incoming traffic is one of the most advanced ways to implement Firewall. Inspection does not mean analyzing the entire package, but only its special key part and comparing it with previously known values \u200b\u200bfrom the database of allowed resources. This method provides the highest Firewall performance and the lowest latency.

How Firewall works

The firewall can be done in hardware or software. The specific implementation depends on the scale of the network, the amount of traffic and the required tasks. The most common type of Firewall is software-based. In this case, it is implemented in the form of a program running on the target PC, or an edge network device, such as a router. In the case of hardware execution, the Firewall is a separate network element that usually has high performance capabilities, but performs similar tasks.

Firewall allows you to configure filters that are responsible for traffic passing according to the following criteria:

1. IP address... As you know, any end device using the IP protocol must have a unique address. By setting an address or a certain range, you can prohibit receiving packets from them, or, on the contrary, allow access only from these IP addresses.

2. Domain name... As you know, a site on the Internet, or rather its IP-address, can be assigned a corresponding alphanumeric name, which is much easier to remember than a set of numbers. Thus, the filter can be configured to pass traffic only to / from one of the resources, or deny access to it.

3. Port... We are talking about software ports, i.e. access points of applications to network services. For example, ftp uses port 21, while web browsing applications use port 80. This allows you to deny access from unwanted services and network applications, or, conversely, allow access only to them.

4. Protocol... Firewall can be configured to pass data of only one protocol, or deny access using it. Typically, the type of protocol can talk about the tasks it performs, the application it uses, and a set of security parameters. Thus, access can be configured only for the operation of any one specific application and prevent potentially dangerous access using all other protocols.

The above lists only the main parameters by which the adjustment can be made. There may also be other network-specific filter parameters applied, depending on the tasks being performed on that network.

Thus, Firewall provides a complex set of tasks to prevent unauthorized access, damage or theft of data, or other negative impact that may affect the performance of the network. Typically, a firewall is used in conjunction with other means of protection, such as antivirus software.

It is believed that a router can also act as a firewall. However, there is one fundamental difference between these devices: the router is designed to quickly route traffic, not block it. Firewall is a security tool that allows certain traffic from a data stream, and a router is a network device that can be configured to block certain traffic.

In addition, firewalls tend to be highly configurable. Traffic flow on the firewall can be configured by services, source and destination IP addresses, and user IDs requesting the service. Firewalls allow centralized security management... In one configuration, an administrator can configure inbound traffic to be allowed for all internal systems in an organization. This does not eliminate the need to update and tune systems, but it can reduce the likelihood of misconfiguration of one or more systems, which could lead to attacks on a misconfigured service.

Identifying firewall types

There are two main types of firewalls: application-level firewalls and packet filtering... They are based on different principles of operation, but when properly configured, both types of devices ensure the correct implementation of security functions, which are to block prohibited traffic. You will see from the following sections that the degree of protection provided by these devices depends on how they are applied and configured.

Application Layer Firewalls

Application-level firewalls, or proxy-screens, are software packages based on operating general systems (such as Windows NT and Unix) or on the firewall hardware platform. Firewall has several interfaces, one for each of the networks to which it is connected. A set of policy rules determines how traffic flows from one network to another. If the rule does not explicitly allow traffic to pass, firewall rejects or discards packages.

Security policy rules amplified through the use of access modules. In the application firewall, each protocol allowed must have its own access module. The best accessors are those that are built specifically for the protocol being resolved. For example, the FTP accessor is for the FTP protocol and can determine whether the traffic that passes through this protocol and whether this traffic is allowed by the security policy rules.

When using an application layer firewall, all connections go through it (see Figure 10.1). As shown in the figure, the connection starts on the client system and goes to the internal interface of the firewall. Firewall accepts the connection, analyzes the contents of the packet and the protocol used, and determines if the traffic is compliant with the security policy rules. If so, then firewall initiates a new connection between its external interface and the server system.

Application firewalls use access modules for incoming connections. Module access in the firewall accepts the incoming connection and processes the commands before sending the traffic to the recipient. In this way, firewall protects systems against application attacks.

Figure: 10.1.

Note

This assumes that the access module on the firewall is itself invulnerable to attack. If software not elaborated enough, it could be a false statement.

An additional benefit of this type of architecture is that it makes it very difficult, if not impossible, to "hide" traffic within other services. For example, some system control programs such as NetBus and

A firewall or firewall is a set of hardware or software that monitors and filters network packets passing through it at various levels of the OSI model in accordance with specified rules.

The main task of the firewall is to protect computer networks or individual nodes from unauthorized access. Also, firewalls are often called filters, since their main task is not to pass (filter) packets that do not fit the criteria defined in the configuration (Figure 6.1).

The firewall has several names. Let's consider them.

Firewall (German Brandmauer) is a term borrowed from the German language that is analogous to the English firewall in its original meaning (a wall that separates adjacent buildings, preventing the spread of fire). Interestingly, in the field of computer technology, the word "firewall" is used in German.

Firewall, firewall, firewall - formed by transliteration of the English term firewall, equivalent to the term firewall, is currently not an official borrowed word in Russian.

Figure 6.1 Typical placement of ME in the corporate network

There are two distinctly different types of firewalls that are commonly used on the Internet today. The first type is more correctly called a packet filtering router. This type of firewall runs on a machine connected to multiple networks and applies a set of rules to each packet to determine whether to forward or block the packet. The second type, known as a proxy server, is implemented in the form of daemons that perform authentication and packet forwarding, possibly on a machine with multiple network connections, where packet forwarding is disabled in the kernel.

Sometimes these two types of firewalls are used together, so that only a specific machine (known as the bastion host) is allowed to send packets through the filtering router to the internal network. Proxy services run on a security host, which is usually more secure than conventional authentication mechanisms.

Firewalls come in different shapes and sizes, and sometimes they are just a collection of several different computers. Here, a firewall means a computer or computers between trusted networks (for example, internal) and untrusted (for example, the Internet), which inspect all traffic passing between them. Effective firewalls have the following properties:

· All connections must go through a firewall. Its effectiveness is greatly reduced if there is an alternative network route - unauthorized traffic will be transmitted bypassing the firewall.

· The firewall allows only authorized traffic. If it is not able to clearly differentiate between authorized and unauthorized traffic, or if it is configured to allow dangerous or unnecessary connections, then its benefits are greatly reduced. In the event of a failure or overload, the firewall should always switch to a “failed” or closed state. It is better to terminate connections than to leave systems unsecured.

· The firewall must resist attacks against itself, since no additional devices are installed to protect it.

A firewall is like a lock on your front door. It may be the most reliable in the world, but if the door is not locked, attackers can easily open it. A firewall protects the network from unauthorized access, like a lock protects an entrance to a room. Would you leave valuables at home if the lock on your front door was not secure?

The firewall is just a piece of the overall security architecture. However, it plays a very important role in the structure of the network and, like any other device, has its own advantages and disadvantages.

Benefits of a firewall:

· Firewalls are an excellent means of enforcing corporate security policies. They should be configured to restrict connections according to management's judgment on this matter.

· Firewalls restrict access to certain services. For example, sharing a web server might be allowed, but telnet and other non-public services might be denied. Most firewalls provide selective access through authentication.

· The purpose of using firewalls is very specific, so there is no need to find a trade-off between security and usability.

· Firewalls are excellent auditing tools. With sufficient hard drive space, or with support for remote logging, they can log any traffic that passes through.

· Firewalls are very good at alerting staff to specific events.

Disadvantages of firewalls:

· Firewalls do not provide blocking of what has been authorized. They allow normal connections from authorized applications to be established, but if applications pose a threat, the firewall will not be able to prevent an attack by treating the connection as authorized. For example, firewalls allow e-mail to pass to the mail server but do not detect viruses in messages.

· The effectiveness of firewalls depends on the rules they are configured to adhere to. The rules shouldn't be too loyal.

· Firewalls do not prevent social engineering attacks or attacks by an authorized user who deliberately and maliciously uses their address.

· Firewalls cannot resist poor administration approaches or poorly designed security policies.

· Firewalls do not prevent attacks if traffic does not pass through them.

Some people have predicted the end of the era of firewalls, which struggle to differentiate between authorized and unauthorized application traffic. Many applications, such as instant messaging, are becoming more and more mobile and multi-port compatible. Thus, they can bypass the firewall through a port open to another authorized service. In addition, more and more applications allow traffic to be routed through other authorized ports that are most likely to be available. Examples of such popular applications are HTTP Tunnel (www.http-tunnel.com) and SocksCap (www.socks.permeo.com). Moreover, applications are being developed specifically to bypass firewalls, such as the GoToMyPC remote control application (www.gotomypc.com).

However, firewalls don't give up without a fight. Current software releases from major vendors include enhanced intrusion prevention and application layer shielding capabilities. These firewalls detect and filter unauthorized traffic, such as instant messaging applications, that tries to penetrate ports that are open to other authorized services. In addition, firewalls are now comparing their performance against published protocol standards and signs of varying activity (similar to anti-virus software) to detect and block attacks contained in transmitted packets. Thus, they remain the primary means of protecting networks. However, if application protection provided by a firewall is insufficient or incapable of correctly distinguishing between authorized and unauthorized traffic, alternative compensating security methods should be considered.

A firewall can be a router, a personal computer, a specially designed machine, or a set of nodes specially configured to protect the private network from protocols and services that could be maliciously used outside the trusted network.

The method of protection depends on the firewall itself, as well as on the policies or rules that are configured on it. There are four firewall technologies in use today:

· Batch filters.

· Application gateways.

· Loop level locks.

· Adaptive packet inspection devices.

Before exploring the functions of firewalls, let's look at the Transmission and Internet Control Protocol (TCP / IP) suite.

TCP / IP provides a method for transferring data from one computer to another over a network. The job of the firewall is to control the transmission of TCP / IP packets between hosts and networks.

TCP / IP is a set of protocols and applications that perform specific functions according to specific layers of the Open Systems Interconnection (OSI) model. TCP / IP transfers blocks of data independently over the network in the form of packets, and each layer of the TCP / IP model adds a header to the packet. Depending on the technology used, the firewall processes the information contained in these headers to control access. If it supports application delimitation as application gateways, then access control can also be exercised over the data itself contained in the package body.

Controlling information flows consists in filtering them and transforming them in accordance with a given set of rules. Since in modern ME filtering can be carried out at different levels of the reference model for open systems interaction (OSI), it is convenient to represent ME in the form of a filter system. Each filter, based on the analysis of the data passing through it, makes a decision - to skip further, throw it off the screen, block or transform the data (Figure 6.2).

Fig.6.2 Filtration scheme in ME.

An integral function of the ME is the recording of information exchange. Keeping registration logs allows the administrator to identify suspicious actions, errors in the ME configuration and make a decision to change the ME rules.

Screen classification

The following classification of ME is distinguished, in accordance with the operation at different levels of the MEO (OSI):

· Bridge screens (OSI layer 2).

· Filtering routers (3 and 4 OSI levels).

· Session layer gateways (OSI layer 5).

· Gateways of the application level (7 level OSI).

· Complex screens (3-7 OSI levels).

Figure 6.3 OSI Model

Bridge ME

This class of ME, functioning at the 2nd level of the OSI model, is also known as stealth, hidden, shadow ME. Bridge ME appeared relatively recently and represent a promising direction in the development of firewall technologies. They filter traffic at the link level, i.e. ME work with frames (frame, frame). The advantages of such MEs include:

· There is no need to change the settings of the corporate network, no additional configuration of the ME network interfaces is required.

· High performance. Since these are simple devices, they do not require a lot of resources. Resources are required either to enhance the capabilities of the machines or for deeper analysis of the data.

· Transparency. The key for this device is its functioning at the 2nd level of the OSI model. This means that the network interface does not have an IP address. This feature is more important than ease of customization. Without an IP address, this device is not accessible on the network and is invisible to the outside world. If such a ME is not available, then how to attack it? The attackers will not even know that there is a ME that checks every packet.

Filtering routers

A router is a machine that forwards packets between two or more networks. A packet filtering router is programmed to compare each packet against a list of rules before deciding whether to forward it or not.

Packet-filtering firewall (FW with packet filtering)

Firewalls provide network security by filtering network connections based on the TCP / IP headers of each packet. They check these headers and use them to pass and route a packet to its destination or to block it by discarding or rejecting (that is, discarding the packet and notifying the sender).

Packet filters perform delimiting based on the following information:

Source IP address;

· Destination IP address;

· Used network protocol (TCP, UDP or ICMP);

· Source port TCP or UDP;

· TCP or UDP port of destination;

· The ICMP message type (if the protocol is ICMP).

A good packet filter can also function based on information not directly contained in the packet header, such as which interface the packet is received on. Basically, a packet filter contains an untrusted or dirty interface, a filter set, and a trusted interface. The dirty side borders on the untrusted network and receives traffic first. As it passes through it, traffic is processed according to a set of filters used by the firewall (these filters are called rules). Depending on them, traffic is either received and sent further through the "clean" interface to the destination, or dropped or rejected. Which interface is "dirty" and which is "clean" depends on the direction of movement of a particular packet (quality packet filters work for both outgoing and incoming traffic).

The strategies for implementing packet filters vary, but there are basic techniques to follow.

· Building rules - from the most specific to the most general. Most packet filters perform bottom-up processing with rulesets and stop processing when a match is found. Embedding more specific filters at the top of the ruleset makes it impossible for a general rule to hide a specific rule further towards the bottom of the filter set.

· Placement of the most active rules at the top of the filter set. Escaping packets takes up a significant amount of CPU time, and. As mentioned earlier, a packet filter stops processing a packet when it finds that it matches a rule. Placing popular rules in first or second place, rather than 30 or 31 positions, saves processor time that would be required to process a packet of more than 30 rules. When you need to process thousands of packets at once, you shouldn't neglect the processor power savings.

Determining the specific and correct packet filtering rules is a very complex process. The advantages and disadvantages of packet filters should be evaluated. Here are some of the benefits.

· High performance. Filtering can be performed at a linear speed comparable to that of modern processors.

· Payback. Packet filters are relatively inexpensive or free. Most routers have packet filtering capabilities integrated into their operating systems.

· Transparency. User and application actions do not need to be adjusted to ensure that packets pass through the packet filter.

· Broad opportunities for traffic management. Simple packet filters can be used to drop obviously unwanted traffic at the network perimeter and between different internal subnets (for example, use border routers to drop packets with source addresses that match the internal network (we are talking about spoofed packets), "private" IP addresses (RFC 1918) and hanging packages).

Consider the disadvantages of packet filters.

· Direct connections between untrusted nodes and trusted nodes are allowed.

· Low scalability. As rulesets grow, it becomes more difficult to avoid "unnecessary" joins. There is a scalability issue associated with the complexity of the rules. If you can't quickly scan a rule set to see the effect of your changes, you'll need to simplify it.

· Ability to open large ranges of ports. Due to the dynamic nature of some protocols, large port ranges need to be opened for the protocols to function properly. The worst case here is FTP. FTP requires an inbound connection from the server to the client, and packet filters will need to open wide ranges of ports to allow such data transfers.

· Susceptibility to data spoofing attacks. Spoofing attacks typically involve attaching bogus information in the TCP / IP header. Attacks involving spoofing of source addresses and masking packets disguised as part of already established connections are widespread.

Session layer gateway

Circuit-level gateway - A firewall that excludes direct communication between an authorized client and an external host. It first accepts a trusted client's request for certain services and, after verifying that the requested session is valid, establishes a connection with the external host.

The gateway then simply copies the packets in both directions without filtering them. At this level, it becomes possible to use the network address translation (NAT) function. Internal address translation is performed with respect to all packets coming from the internal network to the external one. For these packets, the IP addresses of the sending computers on the internal network are automatically mapped to a single IP address associated with the shielding ME. As a result, all packets outgoing from the internal network are sent by the ME, which excludes direct contact between the internal and external networks. The IP address of the session layer gateway becomes the only active IP address that enters the external network.

Features:

· Works at level 4.

· Forwards TCP connections based on the port.

· Inexpensive, but more secure than a packet filter.

· Generally requires user work or a configuration program to work properly.

· Example: SOCKS firewall.

Application layer gateway

Application-level gateways - A firewall that excludes direct communication between an authorized client and an external host by filtering all inbound and outbound packets at the OSI application layer.

Application-related proxies redirect information generated by specific TCP / IP services through the gateway.

Capabilities:

· Identification and authentication of users when trying to establish a connection through the ME;

· Filtering message flow, for example, dynamic virus scan and transparent encryption of information;

· Registration of events and response to events;

· Caching of data requested from the external network.

At this level, it becomes possible to use the functions of mediation (Proxy).

For each application layer protocol discussed, you can introduce software intermediaries - HTTP intermediary, FTP intermediary, etc. Each TCP / IP service broker is focused on message handling and security functions that are specific to that service. Just like a session-level gateway, an application gateway intercepts incoming and outgoing packets with the help of appropriate shielding agents, copies and redirects information through the gateway, and functions as an intermediary server, eliminating direct connections between the internal and external network. However, the proxies used by the application gateway have important differences from the channel proxies of the session layer gateways. First, application gateway proxies are associated with specific applications by software servers), and second, they can filter message flow at the application layer of the OSI model.

Features:

· Works at level 7.

· Application specific.

· Moderately expensive and slow, but more secure and allows user activity logging.

· Requires user work or configuration program to work properly.

· Example: Web (http) proxy.

ME expert level

Stateful inspection firewall is an expert-level firewall that inspects the contents of received packets at three levels of the OSI model: network, session, and application. This task uses special packet filtering algorithms to compare each packet against a known pattern of authorized packets.

Features:

· Filtration of 3 levels.

· Validation at level 4.

· Inspection of the 5th level.

· High levels of cost, protection and difficulty.

· Example: CheckPoint Firewall-1.

Some modern ME use a combination of the above methods and provide additional ways to protect both networks and systems.

"Personal" ME

This class of ME allows security to be further extended by allowing control over which types of system functions or processes have access to network resources. These MEs can use different types of signatures and conditions to allow or deny traffic. Some of the common functions of personal MEs are:

Blocking at the application level - allow only certain applications or libraries to perform network actions or accept incoming connections

· Blocking based on signature - constantly monitor network traffic and block all known attacks. Additional control increases the complexity of security management due to the potentially large number of systems that can be protected by a personal firewall. It also increases the risk of damage and vulnerability due to poor configuration.

Dynamic ME

Dynamic FOs combine standard FOs (listed above) and intrusion detection techniques to provide on-the-fly blocking of network connections that match a specific signature, while still allowing connections from other sources to the same port. For example, you can block the activity of network worms without disrupting normal traffic.

ME connection diagrams:

Single protection scheme for local network

Scheme protected by closed and not protected by open subnets

· Scheme with separate protection of closed and open subnets.

The simplest is the solution in which the firewall simply shields the local network from the global one. In this case, the WWW server, FTP server, mail server and other servers are also protected by a firewall. At the same time, it is required to pay a lot of attention to preventing penetration into protected stations of the local network using the means of easily accessible WWW-servers.

Fig.6.4 Scheme of the unified protection of the local network

To prevent access to the local network using WWW-server resources, it is recommended to connect public servers in front of the firewall. This method has a higher security of the local network, but a low level of security of WWW- and FTP-servers.

Fig. 6.5 Scheme of protected closed and non-protected open subnets

Similar information.