In the course of my investigations re Instant Internet I've come
across a White Paper from Performance Technology which might be of
interest to readers of this list. For a full version see
http://www.perftech.com. Any comments about the demise of firewalls or
their appropriateness to Corporate LANs? Sorry about the length of the
quote but I felt it was necessary to include as much as I have.
You need to secure your computer network against break-ins just like
you secure your building against burglars.
...
However, the Internet firewall needs to permit authorized and
desirable operation to continue unimpeded. A cascaded set of security
barriers can make using the Internet so uncomfortable and burdensome
that it becomes useless.
...
The more complicated a firewall becomes, the more necessary it is to
provide logging and audit trails of the events it has allowed, as well
as the events it has denied. Using this log, a systems administrator
can track down attempts to bypass the security. It also helps bring
attention to user problems resulting from overzealous constraints.
While some aspects of having such a log may seem positive, keeping it
functional may entail more than just reading it. For example, it may
become necessary to write analytical programs to help automate the
investigation.
...
The simplest filters, such as those found in routers, limit the
permitted connections based upon specified clients connecting to
specified servers. Just maintaining a list of these connections is
monstrous even in a modest sized LAN.
Another problem arises because the flexibility in protocols required
by popular browsing programs such as Mosaic, NetScape, and Winweb
makes such a list of questionable value. The browsers often use UDP
datagrams instead of TCP/IP connections in internal operations like
those used in ARCHIE and WAIS. The relationship between the two ends
communicating through UDP datagrams is not structured into a client
and server as are communications under the connection conditions of
TCP/IP. Therefore, a packet's history is not self-evident.
The problem has been tackled by filtering firewalls of amazing
complexity. These firewalls are very expensive and run in very fast
and very expensive computers. However, they do work. They work by
tracking every user and knowing every permitted application. They
follow the course of that application and scrutinize every packet to
see if it follows the rules put into the firewall. There are lots of
rules and those rules are installed by the administrator. The rules
are checked by the firewall filter for every packet. A very fast
computer can make these checks for every single packet with only a
small deterioration in performance.
Some installations have not just one, but two or more cascaded
firewalls in an attempt to guarantee absolute security. In some
installations, the ordinary network users are unable to access the
Internet because of this.
...
Typically, a proxy application firewall is taught each application
which local network users wish to run against the Internet. The
mechanism works. Since no IP packets can travel from the Internet to
the local network, the intruders have a very hard time invading.
However, since the proxy application must be taught each application,
it may be very limited in the number of users it can support.
Clearly, new applications may not be introduced to the LAN users on a
timely basis.
...
Instant Internet: Security by means of total IP blocking
...
By contrast, Instant Internet allows IPX workstations on your local
LAN running IP to access the Internet without any IP traffic traveling
between the Internet and the local IP LAN. While IP continues to run
on the LAN, IP traffic from the Internet is blocked by the Instant
Internet box. All incoming Internet packets stop at the Instant
Internet box, therefore outsiders cannot penetrate the LAN. Instant
Internet is effectively hiding the local IP LAN including the IP
addresses and configurations. Your network remains secure. What's
more, no changes to the local network are required in order to use
Instant Internet.
John Dobson
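As an added illustration of two points the quoted paper makes (that a filter must track a packet's history rather than judge it in isolation, and that the allow/deny log of a complicated firewall is only useful once you write programs to analyse it), here is a toy stateful filter written for this post. It is not code from the white paper or from Performance Technology. The policy tuples, the addresses (taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24), the 30-second UDP idle timeout and the sample packets are all constructed assumptions.

```python
"""Toy stateful packet filter that logs every decision (constructed example)."""
from collections import Counter
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # assumed: seconds of silence before a UDP pseudo-flow is forgotten


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool    # True when the packet arrives from the Internet side
    syn: bool = False  # TCP connection-opening packet


class StatefulFilter:
    """Permits policy-listed outbound flows and only the return traffic of flows it has seen."""

    def __init__(self, policy):
        # policy: set of (client, server, proto, server_port) permitted outbound
        self.policy = policy
        self.flows = {}   # (proto, client, cport, server, sport) -> last-seen timestamp
        self.log = []     # (ts, "ALLOW"/"DENY", reason, packet): the audit trail

    def _record(self, pkt, verdict, reason):
        self.log.append((pkt.ts, verdict, reason, pkt))
        return verdict == "ALLOW"

    def handle(self, pkt):
        if not pkt.inbound:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.flows:                       # continuation of a known flow
                self.flows[key] = pkt.ts
                return self._record(pkt, "ALLOW", "existing flow")
            permitted = (pkt.src, pkt.dst, pkt.proto, pkt.dport) in self.policy
            if permitted and (pkt.proto == "udp" or pkt.syn):
                self.flows[key] = pkt.ts                # remember it so replies can come back
                return self._record(pkt, "ALLOW", "policy match, new flow")
            return self._record(pkt, "DENY", "outbound not in policy")
        # Inbound: there is no rule for "servers"; only the reverse of a seen flow is accepted.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is None:
            return self._record(pkt, "DENY", "no matching flow")
        if pkt.proto == "udp" and pkt.ts - last > UDP_TIMEOUT:
            del self.flows[key]                         # stale UDP state is not honoured
            return self._record(pkt, "DENY", "udp flow expired")
        self.flows[key] = pkt.ts
        return self._record(pkt, "ALLOW", "return traffic")

    def denied_by_source(self):
        """The kind of analytical pass the paper mentions: who is being refused, and how often."""
        return Counter(p.src for _, verdict, _, p in self.log if verdict == "DENY")


# Constructed policy: one LAN client may browse one web server and query one DNS server.
POLICY = {
    ("192.0.2.10", "198.51.100.5", "tcp", 80),
    ("192.0.2.10", "198.51.100.9", "udp", 53),
}

# Constructed traffic sample; comments say what each packet exercises.
SAMPLE = [
    Packet(0.0, "tcp", "192.0.2.10", 40000, "198.51.100.5", 80, False, syn=True),  # web request
    Packet(0.1, "tcp", "198.51.100.5", 80, "192.0.2.10", 40000, True),             # its reply
    Packet(1.0, "udp", "192.0.2.10", 50000, "198.51.100.9", 53, False),            # DNS query
    Packet(1.1, "udp", "198.51.100.9", 53, "192.0.2.10", 50000, True),             # DNS answer
    Packet(2.0, "tcp", "198.51.100.77", 4444, "192.0.2.10", 23, True, syn=True),   # unsolicited inbound
    Packet(3.0, "udp", "198.51.100.77", 53, "192.0.2.10", 50000, True),            # "answer" from wrong host
    Packet(40.0, "udp", "198.51.100.9", 53, "192.0.2.10", 50000, True),            # answer after timeout
    Packet(41.0, "tcp", "192.0.2.11", 40001, "198.51.100.5", 80, False, syn=True), # client not in policy
]


def run_sample():
    """Filter the sample and return the verdict list plus the per-source denial summary."""
    fw = StatefulFilter(POLICY)
    verdicts = [fw.handle(p) for p in SAMPLE]
    return verdicts, fw.denied_by_source()


if __name__ == "__main__":
    verdicts, summary = run_sample()
    for ts, verdict, reason, p in StatefulFilter(POLICY).log or []:
        pass  # the log is printed from run_sample's filter below
    print(verdicts)
    print(dict(summary))
```

The UDP case is the one the paper singles out: because a datagram carries no client/server structure, the filter has to manufacture that structure itself by remembering which inside host spoke first and to whom, and by forgetting that memory after a quiet period. The per-source count at the end is the smallest possible version of the "analytical program" the paper says a busy log eventually demands; the expected result for the sample is four allows followed by four denies, with the two denials from 198.51.100.77 standing out.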