Network Security Library

Firewall



Subcategories


CheckPoint
IPfilters
IPtables
PIX




Newest Firewall White Papers

Comparison Shopping for Scalable Firewall Products
No network designer worth their salt would dream of purchasing a router or switch without demanding benchmark test results on throughput and subscription rates. After all, routers and switches represent choke points on the network where over-subscription can reduce a gigabit backbone to a 10mbs crawl due to failed connections or latency caused by re-transmittal of lost packets. A really poorly chosen exterior router or switch can even cause a cascade failure of the entire network by propagating, or failing to contain, broadcast storms. At best, an over-subscribed exterior device will choke Internet connections and waste money paid for expensive bandwidth.
By Laura Keadle, 04/05/2004


Application Level Content Scrubbers
Securing an organization's content servers (be it web, file or mail servers) was at one time the primary domain of packet filtering routers. As the Internet became the mainstream medium it is today, the attackers and their attacks became more sophisticated; packet filters were no longer suitable and the perimeter defenses evolved towards session awareness - the current benchmark technology being stateful inspection, which not only understands sessions but also the basics of an application protocol (e.g. Firewall-1 understands how an FTP session should be set up). Firewalls clearly excel at keeping clearly undesirable traffic from getting in and allowing acceptable traffic out. Unfortunately, firewalls do not excel in the e-business and content delivery environments that most organizations are interested in protecting. This is because firewalls were originally created for the express purpose of blocking external access while still allowing internal users out.
By Unknown, 04/05/2004


Disconnect from the Internet - Whale's e-Gap In-Depth
While firewalls are a critical part of today's externally-connected networks, their weaknesses have been revealed time and time again. Some of the world's most widely implemented firewall systems, including Check Point's FireWall-1, Cisco's PIX, NAI's Gauntlet, and Axent's Raptor, have had serious vulnerabilities exposed in recent history, and all of these could be exploited remotely by a malicious party in order to gain access to the backend systems. These vulnerabilities were able to exist because of three fundamental design flaws that all firewalls have: a) they all speak TCP/IP, a protocol fraught with inherent vulnerabilities; b) they all connect both the DMZ and internal network in the same way that a router does; and c) holes must be created to allow network traffic to flow through to the inside.
By Kevin Gennuso, 04/05/2004


Protecting the Next Generation Network - Distributed Firewalls
Corporate networks are constantly changing to meet the needs of businesses and continue to expand in ways that we couldn't have imagined only a few years ago. Gone are the days of a closed network with one external point of access. With the expansion of high speed Internet access via DSL and cable modems, users can now work from home using VPNs. Many companies are expanding their networks even farther with wireless technology allowing access for devices that aren't even physically connected to the network. Suddenly the networks with one or two points of access now have multiple points of access that can change from day to day.
By Robert Gwaltney, 04/05/2004


Achieving Defense-in-Depth with Internal Firewalls
A single firewall at the Internet gateway is no longer sufficient. Currently there is a trend toward more and more outside access to the enterprise network by employees, partners, customers, and suppliers. In addition, attackers are becoming more sophisticated. A sound security perimeter today requires more than a single firewall connected at the Internet router. By segmenting the network with multiple firewalls, we can achieve the holy grail of network security - Defense-In-Depth.
By Unknown, 04/05/2004


Active Net Steward - Distributed Firewall
Recent studies have proven just how incorrect that assumption is. A Digital Research, Inc. reported, "Authorized users are by far a company's biggest security threat." (3) A study by the FBI and CSI showed 44% of respondents "reported unauthorized access by employees." (3) The report that opens the most eyes is a 1996 study by the American Society for Industrial Security that reports, "A massive 75 per cent of all computer break-ins occurred internally." (4) Whether this access was malicious or simple curiosity is irrelevant; this access was possible because it was not stopped by traditional methods: firewalls and IDS. The question then becomes, how do I deal with the implied trust afforded to users who are inside of the firewall, either physically or electronically (via VPN or dialup)?
By Daniel L. Safeer, 04/05/2004


A Layer-7 Secure Security Posture
I find it interesting how guiding principles don't survive across IT disciplines. Take, for example, the concept of a security stance - your site's attitude toward security. The two fundamental postures are the secure, "default deny" and the reactive, "default permit" stances. In the "default deny" stance, you specify only what you allow and deny the rest, whereas with the "default permit" stance, the opposite is true; you specify only what you prohibit and allow the rest. The shortcoming of the default permit stance, of course, is that you must know what you need to deny prior to the exposure. This paper intends to apply the lessons learned from the lower levels of the OSI model to the upper layers.
By Paul Vinciguerra, 04/05/2004


CBAC - Cisco IOS Firewall Feature Set foundations
With the commercial firewall market dominated by expensive firewall products such as those from Checkpoint, Nokia and Cisco (PIX Firewall), many smaller organizations rely on packet filtering technologies and Access-Control Lists (ACLs) on perimeter routers to provide basic firewall features or perimeter defenses. Since IOS 11.2(P), Cisco has enhanced the ability of its perimeter routers to perform a basic firewall function with the introduction of the Cisco IOS Firewall feature set. Although not suitable for all situations, the Firewall feature set is a substantial improvement over ACL-based filters.
By Evan Davies, 04/05/2004


Building an IPv6 Firewall with OpenBSD
This paper is intended to be a how-to for IPv6 firewalls running on OpenBSD 3.0. It will cover the basics of installing OpenBSD, setting up a tunnel to the 6Bone, and configuring the Packet Filter firewall included with OpenBSD. This paper will not cover IPv6 firewalls as they apply to mobile IP, but only to hard-wired LANs. The OpenBSD installation will be performed via FTP. It is presumed that the user will have at least some familiarity with IPv4. Familiarity with IPv4 firewalls will also be helpful. I have decided upon OpenBSD 3.0 for two reasons. First is its security track record. Second is the new Packet Filter firewall included with 3.0. Out of all the open source firewalls I have used, it is my opinion that Packet Filter has the best support for IPv6.
By Eric Millican, 04/05/2004


A Review Of Floppy-Based Firewalls And Their Security Considerations
This paper is for the user that is evaluating inexpensive perimeter firewall solutions. Several distributions of miniature Linux systems are available for repurposing old computers into valuable firewalls and routers. There are many advantages in selecting one of these distributions for your firewall project, and this paper discusses the features and security implications amongst three of the more popular choices available. After reading this paper, the user will have a better understanding of floppy disk-based firewalls and some of the technologies they employ.
By Sean Closson, 04/05/2004






Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget
