หน้าเว็บ

Tuesday, March 19, 2013

Firewall

Firewalls are one of the core components of a network security implementation, are a vital component in protecting a computer system, or network of computers from external attack.

In a default Red Hat Enterprise Linux installation, a firewall exists between your computer or network and any untrusted networks.

Firewall Type

MethodDescriptionAdvantagesDisadvantages
NAT Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem.
  1. Can be configured transparently to machines on a LAN.
  2. Protection of many machines and services behind one or more external IP addresses simplifies administration duties.
  3. Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway.
  1. Cannot prevent malicious activity once users connect to a service outside of the firewall.
Packet Filter A packet filtering firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
  1. Customizable through the iptables front-end utility.
  2. Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level.
  3. Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host.
  1. Cannot filter packets for content like proxy firewalls.
  2. Processes packets at the protocol layer, but cannot filter packets at an application layer.
  3. Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks.
Proxy Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
  1. Gives administrators control over what applications and protocols function outside of the LAN.
  2. Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption.
  3. Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network.
  1. Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies work with TCP-connected services only).
  2. Application services cannot run behind a proxy, so your application servers must use a separate form of network security.
  3. Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service.


Enabling and Disabling the Firewall

  1. To start this application, either select SystemAdministrationFirewall from the panel, or type system-config-firewall at a shell prompt.
  2. Select one of the following options for the firewall:
    1. Disabled — Disabling the firewall provides complete access to your system and does no security checking. This should only be selected if you are running on a trusted network (not the Internet) or need to configure a custom firewall using the iptables command line tool.
    2. Enabled — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
      If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice.
Refer to:redhat.com: Firewall
techotopia.com: Basic RHEL 5 Firewall Configuration
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)