17.4.2 Protection solutions for the extranet and Internet
Extranet and Internet protection solutions can be used between
organizations, their branch offices, remote sites, nomadic users, suppliers, partners, or customers, over any public network like the
Internet (Figure 17.1). A specific case is that of nomadic users, who
need to access the company intranet through remote dial-up access
services or through the Internet itself. In both cases, it is, of course,
crucial to have good protection.
17.5 Firewall tunneling technologies
There are five main Internet security and firewall tunneling technology approaches to combat intrusion in a Transmission Control
Protocol/Internet Protocol (TCP/IP) network:
Application proxies
Encryption with VPN
Management center
Stateful IP filtering
Static IP filtering
17.5.1 Application proxies
Application firewalls implement a proxy on the gateway for each
TCP/IP application supported. A proxy acts as a relay between the
specific applications and their users. Remote users first connect to
these proxies and authenticate themselves, as required, before
connecting to the target server. All traffic must pass through the
proxy, which performs checks and filtering based on the commands
specific to the application. For a high level of protection, both types
of technique are in fact complementary and must act together to
attain the highest level of security.
Firewall tunneling technology can be abused. Improper configuration of firewall tunneling
software can be a real windfall for would-be hackers. It is important that a firewall tunneling
solution be made to work in a very secure fashion.
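The command-level checking described above is what distinguishes an application proxy from a packet filter: the proxy sees each FTP command line rather than just "TCP port 21", so it can enforce authentication order, refuse whole classes of commands, and reject malformed input. The following is an added example, not code from the book: a policy object for the control channel of an FTP proxy. The command names are standard FTP verbs; the allowed and denied sets, the 256-byte line limit, and the sample session are assumptions made for the example.

```python
"""Toy application-proxy command filter for an FTP control session.
Constructed example, not code from the book; the policy sets, the line
limit and the sample session are assumptions."""

MAX_LINE = 256   # assumed sanity limit on one control-channel line

# commands the proxy relays before the client has authenticated
PRE_AUTH = {"USER", "PASS", "QUIT"}
# commands the proxy relays for an authenticated, read-only, passive-mode client
POST_AUTH = {"PWD", "CWD", "LIST", "NLST", "RETR", "TYPE", "PASV", "NOOP", "QUIT"}
# commands never relayed whatever the state: writes, deletes, SITE, and
# active mode (PORT), which would require an inbound data connection
ALWAYS_DENIED = {"STOR", "APPE", "DELE", "RMD", "MKD", "SITE", "PORT"}


class FtpProxyPolicy:
    """Decides, for each client command line, whether the proxy relays it to
    the real server or answers the client itself with a refusal."""

    def __init__(self):
        self.user = None
        self.pending_login = False
        self.authenticated = False

    def _reject(self, reply):
        return ("reject", reply.encode("ascii") + b"\r\n")

    def handle(self, line):
        """Return ("forward", canonical_line) or ("reject", reply_to_client)."""
        # transport-level sanity: bounded length, CRLF framing, printable ASCII only
        if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
            return self._reject("500 Line too long or not CRLF-terminated")
        text = line[:-2]
        if not all(0x20 <= b < 0x7F for b in text):
            return self._reject("500 Non-printable bytes in command")
        parts = text.decode("ascii").split(" ", 1)
        verb = parts[0].upper()          # FTP verbs are case-insensitive
        arg = parts[1] if len(parts) == 2 else ""
        if verb in ALWAYS_DENIED:
            return self._reject(f"502 {verb} not permitted by proxy policy")
        if not self.authenticated:
            if verb not in PRE_AUTH:
                return self._reject("530 Please log in first")
            if verb == "USER":
                self.user = arg
            elif verb == "PASS":
                self.pending_login = True   # the server's reply settles it
        elif verb not in POST_AUTH:
            return self._reject(f"502 {verb} not permitted by proxy policy")
        # example application-level check: no ".." path components in CWD
        if verb == "CWD" and ".." in arg.split("/"):
            return self._reject("550 Path traversal not permitted")
        return ("forward", f"{verb} {arg}".strip().encode("ascii") + b"\r\n")

    def server_reply(self, code):
        """Feed the server's numeric reply to the last forwarded command."""
        if self.pending_login:
            self.authenticated = (code == 230)
            self.pending_login = False


def demo_session():
    """Constructed client session; returns the proxy's verdict per line."""
    proxy = FtpProxyPolicy()
    client_lines = [
        b"USER alice\r\n",                   # forward
        b"LIST\r\n",                         # reject: not logged in yet
        b"PASS s3cret\r\n",                  # forward; server then answers 230
        b"pasv\r\n",                         # forward, canonicalised to PASV
        b"RETR report.pdf\r\n",              # forward
        b"STOR upload.bin\r\n",              # reject: writes are denied
        b"SITE CHMOD 777 report.pdf\r\n",    # reject: SITE is denied
        b"CWD ../private\r\n",               # reject: path traversal
        b"LIST\n",                           # reject: bare LF framing
        b"QUIT\r\n",                         # forward
    ]
    verdicts = []
    for line in client_lines:
        action, payload = proxy.handle(line)
        verdicts.append(action)
        if action == "forward" and payload.startswith(b"PASS"):
            proxy.server_reply(230)   # constructed: the real server accepted the login
    return verdicts
```

Calling `demo_session()` yields the sequence forward, reject, forward, forward, forward, reject, reject, reject, reject, forward. Note that the proxy does not decide authentication itself: it forwards USER and PASS and only flips to the authenticated state when the server's 230 reply comes back, which is the relay behaviour the text describes.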
17.5.2 Encryption with virtual private network
The full development of the web's information-sharing potential
requires confidence and trust in the ability of network security measures
to safeguard the intellectual capital of the enterprise.
VPNs, by keeping business communications secret, make it possible
to reconcile security with reduced telecommunication costs. This
represents a powerful complement to access control capabilities of
17.5.3 Management center
For large enterprises, the main challenge lies not only in the power
of the technology used at each control point, but also in the ability
to manage the protection policy centrally and consistently across all
enterprise access points, and to change it according to the Internet
security context. A company has to be able to close its doors and
windows when sunny weather turns to rain.
An enterprise may often use several Internet and intranet firewalls.
How does one ensure good protection and apply a genuine
security policy without overwhelming security officers with endless
configuration tasks or risking security holes caused by misconfigurations?
For this, powerful centralized and coherent management
capabilities are required.
Numerous suppliers provide protection technology. Only a very
few vendors, however, are able to provide such Internet security and
firewall tunneling management.
17.5.4 Stateful IP filtering
Advanced firewalls on the market now provide a high security level
of IP filtering, called dynamic or stateful filtering. This filtering provides
checking of major Internet protocols (TCP, User Datagram
Protocol [UDP], etc.), services (web, mail, FTP, Telnet, etc.), and
business applications (remote procedure call [RPC], SQL*Net, etc.)
by memorizing and constantly evaluating the state and progress of
each connection or transaction.
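"Memorizing and constantly evaluating the state and progress of each connection" is easiest to see next to the static IP filtering listed earlier in the section, which has no memory and must admit replies by port numbers alone. The block below is an added example, not code from the book: a toy stateful filter that tracks the TCP handshake and teardown and gives UDP a one-reply slot, run over a constructed packet trace alongside a stateless rule set. The internal address range, the policy ports and the trace are assumptions.

```python
"""Toy stateful packet filter with a static filter alongside for comparison.
Constructed example, not code from the book; the address range, policy
ports and packet trace are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed internal network
ALLOWED_TCP = {80, 443}             # policy: inside hosts may open web connections
ALLOWED_UDP = {53}                  # policy: inside hosts may send DNS queries


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                       # "tcp" or "udp"
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}


def static_decide(pkt):
    """Stateless rule set: replies can only be recognised by source port."""
    allowed = ALLOWED_TCP if pkt.proto == "tcp" else ALLOWED_UDP
    if ip_address(pkt.src) in INSIDE:
        return "ACCEPT" if pkt.dport in allowed else "DROP"
    return "ACCEPT" if pkt.sport in allowed else "DROP"   # any "reply" passes


class StatefulFilter:
    """Connection table keyed on (proto, inside ip, inside port, outside ip,
    outside port); inbound packets pass only if they match an entry."""

    def __init__(self):
        self.table = {}

    def decide(self, pkt):
        outbound = ip_address(pkt.src) in INSIDE
        key = ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        state = self.table.get(key)
        if pkt.proto == "tcp":
            return self._tcp(pkt, outbound, key, state)
        if pkt.proto == "udp":
            return self._udp(pkt, outbound, key, state)
        return "DROP"

    def _tcp(self, pkt, outbound, key, state):
        if state is None:
            # only an inside-initiated bare SYN to an allowed port creates state;
            # an unsolicited inbound SYN or bare ACK finds no entry and is dropped
            if outbound and pkt.flags == {"SYN"} and pkt.dport in ALLOWED_TCP:
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_SENT":
            if not outbound and pkt.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_RECV":
            if outbound and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED or CLOSING: data flows both ways. RST removes the entry at
        # once; the second FIN removes it (the final ACK is then dropped, a
        # simplification a real filter covers with a timeout).
        if "RST" in pkt.flags:
            del self.table[key]
        elif "FIN" in pkt.flags:
            if state == "CLOSING":
                del self.table[key]
            else:
                self.table[key] = "CLOSING"
        return "ACCEPT"

    def _udp(self, pkt, outbound, key, state):
        # no handshake: an allowed outbound datagram opens a slot for one reply
        if state is None:
            if outbound and pkt.dport in ALLOWED_UDP:
                self.table[key] = "REPLY_EXPECTED"
                return "ACCEPT"
            return "DROP"
        if not outbound:
            del self.table[key]
        return "ACCEPT"


# constructed trace: one web session, two unsolicited probes, one DNS exchange
TRACE = [
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, "tcp", frozenset({"SYN"})),
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, "tcp", frozenset({"SYN", "ACK"})),
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, "tcp", frozenset({"ACK"})),
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, "tcp", frozenset({"ACK", "PSH"})),
    Packet("198.51.100.7", 80, "10.1.1.9", 40001, "tcp", frozenset({"ACK"})),  # no session
    Packet("198.51.100.7", 80, "10.1.1.9", 40001, "tcp", frozenset({"SYN"})),  # inbound SYN
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, "tcp", frozenset({"FIN", "ACK"})),
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, "tcp", frozenset({"FIN", "ACK"})),
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, "tcp", frozenset({"ACK"})),  # after teardown
    Packet("10.1.1.5", 5000, "203.0.113.53", 53, "udp"),
    Packet("203.0.113.53", 53, "10.1.1.5", 5000, "udp"),
    Packet("203.0.113.53", 53, "10.1.1.5", 5000, "udp"),                         # second reply
]


def run_trace(packets=TRACE):
    """Return (stateful verdicts, static verdicts) for the same packet list."""
    f = StatefulFilter()
    return [f.decide(p) for p in packets], [static_decide(p) for p in packets]
```

Running `run_trace()` shows the difference in one line each: the stateless rule set accepts all twelve packets, because every inbound one carries source port 80 or 53, while the stateful filter drops the bare ACK and the SYN that belong to no inside-initiated connection, the ACK arriving after the session was torn down, and the second DNS "reply" for which no query is outstanding.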