1.5 Enhanced privacy
Privacy is of great concern to certain sites, because what would
normally be considered innocuous information might actually contain
clues that would be useful to an attacker. Using a firewall, some sites
want to block services such as finger and Domain Name Service
(DNS). Finger displays information about users such as their last
login time and whether they’ve read mail and other items. However,
finger could leak information to attackers about how often a system
is used, whether the system has active users connected, and whether
the system could be attacked without drawing attention.
Firewalls can also be used to block DNS information about site
systems, making the names and IP addresses of site systems unavailable
to Internet hosts. Some site administrators feel that by blocking this
information, they are hiding information that would otherwise be
useful to attackers.
1.5.1 Logging and statistics on network use and misuse
If all access to and from the Internet passes through a firewall, the
firewall can log accesses and provide valuable statistics about network
usage. A firewall, with appropriate alarms that sound when suspicious
activity occurs, can also provide details on whether the firewall
and network are being probed or attacked.
It is important to collect network usage statistics and evidence of
probing for a number of reasons. Of primary importance is knowing
whether the firewall is withstanding probes and attacks and determining
whether the controls on the firewall are adequate. Network
usage statistics are also important as input into network requirements
studies and risk analysis activities.
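
The following Python example is added here for illustration and is not from the book. It computes usage statistics from firewall log lines, counts blocked finger and DNS attempts, and raises a probe alarm for any source denied on several distinct targets. The log format, the sample lines, the names, and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in a hypothetical format (an assumption, not a real product's):
# <time> <ACTION> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
09:00:01 ALLOW tcp 192.0.2.10:40112 -> 198.51.100.5:25
09:00:03 DENY tcp 203.0.113.7:51000 -> 198.51.100.5:79
09:00:04 DENY tcp 203.0.113.7:51001 -> 198.51.100.5:23
09:00:04 DENY tcp 203.0.113.7:51002 -> 198.51.100.5:111
09:00:05 DENY udp 203.0.113.7:51003 -> 198.51.100.6:53
09:00:09 ALLOW tcp 192.0.2.44:40200 -> 198.51.100.5:80
09:00:12 DENY tcp 192.0.2.99:40300 -> 198.51.100.5:79
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (tcp|udp) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
# Services that section 1.5 says some sites block for privacy.
PRIVACY_PORTS = {79: "finger", 53: "dns"}

def analyze(log_text, probe_threshold=3):
    """Return usage statistics and probe alarms from firewall log text."""
    actions = Counter()                 # ALLOW/DENY totals (usage statistics)
    privacy_denies = Counter()          # blocked finger/DNS attempts
    denied_targets = defaultdict(set)   # src -> distinct (dst, port) denied
    skipped = 0                         # unparseable lines, reported not hidden
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        _, action, _, src, _, dst, dport = m.groups()
        dport = int(dport)
        actions[action] += 1
        if action == "DENY":
            denied_targets[src].add((dst, dport))
            if dport in PRIVACY_PORTS:
                privacy_denies[PRIVACY_PORTS[dport]] += 1
    # Alarm: one source denied on many distinct targets looks like probing.
    alarms = sorted(src for src, targets in denied_targets.items()
                    if len(targets) >= probe_threshold)
    return {"actions": dict(actions), "privacy_denies": dict(privacy_denies),
            "alarms": alarms, "skipped": skipped}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Counting skipped lines matters in practice: a rising number of unparseable entries can mean the log format changed and the alarm logic is no longer seeing traffic.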
1.5.2 Policy enforcement
Lastly, but perhaps most importantly, a firewall provides the means
for implementing and enforcing a network access policy. In effect, a
firewall provides access control to users and services. Thus, a
network access policy can be enforced by a firewall, whereas without
a firewall, such a policy depends entirely on the cooperation of
users. A site may be able to depend on its own users for their