Defensive measures

It is generally agreed that network security is best improved by isolating internal networks, to some degree, from publicly accessible networks. Trusted-system principles are applied, whereby hierarchies of trust are used to determine which sites, users, and so on are allowed access to a local network and what sort of access is permitted.

Packet filtering is a means of restricting incoming and outgoing data according to where it is coming from or going to. Data from certain sources can be rejected. Data going to certain destinations can be stopped. Certain source/destination combinations can be configured as undesirable, and communication between them prevented.

Firewall systems are a way in which a local network can be partially separated from wider networks. They involve the use of a separate firewall computer, or set of computers, which acts as the gateway for all traffic between the local network and the wider world, in both directions. All communication passes through the gateway, which is set up to perform various checks and labelling operations on it.

Proxy servers are widely used on firewall machines to provide access to outside services for machines inside the firewall without allowing unwanted inward traffic. Proxies also preserve the anonymity of machines protected by the firewall. Where all outgoing requests from a local network are routed via a proxy server, the remote host will only see the request as coming from the proxy and will not be able to determine its precise origin within the local network.

It is a sound general principle to ensure that only the services you actively want to provide are actually being provided. Unless you specifically want to offer services such as TELNET, rlogin and finger, it is as well to disable them.
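The packet-filtering rules described above (reject by source, stop by destination, block an undesirable source/destination pair, and default-deny everything that is not a service you intend to offer) can be modelled as an ordered, first-match rule list. The following is an added example, not code from the book; the addresses, ports and rule set are constructed, with 192.0.2.0/24 standing in for the local network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # source network, default: any
    dst: str = "0.0.0.0/0"      # destination network, default: any
    dport: Optional[int] = None  # None matches any port
    note: str = ""              # human-readable reason, for logging

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set for a firewall protecting 192.0.2.0/24.
# Order matters: the first matching rule decides, and anything that
# matches no rule is denied (only services we intend to offer pass).
RULES: Sequence[Rule] = (
    Rule("deny", src="198.51.100.0/24", note="rejected source network"),
    Rule("deny", dst="192.0.2.250/32", note="internal host not reachable from outside"),
    Rule("deny", src="203.0.113.0/24", dst="192.0.2.10/32",
         note="undesirable source/destination combination"),
    Rule("allow", dst="192.0.2.10/32", dport=80, note="public web server"),
)


def filter_packet(pkt: Packet, rules: Sequence[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for the first rule that matches, else default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "default policy: service not offered"


if __name__ == "__main__":
    for pkt in (Packet("100.64.1.2", "192.0.2.10", 80),    # web: allowed
                Packet("100.64.1.2", "192.0.2.10", 23),    # telnet: not offered
                Packet("203.0.113.5", "192.0.2.10", 80)):  # blocked pair
        print(pkt, "->", filter_packet(pkt))
```

Note that because TELNET (23), rlogin (513) and finger (79) have no allow rule, they fall through to the default deny even when aimed at the web server.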
Spinning the Web by Andrew Ford
Copyright © 1996-2002 Ford & Mason Ltd