A packet-filtering router is usually what's referred to as a firewall. These routers have rules as to what is and is not allowed into a network on a service-by-service basis. Newer, more specialized firewalls on the market allow for NAT and SMLI, as well as better logging and reporting features than traditional packet-filtering routers.
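The service-by-service rules a packet-filtering router applies can be shown in a few lines of code. The following is an added example, not code from the book or from any router vendor: a toy inbound ruleset for an imaginary network in the 192.0.2.0/24 documentation range (all addresses, ports and rule comments are constructed), evaluated the way a filtering router does it, with the first matching rule deciding and anything no rule allows being dropped. The audit log it keeps is the kind of record the text says newer firewalls report on.

```python
"""Toy packet filter: first matching rule wins, everything else is denied.
All addresses and rules below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port, i.e. the service being asked for


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: Optional[str]        # None matches any protocol
    src_net: str                # CIDR the source address must fall in
    dst_net: str                # CIDR the destination address must fall in
    dport: Optional[int]        # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and ip_address(pkt.src) in ip_network(self.src_net)
            and ip_address(pkt.dst) in ip_network(self.dst_net)
        )


# Constructed inbound ruleset for an imaginary 192.0.2.0/24 internal network:
# only three services are reachable from outside, each on one host only.
INBOUND_RULES: List[Rule] = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25, "SMTP to the mail relay only"),
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.80/32", 80, "HTTP to the public web server"),
    Rule("allow", "udp", "0.0.0.0/0", "192.0.2.53/32", 53, "DNS queries to the public name server"),
    Rule("deny",  "tcp", "0.0.0.0/0", "192.0.2.0/24", 23, "telnet is never accepted from outside"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = INBOUND_RULES,
                  log: Optional[List[str]] = None) -> str:
    """Return "allow" or "deny" for one inbound packet.

    The first matching rule decides.  A packet that matches nothing is denied
    (default deny), which is what keeps a service-by-service policy safe when
    somebody inside starts a new listening service nobody wrote a rule for."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            if log is not None:
                log.append(f"rule {idx} {rule.action}: {pkt.proto}/{pkt.dport} "
                           f"{pkt.src} -> {pkt.dst} ({rule.comment})")
            return rule.action
    if log is not None:
        log.append(f"default deny: {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst} (no rule)")
    return "deny"


if __name__ == "__main__":
    audit: List[str] = []
    for p in (
        Packet("198.51.100.7", "192.0.2.25", "tcp", 25),   # mail to the relay: allowed
        Packet("198.51.100.7", "192.0.2.10", "tcp", 25),   # mail to a workstation: no rule
        Packet("198.51.100.7", "192.0.2.10", "tcp", 23),   # telnet: explicit deny
        Packet("198.51.100.7", "192.0.2.10", "tcp", 1999), # unknown service: default deny
    ):
        filter_packet(p, log=audit)
    print("\n".join(audit))
```

The explicit telnet rule at the end is redundant under default deny; it is there for the same reason real rulesets carry such lines, so that the log says why the packet was dropped rather than only that no rule matched.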
Proxy servers differ from packet-filtering firewalls in that they're not routers; they act as a workstation on the Internet, and they pass their results back to workstations inside your network. This makes for a bit more setup on the client end and has different troubleshooting characteristics than a plain router (you need to establish that routing to the device is okay for both networks as well as that the proxy service running on the proxy server is alive and configured properly). Because a proxy server, like a spy ring receptionist, has two separate phone systems, you sometimes need to log into the proxy server in order to troubleshoot it.
DNS can be a thorny issue; you'll be well served figuring out what type of DNS resolution you have before you run into problems (so that you know how to verify DNS connectivity). Certain proxy servers will also proxy DNS resolution, making standard DNS troubleshooting tools unsuitable for troubleshooting Internet name resolution problems.
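The two proxy checks described above (is routing to the proxy host okay, and is the proxy service itself alive) can be separated with a plain TCP connect from an inside workstation. The following is an added example, not code from the book: `check_proxy_service` classifies the outcome, and the "proxy" it is run against is a constructed loopback listener so the whole thing runs on one machine. The DNS-proxying case from the last sentence is not covered here.

```python
"""Tell "can't reach the proxy host" apart from "proxy service is down".
The listener below is a constructed stand-in for a live proxy service."""
import socket
import threading


def check_proxy_service(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify what an inside client sees when it tries the proxy port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"                # routing works and the proxy service answered
    except ConnectionRefusedError:
        return "service-down"          # host reachable, nothing listening: look at the proxy process
    except OSError:
        return "unreachable"           # timeout, no route, host down: look at routing first


def start_fake_proxy() -> int:
    """Constructed stand-in for a live proxy: accept one connection on loopback.
    Returns the ephemeral port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Find a loopback port nothing is listening on, to stage the service-down case."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    live = start_fake_proxy()
    print("live proxy port", live, "->", check_proxy_service("127.0.0.1", live))
    dead = closed_loopback_port()
    print("closed port", dead, "->", check_proxy_service("127.0.0.1", dead))
```

Run the same check from a host on each of the proxy's two networks: a refusal from both sides points at the proxy process, while "unreachable" from one side only points at routing on that side.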
Q Our boss said to get a firewall, so we have one, and it seems reasonably good. Still, I'm concerned about the network internally, because we have lots of PCs with PC Anywhere that have arbitrary dial-in ports. I don't have a lot of money to lock down our network, so I can't invest in expensive network-monitoring programs or audit systems. What can I do?
A Security people like to refer to most corporate networks as "crunchy on the outside, chewy on the inside," meaning that most folks simply do not invest the time in applying security patches for known security holes. If you're interested in how to improve your security without spending megabucks, check out http://www.cert.org. Many vendor-related security alerts (and how to get fixes) are listed there. You should also make a concerted effort to learn as much as you can about network security policies. Good books on this topic include Cheswick & Bellovin's Firewalls and Internet Security and Garfinkel and Spafford's Practical UNIX Security.
Q My vendor says that its firewall isn't a packet-filtering router or a proxy server. What's up with that?
A I love vendors. They're so funny sometimes. Here's the deal: Packet-filtering routers got a really, really bad rap a couple of years ago when someone figured out how to fake them out. They received a lot of bad press. Therefore, advanced firewalls aren't really considered to be packet-filtering routers anymore, even though they still route packets, they still deal with packets on a network level, and they still filter. Also, they're not particularly the ones with SMLI (which make decisions on the application level). Still, if it walks like a duck...
Q Can't my proxy server be compromised by all the bugs out there?
A Anything's possible. Whether you have a proxy server or a firewall, stay in touch with your vendor and be sure to get security patches as they become available. In general, however, your proxy server should not be running other programs besides the proxy programs, unless you're a security expert and can warrant that these other programs won't put the server at risk.