Summary

A packet-filtering router is usually what’s referred to as a firewall. These routers have rules as to what is and is not allowed into a network on a service-by-service basis. Newer, more specialized firewalls on the market allow for NAT and SMLI, as well as better logging and reporting features than traditional packet-filtering routers.
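The two filtering styles named above, as an added illustration that is not from the book: a stateless packet-filtering router that can only match return traffic by port numbers and flags, beside an SMLI-style filter that remembers which connections inside hosts opened. All addresses, ports and the packet model are constructed for the example.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: addresses of the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False        # TCP ACK flag set

def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)

def stateless_allows(p: Packet) -> bool:
    """Service-by-service rules of a plain packet-filtering router.
    It keeps no memory of sessions, so replies to outbound web requests
    can only be recognised by their port numbers and flags."""
    if is_inside(p.src) and p.dport == 80:
        return True      # outbound HTTP request
    if not is_inside(p.src) and p.sport == 80 and p.dport > 1023 and p.ack:
        return True      # has the shape of an HTTP reply, whoever sent it
    return False         # default deny for everything else

class StatefulFilter:
    """SMLI-style filter: remembers connections opened from inside and
    admits an inbound packet only when it matches one of them."""
    def __init__(self) -> None:
        self.sessions = set()

    def allows(self, p: Packet) -> bool:
        if is_inside(p.src) and p.dport == 80:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        if not is_inside(p.src) and (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        return False

def verdicts(packets):
    """Run the same packet stream through both filters, in order."""
    sf = StatefulFilter()
    return [(stateless_allows(p), sf.allows(p)) for p in packets]

# Constructed traffic: a legitimate web session, then an unsolicited inbound
# packet that merely copies the port/flag shape of a reply.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80),            # request out
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, ack=True),  # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.9", 5631, ack=True),   # no such session
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, verdicts(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={stateless} stateful={stateful}")
```

The third packet is admitted by the port-only rules but refused by the stateful filter, which is the gap the newer SMLI firewalls in the summary close.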

Proxy servers differ from packet-filtering firewalls in that they’re not routers; they act as a workstation on the Internet, and they pass their results back to workstations inside your network. This makes for a bit more setup on the client end and has different troubleshooting characteristics than a plain router (you need to establish that routing to the device is okay for both networks as well as that the proxy service running on the proxy server is alive and configured properly). Because a proxy server, like a spy ring receptionist, has two separate “phone systems,” you sometimes need to log into the proxy server in order to troubleshoot it.

DNS can be a thorny issue; you’ll be well served figuring out what type of DNS resolution you have before you run into problems (so that you know how to verify DNS connectivity). Certain proxy servers will also proxy DNS resolution, making standard DNS troubleshooting tools unsuitable for troubleshooting Internet name resolution problems.

Workshop

Q&A

Q Our boss said to get a firewall, so we have one, and it seems reasonably good. Still, I’m concerned about the network internally, because we have lots of PCs with PC Anywhere that have arbitrary dial-in ports. I don’t have a lot of money to lock down our network, so I can’t invest in expensive network-monitoring programs or audit systems. What can I do?

A Security people like to refer to most corporate networks as “crunchy on the outside, chewy on the inside,” meaning that most folks simply do not invest the time in applying security patches for known security holes. If you’re interested in how to improve your security without spending megabucks, check out http://www.cert.org. Many vendor-related security alerts (and how to get fixes) are listed there. You should also make a concerted effort to learn as much as you can about network security policies. Good books on this topic include Cheswick & Bellovin’s Firewalls and Internet Security and Garfinkel and Spafford’s Practical UNIX Security.

Q My vendor says that its firewall isn’t a packet-filtering router or a proxy server. What’s up with that?

A I love vendors. They’re so funny sometimes. Here’s the deal: Packet-filtering routers got a really, really bad rap a couple of years ago when someone figured out how to fake them out. They received a lot of bad press. Therefore, advanced firewalls aren’t really considered to be packet-filtering routers anymore—even though they still route packets, they still deal with packets on a network level, and they still filter. Nor are they necessarily the ones with SMLI (which makes decisions on the application level). Still, if it walks like a duck…

Q Can’t my proxy server be compromised by all the bugs out there?

A Anything’s possible. Whether you have a proxy server or a firewall, stay in touch with your vendor and be sure to get security patches as they become available. In general, however, your proxy server should not be running other programs besides the proxy programs—unless you’re a security expert and can warrant that these other programs won’t put the server at risk.

Quiz

1.  What’s the difference between a proxy server and a packet-filtering router?
A.  Proxy servers filter on the network level, whereas routers filter on the application level.
B.  Proxy servers filter on the application level, whereas routers filter on the network level.
C.  Routers are security risks with improper configurations.
D.  Proxy servers are security risks with improper configurations.
2.  True or false? A proxy server is not considered “network glue.” Instead, it’s considered “just another server” (albeit a multihomed server).
3.  A packet-filtering router and a proxy server are both ________.
A.  users of Stateful Multi-Level Inspection
B.  multihomed
C.  security loopholes
D.  socket rockets
4.  TCP is ______________, and UDP is ___________.
A.  a pain to configure; wonderful
B.  problematic with government installations; okay with corporations
C.  easy; hard
D.  connection oriented; connectionless
5.  A proxy server can be overburdened by which of the following?
A.  Users asking it to proxy local LAN connections
B.  Users asking it to link to infrastructure valence
C.  Too much T1 traffic
D.  Too much searching on a Web site
6.  You can use normal DNS troubleshooting tools from within your network if which of the following statements is true?
A.  DNS is being routed through the local DNS servers
B.  DNS is being routed through the proxy server
C.  The router handles internal DNS requests
D.  The proxy server handles all DNS requests

Answers to Quiz Questions

1.  B
2.  True
3.  B
4.  D
5.  A
6.  A
