Page 138 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy




9.5 Screening Routers

A screening router is a fundamental part of most firewalls. A screening router can be a commercial router or a host-based router with some sort of packet filtering capability. Typical screening routers have the ability to block traffic between networks or between specific hosts at the IP port level. Some firewalls consist of nothing more than a screening router between a private network and the Internet.

Many networks are firewalled by means of only a screening router between the private network and the Internet. This type of firewall differs from a screened host gateway in that direct communication is typically allowed between multiple hosts on the private network and multiple hosts on the Internet. The zone of risk is equal to the number of hosts on the private network, and the number and type of services to which the screening router allows traffic. For each service provided via a peer-to-peer connection, the size of the zone of risk increases sharply; ultimately it becomes impossible to quantify. Damage control is hard as well, because the network administrator would need to examine every host regularly for traces of a break-in. If there is no regular audit, one must hope to stumble upon a clue.


                                          Example: A mismatched system accounting record.
In the case of a complete compromise of the firewall, it tends to be very difficult to trace or even to detect. If a commercial router (which does not keep logging records) is used and the router's administrative password is compromised, the whole private network can be laid open to attack very easily. Cases are known where commercial routers have been configured with erroneous screening rules, or have come up in some pass-through mode due to hardware or operator error. Usually, this configuration is a case of "That which is not specifically prohibited is allowed", as an ingenious user can fairly easily piggyback protocols to attain a higher level of access than the administrator expects or wants.

Screening routers are not the most secure solution, but they are popular because they permit fairly free Internet access from any point inside the private network. Many consultants and network service providers deploy screening routers in a "firewall" configuration.
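The two stances the section contrasts, "that which is not specifically prohibited is allowed" (a default-allow rule set) and the safer default-deny rule set, can be modelled with a small packet-filter simulation. The following is an added example written for this page, not code from the textbook or from any router vendor; the rule fields (protocol, source network, destination network, destination port), the RFC 5737 documentation addresses used for the private network and the outside host, and the "zone of risk" count (reachable host/port pairs, a crude stand-in for the hosts-times-services measure described above) are all constructed assumptions.

```python
"""Toy model of a screening router's packet filter (added example, not the
textbook's code). First matching rule wins; the default policy decides the
rest. Compares a default-allow configuration with a default-deny one."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[str]   # None matches any protocol
    src_net: str           # CIDR the source must fall in
    dst_net: str           # CIDR the destination must fall in
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


class ScreeningRouter:
    """Evaluates rules in order; unmatched packets get the default policy."""

    def __init__(self, rules, default: str):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed sample networks (RFC 5737 documentation ranges, assumption).
PRIVATE = "192.0.2.0/24"      # the private network behind the router
INTERNET = "0.0.0.0/0"        # everything, including the outside
MAIL_HOST = "192.0.2.25/32"
WEB_HOST = "192.0.2.80/32"

# Weak configuration: only telnet is explicitly prohibited; everything
# else is allowed ("that which is not specifically prohibited is allowed").
permissive_router = ScreeningRouter(
    [Rule("deny", "tcp", INTERNET, PRIVATE, 23)], default="allow")

# Corrected configuration: only the intended services are listed, and
# everything not explicitly allowed is dropped.
restrictive_router = ScreeningRouter(
    [Rule("allow", "tcp", INTERNET, MAIL_HOST, 25),
     Rule("allow", "tcp", INTERNET, WEB_HOST, 80)], default="deny")

# Constructed sample traffic arriving from an outside host.
INBOUND_SMTP = Packet("tcp", "198.51.100.7", "192.0.2.25", 25)
INBOUND_TELNET = Packet("tcp", "198.51.100.7", "192.0.2.10", 23)
INBOUND_UNLISTED = Packet("tcp", "198.51.100.7", "192.0.2.10", 6000)


def compare(pkt: Packet) -> tuple:
    """Decision of (permissive, restrictive) router for one packet."""
    return permissive_router.decide(pkt), restrictive_router.decide(pkt)


def zone_of_risk(router: ScreeningRouter, hosts, ports,
                 proto: str = "tcp", outside: str = "198.51.100.7") -> int:
    """Count (host, port) pairs reachable from outside: a crude proxy for
    the zone of risk, which grows with hosts times permitted services."""
    return sum(1 for h in hosts for p in ports
               if router.decide(Packet(proto, outside, h, p)) == "allow")


if __name__ == "__main__":
    for name, pkt in [("smtp", INBOUND_SMTP), ("telnet", INBOUND_TELNET),
                      ("unlisted", INBOUND_UNLISTED)]:
        print(name, compare(pkt))
    hosts = [f"192.0.2.{i}" for i in range(1, 255)]
    ports = [22, 23, 25, 80, 6000]
    print("zone of risk, default allow:", zone_of_risk(permissive_router, hosts, ports))
    print("zone of risk, default deny :", zone_of_risk(restrictive_router, hosts, ports))
```

The unlisted service (TCP port 6000 to an arbitrary workstation) passes the permissive router and is dropped by the restrictive one; over the same 254 hosts and five ports the permissive configuration exposes 1016 host/port pairs against 2 for the default-deny configuration, which is the growth in the zone of risk the section describes.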





Notes  It is uncertain whether the various trade-offs involved are clear to the customer; therefore the use of a screening router to protect sensitive information or trade secrets is not recommended, since screening routers are very permeable from within.

                                   Self Assessment

Fill in the blanks:
10.  A ........................ can be a commercial router or a host-based router with some sort of packet filtering capability.
11.  Many networks are firewalled by means of only a screening router between the ........................ network and the Internet.

                                   9.6 Application Level Firewalls


An application gateway is an application program that runs on a firewall system between two networks. It is also known as an application proxy or an application-level firewall. When a client program establishes a connection to a destination service, it connects to an application gateway,


132 LOVELY PROFESSIONAL UNIVERSITY