Lecture 18: Network Security #1

Real World Firewall Systems

Most installations combine both circuit level and application gateways, using the DMZ model of the previous slides. As mentioned, this implies the use of routers which can be configured to do packet filtering on IP addresses and/or TCP connections.

The bastion host normally runs, for example, the organisation's WWW server, its FTP server (if applicable) and any other public information services. It also usually acts as an email gateway. The WWW server usually is configured as a proxy for the hosts connected to the internal LANs (the Intranet). It may also perform a similar function for other services such as FTP.

This type of structure can be very effective, combining many of the best characteristics of all of the other types. However, the gateway system must usually be a general-purpose timeshared (and therefore Unix) system, which raises doubts about the safety and reliability of the proxy software processes. This is not a solved problem, for obvious reasons.

Although... Highly secure versions of Unix for just such applications are now said to be available.

previous | start | next