Welcome to Bucaro TecHelp!

Bucaro TecHelp
HTTPS Encryption not required because no account numbers or
personal information is ever requested or accepted by this site

About Bucaro TecHelp About BTH User Agreement User Agreement Privacy Policy Privacy Site Map Site Map Contact Bucaro TecHelp Contact RSS News Feeds News Feeds

Firewall Internet Security - The Basics of a Firewall

By Shaun Hummel

Firewalls

Enterprise companies today employ firewalls that do stateful inspection of sessions between external and internal hosts and devices. Cisco employs a patented ASA algorithm that utilizes source IP address, destination IP address, TCP sequence numbers, port numbers and TCP flags to examine and prevent unauthorized sessions. The firewall is configured with conduit statements to filter traffic by examining source/destination IP addresses, application port and protocol port before making a decision whether to permit or deny a session or specific traffic.

Firewalls are implemented at the company demilitarized zone (DMZ) which is located between the external network and the company internal network. Static routing is typically configured at the DMZ between firewalls and internal/external routers for improved security. This is to have greater control over route propagation than would be available with dynamic routing protocols such as RIP and EIGRP. Internal and DMZ (Public) servers would be configured to use the firewall as their default route to forward Internet traffic. If an internal router were available, servers would use that as their default gateway to forward Internet traffic.

The external router broadcasts a default route to the firewall that is used to forward traffic destined for the Internet. A conduit must be configured at the firewall for each protocol type that should be allowed through your firewall. For instance, if your company manages routers and servers across a firewall, you must configure a conduit for SNMP traffic to allow traps through the firewall. The conduit would specify the source address of the router which is sending SNMP traps, the destination address of the network management station that is receiving SNMP traps, and UDP 161 which is the UDP port number for sending SNMP traffic from managed devices to a network management station.

The firewall examines the end to end session connection and does a lookup of its conduit table to determine if a particular source address, destination address, protocol port or application port is allowed through. The packet is discarded or allowed through on to the company network (inside) or Internet depending upon the conduit statements configured.

TACACS Server

This is a TCP service running on a designated Unix server that authenticates employees attempting to access a router. The routers must be configured to send a request to the TACACS server when someone attempts to logon to a router. The router prompts the user for a username/password pair and sends that to the TACACS server for authentication. TACACS servers are implemented with VPN services as well to authenticate remote users before allowing that session to continue with network authentication to Windows Server, Unix or Mainframe authentication and authorization.

RADIUS Server

This is a UDP service running on a designated network server that authenticates employees attempting to access a router. The routers must be configured to send a request to the RADIUS server when someone attempts to logon to a router. The router prompts the user for a username/password pair and sends that to the RADIUS server for authentication. RADIUS servers are implemented with VPN services as well to authenticate remote users before allowing that session to continue with network authentication to Windows Server, Unix or Mainframe authentication and authorization.

Shaun Hummel is the author of Cisco Wireless Network Design Guide and has a web site focused on information technology solutions, online technical interviews and certifications.

More Network Security Articles:
• Detecting Network Sniffers
• ARP, MAC, Poisoning, and WiFi Security
• How Snort's Stealth TCP Port Scanning Works
• Secure, Network Compliant BYOD (Bring Your Own Device) Solutions
• Designing Physical Network Security
• Prevent Hacking with Password-Cracking Countermeasures
• The Basics of Network Security
• How to Use the Open Source Intrusion Detection System SNORT
• How a Firewall Provides Network Security
• Are You Meeting ISO 27000 Standards for Information Security Management?
Menu - More
Network Security

RSS Feed RSS Feed

Follow Stephen Bucaro Follow @Stephen Bucaro


Computer Networking Sections

Fire HD
[Site User Agreement] [Privacy Policy] [Site map] [Search This Site] [Contact Form]
Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268