Bucaro TecHelp

Firewall Internet Security - The Basics of a Firewall

Firewalls

Enterprise firewalls today perform stateful inspection of sessions between external and internal hosts and devices. Cisco's patented ASA (Adaptive Security Algorithm) uses the source IP address, destination IP address, TCP sequence numbers, port numbers and TCP flags to examine sessions and block unauthorized ones. The firewall is configured with conduit statements that filter traffic by source and destination IP address, application port and protocol before deciding whether to permit or deny a session or specific traffic.

Firewalls are implemented at the company demilitarized zone (DMZ), which sits between the external network and the company's internal network. Static routing is typically configured at the DMZ between the firewalls and the internal/external routers for improved security: it gives greater control over route propagation than dynamic routing protocols such as RIP and EIGRP would. Internal and DMZ (public) servers would be configured to use the firewall as their default gateway for Internet-bound traffic; if an internal router were available, servers would use that as their default gateway instead.

The external router advertises a default route to the firewall, which is used to forward traffic destined for the Internet. A conduit must be configured at the firewall for each protocol type that should be allowed through. For instance, if your company manages routers and servers across a firewall, you must configure a conduit for SNMP traffic to allow traps through the firewall. The conduit would specify the source address of the router sending SNMP traps, the destination address of the network management station receiving them, and UDP 161, which is the UDP port number for sending SNMP traffic from managed devices to a network management station.

The firewall examines the end-to-end session and looks up its conduit table to determine whether a particular source address, destination address, protocol or application port is allowed through. The packet is discarded or forwarded on to the company network (inside) or the Internet depending on the conduit statements configured.
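As an added illustration (not Cisco's implementation, and not code from the original article), here is a small Python model of the behaviour described above: a conduit table evaluated first-match with an implicit deny at the end, plus a session table so that replies to connections opened from inside are permitted while unsolicited inbound packets are not. It assumes, as on a PIX-style firewall, that traffic initiated from the inside is permitted by default and conduits only govern what may be initiated from outside. All addresses and ports are constructed sample values. Note that SNMP polling uses UDP 161 while traps are sent to UDP 162, so the trap scenario below shows a conduit written for 161 alone failing to pass a trap; that is the kind of mismatch a rule review should catch.

```python
"""Added model of conduit-based filtering with a session table.
Illustration only: not Cisco code; all addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    direction: str = "inbound"  # "inbound" = from the Internet, "outbound" = from inside


@dataclass(frozen=True)
class Conduit:
    """One conduit statement: permit/deny a protocol from a source network to a
    destination network, optionally restricted to a destination port."""
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # CIDR, e.g. "198.51.100.1/32"
    dst: str
    dport: Optional[int] = None # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    def __init__(self, conduits):
        self.conduits = list(conduits)
        # (proto, inside_ip, inside_port, outside_ip, outside_port) of sessions opened from inside
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "outbound":
            # Inside hosts may initiate; remember the session so its replies can return.
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Inbound: is this a reply to a session an inside host opened?
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                return "deny"   # a bare SYN is a new connection, not a reply to ours
            return "permit"
        # Otherwise the conduit table decides: first match wins, implicit deny at the end.
        for conduit in self.conduits:
            if conduit.matches(pkt):
                return conduit.action
        return "deny"


def run_demo() -> Dict[str, str]:
    """Constructed traffic run through a two-conduit policy; returns each verdict."""
    fw = Firewall([
        # Conduit as worded in the text: SNMP from the managed router to the NMS on UDP 161.
        Conduit("permit", "udp", "198.51.100.1/32", "172.16.0.10/32", 161),
        # Public web server in the DMZ reachable from anywhere on HTTPS.
        Conduit("permit", "tcp", "0.0.0.0/0", "172.16.0.80/32", 443),
    ])
    r = {}
    # An inside client opens an HTTPS session; the server's SYN/ACK is a reply and returns.
    fw.check(Packet("172.16.0.20", "203.0.113.5", "tcp", 51000, 443, syn=True, direction="outbound"))
    r["reply_to_inside_client"] = fw.check(Packet("203.0.113.5", "172.16.0.20", "tcp", 443, 51000, syn=True, ack=True))
    # Unsolicited SSH attempt at an inside host: no session, no conduit, implicit deny.
    r["unsolicited_ssh"] = fw.check(Packet("203.0.113.5", "172.16.0.20", "tcp", 40000, 22, syn=True))
    # SNMP as the conduit is written (UDP 161) versus an actual trap (UDP 162).
    r["snmp_to_nms_udp161"] = fw.check(Packet("198.51.100.1", "172.16.0.10", "udp", 50000, 161))
    r["snmp_trap_udp162"] = fw.check(Packet("198.51.100.1", "172.16.0.10", "udp", 50001, 162))
    # Anyone may open HTTPS to the public server.
    r["public_https"] = fw.check(Packet("203.0.113.9", "172.16.0.80", "tcp", 41000, 443, syn=True))
    # A SYN arriving on a known session's 5-tuple is not a reply; the flag check rejects it.
    r["syn_into_existing_session"] = fw.check(Packet("203.0.113.5", "172.16.0.20", "tcp", 443, 51000, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} {verdict}")
```

The session table is what makes the model stateful: nothing about the SYN/ACK from 203.0.113.5 appears in the conduit table, yet it is permitted because an inside host opened that exact 5-tuple first. A real ASA additionally tracks sequence numbers and connection state transitions; the flag check here stands in for that.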

TACACS Server

TACACS is a TCP service running on a designated Unix server that authenticates employees attempting to access a router. The routers must be configured to send a request to the TACACS server when someone attempts to log on to a router. The router prompts the user for a username/password pair and forwards it to the TACACS server for authentication. TACACS servers are also deployed with VPN services to authenticate remote users before the session is allowed to continue to network authentication and authorization against Windows Server, Unix or mainframe systems.

RADIUS Server

RADIUS is a UDP service running on a designated network server that authenticates employees attempting to access a router. The routers must be configured to send a request to the RADIUS server when someone attempts to log on to a router. The router prompts the user for a username/password pair and forwards it to the RADIUS server for authentication. RADIUS servers are also deployed with VPN services to authenticate remote users before the session is allowed to continue to network authentication and authorization against Windows Server, Unix or mainframe systems.
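The router-to-server exchange described in the TACACS and RADIUS sections above, as an added example that is not code from the article or from any vendor: a minimal RADIUS client (the router side) and server in Python following the RFC 2865 packet format, including the User-Password hiding and the Response Authenticator that let the router send the password without exposing it in the clear and tell a genuine reply from a forged one. User names, passwords, identifiers and the shared secret are constructed sample values. RADIUS authentication runs over UDP 1812 (1645 on older deployments); TACACS+ runs over TCP 49 and, unlike RADIUS, encrypts the whole packet body rather than only the password attribute, which is why the User-Name below travels in cleartext while the password does not.

```python
"""Added illustration of the router <-> RADIUS server exchange (RFC 2865 framing).
Not code from the article or from any vendor; names, passwords and the shared
secret are constructed sample values."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # attribute types
HEADER = struct.Struct("!BBH")   # code, identifier, length; a 16-byte authenticator follows


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding used for every RADIUS attribute."""
    return bytes([attr_type, 2 + len(value)]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by the server; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def router_access_request(user: bytes, password: bytes, secret: bytes,
                          ident: int = 1, request_auth: Optional[bytes] = None) -> bytes:
    """Router side: build the Access-Request the router sends after prompting the user."""
    request_auth = request_auth or os.urandom(16)   # fresh random nonce per request
    attrs = _attr(ATTR_USER_NAME, user) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = HEADER.unpack_from(packet)
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    presented = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    good = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME], b""), presented)
    head = HEADER.pack(ACCESS_ACCEPT if good else ACCESS_REJECT, ident, 20)  # no reply attributes
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + secret).digest()


def router_verify_response(response: bytes, request: bytes, secret: bytes) -> Tuple[bool, int]:
    """Router side: accept the reply only if its authenticator binds it to our request."""
    code, ident, length = HEADER.unpack_from(response)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    authentic = hmac.compare_digest(response[4:20], expected) and ident == request[1]
    return authentic, code


if __name__ == "__main__":
    secret = b"sharedkey"                       # constructed; never reuse a sample secret
    req = router_access_request(b"alice", b"s3cret", secret, ident=7)
    resp = server_handle(req, secret, {b"alice": b"s3cret"})
    print(router_verify_response(resp, req, secret))   # (True, 2) -> authentic Access-Accept
```

Two points worth noticing from running it: the shared secret is all that protects the password hiding and the reply authenticator, so a server configured with the wrong secret both fails to recover the password (and rejects) and produces a reply the router refuses to trust; and MD5-based hiding with no integrity over the request is why RADIUS is normally confined to a trusted management network or wrapped in TLS or IPsec.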


Shaun Hummel is the author of Cisco Wireless Network Design Guide and has a web site focused on information technology solutions, online technical interviews and certifications.


Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268