SECURITY IMPROVEMENT MODULE
CMU/SEI-SIM-008
Deploying Firewalls
William Fithen
Julia Allen
Ed Stoner
May 1999
[...]... firewall architectures and their pros and cons can be found in Firewalls and Internet Security [Cheswick 94], Building Internet Firewalls [Chapman 95], Firewalls Complete [Goncalves 98], “Firewalls fend off invasions from the Net.” [Lodin 98], and Internet Security Policy: A Technical Guide [NIST 98].

Perform architectural trade-off analysis

Firewalls are typically thought of in their restrictive or protective...

... pros and cons of each can be found in Firewalls and Internet Security [Cheswick 94], Building Internet Firewalls [Chapman 95], Firewalls Complete [Goncalves 98], Third Annual Firewall Industry Guide [ICSA 98], and Internet Security Policy: A Technical Guide [NIST 98]. A recent summary of thirteen vendor firewall products and the functions they support can be found in “Firewalls Market Survey” [SC 99].

... Bellovin, Steven M. Firewalls and Internet Security. Reading, MA: Addison-Wesley, 1994.

[Chapman 95] Chapman, D. Brent & Zwicky, Elizabeth D. Building Internet Firewalls. Sebastopol, CA: O’Reilly & Associates, 1995.

[Cooper 97] Cooper, Deborah & Pfleeger, Charles. “Firewalls: An Expert Roundtable.” IEEE Software, New York, NY: IEEE, September/October 1997.

[Goncalves 98] Goncalves, Marcus. Firewalls Complete...

... mailing list archive maintained by Gnac at http://lists.gnac.net/firewalls/. This site includes a link to the Internet Firewalls FAQ (frequently asked questions). Check the COAST (Computer Operations, Audit, and Security Technology) website at Purdue University. Firewall-related materials can be found at http://www.cs.purdue.edu/coast/firewalls/fw-body.html. The site contains references for relevant books,...
the other, and the DMZ between, traffic between the internal network and the Internet must traverse two firewalls and the DMZ. In each of these architectures, firewalls are used to control access at the border of your network mainly for the purpose of protecting your network from an untrusted network. Firewalls deployed entirely within your network can also be used to provide mutual protection among subnets...

... filtering firewall products have gained some of the features of application proxies and are generally referred to as stateful inspection packet filters. See Building Internet Firewalls [Chapman 95], Firewalls Complete [Goncalves 98], and “Firewalls fend off invasions from the Net.” [Lodin 98] for a more detailed explanation of the different types of firewall functions. There are good reasons to use both packet...

... they protect your network from the Internet or they restrict access to your network from the Internet. In today’s Internet-enabled organizations, firewalls are more frequently thought of as safely empowering the organization to interact with the Internet. As such, firewalls are very much part of an organization’s mission-critical infrastructure and they need to be designed accordingly...

... when you are deploying a new firewall system. There are a range of choices you need to evaluate in order to determine your requirements for these information sources.

Why this is important

How to do it

If you are unfamiliar with the technologies that make up your new firewall, you are likely to make potentially costly mistakes. This can cause delays in all aspects of installing, configuring, deploying,...
http://csrc.nist.gov/isptg

[Power 99] Power, Richard. “1999 CSI/FBI Computer Crime and Security Survey.” Computer Security Journal, Volume XV, Number 2. San Francisco, CA: Computer Security Institute, 1999.

[SC 99] “Firewalls Market Survey.” SC Magazine. Framingham, MA: West Coast Publishing, Inc., April, 1999. Available at http://www.infosecnews.com.

Specific firewall technologies:

[Avolio 98] Avolio, Blask "Application...

... number of commonly deployed architectures. They are presented in order of increasing effectiveness.

Basic border firewall (See figure 1-4 at the end of this section.)

This is the starting point for all firewalls. A basic border firewall is a single host interconnecting an organization’s internal network and some untrusted network, typically the Internet. In this configuration, the single host provides...