hanslux Logo 

Costreduction with Linux and OpenSource-Software

Services for Computer, Networks and IT-Security

Consulting, Security Concepts and Training

_Home ] _Services ] _Training ] _OpenSource ] _Wellknown OpenSource Projects ] _Security Goals ] _Security Concepts ] _Documents ] _Impressum ]
Wellknown OpenSource Projects
Security Goals
Security Concepts
Proxy Server
Virus Protection
Demilitarized Zone
Diese Seiten in deutscher Sprache

Technical Realisation of Security Concepts

The techniques described here are only a small selection of what is useful and possible to enhance the security of a private intranet connected to the threats of the public internet.



The item Firewall often designates two things: on one hand it means the whole security infrastructure as we describe it under demilitarized Zone, on the other hand a Firewall is simply a packet filter as it is realized with iptables. iptables is able to analyse the data packets of the Internet Protokoll (IP) about the attributes of the header and to apply certain rules to the packet. These rules allow to let a packet pass (ACCEPT), to throw it away (DROP) or to return it (REJECT). Furtheron rules can determine if a packet gets logged in a file (LOG).
This firewall acts as a packet filter between two networks, usually the public internet and a private network to be protected.
Another important capability of iptables is the use of modified filter rules depending on the state of a connection, named stateful inspection. This capability is used on protocolls which open child connections which get other rules applied then the parent connection.



Masquerading is a function of the packet filter iptables, too. When a firewall computer stands between a private network and the internet, it replaces the private address of the initiating computer with its own public IP-adress and keeps in mind to which address this packet was sent to. When the answer arrives the destination address will be replaced by the private address of the initiating computer to be sent to this client. This function is also called Network Address Translation (NAT).
The public internet only can see the firewall machine, all packets it sends carry its source address even they have been initiated by a computer in the intranet behind. The computers in the private network are hidden behind the firewall like under a mask.



The item Proxy means deputy and that is its task between intranet and internet.
When a client in the private network wants to see a webpage in the internet it tells its request to the proxyserver. This deputy now sends the request for the pages to the webserver in the public network in place of the originator in the private network. The proxy also receives the answer, the requested webpages, and hands them over to the private client. The data connections run from the client to the proxy and from the proxy to the webserver, but from the client it looks like as if it is a direct connection from client to webserver.
The main advantage is that there is no direct connection between client and server and the transfered contents can be analysed, e.g. to find virusses in the data. Disadvantage is that all client computers have to be configured for the proxy and that not all internet services are able to run over a proxyserver. These need extra treatment.


Virus Protection

The best protection against virusses is to veto all communication to other computers. Then no virusses can intrude, requiring there is no floppy drive and no CDROM or DVD drive. But now the computer seems to be completely unusable for the tasks we need it for. With the information from the internet and the communication over email and more the work on the computer will generate a benefit.
Originally virusses have been the attempt to simulate the nature with computers. How to simulate life on computers? How a desease? This is the world of infection, desease and vaccines.
As in nature a virus wants to spread out. On computers this will happen using programs. These programs can infect other programs adding their own code to the code of the infected program. Or via email, sending email to every recipient in the addressbook, infecting their computers when the email is opened and the attachment is run.
The format of the executable code is different from operatingsystem to operatingsystem. Hence the most virusses are writen for the systems of the market leader to spread out as far as possible. Virusses often exploit lacks in operatingsystems to increase. The advantage of OpenSource operatingsystems is that they are tested stronger in the community of the interested people and therefore contain lesser security lacks.
Virusses can be recognized by their code and deleted, best to be done before execution. Therefore we need virus protection software that know a big variety of so called virus signatures. Is a virus detected the befallen file can be deleted or cleaned from the malicious piece of code. But a virus protection software is only as good as the signatures and the actuality of the signatures. Because there are new virusses all times let out into the wilderness of the internet, a serious virus protection needs to be updated every day.


Demilitarized Zone

The item Demilitarized Zone is misleading in my opinion, I find nomansland is fitting better.
It means an area between two computer networks, built to apply control and protection on the traffic between the two computer networks. Usually it is placed between the public internet and a privat company intranet or a home network.
Common is to enclose the demilitarized zone in two computers doing the packet filter firewalling. In the demilitarized zone the computers are placed which offer services to the internet and others acting as proxy servers for the clients in the intranet. Here the mailserver will be located and the central virus protection will be done. The filtering rules on the firewalls will ensure that no client from intranet can access the internet directly and vice versa. This constellation prevents lots of intrusion attempts from outside as well as from inside.

Security Targets up Documents
_Home ] _Services ] _Training ] _OpenSource ] _Wellknown OpenSource Projects ] _Security Goals ] _Security Concepts ] _Documents ] _Impressum ]