Technical Realisation of Security Concepts
The techniques described here are only a small selection of what is useful
and possible to enhance the security of a private intranet exposed to the threats
of the public internet.
The term Firewall often designates two things: on the one hand it means the
whole security infrastructure as described below under Demilitarized Zone, on
the other hand a firewall is simply a packet filter as realized with iptables.
iptables is able to inspect the header attributes of Internet Protocol (IP)
packets and to apply rules to them. A rule can let a packet pass (ACCEPT),
discard it silently (DROP) or discard it and send an error notification back to
the sender (REJECT). Rules can further determine whether a packet gets written
to a log (LOG).
This firewall acts as a packet filter between two networks, usually the public
internet and a private network to be protected.
Another important capability of iptables is applying different filter rules
depending on the state of a connection, known as stateful inspection. This
capability is needed for protocols which open child connections that must be
treated by other rules than the parent connection.
Masquerading is a function of the packet filter iptables, too. When a firewall
computer stands between a private network and the internet, it replaces the
private source address of the initiating computer with its own public IP address
and remembers to which destination the packet was sent. When the answer arrives,
its destination address is replaced by the private address of the initiating
computer, and the packet is delivered to this client. This function is also
called Network Address Translation (NAT).
The public internet can only see the firewall machine: all packets it sends carry
its own source address, even if they were initiated by a computer in the intranet
behind it. The computers in the private network are hidden behind the firewall
as if under a mask.
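As an added example (not code from the original text), the following Python model shows the mechanism the two paragraphs above describe: a connection table that remembers each masqueraded flow, so that replies are translated back to the private client, while unsolicited inbound packets are logged and dropped as with a LOG rule followed by DROP. The addresses and the port range are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed example addresses (not from the original text): TEST-NET-3 for the
# firewall's public side, an RFC 1918 range for the intranet behind it.
PUBLIC_IP = "203.0.113.10"
PRIVATE_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradingFirewall:
    """Toy model of iptables MASQUERADE combined with stateful inspection.
    Outbound packets from the intranet leave with the firewall's public
    address as source; the original client endpoint is remembered under the
    public port chosen for it. Inbound packets are forwarded only when they
    answer a remembered connection (ESTABLISHED); anything else is logged
    and dropped, like a LOG rule followed by DROP."""

    def __init__(self, public_ip: str, private_prefix: str) -> None:
        self.public_ip = public_ip
        self.private_prefix = private_prefix
        self.next_port = 40000  # first public port handed out for masquerading
        # (public port, server ip, server port) -> original (client ip, client port)
        self.conntrack: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Intranet -> internet: rewrite the source address and record the flow."""
        if not pkt.src.startswith(self.private_prefix):
            self.log.append(f"DROP out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        for (port, dst, dport), client in self.conntrack.items():
            if client == (pkt.src, pkt.sport) and (dst, dport) == (pkt.dst, pkt.dport):
                return replace(pkt, src=self.public_ip, sport=port)  # known flow
        port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> intranet: only replies to remembered flows are translated back."""
        client = self.conntrack.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.public_ip or client is None:
            self.log.append(f"DROP in {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None  # unsolicited packet from outside: no connection it answers
        return replace(pkt, dst=client[0], dport=client[1])
```

The server never learns the client's private address; only the firewall's public address and the masquerade port appear on the outside.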
The term Proxy means deputy, and that is its role between intranet and
When a client in the private network wants to view a webpage on the internet, it
sends its request to the proxy server. This deputy now requests the pages from
the webserver in the public network in place of the originator in the private
network. The proxy also receives the answer, the requested webpages, and hands
them over to the private client. The data connections run from the client to the
proxy and from the proxy to the webserver, but to the client it looks as if it
were a direct connection from client to webserver.
The main advantage is that there is no direct connection between client and
server, and the transferred contents can be analysed, e.g. to find viruses in the
data. The disadvantage is that all client computers have to be configured for the
proxy and that not all internet services are able to run over a proxy server. These need
The best protection against viruses is to forbid all communication with other
computers. Then no virus can intrude, provided there is no floppy drive and
no CD-ROM or DVD drive. But now the computer seems to be completely unusable for
the tasks we need it for: only with information from the internet, communication
over email and more does the work on the computer generate a benefit.
Originally viruses were an attempt to simulate nature with computers.
How can life be simulated on computers? How a disease? This is the world of infection,
disease and vaccines.
As in nature, a virus wants to spread. On computers this happens by means of
programs. These programs can infect other programs by adding their own code to the
code of the infected program. Or via email, sending mail to every recipient in the
address book and infecting their computers when the email is opened and the attachment is
The format of executable code differs from operating system to operating system.
Hence most viruses are written for the systems of the market leader, to spread
as far as possible. Viruses often exploit flaws in operating systems to propagate.
The advantage of open source operating systems is that they are tested more
thoroughly by the community of interested people and therefore contain fewer
security flaws.
Viruses can be recognized by their code and deleted, preferably before they are
executed. Therefore we need virus protection software that knows a large variety
of so-called virus signatures. If a virus is detected, the infected file can be
deleted or cleaned of the malicious piece of code. But virus protection software
is only as good as its signatures and how current they are. Because new viruses
are released into the wilds of the internet all the time, serious virus
protection needs to be updated every day.
The term Demilitarized Zone is misleading in my opinion; I find
no man's land fits better.
It means an area between two computer networks, built to apply control and protection
to the traffic between the two networks. Usually it is placed between the
public internet and a private company intranet or a home network.
It is common to enclose the demilitarized zone between two computers doing the
packet filter firewalling. In the demilitarized zone are placed the computers
which offer services to the internet, and others acting as proxy servers for the
clients in the intranet. Here the mailserver is located and the central virus
protection is done. The filtering rules on the firewalls ensure that no client
from the intranet can access the internet directly, and vice versa. This
arrangement prevents many intrusion attempts from outside as well as from inside.