Appliance-based Firewalls
A firewall is a system or group of systems that enforces an access control policy between two or more networks. Many dedicated hardware appliance-based firewalls are available to secure a network. Appliance-based firewalls are typically custom-designed platforms without hard drives: they boot from solid-state storage, which lets them start faster and, having no moving parts, makes them less prone to failure, and their purpose-built hardware lets them inspect traffic at higher data rates. Cisco's solutions include an integrated IOS Firewall and a dedicated Private Internet Exchange (PIX) Security Appliance. The IOS Firewall feature set can be installed and configured on perimeter Cisco routers. It adds features such as stateful, application-based filtering, dynamic per-user authentication and authorization, defense against network attacks, Java blocking, and real-time alerts. The PIX Security Appliance is a dedicated hardware/software security appliance that provides packet filtering and proxy server technologies. Other appliance-based firewall vendors include Juniper, Nokia, Symantec, WatchGuard, and Nortel Networks. For home networks, Linksys, D-Link, Netgear, and SonicWALL provide lower-cost models with basic firewall capabilities.
Server-based Firewalls
A server-based security solution runs on a network operating system (NOS) such as UNIX, Windows NT or Windows 2000, or Novell NetWare. It is generally an all-in-one solution that combines a firewall, access control, and virtual private networking features in one package. Examples of server-based security solutions include Microsoft ISA Server, Linux with its built-in packet filter (ipchains or iptables), Novell BorderManager, and Check Point Firewall-1.
Remember that appliance-based firewalls are specialized computers as well, but they run only a single embedded firewall application or operating system, whereas server-based firewalls run on top of a general-purpose OS. Server-based firewalls can be less secure than dedicated firewalls because any security weakness of the general-purpose OS (an unpatched or unnecessary service left running on the host) exposes the firewall itself, so the host OS must be hardened before the firewall software is trusted. Server-based firewalls also typically do not perform as well as dedicated firewalls in high-bandwidth networks. Furthermore, they are prone to higher failure rates because they rely on mechanical hard drives.
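The stateful filtering that both the IOS Firewall and the PIX advertise is the point where a packet filter stops being a static access list. The following is an added example, not code from the course or from any Cisco product: a toy stateful TCP filter placed next to the stateless "established" rule it replaces. The addresses, ports and the packet sequence are constructed for illustration, and the state machine is deliberately reduced to SYN, SYN/ACK and RST handling.

```python
# Added example, not from the course text: a toy stateful TCP filter next to
# the stateless "established" rule it replaces. Addresses, ports and the
# replayed packet sequence are constructed for illustration.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."          # assumed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt):
    """Static ACL: permit all outbound; permit inbound only when ACK is set
    (the 'established' rule). It never checks whether a session exists, so a
    forged inbound packet with the ACK bit set is permitted."""
    if is_inside(pkt.src):
        return "allow"
    return "allow" if pkt.ack else "deny"


class StatefulFilter:
    """Tracks sessions opened from inside; inbound packets are admitted only
    when they match a tracked session and fit its current state."""

    def __init__(self):
        self.sessions = {}   # (in_ip, in_port, out_ip, out_port) -> state

    @staticmethod
    def key(pkt):
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        key = self.key(pkt)
        state = self.sessions.get(key)
        if is_inside(pkt.src):                      # outbound direction
            if state is None:
                if pkt.syn and not pkt.ack:         # new session opened from inside
                    self.sessions[key] = "SYN_SENT"
                    return "allow"
                return "deny"                       # no session and not a SYN
            if pkt.rst:
                del self.sessions[key]              # teardown
            return "allow"
        # inbound direction: unsolicited traffic is denied whatever its flags
        if state is None:
            return "deny"
        if state == "SYN_SENT" and pkt.syn and pkt.ack:
            self.sessions[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED" and not pkt.syn:
            if pkt.rst:
                del self.sessions[key]
            return "allow"
        return "deny"                               # flags do not fit the state


def run_scenario():
    """Replays a constructed packet sequence through both filters and returns
    (label, stateless verdict, stateful verdict) tuples."""
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    trace = [
        ("outbound SYN",       Packet(client, 40000, server, 80, syn=True)),
        ("reply SYN/ACK",      Packet(server, 80, client, 40000, syn=True, ack=True)),
        ("outbound ACK",       Packet(client, 40000, server, 80, ack=True)),
        ("forged inbound ACK", Packet(attacker, 1234, client, 445, ack=True)),
        ("unsolicited SYN",    Packet(attacker, 5555, client, 22, syn=True)),
        ("server data",        Packet(server, 80, client, 40000, ack=True)),
    ]
    sf = StatefulFilter()
    return [(label, stateless_filter(p), sf.filter(p)) for label, p in trace]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:20s} stateless={stateless:5s} stateful={stateful}")
```

The "forged inbound ACK" packet is the case that separates the two: the ACL's established rule passes it because the ACK bit is set, while the stateful filter denies it because no session from 10.0.0.5:445 to 198.51.100.7:1234 was ever opened from inside.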
Network-based Intrusion Detection Systems
Just like host-based intrusion technology, a network-based intrusion detection system (NIDS) can be based on active or passive detection. The figure illustrates a typical network deployment of intrusion technology. Sensors are deployed at the network entry points that protect critical network segments; these segments hold both internal and external corporate resources. Sensors capture and analyze traffic as it traverses the network and are typically tuned for intrusion detection analysis: the underlying operating system is stripped of unnecessary network services, and the essential services that remain are secured. The sensors report to a central Director server located inside the corporate firewall.
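To make the sensor/Director split and the passive-versus-active distinction concrete, here is an added example that is not part of the course material and does not model any particular vendor's sensor. A toy sensor inspects constructed packets for two payload signatures and for port-scan behaviour, reports every alert to an in-process Director, and in active mode also returns a reset action for the offending packet. The signature strings, addresses, thresholds and traffic are all assumptions made for the example.

```python
# Added example, not from the course text: a toy NIDS sensor reporting to a
# central Director. Signatures, addresses, thresholds and the replayed
# traffic are constructed for the example.
from collections import defaultdict

# Constructed payload signatures: (name, byte pattern)
SIGNATURES = [
    ("WEB-ATTACK traversal", b"../../"),
    ("SHELL-CMD /bin/sh", b"/bin/sh"),
]


class Director:
    """Central collector the sensors report to (in-process stand-in)."""

    def __init__(self):
        self.alerts = []

    def report(self, sensor_id, alert):
        self.alerts.append((sensor_id, alert))


class Sensor:
    def __init__(self, sensor_id, director, active=False, scan_ports=5, window=10.0):
        self.sensor_id = sensor_id
        self.director = director
        self.active = active              # passive: report only; active: also reset
        self.scan_ports = scan_ports      # distinct dst ports from one source ...
        self.window = window              # ... within this many seconds = scan
        self.history = defaultdict(list)  # src -> [(timestamp, dport)]
        self.scan_flagged = set()         # sources already reported as scanners

    def inspect(self, ts, src, dst, dport, payload):
        """Returns 'pass', or 'reset' in active mode when an alert fires."""
        alerts = []
        for name, pattern in SIGNATURES:
            if pattern in payload:
                alerts.append(f"{name} {src} -> {dst}:{dport}")
        hist = self.history[src]
        hist.append((ts, dport))
        hist[:] = [(t, p) for t, p in hist if ts - t <= self.window]  # slide window
        distinct = {p for _, p in hist}
        if len(distinct) >= self.scan_ports and src not in self.scan_flagged:
            self.scan_flagged.add(src)
            alerts.append(f"PORT-SCAN {src} probed {len(distinct)} ports on {dst}")
        for alert in alerts:
            self.director.report(self.sensor_id, alert)
        if alerts and self.active:
            return "reset"
        return "pass"


def run_demo(active):
    """Replays constructed traffic through one sensor; returns (verdicts, alerts)."""
    director = Director()
    sensor = Sensor("dmz-sensor-1", director, active=active)
    traffic = [
        (0.0, "192.0.2.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
        (1.0, "192.0.2.9", "10.0.0.80", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ]
    # a quick sweep of six ports from a second source, all inside the window
    traffic += [(2.0 + i * 0.1, "198.51.100.4", "10.0.0.80", port, b"")
                for i, port in enumerate([21, 22, 23, 25, 80, 110])]
    # the same ports from a third source, spread far wider than the window:
    # too slow for this threshold, so no scan alert
    traffic += [(100.0 + i * 30.0, "203.0.113.5", "10.0.0.80", port, b"")
                for i, port in enumerate([21, 22, 23, 25, 80, 110])]
    verdicts = [sensor.inspect(*pkt) for pkt in traffic]
    return verdicts, director.alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo(active=True)
    for sensor_id, alert in alerts:
        print(sensor_id, alert)
    print(verdicts)
```

The third source shows the usual trade-off: the slow sweep evades the fixed window, and widening the window or lowering the threshold catches it at the cost of more false positives, which matters most in active mode, where every false positive becomes a reset of legitimate traffic.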
Virtual Private Networks
The broadest definition of a Virtual Private Network (VPN) is any network built on a public network and partitioned for use by individual users. By that definition, public Frame Relay, X.25, and ATM networks are VPNs; these types are generically referred to as Layer 2 VPNs. The emerging form of VPN consists of networks constructed across shared IP backbones, referred to as IP VPNs, which focus on Layer 3.
IP VPNs are not simply encrypted tunnels. They encompass an entire spectrum of technologies and supporting products, including firewalls, encryption, authentication, intrusion detection, tunneling, QoS, and network management. There are fundamentally three corporate or business uses of VPNs:
- Remote-access VPNs
- Site-to-site extranet and intranet VPNs
- Campus VPNs
Trust and Identity
Identity refers to the accurate and positive identification of network users, hosts, applications, services, and resources. Standard technologies that enable identification include authentication protocols such as Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and Kerberos, and one-time password (OTP) tools. Newer technologies such as digital certificates, smart cards, and directory services are playing increasingly important roles in identity solutions.
Throughout this course, authentication, authorization, and accounting (AAA), together with access control, are incorporated into the concept of identity. Although these concepts are distinct, they all pertain to each individual user of the network, be it a person or a device. Each person or device is a distinct entity that has separate abilities within the network and is allowed access to resources based on who it is.
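RADIUS is the one protocol in this list whose wire format is small enough to show whole. What follows is an added example, not code from the course and not a vendor implementation: the Access-Request/Access-Accept exchange of RFC 2865 with PAP password hiding and the response authenticator check, with both the client (NAS) and the server run in-process. The shared secret, the user database, the identifier value and the passwords are constructed for the example; only the User-Name and User-Password attribute types are implemented.

```python
# Added example, not from the course text: RFC 2865 Access-Request /
# Access-Accept with PAP password hiding and response authenticator check.
# Secret, user database and identifiers are constructed for the example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 XOR MD5(S + RA),
    then c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(secret, request_auth, hidden):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # each attribute: Type(1) Length(1, counts these two bytes too) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)      # header: Code(1) Identifier(1) Length(2)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def client_access_request(secret, ident, username, password):
    request_auth = os.urandom(16)       # fresh, unpredictable per request
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(secret, request_auth, password))]
    return request_auth, build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(secret, users, pkt):
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    name = a.get(USER_NAME)
    password = reveal_password(secret, request_auth, a.get(USER_PASSWORD, b""))
    ok = name in users and hmac.compare_digest(users[name], password)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    rattrs = []
    auth = response_authenticator(secret, rcode, ident, request_auth, rattrs)
    return build_packet(rcode, ident, auth, rattrs)


def client_verify_response(secret, ident, request_auth, pkt):
    """Returns the response code, or None if the reply is not authentic."""
    code, rident, auth, attrs = parse_packet(pkt)
    if rident != ident:
        return None
    expected = response_authenticator(secret, code, ident, request_auth, attrs)
    return code if hmac.compare_digest(auth, expected) else None


def run_exchange(client_secret, server_secret, username, password):
    users = {b"alice": b"correct horse battery staple"}   # constructed user DB
    request_auth, req = client_access_request(client_secret, 7, username, password)
    reply = server_handle(server_secret, users, req)
    return client_verify_response(client_secret, 7, request_auth, reply)
```

Two things the exchange makes visible. A NAS and server with different shared secrets fail closed: the server recovers garbage instead of the password and rejects, and the client discards the reply because the response authenticator does not verify. And the whole scheme rests on MD5 and one shared secret per NAS, so the password hiding is obfuscation keyed by that secret rather than modern encryption, which is why RADIUS is normally carried over IPsec or RADIUS/TLS (RadSec) rather than trusted bare on the wire.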