Firewall

A firewall is a system, or a combination of systems, that divides a network into two or more parts and enforces a set of rules defining the conditions under which packets may pass from one part to another (see fig. 1). As a rule this boundary is drawn between the enterprise's local network and the Internet, although it can also be drawn inside the local network. All traffic crossing the boundary passes through the firewall. For every packet passing through it, the firewall decides whether to forward or discard it. To make these decisions the firewall needs a set of rules. How these rules are described, and which parameters are used in describing them, is discussed below.

As a rule, firewalls run on some UNIX platform, most often BSDI, SunOS, AIX or IRIX; less often on DOS, VMS or Windows NT. Hardware platforms include Intel, Sun SPARC, RS6000, Alpha, HP PA-RISC and the R4400-R5000 family of RISC processors. Besides Ethernet, many firewalls support FDDI, Token Ring, 100Base-T, 100VG-AnyLAN and various serial devices. Memory and disk requirements depend on the number of machines in the protected network segment, but at least 32 MB of RAM and 500 MB of disk are usually recommended.

As a rule, the operating system under which the firewall runs is modified with the aim of hardening the firewall itself. These changes affect both the OS kernel and the corresponding configuration files. The firewall is not allowed to hold user accounts (each of which is a potential hole), only the administrator's account. Some firewalls run only in single-user mode. Many firewalls include an integrity-checking system for program code: checksums of the executables are stored in a protected location and compared when a program is started, so that substituted software is detected.

All firewalls can be divided into three types:

  • Packet filters
  • Application-level gateways (application gateways)
  • Circuit-level gateways (circuit gateways)
All three types may be combined in a single firewall.

Packet filters

Packet-filtering firewalls decide whether to pass or reject a packet by examining the IP addresses, flags and TCP port numbers in the packet's header. IP addresses and port numbers are network-layer and transport-layer information respectively, but packet filters also use application-layer information indirectly, because every standard TCP/IP service is associated with a well-known port number.

Rules governing the passage of packets are described in tables of the following form:

  Action | Packet type | Source address | Source port | Destination address | Destination port | Flags

The "Action" field takes the value pass or reject.
Packet type is TCP, UDP or ICMP.
Flags are the flags from the packet header.
The "Source port" and "Destination port" fields are meaningful only for TCP and UDP packets.
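The following is an added example, written for this page and not taken from any firewall product, of how such a rule table is evaluated: rules are tried top to bottom and the first match decides (first-match semantics and a default of reject when nothing matches are assumptions made here, as are the seven-column text format and the constructed sample table for a firewall guarding 10.0.0.0/8). The first sample rule is the usual anti-spoofing entry: a packet arriving from outside with an inside source address is rejected.

```python
"""Added example: a packet filter that evaluates a rule table of the form
   Action | Packet type | Source address | Source port | Destination address | Destination port | Flags
with first-match semantics.  Illustration code for this page, not a product's code;
the text format, field names and sample rules are assumptions made here."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IP address
    dst: str                        # destination IP address
    sport: Optional[int] = None     # ports are meaningful only for TCP and UDP
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()   # header flags present, e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    action: str   # "pass" or "reject"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # network in CIDR form, or "any"
    sport: str    # single port, range "lo-hi", or "any"
    dst: str
    dport: str
    flags: str    # a flag name that must be set, or "any"


def parse_rules(text: str) -> list:
    """One rule per line, seven whitespace-separated fields; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields: {line!r}")
        rules.append(Rule(*fields))
    return rules


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("any", pkt.proto):
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    # Port fields are consulted only for TCP and UDP; ICMP has no ports.
    if pkt.proto in ("tcp", "udp") and not (_port_ok(rule.sport, pkt.sport)
                                          and _port_ok(rule.dport, pkt.dport)):
        return False
    return rule.flags == "any" or rule.flags in pkt.flags


def decide(rules: list, pkt: Packet, default: str = "reject"):
    """First matching rule wins; with no match the (assumed) default is to reject.
    Returns (action, index of the deciding rule or None)."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None


# Constructed sample table for the external interface of a firewall guarding 10.0.0.0/8.
SAMPLE_RULES = """
# action  type  src         sport  dst           dport        flags
reject    any   10.0.0.0/8  any    any           any          any   # anti-spoofing: inside addresses never arrive from outside
pass      tcp   any         any    10.0.0.25/32  25           any   # SMTP to the mail relay
pass      tcp   any         any    10.0.0.0/8    any          ACK   # replies to connections opened from inside
pass      udp   any         53     10.0.0.0/8    1024-65535   any   # DNS answers to our resolvers
reject    any   any         any    any           any          any   # everything else
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pkt in (Packet("tcp", "192.0.2.7", "10.0.0.25", 40000, 25, frozenset({"SYN"})),
                Packet("tcp", "10.0.0.3", "10.0.0.40", 40000, 22, frozenset({"SYN"})),
                Packet("tcp", "192.0.2.7", "10.0.0.40", 40000, 22, frozenset({"SYN"}))):
        print(pkt, "->", decide(rules, pkt))
```

Note that the third sample rule admits any TCP packet with ACK set: a stateless filter cannot tell a reply from a forged ACK packet, which is one reason the text below calls filtering rules hard to write correctly.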

Application-level gateways

Firewalls with application-level gateways use, for each specific service (TELNET, FTP and so on), a dedicated server (a proxy server) that runs on the firewall and passes all traffic for that service through itself. Thus two connections are formed between the client and the server: one from the client to the firewall and one from the firewall to the destination. The full set of supported proxies differs for each particular firewall, but proxies for the following services are the most common:

  • Terminals (Telnet, Rlogin)
  • File transfer (FTP)
  • E-mail (SMTP, POP3)
  • WWW (HTTP)
  • Gopher
  • Wais
  • X Window System (X11)
  • Printer
  • Rsh
  • Finger
  • News (NNTP) etc.
Using application-level gateways solves an important problem: hiding the structure of the local network from external users, including the information in mail headers and in the domain name service (DNS). Another merit is the possibility of authentication at the user level (authentication is the process of confirming the identity of something; here it is the process of confirming that the user really is who he claims to be). Authentication is discussed in more detail below. When access rules are described, parameters such as the service name, the user name, the permitted time range for using the service, the hosts from which the service may be used, and the authentication schemes are used. Application-level gateways provide the highest level of protection: interaction with the outside world is realised through a small number of application programs that fully control all incoming and outgoing traffic.

Circuit-level gateways

A circuit-level gateway is a TCP connection relay. The user establishes a connection to a certain port on the firewall, after which the firewall establishes a connection to the destination on its other side. During the session the relay copies bytes in both directions, acting as a wire. As a rule the destination is fixed in advance, while there may be many sources (a one-to-many connection type). Using different ports, different configurations can be created. This type of gateway allows a relay to be created for any user-defined TCP-based service, with access control for that service and collection of statistics on its use.
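As an added example of the relay just described (illustration code written for this page, not any firewall's implementation), the gateway below listens on the firewall, accepts a client, checks its source address against an allow-list before relaying a single byte, opens its own connection to the pre-set destination, and copies bytes in both directions while counting them for the usage statistics. The allow-list, the loopback addresses and the echo service standing in for the protected destination are assumptions constructed for the demonstration.

```python
"""Added example: a circuit-level gateway, i.e. a TCP relay that accepts a client on
the firewall, opens its own connection to one fixed destination and copies bytes in
both directions, with a source-address check and byte counts.  Illustration code
for this page, not a product's implementation; the allow-list and the echo service
used as the destination are assumptions constructed for the demo."""
import socket
import threading


def copy_stream(src: socket.socket, dst: socket.socket, stats: dict, key: str) -> None:
    """Copy bytes src -> dst until EOF, then propagate the EOF with a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
            stats[key] += len(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class CircuitGateway:
    """Listens on the firewall and relays permitted clients to one pre-set destination."""

    def __init__(self, destination, allowed_sources):
        self.destination = destination              # (host, port) fixed in advance
        self.allowed_sources = set(allowed_sources)
        self.stats = {"accepted": 0, "refused": 0, "bytes_in": 0, "bytes_out": 0}
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def serve_one(self) -> bool:
        """Accept one client; refuse it, or wire it to the destination."""
        client, (addr, _) = self.listener.accept()
        if addr not in self.allowed_sources:        # access control before any byte is relayed
            self.stats["refused"] += 1
            client.close()
            return False
        upstream = socket.create_connection(self.destination)
        self.stats["accepted"] += 1
        for src, dst, key in ((client, upstream, "bytes_out"), (upstream, client, "bytes_in")):
            threading.Thread(target=copy_stream, args=(src, dst, self.stats, key),
                             daemon=True).start()
        return True


def start_echo_server() -> socket.socket:
    """Stand-in for the protected service: echoes whatever it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=copy_stream, args=(conn, conn, {"echo": 0}, "echo"),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo(message: bytes, allowed_sources) -> tuple:
    """Send `message` through the gateway; return (reply, gateway statistics)."""
    echo = start_echo_server()
    gw = CircuitGateway(echo.getsockname(), allowed_sources)
    threading.Thread(target=gw.serve_one, daemon=True).start()
    client = socket.create_connection(("127.0.0.1", gw.port))
    reply = b""
    try:
        client.sendall(message)
        client.shutdown(socket.SHUT_WR)
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    except OSError:                                 # a refused client sees a reset or EOF
        pass
    finally:
        client.close()
    return reply, gw.stats


if __name__ == "__main__":
    print(demo(b"hello through the gateway", {"127.0.0.1"}))
    print(demo(b"hello through the gateway", {"10.0.0.5"}))
```

The relay never inspects the bytes it copies, which is exactly what makes it usable for any TCP-based service and also why it can offer no application-level checks; its access decision rests on the source address alone, a point the comparison below returns to.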

Comparative characteristics

The basic advantages and drawbacks of packet filters and application-level gateways relative to each other are given below. The merits of packet filters include:

  • Relatively low cost
  • Flexibility in defining filtering rules
  • Small delay in packet passage
The drawbacks of this type of firewall are the following:
  • The local network is visible (routable) from the Internet
  • Packet-filtering rules are difficult to describe; very good knowledge of the TCP and UDP protocols is required
  • If the firewall fails, all computers behind it become either completely unprotected or unreachable
  • Authentication by IP address can be deceived by IP spoofing (the attacking system passes itself off as another system by using that system's IP address)
  • There is no user-level authentication
The advantages of application-level gateways include:
  • The local network is invisible from the Internet
  • If the firewall fails, packets stop passing through it, so the machines it protects are not endangered
  • Protection at the application level allows a considerable number of additional checks, reducing the probability of a break-in that exploits holes in software
  • User-level authentication; a system of immediate warning about break-in attempts can be implemented
The drawbacks of this type are:
  • Higher cost than packet filters
  • The RPC and UDP protocols cannot be used
  • Lower throughput than packet filters

Virtual networks

A number of firewalls also allow virtual private networks (VPN) to be organised, i.e. several local networks connected to the Internet can be united into one virtual network. A VPN provides a transparent connection for the users of the local networks while preserving the confidentiality and integrity of the transferred information by means of encryption. When data crosses the Internet, not only the user's data is encrypted but also the network information: network addresses, port numbers and so on.

Connection schemes

Various schemes are used to connect firewalls. The firewall can be used as the external router, using the supported device types for connection to the external network (see fig. 1). The scheme shown in fig. 3 is also used sometimes; however, it should be used only as a last resort, since it requires very careful router configuration, and small mistakes can open serious holes in the protection.

If the firewall can support two Ethernet interfaces (a so-called dual-homed firewall), the connection is most often made through an external router (see fig. 4).

In this case there is only one path between the external router and the firewall, and all traffic goes over it. Usually the router is configured so that the firewall is the only machine visible from outside. This scheme is the most preferable from the point of view of safety and reliability of protection. Another scheme is shown in fig. 5.

Here the firewall protects only one of several subnets leaving the router. Servers that must be visible from outside (WWW, FTP, etc.) are often placed in the area not protected by the firewall. Some firewalls suggest placing such servers on the firewall machine itself, which is far from the best decision in terms of both the load on that machine and the security of the firewall. There are solutions (see fig. 6) that allow a third network to be organised for the servers that must be visible from outside; this allows access to them to be controlled while keeping the necessary level of protection for the machines in the main network.

In such a scheme much attention is paid to ensuring that users of the internal network cannot, accidentally or deliberately, open a hole into the local network through these servers. To raise the level of security, several firewalls standing one after another can be used in one network.

Administration

Ease of administration is one of the key aspects in building an effective and reliable protection system. Errors in defining access rules can create a hole through which the system can be cracked. Therefore most firewalls implement service utilities that make it easier to enter, delete and view the rule set. These utilities also make it possible to check for syntactic or logical errors when rules are entered or edited. As a rule, they allow the information to be viewed grouped by some criterion, for example everything that concerns a particular user or service.
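An added example of the checks such a utility can run over a packet-filter table before it is installed (illustration code written for this page, not any product's utility; the seven-column text format and the sample rules are assumptions): syntactic errors are an unknown action or packet type, an address that does not parse, a port out of range, or ports given for ICMP; the logical error shown is a rule that can never fire because an earlier rule already covers every packet it would match, which is a conflict when the two actions differ and mere redundancy when they agree.

```python
"""Added example: rule-set checks of the kind an administration utility performs:
syntactic errors (bad action, type, address, port or field count) and logical errors
(a rule shadowed by an earlier rule that covers everything it would match).
Illustration code for this page, not a product's utility; the text format and sample
rules are assumptions."""
import ipaddress

FIELDS = ("action", "proto", "src", "sport", "dst", "dport", "flags")
ACTIONS = {"pass", "reject"}
PROTOS = {"tcp", "udp", "icmp", "any"}


def port_range(spec: str):
    """'any' -> (0, 65535); '25' -> (25, 25); '1024-65535' -> (1024, 65535)."""
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(spec)
    return lo, hi


def network(spec: str):
    """'any' -> None (covers everything), otherwise an ip_network object."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def split_fields(line: str) -> list:
    return line.split("#", 1)[0].split()


def syntax_errors(lines) -> list:
    """Return (line number, message) for every malformed rule."""
    errors = []
    for n, line in enumerate(lines, 1):
        f = split_fields(line)
        if not f:
            continue
        if len(f) != 7:
            errors.append((n, f"expected 7 fields, got {len(f)}"))
            continue
        rule = dict(zip(FIELDS, f))
        if rule["action"] not in ACTIONS:
            errors.append((n, f"unknown action {rule['action']!r}"))
        if rule["proto"] not in PROTOS:
            errors.append((n, f"unknown packet type {rule['proto']!r}"))
        for key in ("src", "dst"):
            try:
                network(rule[key])
            except ValueError:
                errors.append((n, f"bad {key} address {rule[key]!r}"))
        for key in ("sport", "dport"):
            try:
                port_range(rule[key])
            except ValueError:
                errors.append((n, f"bad {key} {rule[key]!r}"))
        if rule["proto"] == "icmp" and (rule["sport"], rule["dport"]) != ("any", "any"):
            errors.append((n, "ports are meaningless for icmp"))
    return errors


def covers(earlier: dict, later: dict) -> bool:
    """True if every packet matched by `later` is already matched by `earlier`."""
    if earlier["proto"] not in ("any", later["proto"]):
        return False
    for key in ("src", "dst"):
        a, b = network(earlier[key]), network(later[key])
        if a is not None and (b is None or not b.subnet_of(a)):
            return False
    for key in ("sport", "dport"):
        (alo, ahi), (blo, bhi) = port_range(earlier[key]), port_range(later[key])
        if not (alo <= blo and bhi <= ahi):
            return False
    return earlier["flags"] in ("any", later["flags"])


def shadowed_rules(lines) -> list:
    """(line, shadowing line, 'conflict' | 'redundant') for rules that can never fire.
    Lines with syntax errors are skipped here; syntax_errors() reports them."""
    bad = {n for n, _ in syntax_errors(lines)}
    rules = [(n, dict(zip(FIELDS, split_fields(line))))
             for n, line in enumerate(lines, 1) if n not in bad and split_fields(line)]
    findings = []
    for i, (n, rule) in enumerate(rules):
        for m, earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "conflict" if earlier["action"] != rule["action"] else "redundant"
                findings.append((n, m, kind))
                break
    return findings


# Constructed sample with one conflict, one redundancy and two syntax errors.
SAMPLE = """\
pass    tcp  any         any  10.0.0.0/8    any    ACK
reject  any  any         any  any           any    any
pass    tcp  any         any  10.0.0.25/32  25     any   # never reached: line 2 rejects everything first
pass    tcp  any         any  10.0.0.0/8    22     ACK   # already covered by line 1
pass    tcp  10.0.0.0/8  any  any           99999  any   # port out of range
allow   tcp  any         any  10.0.0.0/8    any    any   # unknown action
""".splitlines()

if __name__ == "__main__":
    print(syntax_errors(SAMPLE))
    print(shadowed_rules(SAMPLE))
```

The conflict case is the one that matters most in practice: an administrator who appends a permissive rule after a catch-all reject will believe the service is open while the firewall silently keeps dropping it, or, with the actions reversed, will believe a hole is closed when it is not.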

Statistics gathering and attack warning systems

Another important component of a firewall is its system for gathering statistics and warning of attacks. Information on all events (refusals, incoming and outgoing connections, the number of bytes transferred, the services used, connection times and so on) is collected in statistics files. Many firewalls allow the events to be recorded to be defined flexibly, and allow the firewall's actions on an attack or an unauthorised access attempt to be described: a message on the console, a mail message to the system administrator, and so on. Immediate output of a message about a break-in attempt to the console or to the administrator's screen can help even if the attempt has succeeded and the attacker has already got into the system. Many firewalls include report generators for processing the statistics. They allow statistics to be collected on resource use by particular users, on the use of services, on refusals, on the sources from which unauthorised access attempts were made, and so on.

Authentication

Authentication is one of the most important components of a firewall. Before a user is granted the right to use a particular service, it is necessary to make sure that the user really is who he claims to be (it is assumed here that the service is permitted for this user; the process of determining which services are permitted is called authorisation. Authorisation is usually considered in the context of authentication: as soon as the user is authenticated, the services permitted to him are determined). On receiving a request to use a service on behalf of some user, the firewall checks which authentication method is defined for that user and passes control to the authentication server. After receiving a positive reply from the authentication server, the firewall establishes the connection requested by the user. As a rule, the principle known as "something he knows" is used: the user knows a secret word, which he sends to the authentication server in reply to its challenge. One authentication scheme is the use of standard UNIX passwords. This scheme is the most vulnerable from the security point of view: the password can be intercepted and used by another person. Schemes using one-time passwords are used more often. Even if intercepted, such a password is useless at the next login, and deriving the next password from the previous one is an extremely difficult problem. Both software and hardware generators are used to produce one-time passwords; the latter are devices inserted into a slot of the computer. The user needs to know a secret word to bring this device into action. A number of firewalls support Kerberos, one of the most widespread authentication methods. Some schemes require changes to the client software, a step that is by no means always acceptable.
As a rule, all commercial firewalls support several different schemes, allowing the administrator to choose the one most suitable for his conditions.
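An added example of one-time-password authentication with the two properties stated above, that a used password is worthless and that the next password cannot be derived from the previous one. The page does not name a particular scheme; the one shown is a Lamport hash chain (the principle behind S/KEY), and that choice, the user name, the seed, the secret word and the chain length are assumptions made here. This is illustration code written for this page, not a firewall's authentication server. The generator side models the software or hardware generator unlocked by the user's secret word; the server side stores only the last accepted value, never the secret.

```python
"""Added example of one-time-password authentication as a Lamport hash chain (the
principle behind S/KEY); illustration code for this page, not a product's code.
User name, seed, secret and chain length are assumptions."""
import hashlib
import hmac


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(secret: str, seed: str, n: int) -> list:
    """Generator side (software, or a hardware device unlocked by the secret word):
    x0 = H(secret || seed), x1 = H(x0), ..., xn = H^n(x0).
    Passwords are spent in reverse order: x(n-1) first, then x(n-2), and so on."""
    x = H(secret.encode() + seed.encode())
    chain = [x]
    for _ in range(n):
        x = H(x)
        chain.append(x)
    return chain


class OtpVerifier:
    """Authentication server's record for one user.  Only the last accepted value is
    stored, so a copy of the server's database yields no future password."""

    def __init__(self, username: str, last_value: bytes, counter: int):
        self.username = username
        self.last = last_value     # H^counter(x0), registered at enrolment
        self.counter = counter     # how many passwords remain in the chain

    def verify(self, candidate: bytes) -> bool:
        if self.counter == 0:      # chain exhausted: the user must re-enrol
            return False
        # Accept only if hashing the candidate once yields the stored value;
        # an eavesdropper holding x(k) would need a preimage to produce x(k-1).
        if hmac.compare_digest(H(candidate), self.last):
            self.last = candidate  # advance: the password just used is now worthless
            self.counter -= 1
            return True
        return False


def demo_session() -> tuple:
    """Enrol, log in twice, and show that replay and forward guessing both fail."""
    secret, seed, n = "correct horse battery staple", "fw01-seed", 100
    chain = make_chain(secret, seed, n)
    server = OtpVerifier("alice", chain[n], n)     # only chain[n] leaves the generator
    first = server.verify(chain[n - 1])            # valid login
    replay = server.verify(chain[n - 1])           # intercepted password reused: refused
    second = server.verify(chain[n - 2])           # next password: accepted
    forged = server.verify(H(chain[n - 2]))        # hashing forward gives an old value, not the next
    return first, replay, second, forged, server.counter


if __name__ == "__main__":
    print(demo_session())  # (True, False, True, False, 98)
```

Interception of a password in transit, the weakness of the reusable UNIX password, buys the attacker nothing here: the value he captured is already the server's stored value, and the next acceptable password is its preimage.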


