1.Introduction to the Technology. Novell Security Manager Powered by Astaro


Installation

1.Introduction to the Technology

Before exploring the Novell Security Manager powered by Astaro security system in detail, it may be helpful to take an overview of network and security technology in general. In particular, it is important to understand the serious risks that unprotected systems face as well as where and how to deploy this security system to mitigate these risks.

Networks

The Internet is already well established as a vital communications medium and a key marketplace for both traditional and new services.

Since its inception, its size has multiplied, with domain name growth between 1995 and 2003 reaching almost exponential proportions.

Computers on this worldwide network communicate using the Internet Protocol (IP), as well as various higher-level protocols such as TCP, UDP, and ICMP. IP addresses uniquely identify each of the computers reachable on the network.

The Internet itself is a collection of smaller networks of various kinds.

When two or more networks are connected, a number of issues arise which are dealt with by devices such as routers, bridges, and gateways. A firewall is another such device, designed with security in mind.

As a rule, three kinds of network meet at the firewall:

• An external or Wide Area Network (WAN)

• An internal or Local Area Network (LAN)

• A De-Militarized Zone (DMZ)

An example configuration is shown on the next page.


The Firewall

One of the components in this security system is a firewall. The characteristic tasks of a firewall connecting a WAN, LAN, and DMZ are:

• Protection against unauthorized access

• Access control

• Collection of audit trails

• Protocol analysis

• Reporting of security-related events

• Concealing internal network structure

• Separation of servers and clients using proxies

• Guaranteeing information confidentiality


A firewall combines several network components in order to provide these assurances. The following is a brief look at some of these tools and their uses.

Network-Layer Firewalls: Packet Filters

As the name suggests, this component filters IP packets on the basis of source and destination address, IP flags, and packet payload. This allows an administrator to grant or deny access to services based on factors such as:

• The source address

• The destination address

• The protocol (e.g., TCP, UDP, ICMP)

• The port number

The primary advantages of packet filters are their speed and their independence of operating systems and applications in use behind the firewall.

Advanced implementations of packet filters also inspect packets at higher network layers. Such filters interpret transport-level information (such as TCP and UDP headers) to analyze and record all current connections. This process is known as stateful inspection.

A stateful packet filter records the status of all connections, and allows only those packets associated with a current connection to pass. This is especially important for allowing connections from a protected network to an unprotected one, but disallowing connections in the opposite direction.

When a computer in the protected network establishes a connection with an external server, the stateful packet filter will allow the server’s response packets in to the protected network. When the original connection is closed, however, the packet filter will block all further packets from the unprotected network (unless, of course, they have been explicitly allowed).
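The connection-tracking behaviour described above, as an added example that is not part of the manual: a minimal stateful filter that admits outbound connections from the protected LAN, lets only replies to tracked connections back in, and blocks further inbound packets once the connection is closed. The LAN prefix, the TCP flag abstraction and the addresses (203.0.113.5, 5.4.3.2) are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str          # "ip:port"
    dst: str          # "ip:port"
    flags: str = ""   # constructed abstraction: "S"=SYN, "A"=ACK, "F"=FIN

class StatefulFilter:
    """Tracks connections opened from the LAN; everything else inbound is dropped."""

    def __init__(self, lan_prefix):
        self.lan_prefix = lan_prefix   # assumed protected network, e.g. "192.168.2."
        self.table = set()             # (lan_endpoint, remote_endpoint) of live connections

    def _from_lan(self, pkt):
        return pkt.src.startswith(self.lan_prefix)

    def handle(self, pkt):
        """Return 'ALLOW' or 'DROP' and update the connection table."""
        if self._from_lan(pkt):
            # Outbound: a plain SYN from the LAN opens a new tracked connection.
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.table.add((pkt.src, pkt.dst))
            key = (pkt.src, pkt.dst)
        else:
            # Inbound: only packets belonging to a tracked connection pass.
            key = (pkt.dst, pkt.src)
        if key not in self.table:
            return "DROP"
        if "F" in pkt.flags:
            # Simplified close: a real filter waits for FIN from both sides.
            self.table.discard(key)
        return "ALLOW"

def demo():
    fw = StatefulFilter("192.168.2.")
    client, server = "192.168.2.10:40000", "203.0.113.5:80"   # constructed endpoints
    return [
        fw.handle(Packet(client, server, "S")),           # ALLOW: LAN opens connection
        fw.handle(Packet(server, client, "SA")),          # ALLOW: reply to tracked connection
        fw.handle(Packet("5.4.3.2:1111", client, "S")),   # DROP: unsolicited inbound
        fw.handle(Packet(client, server, "F")),           # ALLOW: close, entry removed
        fw.handle(Packet(server, client, "A")),           # DROP: no longer tracked
    ]
```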

Application-Layer Gateways: Application Proxies


The second main kind of firewall is the application-layer gateway.

These gateways act as a middleman in connections between external systems and protected ones. With such gateways, packets aren’t forwarded so much as translated and rewritten, with the gateway performing the translation.

The translation process on the gateway is called a proxy server, or proxy for short. Because each proxy serves only one or a few well-defined application protocols, it is able to analyze and log protocol usage at a fine-grained level, and thereby offer a wide range of monitoring and security options.

The analysis can be especially intensive at the application level, because the application data transferred conforms to standardized protocols. The firewall knows about and can inspect every aspect of the data flow. This also means that small, manageable modules can be used for each kind of data, which in turn means the system is less prone to problems due to implementation errors.

For example, this security system includes the following proxies:

• An HTTP proxy with Java, JavaScript and ActiveX

• An SMTP proxy, which scans e-mails for viruses and controls e-mail distribution

• A SOCKS proxy which acts as a generic authenticating circuit-level proxy for many applications

Application-level gateways have the advantage of allowing the complete separation of protected and unprotected networks. They ensure that no packets are allowed to move directly from one network to the other. This results in reduced administration costs: as proxies ensure the integrity of protocol data, they can protect all of the clients and servers in your network, independent of brand, version, or platform.

Protection Mechanisms

Some firewalls contain further mechanisms to ensure added security.


One such mechanism is supporting the use of private IP addresses in protected networks through Network Address Translation (NAT), specifically …

• Masquerading

• Source NAT (SNAT)

• Destination NAT (DNAT)

This allows an entire network to hide behind one or a few IP addresses, and hides the internal network topology from the outside.

This allows internal machines to access Internet servers while making it impossible to identify individual machines from the outside.

Using Destination NAT, it is nevertheless possible to make internal or DMZ servers available to the outside network for specific services.

Example: An external user (see graphic on left) with the IP address 5.4.3.2 sends a request from port 1111 to the web server in the DMZ. The user knows only the external IP and port (65.227.28.232, port 88).

Using DNAT, the firewall changes the destination address of the request to the internal address of the web server (192.168.2.99, port 80), and sends it to the web server. The web server then responds, using its own internal IP address (192.168.2.99, port 80), and sends the reply back to the user. The firewall recognizes the packet from the user’s address and changes the source address of the reply from the web server’s address to its own external address (65.227.28.232, port 88).
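The DNAT exchange above, worked through as an added example (not code from the manual or the product): the rule maps the external address 65.227.28.232:88 to the DMZ web server 192.168.2.99:80, the request from 5.4.3.2:1111 is rewritten on the way in, and the reply is matched against the recorded session and rewritten back on the way out. The rule table and session store are constructed for the example.

```python
# DNAT rule: (external ip, external port) -> (internal ip, internal port)
DNAT_RULES = {("65.227.28.232", 88): ("192.168.2.99", 80)}

class DnatFirewall:
    """Rewrites destination addresses inbound and restores source addresses on replies."""

    def __init__(self, rules):
        self.rules = rules
        # (client ip, client port) -> (ext ip, ext port, int ip, int port)
        self.sessions = {}

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the WAN; returns the rewritten 4-tuple or None."""
        target = self.rules.get((dst_ip, dst_port))
        if target is None:
            return None                      # no DNAT rule: packet is not forwarded
        # Remember which external address the client used so the reply can be restored.
        self.sessions[(src_ip, src_port)] = (dst_ip, dst_port, *target)
        return (src_ip, src_port, *target)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply from the DMZ server; returns the 4-tuple as the client will see it."""
        sess = self.sessions.get((dst_ip, dst_port))
        if sess is None or (src_ip, src_port) != sess[2:]:
            return None                      # not a reply to a translated request
        return (sess[0], sess[1], dst_ip, dst_port)

def demo():
    fw = DnatFirewall(DNAT_RULES)
    request = fw.inbound("5.4.3.2", 1111, "65.227.28.232", 88)
    reply = fw.outbound("192.168.2.99", 80, "5.4.3.2", 1111)
    unmatched = fw.inbound("5.4.3.2", 2222, "65.227.28.232", 443)  # no rule for port 443
    return request, reply, unmatched
```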

Another advanced protection mechanism is the VPN technology. To meet the demands of modern business, IT infrastructures must offer real-time communication and allow close cooperation between business partners, consultants, and branch offices. Increasingly, these demands are being met through the use of extranets, which usually operate either

• via dedicated lines, or

• unencrypted over the Internet.

Each of these approaches has advantages and disadvantages which must be balanced according to cost and security requirements.


Virtual Private Networks (VPN) provide a cost-effective solution to this problem: they can connect LANs over the Internet using encrypted connections, thus enabling secure, transparent, end-to-end communication without the need for leased lines. This is especially useful when an organization has many branch offices connected to the Internet. IPSec technology provides a standard model for these secure connections.

These secure connections can be used automatically, independent of the data being transferred – this protects the data without requiring extra configuration or passwords on the client systems.

At the other end of the connection, the data is transparently decoded and forwarded to the recipient in its original form.

The Firewall component of this security system is a hybrid of the preceding protection mechanisms, combining the advantages of each:

The Stateful Inspection Packet Filter offers the platform-independent flexibility to define, enable, and disable all necessary services.

The Proxies incorporated into this security system transform it into an Application Gateway capable of securing vital services such as HTTP, Mail and DNS. Further, the SOCKS proxy enables generic circuit-level proxying for all proxy-aware applications.

VPN, SNAT, DNAT, Masquerading and static routing capabilities make the firewall a powerful connection and control point on your network.
