Firewalls and virtual private networks (1998)
Authors: Harris, B. A.
The Internet has become a global computing phenomenon, and during the 1990s it has had more influence on the computer-communications industry than any other development in its history. Two major issues affect the development of the Internet for the 21st century: performance and security. This thesis is concerned with the latter, in particular with the issues raised by the interconnection of TCP/IP based networks across trusted and untrusted network domains. Four main topics are addressed: the common threats and vulnerabilities that affect the TCP/IP protocol suite at the Network, Transport and Application layers; the application of firewall architectures to counter the risks posed by TCP/IP connections between trusted and untrusted network domains; the independent evaluation and certification of firewall architectures; and the application of Virtual Private Network (VPN) technology to protect traffic carried over untrusted networks. The thesis examines the common threats and vulnerabilities that affect the current TCP/IP protocol suite, and hence the Internet. A firewall architecture can be a powerful tool for preventing attacks based on TCP/IP vulnerabilities; however, it is only as effective as the security policy it implements. Although firewalls benefit computer and network security, they suffer from several significant limitations: they cannot protect network traffic in transit, they cannot defend against insider abuse, and they cannot control the content that end users retrieve (e.g. virus-infected files, Java applets). Firewalls are often regarded as impregnable, yet they are certainly not immune to software and hardware vulnerabilities. This thesis therefore examines the independent evaluation and certification of firewall architectures, with particular focus on New Zealand and Australian efforts. The final section of the thesis examines the use of VPNs for securing network traffic.
Combining VPN and firewall technologies allows the security policy to be extended onto the network in the form of services such as confidentiality, integrity, non-repudiation and strong authentication.
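As an added example (not part of the thesis abstract and not the author's code), the following Python script implements a minimal first-match packet filter of the kind a screening router between a trusted and an untrusted domain would apply. It shows the abstract's point that the firewall is only as good as its policy: the same rule set admits or blocks an unsolicited inbound Telnet connection depending only on whether the unmatched-packet default is deny or allow. The rules, addresses, host roles and the `Packet`/`Rule` structures are hypothetical constructions for this illustration.

```python
"""First-match stateless packet filter (illustrative; hypothetical policy)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn_only: bool = False     # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    new_conn: Optional[bool] = None  # True: SYN only; False: non-SYN only; None: either

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.new_conn is not None and self.new_conn != pkt.syn_only:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default decides packets no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


TRUSTED = "10.0.0.0/8"   # hypothetical trusted domain

# Hypothetical screening-router policy: trusted hosts may open TCP connections
# outward, TCP replies (non-SYN segments) may come back in, and outsiders may
# open connections only to the mail relay on port 25. Nothing else is listed,
# so everything else falls through to the default.
POLICY = [
    Rule("allow", src=TRUSTED, proto="tcp"),
    Rule("allow", dst=TRUSTED, proto="tcp", new_conn=False),
    Rule("allow", dst="10.0.1.5/32", proto="tcp", dport=25, new_conn=True),
]

# Constructed sample packets crossing the trusted/untrusted boundary.
SAMPLE = {
    "outbound_http": Packet("10.0.2.20", "198.51.100.7", "tcp", 80, syn_only=True),
    "return_http": Packet("198.51.100.7", "10.0.2.20", "tcp", 40000, syn_only=False),
    "inbound_smtp": Packet("203.0.113.9", "10.0.1.5", "tcp", 25, syn_only=True),
    "inbound_telnet": Packet("203.0.113.9", "10.0.1.7", "tcp", 23, syn_only=True),
}


def decisions(default: str) -> dict:
    """Apply POLICY to every sample packet under the given default."""
    return {name: evaluate(POLICY, pkt, default) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for default in ("deny", "allow"):
        print(f"default={default}: {decisions(default)}")
```

With a default of deny, the unsolicited Telnet connection to 10.0.1.7 is dropped because no rule admits it; with a default of allow, the identical rule set lets it through, which is the policy failure the abstract warns about. The second rule also shows a limitation of stateless filters of this era: it admits any non-SYN TCP segment from outside, so an attacker can send ACK segments to trusted hosts and the policy relies on the end hosts to reject them. A stateful filter that tracks connections it has seen opened would close that gap.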