FireWall-1 Performance/Security Tuning
Footnotes
a It's really the endpoints, like the servers on your network, you need to secure, right? After all, that's where the sensitive data lives. You have password protection on your servers, and you've implemented other security measures there as well. You may even have an administrator for your servers who is security-savvy. However, are you willing to bet your company's private information in this way?
b Do you want to let perpetrators even begin to work against your server's security? Isn't it possible that your administrator might go home at night and miss the attack? Can't human errors in password security be made now and then? Firewalls are designed to afford you a very important second layer of protection. Security problems can be detected at this layer before any breach can begin on any of your data-sensitive servers.
c A firewall provides the means for implementing and enforcing a network access policy. In effect, a firewall provides access control to users and services. Thus, a network access policy can be enforced by a firewall, whereas without a firewall, such a policy depends entirely on the cooperation of users. A site may be able to depend on its own users for their cooperation; however, it cannot and should not depend on Internet users in general.
d All URLs shown in this article can change without notice.
e DHCP provides an automated mechanism to control the allocation of IP addresses and IP network configuration data to network IP clients. The DHCP system provides for the creation of pools of IP addresses and configuration data oriented around IP subnets. These pools can reflect physical design or logical design of an IP network. In the Meta IP system, the DHCP protocol is used by the DHCP service—the host system for this protocol in the Meta IP system—and the RADIUS service uses DHCP to provide IP configuration data to RADIUS clients.
f The UAM tracks and collates the information from dynamic IP address allocation and user network authentication. By combining this data in an open format, you allow other applications to access the data for network monitoring and policy-based management at the user level in dynamic environments.
g CAUTION: The information in this article is provided on an as-is basis. Performance recommendations contained herein can be followed at your own risk. Check Point, UnixWorld and the author bear no responsibility whatsoever for any damage resulting from following the recommendations contained in this article. Many techniques mentioned in this article require extensive administrative knowledge of FireWall-1 and the underlying server OS and should be implemented with caution. Nothing in this article should be viewed as a commitment by Check Point, UnixWorld and the author to release or maintain any product, version, feature or performance level at any time. The performance data in this article is based on what was obtained from the Check Point Performance Laboratory and may differ from the results obtained elsewhere.
Author Bio
John Vacca is an information technology consultant and author based in Pomeroy, Ohio. Since 1982, John has written 29 books and more than 350 articles in the areas of Internet and intranet security, programming, systems development, rapid application development, multimedia and the Internet. John was also a configuration management specialist, computer specialist and the computer security official for NASA's space station program (Freedom) and the International Space Station Program, from 1988 until his early retirement from NASA in 1995. His most recent books include Internet Security Secrets (IDG Books/Published Date: 1-96/Translations: Russian, German, Spanish and French); VRML: Bringing Virtual Reality to the Internet (AP Professional/Published Date: 4-96/Translations: German); JavaScript Development: Bringing Development and Customization to Intranets and the Internet (AP Professional/Published Date: 11-96/Translations: German); Official Netscape LiveWire Pro Book (Ventana/Published Date: 3-97); Intranet Security (Charles River Media/Published Date: 8-97/Translations: Russian and Chinese); VRML Clearly Explained, 2nd Edition (AP Professional/Published Date: 1-17-97); The Cabling Handbook (Prentice Hall/Publication Date: 9-98); MCSE: Implementing and Supporting Microsoft Systems Management Server 2.0 (Prentice Hall/Publication Date: 2-99); and Satellite Encryption (Academic Press/Publication Date: 8-99). John can be reached on the Internet at jvacca@hti.net.
End Notes
1 Check Point Software Technologies Ltd., Three Lagoon Drive, Suite 400, Redwood City, CA, 94065, 2000.
2 Ibid.
3 Ibid.
4 Ibid.
5 Ibid.
6 Ibid.
7 Ibid.
8 Ibid.
9 Ibid.
10 Ibid.