Information security on the Internet remains one of the most pressing issues today. With this in mind, the authors introduce readers to an effective means of protection, the firewall (in Russian regulatory terminology, the "internetwork screen"), and offer a survey of the Russian market for certified devices.
Pros and cons
Recent years have been marked by an expansion of the information resources accessible through the Internet. Many organizations today connect their local networks to it so that their workstations can reach these internetwork resources. The Internet has become a vital and constantly growing global network that has changed the way many people live and think. At the same time it has given rise to many problems, above all in the area of security, since the most common protocols used for exchanging data provide no protection against interception. There are several reasons for this situation:
- the original absence of a security policy: as the operating principles of the Internet were developed, the main effort went into making information exchange convenient, and many networks were designed without any mechanism for controlling access from the Internet;
- the vulnerability of the basic services: the base protocol of the Internet is the TCP/IP protocol suite, whose service programs offer no security guarantees;
- the absence of encryption for most of the information transferred over the Internet, which makes it possible to monitor data links: electronic mail, passwords and transferred files can easily be intercepted by an attacker using freely available programs;
- the complexity of configuration: access control tools are often hard to set up and manage, which leads to misconfiguration and, in turn, to unauthorized access.
For these reasons the administrator of a corporate network constantly faces the problem of protecting the resources of the local network from unauthorized access. The problem is especially acute for organizations that handle sensitive information, whether financial data or information touching on national interests.
How hackers exploit Internet vulnerabilities
The current state of software makes it possible for a sufficiently skilled hacker who knows the TCP/IP protocol stack to connect to a remote system without authorization, hijack the connections of legitimate users, and even obtain administrator (superuser) privileges.
Many vendors have developed software products (SATAN, COPS and others) to help system administrators find and close "holes" in their security. In practice, however, these products are frequently used by hackers, with the sole difference that the intruders are in no hurry to close the holes they find; on the contrary, they use them for their own purposes.
When designing information protection for a corporate network, the following must be taken into account:
- the network does not ensure the security (confidentiality and integrity) of data;
- the network does not ensure the quality and availability of interaction between applications;
- the network must protect its own resources;
- the network is divided into security subnetworks;
- subnetworks may have different security policies;
- subnetworks must be separated by firewalls.
Specifics of protecting corporate networks
The fact that the Internet provides no effective means of protection drives the search for them. All of these problems stem from the openness that was built into Unix systems from the start. Conceived as a system for shared use at universities, Unix was only later, and somewhat artificially, supplemented with protection features. Moreover, security requirements in existing Unix systems are not standardized, so administrators have to orient themselves to the specific software platform in use.
Protecting the information resources of corporate networks is further complicated by the fact that such networks most often consist of subnetworks or segments. A protected network may therefore contain segments of differing exposure:
- freely accessible (WWW server, FTP server);
- with limited access;
- closed to access.
The rules for accessing these resources must be defined by the administration so as, on the one hand, to prevent unauthorized access to protected information resources and, on the other, to give users the greatest possible transparency in working with the information they need.
Firewalls (internetwork screens, IS). General characteristics
Given the urgency of protecting networks that use the TCP/IP protocols, the State Technical Commission under the President of the Russian Federation published on 25 June 1997 the guidance document "Computer equipment. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (hereafter the RD on firewalls) as a supplement to the 1992 guidance documents "Computer equipment. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" and "Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection" (the RD on AS).
The RD on firewalls defines a firewall as "a local (single-component) or functionally distributed software (or hardware-software) tool (complex) that controls the information entering and/or leaving an automated system (AS). A firewall protects the AS by filtering information, that is, by analysing it against a set of criteria and deciding whether to pass it into (or out of) the AS according to assigned rules, thereby enforcing the separation of access between the subjects of one AS and the objects of another AS. Each rule forbids or permits the transfer of a particular kind of information between subjects and objects. As a consequence, subjects of one AS obtain access only to the permitted information objects of another AS. The set of rules is interpreted by a sequence of filters that permit or forbid the transfer of data (packets) to the next filter or protocol level."
Usually a firewall protects a company's internal network from intrusions from the Internet. It can, however, also be used to protect against attacks from, for example, a corporate intranet to which your network is connected. As with any other network protection mechanism, the organization that draws up the specific security policy must, among other things, define which kinds of TCP/IP traffic the firewall will treat as "authorized". For example, it must decide whether users' access to specific TCP/IP-based services will be restricted and, if so, to what extent. Formulating the security policy will make clear which firewall components you need and how to configure them to enforce the access restrictions you have set.
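As an added illustration of the "sequence of filters" in the definition above and of the three segment types from the previous section (example code, not from the article or any certified product), here is a minimal first-match packet filter in Python; the address ranges, the hostile source range and the rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    proto: str = "any"            # "any", "tcp" or "udp"
    dport: Optional[int] = None   # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule in the ordered chain decides; no match means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny: traffic the policy never permitted is dropped

# Constructed address plan (not from the article): the three segment
# types of the previous section, plus the corporate intranet.
ANY = "0.0.0.0/0"
INTRANET = "10.0.0.0/8"
PUBLIC = "192.0.2.0/24"     # WWW and FTP servers, freely accessible
LIMITED = "10.10.0.0/16"    # limited access: intranet hosts only
CLOSED = "10.20.0.0/16"     # closed segment: reachable from nowhere

POLICY = [
    Rule("deny", "198.51.100.0/24", ANY),      # constructed hostile range, checked first
    Rule("permit", ANY, PUBLIC, "tcp", 80),    # WWW
    Rule("permit", ANY, PUBLIC, "tcp", 21),    # FTP control channel
    Rule("permit", INTRANET, LIMITED),         # any protocol from the intranet
    Rule("deny", ANY, CLOSED),                 # explicit, though default deny covers it
]

def check(src: str, dst: str, proto: str, dport: int) -> str:
    return filter_packet(POLICY, Packet(src, dst, proto, dport))
```

Rule order matters: the hostile range is denied even for the public WWW port because its rule is evaluated first.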