Furthermore, the administrator considers that a certain threat may come from a specific subnetwork, 194.226.55.0/24, of the 194.226 network, and wants to forbid access from it to its machines.
Rule s is the default rule: it comes into effect if a packet does not match the conditions set out in the first two rules.
The key advantage of packet filters (PF) is the low cost of implementing them and their minimal effect on network performance. If the network already contains hardware or software capable of filtering IP packets (for example, products from Cisco Systems, Bay Networks or Novell), setting up the screen costs nothing at all, apart from the time spent on writing the packet filtering rules.
As for the deficiencies of PF, the main one is lower reliability than other types of screens. Another drawback is the absence of user authentication. In short, this protection cannot be considered complete.
In practice, packet filtering in a firewall is usually combined with other architectures, most often with stateful inspection. The result is an expert-level screen which, like a packet filter, checks the IP packet headers, but in addition remembers the identifiers of all connections and discards these entries once the session is completed. The stateful inspection mechanism is implemented in Checkpoint Firewall v 1.2.
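As an added example (not code from the original article or from any product it names), the following Python models both ideas above: an ordered rule list ending in a default rule, with the distrusted 194.226.55.0/24 subnet denied, and a connection table on top of it that remembers accepted connections and forgets them when the session closes. The rule tuple format, the Packet fields and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # first packet of a new connection
    fin: bool = False   # connection is being closed

# Ordered static rules: (action, source network, destination port or None for any).
# The first matching rule wins; the last entry is the default rule that applies
# when a packet matches none of the rules before it.
RULES = [
    ("deny", "194.226.55.0/24", None),   # the distrusted subnet from the text
    ("allow", "0.0.0.0/0", 80),          # anyone may reach the web server
    ("deny", "0.0.0.0/0", None),         # default rule
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = [(a, ipaddress.ip_network(n), p) for a, n, p in rules]
        self.connections = set()   # (src, sport, dst, dport) of open connections

    def static_decision(self, pkt):
        """Plain packet filtering: walk the rules in order, first match wins."""
        for action, net, port in self.rules:
            if ipaddress.ip_address(pkt.src) in net and port in (None, pkt.dport):
                return action
        return "deny"   # only reached if the rule list lacks a default rule

    def filter(self, pkt):
        """Stateful inspection on top of the static rules."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections or reply in self.connections:
            if pkt.fin:   # simplified: forget the connection on the first FIN
                self.connections.discard(key)
                self.connections.discard(reply)
            return "allow"   # packet belongs to a remembered connection
        if not pkt.syn:
            return "deny"    # neither a known connection nor the start of a new one
        decision = self.static_decision(pkt)
        if decision == "allow":
            self.connections.add(key)   # remember the accepted connection
        return decision
```

Reply packets are allowed only because the outbound connection was remembered; once the FIN is seen, the same reply is denied again.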
Screening gateways
A firewall can also be built from screening agents (proxies), which establish the connection between the subject and the object and then relay the data, performing control and/or logging. Using screening agents adds one more screening function: the true object is concealed from the subject, while the subject believes it is interacting with the object directly. Usually the screen is not symmetrical; the notions of "inside" and "outside" are defined for it. In this case the screening task is formulated as protecting the inside from the uncontrolled and potentially hostile outside.
High-level TCP and UDP services based on packet exchange assume that the sender address indicated in a packet is genuine. In other words, the IP address is the basis for the screen's decision: the packet is considered to have been sent by an existing host, and precisely by the one whose address appears in the packet. IP has an option called "source routing", which can be used to specify the exact forward and return route between sender and recipient. This option makes it possible to forward packets through hosts that are normally not used for passing packets from one machine to another. For some services a packet that arrives with this option appears to have been sent by the last host in the route chain rather than by the true sender. This feature of IP must be taken into account when the interior is protected from the uncontrolled and potentially hostile exterior.
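An added example, not taken from the article: a screen that does not want to trust source-routed packets has to find the option in the IPv4 header itself. The parser below walks the option field (option types 131 and 137 are the loose and strict source route options of RFC 791) and returns the listed hops, so the screen can log or drop such packets; the header builder and the sample addresses are constructed for the illustration.

```python
import struct

LSRR, SSRR = 131, 137   # loose / strict source route option types (RFC 791)

def source_route_hops(header: bytes):
    """Return the hop addresses from a source-route option, or None when the
    header carries none. Raises ValueError on a malformed header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("bad version or IHL")
    i = 20                       # options start after the fixed 20-byte header
    while i < ihl:
        kind = header[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        if kind in (LSRR, SSRR):
            data = header[i + 3:i + length]   # skip type, length and pointer
            return [".".join(str(b) for b in data[j:j + 4])
                    for j in range(0, len(data) - len(data) % 4, 4)]
        i += length
    return None

def build_header(src, dst, options=b""):
    """Constructed IPv4 header (checksum left zero) with optional IP options."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0,
                        bytes(map(int, src.split("."))),
                        bytes(map(int, dst.split("."))))
    return fixed + options

# Constructed samples: a plain header and one with a loose source route
# through 203.0.113.9 and then 198.51.100.2 (option length 3 + 2 * 4 = 11).
PLAIN = build_header("192.0.2.1", "10.0.0.5")
ROUTED = build_header("192.0.2.1", "10.0.0.5",
                      bytes([LSRR, 11, 4, 203, 0, 113, 9, 198, 51, 100, 2]))
```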
Application-level gateway
On receiving a request, the application-level proxy server starts the appropriate service on the gateway, which checks the data being transferred. Such services exist for all standard services, such as telnet, ftp, http and so on. An authentication server is also used, which determines whether a given service is accessible to a given user. All this, of course, increases the protection of the system, but adversely affects the speed and transparency of its operation.
The operation of a proxy server can be examined using the example of the TIS FWTK software package from Trusted Information Systems. This product is not a finished firewall but a toolkit for building one. The package is designed for installation on a number of Unix systems, such as BSD, Solaris, SunOS, Linux and so on. After installation the package replaces the existing service daemons invoked from /etc/rc with correspondingly modified ones. Then, on receiving a request for a specific application, the corresponding daemon consults the special configuration file /usr/local/etc/netperm-table, in which the rules for passing information through this network are specified. The daemon reads the rules sequentially, and when it encounters one that relates to it, the incoming request is checked against that rule and a decision is made to allow or deny the packet.
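The sequential lookup just described, as an added example that is not FWTK's own code: each line of a netperm-table style file names the daemon(s) it applies to, a keyword and its arguments, and a proxy daemon takes the first permit-hosts or deny-hosts line that belongs to it and matches the client. The sample table, the wildcard host patterns and the "no matching rule means deny" semantics are assumptions of this illustration, not a description of the real product's behaviour.

```python
import fnmatch

# Constructed table in netperm-table style: "<daemon list or *>: <keyword> <args...>"
NETPERM_TABLE = """\
# comment lines and blank lines are ignored
*:          authserver    127.0.0.1 7777
tn-gw:      permit-hosts  192.0.2.* -passok
tn-gw:      deny-hosts    *
ftp-gw:     deny-hosts    198.51.100.*
ftp-gw:     permit-hosts  *
"""

def parse_table(text):
    """Return (daemons, keyword, args) tuples in file order; order is the policy."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        apps, _, rest = line.partition(":")
        parts = rest.split()
        if not parts:
            continue                            # malformed line: no keyword
        daemons = [a.strip() for a in apps.split(",")]
        rules.append((daemons, parts[0], parts[1:]))
    return rules

def decide(daemon, client_ip, rules):
    """Return 'permit' or 'deny' for client_ip using the first host rule that
    belongs to this daemon; a daemon with no applicable host rule denies."""
    for daemons, keyword, args in rules:
        if daemon not in daemons and "*" not in daemons:
            continue            # rule belongs to another daemon
        if keyword not in ("permit-hosts", "deny-hosts") or not args:
            continue            # e.g. authserver, timeout: not a host rule
        pattern = args[0]       # remaining args are per-host flags such as -passok
        if fnmatch.fnmatchcase(client_ip, pattern):
            return "permit" if keyword == "permit-hosts" else "deny"
    return "deny"
```

Because the first applicable rule wins, swapping the two ftp-gw lines would let 198.51.100.* through, which is the usual way such sequential tables are misconfigured.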
Additional forms of protection
Most existing commercial firewall systems also provide concealment of the internal structure of the organization's IP network (so-called network address translation, NAT). Usually a firewall is configured with at least two interfaces: an internal one for the local network and an external one. In addition, the firewall can have an interface for connecting the so-called demilitarized zone, which holds the Web and FTP servers.
Commercial firewall products often have a graphical user interface (GUI) and powerful administration tools that make it possible to formulate flexible filtering rules. However, the vendors of these products state that using the GUI slows the system down, and advise running it from the command line. Furthermore, a serious firewall must support remote configuration and control of the system, as well as event logging, for example of unauthorized access attempts and the like.