13. Complete the text by translating Russian phrases given in brackets.
Like every other component or device in your network, firewalls also (1 необходимо модернизировать ) so that they can continue to perform and respond to new threats.
Not that you should be pessimist, but (2 если Вы считаете, что Ваш межсетевой экран устарел еще в тот день, когда Вы его установили), you will be more able to cope with the constant need to update and cover the new services under your firewall, sometimes, if you have a packet filtering firewall, you may even need to recycle it.
Of course, (3 Вам нужен доступ к Интернет-почте и новостям), vendors, and other users to be a part of the dialog about changes in network security practices. Just as with application upgrades, (4 необходимо добавить новую услугу в Вашу сеть) the day it is issued from the vendors. (5 безопаснее немного подождать и понаблюдать) while the market “shakes out“ the bugs and (6 и будут разработаны новые стратегии безопасности). But without a doubt, (7 Ваш межсетевой экран не вечен), and eventually you will need to recycle it, update it to say the least.
14. Translate into English the following passage.
Для эффективного построения распределенных информационных технологий необходимо участие пользователя в функциях, выполняемых в распределенных устройствах, часто удаленных от места положения самого пользователя. В связи с этим встает задача идентификации и аутентификации пользователей в различных компонентах распределенной системы и программной инфраструктуры в зависимости от выполняемых бизнес-процессов. Существует классификация взаимодействия различных пользователей, которая требует различных решений по идентификации и аутентификации и защите информации в целом. Для служащих компании аутентификация должна позволить обеспечить доступ к различным распределенным приложениям, обеспечивая интеграцию различных приложений и в то же время устанавливая заданные требования по безопасности (В2Е).
Для покупателей и пользователей услуг идентификация и аутентификация должны позволять обеспечить доступ к услугам информационной системы при обеспечении заданных требований по безопасности (В2С). Для бизнес-партнеров идентификация и аутентификация в распределенной системе должны обеспечивать требуемые партнерские отношения и одновременно уменьшить риск от враждебных транзакций (В2В). В различных источниках описано множество примеров развития требований к идентификации и аутентификации в связи с совершенствованием информационных технологий и расширением электронного бизнеса.
15. Text 2. Read the second part of the article and write one sentence to characterize each type of firewall architecture.
On occasion companies choose to implement a firewall based solely on a single machine, be it a router or host. More often than not, however, the stronger firewalls are composed of multiple parts. In this section, we'll take a look at what we consider the five most common types of firewall architectures: the screening router, the dual homed gateway, the screened gateway, the screened subnet, and the "belt-and-suspenders" firewall.
Screening Router
The simplest way to implement a firewall is by placing packet filters on the router itself. This architecture is completely transparent to all parties involved, but leaves us with a single point of failure. Moreover, since routers are primarily designed to route traffic, the default failure mode on routers is usually to pass traffic to another interface. (Although most routers include an implied"... and deny everything else" statement at the end of an access list, we are referring more to the possibility of a failure in the security mechanism.) If something were to happen to the router access control mechanism (such as the vulnerability found in one router vendor's software in early 1995), then the possibility would exist for unauthorized traffic to find its way into the network or for proprietary information to "leak" out of the network.
Moreover, screening routers tend to violate the choke point principle of firewalls. Although all traffic does pass through the router at one point or another, the router merely passes the traffic on to its ultimate destination. Each and every potential destination within the network, rather than just a single choke point, must therefore be secured. Although screening routers can be an important part of a firewall architecture, we don't consider them adequate firewall mechanisms on their own.
Dual-Homed Gateways
Another common architecture places a single machine with two networks as a dual-homed gateway. Such gateway can be used as a generic dual-homed gateway, as described earlier, in which all users must log in to the machine before proceeding on to the other network, or as a host for proxy servers, in which user accounts are not required.
From a "fail-safe" perspective, dual-homed gateways offer a step up from the simple screening router. Because most host-based systems such as these have packet forwarding disabled by default, passing traffic without configuring the host to do so is nearly impossible. As a result, the failure mode of dual-homed gateways is usually more robust than that of screening routers. Nevertheless, as we discussed earlier in this chapter, dual-homed gateways have certain feasibility and usability problems that don't always make them easy to use.
Screened Host Gateway
Now let's take a look at how hosts and routers can be used together in a firewall architecture. One of the most common combinations in use today is the screened host gateway.
In the screened host gateway scenario, the router is still the first line of defense. All packet filtering and access control is performed at the router. The router permits only that traffic that the policy explicitly identifies, and further restricts incoming connections to the host gateway. This gateway performs a number of functions:
1. It acts as the name server for the entire corporate network.
2. It serves as a "public" information server, offering Web and anonymous FTP access to the world.
3. It serves as a gateway from which external parties can communicate with internal machines.
It is fairly straightforward to implement public servers such as FTP, Web, and DNS, but this machine must have modified servers to handle other individual protocols such as incoming telnet and non anonymous FTP. These servers can be modified in one of two ways: they can be replaced with proxy servers, such as those described earlier, and they can be made capable of communicating with a separate authentication server. This architecture has two major drawbacks:
The gateway host must run a number of services, in order to be able to offer them to external users. if proxy servers are not used, user accounts must also be established on the gateway. Both of these items tend to create attractive targets to a potential intruder, who will now have additional passwords to try and guess, and additional services to try and break.
The gateway still provides a single point of failure - if anything were to happen to an individual service on the machine, such as a DNS server crash or a flaw in the Web server, then the entire Internet connection could be shut down or compromised.
Nevertheless, screened host gateways remain a popular implementation, since they allow companies to easily enforce various security policies in different directions without much inconvenience to internal users. Moreover, they are relatively easy to implement, using a standard router and a single host machine. Screened gateways provide a substantial improvement over both screening routers and dual homed gateways.
Screened Subnet
The screened subnet approach takes the idea of a screened host gateway one step further. The screening router is still present as the first point of entry into the corporate network, and screens incoming traffic between the Internet and the public hosts. Rather than a single gateway, as in the screened host gateway approach, however the functions of that gateway are spread among multiple hosts. One of the hosts could be a Web server, another could serve as the anonymous FTP server, and yet a third as the proxy server host, from which all connections to and from the internal corporate are made.
Functionally, the screened subnet is similar to the screened host gateway: the router protects the gateway from the Internet, and the gateway protects the internal network from the Internet and other public hosts. One distinct advantage that the subnet has over the screened gateway is that it is much easier to implement a screened subnet using "stripped down" hosts, that is, each host on the subnet can be configured to run only those services it is required to server, thus providing an intruder with fewer potential targets on each machine. Furthermore, the machines on the subnet can be made equally accessible to clients on the internal network as well as Internet-based clients.
The internal machines need not treat the machines on the subnet any differently than they would any other "external" machines on the Internet. In fact, if this approach is taken, a screened subnet can significantly increase the potential security of a network, as any compromise of an external machine (except, perhaps, for the gateway machine with the proxy servers running) is unlikely to provide access into the internal network.
Belt and Suspenders Approach
A final architecture takes the idea of the screened subnet and extend still another step further. The principles are the same as the subnet architecture: an external screening router protects "public" machines from the Internet. Instead of a gateway running proxy server software as well as protecting the internal network, however, those functions are split: the proxy server host now resides on the DMZ subnet, while an internal screening router serves to protect the internal network from the public machines. This architecture is often called the "belt-and-suspenders" architecture.
The belt-and-suspenders architecture is only subtly different from the screened subnet, but the difference is important from a security point of view. Whereas the subnet relies on the proxy servers to perform all access control to and from the internal network, the belt-and-suspenders approach relies on the proxy server as the first line of authentication defense, but the internal router serves to back up the server, as well as to protect the internal network from the machines on the public network.
