
ABSTRACT

Computer networks are nothing new today. Almost every company has a computer network to ease the flow of information within the company. The Internet, whose popularity keeps growing, is a giant computer network: a network of interconnected computers that can interact with each other, made possible by the very rapid development of network technology. But being connected to the Internet can also be a dangerous threat; many attacks can come from inside or outside, such as viruses, trojans, and hackers. In the end, computer security and computer network security play an important role here. A good, optimized firewall configuration reduces these threats. There are 3 types of firewall configuration: the screened host firewall system (single-homed bastion), the screened host firewall system (dual-homed bastion), and the screened subnet firewall. The firewall must also be configured to open the right ports for the Internet connection, because by configuring these ports a firewall can filter incoming packets in accordance with the policy. The firewall architecture is then used to optimize the firewall on the network.

CHAPTER I

Introduction
1.1. Background

The Internet is often referred to as a world without borders. All kinds of information can be found on the Internet and anyone can access that information. Along with the development of information technology, the Internet not only makes a positive contribution to life but is also a threat. The more frightening threats come from cyberspace, ranging from viruses, trojans and phishing to crackers who can meddle with the security of computer systems. Being connected to the Internet is like opening a door through which the computer can be accessed by anyone. Through that door you can very easily explore the wilderness of cyberspace, whether for shopping online, reading news, sending e-mail, and so forth. But through that same door hackers can enter and easily meddle with, or even take control of, a computer system. On many occasions we need to decide which option should be trusted and which should not, even when something comes from a trusted source and seems safe to run. You may receive an e-mail from a trusted source that includes a link and click on it; but who would have thought that through that link hackers could slip in a malicious program to spy on the computer without your knowledge. For this reason the computer needs a fort to protect it from malicious threats on the Internet. In the virtual world this fortress is called a firewall. Computer security and computer network security, especially for networks connected to the Internet, must be planned and coordinated in order to protect the resources and the investment in them. Information (data) and services have become very important commodities. The ability to access and provide information quickly and accurately is essential for an organization, be it a commercial organization (company), a university, a government agency, or an individual (private).

1.2. Objective

Based on the background above, the purpose of this study is to optimize the firewall on the network so as to reduce the threats found in the Internet world and make surfing the Internet more comfortable.

1.3. Research Method

The research method used in writing this paper is a literature study. With this method the author collected various information relating to the subject matter of this paper.

CHAPTER II Theoretical Basis

2.1. Computer Networks

A computer network is a collection of computers, printers and other equipment that are connected together. Information and data move through the wires, enabling network users to exchange documents and data, print on the same printer and jointly use hardware / software connected to the network. Each computer, printer or peripheral connected to the network is called a node. A computer network can have two, tens, thousands or even millions of nodes. A network usually consists of 2 or more computers interconnected with each other that share resources such as CD-ROMs and printers, exchange files, or allow them to communicate with each other electronically.

2.1.1. Types of Networks

There are 3 different types of networks:

1. Local Area Network (LAN)

A LAN is a network limited to a relatively small area, generally bounded by an environment such as an office area in a building or a school, and usually not extending beyond about 1 sq. km.

2. Metropolitan Area Network (MAN)

A MAN typically covers a larger area than a LAN, for example between regions within a province. In this case the network links several small networks into a larger environment, for example a bank network in which several branches of a bank in major cities are connected to each other.

3. Wide Area Network (WAN)

A Wide Area Network (WAN) is a network whose scope is usually reached by means of satellite or submarine cable, for example the whole BANK BNI network in Indonesia or networks that exist in other countries.

2.2. Firewall

The Internet is an open computer network spanning the world; the consequence that must be accepted is that there is no guarantee of security for a network connected to the Internet. This means that if the operator is not careful in setting up the system, unauthorized parties from the outside will most likely find it easy to enter the network connected to the Internet. It is the duty of the operator concerned to reduce these risks to a minimum. Depending on the strategy chosen and the skill of the network administrator, it is easy or hard to tell whether a network has been penetrated or not. A firewall is a tool to implement the security policy. The security policy, in turn, is based on the balance between the facilities provided and their security implications. The more stringent the security policy, the more complex the configuration of information services, or the fewer facilities are available on the network. Conversely, the more facilities are available or the simpler the configuration applied, the more easily 'nosy' people from outside get into the system (a direct result of the weakness of the security policy). In the real world, a firewall is a wall that separates rooms so that a fire in one room does not spread to other rooms. On the Internet, however, a firewall is more like the defenses around a fort, maintained against external attack. Its purposes are:

1. to restrict the movement of people entering the internal network;
2. to restrict the movement of people leaving the internal network;
3. to prevent attackers from approaching, by means of a layered defense.

So traffic in and out must be acceptable to the firewall. A firewall is a combination of routers, servers, and appropriate complementary software. A firewall is a way / system / mechanism applied to hardware, software or the system itself in order to protect, by filtering, limiting or even rejecting some or all connections / activities between a segment of the private network and the outside network that is not within its scope. These segments can be a workstation, server, router, or your local area network (LAN).

Source : Internet article (Firewall)

(Building Internet Firewalls, by Chapman and Zwicky). A firewall is a system or group of systems that enforces an access control policy between two networks (http://www.clark.net/pub/mjr/pubs/fwfaq/). The main purpose of a firewall system is to control access to or from a protected network. It implements a network access policy by forcing connections to pass through the firewall, where they can be examined and evaluated (http://csrc.ncsl.nist.gov/nistpubs/800-10/node31.html).

2.2.1. Firewall Tasks

Firewalls are generally designed to serve:

1. Machines / computers: each machine is a computer directly connected to the external network or the Internet whose owner wants everything on the computer protected.

2. Networks: a computer network consisting of more than one computer, whatever network topology is used, whether owned by a company, an organization, etc.

A firewall has several tasks. First and most importantly: to implement the network security policy (site security policy). If some action is not allowed by this policy, the firewall must ensure that every attempt at that operation fails or is defeated. Thus all illegal (unauthorized) inter-network access will be rejected.

Perform filtering: require all traffic to pass through the firewall for all delivery and use of information. In this context, the flow of data packets to / from the firewall is selected based on IP address, port number, or direction, and adapted to the security policy. Firewalls should also be able to record suspicious events and notify administrators of all attempts to breach the security policy. There are some things a firewall cannot do:

1. Firewalls cannot protect against insiders.
2. Firewalls cannot protect against traffic that does not pass through the firewall (not through the choke point). For example, if someone installs a dial-up service, the network can be accessed via modem.
3. Firewalls cannot protect the internal network against new models of attack.
4. Firewalls cannot protect the network against viruses.

Source : Internet article (Personal Firewall Module)

2.2.2. Firewall Characteristics

1. All connections / activities from inside to outside pass through the firewall. This can be done by physically blocking / limiting all access to the local network except through the firewall. There are many possible forms of network.

2. Only listed / known activities may pass through; this is done by adjusting the local security policy in the configuration. There are many types of firewall to choose from as well as various types of policy on offer.

3. The firewall itself should be relatively strong or invulnerable to attacks / weaknesses. This means using reliable systems and a relatively secure operating system.
2.2.3. Techniques Used by Firewalls

1. Service control: based on the types of services used on the Internet that may be accessed either into or out of the firewall. Usually the firewall checks the IP address and port number in use, for both TCP and UDP, and can even include proxy software that receives and interprets each request for a service before allowing it. It can even be software on the server itself, such as for web or mail services.

2. Direction control: based on the direction of the various requests to the services that will be recognized and permitted through the firewall.

3. User control: based on which user may run a service; that is, one user can run a service and another cannot, because that user is not allowed to pass through the firewall. Typically used to restrict users on the local network from accessing the outside, but it can also be applied to restrict users from outside.

4. Behavior control: based on how a service is used. For example, a firewall can filter email to overcome / prevent spam.

2.2.4. Types of Firewalls

1. Packet Filtering Router

Packet filtering is applied by handling every IP packet directed to, passing through or addressed to the packet filter. In this type, each packet is either received and forwarded or rejected. The packet filter is configured to filter packets transferred in both directions (both to and from the local network). Filtering rules are based on the IP header and transport header, including the source address (IP) and destination address (IP), the transport protocol in use (UDP, TCP), and the port number used. The advantages of this type are that it is easy to implement, transparent to users, and relatively fast. The weaknesses are that it is quite complicated to set up so that packets are filtered appropriately, and it is weak in terms of authentication. The attacks that can occur on a firewall of this type are:

IP address spoofing: an intruder from the outside can do this by using an IP address of the local network that is allowed to pass through the firewall.

Source routing attacks: this type of firewall does not analyze the IP source routing information, making it possible to bypass the firewall.

Tiny fragment attacks: the intruder divides the IP packet into smaller parts (fragments) and forces the TCP header information to be split across them. This type of attack is designed to fool filtering rules that depend on information from the TCP header. The attacker hopes that only the first fragment will be checked and the rest will pass freely. This case can be handled by rejecting every TCP packet whose IP fragment offset = 1.

Source : Internet article (Ammar-Firewall)

2. Application-Level Gateway

An application-level gateway, commonly also known as a proxy server, serves to reinforce / channel application flows. This type manages all connections at the application layer, whether FTP, HTTP, GOPHER, etc. It works as follows: if a user uses an application such as FTP to access a remote host, the gateway prompts the user for the address of the remote host to be accessed. When the user sends the user ID and other relevant information, the gateway makes a connection to the application on the remote host and relays data between the two points. If the data does not match, the firewall will not forward it and rejects the data. Furthermore, this type of firewall can be configured to support only a few applications and reject other applications that try to pass through the firewall. The advantage is that it is relatively safer than the packet filtering router type, and it is easier to inspect and log all incoming data streams at the application level. The drawback is the excessive additional processing on each connection: every connection results in two connections, between the user and the gateway and between the gateway and the remote host, where the gateway checks and forwards all of the two-way flow.

Source : Internet article (Ammar-Firewall)

3. Circuit-level Gateway

The third type can be a stand-alone system, or it may be a special function formed within an application-level gateway. This type does not allow direct end-to-end TCP connections.

How it works: the gateway sets up two TCP connections, one between itself and the TCP of the local user (inner host) and another between itself and the TCP of the external user (outside host). Once both connections are established, the gateway relays TCP segments from one connection to the other without checking the contents. The security function lies in determining which connections are allowed. This type is usually used because the administrator trusts the internal users.


Source : Internet article (Ammar-Firewall)

2.2.5. Planning a Network with a Firewall

Planning a firewall system on the network is closely related to what type of facilities will be provided to users, the level of security risk that can be accepted, and how much time, money and expertise are available (technical and economic factors). Firewalls generally consist of a filter (also called a screen or choke) and a gateway (gate). The filter functions to restrict access, narrow channels, or block certain traffic classes. Such access restriction is meant to reduce the function of the network, so to keep network communication working in a firewalled environment, two ways are generally taken:

First, if we think of ourselves as being in a network protected by a fort, communication can take place through the fort's exit doors. This way is known as packet filtering, where the filter is used to reject traffic on channels that are not used or that carry a large enough security risk, while traffic on the other channels is still allowed. Different policies can be applied to perform packet filtering. Essentially, a controlled mechanism decides what data flow is allowed from and / or to the internal network, using several parameters contained in the packet header: direction (inbound or outbound), source and destination address, source and destination port, and the type of transport protocol. The router evaluates the information in each data packet flowing through it, then determines the action to be performed on the packet based on a set of rules / programs in the packet filter. So the router's basic routing decision becomes part of the network security policy. The following table shows a sample packet-filtering configuration that provides only inbound and outbound SMTP on the network.


Source : http://www.klik-kanan.com/fokus/firewall4.shtml

Rules A and B serve inbound SMTP connections (incoming email), rules C and D serve outbound SMTP connections (outgoing email), and rule E is the default rule applied if the previous rules do not match. Looked at more closely, besides SMTP traffic this configuration still allows connections in and out on ports > 1023 (rules B and D), so there is a possibility for programs such as the X11 server (port 6000), OpenWindows (port 2000), or most database programs (Sybase, Oracle, Informix, etc.) to be reached from the outside. To close this possibility, other parameters must be evaluated, such as the source port. In this way the only gap through the firewall is via the SMTP port. If we are still not sure of the honesty of the users of this port, further evaluation of the ACK information can be done.

The second way uses a proxy system, where every communication between the two networks must be made through an intermediary, in this case the proxy server. Some protocols, such as telnet and SMTP (Simple Mail Transport Protocol), are more effectively handled by packet evaluation (packet filtering), while others such as FTP (File Transfer Protocol), Archie, Gopher and HTTP (Hyper-Text Transport Protocol) are more effectively handled by a proxy system. Most firewalls use a combination of the two techniques (packet filtering and proxy). In a network that implements a proxy system, communication links to the Internet are made through a delegation system. A computer that can be recognized by the Internet acts as a 'representative' for other machines wanting to connect to the outside. A proxy server for a particular protocol runs on a dual-homed host or bastion host with which all users on the network can communicate, and the proxy server then acts as the delegate. In other words each client program connects to the proxy server, and the proxy server connects to the real server on the Internet. The proxy server evaluates each connection request from a client and decides which are allowed and which are not. When a connection request is approved, the proxy server relays the request to the real server.
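The rule table discussed above, modelled as an added example (not the paper's own code or table): rules A to E are reconstructed from the description in the text (A/B inbound SMTP, C/D outbound SMTP, E default deny), and a second table adds the source-port and ACK evaluation the text recommends, so the X11 port 6000 case can be checked against both.

```python
"""Stateless packet-filter rule tables for inbound/outbound SMTP.

Added example, not from the paper. The contents of rules A-E are
reconstructed from the paper's description (A/B inbound SMTP, C/D
outbound SMTP, E default deny); the HARDENED table adds the source-port
and ACK evaluation the paper recommends to close the >1023 gap.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = from the Internet, "out" = to the Internet
    proto: str            # "tcp", "udp", ...
    src_port: int
    dst_port: int
    ack: bool = False     # TCP ACK flag; a brand-new connection (SYN) lacks it


@dataclass(frozen=True)
class Rule:
    name: str
    direction: Optional[str]                   # None matches anything
    proto: Optional[str]
    src_port: Optional[Callable[[int], bool]]
    dst_port: Optional[Callable[[int], bool]]
    ack: Optional[bool]
    action: str                                # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.src_port is None or self.src_port(p.src_port))
                and (self.dst_port is None or self.dst_port(p.dst_port))
                and (self.ack is None or self.ack == p.ack))


ANY = None
SMTP = lambda port: port == 25       # noqa: E731
HIGH = lambda port: port > 1023      # noqa: E731


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    raise ValueError("rule table has no default rule")


# Table as the paper describes it: only direction, protocol and
# destination port are evaluated.
NAIVE = [
    Rule("A", "in",  "tcp", ANY, SMTP, ANY, "permit"),  # mail arriving
    Rule("B", "out", "tcp", ANY, HIGH, ANY, "permit"),  # our replies to the sender
    Rule("C", "out", "tcp", ANY, SMTP, ANY, "permit"),  # mail leaving
    Rule("D", "in",  "tcp", ANY, HIGH, ANY, "permit"),  # remote server's replies
    Rule("E", ANY,   ANY,   ANY, ANY,  ANY, "deny"),    # default
]

# Hardened table: the >1023 rules also require source port 25 and the
# ACK flag, so they only ever match replies to an SMTP session.
HARDENED = [
    Rule("A", "in",  "tcp", ANY,  SMTP, ANY,  "permit"),
    Rule("B", "out", "tcp", SMTP, HIGH, True, "permit"),
    Rule("C", "out", "tcp", ANY,  SMTP, ANY,  "permit"),
    Rule("D", "in",  "tcp", SMTP, HIGH, True, "permit"),
    Rule("E", ANY,   ANY,   ANY,  ANY,  ANY,  "deny"),
]

# Constructed sample traffic.
INBOUND_MAIL = Packet("in", "tcp", 3456, 25)              # new SMTP session to us
SMTP_REPLY = Packet("in", "tcp", 25, 1500, ack=True)      # reply to mail we sent
X11_PROBE = Packet("in", "tcp", 4321, 6000)               # new connection to X11
SRC25_PROBE = Packet("in", "tcp", 25, 6000)               # same, but source port 25


def naive_allows(p: Packet) -> bool:
    return evaluate(NAIVE, p)[0] == "permit"


def hardened_allows(p: Packet) -> bool:
    return evaluate(HARDENED, p)[0] == "permit"


if __name__ == "__main__":
    for pkt in (INBOUND_MAIL, SMTP_REPLY, X11_PROBE, SRC25_PROBE):
        print(pkt, "naive:", evaluate(NAIVE, pkt), "hardened:", evaluate(HARDENED, pkt))
```

Both tables accept real mail and real replies; only the hardened one stops a new connection to port 6000, including one that borrows source port 25 but lacks the ACK flag.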


Source : http://www.klik-kanan.com/fokus/firewall4.shtml

Several terms refer to types of proxy server, such as application-level proxy, circuit-level proxy, generic or specific proxy, smart proxy, etc. Whatever type of proxy is used, there are some consequences of implementing this system: generally it requires modification of clients and / or access procedures, and it requires the provision of a different program for each application server. The use of a proxy system allows the use of private IP addresses for the internal network. Consequently we can choose to use a class A address (10.x.x.x) for the private IP addresses used internally, so that the number of computers that can connect to the internal network can reach millions. The SOCKS package and TIS FWTK are examples of proxy software packages that are commonly used and freely available on the Internet.

CHAPTER III Discussion

To optimize a firewall there are a few things to consider. Among them:

First we need to define a firewall policy. Determining the policy is a very important matter: how good or bad a firewall is, is determined by the policy implemented. Determining the policy includes:

1. Determine what needs to be serviced, that is, what will be subject to the policy we create.
2. Determine the individuals or groups who will be subject to the policy.
3. Determine which services are needed by each individual or group that uses the network.
4. Based on each service used by the individuals or groups, determine the best configuration that will make it more comfortable.
5. Implement the whole policy.

Next, analyze the list of ports used by the various protocols and open these ports in the firewall; the ports must be the appropriate ones. Web servers are often identified through port 80, FTP (File Transfer Protocol) through port 21, SSH through port 22. These are the ports that must be opened on the server side. On the PC, the ports that need to be opened are for making outgoing connections; this setting is usually done by the firewall automatically when we run a program that requires a connection to the Internet. When we know which ports a program needs, open these ports in the firewall. Basically, the more ports are open on the firewall, the less secure the PC is, especially with file and printer sharing under Windows. Hackers often find and exploit weak points there. If we are using a notebook connected to a public hotspot, close the open ports. Modern firewalls automatically recognize the network and configure themselves according to the situation. Most firewalls today offer an automated setting function for file and printer sharing. On other firewalls, like the XP firewall, the configuration must be done manually each time. To enable file and printer sharing, open TCP ports 139 and 445 and UDP ports 137 and 138 for incoming data. In addition we need to allow ICMP echo requests. When we are connected to the Internet via a router, it is better to configure the router. The router setting that needs to be changed is the Port Forwarding function, which should be enabled, because on most routers the Port Forwarding function is usually turned off by default. With proper configuration, the router will reject IP packets with a forged sender. The next step in optimizing the firewall is to determine the appropriate firewall configuration. There are several firewall configurations:

Dual-homed host

Source : http://library.adisanggoro.or.id/Security/TransparanDigisec-5firewall.htm

A dual-homed host can be a router, but for it to be a firewall, IP traffic in this architecture is really blocked. So if there are packets going out or coming in, they go through a proxy.

Screened Host


Source : http://library.adisanggoro.or.id/Security/TransparanDigisec-5firewall.htm

A bastion host is placed on the intranet, and all communications in and out go through a proxy on the bastion and then through the screening router. A bastion host is the system / part considered the strongest in the network security system by the administrator, or can be called the front line considered the most powerful in withstanding attack, so it becomes an important part in securing a network; usually it is a firewall component or the outer part of a public system. The overview shows that the dual-homed architecture is more secure, but in practice many system failures allow packets to pass from one side of a dual-homed architecture to the other. So the main reason for using the screened host architecture is that a router is more easily secured than a computer / host. The main drawback is that both have a 'single point of failure'.


Screened Subnet

Source : http://library.adisanggoro.or.id/Security/TransparanDigisec-5firewall.htm

The reason is that bastion hosts are often the target of attacks. The idea is that if the bastion host has been compromised, the attacker still cannot enter the internal network. Therefore the bastion host is placed on the perimeter network. To break into the network, hackers have to attack both the exterior router and the interior router. There are also layered perimeters, where the condition for each layer to be effective is that its defense system must be different. With a perimeter network, if someone is able to penetrate the exterior router and the bastion, the attacker can only see packets roaming on the perimeter network. So the communication traffic on the internal network (which is relatively sensitive) cannot be seen by the attacker from the perimeter network. The bastion host acts as the entry point for connections from the outside, including SMTP, FTP and DNS. Meanwhile, connections from clients to servers on the Internet can be made in 2 ways:

1. Routers that allow clients to connect with Internet servers directly.
2. Using a proxy server on the bastion.

The interior router protects the internal network from the Internet and from the perimeter network. It is better that only essential traffic is allowed between them, for example the connection between the bastion and the internal SMTP mail server. Consider carefully any internal server computer that is connected to the bastion, because it will be the target of attack if the bastion is successfully compromised by hackers. The exterior router in practice allows many packets out and filters only a few incoming packets. However, usually for screening the internal network, the settings are the same on the internal and the external router. The main task of the external router is to block packets with forged addresses from the outside (those trying to disguise themselves with the IP address of one of the hosts in the internal network), because such packets certainly come from the Internet. Why not on the internal router? Because packets from the perimeter network can be trusted a little more.
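The screened subnet described above, as an added example that is not part of the paper: the exterior router drops packets from the Internet whose source address claims to be internal or perimeter, and the interior router lets only bastion-to-internal-SMTP traffic cross. All addresses are constructed for the example.

```python
"""Screened subnet: what the exterior and interior routers each refuse.

Added example, not from the paper. Addresses are constructed:
internal network 10.1.0.0/16, perimeter network 192.0.2.0/24,
bastion host 192.0.2.10, internal SMTP server 10.1.0.25.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.1.0.0/16")
PERIMETER = ipaddress.ip_network("192.0.2.0/24")
BASTION = ipaddress.ip_address("192.0.2.10")
INTERNAL_MAIL = ipaddress.ip_address("10.1.0.25")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0
    ack: bool = False


def exterior_router_permits(p: Packet, ingress_iface: str) -> bool:
    """Exterior router: lets most traffic out and most traffic in to the
    perimeter, but a packet arriving on the Internet-facing interface that
    claims an internal or perimeter source address is forged and dropped."""
    src = ipaddress.ip_address(p.src)
    if ingress_iface == "internet" and (src in INTERNAL or src in PERIMETER):
        return False
    return True


def interior_router_permits(p: Packet) -> bool:
    """Interior router: only 'essential' traffic crosses between the
    perimeter and the internal network, here bastion <-> internal SMTP
    server. Anything else, including other internal hosts, is refused."""
    src = ipaddress.ip_address(p.src)
    dst = ipaddress.ip_address(p.dst)
    if p.proto != "tcp":
        return False
    if src == BASTION and dst == INTERNAL_MAIL:
        return p.dst_port == 25 or p.ack      # mail delivery inward, or replies
    if src == INTERNAL_MAIL and dst == BASTION:
        return p.dst_port == 25 or p.ack      # mail outward via bastion, or replies
    return False


def route_from_internet(p: Packet) -> str:
    """Trace a packet that arrives from the Internet through both routers."""
    if not exterior_router_permits(p, "internet"):
        return "dropped at exterior router"
    if ipaddress.ip_address(p.dst) in PERIMETER:
        return "delivered to perimeter"       # bastion services: SMTP, FTP, DNS
    if not interior_router_permits(p):
        return "dropped at interior router"
    return "delivered to internal"
```

A packet from the Internet that forges the bastion's own address never reaches the interior router, while a genuine bastion-to-mail-server packet on the perimeter passes it.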

CHAPTER IV

Conclusion

With the right configuration at the firewall, the chance of keeping data or a computer on the network secure is greater. The first step of firewall configuration is the determination of the firewall policy: what will be subject to the policy, who will be subject to the policy, and the services required by each individual. Then specify the ports used by the different protocols and open these ports in the firewall, and also open the ports used for file sharing and ping requests. Next, determine the exact configuration in accordance with the state of the network. The screened subnet is the configuration with the highest level of security, because it uses 2 packet filtering routers, so the local network becomes invisible and cannot route directly to the Internet; in other words, the Internet becomes invisible because the external router serves the connection between the Internet and the bastion host. However, that does not mean the local network cannot connect to the Internet.


Solution

Security is a very important matter in the Internet world, both computer security and network security, which face a variety of threats from within and from without, and the firewall is the solution for overcoming such security problems. With this configuration we can boost firewall security against Internet threats much better. However, it is still possible that our networks can be attacked by hackers whose attacks are highly targeted. But being slightly better protected is better than nothing.

References

1. Tanembaum, Andrew S. 1996. Jaringan Komputer Edisi Bahasa Indonesia Jilid 1. Prenhallindo : Jakarta.
2. Majalah CHIP edisi Mei 2007. Firewall Yang Sempurna.
3. http://www.erlangga.co.id/blog/viewtopic.php?t=188&sid=f9320f1898d08eba9948454883072f1b
4. http://students.ukdw.ac.id/~22022807/kommasd.html
5. http://library.adisanggoro.or.id/Security/TransparanDigisec-5firewall.htm
6. http://www.klik-kanan.com/fokus/firewall.shtml
7. http://www.ictwatch.com/internetsehat/download/internetsehatmodulemanual/modul_personalfirewall.pdf
8. http://www.ictwatch.com/internetsehat/download/internetsehatmodulemanual/modul_personalfirewall.pdf
9. http://ilmukomputer.com