Title: A Network Perimeter With Secure External Access

Authors: Frederick M. Avolio, Marcus J. Ranum

File name: pubdocfirewallsAvolio_Ranum_isoc94-paper.ps.Z

File size: 100467 bytes

Abstract: A private network that carries sensitive data between local computers requires proper security measures to protect the privacy and integrity of the traffic. When such a network is connected to other networks, or when telephone access is allowed into that network, the remote terminals, phone lines, and other connections become extensions to that private network and must be protected accordingly. In addition, the private network must be protected from outside attacks that could cause loss of information, breakdowns in network integrity, or breaches in security. While security is important, security measures that are onerous or cumbersome often end up being circumvented by legitimate users of the network in order to get their work done. Because of this, usability - or "user friendliness" - in security features is also of the utmost importance. Trusted Information Systems, Inc. (TIS) has built a prototype system that provides for strong user authentication, access control, and integrity protection for unclassified but sensitive data on a private (isolated) network (or collection of networks). Furthermore, the prototype system supports the secure connection of the private network to an external Internet, as well as dial-up network connections to the private network, via a firewall and secured links, with strong user authentication and encryption of traffic. TIS used a combination of commercial off-the-shelf (COTS) software and custom software for this project. This paper summarizes the extended system configuration and functional services, and describes the required security services and specific protection mechanisms used to provide these services.