60 International Journal of Strategic Information Technology and Applications, 3(3), 60-68, July-September 2012 The Effect of Firewall Testing Types on Cloud Security Policies Annie Shebanow, Colorado Technical University, USA Richard Perez, Colorado Technical University, USA Caroline Howard, Colorado Technical University, USA ABSTRACT An important aspect of security requirements is a firm understanding of the threats to systems so that specific defense mechanisms can be implemented. Globally scattered network systems and on-demand access to systems such as cloud computing require a high level of security, because the software and hardware of networks are integrated in vulnerable shared or outsourced environments. Hackers are relentless in finding new techniques to gain access to sensitive data. Securing infrastructures is a challenging task, but when researchers identify and investigate potential threats and create solutions, vulnerabilities may be reduced. The purpose of this paper is to explore how use, misuse, positive and negative, obstacle, and abuse testing cases of firewalls have broadened the security policies that mitigate or prevent threats in a cloud environment. Keywords: Abuse, Cases, Cloud Computing, Firewall, Misuse, Obstacle, Policies, Security, Testing INTRODUCTION Cloud computing is emerging as a viable solution for companies competing in a rapidly changing global business environment, because survival depends on the implementation of scalable, flexible, and cost-effective strategies and technology. The rising demand for multimedia information, video streaming and compression, media synchronization mechanisms, and graphical rendering has vastly increased the need for computational resources (Wu, Hou, Zhu, Zhang, & Peha, 2003). With its capability of solving large-scale problems, hosting client DOI: 10.4018/jsita.2012070105 applications and data storage, and billing by consumption, cloud computing has transformed information-technology infrastructures. As Srinivasan and Getov describe this evolution, “Cloud computing represents a fundamental shift in the delivery of information technology services that has permanently changed the computing landscape” (2011). The notion of cloud computing is not new. The initial concept can be traced back to Licklider, one of the pioneers of ARPANET, who helped to make the intergalactic computer network a reality while working at the Advanced Research Project Agency. In 1960, Licklider saw the need for sharing information, computing resources, and collaboration through the use of computers anywhere and access data anywhere. When Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. International Journal of Strategic Information Technology and Applications, 3(3), 60-68, July-September 2012 61 Parkhill presented the challenge of a computer utility in 1966, his idea was to provide a wide range of computing-related services as public utilities, just like electricity, gas, telephone, and water. Utility computing has been the subject of discussion for nearly 50 years. Although cloud technology has been available through the Internet for some time, public cloud services are a more recent phenomenon. Through virtualization, cloud computing offers infinite on-demand resources (Armbrust et al., 2009) and almost instant accessibility with minimum startup time (Ramakrishnan, Jackson, Canon, Cholia, & Shalf, 2010). Cloud computing service providers can offer resources as a utility, employing the standard “pay-as-youuse” model. The positive economic impact of using cloud computing is extremely attractive to businesses, but cloud’s security challenges are enough of a barrier preventing some companies from buying into the service. Cloud computing requires a high level of security, as software and hardware are integrated in vulnerable shared or outsourced environments. In fact, many studies, such as those of Wang (2010), Jensen et al. (2009), and Owens (2010), indicate that security remains the most challenging issue of cloud computing. Security should protect storage, core services, and any components used to form an infrastructure. Certain cloud computing environments, such as virtual private clouds with dedicated resources and isolated, virtual, private networks, offer a measure of security of their own. Securing cloud environments requires a firm grasp of potential risks and protective measures. Some security testing is applied in testing of the firewalls, which are a combination of hardware and software that form the primary barriers between internal and external networks. The main purpose of a firewall is to secure a private network when connected to a public network by filtering incoming packets. Firewalls authenticate access, record and report events, and prevent undesirable traffic from flowing through the system. The four basic categories of a firewall—packet filters, circuit-level gateways, application-level gateways (proxies), and stateful multilayer inspection—are vital in screening network traffic. Each packet is compared to a set of rules and then action is taken. In a circuit-level gateway, each connection setup is examined to verify the legitimate Transmission Control Protocol (TCP) handshaking has occurred in a packet-filtering firewall. Existence of proxies allows packets to access services; this is application-level gateway. The last category of firewalls combines aspects of the other three. To effectively protect networks from security compromises, a firewall ideally should run on a dedicated system that does not include any user-accessible programs. Since no specific rules exist that can be applied to firewall design, the skills that firewall architects hold are of vital importance in configuring the design and implementation: Incorrect configuration can cause damage to the network, and deployment errors make firewalls vulnerable. When comparing the efficacy of different types of firewalls, the focus should be on the capabilities of the data-transfer layers and the position of the firewalls. It is best to use the four layers of the Transmission Control Protocol/Internet Protocol (TCP/IP), which work together to transfer data between hosts: hardware (data), IP (network), transport, and the application layers. Basic firewalls operate on one or two layers, usually the lower layers, while advanced firewalls examine all of the layers. Over the years, through trial and error, a better understanding has been developed regarding which types of firewall should be positioned on a node where the network splits into multiple paths, and which should be placed on a single network path. In routed networks, firewalls are positioned at the start of a traffic path. In general, a firewall should fit into a network architecture, and firewalls are not always placed in similar locations on different network architectures. The decision regarding what type of firewall to use and where to place it on a network requires deliberate, advanced planning and policy coordination to prevent security lapses. Techniques such as risk assumption, avoidance, limitation, and transference enable risk Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. 7 more pages are available in the full version of this document, which may be purchased using the "Add to Cart" button on the product's webpage: www.igi-global.com/article/effect-firewall-testing-typescloud/70753?camid=4v1 This title is available in InfoSci-Journals, InfoSci-Journal Disciplines Library Science, Information Studies, and Education. Recommend this product to your librarian: www.igi-global.com/e-resources/libraryrecommendation/?id=2 Related Content Impact of Prior Usage Experience on the Intention to Adopt 3G Mobile Service for the Youth in Hong Kong Kevin K. W. Ho (2011). International Journal of Strategic Information Technology and Applications (pp. 1-19). www.igi-global.com/article/impact-prior-usage-experienceintention/60141?camid=4v1a Understanding Human Factors in Systems Selection and Implementation: Exploring the Role of Power and Politics Konrad Peszynski (2010). International Journal of Strategic Information Technology and Applications (pp. 10-25). www.igi-global.com/article/understanding-human-factors-systemsselection/45766?camid=4v1a Using Semantics to Discover Web Services Based on Partial Data: An Update of Previous Research Catarina Ferreira da Silva, Paulo Melo, Paulo Rupino da Cunha, Pedro Milheiro and Parisa Ghodous (2013). International Journal of Strategic Information Technology and Applications (pp. 44-59). www.igi-global.com/article/using-semantics-to-discover-web-services-basedon-partial-data/103866?camid=4v1a Developing and Analysing Core Compentencies for Alignment with Strategy Keith Sawyer and John Gammack (2009). Selected Readings on Strategic Information Systems (pp. 20-33). www.igi-global.com/chapter/developing-analysing-core-compentenciesalignment/28685?camid=4v1a