SecurityArena

Guide to Practical Info Security!

CBK Telecommunications and Network Security
Written by Administrator   
Saturday, 11 July 2009 04:09

Firewalls

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all inbound and outbound traffic between different security domains, based upon a set of rules and other criteria.

Packet filtering firewalls (1st Gen)
This is the most basic firewall. It makes each access decision from an access control list (ACL), filtering traffic on source and destination IP address (network layer) and source and destination port (transport layer). It is not a context aware (stateful) device: every packet is judged on its own, with no memory of the packets that came before it.
A 1st-generation firewall allows the following types of controls:
  • physical network interface that the packet arrives on
  • address the data is (supposedly) coming from (source IP address; it can be spoofed, so the filter cannot trust it on its own)
  • address the data is going to (destination IP address)
  • transport protocol named in the IP header (TCP, UDP, ICMP)
  • transport layer source port
  • transport layer destination port
Packet filters generally do not understand the application layer protocols carried inside the packets. Instead, they apply a rule set maintained in the TCP/IP kernel, which gives them relatively high performance. Each rule pairs the criteria above with an action (permit or deny) that is applied to any packet matching them; rules are normally evaluated in order, the first match decides, and a packet that matches no rule falls through to a default, which should be deny.
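The following is an added example, not code from the original article: a small first-generation packet filter in Python, with an ordered ACL, first-match semantics and an implicit deny. The interface names, the 10.0.0.0/8 internal network, the rules and the four packets are constructed for illustration. The last packet shows the weakness of a stateless filter: the rule that admits genuine HTTP replies also admits any unsolicited packet that copies the reply pattern (source port 80, ephemeral destination port), because nothing records whether an inside host ever sent the request.

```python
"""A first-generation packet filter: each packet is judged alone against an
ordered ACL, first match wins, and nothing is remembered between packets.
Added example, not from the original article; the rule set, addresses and
packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str                   # physical interface the packet arrived on
    src: str                     # claimed source IP (can be spoofed)
    dst: str                     # destination IP
    proto: str                   # IP protocol: "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # transport-layer ports; None for ICMP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"       # CIDR prefixes; 0.0.0.0/0 matches everything
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[range] = None
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        """True when every field the rule constrains matches the packet."""
        if self.iface != "any" and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.sport is not None and (p.sport is None or p.sport not in self.sport):
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule decides; the implicit default covers everything else."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


EPHEMERAL = range(1024, 65536)
HTTP = range(80, 81)

# Assumed topology: 10.0.0.0/8 sits behind interface "inside"; the Internet
# is reached through interface "outside".
RULES = [
    # Anti-spoofing: an internal source address must never arrive from outside.
    Rule("deny", iface="outside", src="10.0.0.0/8"),
    # Inside hosts may open HTTP connections.
    Rule("permit", iface="inside", src="10.0.0.0/8", proto="tcp", dport=HTTP),
    # Replies come back from port 80 to an ephemeral port.  A stateless filter
    # cannot tell a reply from an unsolicited packet that merely uses port 80
    # as its source, so this rule is also the hole an attacker walks through.
    Rule("permit", iface="outside", dst="10.0.0.0/8", proto="tcp",
         sport=HTTP, dport=EPHEMERAL),
]


def demo() -> List[str]:
    """Decisions for four constructed packets, in order: outbound request,
    genuine reply, spoofed internal address arriving from outside, and an
    unsolicited packet from an unknown host that copies the reply pattern."""
    packets = [
        Packet("inside", "10.1.1.5", "203.0.113.10", "tcp", 40000, 80),
        Packet("outside", "203.0.113.10", "10.1.1.5", "tcp", 80, 40000),
        Packet("outside", "10.9.9.9", "10.1.1.5", "tcp", 80, 40000),
        Packet("outside", "198.51.100.7", "10.1.1.5", "tcp", 80, 40000),
    ]
    return [evaluate(RULES, p) for p in packets]


if __name__ == "__main__":
    print(demo())  # ['permit', 'permit', 'deny', 'permit']
```

Older routers narrowed this hole by also requiring the ACK flag on inbound "reply" packets, but a packet filter still cannot know whether a connection exists; that is what the later generations add.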

Circuit Level Firewalls (2nd Gen)
A circuit level firewall is a second-generation firewall technology that validates that a packet is either a connection request or a data packet belonging to an existing connection, or virtual circuit, between two peer transport layers. It employs stateful inspection: the firewall maintains a table of valid connections (which includes complete session state and sequencing information) and lets packets containing data pass only when the packet's addresses, ports and sequencing match an entry in the virtual circuit table. Once a connection is terminated, its table entry is removed and the virtual circuit between the two peer transport layers is closed. An inbound packet with no matching entry is unsolicited and is dropped, whatever port numbers it carries.
SOCKS is an example of a circuit-level proxy gateway: it relays TCP connections between two TCP/IP hosts on behalf of the client. It does not provide detailed protocol-specific control, because it sees the circuit, not the application data inside it.

Application Layer Firewalls (3rd Gen)
An application layer firewall is a third-generation firewall technology that evaluates network packets for valid data at the application layer before allowing a connection. It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information. In addition, an application layer firewall can validate security items that only appear within the application layer data, such as user credentials and service requests (for HTTP, the method, the requested resource and the Host header).
Most application layer firewalls include specialized application software and proxy services. A proxy service is a special-purpose program that manages traffic through the firewall for one specific service, such as HTTP or FTP: the client connects to the proxy, the proxy opens its own connection to the server, and only traffic the proxy understands and accepts is forwarded. Proxy services are specific to the protocol they are designed to forward, which lets them provide increased access control, careful checks that the data is valid for that protocol, and audit records of the traffic they transfer.
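As an added example (not code from the original article), here is the kind of check an HTTP proxy service performs before forwarding a request: it parses the request head, enforces a service policy on the method, request target and Host header, refuses framing that a packet or circuit filter could never see, and emits an audit record for every decision. The allowed methods and hosts, the header limits and the sample requests are all constructed for illustration.

```python
"""Application-layer inspection of an HTTP request, as a proxy would do it
before forwarding: the request is parsed, checked against a service policy,
and an audit record is produced for every decision.  Added example, not from
the original article; policy values and sample requests are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

ALLOWED_METHODS = {"GET", "HEAD", "POST"}      # assumed policy
ALLOWED_HOSTS = {"www.example.com"}           # assumed policy
MAX_HEADERS = 50
MAX_LINE = 4096
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # HTTP token (RFC 7230)
ORIGIN_FORM = re.compile(rb"^/[^\s]*$")                  # "/path?query", nothing else


@dataclass
class Verdict:
    allow: bool
    reason: str
    audit: Dict[str, str] = field(default_factory=dict)


def inspect_http_request(raw: bytes, client: str) -> Verdict:
    """Parse one HTTP request head and decide whether the proxy may forward it."""
    audit = {"client": client}

    def decide(allow: bool, reason: str) -> Verdict:
        audit["decision"] = "allow" if allow else "deny"
        audit["reason"] = reason
        return Verdict(allow, reason, audit)

    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return decide(False, "incomplete header block")
    lines = head.split(b"\r\n")
    if len(lines) - 1 > MAX_HEADERS or any(len(l) > MAX_LINE for l in lines):
        return decide(False, "header limits exceeded")

    parts = lines[0].split(b" ")
    if len(parts) != 3 or not TOKEN.match(parts[0]):
        return decide(False, "malformed request line")
    method, target, version = parts
    audit["method"] = method.decode("ascii")      # token regex guarantees ASCII
    audit["target"] = target.decode("latin-1")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return decide(False, "unsupported HTTP version")
    if audit["method"] not in ALLOWED_METHODS:
        return decide(False, "method not permitted")
    # Raw-path check only; a real proxy normalises percent-encoding first.
    if not ORIGIN_FORM.match(target) or b".." in target.split(b"?")[0].split(b"/"):
        return decide(False, "request target rejected")

    headers: Dict[bytes, List[bytes]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            return decide(False, "malformed header")
        headers.setdefault(name.lower(), []).append(value.strip())

    host = headers.get(b"host", [])
    audit["host"] = b",".join(host).decode("latin-1")
    if len(host) != 1 or audit["host"] not in ALLOWED_HOSTS:
        return decide(False, "host not permitted")
    # Two different ways of framing the body let a front end and a back end
    # disagree about where one request ends (request smuggling); refuse both.
    if b"transfer-encoding" in headers and b"content-length" in headers:
        return decide(False, "ambiguous message framing")
    if len(headers.get(b"content-length", [])) > 1:
        return decide(False, "ambiguous message framing")
    return decide(True, "policy satisfied")


def audit_line(v: Verdict) -> str:
    """One-line audit record, key=value, in the order the fields were gathered."""
    return " ".join(f"{k}={val}" for k, val in v.audit.items())


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRACE = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
WRONG_HOST = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, TRACE, WRONG_HOST, SMUGGLE, TRAVERSAL):
        print(audit_line(inspect_http_request(req, "10.1.1.5")))
```

Every one of these decisions depends on fields that exist only inside the application data; a packet filter sees nothing but TCP port 80 on all five requests.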

Dynamic Packet Filters (4th Gen)
A dynamic packet filter firewall is a fourth-generation firewall technology that modifies the security rule base on the fly. It is most useful for providing limited support for the UDP transport protocol, which has no connection setup or teardown for a circuit-level firewall to track and is typically used for short request/reply exchanges in application layer protocols (DNS is the usual example).
The firewall accomplishes this by associating every UDP packet that crosses the security perimeter with a virtual connection. When an inside host sends a UDP request, the firewall records the addresses and ports; if a response to that request comes back, a virtual connection is established and the packet is allowed to traverse the firewall. The information associated with a virtual connection is remembered only for a short period of time, and if no response packet is received within this period the virtual connection is invalidated, so a packet arriving later that merely looks like a reply is dropped.
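The following is an added example, not code from the original article, covering both the circuit-level (stateful) behaviour described above under the 2nd generation and the UDP virtual connections described here. A table keyed on the five-tuple records sessions that inside hosts open; TCP circuits are opened by a SYN and closed by FIN or RST, UDP virtual connections expire after an idle timeout, and any inbound packet without an entry is dropped no matter which ports it carries. The interface names, addresses, timeouts and the packet sequence are constructed for illustration, and the TCP state machine is simplified (no half-close tracking, no sequence-number checking).

```python
"""Stateful inspection: a virtual-circuit table records the sessions inside
hosts open, and inbound packets are permitted only when they belong to one.
TCP circuits are opened by a SYN and closed by FIN or RST (simplified: no
half-close or sequence tracking); UDP gets a virtual connection that expires
after a short idle timeout.  Added example, not from the original article;
the timeouts, addresses and packets are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str            # "inside" or "outside"
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP flags; ignored for UDP
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    TCP_IDLE = 3600.0     # assumed idle timeouts, in seconds
    UDP_IDLE = 30.0

    def __init__(self) -> None:
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> (state, last_seen)
        self.table: Dict[Tuple, Tuple[str, float]] = {}

    @staticmethod
    def _key(p: Packet, outbound: bool) -> Tuple:
        """Normalise both directions of a flow to the same table key."""
        if outbound:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        for key, (_state, last) in list(self.table.items()):
            idle = self.UDP_IDLE if key[0] == "udp" else self.TCP_IDLE
            if now - last > idle:
                del self.table[key]        # virtual connection invalidated

    def process(self, p: Packet, now: float) -> str:
        """Return 'permit' or 'deny' for a packet seen at time `now`."""
        self._expire(now)
        outbound = p.iface == "inside"
        key = self._key(p, outbound)
        entry = self.table.get(key)

        if outbound:
            if entry is None:
                # Only a clean SYN may open a TCP circuit; any UDP datagram
                # from inside opens a UDP virtual connection.
                if p.proto == "tcp" and not (p.syn and not p.ack):
                    return "deny"
                self.table[key] = ("SYN_SENT" if p.proto == "tcp" else "UDP", now)
                return "permit"
            if p.proto == "tcp" and (p.fin or p.rst):
                del self.table[key]        # circuit torn down
                return "permit"
            self.table[key] = (entry[0], now)
            return "permit"

        # Inbound: without a table entry the packet is unsolicited, whatever
        # port numbers it carries.
        if entry is None:
            return "deny"
        state, _ = entry
        if p.proto == "tcp":
            if p.rst:
                del self.table[key]        # peer aborted the circuit
                return "permit"
            if state == "SYN_SENT":
                if not (p.syn and p.ack):
                    return "deny"          # only SYN/ACK (or RST) answers our SYN
                state = "ESTABLISHED"
            elif p.syn and not p.ack:
                return "deny"              # a fresh SYN is not part of an open circuit
            elif p.fin:
                del self.table[key]
                return "permit"
        self.table[key] = (state, now)
        return "permit"


# Constructed scenario: (packet, arrival time in seconds).
SCENARIO = [
    (Packet("outside", "198.51.100.7", "10.1.1.5", "tcp", 80, 40000, ack=True), 0.0),
    (Packet("inside", "10.1.1.5", "203.0.113.10", "tcp", 40000, 80, syn=True), 1.0),
    (Packet("outside", "203.0.113.10", "10.1.1.5", "tcp", 80, 40000, syn=True, ack=True), 1.1),
    (Packet("inside", "10.1.1.5", "203.0.113.10", "tcp", 40000, 80, ack=True), 1.2),
    (Packet("outside", "203.0.113.10", "10.1.1.5", "tcp", 80, 40000, ack=True), 1.3),
    (Packet("outside", "198.51.100.7", "10.1.1.5", "tcp", 80, 40000, ack=True), 1.4),
    (Packet("inside", "10.1.1.5", "203.0.113.10", "tcp", 40000, 80, fin=True, ack=True), 2.0),
    (Packet("outside", "203.0.113.10", "10.1.1.5", "tcp", 80, 40000, ack=True), 2.1),
    (Packet("inside", "10.1.1.5", "203.0.113.53", "udp", 50000, 53), 10.0),
    (Packet("outside", "203.0.113.53", "10.1.1.5", "udp", 53, 50000), 10.2),
    (Packet("outside", "203.0.113.53", "10.1.1.5", "udp", 53, 50000), 41.2),
]


def decisions(scenario: List[Tuple[Packet, float]]) -> List[str]:
    """Run a fresh firewall over the scenario and return the decision per packet."""
    fw = StatefulFirewall()
    return [fw.process(p, t) for p, t in scenario]


if __name__ == "__main__":
    print(decisions(SCENARIO))
```

The first packet is the same unsolicited "reply" a stateless filter would let through; here it is denied because no table entry exists. The last two packets show the UDP virtual connection: the DNS answer is permitted 0.2 s after the query, and an identical datagram 31 s later is dropped because the entry has expired.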



Last Updated on Friday, 28 August 2009 05:02