Firewall Technologies

This section focuses on the technologies used in various firewalls and how they work. The firewall taxonomy in Figure 2-1 shows the general types of firewalls.
Nội dung trích xuất từ tài liệu:
Firewall TechnologiesFirewall TechnologiesThis section focuses on the technologies used in various firewalls and how they work.The firewall taxonomy in Figure 2-1 shows the general types of firewalls. This sectionfocuses more on the underlying technologies that devices that fall into those types utilize.In some cases, one technology discussed here can fall into multiple types in the taxonomytree. The focus is on a wide range of firewall technologies, including the following: • Personal firewalls • Packet filters • Network Address Translation (NAT) firewalls • Circuit-level firewalls • Proxy firewalls • Stateful firewalls • Transparent firewalls • Virtual firewallsNow, you might be thinking, Wait, I thought there were three firewall products:software based, appliance based, and integrated. The firewall technologies discussed inthis section may be used by any of the three basic physical firewalls. Indeed, thesetechnologies simply allow us to define a firewall in a more granular fashion. So, forexample, an appliance firewall can be further quantified as a stateful firewall. Each ofthese technologies is examined and discussed to provide you with an understanding of thedifferences between these technologies, and by extension the firewall devices that utilizethese technologies. Each section focuses predominantly on the operation of the firewall inits function as a network security device. Discussion of the redundancy capabilities,performance, and management of specific firewalls is not covered. This section providesa brief introduction to some specific firewalls that subsequent chapters cover in greaterdetail.Personal FirewallsPersonal firewalls are designed to protect a single host. They can be viewed as a hardenedshell around the host system, whether it is a server, desktop, or laptop. Typically,personal firewalls assume that outbound traffic from the system is to be permitted andinbound traffic requires inspection. By default, personal firewalls include various profilesthat accommodate the typical traffic a system might see. For example, ZoneAlarm haslow, medium, and high settings that allow almost all traffic, selected traffic, or nearly notraffic, respectively, through to the protected system. In a similar vein, IPTableswhichyou can set up as a personal firewall as well as in a network firewall roleduring the setupof the Linux system, enables the installer to choose the level of protection for the systemand the customization for ports that do not fall into a specific profile.One important consideration with personal firewalls is centralized management. Somevendors have identified that a significant barrier to deployment of personal firewall onevery end system is the need for centralized management so that policies can bedeveloped and applied remotely to end systems and have developed such capabilitieswithin their products. Large enterprises are hesitant to adopt this personal firewalltechnology for their systems because of the difficulty of maintaining a consistent firewallpolicy across the enterprise.Packet FiltersPacket filters are network devices that filter traffic based on simple packet characteristics.These devices are typically stateless in that they do not keep a table of the connectionstate of the various traffic flows through them. To allow traffic in both directions, theymust be configured to permit return traffic. Simple packet filters include Cisco IOSaccess lists as well as Linuxs ipfwadm facility to name a few. Although these filtersprovide protection against a wide variety of threats, they are not dynamic enough to beconsidered true firewalls. Their primary focus is to limit traffic inbound while providingfor outbound and established traffic to flow unimpeded. Example 2-1 shows a simpleaccess list for filtering traffic. This list is based on the network example in Figure 2-2.The access list is applied to the inbound side of the filtering device that connects the LANto the Internet. Figure 2-2. Simple Access List Sample Network [View full size image]Example 2-1. Simple Access Listaccess-list 101 permit icmp any 192.168.185.0 0.0.0.255 echo-replyaccess-list 101 permit icmp any 192.168.185.0 0.0.0.255 ttl-exceededaccess-list 101 permit tcp any 192.168.185.0 0.0.0.255 establishedaccess-list 101 permit udp any host 192.168.185.100 eq 53access-list 101 permit udp any eq 123 192.168.185.0 0.0.0.255Note that inbound return traffic for DNS (53/UDP) and NTP (123/UDP) are explicitlystated toward the end of the filter list, as are Internet Control Message Protocol (ICMP)echo-reply and Time-To-Live (TTL)-exceeded responses. Without these statements, thesepackets would be blocked even though they are in response to traffic that originated inthe protected LAN. Finally, note the following rule:access-list 101 permit tcp any 192.168.185.0 0.0.0.255 establishedThis rule is required to allow return traffic from any outside system back to the192.168.185.0/24 subnet as long as the return traffic has the TCP ACK flag set. Packetfilters typically do not have any stateful capabilities to inspect outbound traffic anddynamically generate rules permitting the return traffic to an outbound flow. Figure 2-3shows a simple packet-filtering firewall. Figure 2-3. Packet-Filtering FirewallNAT FirewallsA distinct firewall that existed for a short period is the Network Address Translation(NAT) firewall. In todays firewall market, NAT is a part of almost every firewall productavailable. From the lowliest SOHO firewall such as the Linksys BEFSX41 to the high-end enterprise PIX 535, NAT is now a function of a firewall. NAT firewallsautomatically provide protection to systems behind the firewall because they only allowconnections that originate from the inside of th ...