Roll No-C07348 1
Firewall Architecture & Types
routers that have more than two interfaces and don't have this capability. If you merge the interior and exterior routers, as we show in the figure, you'll still have a perimeter net.

2.4.3) Merge the Bastion Host and the Exterior Router

There might be cases in which you use a single dual-homed machine as both your bastion host and your exterior router. Unlike merging the interior and exterior routers, merging the bastion host with the exterior router does not open significant new vulnerabilities. It does, however, expose the bastion host further. In this architecture, the bastion host is more exposed to the Internet, protected only by whatever filtering (if any) its own interface package does, and you will need to take extra care to protect it.

3) FIREWALL TYPES

Security expert Michael Gregg says that the National Institute of Standards and Technology (NIST) publication 800-10 divides firewalls into five basic types: packet filters, stateful inspection, proxies, dynamic and kernel. These divisions, however, are not well defined, as most modern firewalls have a mix of abilities that place them in more than one of the categories shown above.

3.1) NETWORK LAYER FIREWALLS

Network layer firewalls generally make their decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly sophisticated, and now maintain internal information about the state of the connections passing through them at any time.

A network layer firewall is a type of firewall that works as a packet filter, deciding which packets will pass the firewall according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains. Network layer firewalls tend to operate very fast and transparently to users.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls hold some information on the state of connections as part of their rules. Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions based on what stage communications between hosts have reached; for example, to let replies from web servers back in, a stateless filter must admit every inbound packet with source port 80, whether or not an internal host actually requested it. Stateless firewalls therefore offer less security.

3.2) APPLICATION LAYER FIREWALLS

Application layer firewalls, strictly defined, are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and examination of the traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other. An application layer firewall is a firewall operating at the application layer of the networking communication. Generally, it is a host using various forms of proxy servers to
proxy traffic instead of routing it. As it works on the application layer, it may inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth.

A network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack[1], and is also known as a proxy-based or reverse-proxy firewall. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a web application firewall. They may be implemented through software running on a host or as a stand-alone piece of network hardware. Often, it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server.

A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host. An example of a host-based application firewall which controls system service calls by an application is the Mac OS X application firewall. Host-based application firewalls may also provide network-based application firewalling.

as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection. The most CPU-intensive checking is performed at the time of setup of the connection. All packets after that (for that session) are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded.

In order to prevent the state table from filling up, sessions time out if no traffic has passed for a certain period, and these stale connections are removed from the state table. Many applications therefore send keepalive messages periodically to stop a firewall from dropping the connection during periods of no user activity, though some firewalls can be instructed to send these messages on behalf of applications. It is worth noting that one of the most common denial-of-service attacks on the Internet is the SYN flood, in which an attacker deliberately sends large numbers of TCP SYN packets to a server in order to fill its table of half-open connections, thus blocking the server from accepting other connections; a stateful firewall in front of that server has the same exposure, since every SYN it admits costs it a state-table entry until the half-open session times out. Many stateful firewalls are also able to track the state of flows in connectionless protocols such as UDP. Such sessions usually get the ESTABLISHED state immediately after the first packet is seen by the firewall. Sessions in connectionless protocols can only end by time-out.
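To make the difference between the stateless filtering of 3.1 and the state table described in the preceding paragraphs concrete, the following is an added example, not code from the original report or from any firewall product: a toy stateful packet filter in Python. The static rules decide only who may open a flow; a state table keyed on the 5-tuple admits the rest of each session in both directions, times out idle entries, treats UDP as an immediately ESTABLISHED pseudo-session, and refuses new flows once the table is full. The address prefixes, ports, timeouts and the packet trace in demo() are constructed for illustration.

```python
"""Toy stateful packet filter: static rules plus a connection state table.
Added illustration, not code from the original report. The address
prefixes, ports, timeouts and the packet trace in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, UDP = "tcp", "udp"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST
    t: float = 0.0    # arrival time in seconds on a constructed clock


@dataclass(frozen=True)
class Rule:
    proto: str
    src_prefix: str        # "*" matches any address
    sport: Optional[int]   # None matches any port
    dst_prefix: str
    dport: Optional[int]
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.src_prefix == "*" or p.src.startswith(self.src_prefix))
                and (self.sport is None or self.sport == p.sport)
                and (self.dst_prefix == "*" or p.dst.startswith(self.dst_prefix))
                and (self.dport is None or self.dport == p.dport))


def stateless_decision(rules: List[Rule], p: Packet) -> str:
    """Plain packet filter: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Static rules decide only who may open a flow; the state table then
    admits the rest of each pre-screened session in both directions."""

    def __init__(self, rules: List[Rule], tcp_timeout: float = 300.0,
                 udp_timeout: float = 30.0, max_entries: int = 1000) -> None:
        self.rules = rules
        self.timeouts = {TCP: tcp_timeout, UDP: udp_timeout}
        self.max_entries = max_entries
        self.table: Dict[Tuple, List] = {}   # initiator 5-tuple -> [state, last_seen]

    def expire(self, now: float) -> None:
        """Remove idle sessions so stale entries cannot fill the table."""
        for k in [k for k, (_, last) in self.table.items()
                  if now - last > self.timeouts[k[0]]]:
            del self.table[k]

    def filter(self, p: Packet) -> str:
        self.expire(p.t)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            # Fast path: the packet belongs to an existing, pre-screened session.
            entry = self.table[key]
            entry[1] = p.t
            if p.proto == TCP and "R" in p.flags:
                del self.table[key]           # reset: forget the session at once
            elif p.proto == TCP and p.flags == "SA" and entry[0] == "SYN_SENT":
                entry[0] = "ESTABLISHED"      # server answered the handshake
            return "allow"                    # (FIN tracking omitted in this toy)
        # Slow path: only a flow initiation may create state ...
        if p.proto == TCP and p.flags != "S":
            return "deny"                     # unsolicited SYN/ACK, ACK, ...
        # ... and only if the static rules allow this initiator.
        if stateless_decision(self.rules, p) != "allow":
            return "deny"
        if len(self.table) >= self.max_entries:
            return "deny"                     # table exhausted, as in a SYN flood
        # UDP has no handshake, so its pseudo-session is ESTABLISHED at once.
        self.table[fwd] = ["SYN_SENT" if p.proto == TCP else "ESTABLISHED", p.t]
        return "allow"


def demo() -> Dict[str, str]:
    """Constructed packet trace; returns the decision for each labelled packet."""
    # Policy: inside hosts (prefix "10.0.0.") may open web and DNS flows. No
    # return-traffic rule is needed because the state table admits replies.
    rules = [Rule(TCP, "10.0.0.", None, "*", 80, "allow"),
             Rule(UDP, "10.0.0.", None, "*", 53, "allow")]
    fw = StatefulFilter(rules, udp_timeout=30.0, max_entries=3)
    out: Dict[str, str] = {}
    # 1. Unsolicited SYN/ACK from outside with source port 80. A stateless filter
    #    needs an "allow replies from source port 80" rule and so admits it.
    stray = Packet(TCP, "203.0.113.9", 80, "10.0.0.5", 44444, "SA", 0.0)
    out["stateless_return_rule"] = stateless_decision(
        rules + [Rule(TCP, "*", 80, "10.0.0.", None, "allow")], stray)
    out["unsolicited_synack"] = fw.filter(stray)
    # 2. An inside client opens a web connection; the reply matches the reverse key.
    out["client_syn"] = fw.filter(Packet(TCP, "10.0.0.5", 50000, "203.0.113.9", 80, "S", 1.0))
    out["server_synack"] = fw.filter(Packet(TCP, "203.0.113.9", 80, "10.0.0.5", 50000, "SA", 1.1))
    out["tcp_state"] = fw.table[(TCP, "10.0.0.5", 50000, "203.0.113.9", 80)][0]
    # 3. A DNS query is ESTABLISHED immediately and its reply admitted, but a reply
    #    arriving after the 30 s idle timeout finds no session left.
    out["dns_query"] = fw.filter(Packet(UDP, "10.0.0.5", 40000, "192.0.2.53", 53, "", 2.0))
    out["dns_reply"] = fw.filter(Packet(UDP, "192.0.2.53", 53, "10.0.0.5", 40000, "", 2.2))
    out["late_dns_reply"] = fw.filter(Packet(UDP, "192.0.2.53", 53, "10.0.0.5", 40000, "", 40.0))
    # 4. Two hosts open connections they never complete and fill the tiny table,
    #    so a legitimate SYN is refused until the half-open entries time out.
    fw.filter(Packet(TCP, "10.0.0.10", 1111, "203.0.113.9", 80, "S", 41.0))
    fw.filter(Packet(TCP, "10.0.0.11", 2222, "203.0.113.9", 80, "S", 41.0))
    out["syn_during_flood"] = fw.filter(Packet(TCP, "10.0.0.5", 50001, "203.0.113.9", 80, "S", 42.0))
    out["syn_after_timeout"] = fw.filter(Packet(TCP, "10.0.0.5", 50001, "203.0.113.9", 80, "S", 400.0))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Running the script prints one verdict per labelled packet. The two points the report makes are visible in the trace: the stateless rule set has to admit the stray SYN/ACK that the state table rejects, and the table-exhaustion branch is exactly the resource a SYN flood targets, which is why real firewalls pair it with SYN cookies or rate limits rather than a bare entry count.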
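The proxy-style content inspection described under 3.2 above, as an added example in Python that is not code from the original report or from any real proxy: a forward proxy's examination of one HTTP request and one response before relaying either. The host denylist, method allowlist, length limit and every message in demo() are constructed assumptions; the only real-world constant is the EICAR anti-virus test string, which stands in for a content signature.

```python
"""Toy application-layer (proxy) inspection for HTTP, as described in 3.2.
Added illustration, not code from the original report. The denylist,
limits and the constructed messages in demo() are assumptions.
"""
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit

BLOCKED_HOSTS = {"ads.example", "malware.example"}   # constructed site denylist
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LEN = 2048
# Content signature: the standard EICAR anti-virus test string (harmless by design).
SIGNATURES = [rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"]


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP/1.x message into start line, headers and body.
    Raises ValueError on anything a proxy should refuse to interpret."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message head")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip() or name != name.strip():
            raise ValueError("malformed header line")
        key = name.decode("ascii").lower()
        if key in headers:
            # Two Content-Length headers etc. are the ambiguity that request
            # smuggling exploits: refuse rather than guess which one applies.
            raise ValueError("duplicate header " + key)
        headers[key] = value.strip().decode("latin-1")
    return lines[0].decode("ascii"), headers, body


def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Forward-proxy view of a client request: ('allow'|'block', reason)."""
    try:
        start, headers, _ = parse_http(raw)
        method, target, version = start.split(" ")
        # Proxies receive absolute URIs; fall back to Host for origin-form targets.
        url = urlsplit(target if "://" in target else "http://" + headers.get("host", "") + target)
        host = (url.hostname or "").lower()
    except ValueError as exc:
        return "block", f"malformed request ({exc})"
    if method not in ALLOWED_METHODS:
        return "block", f"method {method} not permitted"
    if not version.startswith("HTTP/1."):
        return "block", f"unsupported version {version}"
    if not host:
        return "block", "no target host"
    if host in BLOCKED_HOSTS:
        return "block", f"site {host} denied by policy"
    if len(target) > MAX_TARGET_LEN:
        return "block", "request target too long"
    path = unquote(url.path)   # decode first, as the origin server would
    if ".." in path.split("/") or any(ord(c) < 0x20 for c in path):
        return "block", "path traversal or control characters in target"
    return "allow", f"{method} {host}{url.path}"


def inspect_response(raw: bytes) -> Tuple[str, str]:
    """Inspect the server's reply before relaying it to the client."""
    try:
        start, headers, body = parse_http(raw)
    except ValueError as exc:
        return "block", f"malformed response ({exc})"
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        return "block", "content-length does not match body"
    for sig in SIGNATURES:
        if sig in body:
            return "block", "body matches a known malicious content signature"
    return "allow", start


def demo() -> Dict[str, str]:
    """Constructed requests and responses; returns the verdict for each."""
    eicar = SIGNATURES[0]
    requests = {
        "req_ok": b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "req_blocked_site": b"GET http://malware.example/payload.exe HTTP/1.1\r\nHost: malware.example\r\n\r\n",
        "req_traversal": b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
        "req_bad_method": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "req_dup_length": (b"POST http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n"
                           b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello"),
    }
    responses = {
        "resp_clean": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
        "resp_eicar": b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(eicar) + eicar,
    }
    verdicts = {name: inspect_request(msg)[0] for name, msg in requests.items()}
    verdicts.update({name: inspect_response(msg)[0] for name, msg in responses.items()})
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Every decision here needs the whole message reassembled and parsed, which is the trade the report describes: a proxy can refuse a denied site, a traversal attempt hidden behind percent-encoding, an ambiguous pair of Content-Length headers or a body matching a signature, none of which a network layer filter can see, but it terminates each connection and pays the CPU cost of parsing to do so.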