Firewall Fundamentals - page 19

Summary

Firewalls, regardless of how complex in design and implementation, have a simple responsibility to act as security policy enforcement points. Firewalls can do this by inspecting the data that is received and tracking the connections that are made to determine what data should be permitted and what data should be denied . In addition, firewalls can act as an intermediary and proxy requests to the protected host while at the same time providing a means of authenticating access to better ensure that only approved access is granted. Finally, firewalls can report and alert on events related to all of these processes to allow you, the administrator, to know what is going on with your firewall and the systems it is protecting.

Any number of motivations drive people to develop threats to our systems. By examining the threats and the appropriate responses, you can develop a security policy that minimizes the risk presented by a threat through the proper implementation and configuration of a firewall. Although a firewall cannot prevent all attacks, it is one of the best methods of protecting resources; and when in doubt, there is a good chance that a firewall can help make your resources even more secure than if there were no firewall at all.

Chapter 2. Firewall Basics

This chapter covers the basics of firewalls. Firewalls can be distinguished in a variety of ways: from the size of the network they are designed to operate in to the way they provide protection. This chapter examines the basic taxonomy of firewalls and uses the convention of classifying firewalls based on "size"personal or desktop firewalls, small office/home office (SOHO) firewalls, and enterprise-level firewalls. In addition, this chapter discusses the various ways firewalls defend the networks they are placed in, from simple packet filters to stateful packet filters to application proxies.

This chapter provides a high-level overview of the various firewall products discussed throughout the book.

Firewall Taxonomy

Firewalls come in various sizes and flavors. The most typical idea of a firewall is a dedicated system or appliance that sits in the network and segments an "internal" network from the "external" Internet. Most home or SOHO networks use an appliance-based device for broadband connectivity that includes a built-in firewall. In general, firewalls can be categorized under one of two general types:

Desktop or personal firewalls
Network firewalls

The primary difference between these two types of firewalls simply boils down to the number of hosts that the firewall protects. Within the network firewall type, there are primary classifications of devices, including the following:

Packet-filtering firewalls (stateful and nonstateful)
Circuit-level gateways
Application-level gateways

The preceding list describes general classes of firewalls but, as discussed later, many network firewalls represent hybrids of the preceding classifications. Many firewalls have characteristics that place them in more than one classification.

Figure 2-1 shows a breakdown of the various firewall types currently available. This figure does not provide complete details of the various capabilities within each firewall type but rather shows the general taxonomy of the different firewalls available in the two primary types: personal/desktop firewalls and network firewalls.

Figure 2-1. Firewall Taxonomy

Given these various firewall types available, users may have a hard time identifying exactly what they need. In many cases, costs represent a driving factor in the purchase of a firewall, but knowing which types of firewalls are available and what capabilities they provide helps users make a more informed final decision.

Personal Firewalls

Personal firewalls are designed to protect a single host from unauthorized access. Over the years , this has evolved so that modern personal firewalls now integrate additional capabilities such as antivirus software monitoring and in some cases behavior analysis and intrusion detection to protect the device. Some of the more popular commercial personal firewalls include BlackICE as well as Cisco Security Agent. In the SOHO market Trend Micro's PC-cillin, ZoneAlarm, and the Symantec personal firewall are some of the more popular offerings. Microsoft's Internet Connection Firewall is also among the top personal firewalls installed because of the install base of machines running Windows XP with Service Pack 2.

Whereas personal firewalls make immense sense in the SOHO and home user market because they provide the end user protection as well as control of the policy, in the enterprise the issues are more complex. Perhaps the biggest concern for enterprise users with regard to personal firewalls is the ability to provide a centralized policy control mechanism for the firewall. The need to centralize policy control is critical to the use of personal firewalls in an enterprise environment to minimize the administrative burden. What is administrative burden ? As the number of firewalls deployed in an organization increases , the network administrator must be concerned with the proper configuration and monitoring of each one of these firewalls. Therefore, it is extremely important that as the number of firewalls increases, the ability to administer them does not become overly burdensome. By centralizing policy control and monitoring, many vendors have eased the effort of properly configuring the firewall policy and of monitoring the events.

Network Firewalls

Network firewalls are designed to protect whole networks from attack. Network firewalls come in two primary forms: a dedicated appliance or a firewall software suite installed on top of a host operating system. Examples of appliance-based network firewalls include the Cisco PIX, the Cisco ASA, Juniper's NetScreen firewalls, Nokia firewalls, and Symantec's Enterprise Firewall. The more popular software-based firewalls include Check Point's Firewall-1 NG or NGX Firewalls, Microsoft ISA Server, Linux-based IPTables, and BSD's pf packet filter. The Sun Solaris operating system has, in the past, been bundled with Sun's enterprise firewall, SunScreen. With the release of Solaris 10, Sun has begun bundling the open source IP Filter (IPF) firewall as an alternative to SunScreen.

Many network firewalls provide enterprise users the maximum flexibility and protection in a firewall system. These firewalls have over the past few years incorporated many new features such as in-line intrusion detection and prevention as well as virtual private network (VPN) termination capabilities both for LAN-to-LAN VPNs as well as remote-access-user VPNs. Another feature that has been introduced into network firewalls is a deep packet-inspection capability. The firewall can identify traffic requirements not just by looking at Layer 3 and Layer 4 information but by delving all the way into the application data so that the firewall can make decisions as to how to best handle the traffic flow. This evolution in firewall design and capabilities has led to the development of a new firewall product, the integrated firewall, which is covered in more detail in the next section.

Buy on amazon.com >>

Noonan W.J., Dubrawsky I.

<< Previous page

Table of contents

Next page >>