A Brief Taxonomy of Firewalls (presentation transcript)
1 A Brief Taxonomy of Firewalls
A network firewall, as defined in the "NSA Glossary of Terms Used in Security and Intrusion Detection" written by Stocksdale, is a "system or combination of systems that enforces a boundary between two or more networks."
Firewalls operate at different layers, using different criteria to pass or restrict traffic:
The lowest layer at which a firewall can operate is layer 3. In the OSI model and the TCP/IP model, this is the network layer. This layer is concerned with the routing of packets to their destination.
The highest layer at which a firewall can operate is the application layer. In the OSI model and the TCP/IP model, this is the topmost layer.
3 Types of Firewalls
Packet filtering firewalls: Packet filtering firewalls are the most basic type of firewall. They work at the lowest level of the protocol stack possible. A packet filtering firewall receives packets and decides their fate based upon a set of rules that are usually in the form of access control lists.
Packet filtering firewalls also offer port-level NAT (Network Address Translation), or PAT, for added security. On the firewall, IP packets coming into a specific port number are rewritten and forwarded to the internal server providing the requested service. The reply packets from the server are rewritten to make it appear as if they originated on the firewall.
Some of the more common items packet filters can act upon are:
- Source address (e.g., pass in all packets from through but all other packets are blocked)
- Destination address (e.g., packets bound for are not permitted to pass)
- Source and destination port number (e.g., all TCP packets bound for port 80 [the HTTP port] would be permitted in, but TCP packets bound for ports [NetBIOS/NetBEUI] would be blocked)
4 Two advances in packet filtering firewalls came about: dynamic packet filtering and stateful inspection.
Dynamic packet filtering: Dynamic packet filters open and close apertures in the firewall based on header information in the packet. Once a series of packets has passed through the aperture to its destination, the firewall closes the aperture.
Stateful inspection: Stateful inspection in a packet filtering firewall analyzes the network traffic that traverses it. A packet filtering firewall with stateful inspection has the ability to peer inside a packet to allow certain types of commands within an application while disallowing others. For example, a stateful packet filtering firewall can allow the FTP "GET" command while disallowing the "PUT" command.
5 Circuit-level Firewalls: A circuit-level firewall is a second generation firewall that validates TCP and UDP sessions before opening a connection. Once a handshake has taken place, it passes everything through until the session is ended. Circuit-level firewalls operate at the session layer of the OSI model, the transport layer of the TCP/IP model.
The firewall maintains a table of valid connections, which includes session state and sequencing information, and lets network packets containing data pass through when the network packet information matches an entry in the virtual circuit table. When a connection is terminated, its table entry is removed and the virtual circuit between the two peers is closed.
A circuit-level firewall maintains two connections per session, one between client and firewall and one between firewall and server.
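The access-control-list rules of slide 3, the opening and closing of apertures of slide 4, and the virtual circuit table of slide 5 worked through in one added Python example. This is not code from the presentation or from any firewall product; the ACL entries, addresses, ports and packet sequence are constructed for illustration, and the filter is deliberately minimal (a FIN or RST from either side closes the circuit outright).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}


# Constructed access control list: (source prefix, protocol, destination port, action).
# First match wins; anything not expressly permitted is denied.
ACL = [
    ("10.0.0.", "tcp", 80, "permit"),   # internal hosts may open HTTP connections
    ("any", "tcp", 139, "deny"),        # NetBIOS session service is blocked for everyone
]


def acl_decision(pkt: Packet) -> str:
    """Static packet filter: match header fields against the ACL, default deny."""
    for src, proto, dport, action in ACL:
        if (src == "any" or pkt.src.startswith(src)) and proto == pkt.proto and dport == pkt.dport:
            return action
    return "deny"


class StatefulFilter:
    """Dynamic filter with a virtual circuit table keyed by the 5-tuple.
    A permitted SYN opens an aperture; packets in either direction that match
    the entry pass; a FIN or RST removes the entry and closes the aperture."""

    def __init__(self):
        self.table = {}  # 5-tuple -> "open"

    def handle(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)  # reply direction
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            if pkt.flags & {"FIN", "RST"}:  # session ended: close the circuit
                del self.table[key]
            return "permit"
        # No circuit yet: only a SYN that the ACL permits may open one.
        if pkt.proto == "tcp" and pkt.flags == {"SYN"} and acl_decision(pkt) == "permit":
            self.table[fwd] = "open"
            return "permit"
        return "deny"


def run_trace(packets) -> list:
    """Feed a packet sequence through one filter and return the decision for each."""
    fw = StatefulFilter()
    return [fw.handle(p) for p in packets]
```

Note that the SYN/ACK reply is passed only because the client's SYN created an entry; replayed after the FIN it is denied, which is the aperture closing.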
6 Application-level Firewalls: Application-level firewalls are so called because they operate at the application layer of the protocol stack. An application-level firewall runs a proxy server application acting as an intermediary between two systems. Consequently, application-level firewalls are sometimes referred to as proxy server firewalls.
An internal client sends a request to the server running on the application-level firewall to connect to an external service such as FTP or HTTP. The proxy server evaluates the request and decides to permit or deny it based on a set of rules that apply to the individual network service. Proxy servers understand the protocol of the service they are evaluating. Thus, they only allow through packets that comply with the protocol for that service.
Since a proxy server is a program executing in the context of a process, it has several advantages over packet filtering firewalls or circuit-level firewalls executing in kernel mode. It can read and write files, fork/exec copies of other programs or itself, and create log entries.
7 An application-level firewall, by its very nature, implements the security policy of "that which is not expressly permitted is forbidden."
Application-level firewalls are typically slower than their packet filtering or circuit-level firewall counterparts. To alleviate this performance problem, the adaptive proxy firewall was developed and incorporated into application-level firewalls. Adaptive proxy firewalls combine a proxy server operating at the application layer and a dynamic packet filter operating at the network layer. Even though the adaptive proxy firewall uses a packet filter, the proxy server makes all security decisions.
When a new connection comes in, the dynamic packet filter notifies the proxy server and provides it with the connection data. After processing the received data and comparing it against its rules, the proxy server directs the dynamic packet filter to accept or reject the connection. Packets then flow at the network layer as in a traditional packet filter, with the same performance level as a packet filter.
8 The resource is part of the SANS (SysAdmin, Audit, Network, Security) Institute, The Trusted Source for Computer Security Training, Certification and Research. The resource has a brief description of the evolution of the various types of firewalls and their advantages and disadvantages. For beginners in network security it is must-read documentation.