Network Firewalls Or Hardware Firewalls | Part 2


Proxy Firewall

Here the firewall acts as a proxy between the source and target system, appearing to at least one of the two sides as the supposed communication partner. Unlike a routing firewall, it terminates the connections on both sides (there are thus two separate connections), which means that it does not simply forward the communication but conducts it itself.

It can therefore analyze the content of the network packets in context, filter requests and adjust them where necessary, and also decide whether, and in what form, the response from the target is passed on to the actual client.
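The behaviour just described, as an added example that is not part of the original article: a small Python model of a proxy firewall for HTTP. The client's connection ends at the firewall, which parses and adjusts the request, hands it over a separate connection to the target (modelled here by the `upstream` callable, an assumption of this example rather than real sockets), and then decides whether and in what form the target's response goes back to the client. The allowed methods, the stripped `x-debug` header and the permitted response types are a constructed policy for illustration.

```python
"""Model of a proxy (application-layer) firewall: the client connection is
terminated here, the request is parsed and adjusted, a *separate* connection
is made to the target (modelled by the 'upstream' callable), and the firewall
then decides whether and in what form the response reaches the client.
Example code added to this article, not from the original; the policy below
is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)   # lower-cased names
    body: bytes = b""


def parse_http(raw: bytes) -> HttpMessage:
    """Minimal HTTP/1.1 parser (no chunked encoding; enough for the demo)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def serialize_http(msg: HttpMessage) -> bytes:
    head = msg.start_line + "".join(f"\r\n{k}: {v}" for k, v in msg.headers.items())
    return head.encode("iso-8859-1") + b"\r\n\r\n" + msg.body


class ProxyFirewall:
    ALLOWED_METHODS = {"GET", "HEAD", "POST"}
    ALLOWED_RESPONSE_TYPES = {"text/html", "text/plain", "application/json"}

    def __init__(self, upstream: Callable[[bytes], bytes]):
        self.upstream = upstream   # stands in for the firewall's own connection to the target
        self.log: List[str] = []

    def _reject(self, status: str, reason: str) -> bytes:
        """Answer the client ourselves; the target never sees this request."""
        self.log.append(f"DENY {reason}")
        return serialize_http(HttpMessage(f"HTTP/1.1 {status}",
                                          {"content-length": "0", "connection": "close"}))

    def handle(self, raw_request: bytes) -> bytes:
        req = parse_http(raw_request)
        parts = req.start_line.split(" ")
        if len(parts) != 3:
            return self._reject("400 Bad Request", "malformed request line")
        method, path, _version = parts
        # 1. Filter the request on content a packet filter could not see.
        if method not in self.ALLOWED_METHODS:
            return self._reject("405 Method Not Allowed", f"method {method}")
        if ".." in path:
            return self._reject("403 Forbidden", f"dot-dot segment in {path}")
        # 2. Adjust the request before it goes out on the second connection.
        req.headers.pop("x-debug", None)          # internal-only header must not leak out
        req.headers["via"] = "1.1 proxy-fw"
        raw_response = self.upstream(serialize_http(req))
        # 3. Decide whether, and in what form, the target's answer reaches the client.
        resp = parse_http(raw_response)
        ctype = resp.headers.get("content-type", "").split(";")[0].strip()
        if ctype not in self.ALLOWED_RESPONSE_TYPES:
            return self._reject("403 Forbidden", f"response type {ctype!r}")
        resp.headers.pop("server", None)          # hide the target's software version
        self.log.append(f"ALLOW {method} {path} -> {resp.start_line}")
        return serialize_http(resp)


def demo_target(raw_request: bytes) -> bytes:
    """Constructed stand-in for the target system on the firewall's second connection."""
    path = parse_http(raw_request).start_line.split(" ")[1]
    if path == "/setup.exe":
        return serialize_http(HttpMessage("HTTP/1.1 200 OK",
            {"server": "demo/1.0", "content-type": "application/x-msdownload",
             "content-length": "2"}, b"MZ"))
    return serialize_http(HttpMessage("HTTP/1.1 200 OK",
        {"server": "demo/1.0", "content-type": "text/html", "content-length": "5"}, b"hello"))


if __name__ == "__main__":
    fw = ProxyFirewall(demo_target)
    print(fw.handle(b"GET /index.html HTTP/1.1\r\nHost: intranet\r\nX-Debug: 1\r\n\r\n"))
    print(fw.handle(b"TRACE / HTTP/1.1\r\nHost: intranet\r\n\r\n"))
    print(fw.handle(b"GET /setup.exe HTTP/1.1\r\nHost: intranet\r\n\r\n"))
    print(fw.log)
```

The point the model makes is that every decision is taken on a parsed message, not on packet headers: the disallowed method and the executable response are refused by the firewall itself, and the client only ever sees a response the firewall chose to send.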

The hardware component of each of these firewall types has multiple network interfaces (typically 2 to 20), each connected to one of the network segments being separated. Depending on the product, these can be divided into the following network and trust zones:

The external network (WAN)

Usually the Internet, but it may also be another customer's network. It is regarded as untrusted (no trust).

The internal network (LAN)

From the firewall's perspective this is its own network, which must be protected and which the firewall regards as trustworthy (high level of trust).

Network management (optional)

This network connection is optional. All access to the configuration of the firewall system, to the rule set and to other administrative functions takes place from here (absolute trust). This network ensures that the firewall cannot simply be reconfigured from the internal network.

The “demilitarized zone” (DMZ)

This (also optional) network connection is for servers (hosts) that are accessible from the external network (low trust). These servers can establish no, or only limited, connections to the internal network on their own, whereas internal clients typically have access to these servers just as clients from the Internet do. The advantage is that, should such a server be compromised from the external network, no direct access to the internal network is possible from there.

Larger companies often have multiple firewalls and DMZs, each with different rights, in order to separate, e.g., easily vulnerable web servers and mail servers from the servers holding the data for the sales staff.

The “exposed DMZ” (also briefly “DMZ”) and the “exposed host”

The designation “exposed DMZ” (“exposed demilitarized zone”) suggests that this is a separate network, although in fact only the virtual network connection is assigned to a single internal computer. Depending on the manufacturer, this “zone” is sometimes briefly referred to as “DMZ” (without “exposed”), but it has nothing in common with a real DMZ, nor with a separate network zone.

Rather, some manufacturers misuse the term “DMZ” for a different functionality, which is known in professional circles as an exposed host. Many cheap devices do not provide the technical prerequisites for a true DMZ for cost reasons, yet their product is nevertheless advertised with the wrong technical term.

All packets from the external network that cannot be assigned to any other recipient are forwarded to this exposed host. It is thus reachable on the firewall's external address on all of its ports from the Internet, giving participants on the Internet almost full access to all of its network services.

However, once this exposed host has been compromised by an intruder, the firewall's protection for all other internal participants is lost, since from there unhindered access to the internal network is possible. It is thus an element with a low level of trust (the exposed host), which properly belongs in a true DMZ, placed in the midst of an area with a high level of trust (the internal network).
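The zone model listed above (WAN, LAN, management network, DMZ) and the exposed-host problem just described, as one added example that is not part of the original article: a Python model of a zone-based packet filter. Zone names, address ranges (10.0.0.0/8 and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the rule set and the published services are all constructed for illustration and are not from any real product. The same object can be built with or without an exposed host, which makes the difference between a true DMZ and an exposed host visible in the decisions it returns.

```python
"""Zone-based packet-filter model of the network and trust zones described in
this article (WAN, LAN, management, DMZ) plus the 'exposed host' variant.
Example code added to this article, not from the original; all addresses and
rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: Optional[FrozenSet[int]] = None   # None means any destination port
    action: str = "accept"


class ZoneFirewall:
    def __init__(self, zones: Dict[str, str], fw_addrs: List[str], external_addr: str,
                 rules: List[Rule], port_forwards: Dict[int, str],
                 exposed_host: Optional[str] = None):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.fw_addrs = {ip_address(a) for a in fw_addrs}
        self.external_addr = external_addr
        self.rules = rules
        self.port_forwards = port_forwards   # published DMZ services: port -> host
        self.exposed_host = exposed_host     # catch-all for unmapped inbound traffic
        self.log: List[str] = []

    def zone_of(self, addr: str) -> str:
        ip = ip_address(addr)
        if ip in self.fw_addrs:
            return "FW"                      # the firewall itself (administration)
        for name, net in self.zones.items():
            if ip in net:
                return name
        return "WAN"                         # everything unknown is the external network

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, effective destination) for one new connection attempt."""
        src_zone = self.zone_of(pkt.src)
        if src_zone == "WAN" and pkt.dst == self.external_addr:
            # Inbound to the external address: explicit publication first, then exposed host.
            target = self.port_forwards.get(pkt.dport) or self.exposed_host
            if target is None:
                self.log.append(f"drop WAN {pkt.src} -> {pkt.dst}:{pkt.dport} (no mapping)")
                return "drop", pkt.dst
            self.log.append(f"forward WAN {pkt.src} -> {target}:{pkt.dport}")
            return "accept", target
        dst_zone = self.zone_of(pkt.dst)
        if src_zone == dst_zone:
            # Traffic within one zone never crosses the firewall, so it is never filtered.
            return "accept", pkt.dst
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) and \
               (rule.dports is None or pkt.dport in rule.dports):
                self.log.append(f"{rule.action} {src_zone}->{dst_zone} "
                                f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
                return rule.action, pkt.dst
        self.log.append(f"drop {src_zone}->{dst_zone} {pkt.src} -> {pkt.dst}:{pkt.dport} (default)")
        return "drop", pkt.dst


def build_firewall(exposed_host: Optional[str] = None) -> ZoneFirewall:
    """Constructed example deployment; 203.0.113.0/24 is a documentation range."""
    return ZoneFirewall(
        zones={"LAN": "10.0.0.0/24", "DMZ": "10.0.1.0/24", "MGMT": "10.0.9.0/24"},
        fw_addrs=["10.0.0.1", "10.0.1.1", "10.0.9.1", "203.0.113.1"],
        external_addr="203.0.113.1",
        rules=[
            Rule("MGMT", "FW", frozenset({22, 443})),        # administration only from the management net
            Rule("LAN", "WAN"),                              # internal clients may reach the Internet
            Rule("LAN", "DMZ", frozenset({25, 80, 443})),    # ... and the published servers
            Rule("DMZ", "WAN", frozenset({25, 53})),         # DMZ servers: only mail relay and DNS outbound
            # no DMZ -> LAN and no WAN -> LAN rule: such traffic is dropped by default
        ],
        port_forwards={80: "10.0.1.10", 443: "10.0.1.10", 25: "10.0.1.20"},
        exposed_host=exposed_host,
    )


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.decide(Packet("198.51.100.7", "203.0.113.1", 80)))     # ('accept', '10.0.1.10')
    print(fw.decide(Packet("10.0.1.10", "10.0.0.5", 445)))          # ('drop', '10.0.0.5')
    fw = build_firewall(exposed_host="10.0.0.50")
    print(fw.decide(Packet("198.51.100.7", "203.0.113.1", 3389)))   # ('accept', '10.0.0.50')
    print(fw.decide(Packet("10.0.0.50", "10.0.0.5", 445)))          # ('accept', '10.0.0.5')
```

Two decisions carry the article's point. A DMZ server trying to reach the LAN is dropped because no DMZ→LAN rule exists, which is what limits the damage after a published server is compromised. The exposed host, by contrast, receives every unmapped inbound connection and sits inside the LAN zone, so its traffic to other LAN hosts never crosses the firewall and is accepted unseen. The management zone shows the third property: administrative ports on the firewall answer only to the MGMT zone, so a LAN host cannot reconfigure it.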

Besides the option of installing a software firewall (such as Check Point Firewall-1 or IPCop) on a suitable machine and hardening the operating system oneself, there is the option of using a firewall appliance: these offer a matched combination of hardware, hardened operating system and firewall software (such as Cisco ASA or Astaro Security Gateway).

Personal firewalls

A personal or desktop firewall is software installed locally on the computer to be protected. It controls the connection between the PC and the network the PC is attached to, and is thus able to filter network requests between the PC and the Internet as well as the traffic between the PC and the local network.

Installation on the protected computer also allows filtering by application or by user ID. Direct access to the monitored system extends the capabilities of this software considerably. Conversely, however, programs running on the same hardware as the firewall also have far more possibilities to manipulate and circumvent it than they would with an external firewall. A desktop firewall can therefore only supplement an external firewall, not replace it.

The protective effect of personal firewalls is controversial: on the one hand it can block unwanted traffic, but on the other hand errors in its own code can themselves endanger the computer.
