A firewall can be using different methods to distinguish desirable from undesirable network traffic, of which not every product supports all. The technologies used will be briefly described below:
Packet filter: packet filtering, firewall rules
The simple filtering of data packets based on destination port, source and destination address, etc. is the basic function of all network firewalls. Testing is done by using firewall administrator-defined rules. In the one data packet header information on OSI layer 2 are analyzed to 4 and used as filter criteria. In the following exemplary filter rules should be noted that not really in accordance with those protocols, but the corresponding TCP or UDP ports are filtered:
- From the Internet to the mail server in the DMZ mail services (SMTP – TCP port 25, POP3 – TCP port 110 to allow IMAP – TCP port 143).
- The mail server from the DMZ can send emails to the Internet via SMTP and make DNS queries.
- Are from the local network administration services (SSH, Remote Desktop, Backup – TCP port 22) allows the mail server.
- All other packets in or out of the DMZ are written to a log file and then discarded.
The filtering decisions are taken for each package individually and independently. This type of filtering is now implemented in most routers, and switches from OSI Layer 3.
Stateful Inspection / Stateful Packet Inspection
Stateful inspection (stateful) is an advanced form of packet filtering, performs at the OSI layer a short header analysis, to create a state table of all network connections. This makes the firewall detects relationships between the packages and may include active in the relationship with the associated connection.
Thus it succeeds in establishing a connection to recognize if and when the internal client communicates with the external target system and can only answer to it. Sends the target system, i.e., data that were not requested by the internal client, then the firewall blocked the transfer even if a connection exists between the client and the target system. This distinguishes it from an ordinary solid firewall packet filtering.
Unlike a proxy, the connection is not affected themselves.
Application layer firewall / proxy firewall / Web Application Firewall
A respected application layer firewall (ALF) in addition to the pure traffic as source, destination or service or the content of network packets at the OSI layer 7 This allows the use of so-called dedicated proxies, allowing for specialized content filtering, or even a malware-scan.
Contrary to a popular misunderstanding of the basic task of an ALF is not to specific applications (programs) to grant access to the network or prohibit. Application The name was derived solely from the application layer of the OSI layer 7th.
However, a circuit level proxy can be placed on such a firewall, which only supports one protocol-port and address filtering, a (possible) authentication for the connection, without which an application is not possible to communicate with the external network (internet).
A firewall can use a content filter the user data to evaluate a compound. Applications can be, for example:
- Block viruses or Trojan horses into web pages
- Filtering of confidential company information (e.g., financial data)
- Blocking of unwanted web sites using key words
- Block unwanted application protocols (e.g., file sharing)
Most systems allow only the definition of very simple rules but the problem is very complex but in principle and the concept is perhaps not completely technically feasible.
For example, should really be completely filtered out confidential information from such data to unauthorized systems, it would have only the technical problem to be solved, such as confidential or steganographic encoded information can be detected and filtered.
Despite the current firewall systems in fairly simple rules designed to execute can be very complex: Often, individual packages must be assembled so that the considered traffic (e.g., detected web pages) as a whole, can be searched and possibly changed. Subsequently, the data must again be divided into individual packets and forwarded.
ALF uses built-in proxies, which build the basis of their functioning vicariously for the clients to connect to the target system. For the server as the sender, only the IP address of the proxy and not the client’s profile. The structure of the LAN from the Internet is thus not evident.
For each higher level communication protocol (HTTP, FTP, DNS, SMTP, POP3, MS-RPC, etc.) there is a separate, dedicated proxy ‘. On a single ALF can run multiple, dedicated proxies simultaneously ‘. It can also prevent unwanted protocol options, such as in an SMTP transaction is not BDAT, VRFY or the like. Allow.
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems (IDS) and intrusion prevention systems (IPS) are increasingly integrated into firewalls. Both recognize a burglary attempt on the basis of communication patterns. The difference is that IDS identifies attack detections and IPS prevent attempts to block the attack.
Such a system can, but sometimes the only option for creating a Denial of Service attack. For example, some systems place a temporary firewall rule on that block all further connection attempts from the putative attacking IP address. But now, an attacker sends packets with a spoofed sender address to your system so it can reach so that access to the fake address is no longer possible. He can turn all the addresses from the compromised system foreclose the need for this to work (DNS servers, etc.).
Latest posts by Santosh (see all)
- Cloud Computing: The Concept and Examples of its Virtual Services | Part 1 - July 23, 2012
- Why Rapidly Growing Companies Need Cloud Computing | Part 1 - July 22, 2012
- Web Designing Process | Strategic Planning | Part 1 - August 7, 2011