Network Firewalls Or Hardware Firewalls | Part 4


Network Address Port Translation / Port Address Translation

Most firewalls for the private sector allow several computers to be connected to the Internet through one router using dynamic Network Address Port Translation (NAPT, also called PAT). The primary goal is to let several computers with private IP addresses (e.g., from a private /16 or similar range) reach the Internet through a single public IP address. Unlike a proxy, NAPT merely forwards the packets; it cannot analyze their content.

NAPT can be regarded only as a rudimentary security technology: the computers in the LAN are protected in so far as the Internet cannot easily open connections to them. This protection can be circumvented when the firewall software has to associate individual connections with each other, as is necessary for FTP and SIP, for example. The protection afforded by a professional packet filter is not achieved by NAPT alone.
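The following toy translator is an added illustration of the point above; it is not code from the original article, and the public address, LAN addresses, ports and port-allocation scheme are constructed. It shows why unsolicited packets from the Internet are dropped by a plain NAPT table, and why an FTP data connection opened by the server (active mode) is dropped too unless the firewall associates it with the control connection.

```python
"""Toy dynamic NAPT (PAT) table: one public address shared by a private LAN."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NAPT:
    """Rewrites LAN sources to public_ip:port and only lets matching replies back in."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port   # constructed allocation scheme: sequential ports
        self.out = {}   # (proto, src, sport, dst, dport) -> allocated public port
        self.back = {}  # (proto, public port, remote ip, remote port) -> (src, sport)

    def outbound(self, pkt):
        """LAN -> Internet: allocate a public port for the flow and rewrite the source."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: forward only if an outbound flow created the mapping, else drop."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.back.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # unsolicited: no LAN host asked for this, so it is dropped
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.proto)


def demo():
    nat = NAPT("203.0.113.5")  # constructed public address (TEST-NET-3 documentation range)
    web = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", web.sport))
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 40001))
    # The FTP control connection goes out normally. In active mode the server then
    # opens the data connection itself from port 20; plain NAPT has no mapping for
    # it and drops it, so FTP only works if the firewall associates the two connections.
    nat.outbound(Packet("192.168.1.10", 51001, "198.51.100.7", 21))
    ftp_data = nat.inbound(Packet("198.51.100.7", 20, "203.0.113.5", 40001))
    return {"web": web, "reply": reply, "unsolicited": unsolicited, "ftp_data": ftp_data}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, "->", pkt if pkt else "DROPPED")
```

The mapping key includes the remote address and port, so only the peer a LAN host actually contacted can send packets back through the allocated public port; everything else, including a helper-less FTP data connection, falls through to the drop case.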

Other features and aspects

Anti-spoofing (ingress filtering)

An important function of firewalls is to prevent IP spoofing. Since filtering is based essentially on IP addresses, it must be ensured as well as possible that these addresses are not forged. Firewalls with anti-spoofing functionality therefore offer the possibility of assigning specific IP addresses and networks to particular network interfaces. The Internet interface is then automatically assigned all IP addresses that are not used elsewhere.

IP packets that arrive at the wrong interface are logged and discarded. A firewall with an Internet connection can discard all packets from and to private IP addresses (RFC 1918) on the Internet interface, because they are not routed on the Internet anyway. IP spoofing with these addresses from the Internet is thus excluded. Although the assignment of IP networks to specific network interfaces should in fact be unambiguous, in practice problems sometimes occur with dual-homed hosts and with asymmetric routing (outbound and return packets taking different paths).
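The filter below is an added example of the interface-to-network assignment just described; it is not code from the original article, and the interface names, prefixes and sample packets are constructed. Each interface is given the networks that belong behind it, the Internet interface implicitly receives everything else, RFC 1918 addresses are refused on the Internet interface, and a packet whose source belongs to a different interface is logged and dropped.

```python
"""Anti-spoofing (ingress) filter based on interface <-> network assignment."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class IngressFilter:
    def __init__(self, assignments, internet_if):
        # assignments: interface name -> list of prefixes expected behind that interface
        self.assign = {ifc: [ipaddress.ip_network(p) for p in nets]
                       for ifc, nets in assignments.items()}
        self.internet_if = internet_if
        self.log = []

    def expected_interface(self, src):
        """The interface a packet with this source address must arrive on."""
        addr = ipaddress.ip_address(src)
        for ifc, nets in self.assign.items():
            if any(addr in n for n in nets):
                return ifc
        return self.internet_if  # everything not assigned elsewhere belongs to the Internet side

    def check(self, ingress_if, src, dst):
        """Return True to accept the packet, False (and a log line) to drop it."""
        src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if ingress_if == self.internet_if:
            # Private ranges are not routed on the Internet: such packets are spoofed
            # or misconfigured, never legitimate.
            if any(src_a in n or dst_a in n for n in RFC1918):
                self.log.append(f"DROP rfc1918 on {ingress_if}: {src} -> {dst}")
                return False
        want = self.expected_interface(src)
        if want != ingress_if:
            self.log.append(f"DROP spoofed: {src} arrived on {ingress_if}, expected {want}")
            return False
        return True


def demo():
    # Constructed topology: LAN and DMZ each get their own /24, inet0 faces the Internet.
    f = IngressFilter({"lan0": ["192.168.10.0/24"], "dmz0": ["192.168.20.0/24"]},
                      internet_if="inet0")
    results = {
        "lan_ok": f.check("lan0", "192.168.10.5", "198.51.100.7"),
        "inet_ok": f.check("inet0", "198.51.100.7", "203.0.113.5"),
        "private_from_inet": f.check("inet0", "192.168.10.5", "203.0.113.5"),
        "public_from_lan": f.check("lan0", "198.51.100.7", "192.168.20.9"),
        "dmz_src_on_lan": f.check("lan0", "192.168.20.9", "192.168.10.5"),
    }
    return results, f.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

Note the dual-homed-host caveat from the text: a host legitimately reachable over two interfaces, or a path where return traffic takes a different route, will trigger the "expected" mismatch, so such cases need an explicit assignment rather than being left to the Internet-side default.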


Since filtering based on IP addresses can never be fully trusted because of potential IP spoofing, some firewalls offer the ability to authenticate users and to enable certain rules only after successful authentication, with those rules expiring again after a set time. For strong authentication, the Check Point Firewall-1 and the Juniper Networks firewalls, for example, support SecurID tokens from RSA Security.

High Availability

Because of the importance of the Internet, firewalls have become critical network components in many companies, and some are even a single point of failure for important business processes. For this reason, attempts are made to reduce the risk of failure with high-availability techniques such as failover or cluster operation.

Another advantage of these techniques is that individual firewalls can be taken out of service for maintenance or software updates without interrupting connections. Often the same solutions are used as for fault-tolerant routers (for example HSRP, VRRP or CARP), or specific products such as RainWall from EMC2.

In the failover case there are two ways in which the stateful inspection firewall that takes over handles the existing connections. One method is that all firewalls constantly synchronize their dynamic connection tables with each other, so that each firewall is able to assign all connections correctly. The other method works without synchronization, but after the switch-over all existing connections are checked again by the receiving firewall against the rules.

This solution is simpler, but it causes problems for complex protocols such as passive FTP. Because the ports negotiated for the data connections are random, the receiving firewall cannot assign these packets to any known connection and will usually reject them.

Synchronization of the connection tables is provided, among others, by the firewalls from Check Point, by OpenBSD (pfsync) and by Linux (ct_sync).
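To make the passive-FTP failure mode concrete, the following simulation is added here; it is not code from the original article or from any of the products named, and the rule set, addresses, ports and the negotiated data port are constructed. The active member admits the FTP control connection by rule and, through a protocol helper, pre-admits the negotiated data connection. After failover the standby either has the synchronized state (both connections survive) or re-checks packets against the static rules (the control connection to port 21 is re-admitted, the data connection to the random port is not).

```python
"""Failover with and without connection-table synchronization (constructed scenario)."""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Static rule set shared by both cluster members: the LAN may open FTP control
# connections (TCP port 21) to anywhere; nothing else is allowed outbound.
RULES = [("tcp", LAN_NET, 21)]


def rule_allows(proto, src, dport):
    return any(proto == p and ipaddress.ip_address(src) in net and dport == port
               for p, net, port in RULES)


class StatefulFirewall:
    def __init__(self, name):
        self.name = name
        self.state = set()  # known connections as (proto, src, sport, dst, dport)

    def handle(self, proto, src, sport, dst, dport):
        """Accept packets of known connections or of new ones permitted by a rule."""
        key = (proto, src, sport, dst, dport)
        if key in self.state:
            return True
        if rule_allows(proto, src, dport):
            self.state.add(key)
            return True
        return False  # neither known nor permitted: rejected

    def ftp_helper_expect(self, src, sport, dst, dport):
        """Stand-in for a protocol helper that read the PASV reply on the control
        connection and therefore pre-admits the data connection on the negotiated port."""
        self.state.add(("tcp", src, sport, dst, dport))

    def sync_from(self, peer):
        """Connection-table synchronization from the active member."""
        self.state |= peer.state


def failover_scenario(synchronize):
    active, standby = StatefulFirewall("fw-a"), StatefulFirewall("fw-b")
    client, server, data_port = "192.168.1.20", "198.51.100.30", 50123  # constructed
    active.handle("tcp", client, 41000, server, 21)             # control connection
    active.ftp_helper_expect(client, 41001, server, data_port)  # passive-mode data connection
    if synchronize:
        standby.sync_from(active)
    # fw-a fails; fw-b now sees the packets of both connections in flight.
    return {
        "control": standby.handle("tcp", client, 41000, server, 21),
        "data": standby.handle("tcp", client, 41001, server, data_port),
    }


if __name__ == "__main__":
    print("with sync:   ", failover_scenario(True))
    print("without sync:", failover_scenario(False))
```

The re-check method only keeps the connections that a static rule would have permitted in the first place; state that existed solely because a helper derived it from another connection cannot be reconstructed from the rules, which is exactly the passive-FTP case.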

High-security environments

Different installations have different security requirements. In the military, for example, or wherever a lot of money is involved (banks, stock exchanges, etc.), there are demands for high security, and multi-stage solutions are therefore often used. A network packet passes through several systems connected in series with largely the same firewall configuration.

A variety of hardware architectures and different operating systems and firewall implementations are used here, so that systematic errors by programmers or manufacturers, bugs and loopholes lose much of their effectiveness. Very few attackers know all the loopholes in all products.

In addition, when open-source products are used, an audit and a proper compilation of the source code can be performed, which largely excludes backdoors. In general, however, tunneling is a considerable risk precisely here, so all traffic must be explicitly regulated by white-lists and any traffic that is not strictly required must be stopped. One hundred percent certainty, however, can be provided only by the physical separation of the networks.


