An example of firewall is the block diagram in fig.1. In this block diagram there is private network consisting of 2 servers and a client and an external client connected through the internet. For an example if in the private network there is FTP server, the Firewall could be configured to deny access to the external client who is trying to download file.
Figure 1
Firewalls are working on the different layers of the OSI model and they cover all 7 layers. Mostly the firewalls work on the network and transport layer, where they explore the packet datagram of TCP/IP protocols and make decisions regarding the IP address of the sender or the destination, the port number of which the packet is received or will be sent to, or any other combination of those parameters. The firewalls working on the application layer take care of issues like spam, computer viruses and Trojans looking for them in the packet’s relation to information.
More deeply there are several type classifications of the firewalls depending on where the communication is taking place and the state that is being traced for taking action against it. They are Network layer and packet filters, Application-layer, Proxies and Network address translation (NAT).
The Network layer firewall or also called packet filters operate at very low level of the TCP/IP stack, and their aim is to block the passing of packets, which do not match the rules set by the administrator, through the firewall.
There are 2 sub-categories of the network layer firewalls – stateful and stateless. The stateful firewalls focus on the active sessions which provide speed at the packet processing. The existing network connections can be described by several properties – source and destination IP address, UDP or TCP ports, and the current stage of the connection lifetime (session initiation, handshaking, data transfer or complete connection). If a packet does not match an existing connection, it will be redirected for new connection and if it does, it will be allowed to pass without further processing.
The stateless firewalls are faster for simple filters and they require less memory. They also may take part at filtering stateless network protocols that have no concept of a session. Their main disadvantage is that they can’t make more complex decisions on what stage communications between hosts have reached.
The application layer firewalls work on the application level of the TCP/IP stack. They provide security in delivering packets of applications such as FTP and Telnet servers and block the not related packets (usually dropping them without acknowledgement to the sender). Application firewalls also inspect all packets for containing improper content like computer worms and Trojans.
In general the application firewalls prevent the protected machines from unwanted outside traffic.
The Proxies sometimes are used as firewall and upon that usage they are responsible for responding to connection requests like an application, while blocking packets from other unwished connections. The proxy effectively hides the true IP address of the user.
Network Address Translation (NAT) is the process in which the information in the IP’s datagram header is rewritten by a router or firewall. In this way many hosts of a private network can reach the internet while using one and the same IP address. NAT is used for hiding IP addresses of private networks.
Note: The diagram is hard to read due to some issues with the blogspot.com. If the reader has difficulties please contact on westside_gesh@abv.bg for recieving the jpeg file.
More deeply there are several type classifications of the firewalls depending on where the communication is taking place and the state that is being traced for taking action against it. They are Network layer and packet filters, Application-layer, Proxies and Network address translation (NAT).
The Network layer firewall or also called packet filters operate at very low level of the TCP/IP stack, and their aim is to block the passing of packets, which do not match the rules set by the administrator, through the firewall.
There are 2 sub-categories of the network layer firewalls – stateful and stateless. The stateful firewalls focus on the active sessions which provide speed at the packet processing. The existing network connections can be described by several properties – source and destination IP address, UDP or TCP ports, and the current stage of the connection lifetime (session initiation, handshaking, data transfer or complete connection). If a packet does not match an existing connection, it will be redirected for new connection and if it does, it will be allowed to pass without further processing.
The stateless firewalls are faster for simple filters and they require less memory. They also may take part at filtering stateless network protocols that have no concept of a session. Their main disadvantage is that they can’t make more complex decisions on what stage communications between hosts have reached.
The application layer firewalls work on the application level of the TCP/IP stack. They provide security in delivering packets of applications such as FTP and Telnet servers and block the not related packets (usually dropping them without acknowledgement to the sender). Application firewalls also inspect all packets for containing improper content like computer worms and Trojans.
In general the application firewalls prevent the protected machines from unwanted outside traffic.
The Proxies sometimes are used as firewall and upon that usage they are responsible for responding to connection requests like an application, while blocking packets from other unwished connections. The proxy effectively hides the true IP address of the user.
Network Address Translation (NAT) is the process in which the information in the IP’s datagram header is rewritten by a router or firewall. In this way many hosts of a private network can reach the internet while using one and the same IP address. NAT is used for hiding IP addresses of private networks.
Note: The diagram is hard to read due to some issues with the blogspot.com. If the reader has difficulties please contact on westside_gesh@abv.bg for recieving the jpeg file.
No comments:
Post a Comment