Cisco® CCNA Security Exam Notes : Different Firewall Technologies

5. Cisco Firewall Technologies

5.1 Different Firewall technologies

Application Layer Gateways

Application layer firewalls (also called proxy firewalls) are specific to the protocol that they are designed to forward and can provide increased access control. Sometimes, application layer firewalls support only a limited number of applications.

Application layer firewalls offer advantages:

1. Authenticate individuals, not devices

2. Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks

3. Can monitor and filter application data

4. Can provide detailed logging

The disadvantages are as follows:

1. Process packets in software, and may be slow

2. Support a small number of applications

3. Sometimes require special client software

4. Are memory- and disk-intensive

The Packet Filters work at Network Layer of OSI model.

1. The Application Layer Proxy works at the Application Layer of OSI model

2. Network Address Translation (NAT) is primarily used to hide internal network from external network, such as the Internet. A NAT basically translates the internal IP addresses to external IP addresses and vice-versa. This functionality assures that external users do not see the internal IP addresses, and hence the hosts.

3. A Firewall implemented with stateful technology (like Checkpoint Firewall) works at all layers of the OSI model.

DMZ is short for DeMilitalized Zone: If a company intends to host its own servers to be accessed from public Internet, a DMZ is most preferred solution. The network segment within the DMZ is secured by two firewalls, one interfacing with the public Internet, and the other interfacing the internal corporate network. Thus, a DMZ provides additional layer of security to internal corporate network. The type of servers that are hosted on DMZ may include web servers, email servers, file servers, DNS servers, etc.

Types of Firewalls

1. Packet Filtering Firewalls: Packet Filtering Firewalls work at theNetwork Layer of OSI Model. Packet Filtering Firewalls work on the Basis of Rules defined by Access Control Lists. They check all the Packets and screen them against the rules defined by the Network Administrator as per the ACLs. Advantages include lower cost and resource utilization.

2. Circuit Level Gateway Firewalls: Circuit level gateways are deployed at the Session layer of the OSI model and they monitor sessions like TCP three way handshake to see whether a requested connection is legitimate or not.

3. Application level Firewalls: Application level gateways work on the Application layer of the OSI model and provide protection for a specific Application Layer Protocol. Proxy server is the best example of Application Leyer Firewall. Application level firewalls can also be configured as Caching Servers which in turn increase the network performance and makes it easier to log traffic. They may also be used for reverse proxy server.

The following example illustrates the concept of reverse proxy:

Consider 3 systems as below.

  • X = your computer, or "client" computer on the internet
  • Y = the reverse proxy web site, proxy.example.com
  • Z = the web site you want to visit, www.example.net

Normally, one would connect directly from X -> Z.

However, in some scenarios, it is better for the administrator of z to restrict or disallow direct access, and force visitors to go through Y first. So, as before, we have data being retrieved by Y -> Z on behalf of X, which chains as follows: X -> Y -> Z.

What is different this time compared to a "forward proxy," is that this time the user X does not know he is accessing Z, because the user X only sees he is communicating with Y. The server Z is invisible to clients and only the reverse proxy Y is visible externally. A reverse proxy requires no (proxy) configuration on the client side.

The client X thinks he is only communicating with Y (X -> Y), but the reality is that Y forwarding all communication (X -> Y -> Z again).

Reverse proxy is also useful in cloud environment, where you have multiple computers sharing the load.

4. Stateful Multilayer Inspection Firewalls: Stateful multilayer Inspection Firewall is a combination of all the firewalls that work at different layers of OSI model. They can Filter packets at Network layer using ACLs, check for legitimate sessions on the Session Layers and they also evaluate packets on the Application layer. Stateful Multilayer Inspection firewall can also implement algos that are protocol specific, making the connections and data transfer more secure.

Compare stateful vs stateless firewall

  • A Stateful firewall remembers the state of a connection (for example, a client going out to a web server) and dynamically allows the return traffic back to the client.
  • Provides more control over which packets are allowed through and which are blocked than a stateless firewall
  • It is fairly easy to spoof packets and get them to pass through a stateless firewall whereas it is difficult to do the same across a stateful firewall
  • The stateful firewall keeps a track of all tcp connections made through the firewall and knows which IP addresses are currently being connected to. It also knows which unprivileged ports are used either side of the firewall it blocks any packet not using these IP addresses and port numbers and it tracks TCP flags (ack, syn, fin, data etc).

Previous   Contents   Next