CertiGuide to Security+, Chapter 3: Infrastructure Security (Domain 3.0; 20%), Section 3.1 Devices

3.1.1  Firewalls

In the non-computer world, a firewall is a fireproof wall used as a barrier to prevent the spread of fire.[263] In the computer world, it’s a barrier intended to prevent undesired access to computer and network resources: it keeps those outside your network out, and keeps those inside your network compliant with company policies on network use. In Chapter 1, we mentioned using firewalls to block or open access to different TCP/IP protocols as a means of controlling access to resources. For example, if you want to allow selected users to surf the web but not allow Internet access to others, you could set up the firewall to allow only port 80 and 443 connections from those users’ workstations outbound to the Internet. When a firewall is protecting an entire network, it is normally a separate system that is not used for any other task on the network. It may be an ordinary PC running specialized software, or a customized hardware ‘box’ manufactured specifically to provide firewall functions.

Is there anything else a firewall can do for the network? In addition to providing access control based on port numbers and source/destination address, firewalls can provide other functionality such as:

  • Access control based on time of day or an authenticated user ID, allowing access to a service only during certain times of the day or by certain user IDs, and disallowing it at other times or for other users

  • Session logging, useful for tracking connection utilization

  • Intrusion detection and notification (and optionally, network reconfiguration in response to an intrusion)

Additionally, some provide a facility known as Network Address Translation, or NAT. Most commonly, this feature allows computers on your internal, non-Internet-addressable network to gain access to the Internet, by automatically translating internal network addresses to external network addresses.

The benefit of this is that your internal IP numbers are not known or accessed by Internet hosts.

Any internal nodes, for which NAT is not performed, are effectively isolated from the Internet (unless, of course, someone compromises one of your internal systems and uses that as a springboard to get to other internal systems).

There are two main types of enterprise network firewalls: application-level and network-level (sometimes called circuit level). Each has its advantages and disadvantages, as we’ll see in the upcoming sections.


Firewalls protect the network and its computers from unauthorized access. They are usually placed between the Internet and a company’s internal network, and can be used to:

  • Block connections from internal hosts to the Internet.

  • Block connections from Internet hosts to services on internal machines.

Firewalls can restrict access based on many criteria, such as TCP/IP port number, source address, destination address, time of day and, for application-level firewalls, authenticated user ID.

Figure 27: Firewalls can utilize a complex set of formulas. This example is denying FTP.
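To make the rule types discussed in this section concrete (port and address filtering, time-of-day and user-ID restrictions, session logging, and a default deny such as the FTP rule in Figure 27), here is an added toy rule evaluator in Python. It is constructed illustration code, not from the CertiGuide or any real firewall product; the addresses, the user ID and the rule set are assumptions.

```python
"""Toy packet-filter rule evaluator (constructed example, not a real firewall)."""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional

@dataclass
class Connection:
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: int                   # destination TCP port (80 = HTTP, 443 = HTTPS, 21 = FTP)
    at: time                     # time of day the connection was attempted
    user: Optional[str] = None   # authenticated user ID, when the firewall knows it

@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    src: Optional[str] = None            # CIDR source network; None matches any source
    dport: Optional[int] = None          # destination port; None matches any port
    user: Optional[str] = None           # authenticated user ID; None matches anyone
    start: Optional[time] = None         # time-of-day window [start, end); None means always
    end: Optional[time] = None

    def matches(self, c: Connection) -> bool:
        if self.src and ipaddress.ip_address(c.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and c.dport != self.dport:
            return False
        if self.user is not None and c.user != self.user:
            return False
        if self.start is not None and not (self.start <= c.at < (self.end or time.max)):
            return False
        return True

# Constructed rule set (assumed addresses and user ID): first match wins,
# and anything that matches no rule is denied.
RULES = [
    Rule("deny", dport=21),                          # deny FTP from anyone, as in Figure 27
    Rule("allow", src="10.0.0.0/24", dport=80),      # web surfing only from the selected workstations
    Rule("allow", src="10.0.0.0/24", dport=443),
    Rule("allow", user="jsmith", dport=22, start=time(8), end=time(18)),  # one user, business hours only
]

SESSION_LOG: List[str] = []   # session logging: one line per decision

def evaluate(c: Connection, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a connection and record the decision."""
    decision = "deny"   # default deny when no rule matches
    for rule in rules:
        if rule.matches(c):
            decision = rule.action
            break
    SESSION_LOG.append(f"{c.at.isoformat()} {c.src}->{c.dst}:{c.dport} user={c.user} {decision}")
    return decision
```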


263. American Heritage Dictionary of the English Language, Fourth Edition, Houghton Mifflin Company, 2000.


CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.