CertiGuide to Security+
Chapter 3: Infrastructure Security (Domain 3.0; 20%)
3.1 Devices
3.1.1 Firewalls


Network-Level Firewalls

Network-level firewalls work at the individual packet level, inspecting specific header fields within each packet and comparing them with user-defined rules that determine whether or not the traffic is allowed through the firewall. Typically the rules consider some combination of the IP protocol number, the packet’s source and destination addresses, and the source and destination TCP/UDP port numbers. Each rule either “allows” or “denies” traffic matching those fields, and a packet is judged by the first rule it matches. For example, you might “deny” incoming connections to your company’s FTP server from every Internet address except those belonging to certain collaborators. Or you might “deny” all incoming connections to your network on the port commonly used by SQL Server.

Unlike application-level firewalls, network-level firewalls are transparent to workstations on the network: no configuration changes are needed on hosts when a strictly network-level firewall is deployed or its rules are tuned. The downside is that, unlike with an application-level firewall, direct TCP/IP connections between external Internet hosts and internal systems are permitted. Your network’s security could therefore be compromised if a weakness in the lower layers of the TCP/IP stack on any of your workstations were discovered and exploited by someone on the Internet.

With an application-level firewall, since packets are recreated on the firewall before being directed to internal hosts, only the firewall itself is likely to be susceptible to attacks that take advantage of flaws in the lowest levels of a TCP/IP stack.

There are two varieties of network-level firewalls: packet filters, and stateful packet inspection firewalls.

Network-Level Firewalls

Network-level firewalls inspect packets as they travel by on the network, comparing them with user-defined rules that determine whether the traffic is allowed. Any unauthorized packets are blocked.

Pros: Transparent to network clients, faster than application-level firewalls

Cons: Direct TCP/IP connections between “inside” and “outside” hosts are permitted (allows for potential low-level TCP/IP attacks), can’t perform protocol-specific validation to the level of an application-level firewall

The two types of network-level firewalls are packet filters and stateful packet inspection firewalls.


Packet filters are the simplest firewall technology. They examine each packet going across the firewall’s network interface(s) individually, and compare it to the known rules on the firewall.

Because packet filters do very little processing, they tend to be the fastest type of firewall. The price of that speed is reduced functionality: unlike application-level and stateful inspection firewalls, a packet filter does not look at a packet in the context of the conversation it belongs to, so it cannot tell a legitimate reply from an unsolicited packet crafted to look like one.

Packet Filter Firewall

A packet filter is a network-level firewall that examines each network packet individually, and decides based on the contents of the single packet alone, whether to allow it through.


Stateful packet inspection firewalls take the idea of packet filtering one step further, by considering the “state” of the connection when a packet is inspected, when determining whether or not to allow the packet through.

A stateful packet inspection firewall keeps track of all active and pending network connections through the firewall. It knows which side (external host or internal host) initiated a particular connection, the status of that connection, and possibly a bit about the expected packet contents for conversations using application-level protocols like SMTP or FTP, plus the standard packet-filtering details known by stateless network-level firewalls.

By knowing connection status, a stateful packet inspection firewall is better able to protect the network from packets with spoofed addresses trying to masquerade as legitimate packets in that conversation. The tradeoff is that configuration of rules for this type of network-level firewall can be more complex than for simple packet filters.

Stateful Inspection Firewall

Stateful packet inspection firewalls are a type of network-level firewall that keeps track of open network connections and examines each packet in the context of the conversation it is part of when determining whether to allow the packet into the network.
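The following simulation is an added example, not code from the CertiGuide text, and it ties together the three ideas above: the first-match allow/deny rules described for network-level firewalls (the FTP-collaborator and SQL-port rules), a stateless packet filter that judges every packet on its own, and a stateful inspection firewall that keeps a connection table. The addresses (192.0.2.0/24 as the company LAN, 192.0.2.10 as the FTP server, 198.51.100.0/24 as the collaborator's network, 203.0.113.0/24 as "the Internet") are assumed documentation ranges, and 1433 is assumed as the SQL Server port. The stateless filter is given an "established" rule (allow inbound TCP with the ACK bit set) because that is the conventional way a stateless filter lets replies to outbound connections back in; that rule is an assumption of the example, not something the page states, and it is exactly the hole the spoofed packet walks through.

```python
"""Stateless packet filter vs. stateful inspection, as a runnable toy model.

Added example (not CertiGuide's code). Everything below is constructed:
addresses are RFC 5737 documentation ranges and packets are hand-built.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False        # match only packets carrying ACK (stateless "reply" rule)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or "ACK" in p.flags))


def packet_filter(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Stateless filter: first matching rule wins, judged on this one packet alone."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Same new-connection rules, plus a table of conversations seen to start."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table = set()           # 5-tuples of connections that were allowed to open

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reply_key(p) in self.table:
            return "allow"           # belongs to a conversation we watched open
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "deny"            # claims to be mid-connection, but we never saw it start
        action = packet_filter(self.rules, p)
        if action == "allow":
            self.table.add(self._key(p))
        return action


INTERNAL = "192.0.2.0/24"            # assumed: the company LAN
FTP_SERVER = "192.0.2.10/32"         # assumed: the company FTP server
COLLAB = "198.51.100.0/24"           # assumed: the collaborator's network
SQL_PORT = 1433                      # assumed: SQL Server's usual port

RULES = [
    Rule("allow", "tcp", src=COLLAB, dst=FTP_SERVER, dport=21),   # collaborators may reach FTP
    Rule("deny", "tcp", dst=FTP_SERVER, dport=21),                # nobody else may
    Rule("deny", "tcp", dst=INTERNAL, dport=SQL_PORT),            # no inbound SQL Server at all
    Rule("allow", src=INTERNAL),                                  # anything leaving the LAN
    Rule("allow", "tcp", dst=INTERNAL, established=True),         # stateless reply rule (the hole)
]


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Return {packet name: (stateless verdict, stateful verdict)} for a constructed trace."""
    stateful = StatefulFirewall([r for r in RULES if not r.established])  # table replaces the hole
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [  # order matters: the reply is seen after the connection it answers
        ("collab_ftp", Packet("tcp", "198.51.100.7", 51000, "192.0.2.10", 21, syn)),
        ("stranger_ftp", Packet("tcp", "203.0.113.9", 51001, "192.0.2.10", 21, syn)),
        ("sql_probe", Packet("tcp", "203.0.113.9", 51002, "192.0.2.20", SQL_PORT, syn)),
        ("outbound_web", Packet("tcp", "192.0.2.50", 40000, "203.0.113.5", 80, syn)),
        ("web_reply", Packet("tcp", "203.0.113.5", 80, "192.0.2.50", 40000, synack)),
        ("spoofed_reply", Packet("tcp", "203.0.113.66", 80, "192.0.2.50", 3389, ack)),
    ]
    return {name: (packet_filter(RULES, p), stateful.inspect(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} stateless={stateless:5s} stateful={stateful}")
```

The first five packets get the same verdict from both firewalls, which is the point of the pros list above: a stateless filter is cheap and handles plain allow/deny by address and port perfectly well. The last packet is an unsolicited ACK from an outside host to an internal workstation's RDP port, dressed up as a reply from a web server. The stateless filter has no memory of which connections exist, so its reply rule lets it through; the stateful firewall finds no matching entry in its connection table and drops it.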





CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.