Network-level firewalls work at the individual packet level, inspecting specific fields within each packet and comparing them with user-defined rules that determine whether or not the traffic should be allowed through the firewall. The rules typically take into account any combination of the IP protocol number, the packet's source address, destination address, and source and destination TCP/UDP port numbers, and each rule either allows or denies access for an address (or subnet). For example, you might wish to deny incoming connections to your company's FTP server from all IP addresses on the Internet except those belonging to certain collaborators. Or, you might want to deny all incoming connections to your network on the commonly used SQL Server port.
Unlike application-level firewalls, network-level firewalls are transparent to workstations on the network. No configuration changes are necessary on hosts when implementing or fine-tuning the rules on a strictly network-level firewall. On the downside, unlike with application-level firewalls, direct TCP/IP connections between external Internet hosts and internal systems are permitted. This means that your network's security could be compromised if a weakness in the lower levels of TCP/IP on any of your workstations were to be discovered and exploited by someone out on the Internet.
With an application-level firewall, since packets are recreated on the firewall before being directed to internal hosts, only the firewall itself is likely to be susceptible to attacks that take advantage of flaws in the lowest levels of a TCP/IP stack.
There are two varieties of network-level firewalls: packet filters, and stateful packet inspection firewalls.
Packet filters are the simplest firewall technology. They examine each packet crossing the firewall's network interface(s) individually, and compare it to the rules configured on the firewall.
Because packet filters typically do little processing, they tend to be the fastest type of firewall. However, with increased speed comes less functionality: unlike application and stateful inspection firewalls, a packet filter does not look at each packet in the context of the conversation in which it is occurring.
Stateful packet inspection firewalls take the idea of packet filtering one step further: when a packet is inspected, the state of the connection it belongs to is taken into account in determining whether or not to allow the packet through.
A stateful packet inspection firewall keeps track of all active and pending network connections through the firewall. It knows which side (external host or internal host) initiated a particular connection, the status of that connection, and possibly a bit about the expected packet contents for conversations using application-level protocols like SMTP or FTP, plus the standard packet-filtering details known by stateless network-level firewalls.
By knowing connection status, a stateful packet inspection firewall is better able to protect the network from packets with spoofed addresses trying to masquerade as legitimate packets in that conversation. The tradeoff is that configuration of rules for this type of network-level firewall can be more complex than for simple packet filters.
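The following Python simulation is an added example, not code from the CertiGuide text, and it illustrates both the packet-filter rules described above (the FTP and SQL Server examples) and the difference between stateless and stateful inspection. All addresses are constructed from the RFC 5737 documentation ranges, the rule set and the `Packet`, `Rule` and `StatefulFirewall` names are assumptions made for the example, and the "established" rule used by the stateless filter is the common approximation of checking the TCP ACK flag. The interesting case is the spoofed "reply": a packet that claims to belong to an internal host's conversation but does not match any tracked connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "192.168.1.0/24"       # constructed internal subnet
FTP_SERVER = "192.168.1.10/32"    # constructed FTP server address
COLLABORATORS = "203.0.113.0/24"  # constructed collaborator subnet (RFC 5737)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN: set on the packet that opens a connection
    ack: bool = False   # TCP ACK: set on every packet after the opening SYN


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule: any field left as None matches everything."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR notation
    dst: Optional[str] = None        # CIDR notation
    dport: Optional[int] = None
    established: Optional[bool] = None   # match on the ACK flag (stateless approximation)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established is not None and p.ack != self.established:
            return False
        return True


# Rules shared by both firewalls: first match wins, default deny.
BASE_RULES = [
    Rule("allow", "tcp", src=COLLABORATORS, dst=FTP_SERVER, dport=21),  # collaborators may use FTP
    Rule("deny", "tcp", dst=FTP_SERVER, dport=21),                      # nobody else may
    Rule("deny", "tcp", dst=INTERNAL, dport=1433),                      # block SQL Server port
    Rule("allow", src=INTERNAL),                                        # anything initiated from inside
]


def packet_filter(rules, p: Packet, default: str = "deny") -> str:
    """Stateless filter: every packet is judged in isolation against the rule list."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Keeps a table of tracked connections; mid-stream packets pass only if they match one."""

    def __init__(self, rules, internal: str):
        self.rules = rules
        self.internal = ip_network(internal)
        self.table = {}   # 5-tuple of the initiating packet -> connection state

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> str:
        for key in (self._key(p), self._reverse(p)):
            if key in self.table:               # part of a known conversation
                if p.ack:
                    self.table[key]["state"] = "ESTABLISHED"
                return "allow"
        # Not tracked: a TCP packet that is not a clean SYN cannot legitimately start a conversation,
        # so a spoofed "reply" is dropped here regardless of the rules.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"
        if packet_filter(self.rules, p) == "allow":
            side = "internal" if ip_address(p.src) in self.internal else "external"
            self.table[self._key(p)] = {"initiator": side, "state": "SYN_SENT"}
            return "allow"
        return "deny"


def run_scenario():
    """Constructed traffic; returns {name: (stateless verdict, stateful verdict)}."""
    stateless_rules = BASE_RULES + [Rule("allow", "tcp", dst=INTERNAL, established=True)]
    stateful = StatefulFirewall(BASE_RULES, INTERNAL)
    packets = {   # order matters: the reply and the spoof follow the outbound SYN
        "outbound_syn": Packet("tcp", "192.168.1.20", "198.51.100.5", 40000, 80, syn=True),
        "reply_synack": Packet("tcp", "198.51.100.5", "192.168.1.20", 80, 40000, syn=True, ack=True),
        "spoofed_reply": Packet("tcp", "198.51.100.99", "192.168.1.20", 80, 40000, ack=True),
        "collab_ftp": Packet("tcp", "203.0.113.7", "192.168.1.10", 51000, 21, syn=True),
        "outsider_ftp": Packet("tcp", "198.51.100.5", "192.168.1.10", 51001, 21, syn=True),
        "outsider_sql": Packet("tcp", "198.51.100.5", "192.168.1.30", 51002, 1433, syn=True),
    }
    return {name: (packet_filter(stateless_rules, p), stateful.inspect(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} stateless={stateless:5s} stateful={stateful}")
```

Both firewalls agree on the FTP and SQL Server cases, because those decisions depend only on fields visible in a single packet. They differ on the spoofed reply: the stateless filter has to admit inbound packets with the ACK flag set so that genuine replies to outbound connections get through, and a forged packet with that flag set looks identical to it. The stateful firewall consults its connection table instead, finds no conversation with that source address, and drops the packet. The cost is the extra bookkeeping and the more involved rule semantics the text mentions.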
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.