Companies such as Cisco and other major vendors have introduced a multitude of firewall products that are capable of monitoring traffic using different techniques. Some of today's firewalls can inspect data packets up to Layer 4 (TCP layer). Others can inspect all layers (including the higher layers) and are referred to as deep packet firewalls. This section defines and explains these firewalls.
The three types of inspection methodologies are as follows:
1. Packet Filtering and Stateless Filtering Firewall
Packet filters (basic access-list filters on routers) are now easy to break, hence the introduction of proxy servers, which limit attacks to a single device. A proxy server sits between a client application, such as a web browser, and a real server. It intercepts all requests to the real server and checks whether it can fulfill them itself; if not, it forwards the request to the real server. A proxy requests a connection to the Internet on behalf of internal or hidden resources. Proxy servers are application based, slow, and difficult to manage in large IP networks. The next generation of packet filter is the stateless firewall. Basically, a stateless firewall permits only packets from trusted networks, deciding on the source's address and port.
A stateless firewall was introduced to add more flexibility and scalability to network configuration. A stateless firewall inspects network information based on source and destination address. Figure 2-1 illustrates the inspection depth of a packet filter or stateless firewall. Packets are inspected up to Layer 3 of the OSI model, which is the network layer. Therefore, stateless firewalls are able to inspect source and destination IP addresses and protocol source and destination ports.
Figure 2-1. Stateless Firewall and Packet Filtering Firewall
2. Stateful Filtering Firewall
A stateful firewall limits network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port. Stateful firewalls can also inspect data content and check for protocol anomalies. For example, a stateful firewall is much better equipped than a proxy filter or packet filter to detect and stop a denial-of-service attack. A proxy filter or packet filter is ill-equipped and incapable of detecting such an attack: because the source and destination addresses are valid, it permits the data through whether it is legitimate or an attempted hack into the network. Figure 2-2 illustrates the inspection depth of a stateful firewall. Packets are inspected up to Layer 4 of the OSI model, which is the transport layer. Therefore, stateful firewalls are able to inspect protocol anomalies.
Figure 2-2. Stateful Firewall
3. Deep Packet Layer Inspection Firewall
With deep packet layer inspection, the firewall inspects network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port. It also inspects protocol conformance, checks for application-based attacks, and ensures integrity of the data flow between any TCP/IP devices. The Cisco Intrusion Detection System (IDS) and NetScreen firewall products support deep packet layer inspection. The Cisco PIX Firewall supports stateless and stateful operation, depending on your product. Please refer to the Cisco website for the specific support for your product. Figure 2-3 displays how a device inspects packets with deep packet layer inspection.
Figure 2-3. Deep Packet Layer Firewall
NOTE
At the time of this writing, the Cisco PIX Firewall did not support deep packet layer inspection. The NetScreen firewall products are capable of deep packet layer inspection and support this method only in hardware-based ASIC chips.
Figure 2-3 displays how a deep packet layer device inspects packets to
- Ensure that the packets conform to the protocol.
- Ensure that the packets conform to specifications.
- Ensure that the packets are not application attacks.
- Police integrity check failures.
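As an added illustration, not from the book or any vendor's code, the following Python model puts the three inspection depths side by side on constructed traffic. It assumes a single hypothetical policy (inside host 10.0.0.5 may open TCP/80 to outside host 203.0.113.10) and a deliberately simplified TCP state table with no sequence tracking or teardown; the "unsolicited" packet shows why a header-only filter passes traffic that a stateful firewall drops, and the "malformed" request shows what protocol-conformance checking adds on top of state.

```python
from collections import namedtuple

# A packet is just the header fields the firewalls look at, plus any application payload.
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=(b"",))

# Assumed policy (hypothetical addresses): the inside host may open TCP/80 to the outside host.
INSIDE, OUTSIDE = "10.0.0.5", "203.0.113.10"

def stateless_permit(pkt):
    """Packet filter (Figure 2-1): header fields only, no memory of earlier packets."""
    outbound = pkt.src == INSIDE and pkt.dst == OUTSIDE and pkt.dport == 80
    inbound = pkt.src == OUTSIDE and pkt.sport == 80 and pkt.dst == INSIDE
    return outbound or inbound

class StatefulFilter:
    """Stateful firewall (Figure 2-2): inbound packets must belong to an inside-initiated flow."""
    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of connections opened from inside

    def permit(self, pkt):
        if not stateless_permit(pkt):
            return False
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src == INSIDE and pkt.flags == "S":
            self.flows.add(flow)  # inside host opens a connection; remember it
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return flow in self.flows or reverse in self.flows

def deep_permit(filt, pkt):
    """Deep packet inspection (Figure 2-3): stateful check plus HTTP request-line conformance."""
    if not filt.permit(pkt):
        return False
    if pkt.payload and pkt.dport == 80:
        parts = pkt.payload.split(b"\r\n", 1)[0].split(b" ")
        return len(parts) == 3 and parts[0] in {b"GET", b"HEAD", b"POST"} and parts[2] in {b"HTTP/1.0", b"HTTP/1.1"}
    return True

def run_demo():
    """Constructed traffic; returns {name: (stateless, stateful, deep)} permit verdicts."""
    sf, df = StatefulFilter(), StatefulFilter()
    traffic = [
        ("syn", Packet(INSIDE, 50000, OUTSIDE, 80, "S")),
        ("synack", Packet(OUTSIDE, 80, INSIDE, 50000, "SA")),
        ("request", Packet(INSIDE, 50000, OUTSIDE, 80, "PA", b"GET / HTTP/1.1\r\nHost: h\r\n\r\n")),
        ("unsolicited", Packet(OUTSIDE, 80, INSIDE, 51000, "PA", b"\x90" * 8)),  # valid addresses, no flow
        ("malformed", Packet(INSIDE, 50000, OUTSIDE, 80, "PA", b"GET /\x00\x01 junk\r\n")),
    ]
    return {n: (stateless_permit(p), sf.permit(p), deep_permit(df, p)) for n, p in traffic}
```

Calling run_demo() returns the verdict triple per packet; only the stateful and deep filters reject the unsolicited inbound packet, and only the deep filter rejects the malformed request.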