TYPES
Conceptually, there are two types of firewalls:
1. Network layer
2. Application layer
They are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear if either one is "better" or "worse." As always, you need to be careful to pick the type that meets your needs.
Which is which depends on what mechanisms the firewall uses to pass traffic from one security zone to another.
The International Standards Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services that "higher-level" layers depend on. In order from the bottom, these layers are physical, data link, network, transport, session, presentation, application.
The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform. Generally speaking, lower-level firewalls are faster, but are easier to fool into doing the wrong thing.
Network layer firewalls
These generally make their decisions based on the source and destination addresses and ports in individual IP packets. A simple router is the "traditional" network layer firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One important distinction about many network layer firewalls is that they route traffic directly through them, so to use one you either need to have a validly assigned IP address block or to use a "private internet" address block. Network layer firewalls tend to be very fast and tend to be very transparent to users.
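The difference between a header-only router ACL and a firewall that keeps connection state is easiest to see on concrete packets. The following toy packet filter is an added illustration, not code from the page: the rules, the address block 10.0.0.0/24 for the protected network, and the three sample packets are all constructed. Both filters apply the same policy (inside hosts may reach outside web servers, and replies may come back); only the stateful one can tell a genuine reply from an unsolicited packet that merely carries the ACK flag and source port 80, which is exactly the "easier to fool" failure mode described above.

```python
"""Toy packet filter: stateless vs stateful decisions on the same packets.

Added illustration, not code from the page.  Addresses, rules and packets
are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed address block of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_decision(pkt: Packet) -> str:
    """Header-only filter, like a 'traditional' router ACL.

    Policy: inside hosts may open connections to port 80 anywhere; packets from
    outside are accepted only if they look like web replies (source port 80,
    ACK set).  The filter has no way to know whether a reply was ever solicited.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return "ACCEPT"
    if (not is_inside(pkt.src) and is_inside(pkt.dst)
            and pkt.sport == 80 and "ACK" in pkt.flags):
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Same policy, but inbound packets must match a connection an inside host opened."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) of known connections
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags:
                self.table.add(key)       # a new outbound connection is being opened
                return "ACCEPT"
            return "ACCEPT" if key in self.table else "DROP"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if key in self.table else "DROP"
        return "DROP"


# Constructed sample traffic: an outbound web connection, its reply, and an
# unsolicited inbound packet that carries the ACK flag and source port 80.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", 40000, 80, frozenset({"SYN"})),
    Packet("203.0.113.9", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.7", "10.0.0.8", 80, 22, frozenset({"ACK"})),
]


def run(packets):
    """Return (stateless, stateful) decisions for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_decision(p), sf.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a}  stateful={b}")
```

The third packet is where the two diverge: the stateless filter accepts it because the header fields match its "reply" rule, while the stateful filter drops it because no inside host ever opened a connection to 198.51.100.7. The state table is also why the stateful filter is the slower of the two: every inbound packet costs a lookup, and the table has to be created, aged and bounded in a real product.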
[Figure 1: Screened Host Firewall]
[Figure 2: Screened Subnet Firewall]
Example network layer firewall: In figure 2, a network layer firewall called a "screened subnet firewall" is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at the network layer. It is similar to a screened host, except that it is, effectively, a network of screened hosts.
Application layer firewalls
These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way may in some cases impact performance and may make the firewall less transparent. Early application layer firewalls, such as those built using the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Modern application layer firewalls are often fully transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.
Example application layer firewall: In figure 3, an application layer firewall called a "dual homed gateway" is represented. A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.
The future of firewalls lies somewhere between network layer firewalls and application layer firewalls. It is likely that network layer firewalls will become increasingly "aware" of the information going through them, and application layer firewalls will become increasingly "low level" and transparent. The end result will be a fast packet-screening system that logs and audits data as it passes through. Increasingly, firewalls (network and application layer) incorporate encryption so that they may protect traffic passing between them over the Internet. Firewalls with end-to-end encryption let organizations with multiple points of Internet connectivity use the Internet as a "private backbone" without worrying about their data or passwords being sniffed.