Re: hardware firewall
From: Gregory W Zill (gregory_at_r3g.net)
Date: 12/01/04
- Previous message: Gregory W Zill: "Re: New DMZ Questions"
- In reply to: CZ: "Re: hardware firewall"
- Next in thread: Arthur Hagen: "Re: hardware firewall"
- Reply: Arthur Hagen: "Re: hardware firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Nov 2004 22:38:26 -0600
CZ wrote:
> In general, a useful overview of different firewall techniques:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;321050
>
> Most firewalls use two or more of the following techniques:
> . Packet filters: A packet filter looks at each packet that enters or leaves
> the network and accepts or rejects the packet based on user-defined rules.
> Packet filtering is fairly effective and transparent, but it is difficult to
> configure. In addition, it is susceptible to IP spoofing.
> . Application gateway: An application gateway applies security mechanisms to
> specific programs such as FTP and Telnet. This technique is very effective,
> but can cause performance degradation.
> . Circuit-layer gateway: This technique applies security mechanisms when a
> Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
> connection is established. After the connection has been established,
> packets can flow between the hosts without further checking.
> . Proxy server: A proxy server intercepts all messages [for specific
> protocols] that enter and leave the network. The proxy server effectively
> hides the true network addresses.
> . Application proxies: Application proxies have access to the whole range of
> information in the network stack. This permits the proxies to make decisions
> based on basic authorization (the source, the destination, and the
> protocol), and also to filter offensive or disallowed commands in the data
> stream. Application proxies are "stateful," meaning that they keep the
> "state" of connections inherently. The Internet Connection Firewall feature
> that is included in Windows XP is a "stateful" firewall, as well as Windows
> Firewall. Windows Firewall is included in Windows XP Service Pack 2 (SP2).
>
There is a lot of heady info here in this whole RE: hardware firewall thread.
I think of a hardware firewall (HF) as a device straddling two networks or
subnets. The HF software is placed in the network stack and implements
rules. The HF itself performs NAT and routing. The HF can also provide proxy
services to enforce the RFC of whichever protocol.
I think of a software firewall (SF) as a stripped-down version of the HF.
There is only one network available to the host, so this occupies the
network stack and creates networks within the 127.0.0.x system. The SF
has to make use of spare localhost addresses and intercepts the packets
there to apply whatever rules are in force. The SF host does not usually
provide a proxy.
There is naturally no passage between separate networks in the HF, so
the HF must provide that access. The SF firewall is already compromised,
so to speak, and just shuffles the packets on the host network stack.
How hard the rules or the actual software is in either case is
subjective. The best defense is layers, and so if a HF were implemented
in, say, Linux for a Windoze or heterogeneous network, I would think that
would be very good.
--
"Never have so many understood so little about so much."
-- James Burke
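As an added illustration (not part of the original messages in this thread), the following Python sketch models the device described above: a firewall straddling a LAN interface and a WAN interface that applies rules, keeps connection state and performs source NAT. The interface names eth0/eth1, the 192.168.1.0/24 subnet, the public address 203.0.113.5, the allowed ports and the traffic built in demo() are all assumptions constructed for the example. It shows why replies to an outbound connection come back in without any inbound rule, why a packet arriving on the outside interface with an inside source address is treated as spoofed, and that the rule set is consulted only when a flow is created, after which packets of that flow ride on the tracked state.

```python
"""Toy stateful packet filter with source NAT on a box straddling two networks.

Constructed example: interface names, addresses and ports are assumptions,
not taken from the thread. Replies to tracked flows are let back in without
any inbound rule; unsolicited, spoofed and disallowed traffic is dropped.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN_IF, WAN_IF = "eth0", "eth1"            # assumed interface names
LAN_NET = ip_network("192.168.1.0/24")     # assumed internal subnet
WAN_ADDR = "203.0.113.5"                   # assumed public address we NAT behind


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrived on
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


class StatefulNatFirewall:
    """Rules + connection tracking + SNAT, as a hardware firewall would do."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.flows = {}     # (proto, lan_src, sport, dst, dport) -> nat_port
        self.reverse = {}   # (proto, remote, rport, nat_port) -> (lan_src, sport)
        self.next_port = 40000

    def _spoofed(self, pkt):
        # Reverse-path sanity check: a LAN address must never arrive on the
        # WAN side, and only LAN addresses may be sources on the LAN side.
        internal = ip_address(pkt.src) in LAN_NET
        return internal if pkt.iface == WAN_IF else not internal

    def process(self, pkt):
        """Return (verdict, packet as forwarded or None)."""
        if self._spoofed(pkt):
            return "DROP", None
        return self._outbound(pkt) if pkt.iface == LAN_IF else self._inbound(pkt)

    def _outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.flows.get(key)
        if nat_port is None:
            # New flow: the rules are consulted only here; later packets of
            # the same flow ride on the tracked state (circuit-level idea).
            if pkt.proto == "tcp" and not pkt.syn:
                return "DROP", None     # mid-stream TCP with no state: invalid
            if pkt.dport not in self.allowed_dports:
                return "DROP", None
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.flows[key] = nat_port
            self.reverse[(pkt.proto, pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        # SNAT: the internal address is hidden behind the firewall's public one
        return "ACCEPT", replace(pkt, iface=WAN_IF, src=WAN_ADDR, sport=nat_port)

    def _inbound(self, pkt):
        orig = self.reverse.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if pkt.dst != WAN_ADDR or orig is None:
            return "DROP", None         # unsolicited: no tracked flow matches
        lan_src, sport = orig
        # Un-NAT the reply and hand it to the internal host that started the flow
        return "ACCEPT", replace(pkt, iface=LAN_IF, dst=lan_src, dport=sport)


def demo():
    """Run constructed traffic through the firewall; returns name -> (verdict, pkt)."""
    fw = StatefulNatFirewall(allowed_dports={53, 80, 443})
    remote = "198.51.100.7"
    results = {}
    syn = Packet(LAN_IF, "tcp", "192.168.1.10", 51000, remote, 443, syn=True)
    results["outbound_syn"] = fw.process(syn)            # ACCEPT, SNATed
    nat_port = results["outbound_syn"][1].sport
    reply = Packet(WAN_IF, "tcp", remote, 443, WAN_ADDR, nat_port)
    results["reply"] = fw.process(reply)                 # ACCEPT, un-NATed
    data = Packet(LAN_IF, "tcp", "192.168.1.10", 51000, remote, 443)
    results["outbound_data"] = fw.process(data)          # ACCEPT via state
    results["unsolicited"] = fw.process(
        Packet(WAN_IF, "tcp", remote, 443, WAN_ADDR, nat_port + 1, syn=True))  # DROP
    results["spoofed"] = fw.process(
        Packet(WAN_IF, "tcp", "192.168.1.10", 51000, "192.168.1.20", 22, syn=True))  # DROP
    results["telnet"] = fw.process(
        Packet(LAN_IF, "tcp", "192.168.1.10", 51001, remote, 23, syn=True))   # DROP
    return results


if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name:14s} {verdict:6s} {pkt}")
```

Run it directly to print the verdict for each constructed packet. On a real Linux firewall the same three pieces are the connection-tracking module, a SNAT or MASQUERADE rule on the WAN interface, and an explicit anti-spoofing (reverse-path) rule; the toy deliberately omits what production code must add, above all flow timeouts and TCP state validation beyond the initial SYN.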