Network firewall - Revision history

Jackieburkhart at 19:44, 9 January 2010

2010-01-09T19:44:10Z

← Older revision		Revision as of 19:44, 9 January 2010
Line 74:		Line 74:
	:* The interface the packet arrives on		:* The interface the packet arrives on
	:* The interface the packet will go out on		:* The interface the packet will go out on
-		+	:* [http://www.rushessay.com/custom_essay.php write my essay]
	And finally, a IP packet filtering firewall will keeps track of packets that it has seen knows some useful historical fact, such as:		And finally, a IP packet filtering firewall will keeps track of packets that it has seen knows some useful historical fact, such as:
	:* Whether this packet appears to be a response to another packet, which means its source was the destination of a recent packet and it destination is the source of that other packet.		:* Whether this packet appears to be a response to another packet, which means its source was the destination of a recent packet and it destination is the source of that other packet.

Fulx: /* Time-stamped Signature */

2009-04-12T10:03:17Z

Time-stamped Signature

← Older revision		Revision as of 10:03, 12 April 2009
Line 261:		Line 261:

	==Time-stamped Signature==		==Time-stamped Signature==
-	[[User:Fulx\|Fulx]] 03:02, 12 April 2009 (EDT)	+	[[User:Fulx\|Fulx]] 06:03, 12 April 2009 (EDT)

Fulx: /* Screened host */

2009-04-12T10:02:11Z

Screened host

← Older revision		Revision as of 10:02, 12 April 2009
Line 186:		Line 186:
	===Screened host===		===Screened host===
	[[image:ScreenedHost.JPG\|thumb\|right\|350px\|Figure 6 - Screened Host Architecture]]		[[image:ScreenedHost.JPG\|thumb\|right\|350px\|Figure 6 - Screened Host Architecture]]
-	Figure 6 shows a simple version of screened host architecture. The [[Network firewall#~~bastion host~~\|bastion host]] sits on the internal network. The packet filtering on the screening router is set up in such way that [[Network firewall#~~bastion host~~\|bastion host]] is the only system on the internal network that hosts on the Internet can open connection. On another hand, any external system trying to access internal system will have to connect to this host. This allows site administrator to monitor and control the information flow between site and Internet.	+	Figure 6 shows a simple version of screened host architecture. The [[Network firewall#Bastion Host\|bastion host]] sits on the internal network. The packet filtering on the screening router is set up in such way that [[Network firewall#Bastion Host\|bastion host]] is the only system on the internal network that hosts on the Internet can open connection. On another hand, any external system trying to access internal system will have to connect to this host. This allows site administrator to monitor and control the information flow between site and Internet.
	The packet filtering router on screened host architecture is normally configured to do one of the following:		The packet filtering router on screened host architecture is normally configured to do one of the following:
	:* Allow other internal hosts to open connections to hosts on the Internet for certain service		:* Allow other internal hosts to open connections to hosts on the Internet for certain service
Line 192:		Line 192:
	Hence, this architecture is more flexible than dual-homed host, since it may allow direct connection from internal host to external host, where dual-home host architecture is not, but also introduced more risk, as if the router is compromised, the entire network is available to an attacker.		Hence, this architecture is more flexible than dual-homed host, since it may allow direct connection from internal host to external host, where dual-home host architecture is not, but also introduced more risk, as if the router is compromised, the entire network is available to an attacker.

-	Unlike previous architecture, screened-host can provide Internet services to other hosts on Internet through [[Network firewall#~~bastion host~~\|bastion host]], in practice, a screened host architecture is appropriate when:	+	Unlike previous architecture, screened-host can provide Internet services to other hosts on Internet through [[Network firewall#Bastion Host\|bastion host]], in practice, a screened host architecture is appropriate when:
	:* Easy [[Web Services\|web services]], means few connections are coming from the Internet (in particular, it is not an appropriate architecture if the screened host is a public web server).		:* Easy [[Web Services\|web services]], means few connections are coming from the Internet (in particular, it is not an appropriate architecture if the screened host is a public web server).
	:* The network being protected has a relatively high level of host security.[1:126]		:* The network being protected has a relatively high level of host security.[1:126]

Fulx: /* Screened host */

2009-04-12T10:01:17Z

Screened host

← Older revision		Revision as of 10:01, 12 April 2009
Line 186:		Line 186:
	===Screened host===		===Screened host===
	[[image:ScreenedHost.JPG\|thumb\|right\|350px\|Figure 6 - Screened Host Architecture]]		[[image:ScreenedHost.JPG\|thumb\|right\|350px\|Figure 6 - Screened Host Architecture]]
-	Figure 6 shows a simple version of screened host architecture. The bastion host sits on the internal network. The packet filtering on the screening router is set up in such way that bastion host is the only system on the internal network that hosts on the Internet can open connection. On another hand, any external system trying to access internal system will have to connect to this host. This allows site administrator to monitor and control the information flow between site and Internet.	+	Figure 6 shows a simple version of screened host architecture. The [[Network firewall#bastion host\|bastion host]] sits on the internal network. The packet filtering on the screening router is set up in such way that [[Network firewall#bastion host\|bastion host]] is the only system on the internal network that hosts on the Internet can open connection. On another hand, any external system trying to access internal system will have to connect to this host. This allows site administrator to monitor and control the information flow between site and Internet.
	The packet filtering router on screened host architecture is normally configured to do one of the following:		The packet filtering router on screened host architecture is normally configured to do one of the following:
	:* Allow other internal hosts to open connections to hosts on the Internet for certain service		:* Allow other internal hosts to open connections to hosts on the Internet for certain service
Line 192:		Line 192:
	Hence, this architecture is more flexible than dual-homed host, since it may allow direct connection from internal host to external host, where dual-home host architecture is not, but also introduced more risk, as if the router is compromised, the entire network is available to an attacker.		Hence, this architecture is more flexible than dual-homed host, since it may allow direct connection from internal host to external host, where dual-home host architecture is not, but also introduced more risk, as if the router is compromised, the entire network is available to an attacker.

-	Unlike previous architecture, screened-host can provide Internet services to other hosts on Internet through bastion host, in practice, a screened host architecture is appropriate when:	+	Unlike previous architecture, screened-host can provide Internet services to other hosts on Internet through [[Network firewall#bastion host\|bastion host]], in practice, a screened host architecture is appropriate when:
	:* Easy [[Web Services\|web services]], means few connections are coming from the Internet (in particular, it is not an appropriate architecture if the screened host is a public web server).		:* Easy [[Web Services\|web services]], means few connections are coming from the Internet (in particular, it is not an appropriate architecture if the screened host is a public web server).
	:* The network being protected has a relatively high level of host security.[1:126]		:* The network being protected has a relatively high level of host security.[1:126]

Fulx: /* Firewall Architectures */

2009-04-12T09:57:26Z

Firewall Architectures

← Older revision		Revision as of 09:57, 12 April 2009
Line 148:		Line 148:
	==Firewall Architectures==		==Firewall Architectures==
	There are many Firewall Architectures exist within different Computer Networks, but three basic ones are:		There are many Firewall Architectures exist within different Computer Networks, but three basic ones are:
-	:* Single-Box	+	:* [[Network firewall#Single-Box\|Single-Box]]
-	:* Screened host	+	:* [[Network firewall#Screened host\|Screened host]]
-	:* Screened subnet	+	:* [[Network firewall#Screened subnet\|Screened subnet]]
	This section will expose those architectures' structure and their appropriate uses.		This section will expose those architectures' structure and their appropriate uses.
	===Single-Box===		===Single-Box===

Fulx: /* Dual-Hoed Host */

2009-04-12T09:56:08Z

Dual-Hoed Host

← Older revision		Revision as of 09:56, 12 April 2009
Line 167:		Line 167:
	:* You require maximum performance and redundancy.[1:122]		:* You require maximum performance and redundancy.[1:122]

-	====Dual-~~Hoed~~ Host====	+	====Dual-Homed Host====
	[[image:DualHomeArc.JPG\|thumb\|right\|350px\|Figure 5 - Dual Homed host architecture]]		[[image:DualHomeArc.JPG\|thumb\|right\|350px\|Figure 5 - Dual Homed host architecture]]
	A dual-host host architecture is built around the dual-homed host computer -- a computer that has at lease two network interfaces. Such a hos could act as a router between the networks interfaces are attached to, as it shows in Figure 5.		A dual-host host architecture is built around the dual-homed host computer -- a computer that has at lease two network interfaces. Such a hos could act as a router between the networks interfaces are attached to, as it shows in Figure 5.

Fulx: /* Firewall Types */

2009-04-12T09:55:38Z

Firewall Types

← Older revision		Revision as of 09:55, 12 April 2009
Line 58:		Line 58:
	:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic		:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic
	:* [[Network firewall#Application Firewalls: proxy servers\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user		:* [[Network firewall#Application Firewalls: proxy servers\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user
-	:* [[Network firewall#Multilayer-inspection ~~firewalls~~\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.	+	:* [[Network firewall#Multilayer-inspection Firewalls\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.
	===Simple packet filtering: IP packet filtering Firewall===		===Simple packet filtering: IP packet filtering Firewall===
	An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:[[Image:IpHeader.JPG\|thumb\|right\|350px\|Figure 2 - Typical Ipv4 Packet Header]]		An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:[[Image:IpHeader.JPG\|thumb\|right\|350px\|Figure 2 - Typical Ipv4 Packet Header]]

Fulx: /* Firewall Types */

2009-04-12T09:54:48Z

Firewall Types

← Older revision		Revision as of 09:54, 12 April 2009
Line 57:		Line 57:
	There are three types of Firewalls, as:		There are three types of Firewalls, as:
	:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic		:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic
-	:* [[Network firewall#Application~~-layer firewall~~: ~~Proxy server~~\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user	+	:* [[Network firewall#Application Firewalls: proxy servers\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user
	:* [[Network firewall#Multilayer-inspection firewalls\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.		:* [[Network firewall#Multilayer-inspection firewalls\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.
	===Simple packet filtering: IP packet filtering Firewall===		===Simple packet filtering: IP packet filtering Firewall===

Fulx: /* Firewall Types */

2009-04-12T09:53:48Z

Firewall Types

← Older revision		Revision as of 09:53, 12 April 2009
Line 56:		Line 56:
	==Firewall Types==		==Firewall Types==
	There are three types of Firewalls, as:		There are three types of Firewalls, as:
-	:* Simple packet filtering: IP or filtering firewalls -- Block all but selected network traffic	+	:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic
-	:* Application-layer firewall: Proxy server -- act as intermediary to make requested network connections for the user	+	:* [[Network firewall#Application-layer firewall: Proxy server\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user
-	:* Multilayer-inspection firewalls -- extract the relevant communication and application state information and analyze all packet communication layers.	+	:* [[Network firewall#Multilayer-inspection firewalls\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.
	===Simple packet filtering: IP packet filtering Firewall===		===Simple packet filtering: IP packet filtering Firewall===
	An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:[[Image:IpHeader.JPG\|thumb\|right\|350px\|Figure 2 - Typical Ipv4 Packet Header]]		An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:[[Image:IpHeader.JPG\|thumb\|right\|350px\|Figure 2 - Typical Ipv4 Packet Header]]

Fulx: /* Application Firewalls: proxy servers */

2009-04-12T09:46:48Z

Application Firewalls: proxy servers

← Older revision		Revision as of 09:46, 12 April 2009
Line 115:		Line 115:
	In general, a [[Proxy Server\|Proxy]] is something or someone who does something on somebody else's behalf. For instance, you may give somebody the authority to vote for you in an election.[1:110]		In general, a [[Proxy Server\|Proxy]] is something or someone who does something on somebody else's behalf. For instance, you may give somebody the authority to vote for you in an election.[1:110]

-	It is called application-level firewall is because the proxies provide replacement connections and act as gateways to service. In addition, proxies are usually called connection bridges, since an virtual "air gap" is exists in the firewall between inside and outside, and proxy server is the only way to exchange information. As figure 4 shows, a "Dual-Homed Host" is act as a proxy server, proxy clients make request directly to this proxy server rather than the real service provider. It is the proxy server's duty to decide whether or not to forward the clients' service request to the real server, and it is also the proxy server's duty to decide whether or not to release the response to the service requesting clients.	+	It is called application-level firewall is because the proxies provide replacement connections and act as gateways to service. In addition, proxies are usually called connection bridges, since an virtual "air gap" is exists in the firewall between inside and outside, and proxy server is the only way to exchange information. As figure 4 shows, a "[[Network firewall#Dual-Hoed Host\|Dual-Homed Host]]" is act as a proxy server, proxy clients make request directly to this proxy server rather than the real service provider. It is the proxy server's duty to decide whether or not to forward the clients' service request to the real server, and it is also the proxy server's duty to decide whether or not to release the response to the service requesting clients.

	Most proxy systems are used to control and optimize outbound connections; they are normally controlled by a site administrator. It is also possible to use proxy servers to control and optimize inbound connections. For instance, to balance connections among multiple servers or to apply extra security. This is sometimes called reverse proxying.		Most proxy systems are used to control and optimize outbound connections; they are normally controlled by a site administrator. It is also possible to use proxy servers to control and optimize inbound connections. For instance, to balance connections among multiple servers or to apply extra security. This is sometimes called reverse proxying.

← Older revision		Revision as of 09:55, 12 April 2009
Line 58:		Line 58:
	:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic		:* [[Network firewall#Simple packet filtering: IP packet filtering Firewall\|Simple packet filtering: IP or filtering firewalls]] -- Block all but selected network traffic
	:* [[Network firewall#Application Firewalls: proxy servers\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user		:* [[Network firewall#Application Firewalls: proxy servers\|Application-layer firewall: Proxy server]] -- act as intermediary to make requested network connections for the user
-	:* [[Network firewall#Multilayer-inspection ~~firewalls~~\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.	+	:* [[Network firewall#Multilayer-inspection Firewalls\|Multilayer-inspection firewalls]] -- extract the relevant communication and application state information and analyze all packet communication layers.
	===Simple packet filtering: IP packet filtering Firewall===		===Simple packet filtering: IP packet filtering Firewall===
	An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:[[Image:IpHeader.JPG\|thumb\|right\|350px\|Figure 2 - Typical Ipv4 Packet Header]]		An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:[[Image:IpHeader.JPG\|thumb\|right\|350px\|Figure 2 - Typical Ipv4 Packet Header]]