Xem mẫu

  1. Firewall Taxonomy Firewalls come in various sizes and flavors. The most typical idea of a firewall is a dedicated system or appliance that sits in the network and segments an "internal" network from the "external" Internet. Most home or SOHO networks use an appliance-based device for broadband connectivity that includes a built-in firewall. In general, firewalls can be categorized under one of two general types: • Desktop or personal firewalls • Network firewalls The primary difference between these two types of firewalls simply boils down to the number of hosts that the firewall protects. Within the network firewall type, there are primary classifications of devices, including the following: • Packet-filtering firewalls (stateful and nonstateful) • Circuit-level gateways • Application-level gateways The preceding list describes general classes of firewalls but, as discussed later, many network firewalls represent hybrids of the preceding classifications. Many firewalls have characteristics that place them in more than one classification. Figure 2-1 shows a breakdown of the various firewall types currently available. This figure does not provide complete details of the various capabilities within each firewall type but rather shows the general taxonomy of the different firewalls available in the two primary types: personal/desktop firewalls and network firewalls. Figure 2-1. Firewall Taxonomy [View full size image]
  2. Given these various firewall types available, users may have a hard time identifying exactly what they need. In many cases, costs represent a driving factor in the purchase of a firewall, but knowing which types of firewalls are available and what capabilities they provide helps users make a more informed final decision. Personal Firewalls Personal firewalls are designed to protect a single host from unauthorized access. Over the years, this has evolved so that modern personal firewalls now integrate additional capabilities such as antivirus software monitoring and in some cases behavior analysis and intrusion detection to protect the device. Some of the more popular commercial personal firewalls include BlackICE as well as Cisco Security Agent. In the SOHO market Trend Micro's PC-cillin, ZoneAlarm, and the Symantec personal firewall are some of the more popular offerings. Microsoft's Internet Connection Firewall is also among the top personal firewalls installed because of the install base of machines running Windows XP with Service Pack 2. Whereas personal firewalls make immense sense in the SOHO and home user market because they provide the end user protection as well as control of the policy, in the enterprise the issues are more complex. Perhaps the biggest concern for enterprise users with regard to personal firewalls is the ability to provide a centralized policy control mechanism for the firewall. The need to centralize policy control is critical to the use of personal firewalls in an enterprise environment to minimize the administrative burden. What is administrative burden? As the number of firewalls deployed in an organization increases, the network administrator must be concerned with the proper configuration and monitoring of each one of these firewalls. Therefore, it is extremely important that as the
  3. number of firewalls increases, the ability to administer them does not become overly burdensome. By centralizing policy control and monitoring, many vendors have eased the effort of properly configuring the firewall policy and of monitoring the events. Network Firewalls Network firewalls are designed to protect whole networks from attack. Network firewalls come in two primary forms: a dedicated appliance or a firewall software suite installed on top of a host operating system. Examples of appliance-based network firewalls include the Cisco PIX, the Cisco ASA, Juniper's NetScreen firewalls, Nokia firewalls, and Symantec's Enterprise Firewall. The more popular software-based firewalls include Check Point's Firewall-1 NG or NGX Firewalls, Microsoft ISA Server, Linux-based IPTables, and BSD's pf packet filter. The Sun Solaris operating system has, in the past, been bundled with Sun's enterprise firewall, SunScreen. With the release of Solaris 10, Sun has begun bundling the open source IP Filter (IPF) firewall as an alternative to SunScreen. Many network firewalls provide enterprise users the maximum flexibility and protection in a firewall system. These firewalls have over the past few years incorporated many new features such as in-line intrusion detection and prevention as well as virtual private network (VPN) termination capabilities both for LAN-to-LAN VPNs as well as remote- access-user VPNs. Another feature that has been introduced into network firewalls is a deep packet-inspection capability. The firewall can identify traffic requirements not just by looking at Layer 3 and Layer 4 information but by delving all the way into the application data so that the firewall can make decisions as to how to best handle the traffic flow. This evolution in firewall design and capabilities has led to the development of a new firewall product, the integrated firewall, which is covered in more detail in the next section.