Access Control by Network Firewalls


Computer networks can be protected from internal and external threats by using firewalls. The concept is that a specially configured firewall on the network will block unwanted access. However, this is a grossly misunderstood concept, and many organizations do not understand firewall capabilities and limitations. As a result, there can be a false sense of security. Let’s consider the advantages and disadvantages of network firewalls:

Firewall advantages: Reduces external access to the network.

Firewall disadvantages: There is always a hole for traffic to pass through—either good traffic or bad traffic or both. A firewall can control only the traffic that passes directly through it. It does not protect modems or other access points. A firewall can be misconfigured or technically circumvented. There is no such thing as a completely safe firewall. The firewall concept creates a false sense of security.

Network firewalls have undergone several generations of improvement. The first generation was simply a router with a primitive access list specifying the destination (“to”) and sender (“from”) network addresses. Attackers became more sophisticated, and so did the need for better firewalls. The following are the different generations of firewall technology:

First generation: Packet filter

The first generation was a packet filter. Filtering is based on the sending and receiving addresses combined with the service port, evaluated one packet at a time. The advantage of this design is its low cost. The first-generation packet filter design was prone to problems: it was plagued with poor logging, and its granular rules were difficult to implement effectively. Hackers were still able to get in.

Second generation: Application proxy filter

A firewall application program was added to the first-generation design of packet filtering. The second generation uses an application proxy to relay requests through the firewall. The proxy checks the inbound request to ensure that both the format and the type of request are acceptable. Application proxies perform user requests without granting direct access to the target software. The application proxy is also referred to as a circuit-level firewall, because the application proxy is required to complete the circuit; otherwise, no connection exists. This design improved event logging; however, hackers were still able to get in.

Third generation: Stateful inspection

Hackers were able to trick second-generation firewalls by sending a request that was formatted to bypass the proxy design. Application proxy firewalls relied on open connections maintained with the user. Connectionless sessions such as the User Datagram Protocol (UDP) in IP were not protected. In the third generation, UDP connectionless requests are recorded into a history table. The historic “state” of connectionless requests is now tracked by the firewall for better protection. This is referred to as stateful inspection. Stateful inspection is the de facto minimum standard for network firewall technology. However, there is still room for improvement.
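To make the difference between the first and third generations concrete, here is an added illustration (not code from the study guide): a toy stateless packet filter beside a toy stateful filter that keeps the history table described above, both run over a constructed UDP trace. The addresses, ports and the DNS exchange are assumptions made up for the example.

```python
# Added example: first-generation packet filter vs third-generation stateful
# inspection, over a constructed UDP trace. Not from the CISA study guide.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    inbound: bool   # True when the packet arrives from the outside

INSIDE_HOST = "10.0.0.5"          # constructed internal client
DNS_SERVER = "198.51.100.53"      # constructed external resolver

class PacketFilter:
    """First generation: static rules on addresses and ports, no memory."""
    def __init__(self):
        # To let DNS answers back in, a stateless rule has to admit *any*
        # inbound UDP packet whose source port is 53, solicited or not.
        self.rules = [("udp", 53)]    # (proto, source port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        return any(pkt.proto == p and pkt.sport == sp for p, sp in self.rules)

class StatefulFilter:
    """Third generation: inbound traffic is admitted only if it answers a
    request previously recorded in the history table."""
    def __init__(self):
        self.history = set()          # (proto, in_addr, in_port, out_addr, out_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.history.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.history

# Constructed trace: a real query, its real answer, and an unsolicited inbound
# packet that merely copies the source port of a DNS answer.
TRACE = [
    Packet(INSIDE_HOST, DNS_SERVER, "udp", 40001, 53, inbound=False),
    Packet(DNS_SERVER, INSIDE_HOST, "udp", 53, 40001, inbound=True),
    Packet("203.0.113.9", INSIDE_HOST, "udp", 53, 31337, inbound=True),
]

def run(firewall, trace):
    """Return the allow/deny decision for each packet in order."""
    return [firewall.allow(p) for p in trace]
```

The stateless filter admits all three packets, while the stateful filter admits only the answer that matches a recorded outbound request.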

Fourth generation: Adaptive response

Improvements in technology allow the firewall to communicate with an intrusion detection system. This provides an adaptive response to network attacks. The firewall administrator can configure stored procedures designed to counter many types of firewall attack. The firewall can reconfigure itself to block ports or reset connections. One drawback is that a skilled attacker may masquerade as a critical device such as a necessary server. The fourth-generation firewall could accidentally disable the critical device, which would create a denial-of-service problem.

Fifth generation: Kernel process

The fifth-generation firewall is actually an internal control mechanism designed into the operating system kernel. Individual processing requests are verified against an internal access control list. Those not on the list are rejected. Special military systems have been using fifth-generation firewalls for many years. Microsoft Windows XP has implemented a basic fifth-generation firewall.

The network firewall is the best defense for protecting a network. Each generation provides a different level of cost and protection. Network firewalls can be implemented by using one of three basic designs.

The first method is the screened host implementation. The screened host protects a single host through the firewall. The host computer is strongly defended. It is expected that this host may be attacked. Technical manuals may refer to this as the bastion host.

bastion host

The second method of firewall implementation is to install two interface cards in the same host. This method is referred to as dual-homed. The host computer is configured with routing disabled. A special software application such as an application proxy relays appropriate communication between the two interface cards. This is the configuration of many Internet firewalls.

dual homed host

The third method of firewall implementation is known as the screened subnet, or DMZ (Demilitarized Zone) design. DMZ is a term that refers to the demilitarized zone between enemy forces on a battlefield. The DMZ design allows several computers to be placed in a protected subnet that is accessible from the outside and by systems inside the network. Any military veteran will tell you that it’s possible to be attacked and killed in the DMZ. The same applies to computers located here.

Screened subnet - DMZ map

Firewall systems should be implemented to support a separation of duties. Separation of duties is just as important for machines as for personnel. The intention is to provide additional layers of control. Separate firewalls allow tighter access-control rules. Selected data is mirrored from internal production servers to a DMZ server for access by business partners or clients. This eliminates the dangers of direct access to an internal server. In addition, the redundancy improves overall availability. An outage would affect a smaller audience.


Taken from:
CISA® Study Guide Second Edition (chapter 7) by David L. Cannon
Picture taken by Googling
