Wednesday, June 17, 2009

Network Firewall - Access Control


 


Network firewalls control access to networks by permitting or denying network traffic and/or users based on a network security policy defined in the firewall by the security administrator. Firewalls can be used to establish the identity of the user by integrating them with other security tools. A firewall segments the network into zones and establishes different layers of trust, to ensure critical resources are better protected and to help contain traffic to specific network segments.


There are different types of firewalls to secure your network…


1.    Stateful Inspection Firewall


2.    Packet Filter Firewalls


3.    Application Proxy Firewall


Stateful Inspection Firewall


Stateful inspection collects information from various components of the packet header, including source IP address, destination IP address, source port, destination port and packet sequence numbers. This is how a stateful inspection firewall maintains its state table for TCP-based sessions. For UDP, it creates a pseudo-session for traffic traversing the firewall. Usually, in the case of UDP traffic, the first reply is accepted and then the connection is closed by the firewall. Stateful inspection compares the aforementioned information (IP address, port and packet sequence) in the response packet against the state table, enhancing security by allowing only matching packets to traverse the firewall. TCP reassembly may be performed to ensure accurate interpretation of TCP communication. Stateful inspection firewalls focus on the Network Layer of the OSI model.


Nowadays, ISA certified firewalls usually drop all traffic by default unless it is explicitly permitted. Check Point, Cisco PIX and Juniper are among the leading companies in firewall technologies.


Packet Filter Firewall


A packet filter may check the source and destination IP address and port details to permit or deny a connection. Since it does not maintain a state table, it is easy to hijack the session and access the server on an open port. Systems can also be compromised by sending traffic for a protocol other than the one assigned to the port. For example, traffic of potentially any protocol can be sent on port 80, which is generally used by HTTP (web) traffic. Packet filter firewalls therefore pose a potential security threat. Performance-wise, packet filtering is faster than stateful packet inspection.
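The contrast between the two designs above can be shown with a toy model. This is an added example, not code from the original post or from any firewall product: the `Packet` class, the addresses, the port-80 policy and the exact-match acknowledgement check are all constructed assumptions (real firewalls validate sequence numbers against a window).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int = 0
    ack: int = 0
    length: int = 0   # payload bytes

INSIDE = "10.0.0."    # constructed inside network prefix

def packet_filter(p):
    """Stateless: judge each packet alone. Replies from port 80 must be
    permitted by rule, because nothing remembers who asked for them."""
    return p.dport == 80 or p.sport == 80

class StatefulFirewall:
    def __init__(self):
        self.state = {}   # (client, cport, server, sport) -> client's next seq

    def inspect(self, p):
        if p.src.startswith(INSIDE):                 # outbound
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S" and p.dport == 80:     # new session allowed by policy
                self.state[key] = p.seq + 1
                return True
            if key not in self.state:
                return False
            self.state[key] = p.seq + p.length
            return True
        key = (p.dst, p.dport, p.src, p.sport)       # inbound: reverse the tuple
        # Simplification: exact ack match; real firewalls accept a window.
        return self.state.get(key) == p.ack

def demo():
    fw = StatefulFirewall()
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", seq=1000)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", seq=5000, ack=1001)
    stray = Packet("198.51.100.7", 80, "10.0.0.5", 40000, "A", seq=1, ack=1001)
    bad_ack = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "A", seq=5001, ack=7777)
    fw.inspect(syn)
    return {name: (packet_filter(p), fw.inspect(p))
            for name, p in [("reply", reply), ("stray", stray), ("bad_ack", bad_ack)]}

if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:8} packet_filter={stateless} stateful={stateful}")
```

The stateless rule passes all three inbound packets because each carries source port 80, while the state table passes only the reply that matches a session opened from inside.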


Application Proxy Firewall


Proxy firewalls differ in functionality from stateful inspection and packet filtering firewalls. A proxy firewall terminates all connections from clients and then acts as a broker between client and server. It brokers all connections in a client/server architecture.


Proxy firewalls usually implement complete client/server implementations of a protocol, which results in performance degradation. Hence proxy firewalls often fail to meet the linear multi-gigabit throughput requirements of network segments. However, application proxy firewalls can provide much enhanced security based on the application protocol, as against the stateful packet inspection firewall, which operates at the Network Layer of the OSI (Open Systems Interconnection) model.


The second major drawback of proxy firewalls stems from variations in protocol implementation by different vendors. Proxy firewalls also suffer from issues with support for new protocols and scalability on the one hand, and with fault tolerance and HA (High Availability) on the other.
