
18 Network layer firewalls


This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.


These generally make their decisions based on the source and destination
addresses and ports (see Appendix C for a more detailed discussion of ports)
in individual IP packets. A simple router is the ``traditional'' network
layer firewall, since it is not able to make particularly sophisticated
decisions about what a packet is actually talking to or where it actually
came from. Modern network layer firewalls have become increasingly
sophisticated, and now maintain internal information about the state of
connections passing through them, the contents of some of the data streams,
and so on. An important distinction of many network layer firewalls is that
they route traffic directly through them, so to use one you either need to
have a validly assigned IP address block or to use a ``private internet''
address block [3]. Network layer firewalls tend to be very fast and very
transparent to users.

Figure 1: Screened Host Firewall


In Figure 1, a network layer firewall called a ``screened host firewall'' is
represented. In a screened host firewall, access to and from a single host
is controlled by means of a router operating at the network layer. The single
host is a bastion host: a highly defended and secured strong point that
(hopefully) can resist attack.
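
An added example (not part of the original FAQ) of the decision logic described above: a first-match, default-deny filter on source and destination address and port, and a stateful variant that remembers connections it has already allowed, applied to a screened-host policy like the one in Figure 1. The rule set, addresses, ports and all names are constructed for illustration, and only TCP is assumed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # TCP assumed; only the header fields the filter reads
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source network in CIDR form
    dst: str         # destination network in CIDR form
    dports: range    # destination ports the rule covers

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.dport in self.dports)

def stateless_filter(rules, pkt):
    """Judge each packet in isolation: first matching rule wins, else deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

class StatefulFilter:
    """Same rules, plus a table of flows that were already allowed."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()

    def decide(self, pkt):
        # A reply is the mirror image of a flow the rules allowed earlier.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        action = stateless_filter(self.rules, pkt)
        if action == "allow":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

# Constructed screened-host policy: only the bastion (192.0.2.10) is reachable.
BASTION = "192.0.2.10/32"
RULES = [
    Rule("allow", "0.0.0.0/0", BASTION, range(25, 26)),    # inbound SMTP to bastion
    Rule("allow", BASTION, "0.0.0.0/0", range(1, 65536)),  # bastion may connect out
]
```

With these rules the stateless filter drops the reply to the bastion's own outbound connection, because the reply is addressed to an ephemeral port rather than port 25; the stateful filter admits that reply only after it has seen the matching outbound packet.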

Figure 2: Screened Subnet Firewall


In Figure 2, a network layer firewall called a ``screened subnet firewall''
is represented. In a screened subnet firewall, access to and from a whole
network is controlled by means of a router operating at the network layer.
It is similar to a screened host, except that it is, effectively, a network
of screened hosts.

 
