3Com 3031 Installation Instructions

Packet Filter and Firewall
773
Figure 190   Firewall separating the intranet from the Internet
The firewall is not only applied to the Internet connection; it is also used to protect the mainframe and crucial resources, such as data on the organization's intranet. Even access to the protected data that is initiated from inside the organization must be permitted by the firewall.

An external network user must pass through the firewall before it can access the protected network resources. Likewise, an intranet user must pass through the firewall before it can access external network resources. Thus, the firewall plays the role of a "guard" and discards the denied packets.
Firewall Classification
Normally, firewalls are classified into two categories: network layer firewalls and application layer firewalls. Network layer firewalls mainly obtain the header information of a packet, such as the protocol, source address, destination address, and destination port. Alternatively, they can directly obtain a segment of the header data. Application layer firewalls, however, analyze the whole content of the traffic.
Firewalls that you often meet are divided into the following categories:

Application gateway: It verifies all the application layer data in packets that will traverse it. Take a File Transfer Protocol (FTP) application GW as an example. From the perspective of the client of a connection, the FTP application GW is an FTP server. But from the perspective of the server, it is an FTP client. All the FTP packets transmitted on the connection must pass through this FTP application GW.

Circuit-level gateway: The "circuit" in this particular context refers to a Virtual Circuit (VC). Before TCP or UDP is allowed to open a connection or VC, the reliability of the session must be verified. Packet transmission is allowed only if the handshake has been proved valid and has completed. After a session is set up, its information is written into the valid connection table maintained by the firewall. A packet is permitted only if the session information it carries matches an entry in the valid connection table. After the session is terminated, the session entry is deleted from the table. A circuit-level GW authenticates a connection only at the session layer. If the authentication is passed, any application can be run on the connection. Take FTP as an example. A circuit-level GW only authenticates an FTP session at the TCP layer at the beginning of the session. If the authentication is passed, all the data can be transmitted on this connection until the session is terminated.
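The valid connection table described above, modelled as an added example (not 3Com's code): a minimal circuit-level gateway that admits a TCP session only after observing a complete three-way handshake, permits any later packet whose addresses match a table entry, and deletes the entry on FIN or RST. Packet fields, flag sets and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN"}); constructed, not a real capture

@dataclass
class CircuitGateway:
    pending: dict = field(default_factory=dict)   # handshakes in progress: key -> (stage, initiator)
    table: set = field(default_factory=set)       # the valid connection table

    def _key(self, p: Packet):
        # Canonical key so both directions of a session map to the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.table:                     # established session: any application data passes
            if p.flags & {"FIN", "RST"}:
                self.table.discard(key)           # session terminated: entry deleted
            return "PERMIT"
        stage = self.pending.get(key)
        if p.flags == {"SYN"} and stage is None:
            self.pending[key] = ("SYN", p.src)    # handshake step 1, remember who initiated
            return "PERMIT"
        if p.flags == {"SYN", "ACK"} and stage and stage[0] == "SYN" and p.dst == stage[1]:
            self.pending[key] = ("SYNACK", stage[1])   # step 2 must come from the responder
            return "PERMIT"
        if p.flags == {"ACK"} and stage and stage[0] == "SYNACK" and p.src == stage[1]:
            del self.pending[key]
            self.table.add(key)                   # handshake complete: write the entry
            return "PERMIT"
        return "DENY"                             # no valid session: discard

def demo():
    """Run a constructed FTP-control session plus two packets with no valid session."""
    gw = CircuitGateway()
    c, s = ("10.0.0.5", 40000), ("203.0.113.10", 21)   # constructed client / FTP server
    def pkt(frm, to, *flags):
        return Packet(frm[0], frm[1], to[0], to[1], frozenset(flags))
    seq = [
        pkt(c, s, "SYN"), pkt(s, c, "SYN", "ACK"), pkt(c, s, "ACK"),   # handshake
        pkt(c, s, "PSH", "ACK"),                       # FTP command after handshake
        pkt(("198.51.100.7", 5555), s, "PSH", "ACK"),  # no session in the table: discarded
        pkt(s, c, "FIN", "ACK"),                       # teardown, entry removed
        pkt(c, s, "PSH", "ACK"),                       # after teardown: discarded
    ]
    return [gw.filter(p) for p in seq]
```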
[Figure 190 components: PCs and a Server on the Ethernet intranet, the Firewall, and the Internet]