Nortel 4134 Guia Do Utilizador
21
Firewall and NAT Fundamentals
Firewall Overview
Firewalls perform a critical role in perimeter security, protecting network
resources by determining who can access what on the network. To provide
this protection, a firewall is placed at the gateway (or node) at which a
secure network and an insecure network intersect; typically where the
internal network for an organization intersects the Internet.
resources by determining who can access what on the network. To provide
this protection, a firewall is placed at the gateway (or node) at which a
secure network and an insecure network intersect; typically where the
internal network for an organization intersects the Internet.
The firewall is a set of programs restricting incoming and outgoing traffic
between the Internet and the internal network according to user-specified
parameters. As a general rule, all network traffic, inbound and outbound,
flows through the firewall. The firewall screens all incoming traffic and blocks
that which does not meet the restrictions of the security policy.
between the Internet and the internal network according to user-specified
parameters. As a general rule, all network traffic, inbound and outbound,
flows through the firewall. The firewall screens all incoming traffic and blocks
that which does not meet the restrictions of the security policy.
There are three different types of firewall technologies available, namely, the
packet filter, application proxy, and stateful inspection firewall.
packet filter, application proxy, and stateful inspection firewall.
The central idea of a packet filter is that a set of rules are defined to monitor
inbound connections at the network layer level. As long as the inbound
packet conforms to the defined rules, the packet is allowed to pass. While
packet filters represent the fastest approach, with this solution, opened
ports remain open indefinitely. Also, for certain applications to function
properly, a wide range of ports must be opened. These two issues create
vulnerabilities within the packet filter solution.
inbound connections at the network layer level. As long as the inbound
packet conforms to the defined rules, the packet is allowed to pass. While
packet filters represent the fastest approach, with this solution, opened
ports remain open indefinitely. Also, for certain applications to function
properly, a wide range of ports must be opened. These two issues create
vulnerabilities within the packet filter solution.
The application proxy terminates the incoming connection from the
untrusted side, examines the packet in its entirety (up to the application
layer) and chooses to forward it further or not. While this is the safest
method, it is slower and highly application sensitive.
untrusted side, examines the packet in its entirety (up to the application
layer) and chooses to forward it further or not. While this is the safest
method, it is slower and highly application sensitive.
The approach that the SR4134 implements is a stateful inspection firewall.
The stateful inspection firewall relies on building network connections
and monitoring their state to make a decision on admitting an inbound
packet. All traffic passing through the stateful inspection firewall is analyzed
against the state of the network connections in order to determine whether
it is allowed to pass through. In a typical setup, only outbound rules are
defined to permit or deny certain types of traffic. When allowing a packet
The stateful inspection firewall relies on building network connections
and monitoring their state to make a decision on admitting an inbound
packet. All traffic passing through the stateful inspection firewall is analyzed
against the state of the network connections in order to determine whether
it is allowed to pass through. In a typical setup, only outbound rules are
defined to permit or deny certain types of traffic. When allowing a packet
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.