ZyXEL P-660H-61 User Guide

Prestige 660H Series User’s Guide 
Firewalls 
         10-1 
Chapter 10 
Firewalls 
This chapter gives some background information on firewalls and introduces the Prestige 
firewall. 
10.1 Firewall Overview 
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire 
from one room to another. The networking term “firewall” is a system or group of systems that 
enforces an access-control policy between two networks. It may also be defined as a mechanism used 
to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every 
security problem. A firewall is one of the mechanisms used to establish a network security perimeter 
in support of a network security policy. It should never be the only mechanism or method employed. 
For a firewall to guard effectively, you must design and deploy it appropriately. This requires 
integrating the firewall into a broad information-security policy. In addition, specific policies must be 
implemented within the firewall itself.  
10.2 Types of Firewalls 
There are three main types of firewalls: 
♦ Packet Filtering Firewalls 
♦ Application-level Firewalls 
♦ Stateful Inspection Firewalls 
10.2.1 Packet Filtering Firewalls 
Packet filtering firewalls restrict access based on the source/destination computer network address of a 
packet and the type of application.  
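The following is an added example, not code from the user guide or from ZyXEL, showing what "restrict access based on source/destination address and type of application" amounts to in a packet filter: each rule matches on addresses, protocol and destination port (the only handle a packet filter has on the application), the first matching rule wins, and anything unmatched falls to a default-deny. The LAN block 192.168.1.0/24, the rule set and the sample packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example of packet-filtering firewall rules (not ZyXEL code).
# A packet filter sees only addresses, protocol and port; it identifies the
# "type of application" by destination port (HTTP 80, FTP 21, telnet 23).

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, stands in for the application type

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR block or "any"
    dst: str                # CIDR block or "any"
    proto: Optional[str]    # None matches any protocol
    dport: Optional[int]    # None matches any port

def _addr_in(cidr: str, addr: str) -> bool:
    """True if addr falls inside cidr, or cidr is the wildcard "any"."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index), or (default, None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None

# Constructed policy for a hypothetical LAN 192.168.1.0/24 behind the firewall.
LAN = "192.168.1.0/24"
RULES = [
    Rule("allow", LAN, "any", "tcp", 80),   # HTTP from the LAN to anywhere
    Rule("allow", LAN, "any", "tcp", 21),   # FTP control channel from the LAN
    Rule("deny",  LAN, "any", "tcp", 23),   # no outbound telnet
    Rule("deny",  "any", LAN, None, None),  # nothing initiated from outside
]

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is documentation address space.
    samples = [
        Packet("192.168.1.10", "203.0.113.5", "tcp", 80),   # allowed by rule 0
        Packet("192.168.1.10", "203.0.113.5", "tcp", 23),   # denied by rule 2
        Packet("203.0.113.9", "192.168.1.10", "tcp", 80),   # denied by rule 3
        Packet("192.168.1.10", "203.0.113.5", "udp", 53),   # no match: default deny
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

Note what the filter cannot see: rule 0 admits any TCP traffic to port 80, whether or not it is well-formed HTTP, which is precisely the gap the application-level and stateful inspection types in the following sections address.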
10.2.2 Application-level Firewalls 
Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts: 
♦ Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. 
♦ Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. 
♦ Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.
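As an added example (not code from the user guide or from ZyXEL), the check below is the kind an HTTP application-level gateway performs before relaying a request: it parses the request head, accepts only well-formed HTTP/1.x with a permitted method, and resolves the published site name to an internal server from a table the gateway holds, so internal names never have to appear in outside DNS. The permitted-method set, the `PUBLISHED_SITES` mapping, the site name `www.example.com` and the sample requests are all constructed for the illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed example of the application-specific check an HTTP gateway runs
# before relaying a request to an internal host (not ZyXEL code).

ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # hypothetical policy
REQUEST_LINE = re.compile(r"^([A-Z]+) (/[^\s]*) (HTTP/1\.[01])$")

# Hypothetical table: the only name known outside is the gateway's; the
# gateway alone knows which internal server serves each published site.
PUBLISHED_SITES: Dict[str, str] = {
    "www.example.com": "192.168.1.20",
}

def inspect_http_request(raw: bytes) -> Tuple[bool, str, Optional[dict]]:
    """Parse an HTTP/1.x request head. Returns (accept, reason, relay_info)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head", None
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False, "request head not terminated", None
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line", None
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted", None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "malformed header line", None
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return False, "missing Host header", None
    internal = PUBLISHED_SITES.get(host.lower())
    if internal is None:
        return False, f"unknown site {host}", None
    # Only now does the gateway know where (and whether) to relay.
    return True, "ok", {"method": method, "target": target,
                        "version": version, "internal_host": internal}

# Constructed sample requests as an outside client would send them.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
UNKNOWN_HOST = b"GET / HTTP/1.1\r\nHost: intranet.local\r\n\r\n"
NOT_HTTP = b"SSH-2.0-OpenSSH\r\n"   # arrives on port 80 but is not HTTP

if __name__ == "__main__":
    for sample in (GOOD_REQUEST, TRACE_REQUEST, UNKNOWN_HOST, NOT_HTTP):
        print(sample[:24], "->", inspect_http_request(sample))
```

A packet filter would pass all four samples on the strength of the destination port alone; the gateway rejects three of them on application-specific grounds and logs the reason, which is the "robust authentication and logging" advantage listed above.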