Wednesday, November 5, 2014

Firewalls

In information security, a firewall is any device that prevents a specific type of information from moving between a trusted and an untrusted network. The trusted network is the inside world (the organization's own network); the untrusted network is the outside world, such as the Internet. The firewall may be a separate computer system, a service running on an existing router or server, or a separate network containing a number of supporting devices.
First-generation firewalls are packet filtering firewalls: networking devices that filter packets by examining the header of every incoming and outgoing packet.

Second-generation firewalls are known as application-level firewalls. They often consist of dedicated computers kept separate from the first filtering router and are commonly used in conjunction with a second, internal filtering router. This second server is often called a proxy server.

Third-generation firewalls, stateful inspection firewalls, keep track of each network connection established between internal and external systems using a state table. State tables track the state and context of each exchanged packet by recording which station sent which packet and when. Like first-generation firewalls, stateful inspection firewalls perform packet filtering, but they can also restrict incoming packets to those that constitute responses to internal requests. If a stateful inspection firewall receives an incoming packet that it cannot match in its state table, it defaults to its access control list (ACL) to determine whether to allow the packet to pass.

Fourth-generation firewalls, called dynamic packet filtering firewalls, allow only a particular packet with a specific source, destination, and port address to pass through the firewall.

The newest generation of firewall is a hybrid built from the capabilities of modern networking equipment that can perform a variety of tasks according to the organization's needs, known as Unified Threat Management (UTM).

Firewall Architectures

Firewall configurations are sometimes mutually exclusive and sometimes can be combined. The architectural implementations of firewalls are:
Packet filtering routers: Routers configured to block packets that the organization does not allow into the network. This lowers the organization's risk from external attack.
Screened-host firewall systems: Combine packet filtering with a separate, dedicated firewall such as an application proxy server. This approach allows the router to screen packets to minimize the network traffic and load on the internal proxy.
Dual-homed host firewalls: A bastion host contains two network interfaces, one connected to the external network and one connected to the internal network. All traffic must go through the firewall to move between the internal and external networks.
Screened-subnet firewalls: Consist of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network.
There are two general models of the screened subnet. The first uses two filtering routers, with one or more dual-homed bastion hosts between them. In the second, connections from the outside (untrusted) network are routed through an external filtering router, then into and out of a routing firewall to a separate network segment known as the DMZ; connections into the trusted internal network are allowed only from the DMZ bastion host servers.
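The two ideas above, a stateful inspection firewall that falls back to its ACL when a packet matches nothing in its state table, and the screened-subnet policy in which outside traffic reaches only the DMZ and the trusted network is reachable only from the DMZ bastion, can be modelled together. The following is an added example written for this post, not code from the book or from any firewall product. The address plan, the zone names, the ports in the ACL and the traffic are all constructed for illustration, and the state table keeps only address/port tuples (a real firewall also tracks timeouts and TCP sequence numbers). It shows the same packets judged by a first-generation stateless filter and by the stateful model side by side.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed address plan for the screened-subnet model (not from the post):
# an outside host, a DMZ bastion host and a workstation on the trusted network.
ZONES = {
    "203.0.113.10": "external",
    "192.0.2.5": "dmz",
    "10.0.0.7": "internal",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


def zone_of(addr: str) -> str:
    # Anything not in the address plan is treated as untrusted.
    return ZONES.get(addr, "external")


# Access control list entries: (source zone, destination zone, destination port).
# Hypothetical ports chosen to encode the screened-subnet policy: outside
# traffic may reach only the DMZ, the trusted network is reachable only from
# the DMZ bastion, and internal hosts leave through the DMZ proxy.
ACL: List[Tuple[str, str, int]] = [
    ("external", "dmz", 80),
    ("external", "dmz", 443),
    ("internal", "dmz", 3128),
    ("dmz", "external", 443),
    ("dmz", "internal", 1433),
]


def acl_permits(acl: List[Tuple[str, str, int]], pkt: Packet) -> bool:
    return (zone_of(pkt.src), zone_of(pkt.dst), pkt.dport) in acl


def stateless_filter(acl: List[Tuple[str, str, int]], pkt: Packet) -> str:
    """First-generation behaviour: every packet is judged by the ACL alone."""
    return "ALLOW" if acl_permits(acl, pkt) else "DROP"


class StatefulFirewall:
    """Third-generation behaviour: a state table of connections already
    admitted, with the ACL as the fallback for packets that match no entry."""

    def __init__(self, acl: List[Tuple[str, str, int]]):
        self.acl = acl
        self.state: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "ALLOW (state)"      # part of a conversation we already admitted
        if not pkt.syn:
            return "DROP (no state)"    # looks like a reply nobody inside asked for
        if acl_permits(self.acl, pkt):
            self.state.add(forward)     # new connection: record it in the state table
            return "ALLOW (acl)"
        return "DROP (acl)"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic; returns (stateless, stateful) decisions per packet."""
    fw = StatefulFirewall(ACL)
    packets = [
        Packet("10.0.0.7", "192.0.2.5", 40000, 3128, syn=True),   # workstation -> DMZ proxy
        Packet("192.0.2.5", "10.0.0.7", 3128, 40000),             # the proxy's reply
        Packet("203.0.113.10", "192.0.2.5", 5555, 80, syn=True),  # outside -> DMZ web server
        Packet("203.0.113.10", "10.0.0.7", 5555, 22, syn=True),   # outside -> trusted network
        Packet("203.0.113.10", "10.0.0.7", 6666, 40000),          # forged "reply" from outside
    ]
    return [(stateless_filter(ACL, p), fw.filter(p)) for p in packets]


if __name__ == "__main__":
    for stateless, stateful in run_scenario():
        print(f"stateless: {stateless:5}  stateful: {stateful}")
```

The second packet is the instructive one: the stateless filter drops the proxy's reply because no dmz-to-internal rule covers port 3128, whereas the stateful model allows it because it is the response to a connection the workstation opened. The last packet shows the converse: a packet from outside pretending to be a reply is dropped by the stateful model before the ACL is even consulted, since nothing in the state table matches it.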

Source: Management of Information Security by Whitman and Mattord.

