Appendix B. Introducing firewalls  191
We provide a brief overview of each firewall tool and its components to give you 
a general understanding of each of these features.
Packet filters
Packet filters are the tools that inspect the information coming in and going out of 
the network packet by packet. Packet filters inspect packets at the session level 
based upon multiple criteria such as time of day, source/destination IP address 
and port number, packet type, and subnet. The filter rules work with the IP 
gateway function so the machine is required to have two or more network 
interfaces, each in a separate IP network or subnetwork. One set of interfaces is 
declared non-secure and the other set is declared secure. The filter acts between 
these two sets of interfaces. Packet filtering provides the basic protection 
mechanism for the firewall. Filters allow you to determine what kind of traffic can 
pass across the firewall based on IP session details, thereby protecting the 
secure network from external threats such as scanning for secure servers or IP 
address spoofing. Packet filters act as the base on which the other higher layer 
firewall tools can be constructed.
Stateful packet filtering
Some firewalls on the market implement packet filtering based on the state of the 
session, which makes their packet filters stateful. Every time a connection is 
established or attempted, the firewall records the session details and the state of 
the connection for that session, and packet filtering then depends on the state 
diagram for that particular protocol (that is, the filter decides what kinds of packets 
to allow according to the state diagram, unlike stateless packet filters, which 
allow any packet that matches a permit rule). However, because they must keep 
state for every session, stateful packet filters are more prone to DoS attacks than 
stateless packet filters are.
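The following added example (not code from this Redbook) puts the two preceding descriptions side by side: a stateless filter that permits any packet matching a permit rule on the criteria listed above (protocol, source and destination subnet, port, time of day), and a stateful filter that consults those rules only for the SYN that opens a TCP session and then judges every later packet against a simplified TCP state diagram. The Packet and Rule fields, the rule set, the addresses and the state table are assumptions made for the demonstration; the cap on the session table is one common mitigation for the state-exhaustion DoS exposure the text mentions.

```python
"""Constructed example: a stateless packet filter beside a stateful one.
Added illustration, not code from the Redbook; the Packet/Rule fields and the
simplified TCP state table are assumptions made for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IP address
    dst: str                         # destination IP address
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"}
    hour: int = 12                   # hour of day (0-23) for time-based rules

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # source subnet, CIDR
    dst: str = "0.0.0.0/0"           # destination subnet, CIDR
    dport: int = 0                   # 0 matches any destination port
    hours: tuple = (0, 24)           # time-of-day window [start, end)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport == 0 or self.dport == pkt.dport)
                and self.hours[0] <= pkt.hour < self.hours[1])

# Constructed rule set: web to the 192.0.2.0/24 server subnet from anywhere,
# SSH to it only from the internal 10/8 range in working hours, else deny.
RULES = [
    Rule("permit", proto="tcp", dst="192.0.2.0/24", dport=80),
    Rule("permit", proto="tcp", src="10.0.0.0/8", dst="192.0.2.0/24",
         dport=22, hours=(8, 18)),
    Rule("deny"),
]

def stateless_filter(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Simplified TCP state diagram: (state, packet from client?, flags) -> next
# state.  Any packet not listed here is out of state and is dropped.
TRANSITIONS = {
    ("SYN_SENT", False, frozenset({"SYN", "ACK"})): "SYN_RECEIVED",
    ("SYN_RECEIVED", True, frozenset({"ACK"})): "ESTABLISHED",
}

class StatefulFilter:
    """Rules are consulted only for the SYN that opens a session; every later
    packet must fit the tracked state.  The session table is capped because a
    flood of half-open sessions would otherwise exhaust it."""

    def __init__(self, rules, max_sessions: int = 10_000):
        self.rules = rules
        self.max_sessions = max_sessions
        self.sessions = {}   # (client, cport, server, sport) -> state

    def filter(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return stateless_filter(self.rules, pkt)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client
        if fwd in self.sessions:
            key, from_client = fwd, True
        elif rev in self.sessions:
            key, from_client = rev, False
        elif (pkt.flags == frozenset({"SYN"})
              and len(self.sessions) < self.max_sessions
              and stateless_filter(self.rules, pkt) == "permit"):
            self.sessions[fwd] = "SYN_SENT"   # only a permitted bare SYN opens a session
            return "permit"
        else:
            return "deny"                     # no session and not a valid opener
        state = self.sessions[key]
        if state == "ESTABLISHED":
            if pkt.flags & {"FIN", "RST"}:
                del self.sessions[key]        # teardown ends tracking
            return "permit"
        nxt = TRANSITIONS.get((state, from_client, pkt.flags))
        if nxt is None:
            return "deny"                     # packet does not fit the state diagram
        self.sessions[key] = nxt
        return "permit"

def handshake_decisions(client="198.51.100.7", server="192.0.2.10"):
    """Push a three-way handshake through a fresh stateful filter and return
    the decisions for SYN, SYN/ACK and ACK."""
    sf = StatefulFilter(RULES)
    syn = Packet("tcp", client, server, 40000, 80, frozenset({"SYN"}))
    synack = Packet("tcp", server, client, 80, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", client, server, 40000, 80, frozenset({"ACK"}))
    return [sf.filter(p) for p in (syn, synack, ack)]
```

The difference the text draws shows up with a stray ACK to port 80 that belongs to no session: the stateless filter permits it because it matches the first rule, while the stateful filter denies it because no handshake was ever seen. The same `Rule.matches` logic is shared by both, so the comparison isolates the effect of tracking state.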
Proxy servers
Proxies are application level gateways. Unlike filtering, which inspects the 
packets passing through, proxies perform specific TCP/IP functions on behalf of 
a network user. There is a separate proxy for each application, that is, an HTTP 
proxy, a Telnet proxy, an FTP proxy, and so on, and they all run on the predefined 
application ports. Hence, no special client software is required to connect to 
proxy servers, and the normal clients specific to each application can be used.
The user contacts the proxy server using one of the TCP/IP applications. The 
proxy server then contacts the remote host on behalf of the user, thus 
controlling access while hiding your internal network structure from external 
users.
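As an added example (not code from this Redbook) of what an application-level gateway does on the user's behalf, the block below models the HTTP proxy case: it parses the client's request as HTTP rather than as raw packets, applies a per-application access policy (permitted methods and destination hosts), and then re-issues the request itself, so the remote host sees only the proxy's address and the headers the application needs. The policy, the proxy address, the forwarded-header list and the sample request are assumptions made for the demonstration.

```python
"""Constructed example of an application-level gateway for one application
(HTTP).  Added illustration, not the Redbook's code; the policy, the address
and the header names are assumptions made for the demo."""

PROXY_ADDR = "203.0.113.5"          # proxy's non-secure-side address (constructed)
ALLOWED_HOSTS = {"www.example.com", "www.example.net"}
ALLOWED_METHODS = {"GET", "HEAD"}
# Only headers the application itself needs are re-sent; anything else
# (internal hostnames, intranet tokens, forwarded-for chains) stays inside.
FORWARDED_HEADERS = ("host", "accept", "accept-encoding",
                     "content-type", "content-length")

def parse_request(raw: str):
    """Split a minimal HTTP/1.x request into (method, target, version,
    headers, body).  Raises ValueError on anything malformed, which the
    proxy turns into a refusal rather than passing it on."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body

def proxy_request(client_addr: str, raw: str):
    """Decide what the proxy does with a request from an internal client.
    Returns ("deny", reason) or ("forward", remote_host, outbound_request)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return ("deny", f"malformed request from {client_addr}: {exc}")
    host = headers.get("host", "")
    if method not in ALLOWED_METHODS:
        return ("deny", f"{client_addr}: method {method} not permitted")
    if host not in ALLOWED_HOSTS:
        return ("deny", f"{client_addr}: host {host!r} not permitted")
    # The proxy re-issues the request itself, so the remote host sees only
    # PROXY_ADDR as the source and only the headers listed above.
    out = [f"{method} {target} {version}"]
    for name in FORWARDED_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    return ("forward", host, "\r\n".join(out) + "\r\n\r\n" + body)

def remote_view(decision):
    """What the remote host can learn from a forwarded request: the source
    address it sees and the header names it receives."""
    if decision[0] != "forward":
        return None
    _, _, _, headers, _ = parse_request(decision[2])
    return {"source": PROXY_ADDR, "headers": sorted(headers)}

# Constructed request from an internal workstation, carrying an intranet-only
# header that must not reach the outside.
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\n"
                  "Host: www.example.com\r\n"
                  "X-Internal-Host: ws42.corp.example\r\n"
                  "Accept: text/html\r\n\r\n")
```

Running `proxy_request("10.1.2.3", SAMPLE_REQUEST)` yields a forwarded request that carries neither the client's address nor its internal hostname, which is the "hiding your internal network structure" property above; a request for a host outside the policy, a method the proxy does not implement, or a malformed request is refused before anything leaves the secure side.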