ParkerVision WR3000 Chapter 11:

WR3000 4-Port Wireless DSL/Cable Router

Chapter 11:

This chapter gives some background information on ﬁ rewalls and

introduces the WR3000 Wireless Router ﬁ rewall.

11.1 Firewall Overview

Originally, the term Firewall referred to a construction technique designed to prevent the

spread of ﬁ re from one room to another. The networking term “ﬁ rewall” is a system or group of

systems that enforces an access-control policy between two networks. It may also be deﬁ ned

as a mechanism used to protect a trusted network from an untrusted network. Of course,

ﬁ rewalls cannot solve every security problem. A ﬁ rewall is one of the mechanisms used to

establish a network security perimeter in support of a network security policy. It should never be

the only mechanism or method employed. For a ﬁ rewall to guard effectively, you must design

and deploy it appropriately. This requires integrating the ﬁ rewall into a broad information-

security policy. In addition, speciﬁ c policies must be implemented within the ﬁ rewall itself.

11.2 Types of Firewalls

There are three main types of ﬁ rewalls:

1. Packet Filtering Firewalls

2. Application-level Firewalls

3. Stateful Inspection Firewalls

11.2.1 Packet Filtering Firewalls

Packet ﬁ ltering ﬁ rewalls restrict access based on the source/destination computer network

address of a packet and the type of application.

11.2.2 Application-level Firewalls

Application-level ﬁ rewalls restrict access by serving as proxies for external servers. Since they

use programs written for speciﬁ c Internet services, such as HTTP, FTP and telnet, they can

evaluate network packets for valid application-speciﬁ c data. Application-level gateways have a

number of general advantages over the default mode of permitting application trafﬁ c directly to

internal hosts:

i. Information hiding prevents the names of internal systems from being made known via DNS

to outside systems, since the application gateway is the only host whose name must be made

known to outside systems.

ii. Robust authentication and logging pre-authenticates application trafﬁ c before it reaches

internal hosts and causes it to be logged more effectively than if it were logged with standard

host logging. Filtering rules at the packet ﬁ ltering router can be less complex than they would be

if the router needed to ﬁ lter application trafﬁ c and direct it to a number of speciﬁ c systems.

The router need only allow application trafﬁ c destined for the application gateway and reject

the rest.