Chapter 11 Firewalls

Use the firewall to selectively block or allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot tell, by IP address alone, whether traffic originated from an inside host or an outside host.

The firewall performs better than filtering if you need to check many rules.

Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.

The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.

11.8 Triangle Route

When the firewall is on, your switch acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the switch to protect your LAN against attacks.

Figure 109 Ideal Setup

11.8.1 The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. Some companies have more than one route to one or more ISPs. If the alternate gateway is on the LAN (and its IP address is in the same subnet), the “triangle route” problem may occur. The steps below describe the “triangle route” problem.

1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.

2 The switch reroutes the SYN packet through Gateway A on the LAN to the WAN.

3 The reply from the WAN goes directly to the computer on the LAN without going through the switch.

As a result, the switch resets the connection, as the connection has not been acknowledged.
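The three steps above, modelled as an added example (this code is not from the user's guide): a minimal stateful firewall tracks the TCP handshake, forwards the SYN, never sees the SYN-ACK that Gateway A delivered directly to the PC, and therefore resets the connection when the PC's ACK arrives. The IP addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"

class StatefulFirewall:
    """Toy connection tracker standing in for the switch's firewall (constructed model)."""
    def __init__(self):
        # key: (lan_ip, lan_port, wan_ip, wan_port) -> handshake state
        self.table = {}

    def inspect(self, pkt: Packet, direction: str) -> str:
        # Normalise both directions onto the LAN-side view of the connection.
        if direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if direction == "out" and pkt.flags == "SYN" and state is None:
            self.table[key] = "SYN_SENT"          # step 1: LAN PC opens the connection
            return "FORWARD"
        if direction == "in" and pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.table[key] = "SYN_RECEIVED"      # reply seen only if it passes the switch
            return "FORWARD"
        if direction == "out" and pkt.flags == "ACK" and state == "SYN_RECEIVED":
            self.table[key] = "ESTABLISHED"
            return "FORWARD"
        if state == "ESTABLISHED":
            return "FORWARD"
        # Packet does not match the tracked state: the connection was never
        # acknowledged through the switch, so the firewall resets it.
        self.table.pop(key, None)
        return "RESET"

LAN_PC, WAN_SERVER = "192.168.1.33", "203.0.113.10"   # constructed sample addresses

def handshake(reply_via_switch: bool) -> list:
    """Return the firewall's decision for each packet it sees during the handshake."""
    fw = StatefulFirewall()
    seen = [fw.inspect(Packet(LAN_PC, WAN_SERVER, 40000, 80, "SYN"), "out")]
    if reply_via_switch:   # ideal setup (Figure 109): the SYN-ACK comes back through the switch
        seen.append(fw.inspect(Packet(WAN_SERVER, LAN_PC, 80, 40000, "SYN-ACK"), "in"))
    # Triangle route: the SYN-ACK went straight to the PC via Gateway A, so the
    # switch's next packet is the PC's ACK for a reply it never saw.
    seen.append(fw.inspect(Packet(LAN_PC, WAN_SERVER, 40000, 80, "ACK"), "out"))
    return seen
```

handshake(True) returns FORWARD for all three packets; handshake(False) forwards the SYN and then resets on the ACK, which is the behaviour described in the steps above.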

170


P-660HW-Tx v3 User’s Guide