Firewalls can be an effective means of protecting a
local system or a network of systems from network-based security threats.
A firewall can be a software package or a dedicated hardware device, and all
traffic between the protected network and the outside must pass
through it. If the firewall is a packet filter, its policy
decides which packets are allowed through. If it is an application proxy or gateway,
its policy decides which application services may be accessed through
the firewall. In either case the firewall policy falls into one of two
categories: allow by default or deny by
default.
Figure (a) illustrates a
packet filter firewall placed in the border router, on the security
perimeter, between the external, less trusted Internet and the internal, more
trusted private network.
Figure
(b) illustrates an application-level gateway (or proxy server), emphasizing
that it supports only a specific list of application services.
An
allow-by-default policy lets every kind of packet and service
pass through the firewall; only the traffic you do not want is denied
explicitly. This policy is insecure by default: anything new or
not covered by an existing rule passes through the firewall. It is
normally used only for research and development purposes. A deny-by-default policy
drops all packets and services; anything you want to permit must be allowed
explicitly. This policy is secure
by nature because any unforeseen traffic or threat is already denied by
default. The practical cost is that every legitimate new service must be added to the rule set before it will work, which is exactly the review step that makes the policy safe.
In
the screened host firewall, single-homed bastion configuration, the firewall consists of two systems: a packet
filtering router and a bastion host. The router forwards IP packets to
and from the bastion, while the bastion host performs authentication and proxy
functions. Because the bastion has a single interface, a compromised router could be made to forward traffic directly to the internal network, bypassing the bastion. The screened host firewall, dual-homed bastion configuration adds a
second layer of security: the bastion has two network interfaces and does not route between them, so internal hosts are physically unreachable from outside even if the packet
filtering router is completely compromised. The
third configuration, the screened subnet firewall, is the most secure. It uses
two packet filtering routers, one between the bastion host and the
Internet and one between the bastion host and the internal network, creating
an isolated subnetwork (the screened subnet, or DMZ) that hosts the bastion. External hosts can reach only the screened subnet, internal hosts are never directly exposed to the Internet, and the inner router can be configured to accept traffic only from the bastion, so even a full compromise of the outer router does not open a path to the internal network.
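The two ideas above, the default-policy choice and the layered routers of a screened subnet, are easiest to see on a tiny packet filter model. The following Python is an added example written for this post, not code from the original article or from any firewall product: it evaluates first-match rules with a configurable default (the way iptables/nftables and pf do), then composes two such filters into an outer and inner router. The addresses (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the internal network, 198.51.100.7 as an Internet host) and the port numbers are constructed for illustration.

```python
"""Toy stateless packet filter with a default policy, composed into a screened subnet."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class PacketFilter:
    name: str
    default: str  # ALLOW = allow by default, DENY = deny by default
    rules: List[Rule] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:  # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return self.default  # nothing matched: the default policy decides


# Constructed example ranges (RFC 5737 / RFC 1918 documentation and private space).
DMZ = "192.0.2.0/24"          # the screened subnet
BASTION = "192.0.2.10/32"     # bastion host inside the DMZ
INTERNAL = "10.0.0.0/8"       # internal private network

# Same explicit rules, opposite defaults: telnet blocked, HTTPS to the bastion open.
allow_by_default = PacketFilter("allow-by-default", ALLOW, [
    Rule(DENY, proto="tcp", dport=23),
    Rule(ALLOW, dst=BASTION, proto="tcp", dport=443),
])
deny_by_default = PacketFilter("deny-by-default", DENY, [
    Rule(DENY, proto="tcp", dport=23),
    Rule(ALLOW, dst=BASTION, proto="tcp", dport=443),
])


def outcome_for_unlisted_service(fw: PacketFilter) -> str:
    """A service nobody wrote a rule for (tcp/8080) is the case that separates the two policies."""
    return fw.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 8080))


# Screened subnet: the outer router sits between the Internet and the DMZ,
# the inner router between the DMZ and the internal network. Both deny by default.
outer_router = PacketFilter("outer", DENY, [
    Rule(ALLOW, dst=BASTION, proto="tcp", dport=443),  # Internet may reach only the bastion proxy
    Rule(ALLOW, src=DMZ),                              # DMZ hosts may send outbound
])
inner_router = PacketFilter("inner", DENY, [
    Rule(ALLOW, src=BASTION, dst=INTERNAL, proto="tcp", dport=3128),  # only the bastion proxy goes inside
    Rule(ALLOW, src=INTERNAL, dst=BASTION),                           # internal hosts talk to the bastion
])

ZONE_ORDER = {"internet": 0, "dmz": 1, "internal": 2}


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in ip_network(DMZ):
        return "dmz"
    if a in ip_network(INTERNAL):
        return "internal"
    return "internet"


def screened_subnet_decide(pkt: Packet, outer: PacketFilter = outer_router,
                           inner: PacketFilter = inner_router) -> str:
    """A packet is forwarded only if every router on its path allows it.
    Internet<->DMZ crosses the outer router, DMZ<->internal the inner one,
    Internet<->internal both; traffic within one zone never touches a router."""
    lo, hi = sorted((ZONE_ORDER[zone(pkt.src)], ZONE_ORDER[zone(pkt.dst)]))
    path = [r for i, r in enumerate((outer, inner)) if lo <= i < hi]
    return ALLOW if all(r.decide(pkt) == ALLOW for r in path) else DENY
```

Two things to try with this model: call `outcome_for_unlisted_service` on both filters to see that only the deny-by-default one stops the unlisted tcp/8080 service, and pass a wide-open `PacketFilter("compromised", ALLOW)` as `outer` to `screened_subnet_decide` to see that an Internet-to-internal packet is still dropped by the inner router, which is the property the screened subnet buys.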