Firewall Classification - 3Com 3C13636 Configuration Manual

Router 3000 ethernet family

3Com Router 3000 Ethernet Family
Configuration Guide
Figure 1-1 A firewall separating the intranet from the Internet
The firewall is applied not only to the Internet connection but also to protect the
mainframe and crucial resources, such as data, on the organization's intranet. Access to
the protected data must be permitted by the firewall, even if the access is initiated
from within the organization.

An external network user must pass through the firewall before accessing the
protected network resources. Likewise, an intranet user must pass through the firewall
before accessing external network resources. The firewall thus plays the role of a
"guard" and discards the denied packets.

1.4.2 Firewall Classification

Normally, firewalls are classified into two categories: network layer firewalls and
application layer firewalls. Network layer firewalls mainly obtain the header information
of a packet, such as protocol, source address, destination address, and destination port.
Alternatively, they can directly obtain a segment of header data. Application layer
firewalls, however, analyze the whole information traffic.

The firewalls that you will often meet are divided into the following categories:

Application gateway: It verifies all the application layer data in packets that will
traverse it. Take a File Transfer Protocol (FTP) application gateway (GW) as an example.
From the perspective of the client of a connection, the FTP application GW is an
FTP server. But from the perspective of the server, it is an FTP client. All the FTP
packets transmitted on the connection must pass through this FTP application GW.

Circuit-level gateway: The "circuit" in this particular context refers to a Virtual
Circuit (VC). Before TCP or UDP is allowed to open a connection or VC, the
session reliability must be verified. Packet transmission is allowed only if the
handshake has been proved valid and completed. After a session is set up, its
information is written into the valid connection table maintained by the firewall.
A packet can be permitted only if the session information carried by it matches an
3Com Corporation
Chapter 1 Network Security Configuration
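
The circuit-level gateway behaviour described above, as an added Python example that is not taken from the 3Com manual or the router's software. It narrows the description to TCP, checks flags only (no sequence numbers), and assumes the cut-off sentence means "matches an entry in the valid connection table"; the class, function names and addresses are constructed.

```python
# Added illustration (constructed; not 3Com code): a valid connection table
# that admits a TCP packet only after a verified three-way handshake.
from collections import namedtuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
Packet = namedtuple("Packet", "src sport dst dport flags")

class CircuitGateway:
    def __init__(self):
        self.pending = {}   # session key -> (client endpoint, handshake stage)
        self.valid = set()  # the "valid connection table"

    @staticmethod
    def key(p):
        # Direction-independent key so both halves of a session match one entry.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def permit(self, p):
        k, sender = self.key(p), (p.src, p.sport)
        if k in self.valid:
            if p.flags & (FIN | RST):      # simplification: first FIN/RST ends the session
                self.valid.discard(k)
            return True
        if k not in self.pending:
            if p.flags == SYN:             # only a bare SYN may start a handshake
                self.pending[k] = (sender, "syn")
                return True
            return False                   # no session, no handshake: discard
        client, stage = self.pending[k]
        if stage == "syn" and sender != client and p.flags == (SYN | ACK):
            self.pending[k] = (client, "synack")
            return True
        if stage == "synack" and sender == client and p.flags == ACK:
            del self.pending[k]
            self.valid.add(k)              # handshake complete: write the session
            return True
        return False                       # out-of-order handshake packet

def demo():
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 21)   # constructed addresses
    gw = CircuitGateway()
    trace = [
        Packet(*s, *c, ACK),               # stray ACK before any handshake
        Packet(*c, *s, SYN), Packet(*s, *c, SYN | ACK), Packet(*c, *s, ACK),
        Packet(*s, *c, ACK),               # data on the established session
        Packet(*c, *s, FIN | ACK),         # teardown
        Packet(*s, *c, ACK),               # late packet after teardown
    ]
    return [gw.permit(p) for p in trace]
```

`demo()` returns one permit/discard decision per packet in the constructed trace: the stray ACK and the packet arriving after teardown are discarded, everything belonging to the verified session is permitted.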


This manual is also suitable for:

3c13636-us - router 30363000 series
