Chapter 9 Firewalls; Firewall Overview; Types Of Firewalls - ZyXEL Communications ZyWALL 5 User Manual

This chapter gives some background information on firewalls and introduces the ZyWALL
9.1

Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire
from one room to another. The networking term "firewall" is a system or group of systems that
enforces an access-control policy between two networks. It may also be defined as a mechanism used
to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every
security problem. A firewall is one of the mechanisms used to establish a network security perimeter
in support of a network security policy. It should never be the only mechanism or method employed.
For a firewall to guard effectively, you must design and deploy it appropriately. This requires
integrating the firewall into a broad information-security policy. In addition, specific policies must be
implemented within the firewall itself.
9.2

Types of Firewalls

There are three main types of firewalls:
1. Packet Filtering Firewalls
2. Application-level Firewalls
3. Stateful Inspection Firewalls
9.2.1 Packet Filtering Firewalls
Packet filtering firewalls restrict access based on the source/destination computer network address of a
packet and the type of application.
9.2.2 Application-level Firewalls
Application-level firewalls restrict access by serving as proxies for external servers. Since they use
programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate
network packets for valid application-specific data. Application-level gateways have a number of
general advantages over the default mode of permitting application traffic directly to internal hosts:
i. Information hiding prevents the names of internal systems from being made known via DNS to
outside systems, since the application gateway is the only host whose name must be made
known to outside systems.
ii. Robust authentication and logging pre-authenticates application traffic before it reaches internal
hosts and causes it to be logged more effectively than if it were logged with standard host
logging. Filtering rules at the packet filtering router can be less complex than they would be if
the router needed to filter application traffic and direct it to a number of specific systems. The
router need only allow application traffic destined for the application gateway and reject the
rest.
Firewalls
ZyWALL 5 Internet Security Appliance
Chapter 9
Firewalls
firewall.
9-1