Firewalls - Red Hat ENTERPRISE LINUX 3 - SECURITY GUIDE Manual

Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.

Aside from VPN solutions such as CIPE or IPsec (discussed in Chapter 6 Virtual Private Networks), firewalls are one of the core components of network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec.

Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. Table 7-1 details three common types of firewalls and how they function:
Table 7-1

Method: NAT
Description: Network Address Translation (NAT) places internal network IP subnetworks behind one or a small pool of external IP addresses, masquerading all requests to one source rather than several.
Advantages:
  - Can be configured transparently to machines on a LAN
  - Protection of many machines and services behind one or more external IP address(es), simplifying administration duties
  - Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway
Disadvantages:
  - Cannot prevent malicious activity once users connect to a service outside of the firewall

Method: Packet Filter
Description: Packet filtering firewalls read each data packet that passes within and outside of a LAN. They can read and process packets by header information and filter the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the netfilter kernel subsystem.
Advantages:
  - Customizable through the front-end iptables utility
  - Does not require any customization on the client side, as all network activity is filtered at the router level rather than at the application level
  - Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host
Disadvantages:
  - Cannot filter packets for content like proxy firewalls
  - Processes packets at the protocol layer, but cannot filter packets at an application layer
  - Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks

Chapter 7. Firewalls
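As an added example (not code from the Red Hat guide; every address and packet below is constructed), this Python model shows the two methods in Table 7-1 side by side: a first-match rule chain with a default policy that reads only packet headers, in the manner of an iptables chain, and a masquerading gateway that places a LAN subnet behind one external address and maps replies back to the originating host.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""  # a packet filter never looks here; decisions use headers only

@dataclass
class Rule:
    action: str  # "ACCEPT" or "DROP"
    proto: str | None = None
    dport: int | None = None
    src_net: str | None = None
    def matches(self, p: Packet) -> bool:
        # Each header field the rule specifies must match; unspecified ones are wildcards
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net)))

def filter_packet(chain: list[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides; otherwise the chain's default policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy

class Masquerader:
    """Rewrites LAN sources to one external address and remembers each mapping."""
    def __init__(self, external_ip: str, internal_net: str):
        self.external_ip, self.internal_net = external_ip, ip_network(internal_net)
        self.table: dict[int, tuple[str, int]] = {}  # ext sport -> (orig src, orig sport)
    def outbound(self, p: Packet) -> Packet:
        if ip_address(p.src) not in self.internal_net:
            return p  # not from the LAN: pass through untouched
        port = 40000 + len(self.table)  # next unused external source port
        self.table[port] = (p.src, p.sport)
        return Packet(self.external_ip, port, p.dst, p.dport, p.proto, p.payload)
    def inbound(self, p: Packet) -> Packet | None:
        # Replies are mapped back through the table; unsolicited inbound traffic has no entry
        if p.dst != self.external_ip or p.dport not in self.table:
            return None
        src, sport = self.table[p.dport]
        return Packet(p.src, p.sport, src, sport, p.proto, p.payload)

# Constructed gateway policy: accept SSH only from the LAN and HTTP from anywhere
CHAIN = [Rule("ACCEPT", "tcp", 22, "192.168.1.0/24"), Rule("ACCEPT", "tcp", 80)]
```

Because filter_packet never consults the payload, a request to an accepted port is passed whatever it carries, which is the content-inspection limitation the table lists for packet filters.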
