[root@myServer ~] # /sbin/ifdown <nickname>
43.8. Firewalls
Information security is commonly thought of as a process and not a product. However, standard
security implementations usually employ some form of dedicated mechanism to control access
privileges and restrict network resources to users who are authorized, identifiable, and traceable.
Red Hat Enterprise Linux includes several tools to assist administrators and security engineers with
network-level access control issues.
Firewalls are one of the core components of a network security implementation. Several vendors
market firewall solutions catering to all levels of the marketplace: from home users protecting one
PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone
hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as
Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for
home and business markets.
Apart from the differences between hardware and software firewalls, there are also differences in the
way firewalls function that separate one solution from another. Table 43.2, "Firewall Types" details
three common types of firewalls and how they function:

Table 43.2, "Firewall Types"

Method: NAT
Description: Network Address Translation (NAT) places private IP subnetworks behind one or a small
pool of public IP addresses, masquerading all requests to one source rather than several. The Linux
kernel has built-in NAT functionality through the Netfilter kernel subsystem.
Advantages:
· Can be configured transparently to machines on a LAN
· Protection of many machines and services behind one or more external IP addresses simplifies
  administration duties
· Restriction of user access to and from the LAN can be configured by opening and closing ports on
  the NAT firewall/gateway
Disadvantages:
· Cannot prevent malicious activity once users connect to a service outside of the firewall

Method: Packet Filter
Description: A packet filtering firewall reads each data packet that passes through a LAN. It can read
and process packets by header information and filters the packet based on sets of programmable rules
implemented by the firewall administrator. The Linux kernel has built-in packet filtering
functionality through the Netfilter kernel subsystem.
Advantages:
· Customizable through the iptables front-end utility
· Does not require any customization on the client side, as all network activity is filtered at the
  router level rather than the application level
· Since packets are not transmitted through a proxy, network performance is faster due to direct
  connection from client to remote host
Disadvantages:
· Cannot filter packets for content like proxy firewalls
· Processes packets at the protocol layer, but cannot filter packets at an application layer
· Complex network architectures can make establishing packet filtering rules difficult, especially
  if coupled with IP masquerading or local subnets and DMZ networks
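As an added illustration (not from the Deployment Guide, and not Netfilter or iptables code), the following Python models the two mechanisms in Table 43.2 in miniature: a first-match packet filter that decides on header fields only, with a default-deny chain policy, and a masquerading gateway that rewrites LAN sources to one public address and maps replies back through its translation table, dropping unsolicited inbound packets. All addresses, subnets and ports are made up.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the two mechanisms in Table 43.2 (not Netfilter code);
# every address and port below is made up.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any destination port
    def matches(self, p: Packet) -> bool:
        # Header fields only: the filter never sees payload (the table's proxy comparison).
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: list, p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in an iptables chain; else the policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy

class Masquerade:
    """Source NAT: hosts in `lan` leave as `public_ip`; a table maps replies back."""
    def __init__(self, lan: str, public_ip: str):
        self.lan, self.public_ip, self.next_port = ip_network(lan), public_ip, 1024
        self.fwd = {}  # (lan_src, lan_sport) -> external port
        self.rev = {}  # external port -> (lan_src, lan_sport)
    def outbound(self, p: Packet) -> Packet:
        if ip_address(p.src) not in self.lan:
            return p   # not from the masqueraded subnet: forwarded untouched
        key = (p.src, p.sport)
        if key not in self.fwd:
            self.fwd[key], self.rev[self.next_port] = self.next_port, key
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.fwd[key])
    def inbound(self, p: Packet) -> Optional[Packet]:
        # Replies map back to the opening host; unsolicited packets have no mapping (None).
        key = self.rev.get(p.dport) if p.dst == self.public_ip else None
        return None if key is None else replace(p, dst=key[0], dport=key[1])
```

Note that once a LAN host has opened a session, `inbound` forwards whatever the remote service sends back through the mapping; that is the NAT disadvantage in the table, and the reason a packet filter or proxy is layered on top.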