Firewalls: restrict access from one network to another, internally or externally.

DMZ (Demilitarized Zone): a network segment located between the protected and the unprotected networks.

Packet filtering:
- A method of controlling what data can flow into and out of a network.
- Takes place by using ACLs, which are developed and applied to a device.
- Is based on network-layer information, which means the device cannot look very far into the packet itself.
- Is not application dependent.
- Does not keep track of the state of a connection.
- Provides high performance.
- Used in first-generation firewalls.

Stateful packet filtering:
- Remembers and keeps track of what packets went where until that particular connection is closed.
- This requires the firewall to maintain a state table, which is like a score sheet of who said what to whom.
- Makes decisions on which packets to allow or disallow.
- Works at the network layer.

Proxy firewalls:
- Stand between a trusted and an untrusted network and actually make the connection, each way, on behalf of the source.
- Make a copy of each accepted packet before transmitting it and repackage the packet to hide the packet's true origin.
- Work at the application layer.

Dual-homed firewall:
- Has two interfaces: one facing the external network and the other facing the internal network.
- Has two NICs and has packet forwarding turned off.
- Often used when a company uses proxy firewalls.

Application-level proxies:
- Inspect the entire packet and make access decisions based on the actual content of the packet.
- Understand different services and protocols and the commands that are used within them.
- There must be one application-level proxy per service.
- Work at the application level.

Circuit-level proxy:
- Creates a circuit between the client computer and the server.
- Knows the source and destination addresses and makes access decisions based on this information.
- Can handle a wide variety of protocols and services.
- Works at the network layer.

SOCKS:
- An example of a circuit-level proxy gateway that provides a secure channel between two TCP/IP computers.
- Does not provide detailed protocol-specific control.
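The difference between packet filtering and stateful packet filtering above is easiest to see on concrete traffic. The following is an added example written for these notes, not code from the original page: a stateless ACL filter and a stateful filter with a state table are run side by side over a constructed TCP exchange. Everything in it is an assumption made for illustration: the protected network is taken to be 10.0.0.0/24, the ACL only needs to permit outbound web traffic and its replies, TCP flags are modelled as a set of strings, and the addresses and ports are made up. The point it demonstrates is that the stateless ACL must carry a standing "inbound from source port 80" rule for replies to get back in, so any unsolicited inbound packet that happens to use source port 80 also matches it, whereas the stateful filter only admits inbound packets that match an entry created by an earlier outbound SYN, and forgets the entry once the connection is closed.

```python
"""Stateless packet filter vs. stateful packet filter on constructed packets (added example)."""
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0.0."   # assumption: the protected network is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset({"ACK"})  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}


def direction(pkt):
    """'out' for traffic leaving the protected network, 'in' for traffic entering it."""
    return "out" if pkt.src_ip.startswith(INTERNAL_PREFIX) else "in"


# Stateless ACL: (direction, src_port, dst_port, action); None is a wildcard, first match wins.
# Rule 2 has to exist so that web replies can come back in, but the device has no memory,
# so ANY inbound packet whose source port is 80 matches it, solicited or not.
STATELESS_ACL = [
    ("out", None, 80, "allow"),
    ("in", 80, None, "allow"),
    ("in", None, None, "deny"),
    ("out", None, None, "deny"),
]


def stateless_filter(pkt):
    """Decide on one packet using only the packet's own header fields (no connection memory)."""
    d = direction(pkt)
    for rule_dir, sport, dport, action in STATELESS_ACL:
        if rule_dir == d and sport in (None, pkt.src_port) and dport in (None, pkt.dst_port):
            return action
    return "deny"  # implicit deny at the end of the ACL


@dataclass
class Connection:
    fins_seen: set = field(default_factory=set)  # which directions have sent FIN so far


class StatefulFilter:
    """Keeps a state table keyed on (internal ip, internal port, external ip, external port)."""

    def __init__(self):
        self.state = {}

    def _key(self, pkt):
        if direction(pkt) == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt):
        key = self._key(pkt)
        d = direction(pkt)
        # Only an outbound SYN to port 80 may create a new table entry.
        if d == "out" and pkt.flags == frozenset({"SYN"}) and pkt.dst_port == 80:
            self.state[key] = Connection()
            return "allow"
        conn = self.state.get(key)
        if conn is None:
            return "deny"  # no matching connection in the table: unsolicited packet
        if "RST" in pkt.flags:
            del self.state[key]  # abortive close: forget the connection immediately
            return "allow"
        if "FIN" in pkt.flags:
            conn.fins_seen.add(d)
        elif conn.fins_seen == {"in", "out"}:
            del self.state[key]  # final ACK of the four-way close: connection is over
        return "allow"


def run_scenario():
    """Run a constructed web session plus two unsolicited inbound packets through both filters."""
    client, server, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed addresses
    SYN, SYNACK, ACK, FINACK = (frozenset(s) for s in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}))
    scenario = [
        ("client_syn", Packet(client, 40000, server, 80, SYN)),
        ("server_synack", Packet(server, 80, client, 40000, SYNACK)),
        ("unsolicited_sport80", Packet(other, 80, client, 22, SYN)),   # never requested from inside
        ("client_fin", Packet(client, 40000, server, 80, FINACK)),
        ("server_fin", Packet(server, 80, client, 40000, FINACK)),
        ("client_last_ack", Packet(client, 40000, server, 80, ACK)),
        ("server_after_close", Packet(server, 80, client, 40000, ACK)),  # arrives after teardown
    ]
    stateful = StatefulFilter()
    # Each entry: name -> (stateless verdict, stateful verdict)
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in scenario}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={stateless:5s} stateful={stateful}")
```

The two rows where the verdicts differ, `unsolicited_sport80` and `server_after_close`, are the whole argument for the state table: the stateless ACL allows both because the header fields match its reply rule, while the stateful filter denies both because neither packet belongs to a connection it recorded. The cost is exactly what the notes describe: the stateful device must keep the table, expire entries on close, and handle RST and the four-way FIN sequence, which is why stateless filtering is cheaper and faster.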