4.6.3 Categories of Firewall
The firewall can be roughly classified into two categories: packet filtering and application proxy.
(1) Packet filtering: it works at the network layer and the transmission layer, and it decides whether data may pass according to the packet's source address, destination address, port number and protocol category. Only those packets that satisfy the filtering logic are forwarded to the destination; all others are discarded.
(2) Application proxy: it is also called an application gateway. Working at the application layer, it completely “blocks” the direct communication flow of the network. The communication flow at the application layer is monitored and controlled by means of dedicated proxy programs written for each application service. Application gateways are in practice implemented on dedicated workstations.
1. Packet filtering firewall
Packet filtering is a universal, low-cost and effective security means. It is universal because no special processing is needed for each individual network service; it is low-cost because most routers already have a packet-filtering function; it is effective because it satisfies the security requirements of enterprises to the greatest extent.
Packet filtering works at the network layer and the transmission layer. It determines the passage of packets according to the source and destination addresses, port number and protocol category. The information it relies on comes from the IP, TCP or UDP header.
Introduction to E-commerce
The advantage of packet filtering is that there is no need to modify the application programs on the client or the host, because it works at the network layer and the transmission layer. But the weak points are also obvious: the information available from the network layer and the transmission layer cannot satisfy all requirements; the number of filtering rules is finite, and performance suffers as the number of rules grows; and because of the lack of context (connection-state) information, UDP and RPC protocols cannot be filtered effectively. What is more, most filters lack audit and alarm mechanisms, and their poor management facilities and user interfaces place heavy demands on the security administrator, who has to rely on a deep understanding of the protocols and of the roles of the different applications in order to establish correct security rules. Thus the filter is usually used together with a gateway to constitute the firewall system.
2. Application proxy firewall
An application proxy firewall sits at the separation point between the internal network and the external network, monitoring and separating the communication flow at the application layer, as illustrated in Fig. 4.7. It works at the highest layer of the OSI model, where all the information concerning system security can be controlled.
Figure 4.7 Application proxy firewalls
3. Hybrid firewall
The two methods mentioned above are usually combined to constitute the hybrid firewall. This combination is usually implemented in two ways.
(1) Host-screened firewall structure: in this structure, the packet filtering router or firewall is connected to the Internet, while a bastion host is installed in the intranet. The filtering rules of the packet filtering router or firewall are set so that the bastion host is the only node that can be reached from other nodes on the Internet, which ensures that the intranet will not be attacked by unauthorized users.
4 Security Technologies in E-commerce
(2) Subnet-screened firewall structure: the bastion host is placed in a subnet that forms a demilitarized zone (DMZ), with two packet filtering routers placed at the two ends of this subnet, separating it from the Internet on one side and from the intranet on the other. In this architecture, the bastion host and the packet filtering routers constitute the foundation of the firewall.
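A minimal stateless packet filter enforcing the host-screened policy above (Internet traffic may reach only the bastion host), as an added example that is not from the textbook; all addresses, the rule format and the `filter_packet` helper are constructed for illustration. The last case in the test shows the context problem the text notes: a filter without connection state cannot recognise a UDP reply to a legitimate outbound query.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter actually looks at (constructed sample)."""
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR network
    dst: str                 # CIDR network
    proto: str = "any"
    dport: Optional[int] = None   # None means any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Screened-host policy with constructed addresses: the bastion host is the
# only intranet node the Internet may reach; everything else is denied.
INTRANET = "10.0.0.0/8"
BASTION = "10.0.0.5/32"
SCREENED_HOST_RULES: List[Rule] = [
    Rule("allow", "0.0.0.0/0", BASTION, "tcp", 25),   # mail relay on bastion
    Rule("allow", "0.0.0.0/0", BASTION, "tcp", 80),   # web proxy on bastion
    Rule("allow", INTRANET, "0.0.0.0/0"),             # outbound from intranet
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),           # default deny
]


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; an unmatched packet is discarded."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Because the filter keeps no state, the UDP reply to an intranet host is dropped even though the intranet host asked for it; this is why the text pairs the filter with a gateway (or, in later designs, stateful inspection).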