Page 162 - DCAP516_COMPUTER_SECURITY
Computer Security
13.2.2 Rules based vs. Policy based Firewalls
Rules based Firewalls
Rules based firewall systems use rules to control communication between hosts inside and
outside the firewall. Each rule is a single line of text containing the network addresses
and virtual port numbers of services that are permitted or denied. These rules are stored together
in one or more text files which are read when the firewall starts up. Rules based systems are
static in that they cannot do anything they have not been expressly configured to do. There must
be a line in one of their configuration files that tells them exactly what to do with
each packet that flows through the device. This makes the system more straightforward to
configure, but less flexible and less adaptive to changing circumstances.
Policy based Firewalls
Policy-based systems are more flexible than rules based systems. They allow the administrator
to define the conditions under which general types of communication are permitted, as well as
to specify what functions and services will be performed to provide that communication.
A policy-based system can dynamically set up permitted communication to arbitrary IP addresses.
Any system that supports the IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) is
considered a policy based system.
13.2.3 Packet Filtering vs. Packet Inspecting Firewalls
Packet Filtering Firewalls
A packet filtering firewall watches the following fields in each IP datagram it receives:
Source IP address
Destination IP address
Source Port Number
Destination Port Number
Protocol type
Using these fields, the packet filtering firewall can either permit or drop the packet in either
direction. Routers with access control lists can also perform packet filtering. However, a purely
packet filtering firewall cannot recognize dynamic connections such as those used by FTP.
Packet Inspecting Firewalls
Packet inspection involves opening IP packets and looking beyond the basic network protocol
information such as the source and destination IP addresses and other packet header fields.
Using TCP/IP as an example, a packet inspecting firewall can tell the difference between a web
request (TCP port 80), a Telnet request (TCP port 23) and a DNS lookup (UDP port 53). It can tell
the difference between the web request and the web server’s response, and will only permit the
proper response. “Deep” inspection firewalls can see the Web URL that is being retrieved and, in
some cases, can see the Java Applets, JavaScript and cookies contained within the web page. Such
‘deep inspection’ firewalls can remove the offending Java Applets and block the cookies based
on the URL of the web server delivering the page or other criteria.
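The following is an added example, not code from the textbook: a small Python model of a rules based packet filter that decides on the five header fields listed above, beside a minimal stateful check that admits a server's reply only when the firewall has already seen the matching outbound request. The rule lines, addresses and ports are constructed for illustration.

```python
# Added example (not from the textbook): a tiny rule-based packet filter
# over the five header fields the text lists, plus a minimal stateful
# check that only admits replies to connections the firewall has seen.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


# Constructed rule set, one text line per rule; first match wins, default deny.
# Format: action proto src_net src_port dst_net dst_port   ("*" = any)
RULES = """
permit tcp 10.0.0.0/24 * 0.0.0.0/0 80
permit udp 10.0.0.0/24 * 10.0.0.53/32 53
deny   tcp 0.0.0.0/0 * 10.0.0.0/24 23
""".strip().splitlines()


def _match_field(spec, value, is_net):
    if spec == "*":
        return True
    return ip_address(value) in ip_network(spec) if is_net else int(spec) == value


def stateless_filter(pkt, rules=RULES):
    """Pure packet filter: the decision comes from header fields alone."""
    for line in rules:
        action, proto, snet, sport, dnet, dport = line.split()
        if (proto == pkt.proto and _match_field(snet, pkt.src_ip, True)
                and _match_field(sport, pkt.src_port, False)
                and _match_field(dnet, pkt.dst_ip, True)
                and _match_field(dport, pkt.dst_port, False)):
            return action
    return "deny"  # no rule matched: drop the packet


class StatefulFilter:
    """Adds a connection table so that only replies to permitted outbound
    requests are admitted, without a static rule for the return path."""
    def __init__(self):
        self.table = set()

    def decide(self, pkt):
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
        if reverse in self.table:
            return "permit"  # reply to a connection an inside host opened
        if stateless_filter(pkt) == "permit":
            self.table.add((pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto))
            return "permit"
        return "deny"
```

With only the static rules, the web server's reply is dropped because no line describes the return path; the stateful variant admits it from its table. Neither model recognizes an FTP data connection, since that would require reading the port announced inside the control channel payload, which is the packet inspecting step the text describes.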
156 LOVELY PROFESSIONAL UNIVERSITY