Page 312 - DCAP103_Principle of operating system
Unit 9: System Security
Third-generation firewalls, in addition to what first- and second-generation firewalls look for,
regard the placement of each individual packet within the packet series. This technology is
generally referred to as stateful packet inspection: the firewall maintains a record of every
connection passing through it and can determine whether a packet is the start of a new connection,
part of an existing connection, or an invalid packet. Such a firewall still has a set of static rules,
but the state of a connection can itself be one of the criteria that trigger specific rules.
The connection table is also an attack surface: certain Denial-of-Service attacks (a SYN flood, for
example) fill it with half-open or otherwise illegitimate connections, so that no state is left for
legitimate ones.
9.6.4 Subsequent Developments
In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were
refining the concept of a firewall. The product known as “Visas” was the first system to have
a visual integration interface with colours and icons, which could be easily implemented and
accessed on a computer operating system such as Microsoft’s Windows or Apple’s MacOS.
In 1994, an Israeli company called Check Point Software Technologies built this into readily
available software known as FireWall-1.
The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-
prevention systems (IPS).
The Middlebox Communication (midcom) Working Group of the Internet Engineering Task Force (IETF)
has worked on standardizing protocols for managing firewalls and other middleboxes.
Another axis of development is integrating user identity into firewall rules. Many firewalls
provide such a feature by binding user identities to IP or MAC addresses, which is only approximate
and easily circumvented, since both kinds of address can be spoofed or shared. The NuFW firewall
provides genuine identity-based firewalling by requiring the user's client to sign each connection.
authpf on BSD systems running pf loads firewall rules dynamically per user after the user has
authenticated via SSH.
9.6.5 Types
There are several classifications of firewalls depending on where the communication is taking
place, where the communication is intercepted and the state that is being traced.
9.6.5.1 Network Layer and Packet Filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP
protocol stack, not allowing packets to pass through the firewall unless they match the established
rule set. The firewall administrator may define the rules; or default rules may apply. The term
“packet filter” originated in the context of BSD operating systems.
Network layer firewalls generally fall into two subcategories, stateful and stateless. Stateful
firewalls maintain context about active sessions and use that "state information" to speed packet
processing. Any existing network connection can be described by several properties, including
source and destination IP address, UDP or TCP ports, and the current stage of the connection's
lifetime (session initiation, handshaking, data transfer, or teardown). If a packet does not match
an existing connection, it is evaluated against the rule set for new connections. If a packet matches
an existing connection in the firewall's state table, it is allowed to pass without being evaluated
against the rule set again; the firewall checks only that the packet is consistent with the tracked
state (for TCP, that its flags fit the connection's current stage). A stateless filter, by contrast,
judges every packet on its own against the rule set and keeps no connection table.
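The following toy connection tracker is an added illustration of the stateful inspection described above and in the third-generation discussion (it is not code from this textbook or from any firewall product). It shows the three verdicts a stateful filter reaches (new connection judged by the rule set, existing connection judged by the state table, invalid packet), how a reply packet is matched by reversing the 5-tuple, how a spoofed SYN flood exhausts a bounded state table, and the usual defence of ageing half-open entries out quickly. All addresses, ports, the rule set and the timeouts are constructed for the example.

```python
"""Toy stateful packet filter with a bounded state table (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags: "S", "SA", "A", "F", "FA", "R" (ignored for udp)
    ts: float = 0.0     # arrival time in seconds on a simulated clock


# Static rules, consulted ONLY for packets that would open a new connection.
# Constructed policy: inbound TCP to 80/443 allowed, anything from inside may go out.
INSIDE_PREFIX = "10.0.0."
RULES = [
    ("in", "tcp", 80, "pass"),
    ("in", "tcp", 443, "pass"),
    ("out", None, None, "pass"),   # None acts as a wildcard
]


class StatefulFirewall:
    def __init__(self, max_states=4, half_open_timeout=10.0, established_timeout=300.0):
        self.max_states = max_states
        self.half_open_timeout = half_open_timeout
        self.established_timeout = established_timeout
        self.states = {}  # 5-tuple -> [stage, last_seen]

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        # Replies travel the opposite way, so they match the stored tuple reversed.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _match_rules(self, p):
        direction = "out" if p.src.startswith(INSIDE_PREFIX) else "in"
        for rule_dir, proto, dport, action in RULES:
            if rule_dir == direction and proto in (None, p.proto) and dport in (None, p.dport):
                return action
        return "block"  # implicit default deny

    def expire(self, now):
        """Age out idle entries; half-open ones die fast to blunt state exhaustion."""
        for key, (stage, last_seen) in list(self.states.items()):
            limit = self.established_timeout if stage == "ESTABLISHED" else self.half_open_timeout
            if now - last_seen > limit:
                del self.states[key]

    def process(self, p):
        """Return (verdict, reason) for one packet."""
        self.expire(p.ts)
        key = self._key(p)
        if key not in self.states and self._reverse_key(p) in self.states:
            key = self._reverse_key(p)
        if key in self.states:
            return self._existing(p, key)
        # No state: the packet must be a legitimate connection opener, or it is invalid.
        if p.proto == "tcp" and p.flags != "S":
            return ("drop", "invalid: no state and not a SYN")
        if self._match_rules(p) != "pass":
            return ("drop", "new connection denied by rule set")
        if len(self.states) >= self.max_states:
            return ("drop", "state table full")
        self.states[key] = ["SYN_SENT" if p.proto == "tcp" else "ESTABLISHED", p.ts]
        return ("pass", "new connection")

    def _existing(self, p, key):
        entry = self.states[key]
        entry[1] = p.ts
        if p.proto == "tcp":
            if p.flags == "S":
                return ("drop", "invalid: SYN for a tracked connection")
            if p.flags in ("F", "FA", "R"):
                del self.states[key]
                return ("pass", "connection closed")
            if p.flags == "SA" and entry[0] == "SYN_SENT":
                entry[0] = "SYN_RECEIVED"
            elif p.flags == "A" and entry[0] == "SYN_RECEIVED":
                entry[0] = "ESTABLISHED"
        return ("pass", "existing connection: " + entry[0])


def handshake_demo():
    """A full handshake passes; a stray ACK and a SYN to an unlisted port are dropped."""
    fw = StatefulFirewall(max_states=3)
    packets = [
        Packet("203.0.113.5", 40000, "10.0.0.10", 80, "tcp", "S", 1.0),
        Packet("10.0.0.10", 80, "203.0.113.5", 40000, "tcp", "SA", 1.1),  # reply direction
        Packet("203.0.113.5", 40000, "10.0.0.10", 80, "tcp", "A", 1.2),
        Packet("198.51.100.7", 5555, "10.0.0.10", 80, "tcp", "A", 1.3),   # no SYN ever seen
        Packet("203.0.113.5", 40001, "10.0.0.10", 22, "tcp", "S", 1.4),   # port 22 not in RULES
    ]
    return fw, [fw.process(p)[0] for p in packets]


def syn_flood(fw, count, start_ts):
    """Spoofed half-open SYNs to an allowed port; returns how many won a state entry."""
    accepted = 0
    for i in range(count):
        p = Packet(f"192.0.2.{i % 250 + 1}", 50000 + i, "10.0.0.10", 80, "tcp", "S", start_ts)
        accepted += fw.process(p)[0] == "pass"
    return accepted
```

With a table of three entries, one of which the legitimate handshake already holds, the flood wins only two slots before every further SYN, legitimate or not, is dropped with "state table full"; once the half-open timeout elapses those entries are reclaimed while the established connection survives. Real implementations add SYN cookies or a SYN proxy so that no state is committed before the client completes the handshake.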
LOVELY PROFESSIONAL UNIVERSITY 305