Page 313 - DCAP103_Principle of operating system
Principles of Operating Systems
Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.
Modern firewalls can filter traffic based on many packet attributes, such as source IP address, source port, destination IP address or port, and destination service (WWW or FTP, for example). They can also filter based on protocol, TTL value, the originator's netblock, and many other attributes.
Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/
Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).
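The following is an added illustration, not code from the textbook: a toy packet filter that judges each packet on header attributes alone (source netblock, destination port, protocol, TTL), beside a stateful variant that keeps a session table. The rules, addresses and packets are constructed sample values; the `Packet` and `Rule` types and the `StatefulFilter` class are assumptions made for the example. It shows the limitation stated above: the stateless filter cannot tell a reply to a connection it already allowed from an unsolicited inbound packet, while the stateful filter can.

```python
"""Added example: stateless vs stateful packet filtering (constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    ttl: int
    syn: bool = False   # TCP SYN flag: set on a new connection request
    ack: bool = False   # TCP ACK flag: set on every packet after the handshake starts


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_net: str = "0.0.0.0/0"      # netblock of the originator
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None     # destination port (service), None = any
    proto: Optional[str] = None     # protocol, None = any
    min_ttl: int = 0                # drop packets whose TTL is below this

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.proto is None or pkt.proto == self.proto)
                and pkt.ttl >= self.min_ttl)


def stateless_filter(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; each packet is judged on its own header only."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class StatefulFilter:
    """Applies the same rules, but remembers allowed connection requests so
    that replies belonging to an open session are accepted without a rule."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (src, sport, dst, dport, proto) of allowed flows

    def filter(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            return "allow"       # reply packet of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"        # mid-stream TCP packet with no known session
        action = stateless_filter(self.rules, pkt)
        if action == "allow":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


# Constructed policy: internal hosts may open HTTPS and HTTP connections outward.
RULES = [
    Rule("allow", src_net="192.168.1.0/24", dport=443, proto="tcp"),
    Rule("allow", src_net="192.168.1.0/24", dport=80, proto="tcp"),
]
# Constructed packets (documentation/test addresses only).
REQUEST = Packet("192.168.1.10", 50000, "203.0.113.5", 443, "tcp", 64, syn=True)
REPLY = Packet("203.0.113.5", 443, "192.168.1.10", 50000, "tcp", 55, syn=True, ack=True)
UNSOLICITED = Packet("203.0.113.9", 443, "192.168.1.10", 50001, "tcp", 55, ack=True)


def run_demo() -> dict:
    """Return both filters' verdicts on the three constructed packets."""
    stateful = StatefulFilter(RULES)
    return {
        "stateless_request": stateless_filter(RULES, REQUEST),
        "stateless_reply": stateless_filter(RULES, REPLY),
        "stateful_request": stateful.filter(REQUEST),
        "stateful_reply": stateful.filter(REPLY),
        "stateful_unsolicited": stateful.filter(UNSOLICITED),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The stateless filter denies the legitimate reply because no rule describes inbound traffic, and the only stateless way to admit it would be a broad inbound rule that cannot distinguish replies from unsolicited packets; the stateful filter admits the reply from its session table and still rejects the unsolicited packet, which is exactly the extra memory and lookup cost the text trades off against.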
9.6.5.2 Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser
traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application.
They block other packets (usually dropping them without acknowledgment to the sender). In
principle, application firewalls can prevent all unwanted outside traffic from reaching protected
machines.
On inspecting all packets for improper content, firewalls can restrict or prevent outright the
spread of networked computer worms and Trojans. The additional inspection criteria can add
extra latency to the forwarding of packets to their destination.
9.6.5.3 Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose
machine) may act as a firewall by responding to input packets (connection requests, for example)
in the manner of an application, whilst blocking other packets.
Proxies make tampering with an internal system from the external network more difficult and
misuse of one internal system would not necessarily cause a security breach exploitable from
outside the firewall (as long as the application proxy remains intact and properly configured).
Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their
own purposes; the proxy then masquerades as that system to other internal machines. While
use of internal address spaces enhances security, crackers may still employ methods such as IP
spoofing to attempt to pass packets to a target network.
9.6.5.4 Network Address Translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected
behind a firewall commonly have addresses in the “private address range”, as defined in
RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts.
Originally, the NAT function was developed to address the limited number of IPv4 routable
addresses that could be used or assigned to companies or individuals as well as reduce both
the amount and therefore cost of obtaining enough public addresses for every computer in an
organization. Hiding the addresses of protected devices has become an increasingly important
defense against network reconnaissance.
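As an added illustration (not code from the textbook), the table below models the source-NAT function described above: a firewall rewrites the RFC 1918 private address and port of each outbound connection to a single public address and a mapped port, and translates the matching reply back, so an external host never sees the protected host's true address. The `SourceNAT` class and all addresses are constructed for the example; the RFC 1918 ranges themselves are the real ones.

```python
"""Added example: a toy source-NAT table for RFC 1918 hosts (constructed data)."""
from ipaddress import ip_address, ip_network

# The three private ranges defined in RFC 1918.
RFC1918_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if the address lies in one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918_RANGES)


class SourceNAT:
    """Maps (private src, sport, dst, dport) to a port on one public address and
    translates replies back. Replies are accepted only from the external host
    and port the mapping was created for; anything else has no entry."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (src, sport, dst, dport) -> mapped public port
        self.inbound = {}    # mapped public port -> (src, sport, dst, dport)

    def translate_out(self, src: str, sport: int, dst: str, dport: int):
        """Rewrite an outbound packet's source; returns the new 4-tuple."""
        if not is_private(src):
            return (src, sport, dst, dport)   # already routable, leave untouched
        key = (src, sport, dst, dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst, dport)

    def translate_in(self, src: str, sport: int, dst: str, dport: int):
        """Rewrite an inbound packet's destination back to the private host,
        or return None when no mapping exists (the packet is dropped)."""
        if dst != self.public_ip or dport not in self.inbound:
            return None
        priv_src, priv_port, ext_dst, ext_port = self.inbound[dport]
        if (src, sport) != (ext_dst, ext_port):
            return None   # mapping belongs to a different external peer
        return (src, sport, priv_src, priv_port)


if __name__ == "__main__":
    nat = SourceNAT("198.51.100.1")
    print(nat.translate_out("192.168.1.10", 50000, "203.0.113.5", 443))
    print(nat.translate_in("203.0.113.5", 443, "198.51.100.1", 40000))
    print(nat.translate_in("203.0.113.9", 443, "198.51.100.1", 40000))
```

Because every inbound packet must match an entry created by an outbound connection, the table doubles as the reconnaissance defense the text mentions: a scan of the public address finds only the mapped ports currently in use, and nothing about the number or addresses of the hosts behind the firewall.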
A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
306 LOVELY PROFESSIONAL UNIVERSITY