Page 311 - DCAP103_Principle of operating system
Principles of Operating Systems
packet’s source and destination address, its protocol, and, for TCP and UDP traffic, the port
number).
TCP and UDP protocols constitute most communication over the Internet, and because TCP
and UDP traffic by convention uses well known ports for particular types of traffic, a “stateless”
packet filter can distinguish between, and thus control, those types of traffic (such as web
browsing, remote printing, email transmission, file transfer), unless the machines on each side
of the packet filter are both using the same non-standard ports.
Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which
means most of the work is done between the network and physical layers, with a little bit of
peeking into the transport layer to figure out source and destination port numbers. When a packet
originates from the sender and filters through a firewall, the device checks for matches to any
of the packet filtering rules that are configured in the firewall and drops or rejects the packet
accordingly. As the packet passes through the firewall, it is filtered on a protocol and
port-number basis (GSS). For example, if a rule in the firewall exists to block telnet access, then
the firewall will block IP traffic destined for port number 23.
9.6.2 Second Generation: Application Layer
The key benefit of application layer filtering is that it can “understand” certain applications
and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect if an
unwanted protocol is sneaking through on a non-standard port or if a protocol is being abused
in any harmful way.
An application firewall is much more secure and reliable compared to packet filter firewalls
because it works on all seven layers of the OSI model, from the application down to the physical
layer. This is similar to a packet filter firewall, but here we can also filter information on the basis
of content. Good examples of application firewalls are MS-ISA (Internet Security and Acceleration)
Server, McAfee Firewall Enterprise and Palo Alto PS Series firewalls. An application firewall can
filter higher-layer protocols such as FTP, Telnet, DNS, DHCP, HTTP, TCP, UDP and TFTP (GSS).
For example, if an organization wants to block all the information related to “foo” then content
filtering can be enabled on the firewall to block that particular word. Software-based firewalls
(MS-ISA) are much slower than hardware based stateful firewalls but dedicated appliances
(McAfee & Palo Alto) provide much higher performance levels for Application Inspection.
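The two filter generations described above, as an added example that is not from the textbook: a stateless packet filter that only sees protocol and port (so a telnet rule for port 23 cannot catch telnet negotiation on port 2323), beside an application-layer filter that also inspects payload content, including the “foo” word-blocking case. The packet fields, rule format and sample traffic are constructed for illustration, not taken from any real product.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    payload: bytes = b""  # only an application-layer filter looks here

@dataclass
class Rule:
    action: str                  # "drop" or "accept"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port

def packet_filter(pkt: Packet, rules: Sequence[Rule], default: str = "accept") -> str:
    """First-generation (stateless) filter: first matching rule on protocol/port wins."""
    for r in rules:
        if (r.proto in ("any", pkt.proto)) and (r.dport in (None, pkt.dport)):
            return r.action
    return default

# Telnet option negotiation begins with the IAC byte (0xff), whatever port it uses.
TELNET_IAC = b"\xff"

def application_filter(pkt: Packet, rules: Sequence[Rule],
                       blocked_words: Sequence[str] = ()) -> str:
    """Second-generation filter: port rules first, then payload inspection."""
    if packet_filter(pkt, rules) == "drop":
        return "drop"
    if pkt.proto == "tcp" and pkt.payload.startswith(TELNET_IAC):
        return "drop"  # telnet sneaking through on a non-standard port
    if any(w.encode() in pkt.payload for w in blocked_words):
        return "drop"  # content filtering, e.g. the word "foo"
    return "accept"

# Constructed sample traffic (not real captures); the one rule blocks telnet on port 23.
RULES = [Rule("drop", "tcp", 23)]
TELNET_STD = Packet("10.0.0.5", "10.0.0.9", "tcp", 23, b"\xff\xfd\x18")
TELNET_ALT = Packet("10.0.0.5", "10.0.0.9", "tcp", 2323, b"\xff\xfd\x18")
WEB_OK = Packet("10.0.0.5", "10.0.0.9", "tcp", 80, b"GET /index.html HTTP/1.1\r\n")
WEB_FOO = Packet("10.0.0.5", "10.0.0.9", "tcp", 80, b"GET /foo HTTP/1.1\r\n")

if __name__ == "__main__":
    for name, p in [("telnet:23", TELNET_STD), ("telnet:2323", TELNET_ALT),
                    ("web", WEB_OK), ("web-foo", WEB_FOO)]:
        print(f"{name:12} packet={packet_filter(p, RULES):6} "
              f"app={application_filter(p, RULES, ['foo'])}")
```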
In 2009/2010, the focus of the most comprehensive firewall security vendors turned to expanding
the list of applications such firewalls are aware of, now covering hundreds and in some cases
thousands of applications which can be identified automatically. Many of these applications can
not only be blocked or allowed but manipulated by the more advanced firewall products to allow
only certain functionality, enabling network security administrators to give users functionality
without enabling unnecessary vulnerabilities. As a consequence, these advanced versions of
the “Second Generation” firewalls are being referred to as “Next Generation” and surpass the
“Third Generation” firewall. It is expected that, due to the nature of malicious communications,
this trend will have to continue to enable organizations to be truly secure.
9.6.3 Third Generation: “Stateful” Filters
From 1989-1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma,
and Kshitij Nigam, developed the third generation of firewalls, calling them circuit level firewalls.
304 LOVELY PROFESSIONAL UNIVERSITY