Firewall Design Principles

A firewall is dedicated hardware, software, or a combination of both, that inspects the network traffic passing through it and permits or denies passage based on a set of rules.
Firewall Capabilities
  • A firewall defines a single choke point that keeps unauthorized users out of the protected network and prohibits potentially vulnerable services from entering or leaving it.
  • A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
  • A firewall is a convenient platform for several Internet functions that are not security related, such as network address translation and logging of Internet usage.
  • A firewall can serve as the platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement a virtual private network (VPN).
Firewall Limitations
  • The firewall cannot protect against attacks that bypass it, for example an internal host with a dial-out modem connection to an ISP.
  • The firewall does not protect against internal threats, such as a disgruntled employee or one who cooperates with an external attacker.
  • The firewall cannot protect against the transfer of virus-infected programs or files; given the variety of operating systems and applications inside the perimeter, it is impractical for the firewall to scan every incoming file.
Firewall Design Goals
  • All traffic from inside to outside, and vice versa, must pass through the firewall.
  • Only authorized traffic, as defined by the local security policy, will be allowed to pass.
  • The firewall itself must be immune to penetration. This implies the use of a trusted system with a secure operating system.
Firewall Control Techniques
  • User control

     Controls access according to which user is attempting to reach a service. Only authorized users have access to the other side of the firewall; for external users this typically requires an authentication mechanism.

  • Access control (service control)

    Access across the firewall is restricted to certain services. A service is characterized, e.g., by IP address, transport protocol and port number.

  • Behavior control

    For an application, the allowed usage scenarios are known and enforced, e.g. filtering e-mail attachments to remove viruses, or limiting external access to part of a web server.

  • Direction control

    Different rules can be defined for traffic into the intranet and for outgoing traffic to the Internet.

Packet Filtering
Packet filtering is the simplest packet screening method. A packet filtering firewall does exactly what its name implies: it filters packets. The most common implementation is on a router or dual-homed gateway. As each packet passes through the firewall, the information in its headers (source and destination IP address, transport protocol, source and destination port, and TCP flags such as ACK) is compared to a pre-configured, ordered set of rules or filters, and an allow or deny decision is made from the first matching rule; traffic that matches no rule should be denied by default. Each packet is examined individually, without regard to other packets that are part of the same connection, which is why this kind of filter is called stateless and why it cannot tell a genuine reply from a forged packet that merely carries the right flags and port numbers.
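The following model of a stateless packet filter is an added example, not code from the original page. It implements first-match, default-deny evaluation over header fields only, so it also illustrates the service control and direction control techniques listed above. The addresses, the mail-gateway address and the SMTP-only rule set are assumptions chosen for illustration; the last entry of demo() shows the stateless blind spot described in the paragraph.

```python
"""Stateless packet filter model (added example, not the page's code).

Each packet is judged on its own header fields against an ordered rule list;
the first matching rule wins and the default is deny. Addresses and the rule
set are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)
HIGH_PORTS: PortRange = (1024, 65535)   # ephemeral client ports


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": Internet -> intranet, "out": intranet -> Internet
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag: set on every packet except the initial SYN


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: str = "*"             # direction control
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: PortRange = ANY_PORT      # service control: protocol + port
    dport: PortRange = ANY_PORT
    ack: Optional[bool] = None       # None: don't care


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison; no memory of earlier packets is consulted."""
    return (rule.direction in ("*", pkt.direction)
            and rule.proto in ("*", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and rule.ack in (None, pkt.ack))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything not explicitly permitted is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


MAIL_GW = "192.0.2.10/32"   # assumed address of the internal mail gateway

# Assumed SMTP-only policy: outsiders may reach our mail gateway on port 25,
# we may reach their port 25, and replies are recognised by the ACK flag.
RULES = [
    Rule("permit", "in",  "tcp", dst=MAIL_GW, dport=(25, 25)),
    Rule("permit", "out", "tcp", src=MAIL_GW, sport=(25, 25), dport=HIGH_PORTS, ack=True),
    Rule("permit", "out", "tcp", dport=(25, 25)),
    Rule("permit", "in",  "tcp", sport=(25, 25), dport=HIGH_PORTS, ack=True),
]


def demo() -> Dict[str, str]:
    """Constructed packets: the policy working, and its stateless blind spot."""
    return {
        "inbound smtp":   filter_packet(RULES, Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 40000, 25)),
        "our reply":      filter_packet(RULES, Packet("out", "tcp", "192.0.2.10", "198.51.100.7", 25, 40000, ack=True)),
        "inbound telnet": filter_packet(RULES, Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 40000, 23)),
        # Attacker sets ACK and source port 25: rule 4 matches although no
        # connection exists, because the filter cannot remember one.
        "forged ack":     filter_packet(RULES, Packet("in", "tcp", "198.51.100.7", "192.0.2.50", 25, 8080, ack=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The "forged ack" entry is the practical reason stateless filters are paired with something that tracks connection state: the rule that admits legitimate SMTP replies admits any inbound packet that copies their header shape.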
Application Gateways/Proxies
An application gateway/proxy is considered by many to be the most complex packet screening method. This type of firewall is usually implemented on a secure host system (a bastion host) configured with two network interfaces. The application gateway/proxy acts as an intermediary between the two endpoints. This packet screening method actually breaks the client/server model, in that two connections are required: one from the source to the gateway/proxy and one from the gateway/proxy to the destination. Each endpoint can only communicate with the other by going through the gateway/proxy, which understands the application protocol (e.g. HTTP or SMTP) and can therefore enforce policy on commands and content rather than on headers alone; the cost is that a separate proxy is needed for each service supported.
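As an added example of the two-connection model (not code from the original page), the function below is the policy core of an HTTP application gateway: it parses the request received on the client-side connection, refuses anything malformed or outside policy, and constructs a fresh request that the gateway would send on its own connection to the server, so the client's bytes never reach the server unchanged. The allowed methods, allowed hosts, forwarded-header list and sample request are assumptions; the socket handling on either side is omitted.

```python
"""HTTP application gateway, policy core only (added example, not the page's code).

The gateway terminates the client connection, parses the request at the
application layer, applies policy and then builds a new request for its own
connection to the server. Policy values and the sample request are assumptions.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # assumed policy
ALLOWED_HOSTS = {"www.example.com", "example.com"}   # assumed policy
MAX_REQUEST_BYTES = 8192
# Only these client headers are copied to the server-side request (behavior control);
# everything else, including hop-by-hop headers, is dropped.
FORWARDED_HEADERS = ("accept", "user-agent", "content-type", "content-length")


class PolicyViolation(Exception):
    """Raised when a request is refused; the gateway answers the client itself."""


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Strict HTTP/1.x request parsing; anything ambiguous is refused rather than guessed."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise PolicyViolation("request too large")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise PolicyViolation("incomplete header block")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise PolicyViolation("non-ASCII bytes in header") from None
    request_line, *header_lines = text.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise PolicyViolation("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise PolicyViolation(f"malformed header line: {line!r}")
        lname = name.lower()
        if lname in headers and lname in ("content-length", "host"):
            raise PolicyViolation(f"duplicate {name} header")   # classic smuggling vector
        headers[lname] = value.strip()
    return method, target, version, headers, body


def gateway_request(raw: bytes) -> bytes:
    """Return the request the gateway sends on ITS OWN connection, or raise PolicyViolation."""
    method, target, _version, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise PolicyViolation(f"method {method} not permitted")
    url = urlsplit(target)            # forward proxies receive absolute-form targets
    if url.scheme != "http" or not url.hostname:
        raise PolicyViolation("absolute http:// URL required")
    if url.hostname not in ALLOWED_HOSTS:
        raise PolicyViolation(f"host {url.hostname} not permitted")
    if "transfer-encoding" in headers:
        raise PolicyViolation("transfer-encoded requests not supported")
    declared = headers.get("content-length", "0")
    if not declared.isdigit() or int(declared) != len(body):
        raise PolicyViolation("Content-Length does not match body")
    if body and method != "POST":
        raise PolicyViolation(f"{method} request must not carry a body")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    lines = [f"{method} {path} HTTP/1.1", f"Host: {url.hostname}"]
    for name in FORWARDED_HEADERS:
        if name in headers:
            lines.append(f"{name.title()}: {headers[name]}")
    lines.append("Connection: close")   # one server connection per client request
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


# Constructed sample request, as a browser would send it to a forward proxy.
SAMPLE_REQUEST = (b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
                  b"Host: www.example.com\r\nUser-Agent: t\r\n"
                  b"X-Debug: 1\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    print(gateway_request(SAMPLE_REQUEST).decode())
```

Because the server only ever sees bytes the gateway composed, unknown headers, oversized requests, disallowed methods and hosts, and requests with inconsistent framing stop at the gateway, which is the property a packet filter cannot provide.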
Circuit-level Gateway
Unlike a packet filtering firewall, a circuit-level gateway does not judge each packet in isolation. Instead, it monitors TCP or UDP sessions: it checks that a session is opened in a permitted direction to a permitted service (for TCP, by validating the three-way handshake), and then allows all subsequent packets belonging to that session to pass without inspecting their contents. The session entry is removed when the connection is terminated (or, for UDP, after an idle timeout). In many respects this method of packet screening resembles application gateways/proxies and adaptive proxies, but circuit-level gateways operate at the transport layer (layer 4) of the OSI model and understand nothing about the application protocol.
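The session-tracking model below is an added example, not code from the original page. It shows what the circuit-level gateway remembers that the stateless filter does not: a circuit exists only after an inside host opens it to a permitted service, handshake packets are checked for their expected direction and flags, established sessions are relayed without content inspection, and a forged ACK or an unsolicited inbound SYN matches no session and is dropped. The policy table, addresses and the UDP idle timeout are assumptions.

```python
"""Circuit-level gateway model (added example, not the page's code).

A session is admitted only when the inside host opens it to a permitted
service; packets of tracked sessions are relayed, everything else is dropped.
Addresses, the policy table and the UDP timeout are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": intranet -> Internet, "in": Internet -> intranet
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


ALLOWED_OUTBOUND = {"tcp": {25, 80, 443}, "udp": {53}}   # assumed policy
UDP_IDLE_TIMEOUT = 30.0   # seconds; a UDP "session" is only inferred from traffic


@dataclass
class Session:
    state: str          # SYN_SENT -> SYN_RCVD -> ESTABLISHED for tcp, "UDP" for udp
    last_seen: float
    fin_out: bool = False
    fin_in: bool = False


class CircuitGateway:
    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str, int, str, int], Session] = {}

    @staticmethod
    def key(pkt: Packet) -> Tuple[str, str, int, str, int]:
        """5-tuple oriented from the inside host, so both directions map to one session."""
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet, now: float = 0.0) -> str:
        """Return "relay" or "drop" for one packet observed at time `now`."""
        k = self.key(pkt)
        sess = self.sessions.get(k)
        if pkt.proto == "tcp":
            return self._tcp(pkt, k, sess, now)
        if pkt.proto == "udp":
            return self._udp(pkt, k, sess, now)
        return "drop"

    def _tcp(self, pkt, k, sess: Optional[Session], now) -> str:
        if sess is None:
            # Only an inside-originated SYN to a permitted service opens a circuit;
            # unsolicited inbound SYNs and forged ACKs never match a session.
            if (pkt.direction == "out" and pkt.syn and not pkt.ack
                    and pkt.dport in ALLOWED_OUTBOUND["tcp"]):
                self.sessions[k] = Session("SYN_SENT", now)
                return "relay"
            return "drop"
        sess.last_seen = now
        if pkt.rst:                    # either side aborts: tear the circuit down
            del self.sessions[k]
            return "relay"
        if sess.state == "SYN_SENT":   # expect the server's SYN-ACK
            if pkt.direction == "in" and pkt.syn and pkt.ack:
                sess.state = "SYN_RCVD"
                return "relay"
            return "drop"
        if sess.state == "SYN_RCVD":   # expect the client's final ACK
            if pkt.direction == "out" and pkt.ack and not pkt.syn:
                sess.state = "ESTABLISHED"
                return "relay"
            return "drop"
        # ESTABLISHED: relay without looking inside, but track the orderly close.
        if pkt.fin:
            if pkt.direction == "out":
                sess.fin_out = True
            else:
                sess.fin_in = True
        if sess.fin_out and sess.fin_in and pkt.ack and not pkt.fin:
            del self.sessions[k]       # final ACK of the four-way close
        return "relay"

    def _udp(self, pkt, k, sess: Optional[Session], now) -> str:
        if sess is not None and now - sess.last_seen > UDP_IDLE_TIMEOUT:
            del self.sessions[k]       # stale pseudo-session: replies no longer welcome
            sess = None
        if sess is None:
            if pkt.direction == "out" and pkt.dport in ALLOWED_OUTBOUND["udp"]:
                self.sessions[k] = Session("UDP", now)
                return "relay"
            return "drop"
        sess.last_seen = now
        return "relay"
```

The gateway relays established traffic on the strength of the session table alone; a malicious payload inside a permitted session passes untouched, which is exactly the gap an application gateway closes.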


Posted by

Fri, 05/15/2009 - 14:58