360    Chapter 6 • Infrastructure Security: Devices and Media

packet-filtering firewall works at the network layer of the Open Systems Interconnection (OSI) model and is designed to operate rapidly by either allowing or denying packets. The second generation of firewalls is called "circuit-level firewalls," but this type has largely been abandoned as later generations of firewalls absorbed its functions. An application layer gateway operates at the application layer of the OSI model, analyzing each packet and verifying that it contains the correct type of data for the specific application it is attempting to communicate with. A stateful inspection firewall checks each packet to verify that it is an expected response to a current communications session. This type of firewall operates at the network layer, but is aware of the transport, session, presentation, and application layers and derives its state table from these layers of the OSI model. Another term for this type of firewall is a "deep packet inspection" firewall, indicating its use of all layers within the packet, including examination of the data itself.
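The difference drawn above between a first-generation packet filter (each packet judged on its own against a rule list) and a stateful inspection firewall (each packet checked against a table of current sessions) is easier to see in code. The following Python model is an added example, not from the book or from any firewall product; the `Packet`, `Rule`, `PacketFilter` and `StatefulFirewall` names, the rule set, and the addresses and ports are all constructed for illustration.

```python
"""Toy models of a stateless packet filter and a stateful inspection firewall.

Added illustration, not from the book. All addresses, ports and rules are
constructed sample values; the state table is deliberately minimal.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_net: str = "*"              # prefix match, e.g. "10.0.0."; "*" = any
    dst_net: str = "*"
    dst_port: Optional[int] = None  # None = any port
    ack_only: bool = False          # rule applies only to packets with ACK set

    def matches(self, pkt: Packet) -> bool:
        if self.src_net != "*" and not pkt.src_ip.startswith(self.src_net):
            return False
        if self.dst_net != "*" and not pkt.dst_ip.startswith(self.dst_net):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.ack_only and not pkt.ack:
            return False
        return True


class PacketFilter:
    """First generation: every packet is judged alone against an ordered rule
    list, first match wins, with no memory of earlier packets."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default

    def check(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFirewall:
    """Stateful inspection: a packet is accepted either because it belongs to a
    session already in the state table, or because a rule permits it to open
    a new session. Anything else is an unexpected packet and is denied."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules  # these rules govern *new* sessions only
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"  # expected continuation of a known session
        if pkt.syn and not pkt.ack:  # only a fresh SYN may open a session
            for rule in self.rules:
                if rule.matches(pkt):
                    if rule.action == "allow":
                        self.sessions.add(fwd)
                    return rule.action
        return "deny"


INTERNAL = "10.0.0."  # constructed internal network prefix


def demo() -> Dict[str, Tuple[str, str]]:
    """Run three constructed packets through both models.
    Returns {packet name: (stateless verdict, stateful verdict)}."""
    # Stateless filter: let inside hosts reach HTTPS servers, and let replies
    # back in by trusting the ACK flag, since it has no session memory.
    stateless = PacketFilter([
        Rule("allow", src_net=INTERNAL, dst_port=443),
        Rule("allow", dst_net=INTERNAL, ack_only=True),
    ])
    # Stateful firewall: same outbound policy, replies admitted from the table.
    stateful = StatefulFirewall([Rule("allow", src_net=INTERNAL, dst_port=443)])

    outbound = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.7", 4444, "10.0.0.5", 22, ack=True)

    results: Dict[str, Tuple[str, str]] = {}
    for name, pkt in [("outbound", outbound), ("reply", reply),
                      ("unsolicited_ack", unsolicited)]:
        results[name] = (stateless.check(pkt), stateful.check(pkt))
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:16s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The third packet is the instructive one. A stateless filter that admits inbound traffic on the strength of the ACK flag alone (a common way of approximating "established" traffic without keeping state) accepts it, while the stateful firewall denies it because no entry in its table expects a reply from that source. A real state table would also track direction, timeouts and the TCP flag sequence, which this model leaves out.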
To better understand the function of these different types of firewalls, we must first understand what exactly the firewall is doing. The highest level of security requires that firewalls be able to access, analyze, and utilize communication information, communication-derived state, and application-derived state, and be able to perform information manipulation. Each of these terms is defined below:

■ Communication Information: Information from all layers in the packet.

■ Communication-derived State: The state as derived from previous communications.

■ Application-derived State: The state as derived from other applications.

■ Information Manipulation: The ability to perform logical or arithmetic functions on data in any part of the packet.

Different firewall technologies support these requirements in different ways. Again, keep in mind that some circumstances may not require all of these, but only a subset. In that case, it is best to go with a firewall technology that fits the situation rather than one that is simply the newest technology. Table 6.1 shows the firewall technologies and their support of these security requirements.

          www.syngress.com