In addition to protecting individual computers and servers attached to the network, it is important to control traffic traveling to and from the network.
A firewall is one of the most effective security tools available for protecting internal network users from external threats. A firewall resides between two or more networks and controls the traffic between them and also helps prevent unauthorized access. Firewall products use various techniques for determining what is permitted or denied access to a network. These techniques are:
- Packet filtering - Prevents or allows access based on IP or MAC addresses.
- Application filtering - Prevents or allows access by specific application types based on port numbers.
- URL filtering - Prevents or allows access to websites based on specific URLs or keywords.
- Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks such as denial of service (DoS).
Firewall products may support one or more of these filtering capabilities. Additionally, firewalls often perform Network Address Translation (NAT). NAT translates an internal IP address or group of IP addresses into an outside, public IP address that is sent across the network. This allows internal IP addresses to be concealed from outside users.
Firewall products come packaged in various forms, as shown in the figure.
- Appliance-based firewalls - An appliance-based firewall is a firewall that is built-in to a dedicated hardware device known as a security appliance.
- Server-based firewalls - A server-based firewall consists of a firewall application that runs on a network operating system (NOS) such as UNIX or Windows.
- Integrated firewalls - An integrated firewall is implemented by adding firewall functionality to an existing device, such as a router.
- Personal firewalls - Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default from the OS or may come from an outside vendor.