A firewall is a network gateway that enforces security rules on peer-to-peer conversations. Essentially, a firewall creates a boundary between two or more networks. A firewall is usually configured as a bastion host or a dual-homed bastion host. It evaluates each network packet against a network security policy, which is a collection of security rules, conventions, and procedures governing communications into and out of a network. Usually, IP traffic forwarding is disabled on the firewall to ensure that all traffic between the internal network and external networks passes through the firewall server, thereby allowing the firewall to inspect all network packets that traverse the network boundary.

Most firewall technologies provide different capabilities for auditing communication events. Usually, the firewalls generate audit records detailing the cause and circumstances surrounding the triggering of audit events. As firewall technology improves, firewalls inspect additional network packet information, use more sophisticated inspection algorithms, maintain more state information, and inspect the network packets at more network layers. As such, more mature firewall technology provides more detailed audit records, or summary information, about the network packets that are allowed through or prevented from traversing the firewall. By analyzing such audit records, administrators can often detect network security policy problems, such as attempts to break in or misconfiguration of the firewall's network security policy enforcement features. As a general rule, more detailed and descriptive audit record information yields better monitoring capabilities in a firewall product.

Before Cisco Centri Firewall, firewalls inspected network traffic using one of four architectural models, which are defined by the information that they examine to make security-relevant decisions. In the next four sections, we define these different architectures in detail.

How Packet Filters Work:

A packet filter firewall is a first-generation firewall technology that analyzes network traffic at the transport protocol layer. Each IP network packet is examined to see if it matches one of a set of rules defining what data flows are allowed. These rules identify whether communication is allowed based upon information contained within the internet and transport layer headers and the direction in which the packet is headed (internal to external network or vice-versa).

Packet filters typically enable you to manipulate (that is, permit or prohibit) the transfer of data based on the following controls:

* the physical network interface that the packet arrives on
* the address the data is (supposedly) coming from (source IP address)
* the address the data is going to (destination IP address)
* the type of transport layer (TCP, UDP, ICMP)
* the transport layer source port
* the transport layer destination port

Note: This architecture implements a very limited command set to perform analysis for one or more network protocols; however, it performs its inspection in kernel space.

Packet filters generally do not understand the application layer protocols used in the communication packets. Instead, they work by applying a rule set that is maintained in the TCP/IP kernel. This rule set contains an associated action that will be applied to any packets matching the criteria mentioned above.

The action taken may take on one of two values: "deny" or "permit" the network packet. Two lists, the deny list and the permit list, are maintained in the kernel. For a network packet to be routed to its proper destination, it must first pass a check of both the deny and permit lists. That is, it must not be expressly denied, and it must be expressly permitted. Some packet filters that are incorporated into router hardware implement a different policy. In these types of packet filters, the packet must be expressly denied or else it is permitted. In order for you to understand the filtering rules, you must consider the security stance utilized by the routing hardware.

Packet filters typically implement command sets that allow the checking of the source and destination port numbers on the TCP and UDP transport layer protocols. This check determines whether an applicable permit or deny rule exists for that specific port and protocol combination. Because the ICMP protocol does not use port numbers, it is difficult for packet filters to apply any security policy to this form of network traffic. To apply an effective security policy to ICMP, the packet filter must maintain state tables to ensure that an ICMP reply message was recently requested by an internal host. This ability to track communications state is one of the primary differences between simple packet filters and dynamic packet filters.
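The ICMP state table described above, as an added example rather than code from the Cisco documentation: a hypothetical dynamic filter records each outbound echo request and admits an inbound echo reply only if a matching request left the internal network within a time window. The class, the field names and the addresses are constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0   # standard ICMP type values

@dataclass(frozen=True)
class IcmpPacket:
    direction: str   # "out" = internal -> external, "in" = external -> internal
    src: str
    dst: str
    icmp_type: int
    ident: int       # echo identifier that ties a reply to its request

class DynamicIcmpFilter:
    """Hypothetical dynamic packet filter: admits an inbound echo reply only if a
    matching echo request left the internal network within the last ttl seconds."""
    def __init__(self, ttl_seconds: float = 30.0):
        self.ttl = ttl_seconds
        self._pending: Dict[Tuple[str, str, int], float] = {}  # (internal, external, ident) -> sent time
    def filter(self, pkt: IcmpPacket, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        # Expire state entries outside the time window before consulting them.
        for key in [k for k, t in self._pending.items() if now - t > self.ttl]:
            del self._pending[key]
        if pkt.direction == "out" and pkt.icmp_type == ICMP_ECHO_REQUEST:
            self._pending[(pkt.src, pkt.dst, pkt.ident)] = now
            return "permit"
        if pkt.direction == "in" and pkt.icmp_type == ICMP_ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)  # the reply's dst is our internal host
            if key in self._pending:
                del self._pending[key]           # one reply per request
                return "permit"
            return "deny"
        return "deny"  # no state justifies any other ICMP crossing the boundary

def demo() -> List[str]:
    f = DynamicIcmpFilter(ttl_seconds=30)
    req = IcmpPacket("out", "10.0.0.5", "203.0.113.9", ICMP_ECHO_REQUEST, 0x1234)
    reply = IcmpPacket("in", "203.0.113.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234)
    stray = IcmpPacket("in", "198.51.100.7", "10.0.0.5", ICMP_ECHO_REPLY, 0x9999)
    return [
        f.filter(req, now=100.0),    # request leaves: permit, state recorded
        f.filter(reply, now=101.0),  # matching reply within window: permit
        f.filter(reply, now=102.0),  # same reply again: state consumed, deny
        f.filter(stray, now=103.0),  # unsolicited reply: deny
        f.filter(req, now=200.0),    # new request: permit
        f.filter(reply, now=240.0),  # reply after ttl expired: deny
    ]
```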

Because packet filters are implemented in the network layer, they generally do not understand how to process state information in the high-level protocols, such as FTP. The more sophisticated packet filters are able to detect IP, TCP, UDP, and ICMP. Using a packet filter that includes the TCP/UDP port filtering capability, you can permit certain types of connections to be made to specific computers while prohibiting other types of connections to those computers and similar connections to other computers.

The complete network packet inspection adheres to the following general algorithm:

* If no matching rule is found, then drop the network packet.
* If a matching rule is found that permits the communication, then allow peer-to-peer communication.
* If a matching rule is found that denies the communication, then drop the network packet.
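The deny-list/permit-list algorithm above, together with the alternative router stance from the earlier paragraph, as an added example rather than code from the Cisco documentation. Rules match on the six controls listed earlier (interface, direction, source, destination, transport type, ports) with `None` as a wildcard; the `Packet`, `Rule` and `filter_packet` names and the sample policy and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str            # physical interface the packet arrived on
    direction: str        # "in" = external -> internal, "out" = internal -> external
    src: str              # (claimed) source IP address
    dst: str              # destination IP address
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]  # None for ICMP, which has no ports
    dport: Optional[int]
FIELDS = ("iface", "direction", "src", "dst", "proto", "sport", "dport")

@dataclass(frozen=True)
class Rule:
    """A filtering rule; a field left as None is a wildcard that matches anything."""
    iface: Optional[str] = None
    direction: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == getattr(p, f) for f in FIELDS)

def filter_packet(p: Packet, deny: List[Rule], permit: List[Rule], default_permit: bool = False) -> str:
    """Host stance (default): a packet must not be expressly denied AND must be expressly permitted.
    Router stance (default_permit=True): a packet is permitted unless expressly denied."""
    if any(r.matches(p) for r in deny):
        return "deny"
    if any(r.matches(p) for r in permit):
        return "permit"
    return "permit" if default_permit else "deny"   # no matching rule: apply the stance

# Constructed policy: permit inbound HTTPS to one web server, deny everything from one source.
DENY = [Rule(src="203.0.113.66")]
PERMIT = [Rule(iface="eth0", direction="in", dst="10.0.0.80", proto="tcp", dport=443)]

def demo() -> Dict[str, str]:
    https = Packet("eth0", "in", "198.51.100.5", "10.0.0.80", "tcp", 50000, 443)
    ssh = Packet("eth0", "in", "198.51.100.5", "10.0.0.80", "tcp", 50001, 22)
    banned = Packet("eth0", "in", "203.0.113.66", "10.0.0.80", "tcp", 50002, 443)
    return {
        "https_host": filter_packet(https, DENY, PERMIT),            # permit
        "ssh_host": filter_packet(ssh, DENY, PERMIT),                # deny: not expressly permitted
        "ssh_router": filter_packet(ssh, DENY, PERMIT, True),        # permit: not expressly denied
        "banned_router": filter_packet(banned, DENY, PERMIT, True),  # deny under either stance
    }
```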

Because this type of firewall does not inspect the network packet's application layer data and does not track the state of connections, this solution is the least secure of the firewall technologies. It allows access through the firewall with a minimal amount of scrutiny. In other words, if the checks succeed, the network packet is allowed to be routed through the firewall as defined by the rules in the firewall's routing table. However, because it does less processing than the other technologies, it is the fastest firewall technology available and is often implemented in hardware solutions, such as IP routers.

Packet filter firewalls often readdress network packets so that outgoing traffic appears to have originated from a different host rather than an internal host. The process of readdressing network packets is called network address translation. Network address translation hides the topology and addressing schemes of trusted networks from untrusted networks.

Hope you guys found it informative.