Sei sulla pagina 1di 19


Stateful Inspection Firewall

A stateful inspection packet filter tightens up the rules for
TCP traffic by creating a directory of outbound TCP
It will allow incoming traffic to high-numbered ports only
for those packets that fit the profile of one of the entries
in the directory.
Hence they are better able to detect bogus packets sent
out of context.

It reviews the same packet information as a packet filtering

firewall & also records information about TCP connections.
Some stateful firewalls also keep track of TCP sequence
numbers to prevent attacks that depend on the sequence
number, such as session hijacking.
Some even inspect limited amounts of application data for
some well-known protocols like FTP, IM and SIPS commands,
in order to identify and track related connections.

Application Level Gateway

An application-level gateway acts as a relay of applicationlevel traffic
Also known as a proxy server
has full access to protocol
user requests service from proxy
proxy validates request as legal
Then actions request and returns result to user
If the gateway does not implement the proxy code for a
specific application, then it is not supported and cannot be
Also, the gateway can be configured to support only specific
features of an application

Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic
Additional processing overhead on each connection
(gateway as splice point) gateway must examine & forward
all traffic in both direction

Circuit Level Gateway

Can be stand-alone system or hosted
Specialized function performed by an Application-level
does not permit end-to-end TCP connection
sets up two TCP connection one on either side
The gateway typically relays TCP segments from one
connection to the other without examining the contents
Typically use is a situation in which the system administrator
trusts the internal users

Bastion Host
Common characteristics of a bastion host
executes a secure version of its O/S, making it a trusted
has only essential services installed on the bastion host
may require additional authentication before a user may
access to proxy services
configured to use only subset of standard commands,
access only specific hosts
maintains detailed audit information by logging all traffic

each proxy module a very small software package designed

for network security
has each proxy independent of other proxies on the bastion
have a proxy performs no disk access other than read its
initial configuration file
have each proxy run as a non-privileged user in a private
and secured directory

Firewall Configurations
Three common firewall configurations
Screened host firewall, single-homed bastion
Screened host firewall, dual-homed bastion
Screened subnet firewall

Screened host firewall, single-homed bastion

Firewall consists of two systems:

A packet-filtering router
A bastion host
Only packets from and to the bastion host are allowed to pass through the router.

-From Internet, only IP packets destined for the bastion host are allowed.
-From internal network, only IP packets from bastion host are allowed out.

Greater security than single configurations because of two reasons:

This configuration implements both packet-level and application-level filtering.

An intruder must generally penetrate two separate systems.

The router can allow direct traffic between the Internet and the information server.

Screened host firewall, dual-homed bastion

Traffic between the Internet and other hosts on the private network has to flow through the bastion

If the packet-filtering router is completely compromised, traffic will not flow freely between Internet
and protected network.

Information server can be allowed direct communication with the router.

Screened subnet firewall

Most secure configuration of the three.

Two packet-filtering routers are used.

Creation of an isolated sub-network(consist of the bastion host, one or more information servers &



Three levels of defense against intruders.

The outside router advertises only the existence of the screened subnet to the Internet (internal
network is invisible to the Internet)

Inside router advertises only the existence of the screened subnet to the internal network.
An inside host can not construct direct route to the Internet.