Today the use of Firewalls is not only necessary, but nearly self-evident. So more and more the question arises, what the differences between the Firewalls are - exept the price for them.

Let's have a look on today's Firewalls which protect networks and server. The protection of a Personal Computer by a Personal Firewall will not be regarded here - even if such a Firewall should be on every PC, combined with a good Anti-Virus Software.

Basically different kinds of Firewalls can be used. Besides the severe classification shown here, hybrid Firewalls mixing the shown principles are deployed to increase the demanded security.

 

Packet Filters

(Static) Packet Filters are mostly configured on Routers. They filter the IP-addresses, the protocol and also the used ports, if the protocol is TCP or UDP. So special applications may be accepted explicitely by opening the ports, these applications use. If TCP is filtered, most of today's routers allow to filter the TCP-Flags of a packet, too.

The advantage of this solution is the price. The filters, mostly called ACL (Access Control List) only have to be configured on a Router. No extra Software is needed. Performance isn't really a problem in most cases, because Routers are optimized to forward packets. Due to the transparence of Packet Filters, no special Software is needed by the users, neither a special configuration on Servers or even extra Software.

Besides the advantages, there are also some principal disadvantages. Router can't filter any content of the application layer, due to their working principle. So they can't give any protection on this layer. Checks, if packets really belong to a specific connection can't be carried out. So the Packet Filter has to 'believe' the entries in the packet headers. On the network layer and transport layer quite many attacks might be possible, depending on the configuration of the packet filter. By these attacks packet filters can be tricked out, so they don't give the protection they are intended to. If more complex protocols like e.g. FTP or H.323 are used, the filters have to be opened wide. Then, these protocols will work, but a protection of the internal systems is hardly there.

Conclusion:
Packet filters are quite useful if they are configured additionally to a 'real' Firewall to protect internal systems against the Internet. In the Intranet, where the levels of trust don't differ too much, a packet filter is much better than configuring no protection at all.

 

Stateful Inspection

This kind of Firewall is often called 'dynamic packet filter'. The filtering of data is carried out in a kernel module. The main feature is the use of dynamic tables. They are mostly called 'State Tables'. In these tables information about the actual state of existing and expected connections (e.g. FTP-DATA) is saved. If a packet of an 'established connection' is checked, it's checked against the state tables. So the filtering mechanism doesn't look at one single packet, but the decision if a packet might pass depends on the connection as a whole and it's history.

The advantage of this solution is the complete control over every single connection - not only on packets. This kind of filtering is possible for TCP as well as for UDP or ICMP. Because the inspection is done in the kernel, the performance of Stateful Inspection is quite good. The solutions of most manufacturers filter the attacks typical for packet filters in a preliminary stage. Additionally, these Firewalls might be configured as well as static packet filters completely transparent for the user.

Possible disadvantages of a 'pure' Stateful Inspection are it's complexity and the missing complete control of the application layer, if this isn't done by other mechanisms. Most (successful) attacks are using this layer. And, the administrator is an 'element of uncertainty', as for static packet filters: An administrator might configure this kind of Firewall to accept any traffic from anywhere to everywhere - even without logging.

Conclusion:
Combining this kind of Firewall with further mechanisms to filter the traffic, Stateful Inspection is a quite safe Firewall. It has the advantages of packet filters and additionally a complete control over every single connection.

 

Circuit Level Gateways

This kind of Firewall resides in layer 6 of the ISO/OSI stack. It's also called "user defined Proxy" or "Generic Service Passer". This kind of Firewall can't interpret the data of the application layer, but it works as a proxy. The connection initiated by the user is terminated at the Firewall - and the Firewall itself initiates a connection to the destination the user wanted. There are several mechanisms to tell the Firewall which data from which server shall be transferred to the user. One of them is the "modified procedure". Here, the user connects to the Firewall first, logs in and gives the wanted destination. This information is transferred automatically when a "modified client" is used: A second protocol (e.g. socks) makes the handling easier for the user. Very user-friendly is "transparent IP masquerading". Using this kind of mechanism, the user initiates the connection as if there is no proxy. The Firewall itself has a modified TCP/IP stack which terminates the connection from the user and initiates a second connection to the destination automatically. So there is no need for special software on the user's PC.

An advantage is the protection against all attacks in the Network and Transport layer which are possible when using packet filters. The reason is the Firewall initiating an own connection to the target. Du to the inspection in layer 6 this kind of Firewall provides more possibilities for logging and accounting.

A possible disadvantage is this inspection in layer 6: The data of the application layer can't be interpreted and so a filtering e.g. of long URLs isn't possible. Some Circuit Level Gateways aren't userfriendly, so sometimes a good hotline is needed. Additionally, the connection to the target isn't transparent, which might give problems with some protocols. The performance of this kind of Firewall isn's as good as the performance of packet filters or Stateful Inspection.

Conclusion:
Modern Firewalls combine this mechanism with the principle of Application Level Gateways, so it's a good supplement for "exotic" services.

 

Application Level Gateways

Some people say, this kind of Firewall is "state of the art". They work as a proxy like Circuit Level Gateways, so the user has no direct connection to the destination. They work in layer 7 of the ISO/OSI stack, so they provide full control of all data transferred within the protocol like e.g. FTP.

If there is a special proxy for the protocol to be filtered, the big advantage is the full control of all data. A direct connection between Client and Server isn't initiated, so some of the disadvantages mentioned for packet filters aren't there. Another advantage is the possibility to filter active content within HTTP, so JavaScript or ActiveX can be blocked at this kind of Firewall. Users might be authenticated within the protocol, so also here a good protection can be configured.
When having applications with sensitive data, e.g. in E-Business, there are new Application Level Gateways which make an attack using the application layer nearly impossible. Here, a further check of e.g. Session-IDs and all Cookies is carried out.

A disadvantage of this kind of Firewall is the need of a special proxy for every protocol to be filtered. If using non-standard protocols, a special proxy has to be deployed - or the filtering carried through with a Ciruit Level Gateway. Proxies are applications, so the performance of this kind of Firewall is not as good as of Packet Filters or Stateful Inspection. A protection of the lower layers in the stack like e.g. Network Layer or Transport Layer isn't possible.

Conclusion:
For protecting the Application Layer, these Firewalls show good security and good possibilities for configuration. Combining this kind of Firewall with Circuit Level Gateways, some disadvantages may be compensated. The performance isn't very good sometimes.

 

Available Firewalls

Commercial Firewalls

The options for filtering the traffic are mostly combined in commercial Firewalls. Here one has to differentiate between solutions beeing pure Software for a system with Hardware and Operating System. Another possibility is the combination of an Operating System with an integrated Firewall. So only a Hardware is needed. Very many modern Firewalls are Appliances. They are complete solutions including Hardware. So if there is any problem, only one manufacturer has to be contacted.

"Semi-Commercial " Firewalls

This kind of Firewall is a combination of Open Source security Software (e.g. for Linux or FreeBSD) which is coupled with a commercial GUI and maybe also more commercial Software like Anti-Virus Server.

Free Firewalls

These Firewalls are free for private use or are a Firewall kit, which has to be built up. The first choice isn't for companies. If using a Firewall kit, the adminnistrator has to build up his own Firewall by combining the right and free tools. He has to install, configure and test them. Even if it's quite self-understood: These tools have to be always kept up-to-date.

Some manufacturers and products:

Astaro Security Linux, Borderware, Check Point R7x, Cisco ASA and PIX, CyberGuard Firewall Appliance, GENIA-SEC GENIAwall, Genua GeNUGate, NetScreen, Palo Alto Networks, Secure Computing Sidewinder, Sanctum AppShield, Seclutions AirLock, Symantec Enterprise Firewall, Whale e-Gap