Firewalls

Sim-Ex™ Tutorial for Network+

3.0 Network Implementation

  1. Basic Capabilities of Network Operating System (NOS)
  2. Firewalls
  3. VLANs
  4. Benefits of Using Antivirus software
  5. Fault tolerance
  6. Disaster recovery

3.2 Firewalls

A firewall is a device (or sometimes a software system) that prevents unauthorized access to a network from external sources. For example, any network that is connected directly to the Internet needs some kind of firewall to protect the entire network from potential intrusions from the Internet.


A "Firewall" may be implemented using one or more of the following technologies:

  • Proxy Server
  • Network Address Translator (NAT)
  • Packet filtering
  • Access Control Lists (ACLs)
  • DMZ
Sl. No.  Firewall technology   OSI layer at which the firewall operates
1.       Proxy service         Layer 7 (application)
2.       Packet filtering      Layers 3 and 4 (network and transport headers only)
3.       Stateful inspection   Layers 3 and 4, plus a connection-state table that tracks each session across packets (some texts also list layer 2)

Proxy servers: A proxy server hides network resources behind itself. For example, by using a proxy server, the internal IP addresses of a corporate network can be made invisible to the external world, because the outside only ever sees connections originating from the proxy. It is usually a software program that runs as an application on top of the operating system. Since a proxy terminates the client's connection and opens its own connection to the destination, it may work at several layers of the OSI model, validating the data at each layer, up to the application layer.

Network Address Translator (NAT): Network Address Translation enables an internal network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box is located where the local network interfaces with the external network.

NAT serves three main purposes:

  • Hides internal IP addresses from the external network.
  • Conserves public IP address space by enabling the use of private IP addresses internally. Public IP addresses are used only for communication with the external world.
  • Adds some protection to internal network resources: an unsolicited inbound packet for which no translation entry exists has nowhere to go and is dropped. NAT is not a substitute for packet filtering, however, since it makes no decision based on what the traffic is.

There are two types of NAT widely used:

  • Static NAT
  • Dynamic NAT

Static NAT: In static NAT, a private IP address is mapped to a fixed public IP address. The public address is always the same for a given internal private IP address. The advantage of a fixed private-to-public mapping is that internal resources such as a web server can be reached from the external network. The main disadvantage is that each mapping permanently consumes one precious public IP address.

Dynamic NAT: Dynamic NAT maps a private IP address to a public IP address that is dynamically selected from a pool of one or more public IP addresses. The main advantages of dynamic NAT include the following:

  • Dynamic NAT provides security to an internal network as it masks the internal network from the external world.
  • It conserves public IP addresses by using private IP addresses on the internal network; a public address is only consumed while an internal host is actually communicating.

One of the main disadvantages is that if you need to place a server on the internal network, such as an e-mail server, that has to be accessed from the public Internet, then you cannot use dynamic NAT: the server's mapping would only exist while it was sending traffic out, and could change each time. The internal e-mail server has to be assigned a static IP address mapping.
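To make the static versus dynamic behaviour concrete, here is an added example (not code from this tutorial) that models a NAT box as a translation table: a static entry reserves one public address for an internal server, dynamic entries are leased from a pool and returned when the host goes idle, and an inbound packet is only translated if an entry exists. The addresses (10.0.0.0/8 internally, 203.0.113.0/24 as the public pool, an RFC 5737 documentation range) are constructed sample values.

```python
"""Static vs dynamic NAT, modelled as a translation table.

Added example, not code from this tutorial. The public pool
(203.0.113.0/24, an RFC 5737 documentation range) and the private
addresses are constructed sample values.
"""


class NatTable:
    def __init__(self, public_pool):
        self.pool = list(public_pool)   # public addresses still free for dynamic use
        self.static = {}                # private -> public, fixed mapping
        self.dynamic = {}               # private -> public, leased while in use

    def add_static(self, private, public):
        """Reserve a fixed public address for an internal host (e.g. a mail server)."""
        if public in self.pool:
            self.pool.remove(public)    # one public address permanently consumed
        self.static[private] = public

    def outbound(self, private):
        """Translate the source address of a packet leaving the internal network.
        Returns the public address, or None if no address can be assigned."""
        if private in self.static:
            return self.static[private]
        if private in self.dynamic:
            return self.dynamic[private]
        if not self.pool:
            return None                 # pool exhausted: the packet cannot be translated
        public = self.pool.pop(0)
        self.dynamic[private] = public
        return public

    def inbound(self, public):
        """Translate the destination of a packet arriving from outside.
        Returns the internal host, or None if nothing maps to that address."""
        for table in (self.static, self.dynamic):
            for private, mapped in table.items():
                if mapped == public:
                    return private
        return None                     # unsolicited packet with no mapping: dropped

    def release(self, private):
        """Dynamic mappings are temporary: when the host goes idle the public
        address returns to the pool, and a later inbound packet no longer reaches it."""
        public = self.dynamic.pop(private, None)
        if public is not None:
            self.pool.append(public)


def demo():
    nat = NatTable(["203.0.113.10", "203.0.113.11"])
    nat.add_static("10.0.0.5", "203.0.113.10")          # mail server, always reachable
    outcomes = {
        "server_in": nat.inbound("203.0.113.10"),        # -> "10.0.0.5"
        "client_out": nat.outbound("10.0.0.20"),         # -> "203.0.113.11"
        "exhausted": nat.outbound("10.0.0.21"),          # -> None, pool is empty
    }
    nat.release("10.0.0.20")
    outcomes["stale_in"] = nat.inbound("203.0.113.11")   # -> None, mapping is gone
    outcomes["reused"] = nat.outbound("10.0.0.21")       # -> "203.0.113.11"
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "stale_in" case is exactly why the tutorial says an Internet-facing e-mail server cannot sit behind dynamic NAT: once the lease is released, the public address no longer leads to the server, and it may be handed to a different host entirely ("reused").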

Packet Filtering: Packet filtering is the ability of a router or a firewall to discard packets that do not meet certain criteria. A packet filtering router should be able to filter IP packets based on the following four fields:

  • Source IP address
  • Destination IP address
  • TCP/UDP source port
  • TCP/UDP destination port

Filtering is used to:

  • Allow/block connections from specific hosts or networks
  • Allow/block connections to specific hosts or networks
  • Allow/block connections to specific ports
  • Allow/block connections from specific ports

Packet filtering is usually performed by routers, and it is faster than proxy servers that operate at higher layers. The main disadvantage of packet filters is that they operate at layers 3 and 4 of the OSI model and cannot analyze the application data carried in the packets. As a result, it is possible for malicious traffic to enter a protected network as long as its addresses and ports match a permitted rule. A purely stateless filter also cannot tell a legitimate reply to an internal connection from an unsolicited inbound packet with the same addresses and ports; stateful inspection closes that gap by recording each permitted connection and allowing only the matching return traffic.

Access Control Lists (ACLs): An ACL is the ordered list of permit/deny rules that a packet filter applies. Rules are evaluated from the top down, the first matching rule decides the packet's fate, and a packet that matches no rule is denied by the implicit deny at the end of the list. Because of this, rule order matters: a broad permit placed above a narrower deny silently makes the deny unreachable.

The Demilitarized Zone (DMZ): A DMZ, used by most firewall designs, is a network segment that is neither public nor local but halfway between, where servers that must be reachable from the Internet (web, mail) are placed. A standard DMZ setup has three network cards in the firewall computer: the first connects to the Internet, the second to the DMZ segment, and the third to the intranet. Traffic from the Internet is permitted only to specific services in the DMZ, and the DMZ is not allowed to open connections into the intranet, so a compromised DMZ server does not give direct access to internal hosts.
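The packet-filtering, ACL and DMZ descriptions above fit together in one policy, shown here as an added example (not code from this tutorial): a first-match ACL with an implicit deny, applied to a three-interface layout, and a small stateful wrapper that shows why a stateless filter cannot admit reply traffic safely. The address ranges (192.0.2.0/24 for the DMZ, 198.51.100.0/24 for an outside host, 10.0.0.0/8 for the intranet) and the packets are constructed sample values.

```python
"""Stateless packet filter with a first-match ACL, plus a stateful wrapper.

Added example, not code from this tutorial. Addresses use RFC 5737
documentation ranges for the DMZ and outside hosts and RFC 1918 space
for the intranet; the sample packets are constructed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src dst sport dport")

ANY      = ip_network("0.0.0.0/0")
DMZ      = ip_network("192.0.2.0/24")
INTRANET = ip_network("10.0.0.0/8")

# ACL entries: (action, proto, source network, destination network, dest port).
# None means "any". Evaluated top-down; first match wins; implicit deny at the end.
ACL = [
    ("permit", "tcp", ANY,      DMZ,      80),    # Internet -> DMZ web server
    ("permit", "tcp", ANY,      DMZ,      443),
    ("deny",   None,  DMZ,      INTRANET, None),  # DMZ must never reach inside
    ("permit", None,  INTRANET, ANY,      None),  # internal hosts may go out
]


def matches(rule, pkt):
    """Compare the four header fields a packet filter looks at against one rule."""
    _action, proto, src_net, dst_net, dport = rule
    if proto is not None and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in src_net or ip_address(pkt.dst) not in dst_net:
        return False
    if dport is not None and dport != pkt.dport:
        return False
    return True


def filter_packet(pkt, acl=ACL):
    """Stateless decision: walk the ACL top-down and stop at the first match."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"   # implicit deny: nothing matched


class StatefulFilter:
    """Stateful inspection: remember each permitted connection and allow only
    the packets that travel in the reverse direction of a recorded flow."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.flows = set()   # (proto, src, dst, sport, dport) of permitted connections

    def process(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in self.flows:
            return "permit"  # reply to a connection an internal host opened
        action = filter_packet(pkt, self.acl)
        if action == "permit":
            self.flows.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return action


def demo():
    web_in   = Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80)    # allowed
    ssh_in   = Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 22)    # no rule
    dmz_in   = Packet("tcp", "192.0.2.10",   "10.0.0.5",   40000, 445)   # pivot attempt
    outbound = Packet("tcp", "10.0.0.5",     "198.51.100.7", 51000, 443)
    reply    = Packet("tcp", "198.51.100.7", "10.0.0.5",   443, 51000)
    forged   = Packet("tcp", "198.51.100.7", "10.0.0.5",   443, 51001)   # looks like a reply
    stateful = StatefulFilter()
    return {
        "web_in": filter_packet(web_in),              # permit (rule 1)
        "ssh_in": filter_packet(ssh_in),              # deny (implicit)
        "dmz_to_intranet": filter_packet(dmz_in),     # deny (rule 3)
        "stateless_reply": filter_packet(reply),      # deny: no rule admits it
        "stateful_out": stateful.process(outbound),   # permit, flow recorded
        "stateful_reply": stateful.process(reply),    # permit, matches flow
        "stateful_forged": stateful.process(forged),  # deny, no such flow
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "stateless_reply" case is the trade-off the tutorial points at: to let replies in, a stateless ACL would need a rule such as "permit tcp any to intranet from source port 443", which any attacker can satisfy by sending from port 443. The stateful wrapper admits the real reply and still drops the forged one, because only a connection the intranet actually opened is in its table.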



Disclaimer: Simulationexams.com is not affiliated with any certification vendor, and Sim-Ex™ Practice Exams are written independently by SimulationExams.com and are not affiliated with or authorized by the respective certification providers. Sim-Ex™ is a trademark of SimulationExams.com or the entity representing Simulationexams.com. A+™, Network+™, Security+™ and Server+™ are trademarks of the CompTIA® organization.