
Firewall Classifications and Architectures

Classifications of Firewalls:

  1. Packet Filtering
  2. Circuit Level Gateway
  3. Application Level Gateway

Architectures of Firewall:

  1. Screening Router
  2. Dual Homed Gateway
  3. Screened-Host Gateway
  4. Screened Subnet

 

Packet Filtering

Description: Basic. Operates at the Network or Transport layer. Examines the TCP, IP, ICMP and UDP headers of each packet and routes based on a firewall ACL.

Advantages:

  1. Inexpensive and fast
  2. Easy to set up
  3. Transparent to users

Disadvantages:

  1. No context-level routing
  2. Can be hit by spoofing
  3. Limited logging
  4. No strong user authentication

Circuit Level Gateway

Description: Operates at the Session layer. Uses state information about established connections. Once the virtual circuit is formed, no packet analysis is done.

Advantages:

  1. Fast
  2. Low maintenance

Disadvantages:

  1. Limited logging
  2. Once the connection is established, no further analysis is done

Application Level Gateway

Description: Operates at the Application layer. Implemented as a proxy server.

Advantages:

  1. Supports strong user authentication
  2. Data is not sent directly to the destination

Disadvantages:

  1. Low performance, because each packet has to be brought all the way up to the Application layer for analysis
  2. High maintenance
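The packet-filtering behaviour and its spoofing weakness from the classification above, as an added example that is not part of the original page: a first-match ACL evaluated on header fields only, beside the same ACL with an ingress check on the arrival interface. The addresses, interface names and the ACL itself are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:           # header fields only; a packet filter sees nothing else
    iface: str          # interface the packet arrived on (assumed names)
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # protocol name or "any"
    dport: int = 0      # 0 matches any port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed ACL: internal hosts may SSH to an admin host, anyone may reach
# the web server on 443, everything else is denied.
ACL = [
    Rule("permit", "10.0.0.0/8", "10.0.0.5/32", "tcp", 22),
    Rule("permit", "0.0.0.0/0", "10.0.0.80/32", "tcp", 443),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

def filter_packet(p, acl=ACL):
    """First matching rule wins; default deny when nothing matches."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

def filter_with_ingress_check(p, acl=ACL):
    """Same ACL, but a packet arriving from outside with an internal
    source address is dropped before the ACL is consulted."""
    if p.iface == "external" and ipaddress.ip_address(p.src) in INTERNAL:
        return "deny"
    return filter_packet(p, acl)
```

The plain filter trusts whatever source address the header carries, so the decision for a packet claiming 10.0.0.9 is the same on either interface; only the ingress check ties the address to where the packet actually came from.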

 

Screening Router

Description: Basic packet filtering firewall.

Advantages:

  1. Cheap
  2. Transparent to users

Disadvantages:

  1. Makes internal network structure complex
  2. No user authentication
  3. Single point of failure

Dual Homed Gateway

Description: A bastion host with two network interface cards. It may be connected to an external screening router.

Advantages:

  1. Fail-safe mode: if it fails, nothing is allowed access
  2. Internal network structure is masked

Disadvantages:

  1. Additional authentication required for users
  2. May slow down performance
  3. May not be available for all services

Screened-Host Gateway

Description: External screening router and internal bastion host.

Advantages:

  1. Transparent outbound access and restricted inbound access

Disadvantages:

  1. Screening router can bypass the bastion host
  2. Masking the internal network is difficult

Screened Subnet

Description: Most secure. Forms a DMZ network between the external and internal firewalls.

Advantages:

  1. Transparent, flexible
  2. Internal network is masked

Disadvantages:

  1. Difficult to maintain
  2. Expensive

 
