firewall methods

Following are the different methods used to provide firewall protection, and several of them are often used in combination. See firewall.

Network Address Translation (NAT)
Allows one IP address, which is shown to the outside world, to refer to many internal IP addresses, one on each client station. It performs the conversion back and forth. The most basic firewall, NAT is built into routers, and any user's computer that shares its Internet connection with others uses a software version. See NAT.
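The conversion "back and forth" described above, written out as an added example (this is not code from the original entry or from any router vendor). It models port-based NAT: every internal (address, port) pair is given its own port on the single public address, outbound packets are rewritten to that address, and inbound packets are rewritten back only when a mapping exists and the sender is one the internal host actually contacted. The addresses and the starting port are constructed values.

```python
from dataclasses import dataclass

# Constructed example value: the one public address shown to the outside world.
EXTERNAL_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-based NAT: each internal (ip, port) is mapped to a distinct port on EXTERNAL_IP."""

    def __init__(self, external_ip=EXTERNAL_IP, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (internal_ip, internal_port) -> external_port
        self.in_map = {}    # external_port -> (internal_ip, internal_port)
        self.remotes = {}   # external_port -> set of (remote_ip, remote_port) contacted

    def translate_outbound(self, pkt):
        """Rewrite an internal source to the shared public address, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
            self.remotes[port] = set()
        self.remotes[port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Rewrite a reply back to the internal host; returns None (drop) when nothing inside asked for it."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None   # no internal host is behind this port
        if (pkt.src_ip, pkt.src_port) not in self.remotes[pkt.dst_port]:
            return None   # the sender was never contacted through this mapping
        internal_ip, internal_port = key
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)


if __name__ == "__main__":
    nat = Nat()
    out = nat.translate_outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    print("reply rewritten to", nat.translate_inbound(Packet("198.51.100.7", 80, EXTERNAL_IP, out.src_port)))
    print("unsolicited packet:", nat.translate_inbound(Packet("198.51.100.9", 80, EXTERNAL_IP, out.src_port)))
```

The last check in `translate_inbound` is what makes plain NAT act as a basic firewall: an outside host that was never contacted has no mapping to reach, so its packets are dropped rather than forwarded to any internal station.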

Stateful Inspection
Tracks the transaction to ensure that inbound packets were requested by the user. It generally can examine multiple layers of the protocol stack, including the data if required, so that blocking can be applied at any depth. See stateful inspection.

Packet Filter
Blocks traffic based on a specific IP address or a type of application (email, FTP, Web, etc.), which is identified by its port number. Packet filtering is typically done in a router, which is known as a "screening router." See TCP/IP port and bastion host.
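An added example (not code from the original entry) that puts the two preceding methods side by side: a stateless packet filter of the kind a screening router applies, and a stateful filter that additionally remembers which outbound connections it allowed. The address-and-port rules, the internal LAN prefix and the sample packets are all constructed for the illustration. The point it shows is why stateful inspection matters: a stateless filter that must let web replies reach clients has to open every high port inbound, whereas the stateful filter admits an inbound packet only when it answers a recorded outbound flow.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example values: the internal LAN and a public web server on it.
INTERNAL_PREFIX = "192.168.1."
PUBLIC_WEB_SERVER = "192.168.1.80"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def direction(pkt):
    """'out' when the packet leaves the internal LAN, 'in' when it enters it."""
    return "out" if pkt.src_ip.startswith(INTERNAL_PREFIX) else "in"


@dataclass(frozen=True)
class Rule:
    """A screening-router rule; a field left as None matches anything."""
    action: str                          # "allow" or "deny"
    direction: Optional[str] = None      # "in", "out" or None for both
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    min_dst_port: Optional[int] = None   # matches any destination port >= this value

    def matches(self, pkt):
        if self.direction is not None and self.direction != direction(pkt):
            return False
        if self.dst_ip is not None and self.dst_ip != pkt.dst_ip:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.min_dst_port is not None and pkt.dst_port < self.min_dst_port:
            return False
        return True


class PacketFilter:
    """Stateless packet filter: the first matching rule wins, default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFilter:
    """Stateful inspection: allowed outbound packets are recorded as flows, and an inbound
    packet passes when it answers a recorded flow; otherwise it faces the rules like any other."""

    def __init__(self, rules):
        self.rules = PacketFilter(rules)
        self.flows = set()   # (src_ip, src_port, dst_ip, dst_port, proto) of allowed outbound packets

    def decide(self, pkt):
        if direction(pkt) == "in":
            reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if reply_of in self.flows:
                return "allow"
        verdict = self.rules.decide(pkt)
        if verdict == "allow" and direction(pkt) == "out":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return verdict


# Stateless policy: clients may reach web servers, the public server may be reached on port 80,
# and, because the filter cannot recognise replies, every high port must be opened inbound.
STATELESS_RULES = [
    Rule("allow", direction="out", dst_port=80),
    Rule("allow", direction="in", dst_ip=PUBLIC_WEB_SERVER, dst_port=80),
    Rule("allow", direction="in", min_dst_port=1024),
]

# Stateful policy: the same intent without the blanket high-port rule; replies come from the flow table.
STATEFUL_RULES = STATELESS_RULES[:2]


def demo():
    """Run a web request and its reply through both filters, then an unsolicited inbound
    packet aimed at the same client port. Returns {filter name: (request, reply, unsolicited) verdicts}."""
    filters = (("stateless", PacketFilter(STATELESS_RULES)), ("stateful", StatefulFilter(STATEFUL_RULES)))
    request = Packet("192.168.1.5", 51000, "198.51.100.7", 80)
    reply = Packet("198.51.100.7", 80, "192.168.1.5", 51000)
    unsolicited = Packet("198.51.100.99", 4444, "192.168.1.5", 51000)
    return {name: tuple(fw.decide(p) for p in (request, reply, unsolicited)) for name, fw in filters}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Both filters allow the request and the reply; only the stateful one denies the unsolicited packet, because the stateless rule set had to open ports 1024 and above to let replies through at all. Removing that rule from the stateless filter would block the unsolicited packet but would block the legitimate reply too.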

Proxy Server
Serves as a relay between two networks, breaking the connection between the two. It also typically caches Web pages (see proxy server).


Protected and More Protected
In the top diagram, the internal network is protected by only one screening router (a router with packet filtering). If servers on the internal network provide services to Internet users, this offers minimal protection against an attack. The use of two screening routers in the bottom diagram offers two points of protection from the outside world to the internal LAN.

Firewall Management
Elron Firewall was a product that combined stateful inspection, multilayer packet analysis and network address translation (NAT) to secure a network. The left column scrolled down to more than 70 user services. (Screen example courtesy of Elron Software, acquired in 2003 by Zix Corporation, www.zixcorp.com)