In: Categories » Computers and technology » VPN » Lower Data Transfer Rates Than a Packet Filter
Networking Standard
A stateful inspection firewall is the de facto standard for network protection at this time. Installing less is not a wise move without good reason (e.g., a requirement for the fastest possible data transfer while maintaining some protection for the internal network).
Performance and Protection
The balance of performance versus protection between a packet filter and an application proxy is excellent. Since stateful inspection is the current standard, most vendors support this type of firewall and offer it in many levels of data transfer rates and cost. Cons There are very few reasons not to use a stateful inspection firewall; however, there are a few possible considerations.
Lower Data Transfer Rates Than a Packet Filter
As stated above, there is performance degradation over a packet filter.Tables are maintained and logic is used to parse the access lists, costing memory and processor power. Lack of Fine Control Fine control of application proxies is lost in favor of better performance. Stateful inspection firewall software is written to be generic (i.e., usable in nearly any environment), whereas application proxies are specific and therefore provide fine control for the specific applications.
Deciding on a Firewall Introduction
Choosing a firewall solution involves many factors, some that can be controlled (e.g., features and cost) and others that cannot be controlled (e.g., overall network structure, history, and politics).This article presents the benefits and the drawbacks of various firewalls.The final decision of what will work best in your environment rests on your shoulders and on those who control the budget.
Appliance/Hardware Solution
Considered the most secure approach, a network appliance is a highly specialized device that is placed on the network between a hostile environment and a safe environment. A “hostile” environment could mean the Internet with access open to anyone; the network containing the user base vs. the network containing servers, which should have limited access; or dividing the network into segments of varying security or access, where some areas have less access due to the sensitive data stored there. Compliance with various laws is particularly important for government and private agencies when choosing between firewall types. Such laws include the Federal Information Processing Standards (FIPS) (www.itl.nist.gov/fipspubs) and the Health Insurance Portability and Accountability Act (HIPAA) (www.hhs.gov/ocr/hipaa) in the US, and the Canadian Security of Information Act (SOIA) (www.tbssct. gc.ca/pubs-pol/gospubs/tbm-12a/sia-lpi1-e.asp#effe).These laws require that certain standards be met, including hardware firewall standards. If you fall under one of these laws, you may not have the option of a software firewall.
Hardware
With a hardware-based solution, you have a network appliance whose sole purpose is to provide a firewall that will pass packets in and out quickly, while inspecting them based on a defined security policy.A network device’s hardware provides the single function of packet filtration and/or inspection. In its simplest form, a network router configured as a packet filter is a hardwarebased firewall. In its most complex form, it is an application proxy on specialized hardware protecting a specific application package.
Packet Filter Warning!
Do not depend on packet-filtering routers for your firewall needs; these attacks can go straight through a packet filter (e.g., the Microsoft Structured Query Language (SQL) server has an exploit that can be compromised using the well known SQL port 1433). Blocking all other ports to the SQL server so that users can query the database decreases the attack surface, and won’t protect you against an attack to that port. Using an application proxy allows you to analyze the packets and reduce the possibility that a malicious packet will traverse the firewall and compromise your server. The operating system (OS) and inspection software are sometimes modified for a particular hardware. It is rare for network hardware to be sold without an integrated OS; however, that OS may not be unique to the hardware. Linux, UNIX, and Windows are often the base OS. Even with this, the OS is usually hardened against network attacks and/or stripped down to provide a specific set of functions. It is difficult to add third-party products or change the basic functionality of a hardware-based firewall. Consider the security implications of changing the functionality of a well-designed and hardened OS.Teams of dedicated people have worked to design hardware and software to use together for the greatest functionality and security.You don’t have to worry about how the OS functions; just plug it in, define the rule sets, and go.Your sole responsibility concerning the OS and filtering software is maintaining up-to-date patches.
legal notice
Our website is not responsible for the information contained by this article. Web-articles is a free articles resource.
Suggestion: If you need fresh, daily updated content for your website, feel free to use our service. Click here for more information.
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above.
related articles
System and software exploits allow hackers to take advantage of weaknesses of particular OSs and applications (often called bugs). Like protocol exploits, they are used by intruders to gain unauthorized access to computers or networks, or to crash or clog up the systems to deny service to others. Common bugs can be categorized as follows: - Buffer Overflows Many common security holes are based on buffer overflow problems. Buffer overflows occur when the number ...
2. Types of attack and protocols
Phishing, the new information gathering technique, is spreading and becoming more sophisticated. Phishing e-mails either ask the victim to fill out a form or direct them to a Web page designed to look like a legitimate banking site.The victim is asked for personal information such as credit card numbers, social security number, or other data that can then be used for identity theft.There has been at least one insidious phishing scheme that uses a Secure Sockets Layer (SSL) certificate so that the data...
3. Attacks over TCP and UDP ports
TCP/UDP Ports A port number is a virtual “mail slot” on each of these machines. Applications running on computers listen to the Internet for incoming information on these ports. Certain applications listen on certain ports.The Internet Assigned Numbers Authority (IANA [www.iana.org]) defines these ports (e.g.,Web servers listen on ports 80 and 443 and File Transfer Protocol (FTP) servers listen on port 21. Hypertext Transfer Protocol (HTTP), Hyper-Text Transfer Protocol Secure socke...
4. Application Proxy and Gateway Firewalls
Firewall Types There are two basic types of firewalls: Application Proxy and Gateway. Gateways are divided into packet filters and stateful inspection firewalls.These differ in function and design and have different uses in network architecture. Never try to have one type of firewall do the duty of another type. It is better to have a well-run and securely configured firewall doing its intended job, than to have something doing a job for which it wasn’t designed.This is an invitati...
The Inspection Process The inspection of TCP/IP packets is a multi-step procedure. What follows is a summary of the steps, not necessarily in order : 1. A packet arrives at the outside interface. It is checked for permitted or denied ports and IP addresses. Note that stateful inspection firewalls require both a port and an IP address. IP addresses can be in the form of a single machine, group of IP addresses, or “any,” meaning any valid IP address on the spec...
6. RFC 959 specifies the commands that a minimum implementation
Minimum Implementation RFC 959 specifies the commands that a minimum implementation of FTP must support, and RFC 1123 updates this list with additional commands. The implementation specified by RFC 1123 is more capable in handling communications between computers that may use different operating systems, file systems, and firewall protection. However, RFC 1123 says that computers whose operating system or file system doesn’t allow or support a command aren’t obligated to add support for it. So f...
7. Four Rules for Securing Your Devices and Local Network
Paying attention to the following four rules will go a long way in ensuring that your device, data, and local network are as secure as possible from security risks: 1. Use a firewall and configure it with the most restrictive settings that allow your device to perform the communications it requires. 2. Restrict access to individual protected resources with user names and passwords. 3. Validate data provided by users to ensure the contents won’t cause harm. 4. Encrypt data that must rema...