In: Root » Computers and technology » VPN » Lower Data Transfer Rates Than a Packet Filter
Networking Standard A stateful inspection firewall is the de facto standard for network protection at this time. Installing less is not a wise move without good reason (e.g., a requirement for the fastest possible data transfer while maintaining some protection for the internal network). Performance and Protection The balance of performance versus protection between a packet filter and an application proxy is excellent. Since stateful inspection is the current standard, most vendors support this type of firewall and offer it in many levels of data transfer rates and cost. Cons There are very few reasons not to use a stateful inspection firewall; however, there are a few possible considerations. Lower Data Transfer Rates Than a Packet FilterAs stated above, there is performance degradation over a packet filter.Tables are maintained and logic is used to parse the access lists, costing memory and processor power. Lack of Fine Control Fine control of application proxies is lost in favor of better performance. Stateful inspection firewall software is written to be generic (i.e., usable in nearly any environment), whereas application proxies are specific and therefore provide fine control for the specific applications. Deciding on a Firewall Introduction Choosing a firewall solution involves many factors, some that can be controlled (e.g., features and cost) and others that cannot be controlled (e.g., overall network structure, history, and politics).This article presents the benefits and the drawbacks of various firewalls.The final decision of what will work best in your environment rests on your shoulders and on those who control the budget. Appliance/Hardware SolutionConsidered the most secure approach, a network appliance is a highly specialized device that is placed on the network between a hostile environment and a safe environment. A “hostile” environment could mean the Internet with access open to anyone; the network containing the user base vs. the network containing servers, which should have limited access; or dividing the network into segments of varying security or access, where some areas have less access due to the sensitive data stored there. Compliance with various laws is particularly important for government and private agencies when choosing between firewall types. Such laws include the Federal Information Processing Standards (FIPS) (www.itl.nist.gov/fipspubs) and the Health Insurance Portability and Accountability Act (HIPAA) (www.hhs.gov/ocr/hipaa) in the US, and the Canadian Security of Information Act (SOIA) (www.tbssct. gc.ca/pubs-pol/gospubs/tbm-12a/sia-lpi1-e.asp#effe).These laws require that certain standards be met, including hardware firewall standards. If you fall under one of these laws, you may not have the option of a software firewall. Hardware With a hardware-based solution, you have a network appliance whose sole purpose is to provide a firewall that will pass packets in and out quickly, while inspecting them based on a defined security policy.A network device’s hardware provides the single function of packet filtration and/or inspection. In its simplest form, a network router configured as a packet filter is a hardwarebased firewall. In its most complex form, it is an application proxy on specialized hardware protecting a specific application package. Packet Filter Warning!Do not depend on packet-filtering routers for your firewall needs; these attacks can go straight through a packet filter (e.g., the Microsoft Structured Query Language (SQL) server has an exploit that can be compromised using the well known SQL port 1433). Blocking all other ports to the SQL server so that users can query the database decreases the attack surface, and won’t protect you against an attack to that port. Using an application proxy allows you to analyze the packets and reduce the possibility that a malicious packet will traverse the firewall and compromise your server. The operating system (OS) and inspection software are sometimes modified for a particular hardware. It is rare for network hardware to be sold without an integrated OS; however, that OS may not be unique to the hardware. Linux, UNIX, and Windows are often the base OS. Even with this, the OS is usually hardened against network attacks and/or stripped down to provide a specific set of functions. It is difficult to add third-party products or change the basic functionality of a hardware-based firewall. Consider the security implications of changing the functionality of a well-designed and hardened OS.Teams of dedicated people have worked to design hardware and software to use together for the greatest functionality and security.You don’t have to worry about how the OS functions; just plug it in, define the rule sets, and go.Your sole responsibility concerning the OS and filtering software is maintaining up-to-date patches. |
legal disclaimer
Our website is not responsible for the information contained by this article. Web-articles is a free articles resource.
Suggestion: If you need fresh, daily updated content for your website, feel free to use our service. Click here for more information.
related articles
Are you ready to start writing your logical security configurations? If you are like most security professionals, this is what we like to do. While we all understand planning is a critical process for success, it is the actual configurations and implementations we like to spend our time working on. Since firewall and VPN solutions provide different capabilities, we have divided this section into two parts.The first part covers Firewall logical security configurations, and the second part covers VPN logical...
Who Needs Remote Access? Determining who needs to use your VPNs is not an easy task that can be done in just minutes. It is not uncommon for almost every employee to need some form of VPN access at one point or another.This introduces many challenges from user management to the auditing of your systems and individual access logs.This is an area in which your user groups and centralized user management systems will play an important role. It will help ensure your access rights are secure and grant...
3. Attacks can be divided into three main categories
Attacks Attacks can be divided into three main categories: - Reconnaissance Attacks Hackers attempt to discover systems and gather information. In most cases, these attacks are used to gather information to set up an access or a Denial of Service (DoS) attack. A typical reconnaissance attack might consist of a hacker pinging Internet Protocol (IP) addresses to discover what is alive on a network.The hacker might then perform a port scan on the system to see which applica...
4. System and Software Exploits
System and software exploits allow hackers to take advantage of weaknesses of particular OSs and applications (often called bugs). Like protocol exploits, they are used by intruders to gain unauthorized access to computers or networks, or to crash or clog up the systems to deny service to others. Common bugs can be categorized as follows: - Buffer Overflows Many common security holes are based on buffer overflow problems. Buffer overflows occur when the number ...
5. Types of attack and protocols
Phishing, the new information gathering technique, is spreading and becoming more sophisticated. Phishing e-mails either ask the victim to fill out a form or direct them to a Web page designed to look like a legitimate banking site.The victim is asked for personal information such as credit card numbers, social security number, or other data that can then be used for identity theft.There has been at least one insidious phishing scheme that uses a Secure Sockets Layer (SSL) certificate so that the data...
6. Attacks over TCP and UDP ports
TCP/UDP Ports A port number is a virtual “mail slot” on each of these machines. Applications running on computers listen to the Internet for incoming information on these ports. Certain applications listen on certain ports.The Internet Assigned Numbers Authority (IANA [www.iana.org]) defines these ports (e.g.,Web servers listen on ports 80 and 443 and File Transfer Protocol (FTP) servers listen on port 21. Hypertext Transfer Protocol (HTTP), Hyper-Text Transfer Protocol Secure socke...
7. Application Proxy and Gateway Firewalls
Firewall Types There are two basic types of firewalls: Application Proxy and Gateway. Gateways are divided into packet filters and stateful inspection firewalls.These differ in function and design and have different uses in network architecture. Never try to have one type of firewall do the duty of another type. It is better to have a well-run and securely configured firewall doing its intended job, than to have something doing a job for which it wasn’t designed.This is an invitati...
8. The inspection of TCP IP packets
The Inspection Process The inspection of TCP/IP packets is a multi-step procedure. What follows is a summary of the steps, not necessarily in order : 1. A packet arrives at the outside interface. It is checked for permitted or denied ports and IP addresses. Note that stateful inspection firewalls require both a port and an IP address. IP addresses can be in the form of a single machine, group of IP addresses, or “any,” meaning any valid IP address on the spec...