Features Found in Firewall Products

by Craig Nelson.

Share
|
Homepage | Submit your article | Contact | TOS
More articles on software  

You are here: Categories » Computers and technology » Software

Firewalls can analyze incoming packets of various protocols. Based upon that analysis, a firewall can undertake various actions. Firewalls are therefore capable of performing conditional evaluations. ("If this type of packet is encountered, I will do this.")

These conditional constructs are called rules. Generally, when you erect a firewall, you furnish it with rules that mirror access policies in your own organization. For example, suppose you had both accounting and sales departments. Company policy demands that only the sales department should have access to your FTP site. To enforce this policy, you provide your firewall with a rule; in this case, the rule is that connection requests from accounting to your FTP site are denied.

In this respect, firewalls are to networks what user privilege schemes are to operating systems. For example, Windows NT enables you to specify which users can access a given file or directory. This is discretionary access control at the operating-system level. Similarly, firewalls enable you to apply such access control to your networked workstations and your Web site.

However, access screening is only a part of what modern firewalls can do. Over the past two years, firewall vendors have begun implementing the "kitchen sink" approach to feature development—that is, many vendors have been tossing every feature BUT the kitchen sink into their firewall offerings. Some of the added features include

· Content filtering. Some organizations want to stop their users from browsing particular Web sites: Web-based email sites, "underground" sites, day trading gateways, sites with pornography, and so on. Content filtering features and services can help block these sites, as well as protect against some types of ActiveX and Java-based hostile code and applets.

· Virtual Private Networking (VPN). VPNs are used to tunnel traffic securely from point A to point B, usually over hostile networks (such as the Internet). Although there is a wide range of dedicated VPN appliances on the market today, vendors such as Checkpoint and Cisco are happily rolling VPN services into their firewall offerings. Many firewall products now offer both client-to-enterprise VPN functionality, as well as LAN-to-LAN functionality.

· Network Address Translation (NAT). Network address translation is often used for mapping illegal or reserved address blocks (see RFC 1918) to valid ones (for example, mapping 10.0.100.3 to 206.246.131.227). Although NAT isn't necessarily a security feature, the first NAT devices to show up in corporate environments are usually firewall products.

· Load Balancing. More of a generic term then anything else, load balancing is the art of segmenting traffic in a distributed manner. Although firewall load balancing is one thing, some firewall products are now supporting features that will help you direct Web and FTP traffic in a distributed manner.

· Fault Tolerance. Some of the higher-end firewalls like the Cisco PIX and the Nokia/Checkpoint combination support some fairly intricate fail-over features. Often referred to as High-Availability (HA) functionality, advanced fault-tolerance features often allow firewalls to be run in pairs, with one device functioning as a "hot standby" should the other one fail.

· Intrusion Detection. The term "intrusion detection" can mean many things, but in this case, some vendors are beginning to integrate an entirely different product type with their firewall offering. While this doesn't create a problem in itself, people should be weary of the kind of work load this might impose on their firewall.

Although the thought of managing all these features from within a single box or product can be appealing, one should approach the kitchen sink mentality with a fair amount of skepticism. Firewalls have always been viewed as playing pivotal roles in organizations'security models. Borrowing from the KISS (Keep It Simple, Stupid) principle that is held so dear in the network administration world, we could suggest that going the route of feature bloat might not be the smartest thing to do when it comes to a security product. But we need not speculate on this…the latest round of firewall vulnerabilities have confirmed our suspicions for us. Read on.

Leave a comment or ask a question
Total comments: 0

Software Disclaimer

  • The e-articles directory is not responsible for any and all copyright infringements by writers and authors. If you suspect the information contained by this page for any copyright infringements, please contact us to investigate the issue
Detecting SoftICE by Calling INT 68h - Here's a way to detect the presence of SoftICE in memory by calling INT contain the value 43h before calling INT be in the AX register. 68h. The AH register must 68h. If SoftICE is active in memor (more...)
How Can You Increase Your computer performance - Basic computer knowledge or/ and appropriate technical assistance can help you increase computer performance. Computers have become an expected supporter in this modern world. O (more...)
Detecting SoftICE by Searching Memory - This detection searches the memory in the V86 mode for the WINICE.BR string. Because this method is infrequently used, it's worth considering, though it can only be used in Windows 9x. Thi (more...)
Fight for the Future, Digital Future: Google VS Apple - We can be proud as we watch one of the greatest virtual wars unleashing at the digital market. If 15 years ago it was Apple Vs Windows confrontation, today it has slightly changed its main parties (more...)
The Beginner's Guide to iPad Video Conversion on Mac - So, you've just taken in a shiny new iPad and impressed by its beautiful display. There are several possible sources of content that you will want to convert for viewi (more...)
Touch and View: iPad application - iPad application development has become an extremely popular topic at numerous conferences and workshops since the product introduction keynote. Mobile software companies went boldly into the une (more...)
Deciding on TIFF vs. JPEG Output for Scanned Images - It can be difficult to understand which file type is best for saving your scanned images. Here's a brief breakdown of the two most common options. Preserving beloved memories is on (more...)
Photoshop Clipping Path and Masking Techniques :: Wonderful Technique to Knock Out Image Background - Graphic design is being the promotional key in every spare of business and individual life. Business organizations seek graphic tools to have publicity by dint of bill board, catalogs, magazines, w (more...)
Tips on Getting MP3 from CD as iPhone Ringtone on Mac - Many people must have favorite CDs filled with their bookcase or CD case somewhere at home due to the songs they loved while they still need to pay $0.99 each to get the same songs as their iPhone (more...)
Know about Architectural CAD Drawing - Architectural CAD drawing, which literally mean architectural drawing on the computer. Getting your architectural drawing in digital format. This applies to residential, commercial, pho (more...)

 
free content
    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.