The default discard policy is the more conservative. Initially everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. The default forward policy increases ease of use for end users but provides reduced security, because the administrator must react to each new threat as it becomes known rather than having it blocked from the start.

Advantages of packet filter routers
1. Simple.
2. Transparent to users.
3. Very fast.

Weaknesses of packet filter firewalls
1. Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
2. Because of the limited information available to the firewall, the logging functionality present in a packet filter firewall is limited: typically only the address and port fields it filters on.
3. They do not support advanced user authentication schemes, again because of the lack of upper-layer functionality.
4. They are generally vulnerable to attacks that exploit problems in the TCP/IP specification and protocol stack, such as network layer address spoofing.

Some of the attacks that can be made on packet filtering routers and the appropriate countermeasures are the following:

1. IP address spoofing: the intruder transmits packets from the outside with a source IP address field containing the address of an internal host, hoping to pass rules that trust internal addresses.
   Countermeasure: discard any packet with an inside source address if the packet arrives on an external interface.

2. Source routing attacks: the source station specifies the route that a packet should take as it crosses the internet, in the hope of bypassing security measures that do not analyze source routing information.
   Countermeasure: discard all packets that use this option.

3. Tiny fragment attacks: the intruder creates extremely small IP fragments so that the TCP header information is split across fragments, hoping that only the first fragment is examined and the remaining fragments are passed through.
   Countermeasure: discard all packets where the protocol type is TCP and the IP fragment offset is equal to 1 (a second fragment starting that early can only exist to split the TCP header). Note that this check is only effective if the filter also enforces a minimum length on the first fragment (offset 0), so that the port fields it inspects are actually present.

Application level gateway

An application level gateway, also called a proxy server, acts as a relay of application level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, that service is not supported and cannot be forwarded across the firewall.

Application level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the gateway need only scrutinize a few allowable applications, and it is easy to log and audit all incoming traffic at the application level. A prime disadvantage is the additional processing overhead on each connection: there are two spliced TCP connections per session, one to each endpoint, and the gateway must examine and forward all traffic in both directions.
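Returning to the packet filter discussion above, the following is an added example (not code from the original notes) that puts the three countermeasures in front of an ordinary rule list and shows how the default discard and default forward policies differ on the same traffic. The internal address block 192.0.2.0/24, the rule set, and the packets are all constructed for the example; a real filter would read these fields from the IP and TCP headers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed internal address block for the example (TEST-NET-1, not a real deployment).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Packet:
    """The header fields a packet filter decides on (constructed for this example)."""
    iface: str                   # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None when the transport header is not in this fragment
    frag_offset: int = 0         # IP fragment offset in 8-byte units; 0 = first/only fragment
    source_routed: bool = False  # loose or strict source route option present


@dataclass
class Rule:
    """A positive filtering rule; None fields are wildcards."""
    name: str
    action: str                  # "forward" or "discard"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None    # destination network in CIDR notation

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


# The three countermeasures from the text, checked before any rule is consulted.
def anti_spoof(pkt: Packet) -> Optional[str]:
    """Inside source address arriving on the external interface."""
    if pkt.iface == "external" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "inside source address on external interface (IP spoofing)"
    return None


def anti_source_route(pkt: Packet) -> Optional[str]:
    """Any packet carrying the IP source route option."""
    return "source route option set" if pkt.source_routed else None


def anti_tiny_fragment(pkt: Packet) -> Optional[str]:
    """TCP fragment with offset 1: the only reason for it is to split the TCP header."""
    if pkt.proto == "tcp" and pkt.frag_offset == 1:
        return "TCP fragment with offset 1 (tiny fragment attack)"
    return None


COUNTERMEASURES: list[Callable[[Packet], Optional[str]]] = [
    anti_spoof, anti_source_route, anti_tiny_fragment,
]


def filter_packet(pkt: Packet, rules: list[Rule], default: str) -> tuple[str, str]:
    """Return (verdict, reason); `default` is the policy for packets no rule matches."""
    for check in COUNTERMEASURES:
        reason = check(pkt)
        if reason:
            return "discard", reason
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, f"rule {rule.name}"
    return default, f"default {default} policy"


# Assumed rule set: inbound SMTP to the mail host and inbound HTTP to the web host only.
RULES = [
    Rule("smtp-in", "forward", iface="external", proto="tcp", dport=25, dst="192.0.2.25/32"),
    Rule("http-in", "forward", iface="external", proto="tcp", dport=80, dst="192.0.2.80/32"),
]

# Constructed sample traffic, all arriving on the external interface.
SAMPLE = {
    "smtp":      Packet("external", "198.51.100.7", "192.0.2.25", "tcp", dport=25),
    "telnet":    Packet("external", "198.51.100.7", "192.0.2.10", "tcp", dport=23),
    "spoofed":   Packet("external", "192.0.2.10",   "192.0.2.25", "tcp", dport=25),
    "srcrouted": Packet("external", "198.51.100.7", "192.0.2.25", "tcp", dport=25, source_routed=True),
    "tinyfrag":  Packet("external", "198.51.100.7", "192.0.2.80", "tcp", frag_offset=1),
}


def verdicts(default: str) -> dict[str, str]:
    """Verdict for every sample packet under the given default policy."""
    return {name: filter_packet(p, RULES, default)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for policy in ("discard", "forward"):
        print(f"default {policy}:", verdicts(policy))
```

The "spoofed" packet would match the SMTP rule on port and destination alone, which is exactly why the anti-spoofing check has to run before the rule list rather than as just another rule. Switching the default from discard to forward changes only the verdict on the unmatched Telnet packet; the three countermeasures hold under either policy.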
Circuit level gateway

A circuit level gateway can be a stand-alone system or it can be a specialized function performed by an application level gateway for certain applications. A circuit level gateway does not permit an