Deny-all approach: denies all network packets except those that are explicitly allowed.
The deny-all approach has two advantages:
1) You have to maintain only a small list of allowed network traffic rules. The smaller the list, the easier it is to verify that the firewall configuration is correct.
2) You don't have to keep adding new rules to exclude newly discovered problems; with an allow-all policy every new threat needs its own deny rule.
Advantages and disadvantages of traditional packet filters
Advantages
- One screening router can protect an entire network
- Can be efficient if the filtering rules are kept simple
- Widely available: almost any router, even a Linux box, can do it
Disadvantages
- Can possibly be penetrated; a stateless filter cannot tell a genuine reply from a forged one that merely claims to be a reply
- Cannot enforce some policies, for example "permit only certain users", because it sees only addresses, protocols and ports
- Rules can get complicated and difficult to test
Packet Filtering: What are fragments?
Not all network segments or links allow the same maximum packet size. The maximum packet size a link carries is called the Maximum Transmission Unit (MTU) of that network.
If an IP packet larger than the MTU has to cross such a link, the original IP packet can be broken into smaller IP packets, called IP fragments, which then travel on independently.
Each IP fragment has its own IP header that contains the source and final destination IP addresses, the identification value of the original packet, and a fragment offset giving its position within the original packet.
Each IP fragment contains only a part of the original TCP segment. Therefore only the first fragment (offset 0) contains the TCP header with the port numbers. A packet filter that decides on port numbers can only check the first fragment; for the later ones it must either drop them, reassemble the packet before filtering, or accept that it cannot tell which connection they belong to.
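The following is an added example, not code from the slides. It builds an IPv4/TCP packet, fragments it at a small MTU the way RFC 791 describes, and then runs a deny-all packet filter over the fragments to show that the port check is only possible on the offset-0 fragment. The addresses, ports, MTU and allow-list are constructed values; the "whole TCP header must be in the first fragment" check is the standard tiny-fragment hardening from RFC 1858, not something the slides state.

```python
"""Added example (not from the slides): fragment an IPv4/TCP packet and run a
deny-all, port-based packet filter over the fragments. Only the offset-0
fragment carries the TCP ports. All addresses, ports, the MTU and the
allow-list are made-up values."""
import struct
from collections import namedtuple
from socket import inet_aton, inet_ntoa

IP_PROTO_TCP = 6
MF_FLAG = 0x2000          # "more fragments" bit in the flags/fragment-offset word
TCP_HDR_LEN = 20

Frag = namedtuple("Frag", "src dst proto offset more payload")


def _ip_header(src, dst, total_len, ident, flags_frag):
    # version 4 / IHL 5, TOS 0, TTL 64, checksum left 0 (nothing validates it here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, IP_PROTO_TCP, 0, src, dst)


def build_tcp(sport, dport, data=b""):
    """Minimal 20-byte TCP header (SYN set, checksum 0) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + data


def build_ipv4(src_ip, dst_ip, payload, ident=0x1234):
    return _ip_header(inet_aton(src_ip), inet_aton(dst_ip), 20 + len(payload), ident, 0) + payload


def fragment(packet, mtu):
    """Split an unfragmented IPv4 packet so each piece fits `mtu` (RFC 791):
    the payload is cut on 8-byte boundaries, every fragment gets its own IP
    header with the same identification, and all but the last carry MF."""
    hdr, payload = packet[:20], packet[20:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    src, dst = hdr[12:16], hdr[16:20]
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        last = off + chunk >= len(payload)
        flags_frag = (off // 8) | (0 if last else MF_FLAG)
        frags.append(_ip_header(src, dst, 20 + len(piece), ident, flags_frag) + piece)
    return frags


def parse(packet):
    vihl, _, _, _, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return Frag(inet_ntoa(src), inet_ntoa(dst), proto, (ff & 0x1FFF) * 8,
                bool(ff & MF_FLAG), packet[ihl:])


def filter_decision(packet, allow, drop_non_initial=True):
    """Deny-all filter: `allow` is a set of (dst_ip, dst_port) tuples.
    Only the offset-0 fragment holds the TCP header, so the port check can
    only be made there. Non-initial fragments are dropped by default; passing
    them unchecked (drop_non_initial=False) is the classic weakness, because
    the filter cannot tell which connection they belong to."""
    f = parse(packet)
    if f.proto != IP_PROTO_TCP:
        return "DROP"
    if f.offset != 0:
        return "DROP" if drop_non_initial else "ACCEPT-unchecked"
    # RFC 1858 hardening: insist the whole TCP header is in the first fragment,
    # so a "tiny" first fragment cannot push ports or flags into a later one.
    if len(f.payload) < TCP_HDR_LEN:
        return "DROP"
    sport, dport = struct.unpack("!HH", f.payload[:4])
    return "ACCEPT" if (f.dst, dport) in allow else "DROP"


ALLOW = {("10.0.0.5", 80)}    # constructed allow-list: only HTTP to the web server


def demo(mtu=100):
    """Fragment one HTTP request and report (offset, MF, decision) per fragment."""
    pkt = build_ipv4("192.0.2.7", "10.0.0.5",
                     build_tcp(2065, 80, b"GET / HTTP/1.0\r\n" + b"A" * 200))
    return [(parse(f).offset, parse(f).more, filter_decision(f, ALLOW))
            for f in fragment(pkt, mtu)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the default MTU of 100 the 236-byte TCP payload becomes three fragments; only the first is accepted, because only it carries destination port 80, and the two that follow are dropped for lack of any port information. Setting `drop_non_initial=False` shows what a naive filter does with them instead.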
Stateful packet filtering
With stateful packet filtering, the firewall remembers "state" about the return packets it expects. Any unexpected packet arriving at the firewall claiming to be a solicited response is blocked immediately.
When a host sends a request, the outgoing packet carries its return IP address and, in the TCP or UDP header, an unused ephemeral source port above 1023 (for example, 2065) to which the response must be delivered.
A stateful packet filter blocks inbound traffic to ports above 1023 by default and allows only traffic that matches the address and port of a previously sent packet. The firewall internally maintains a table of the connections on which it expects return traffic. When it determines that an exchange is finished (for example after the TCP close handshake), or when an entry has been idle for too long, it removes that entry from the table.
Stateful Inspection
(Slide diagram: two OSI stacks, Applications / Presentations / Sessions / Transport / Network / Data Link / Physical, on either side of the firewall; the INSPECT engine with its dynamic state tables sits between the data link and network layers of the firewall.)
- Packets are inspected between the data link layer and the network layer, in the OS kernel
- State tables are created to maintain connection context
- Invented by Check Point
Firewall Session Table
A stateful packet filtering firewall uses a session/state table to track connection state. Each entry holds:
- Source IP Address
- Source Port Number
- Destination IP Address
- Destination Port Number
- IP Protocol
- Session Identifier
- State
- Time
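The following is an added example, not code from the slides; it covers both the stateful packet filtering description above and the session table just listed. It keeps a table with exactly those columns, creates entries for packets leaving the inside network, accepts inbound packets only when they match an entry, and removes entries when the exchange finishes or goes idle. The internal prefix, the idle timeout, and every address, port and timestamp are constructed assumptions.

```python
"""Added example (not from the slides): a stateful packet filter keeping the
session table shown on the slide (source/destination IP and port, IP protocol,
session identifier, state, last-seen time). Outbound packets create or refresh
entries; inbound packets are accepted only when they match one. The internal
prefix, idle timeout, addresses, ports and timestamps are all made-up."""
from dataclasses import dataclass
import itertools

IDLE_TIMEOUT = 300          # assumed: seconds of silence before an entry is dropped
INSIDE_PREFIX = "10.0.0."   # assumed internal network


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    session_id: int
    state: str          # NEW -> ESTABLISHED -> CLOSING (TCP); UDP stays NEW
    time: float         # time of the last packet seen in either direction


class StatefulFilter:
    def __init__(self, allowed_outbound):
        self.allowed_outbound = set(allowed_outbound)   # static policy: {(proto, dst_port)}
        self.table = {}          # 5-tuple as seen from inside -> Session
        self._ids = itertools.count(1)

    def table_rows(self):
        return [(s.src_ip, s.src_port, s.dst_ip, s.dst_port, s.proto,
                 s.session_id, s.state, s.time) for s in self.table.values()]

    def _expire(self, now):
        stale = [k for k, s in self.table.items() if now - s.time > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def handle(self, pkt, now):
        """pkt: dict with src_ip, src_port, dst_ip, dst_port, proto ('tcp'/'udp')
        and, for TCP, a set of flags. Returns 'ACCEPT' or 'DROP'."""
        self._expire(now)
        proto, flags = pkt["proto"], pkt.get("flags", set())
        if pkt["src_ip"].startswith(INSIDE_PREFIX):
            # Outbound: the static policy decides; an allowed packet opens a session.
            key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], proto)
            sess = self.table.get(key)
            if sess is None:
                if (proto, pkt["dst_port"]) not in self.allowed_outbound:
                    return "DROP"
                sess = self.table[key] = Session(*key, next(self._ids), "NEW", now)
            sess.time = now
            if "FIN" in flags:
                sess.state = "CLOSING"
            return "ACCEPT"
        # Inbound: only a reply to a tracked session gets through. A packet aimed at
        # an ephemeral port (>1023) with no matching entry is unsolicited: dropped.
        key = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"], proto)
        sess = self.table.get(key)
        if sess is None:
            return "DROP"
        sess.time = now
        if sess.state == "NEW" and {"SYN", "ACK"} <= flags:
            sess.state = "ESTABLISHED"
        if "RST" in flags or ("FIN" in flags and sess.state == "CLOSING"):
            del self.table[key]       # exchange finished: forget it
        return "ACCEPT"


def demo():
    """Replay a constructed packet sequence through the filter."""
    fw = StatefulFilter(allowed_outbound={("tcp", 80), ("udp", 53)})
    inside, web, dns, attacker = "10.0.0.5", "198.51.100.9", "198.51.100.53", "203.0.113.4"
    seq = [
        (0,   inside, 2065, web, 80, "tcp", {"SYN"}),          # client opens HTTP
        (1,   web, 80, inside, 2065, "tcp", {"SYN", "ACK"}),   # solicited reply
        (2,   attacker, 80, inside, 2065, "tcp", {"ACK"}),     # forged "reply": no entry
        (2,   inside, 2066, web, 23, "tcp", {"SYN"}),          # telnet not in policy
        (3,   inside, 3050, dns, 53, "udp", set()),            # DNS query
        (4,   dns, 53, inside, 3050, "udp", set()),            # DNS answer
        (10,  inside, 2065, web, 80, "tcp", {"FIN", "ACK"}),   # client closes
        (11,  web, 80, inside, 2065, "tcp", {"FIN", "ACK"}),   # server closes: entry removed
        (12,  web, 80, inside, 2065, "tcp", {"ACK"}),          # late packet: dropped
        (400, dns, 53, inside, 3050, "udp", set()),            # idle entry expired
    ]
    decisions = []
    for t, s_ip, s_port, d_ip, d_port, proto, flags in seq:
        decisions.append(fw.handle(dict(src_ip=s_ip, src_port=s_port, dst_ip=d_ip,
                                        dst_port=d_port, proto=proto, flags=flags), t))
    return decisions, fw.table_rows()


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
```

The replayed sequence shows the two properties the slides describe: the forged packet to port 2065 and the late packet after the close are dropped even though they target an open ephemeral port, and by the end the table is empty because one entry was removed on close and the other by the idle timeout.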
Network Address Translation (NAT)
- Converts a network's private, non-routable IP addresses (RFC 1918) to legal, public IP addresses
- Hides the true addresses of individual hosts, protecting them from direct attack from outside (NAT by itself is not a substitute for filtering: any host with an entry in the translation table is reachable through it)
- Allows more devices to be connected to the
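The following is an added example, not code from the slides. It models port-based NAT (NAPT) on a border router: packets leaving private RFC 1918 addresses get the router's single public address and a freshly allocated public port, replies are mapped back through the same table, and an inbound packet with no mapping cannot be delivered to any internal host, which is where the "hides the true addresses" property comes from. The public address, port range, addresses and ports are constructed assumptions.

```python
"""Added example (not from the slides): port-based NAT (NAPT) for a border
router with one public address. Private sources are rewritten on the way out,
replies are mapped back, and unsolicited inbound packets find no mapping.
The public address, port range, addresses and ports are made-up values."""
import ipaddress
import itertools

PUBLIC_IP = "203.0.113.1"        # assumed public address of the NAT router
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for the private address ranges that must be translated."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class Napt:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)   # assumed public port pool
        self.out = {}    # (private_ip, private_port, proto) -> public_port
        self.back = {}   # (public_port, proto) -> (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        if not is_rfc1918(pkt["src_ip"]):
            raise ValueError("only private sources are translated")
        key = (pkt["src_ip"], pkt["src_port"], pkt["proto"])
        if key not in self.out:
            # two inside hosts may use the same source port, so the public
            # port, not the address, is what keeps their flows apart
            pub_port = next(self.ports)
            self.out[key] = pub_port
            self.back[(pub_port, pkt["proto"])] = key[:2]
        return dict(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def translate_inbound(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet, or
        return None when no mapping exists: the packet has no internal host to
        go to, so the true addresses stay hidden."""
        if pkt["dst_ip"] != self.public_ip:
            return None
        target = self.back.get((pkt["dst_port"], pkt["proto"]))
        if target is None:
            return None
        return dict(pkt, dst_ip=target[0], dst_port=target[1])


def demo():
    nat = Napt()
    a = dict(src_ip="192.168.1.10", src_port=2065, dst_ip="198.51.100.9", dst_port=80, proto="tcp")
    b = dict(src_ip="192.168.1.11", src_port=2065, dst_ip="198.51.100.9", dst_port=80, proto="tcp")
    a_out, b_out = nat.translate_outbound(a), nat.translate_outbound(b)
    reply_to_a = dict(src_ip="198.51.100.9", src_port=80, dst_ip=PUBLIC_IP,
                      dst_port=a_out["src_port"], proto="tcp")
    probe = dict(src_ip="203.0.113.4", src_port=4444, dst_ip=PUBLIC_IP, dst_port=40002, proto="tcp")
    return a_out, b_out, nat.translate_inbound(reply_to_a), nat.translate_inbound(probe)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both inside hosts happen to pick source port 2065; they leave the router as 203.0.113.1:40000 and 203.0.113.1:40001, the server's reply to port 40000 is delivered to 192.168.1.10:2065, and the outside probe to port 40002 is returned as None because no inside host ever created that mapping.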