Network Computing is part of the Informa Tech Division of Informa PLC


A Rookie's Guide to Defensive Blocks: Page 2 of 7

• Stateful packet-filter firewalls. Stateful packet filters are packet filters that overdosed on Jolt. These firewalls maintain a table that stores state information for every connection, so they can see when a connection is being initiated, is in the middle of its handshake, or is being torn down. From a security standpoint this is a big improvement over a plain packet filter: the firewall can reject out-of-sequence packets and spoofed TCP connections, and an attacker can't slip in packets that merely claim to belong to an existing connection, because the firewall knows which connections actually exist. You could write a single rule to reject all incoming SYN packets and not have to worry much about people scanning or connecting to your network through common spoofing methods.

The downside is that stateful firewalls require plenty of CPU and memory, and as the number of tracked connections grows, so do the processing requirements; a state table that fills up is also a target in itself, since a flood of half-open connections can exhaust it. When you test stateful firewalls, measuring packets per second alone is not adequate. Instead, look at how many simultaneous connections the device can hold, which is what matters on networks with many users or on high-traffic Web sites. A firewall that performs well with a few users may not scale to several thousand.
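To make the difference concrete, here is an added illustration (not code from the article): a toy stateless filter whose only rule is "drop inbound SYN", beside a toy stateful filter that keeps a connection table. The protected network 10.0.0.0/8, the hosts, the policy (inside may connect out, outside may not connect in) and the packet sequence are all constructed for the demo. The stateful filter tracks flags and handshake phase only; a real one also checks sequence numbers.

```python
"""Toy stateless vs stateful TCP filter (added illustration, not the article's code).
The network 10.0.0.0/8, the hosts and the packets below are constructed for the demo.
Policy for both filters: inside hosts may open connections outward, outside hosts
may not open connections inward."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}


def is_inbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) not in INSIDE and ip_address(pkt.dst) in INSIDE


def stateless_filter(pkt: Packet) -> str:
    """Plain packet filter: one rule, no memory of earlier packets. Any inbound
    packet that carries ACK (an ACK scan, a forged SYN/ACK) slips through."""
    if is_inbound(pkt) and pkt.flags == {"SYN"}:
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Keeps (inside_ip, inside_port, outside_ip, outside_port) -> handshake state.
    Sequence numbers are not tracked here; a real stateful firewall checks them
    too, so that out-of-window segments are rejected as well."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        if is_inbound(pkt):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def filter(self, pkt: Packet) -> str:
        key, inbound = self._key(pkt), is_inbound(pkt)
        state = self.table.get(key)
        if inbound and pkt.flags == {"SYN"}:
            return "DROP"  # policy: nobody outside opens a connection inward
        if state is None:
            if not inbound and pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"  # inside host opens a connection
                return "ACCEPT"
            return "DROP"  # no connection this packet could belong to
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]  # toy teardown; real filters linger in FIN_WAIT/TIME_WAIT
            return "ACCEPT"
        if state == "SYN_SENT":
            if inbound and pkt.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            if not inbound and pkt.flags == {"SYN"}:
                return "ACCEPT"  # client retransmitting its SYN
            return "DROP"  # out of sequence: data before the handshake completed
        if "SYN" in pkt.flags:
            return "DROP"  # a new handshake inside a live connection is bogus
        return "ACCEPT"  # ESTABLISHED: ordinary segments in either direction


def run_demo() -> dict:
    """Scripted packets through both filters; returns name -> (stateless, stateful)."""
    sf, F = StatefulFilter(), frozenset
    client, server, attacker = "10.1.2.3", "203.0.113.10", "198.51.100.7"
    script = [
        ("client_syn",    Packet(client, 40000, server, 80, F({"SYN"}))),
        ("server_synack", Packet(server, 80, client, 40000, F({"SYN", "ACK"}))),
        ("client_ack",    Packet(client, 40000, server, 80, F({"ACK"}))),
        ("server_data",   Packet(server, 80, client, 40000, F({"ACK"}))),
        # Probes from the attacker; none belongs to a connection the inside opened.
        ("ack_scan",      Packet(attacker, 31337, client, 22, F({"ACK"}))),
        ("forged_synack", Packet(attacker, 80, client, 40001, F({"SYN", "ACK"}))),
        ("inbound_syn",   Packet(attacker, 31337, client, 22, F({"SYN"}))),
        # Server closes; a straggler after the close matches no state any more.
        ("server_fin",    Packet(server, 80, client, 40000, F({"FIN", "ACK"}))),
        ("late_data",     Packet(server, 80, client, 40000, F({"ACK"}))),
    ]
    return {name: (stateless_filter(p), sf.filter(p)) for name, p in script}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:14} stateless={stateless:7} stateful={stateful}")
```

The ack_scan and forged_synack probes are the cases the paragraph above is about: a plain filter that only blocks inbound SYN passes both, while the stateful filter drops them because nothing in its table matches. The per-connection table that makes this possible is also what costs the memory and CPU discussed next.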

• Proxy firewalls. The proxy is generally the most secure type of firewall because it terminates each connection and enforces the protocol, though performance is an issue. There are two types of proxy firewall: application-specific (one per protocol, such as HTTP or SMTP) and generic. Generic proxies protect against IP-layer attacks, such as fragmentation tricks and address spoofing, but offer no security benefit over stateful packet filters against protocol-level attacks.

In a proxy, the client and server do not have a direct channel. To the server, the proxy acts as a client, and to the client, the proxy acts as a server--the proxy is the middleman, passing messages between the two.

Application-specific proxies inspect traffic at Layer 7: an HTTP proxy can check that a Web request is valid HTTP and try to detect exploits such as buffer overflows, for instance an oversized request line or header field. But not all proxies are equally intelligent. Typically they check only protocol syntax, not the meaning of the data the application behind them will act on, so a request that is perfectly well-formed HTTP can still carry a destructive payload straight through. Proxy firewalls are also limited in protocol support; they're usually specialized. Performance is another big concern, which is why some organizations run one or more specialized proxies for HTTP or FTP traffic and rely on a stateful firewall to protect the borders.
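As an added illustration of the two proxy types described above (not code from the article or from any product): a generic relay that forwards bytes without understanding HTTP, beside an application proxy that parses the request line and headers and enforces syntax and size limits. The allowed-method list, the size limits and the four sample requests are assumptions constructed for the demo.

```python
"""Toy generic relay vs application-layer HTTP proxy (added illustration, not code
from the article or any product). Method list, size limits and the sample requests
are assumptions constructed for the demo."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 2048  # assumed limits; real proxies make these configurable
MAX_HEADER_VALUE = 4096
MAX_HEADERS = 50
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 token


class ProxyReject(Exception):
    """Raised when the application proxy refuses to relay a request."""


def generic_relay(raw: bytes) -> bytes:
    """Generic (circuit-level) proxy: terminates TCP, which shields the real server
    from IP-layer tricks, but relays the bytes without understanding them."""
    return raw


def http_proxy_check(raw: bytes) -> dict:
    """Application proxy: accept only well-formed HTTP/1.x within size limits.
    Returns the parsed request, or raises ProxyReject with the reason."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(lines[0]) > MAX_REQUEST_LINE or len(parts) != 3:
        raise ProxyReject("malformed or oversized request line")
    method, target, version = parts
    if method.decode("ascii", "replace") not in ALLOWED_METHODS:
        raise ProxyReject(f"method not allowed: {method!r}")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise ProxyReject(f"bad version: {version!r}")
    if not target.startswith(b"/") or any(c < 0x21 or c > 0x7E for c in target):
        raise ProxyReject("bad request target")  # control bytes, spaces, non-ASCII
    if len(lines) - 1 > MAX_HEADERS:
        raise ProxyReject("too many headers")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not HEADER_NAME.match(name.decode("ascii", "replace")):
            raise ProxyReject(f"malformed header: {line[:32]!r}")
        if len(value) > MAX_HEADER_VALUE:
            raise ProxyReject(f"header {name!r} too long")  # classic overflow vector
        headers[name.decode().lower()] = value.strip().decode("latin-1")
    if version == b"HTTP/1.1" and "host" not in headers:
        raise ProxyReject("HTTP/1.1 request without Host")
    return {"method": method.decode(), "target": target.decode(),
            "headers": headers, "body": body}


def run_demo() -> dict:
    """Four constructed requests; returns name -> application-proxy verdict.
    The generic relay forwards all four, since it never parses them."""
    hostile_body = b"user=admin'; DROP TABLE users;--"  # valid HTTP, harmful meaning
    cases = {
        "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "overflow_attempt": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                             b"User-Agent: " + b"A" * 9000 + b"\r\n\r\n"),
        "malformed_header": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                             b"X-Inject\x00ed: 1\r\n\r\n"),
        "valid_but_hostile": (b"POST /cgi-bin/login HTTP/1.1\r\nHost: www.example.com\r\n"
                              b"Content-Length: %d\r\n\r\n" % len(hostile_body) + hostile_body),
    }
    verdicts = {}
    for name, raw in cases.items():
        generic_relay(raw)  # the generic proxy forwards every one of these unchanged
        try:
            http_proxy_check(raw)
            verdicts[name] = "FORWARDED"
        except ProxyReject as exc:
            verdicts[name] = f"REJECTED: {exc}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```

The overflow_attempt and malformed_header cases show what the syntax check buys: the generic relay passes them, the application proxy refuses them. The valid_but_hostile case shows the limit the paragraph warns about: the request is correct HTTP, so a proxy that checks only protocol syntax forwards the SQL-injection payload in its body untouched.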