Packet Filtering Firewall

The packet filtering firewall (see the figure below) is perhaps the most common and easiest to employ for small, uncomplicated sites. However, it suffers from a number of disadvantages and is less desirable as a firewall than the other example firewalls discussed in this chapter. Basically, one installs a packet filtering router at the Internet (or any subnet) gateway and then configures the packet filtering rules in the router to block or filter protocols and addresses. The site systems usually have direct access to the Internet, while all or most access to site systems from the Internet is blocked. However, the router could allow selective access to systems and services, depending on the policy. Usually, inherently dangerous services such as NIS, NFS, and X Windows are blocked.

Figure: Packet Filtering Firewall.

A packet filtering firewall suffers from the same disadvantages as a packet filtering router; however, these can become magnified as the security needs of a protected site become more complex and stringent. These would include the following:

A packet filtering router can implement either of the design policies discussed earlier in this document. However, if the router does not filter on source port, or does not filter inbound as well as outbound packets, it may be more difficult to implement the second policy, i.e., deny everything unless specifically permitted. If the goal is to implement the second policy, a router that provides the most flexibility in the filtering strategy is desirable. Again, see [Chap92] as well as [Ches94] for more information.
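As an added illustration (not part of Wack's document), the following Python models a stateless packet filtering router with a deny-by-default policy and compares a router that cannot filter on source port with one that can. The rule sets, the port numbers chosen for NIS, NFS and X11, and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of a stateless packet filtering router at the site gateway.
# Rules match on direction, protocol and ports only (no addresses, no state).
HIGH_PORTS = range(1024, 65536)  # ephemeral ports used by clients

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = Internet -> site, "out" = site -> Internet
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    direction: str                 # "in", "out" or "any"
    proto: str = "any"
    sport: Optional[range] = None  # None matches any source port
    dport: Optional[range] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))

def filter_packet(rules: list, p: Packet) -> str:
    """First matching rule wins; no match means deny (deny-by-default)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Inherently dangerous services are denied inbound regardless of policy.
BLOCK_DANGEROUS = [
    Rule("deny", "in", dport=range(111, 112)),           # sunrpc / NIS
    Rule("deny", "in", dport=range(2049, 2050)),         # NFS
    Rule("deny", "in", "tcp", dport=range(6000, 6064)),  # X11 displays
]
# Router without source-port filtering: to let replies to outbound
# connections back in, it must permit all inbound TCP to high ports.
NO_SPORT_FILTER = BLOCK_DANGEROUS + [
    Rule("permit", "out"),
    Rule("permit", "in", "tcp", dport=HIGH_PORTS),
]
# Router with source-port filtering: only replies from a well-known service
# port (HTTP here) reach high ports; any other inbound connection stays denied.
SPORT_FILTER = BLOCK_DANGEROUS + [
    Rule("permit", "out"),
    Rule("permit", "in", "tcp", sport=range(80, 81), dport=HIGH_PORTS),
]
```

The difference shows up on an unsolicited inbound connection to a high port on a site host: the first router has to let it through to keep web replies working, the second can deny it.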






John Wack
Thu Feb 9 18:17:09 EST 1995