Firewalls

Packet Filters vs Proxies

Prepared for:

CSE 588

May 1, 1997

Executive Summary

Data security is an important issue for every organization. When an organization connects to the Internet, it creates a pathway for data to flow both in and out. A firewall is a tool that restricts the flow of data between an internal network and the external network. There are two main types of firewalls: network-level firewalls, which filter packets as they pass through the firewall, and application-level firewalls, which process the content of the data being sent and then resend it as appropriate.

Network-level firewalls process data quickly when simple rule sets are used, and they are transparent to end users. With complex setups, both performance and security may be degraded. Application-level firewalls allow higher levels of security, which come at the cost of performance and price. An organization must examine its security needs to determine which type of firewall, or a combination of both, will meet them.

Table of Contents

Executive Summary

Table of Contents

Background

Key Issues

Analysis of network-level firewalls

Analysis of application-level firewalls

Conclusions

References

Background

In this day and age almost every business wants to get onto the Internet. When you connect your network to the Internet you are not only allowing your users to connect out to the Internet; you are also allowing everybody on the Internet to reach your network. In a perfect world this would be fine; unfortunately, the Internet contains all types of people, including those who want to connect to your network for mischievous purposes. A firewall can be used to restrict the traffic flowing between these two networks. A firewall is a system or group of systems placed between an internal network and the Internet. With a properly set up firewall, internal users have access to the resources they need on the Internet, and outside users can reach public information stores without being given access to proprietary data on the internal network.

Before considering the technical merits of a firewall, an organization must decide on a security policy. An organization must know what data it is protecting and what other holes need to be plugged before it can secure that data. Data is only as secure as the weakest link in the system, so every form of access to your network must be considered, not just the Internet connection. The security policy dictates what data is allowed to enter and leave your organization's network. You can then use this information to decide which firewall to get and how to configure it.

Key Issues

There are two basic types of firewalls: network level and application level. Network-level firewalls are often referred to as packet filters. Application-level firewalls are also known as application gateways or proxies. This report explains what these two types of firewalls are, discusses the differences between them, and compares the benefits and drawbacks of each. The aspects investigated are the level of security, the ease of setup, the performance, and the transparency provided to end users.

Analysis of network-level firewalls

A network-level firewall filters packets as they pass through the firewall, or through a router with packet filtering enabled. The header of each packet is examined as it passes through and the packet is either allowed through or discarded. A packet filter can only base its decisions on the header; it cannot examine the data the packet carries. The header fields examined include the IP source address, the destination address, the source port, the destination port, the protocol (TCP, UDP, ICMP, etc.) and, for TCP, the flags that indicate whether the packet starts a connection or belongs to one already under way. These header fields are compared against a set of rules. It is these site-specific rules that determine which packets are blocked. The rules can be set up to allow incoming packets to reach only a small subset of the hosts on the internal network, or to refuse all packets from a set of untrusted hosts. A site might configure the packet filter to allow traffic only to specific ports on a machine, for example only to port 25 (SMTP mail) or port 80 (HTTP).

A common configuration is to allow all outbound traffic: that is, to allow all traffic from internal hosts to external hosts, together with the associated return traffic for connection-based traffic (TCP). Inbound traffic is restricted to the machines and services being offered to the outside world, such as SMTP to the mail server and HTTP to the web server.

The major advantages of network-level firewalls are that they tend to be very fast and transparent to users. Beyond the time spent planning the filter rules, the cost of implementing packet filters is low. Packet filtering is usually included as a feature of the router that an organization is already using to connect its network to the Internet.

Packet filters do have a few drawbacks. Defining the filter rules can be a complex task, especially as the number and types of traffic that need to be allowed or restricted increase. If the rule set becomes very long and complex, the response time of the router will suffer: each rule added is one more check the router must perform before a packet can be forwarded. It is also hard to test that your rule set will actually keep your network secure. There is no guarantee that the data within an allowed packet will not cause havoc once it reaches an internal host, so any host that packets are allowed to reach must itself be secure against attack through that traffic. If an intruder gains access to one internal host, the other internal hosts are no longer protected by the network-level firewall. All of these things must be considered.
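The configuration described above, worked through in code as an added illustration (this is not from the original report). It is a minimal first-match packet filter: rules are checked top to bottom, the first rule whose fields all match decides the packet, and a packet matching no rule is dropped. As in the text, the filter sees header fields only. The addresses are constructed from the RFC 5737 documentation ranges, and the last sample packet shows the testing caveat from the paragraph above: a header-only filter that admits "return traffic" by looking at the TCP ACK flag will also admit an outsider's ACK-flagged probe to any internal port, which is one reason the internal hosts must still be hardened.

```python
"""
Minimal first-match packet filter (added illustration, not from the report).
Only header fields are available: protocol, source and destination address,
destination port and, for TCP, whether the ACK flag is set, which is the
classic packet-filter approximation of "return traffic for an established
connection". Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port (None for ICMP)
    ack: bool = False            # TCP ACK flag; False on the first SYN of a connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    dport: Optional[int] = None  # None matches any destination port
    ack: Optional[bool] = None   # None matches either ACK state

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit final rule: default deny


# Constructed addresses: 192.0.2.0/24 is the internal network, with the mail
# server at .25 and the web server at .80; 198.51.100.7 is an outside host.
INTERNAL = "192.0.2.0/24"

# The "common configuration" from the text: everything outbound, TCP replies
# back in, and inbound connections only to the published SMTP and HTTP services.
RULES = [
    Rule("allow", src=INTERNAL),                                # all outbound traffic
    Rule("allow", proto="tcp", dst=INTERNAL, ack=True),         # replies to internal TCP clients
    Rule("allow", proto="tcp", dst="192.0.2.25/32", dport=25),  # SMTP to the mail server
    Rule("allow", proto="tcp", dst="192.0.2.80/32", dport=80),  # HTTP to the web server
]

# Constructed sample packets used to test the rule set.
SAMPLE = {
    "outbound_web":   Packet("tcp", "192.0.2.10", "198.51.100.7", 80),
    "web_reply":      Packet("tcp", "198.51.100.7", "192.0.2.10", 40123, ack=True),
    "inbound_smtp":   Packet("tcp", "198.51.100.7", "192.0.2.25", 25),
    "inbound_http":   Packet("tcp", "198.51.100.7", "192.0.2.80", 80),
    "telnet_mailsrv": Packet("tcp", "198.51.100.7", "192.0.2.25", 23),
    "http_to_client": Packet("tcp", "198.51.100.7", "192.0.2.10", 80),
    "inbound_dns":    Packet("udp", "198.51.100.7", "192.0.2.53", 53),
    "inbound_ping":   Packet("icmp", "198.51.100.7", "192.0.2.10"),
    # An ACK-flagged packet that is not a reply to anything. A header-only filter
    # cannot tell it from real return traffic, so it reaches port 23 on an internal
    # host; that host must be secure on its own. A filter that tracks connection
    # state would close this hole.
    "ack_probe":      Packet("tcp", "198.51.100.7", "192.0.2.10", 23, ack=True),
}


def decisions(rules=RULES, packets=SAMPLE):
    """Evaluate every named sample packet against the rule set."""
    return {name: filter_packet(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:15s} {verdict}")
```

Running the block prints one verdict per sample packet; the two inbound services and all outbound traffic are allowed, the telnet, DNS, ping and misdirected HTTP packets are denied, and the ACK probe slips through, which is exactly the kind of thing a rule set has to be tested for before it is trusted.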

Analysis of application-level firewalls

An application-level firewall is quite different from a network-level firewall. It does not forward packets between the two networks. It takes a packet, examines the contents, processes it, and then resends the data as appropriate. The packet contents are processed by a special-purpose piece of code (a proxy service) that must be installed on the firewall for each type of traffic that will pass through it. The proxy services have a more in-depth knowledge of the type of data they are processing. A proxy may support only a subset of a standard application's command set, with the features that could cause problems disabled. The proxies can implement a first layer of security before allowing a user to connect to a service on an internal host (e.g. on telnet or FTP gateways). The application firewall provides a convenient place to produce detailed audit logs, which are essential for discovering attempts to break into a network. Application-level firewalls give an administrator full control over the traffic between the networks. A proxy can also hide the existence of internal hosts: if the internal network uses a different addressing scheme, the firewall can translate network addresses before letting an internal host talk to the Internet.
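The two proxy behaviours named above, a restricted command subset and an audit trail, worked through in code as an added illustration (not from the original report). The class below stands in for the command channel of an FTP gateway: it terminates the client's connection, parses each command line, forwards only the verbs in its allowed set to the real server, answers every other command itself with a standard FTP reply, and logs each decision. The command names and reply codes are FTP's (RFC 959); the read-only policy, the client address and the sample session are constructed for the example.

```python
"""
Command-subset filter of the kind an application-level proxy applies
(added illustration, not from the report). Exactly one of the two return
values of handle() is set: either the command goes on to the real server in
canonical form, or the proxy answers the client itself and nothing reaches
the server.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed policy: read-only FTP through the gateway. Uploads (STOR, APPE),
# deletion and renaming, server-specific SITE commands and active-mode PORT
# (which makes the server open a connection back into the client's network)
# are refused; PASV is allowed so data connections originate from the client.
READ_ONLY_FTP = frozenset({"USER", "PASS", "CWD", "PWD", "TYPE", "PASV",
                           "LIST", "NLST", "RETR", "NOOP", "QUIT"})
MAX_LINE = 512  # RFC 959: a command line is at most 512 bytes including CRLF


class CommandProxy:
    def __init__(self, client: str, allowed=READ_ONLY_FTP):
        self.client = client   # client address, recorded in every audit line
        self.allowed = allowed
        self.audit = []        # one audit line per client command

    def _log(self, verdict: str, what: str) -> None:
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.audit.append(f"{stamp} {self.client} {verdict} {what}")

    def handle(self, raw: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
        """Process one raw line from the client; return (to_server, to_client)."""
        if len(raw) > MAX_LINE:
            self._log("REJECT", "<oversized line>")
            return None, b"500 Line too long.\r\n"
        try:
            line = raw.decode("ascii").rstrip("\r\n")
        except UnicodeDecodeError:
            self._log("REJECT", "<non-ASCII line>")
            return None, b"500 Syntax error, command unrecognized.\r\n"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in self.allowed:
            self._log("REJECT", verb)
            return None, b"502 Command not implemented.\r\n"
        # Allowed: forward in canonical form, and keep passwords out of the log.
        self._log("FORWARD", "PASS ****" if verb == "PASS" else f"{verb} {arg}".rstrip())
        forwarded = verb + (" " + arg if arg else "") + "\r\n"
        return forwarded.encode("ascii"), None


def run_session(client: str, lines) -> CommandProxy:
    """Feed a constructed client session through the proxy and return it for inspection."""
    proxy = CommandProxy(client)
    for raw in lines:
        proxy.handle(raw)
    return proxy


# Constructed session from client 203.0.113.5: a login and a download, then an
# attempted upload and a switch to active mode, both of which the proxy refuses.
SESSION = [
    b"USER alice\r\n",
    b"pass s3cret\r\n",
    b"PASV\r\n",
    b"RETR report.txt\r\n",
    b"STOR backdoor.exe\r\n",
    b"PORT 203,0,113,5,4,1\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for entry in run_session("203.0.113.5", SESSION).audit:
        print(entry)
```

The audit list is what an administrator would read after the fact: seven lines for the seven commands, two of them REJECT entries for STOR and PORT, and the password replaced by asterisks so the log itself does not become a target.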

These higher levels of security do come at a price. Hardware and software must be purchased to run the firewall. Each service may have to be configured separately, and the time and knowledge needed to configure the gateway are required. All of the extra processing of data may produce a noticeable decrease in the level of service provided to users. An application-level firewall is not transparent to end users: some applications are unable to use proxies at all, and others need special configuration options set before they will work.

Conclusions

Which type of firewall an organization should use depends on many factors, including how secure the organization needs to be, how much data will be shared across the firewall, its technical expertise, and economics. A network-level firewall will work for an organization that does not need bulletproof security or has a relatively simple network configuration where a simple rule set will do the job. An organization that wishes to limit its interactions with the Internet or needs stricter security may be better suited to an application-level firewall. If your organization has more complex requirements, you may need a combination of the two.

No matter which firewall an organization uses, it must plan out the implementation. In today's world an organization must protect its data from the misfits who wish to use it for their own purposes.

References

Semeria, Chuck. Internet Firewalls and Security. Online. 3Com. Available: http://www.3com.com/nsc/pdf/50061901.pdf

Ranum, Marcus J. Internet Firewalls Frequently Asked Questions. Online. Available: http://www.v-one.com/html/faq.htm

Wack, John P. & Carnahan, Lisa J. Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. Online. National Institute of Standards and Technology, Special Publication 800-10, 2/3/95. Available: http://csrc.ncsl.nist.gov/nistpubs/800-10/