User's Guide

XSR Users Guide 323
Chapter 13 Firewall Feature Set Overview
Configuring Security on the XSR
While this flexibility is useful, it emphasizes the fact that the shield is only as
effective as the intelligence of the policies. Functionally, the XSR’s policy
database defines the configuration and retains information about the sessions
currently allowed through the firewall.
Types of Firewalls
Generally speaking, there are three types of firewalls: Access Control List
(ACL) or Packet Filter, Application Level Gateway (ALG) or Proxy, and
Stateful Inspection. Each of these firewall types operates at a different layer of
the TCP/IP network model, using different criteria to restrict traffic.
ACL and Packet Filter Firewalls
ACL and packet filter firewalls statically apply security policy to a packet’s
contents according to pre-configured rules you specify such as permitted or
denied source and destination addresses and port numbers. These firewalls
are scalable, easy to implement and widely deployed for simple Network
layer filtering, but they suffer the following disadvantages:
• Do not maintain state for an individual session, nor track a session
establishment protocol. Ports are typically either open or blocked statically
• Do not examine application data
• Do not work well with applications which open secondary data
channels using port information embedded in the protocol - “difficult
protocols” such as FTP and H.323 (video conferencing applications)
• Cannot detect protocol-level problems and attacks
• Less secure than stateful inspection or proxy firewalls
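To make the first disadvantage concrete, the following Python example (added here, not part of the XSR guide) runs the same constructed packets through a static ACL and through a minimal stateful tracker. The host address, server addresses and ports are constructed sample values; the rule sets are hypothetical, not the XSR's own syntax.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection

INSIDE = "10.0.0.5"      # constructed: protected host behind the firewall
WEB = 80

def stateless_acl(pkt: Packet) -> bool:
    """Static ACL: each packet is judged alone against fixed rules.
    Replies cannot be tied to a session, so the return path needs a
    permanently open rule on the high port range ("ports always open")."""
    if pkt.src == INSIDE and pkt.dport == WEB:
        return True
    if pkt.dst == INSIDE and pkt.sport == WEB and pkt.dport > 1023:
        return True
    return False

class StatefulInspector:
    """Tracks sessions: a reply is admitted only if the inside host opened
    the connection first, so no permanent return-path rule is required."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True
        if pkt.syn and pkt.src == INSIDE and pkt.dport == WEB:
            self.sessions.add(fwd)   # record the new outbound session
            return True
        return False

def compare(packets):
    """Run packets, in order, through both filters.
    Returns {label: (stateless_verdict, stateful_verdict)}."""
    insp = StatefulInspector()
    return {label: (stateless_acl(p), insp.check(p)) for label, p in packets}

SAMPLE = [   # constructed traffic, processed top to bottom
    ("outbound syn", Packet(INSIDE, 40000, "203.0.113.7", WEB, syn=True)),
    ("legit reply", Packet("203.0.113.7", WEB, INSIDE, 40000)),
    ("unsolicited", Packet("198.51.100.9", WEB, INSIDE, 3389)),
]

if __name__ == "__main__":
    for label, (stateless, stateful) in compare(SAMPLE).items():
        print(f"{label:13} stateless={stateless} stateful={stateful}")
```

The third packet was never requested by the inside host; the static ACL admits it because its source port matches the always-open return rule, while the stateful tracker drops it for lack of a matching session.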
ALG and Proxy Firewalls
ALG or proxy firewalls filter packets at the top of the stack - Layer 5. They:
• Act as an agent (proxy) between IP client and server transactions. A
proxy server often runs on dedicated, hardened operating systems
with limited functionality, offering less of a chance to be
compromised