User's Guide

324 XSR Users Guide
Firewall Feature Set Overview Chapter 13
Configuring Security on the XSR
- Filter bad packets and bad contents to protect internal hosts incapable
  of protecting themselves against these attacks:
    - Bad packets (too long or too short)
    - Unrecognized commands (possible attack)
    - Legal but undesirable commands/operations (as set by policy)
    - Objectionable contents (content and URL filtering)
- Drop incoming/outgoing connections such as FTP, gopher, or Telnet
  applications at the proxy firewall first.
- Create two connections, one from the client to the firewall, the other
  from the firewall to the actual server. This generates a completely
  new packet which is sent to the actual server based on the firewall's
  "read" of the incoming packet and its correct implementation of the
  application's protocol. When the server replies, the proxy firewall
  again interprets and regenerates a new packet to send to the client.
- Build another layer of protection between interior hosts and the
  external world, forcing a hacker to first break into the proxy server in
  order to launch an attack on internal hosts.
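The proxy behaviour described above (read the client's packet, reject bad or unrecognized or policy-barred commands, then regenerate a fresh packet for the real server) as an added example; this is illustrative code, not XSR firmware, and the FTP-like command table, length limits and site policy are constructed assumptions.

```python
"""Minimal application-layer proxy filter for a line-based, FTP-like
command channel. Constructed example: the command table, limits and
policy below are assumptions, not the XSR's own implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed protocol model: commands the proxy understands, mapped to
# the number of arguments each legally takes.
KNOWN_COMMANDS = {"USER": 1, "PASS": 1, "CWD": 1, "LIST": 0,
                  "RETR": 1, "STOR": 1, "DELE": 1, "QUIT": 0}
MAX_LINE = 128   # longer than this is a "bad packet" (too long)
MIN_LINE = 3     # shorter than this is a "bad packet" (too short)


@dataclass(frozen=True)
class ProxyPolicy:
    # Legal but undesirable commands, as set by site policy (assumed).
    denied: frozenset = frozenset({"DELE", "STOR"})


def filter_command(raw: bytes, policy: ProxyPolicy) -> Tuple[str, Optional[bytes]]:
    """Return (verdict, regenerated_line).

    verdict is 'FORWARD' or a 'DROP:<reason>' string. regenerated_line is a
    brand-new packet built from the parsed fields; the client's raw bytes are
    never relayed to the server, which is the point of a proxy firewall."""
    if len(raw) > MAX_LINE or len(raw) < MIN_LINE:
        return "DROP:bad-packet", None
    try:
        text = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return "DROP:bad-packet", None
    parts = text.split()
    if not parts:
        return "DROP:bad-packet", None
    verb, args = parts[0].upper(), parts[1:]
    if verb not in KNOWN_COMMANDS:
        return "DROP:unrecognized-command", None       # possible attack
    if len(args) != KNOWN_COMMANDS[verb]:
        return "DROP:malformed-command", None          # protocol violation
    if verb in policy.denied:
        return "DROP:policy", None                     # legal but undesirable
    # Regenerate: normalized verb, single spaces, canonical line ending.
    new_line = (" ".join([verb, *args]) + "\r\n").encode("ascii")
    return "FORWARD", new_line
```

A second instance of the same logic, pointed at the server's replies, would complete the two-connection model the text describes.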
But the above advantages of an application or proxy firewall are offset by the
following weaknesses:
- Higher overhead: because it is usually implemented at the Application
  layer, additional processing is needed to transfer packets between the
  kernel and the proxy application.
- Non-scalability: support for a new protocol or a new feature of an
  existing protocol often lags by months or years.
- Non-transparency: proxy server users may discover the server bars an
  application, forcing users to find alternatives.
Stateful Inspection Firewalls
A stateful inspection firewall combines the aspects of other firewalls to filter
packets at the network layer, determine whether session packets are
legitimate and evaluate the payload of packets at the application layer.
It allows a direct connection between client and host, alleviating the lack of
transparency of ALGs. Also, it employs algorithms to recognize and process
Layer 5 data rather than run application-specific proxies.