User guide
Chapter 2. Securing Your Network
Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. Table 2.2, “Firewall Types” details three common types of firewalls and how they function:
Table 2.2. Firewall Types

Method: NAT
Description: Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem.
Advantages:
· Can be configured transparently to machines on a LAN
· Protection of many machines and services behind one or more external IP addresses simplifies administration duties
· Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway
Disadvantages:
· Cannot prevent malicious activity once users connect to a service outside of the firewall

Method: Packet Filter
Description: A packet filtering firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
Advantages:
· Customizable through the iptables front-end utility
· Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level
· Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host
Disadvantages:
· Cannot filter packets for content like proxy firewalls
· Processes packets at the protocol layer, but cannot filter packets at an application layer
· Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks

Method: Proxy
Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
Advantages:
· Gives administrators control over what applications and protocols function outside of the LAN
· Some proxy servers can cache frequently accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption
· Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network
Disadvantages:
· Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies work with TCP-connected services only)
· Application services cannot run behind a proxy, so your application servers must use a separate form of network security
· Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service
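The NAT and Packet Filter rows of Table 2.2 both rest on the Netfilter subsystem driven through the iptables front end. As an added example that is not part of this guide, the script below prints an iptables ruleset for a gateway that masquerades a private subnet behind its public address and applies stateful, default-deny filtering to forwarded traffic; the interface names, subnet and allowed ports are hypothetical arguments, and the commands are only printed so an administrator can review them before running them as root.

```shell
#!/bin/sh
# Added example (not from the guide): emit an iptables ruleset for a Linux
# NAT gateway that also packet-filters forwarded traffic, as Table 2.2 describes.
# The rules are printed, not applied; review them, then pipe the output to sh as root.

gen_gateway_rules() {
    lan_if=$1      # interface facing the private LAN (hypothetical, e.g. eth1)
    wan_if=$2      # interface holding the public address (hypothetical, e.g. eth0)
    lan_net=$3     # private subnet behind the gateway (hypothetical, e.g. 192.168.1.0/24)
    allowed_tcp=$4 # space-separated TCP ports LAN hosts may reach on the Internet

    # The kernel must route between interfaces before NAT or FORWARD rules matter.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Start from a clean, default-deny filter table: anything not explicitly
    # permitted below is dropped (the "closing ports" side of the table).
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # NAT: rewrite LAN sources to the single public address on $wan_if.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"

    # Stateful packet filtering: replies to flows the LAN opened are forwarded,
    # but nothing new may be initiated from the Internet toward the LAN.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Open only the listed outbound TCP ports for LAN hosts, plus DNS over UDP.
    for port in $allowed_tcp; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 53 -j ACCEPT"

    # Rate-limited logging of what the DROP policy is about to discard keeps the
    # filtering decisions auditable without flooding syslog.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '"

    # The gateway itself accepts only loopback, established flows, and SSH from the LAN.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT"
}

# Sanity check helper: how many generated rules jump to a given target.
count_target() {
    gen_gateway_rules "$1" "$2" "$3" "$4" | grep -c -- "-j $5"
}

gen_gateway_rules eth1 eth0 192.168.1.0/24 "80 443"
```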