ghostpc
Posts : 85 Member importance : 0 Join date : 18/11/2008
Subject: Firewalls Part (2) Tuesday November 25, 2008 7:40 pm
Advantages and disadvantages of different firewalls
• Packet-filtering firewall:
Advantages :
1. Transparent firewall system. As packet contents (what the packet does) are not intercepted by the packet-filtering firewall, from the network users' point of view the packet-filtering firewall is almost transparent.
2. Fast network performance.
3. Simpler to configure than the other types of firewall.
4. Only one machine is required for protecting the entire network.
5. Packet filtering capability is available in many hardware and software routing products. Many commercial products such as routers from Cisco Systems and Bay Networks, as well as freely available products including Drawbridge, KarlBridge and screend, have this capability.
6. Network hiding is supported. Some packet-filtering firewalls such as the Cisco PIX router support the Network Address Translation services.
Disadvantages :
1. IP spoofing may easily occur. Because the packet-filtering router permits or denies a network connection based on the source and destination addresses of the packet, any attack that uses a valid IP address may not be detected. In order to handle this problem, the routing table has to be examined.
2. Logged information is not descriptive enough. If the packet filtering system is set up at the router, logging may not be available.
3. Partial access control cannot be used. In most of the packet-filtering firewalls, only the IP packets are inspected, that is, examination of the network connections is performed on the network layer only, not on the operations requested. For example, SMTP services can either be accepted or rejected, but not accepted based on user identity.
4. May not be able to guard against source routing attacks. In a source routing attack, the route a packet uses to travel across the Internet is specified by the source station; this route is not the expected path to the destination and bypasses the firewall host.
5. Packet-filtering rules are comparatively harder to design and configure.
6. Not all protocols can be filtered by the packet filtering firewall. For instance, RPC-based protocols and any protocol which uses a composite form of TCP/IP and UDP/IP protocols may not be filtered by packet filtering firewalls.
7. Tiny fragment attacks may beat the packet-filter firewall. In this scheme an intruder uses the IP fragmentation feature to create extremely small fragments which contain separate TCP header information. User-defined filtering rules may examine only the first fragment and allow the other fragments to enter.
8. Data-driven attacks cannot be prevented using a packet-filter firewall.
• Application-gateway firewall :
Advantages :
1. User identity could be verified before the network connection is allowed to be established.
2. Descriptive logs can be generated. All traffic going through the firewall can be logged.
3. Simple and cost effective configuration process. Application-gateway firewalls are usually easier to configure because Internet services can be supported by simply installing proxy servers at the firewall host.
4. Supports information and network hiding. As connections established between the internal and external networks are handled by the proxy servers, information of the internal network can be hidden from the external network.
5. Comparatively less-complex filtering rules.
6. Better controllability. A particular service will not be supported unless the proxy server for that service is explicitly installed.
Disadvantages :
1. A proxy server is needed for each type of supported service.
2. Network performance is degraded. Because application-gateway firewalls examine the contents of all application level messages across the firewall, network connection speed will be affected. It may not be fast enough to handle high-speed network traffic such as T3 or ATM networks.
3. The firewall is not transparent to users. The proxy server intercepts the communications across the firewall, so different procedures are required for users to establish Internet services.
4. Client applications may require modifications. As the client-server communication model is disturbed by the firewall, modification of the client applications may be required.
5. "Delay" in new service support. Proxy servers will take some time to be developed for supporting new applications.
6. More than one firewall host may be required. From the performance point of view, different servers may be required for different supported services.
• Bastion Host firewall (and Dual-homed gateway firewall)
Advantages :
1. Full control of the network connections. Because any traffic entering the local network has to pass through this choke point, network administrators can control the network flow easily.
2. Same advantages as for the application-gateway firewall.
Disadvantages :
1. Because the bastion host is the only entry point to the local network, it also becomes the single point of attack. If hackers compromise the bastion host, they can enter the local network freely.
2. Degraded network performance. When a bastion host is installed on a slow machine, the overall performance of the network would be degraded. This type of firewall has to be run on a fairly high powered platform such as a Sparc workstation in order to maintain the performance of the network.
3. In general, it shares the same disadvantages as those for the application gateway firewall.
• Stateful inspection firewall :
Advantages :
1. Both the state and context of the transmission can be used as the blocking criteria. If the examined packet content violates the rules, even though the service is permitted into the network, transmission can still be rejected.
2. Connectionless protocols such as RPC and UDP/IP are also supported in the Stateful Inspection Firewall.
3. All connections are logged. As with application-gateway firewalls, any successful and unsuccessful connections can be logged.
4. Higher network performance. As fewer packets are examined in detail, the network communication speed is not delayed too much.
Disadvantages :
1. Difficult to configure. A stateful inspection firewall, which is also configured using packet-filtering rules, is comparatively more difficult to configure.
2. Not perfectly secure. Because only part of the connections will be examined, some insecure connections may be established across the firewall.
• Turnkey firewall :
Advantages :
1. No extra hardware is required.
2. Easy to configure. Some turnkey firewall products are provided in a plug-and-play form, thus a minimal amount of configuration would be required.
3. Reduced administration effort. As all firewalls in the organization can be configured in the same format, configuration and management are made easier.
Disadvantages :
1. Limited modifications. Because the firewall configuration is restricted by the hardware and software provided by the vendors, any enhancement of the hardware and software, as well as support for new software, applications and vulnerability management, cannot be done locally.
• Screened host firewall :
Advantages :
1. More flexible firewall than the dual-homed gateway firewall.
2. Slightly more secure with both the bastion host and the screening router. However, most literature considers the screened host firewall to have the same level of security as the dual-homed gateway firewall.
Disadvantages :
1. While the screening router could provide an extra security level to the internal network, once it is compromised hackers could enter directly into the internal network without going through the bastion host. Therefore, this "extra security" depends on the security of the screening router.
2. More difficult to configure. Extra work is needed for configuring the additional screening router.
3. The IP spoofing attack problem is not eliminated. Hackers can still attack the network by sending packets with false source addresses.
4. An extra component is required. In this architecture, both a bastion host and a screening router are required.
• Screened subnet firewall :
Advantages :
1. More flexible protection. With both packet-filtering and proxy servers used, any connection established could be decided by one or both of the firewall components.
2. Highest security level of protection. Intruders must crack three separate devices in order to penetrate into the private network.
3. Network hiding is supported. Only the DMZ network needs to be advertised to the Internet users.
Disadvantages :
1. Extra resources are needed. Two screening routers and a bastion host are required.
2. Difficult to configure. For the screened subnet firewall architecture to work properly, both screening routers must be configured properly.
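The contrast the post draws between packet filtering (its disadvantages 1, 3 and 6) and stateful inspection (its advantages 1, 2 and 3), shown in working form. This is an added example, not code from the original post: a stateless rule set has to hold the door open for reply traffic by source port, so any inbound packet carrying that source port passes regardless of whether anyone asked for it, and a UDP reply is simply dropped; the stateful version admits inbound packets only when they belong to a tracked conversation, needs no reply rule, supports UDP replies, and logs every connection decision. The addresses, rule set, packet layout and the `10.0.0.0/24` internal range are all constructed for this example.

```python
"""Stateless packet filtering beside stateful inspection, on constructed packets."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INTERNAL_NET = "10.0.0."  # constructed: the protected LAN is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag: set only on the first packet of a connection

    @property
    def inbound(self) -> bool:
        """True for Internet -> LAN packets, False for LAN -> Internet."""
        return self.dst.startswith(INTERNAL_NET) and not self.src.startswith(INTERNAL_NET)


@dataclass(frozen=True)
class Rule:
    inbound: bool                 # direction the rule applies to
    proto: Optional[str] = None   # None matches any value
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "deny"


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.inbound == pkt.inbound
            and rule.proto in (None, pkt.proto)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def stateless_decision(rules: List[Rule], pkt: Packet) -> str:
    """Packet-filtering firewall: each packet judged on its own headers, first match wins, default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: rules are consulted only for connection openers;
    every later packet is allowed only if it belongs to a tracked connection."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections: Set[Tuple] = set()
        self.log: List[str] = []

    @staticmethod
    def key(pkt: Packet) -> Tuple:
        # Direction-independent 5-tuple so that replies map onto the same entry.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def decide(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.connections:
            return "allow"  # context: part of an existing conversation
        if pkt.proto == "tcp" and not pkt.syn:
            # A non-SYN TCP packet with no state is not a reply to anything we saw.
            self.log.append(f"deny no-state {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return "deny"
        action = stateless_decision(self.rules, pkt)
        if action == "allow":
            self.connections.add(k)
        self.log.append(f"{action} new {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        return action


# Constructed policy: LAN may go anywhere, Internet may reach the mail server.
STATELESS_RULES = [
    Rule(inbound=False, action="allow"),
    Rule(inbound=True, proto="tcp", dport=25, action="allow"),
    Rule(inbound=True, proto="tcp", sport=80, action="allow"),  # needed for web replies to get back in
]
STATEFUL_RULES = STATELESS_RULES[:2]  # no reply rule: the state table covers return traffic


def run_scenario() -> dict:
    sf = StatefulFirewall(STATEFUL_RULES)
    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, syn=True)   # LAN host browses
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000)               # web server answers
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 22, syn=True)        # unsolicited, sport 80 to SSH
    dns_q = Packet("10.0.0.5", "203.0.113.53", "udp", 51000, 53)               # LAN host asks DNS
    dns_r = Packet("203.0.113.53", "10.0.0.5", "udp", 53, 51000)               # resolver answers
    return {
        "stateless_reply": stateless_decision(STATELESS_RULES, reply),       # allow
        "stateless_probe": stateless_decision(STATELESS_RULES, probe),       # allow: only headers are judged
        "stateless_dns_reply": stateless_decision(STATELESS_RULES, dns_r),   # deny: no UDP reply rule
        "stateful_request": sf.decide(request),                              # allow, tracked
        "stateful_reply": sf.decide(reply),                                  # allow, matches state
        "stateful_probe": sf.decide(probe),                                  # deny, no state, not permitted
        "stateful_dns_query": sf.decide(dns_q),                              # allow, tracked
        "stateful_dns_reply": sf.decide(dns_r),                              # allow, matches state
        "stateful_log_entries": len(sf.log),                                 # 3 connection decisions
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The stateful firewall also pays the price the post lists: a TCP packet that carries no SYN and matches no tracked connection is dropped even when a rule would have allowed the service, so its log is the only place to find out why.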
A.Tamimi Admin
Posts : 1593 Member importance : 16 Join date : 13/11/2008 Age : 39 Location : Jordan
Subject: Re: Firewalls Part (2) Friday December 05, 2008 2:35 pm
M.ALS3OD
Posts : 854 Member importance : 0 Join date : 13/09/2009 Age : 30 Location : AMMAN
Subject: Re: Firewalls Part (2) Saturday September 19, 2009 7:34 pm
Thank you, well done.