Firewall Technology Trade-Offs


June 1997 / BYTE Software Lab Report / Firewall Software for NT and Unix / Firewall Technology Trade-Offs
David Seachrist

The four basic firewall technologies involve clear trade-offs that differentiate them from each other:

Filtering gateways make routing decisions based on information in network packets. If a packet passes the security criteria, the gateway passes it through. Filtering gateways are easy to build but difficult to configure securely. Because filters pass traffic directly from an untrusted network, they are not as secure as other gateways.

Circuit-level gateways operate at the session level and require modified clients to communicate directly with the gateway, which appears to the outside host as the session originator. Typically these gateways use a state table listing valid connections, with subsequent connections granted or denied by comparing the request with state table data. Circuit gateways are less useful in environments where users need several types of Internet service or where in-bound services must be provided.

Application-level gateways (aka proxies) operate at the application level, negotiating each client/server connection made between a host on the trusted network and a host outside. Like the circuit gateway, they never directly link trusted and untrusted networks. Hosts inside the trusted network point their clients to the application gateway, which accepts client requests (e.g., HTTP, Telnet, or FTP) and relays them to an external destination host as if the firewall were the requesting client. The firewall accepts replies from outside and resends them to the internal client. Operating at the application layer enables features such as user authentication and protocol-specific filters like ActiveX blocks.

Stateful inspection uses a table of rules in which the firewall administrator defines parameters for the different services on your network. The firewall then tests the "state" of TCP traffic as it passes through the firewall by checking it against the state table. Although stateful inspection detects many known attacks, with many more added as they become known, if the state table becomes corrupt the network has a chance of being exposed.
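The following is an added worked example, not code from the original article, contrasting a per-packet filtering gateway with a stateful inspector that keeps a connection table, and showing the last point above: a corrupted state table turns the inspector's own memory into a hole. The packet fields, the internal prefix `10.0.0.`, the sample addresses and the `StatefulInspector` class are all constructed for this example; real firewalls also track teardown, timeouts and sequence numbers, which are left out here.

```python
"""Filtering gateway vs. stateful inspection (illustrative, constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the two flags we need."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."   # constructed trusted network


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Filtering gateway: each packet is judged on its own header fields.

    Rule 1: internal hosts may open outbound TCP/80 (web) connections.
    Rule 2: inbound packets with the ACK bit set are assumed to be replies.
    Rule 2 is the weak spot: nothing checks that a matching outbound
    connection exists, so any outside host that sets ACK gets through.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 80:
        return True
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.ack:
        return True
    return False


class StatefulInspector:
    """Stateful inspection: admit inbound traffic only for connections the
    firewall saw an internal host open. The table is the security boundary."""

    def __init__(self) -> None:
        # (internal_ip, internal_port, external_ip, external_port)
        self.table: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        if outbound and pkt.syn and pkt.dport == 80:
            # New permitted connection: record it, then let the SYN out.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table
        # Inbound: reverse the tuple and require an existing entry.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed traffic: a legitimate web session plus one unsolicited inbound
# packet that merely sets ACK to masquerade as a reply.
CLIENT_SYN = Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True)
SERVER_REPLY = Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True)
UNSOLICITED = Packet("203.0.113.9", 4444, "10.0.0.5", 139, ack=True)


def run_scenario() -> dict[str, bool]:
    """Decisions of both technologies for the three constructed packets."""
    insp = StatefulInspector()
    return {
        "stateless_reply": stateless_filter(SERVER_REPLY),        # True
        "stateless_unsolicited": stateless_filter(UNSOLICITED),   # True (leak)
        "stateful_syn": insp.check(CLIENT_SYN),                   # True
        "stateful_reply": insp.check(SERVER_REPLY),               # True
        "stateful_unsolicited": insp.check(UNSOLICITED),          # False
    }


def corrupted_table_exposure() -> bool:
    """The article's caveat: if the state table is corrupted (here a bogus
    entry is injected directly), previously blocked traffic is admitted."""
    insp = StatefulInspector()
    insp.table.add(("10.0.0.5", 139, "203.0.113.9", 4444))  # corrupt entry
    return insp.check(UNSOLICITED)                          # True


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DROP'}")
    print("after table corruption  ", "ALLOW" if corrupted_table_exposure() else "DROP")
```

The stateless filter lets the unsolicited packet in because the ACK-bit rule cannot distinguish a reply from a forgery; the stateful inspector drops it because no internal host opened that connection. The last function shows why the integrity of the state table matters as much as the rules: a single wrong entry grants exactly the access the table was meant to deny, so the table's storage and update path belong inside the trusted computing base.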

