Firewall Taxonomy
Firewalls come in various sizes and flavors. The most typical idea of a firewall is a
dedicated system or appliance that sits in the network and segments an "internal" network
from the "external" Internet. Most home or SOHO networks use an appliance-based
device for broadband connectivity that includes a built-in firewall. In general, firewalls
can be categorized under one of two general types:
• Desktop or personal firewalls
• Network firewalls
The primary difference between these two types of firewalls simply boils down to the
number of hosts that the firewall protects. Within the network firewall type, there are
primary classifications of devices, including the following:
• Packet-filtering firewalls (stateful and nonstateful)
• Circuit-level gateways
• Application-level gateways
The preceding list describes general classes of firewalls but, as discussed later, many
network firewalls represent hybrids of the preceding classifications. Many firewalls have
characteristics that place them in more than one classification.
Figure 2-1 shows a breakdown of the various firewall types currently available. This
figure does not provide complete details of the various capabilities within each firewall
type but rather shows the general taxonomy of the different firewalls available in the two
primary types: personal/desktop firewalls and network firewalls.
Figure 2-1. Firewall Taxonomy
Given these various firewall types available, users may have a hard time identifying
exactly what they need. In many cases, costs represent a driving factor in the purchase of
a firewall, but knowing which types of firewalls are available and what capabilities they
provide helps users make a more informed final decision.
Personal Firewalls
Personal firewalls are designed to protect a single host from unauthorized access. Over
the years, this has evolved so that modern personal firewalls now integrate additional
capabilities such as antivirus software monitoring and in some cases behavior analysis
and intrusion detection to protect the device. Some of the more popular commercial
personal firewalls include BlackICE as well as Cisco Security Agent. In the SOHO
market Trend Micro's PC-cillin, ZoneAlarm, and the Symantec personal firewall are
some of the more popular offerings. Microsoft's Internet Connection Firewall is also
among the top personal firewalls installed because of the install base of machines running
Windows XP with Service Pack 2.
Whereas personal firewalls make immense sense in the SOHO and home user market
because they provide the end user protection as well as control of the policy, in the
enterprise the issues are more complex. Perhaps the biggest concern for enterprise users
with regard to personal firewalls is the ability to provide a centralized policy control
mechanism for the firewall. The need to centralize policy control is critical to the use of
personal firewalls in an enterprise environment to minimize the administrative burden.
What is administrative burden? As the number of firewalls deployed in an organization
increases, the network administrator must be concerned with the proper configuration and
monitoring of each one of these firewalls. Therefore, it is extremely important that as the
number of firewalls increases, the ability to administer them does not become overly
burdensome. By centralizing policy control and monitoring, many vendors have eased the
effort of properly configuring the firewall policy and of monitoring the events.
Network Firewalls
Network firewalls are designed to protect whole networks from attack. Network firewalls
come in two primary forms: a dedicated appliance or a firewall software suite installed on
top of a host operating system. Examples of appliance-based network firewalls include
the Cisco PIX, the Cisco ASA, Juniper's NetScreen firewalls, Nokia firewalls, and
Symantec's Enterprise Firewall. The more popular software-based firewalls include
Check Point's Firewall-1 NG or NGX Firewalls, Microsoft ISA Server, Linux-based
IPTables, and BSD's pf packet filter. The Sun Solaris operating system has, in the past,
been bundled with Sun's enterprise firewall, SunScreen. With the release of Solaris 10,
Sun has begun bundling the open source IP Filter (IPF) firewall as an alternative to
SunScreen.
Many network firewalls provide enterprise users the maximum flexibility and protection
in a firewall system. These firewalls have over the past few years incorporated many new
features such as in-line intrusion detection and prevention as well as virtual private
network (VPN) termination capabilities both for LAN-to-LAN VPNs as well as remote-
access-user VPNs. Another feature that has been introduced into network firewalls is a
deep packet-inspection capability. The firewall can identify traffic requirements not just
by looking at Layer 3 and Layer 4 information but by delving all the way into the
application data so that the firewall can make decisions as to how to best handle the
traffic flow. This evolution in firewall design and capabilities has led to the development
of a new firewall product, the integrated firewall, which is covered in more detail in the
next section.
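As an added illustration that is not text or code from the book, the following Python simulation contrasts the packet-filtering classes named in the taxonomy above with the deep packet-inspection behavior described in this section. It runs one constructed packet stream (made-up RFC 1918 and RFC 5737 addresses) through a stateless packet filter, a stateful packet filter with a connection table, and an application-level gateway that additionally checks that data on port 80 is actually HTTP. The Packet type, the single "allow outbound web" policy, and the addresses are assumptions of this example; the circuit-level gateway class is not modelled.

```python
"""Toy comparison of firewall classes (added example; constructed data)."""
from dataclasses import dataclass

INTERNAL_NET = "192.168.1."      # constructed "inside" prefix (RFC 1918 space)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # TCP SYN: first packet of a new connection
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter with no memory of connections.  To let web replies
    back in, it must accept any inbound packet whose source port is 80,
    so unsolicited inbound traffic can pass by choosing that source port."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return True
    if is_internal(pkt.dst) and pkt.sport == 80:
        return True
    return False


class StatefulFilter:
    """Packet filter with a connection table: inbound packets are accepted
    only when they belong to a flow an internal host started."""

    def __init__(self) -> None:
        self.table: set = set()

    @staticmethod
    def _key(pkt: Packet):
        # normalise to (inside addr, inside port, outside addr, outside port)
        if is_internal(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        if is_internal(pkt.src) and pkt.syn and pkt.dport == 80:
            self.table.add(key)      # new outbound web connection: remember it
            return True
        return key in self.table     # otherwise it must match a known flow

    def close(self, pkt: Packet) -> None:
        self.table.discard(self._key(pkt))


def http_payload_ok(pkt: Packet) -> bool:
    """Application-layer check: data on port 80 must look like HTTP."""
    if not pkt.payload:
        return True                  # handshake packets carry no data
    line = pkt.payload.split(b"\r\n", 1)[0]
    if pkt.dport == 80:              # client side: request line
        return line.startswith((b"GET ", b"POST ", b"HEAD ")) and line.endswith(b" HTTP/1.1")
    return line.startswith(b"HTTP/1.")   # server side: status line


class ApplicationGateway:
    """Stateful filtering plus inspection of the application data."""

    def __init__(self) -> None:
        self.state = StatefulFilter()

    def check(self, pkt: Packet) -> bool:
        if not self.state.check(pkt):
            return False
        if http_payload_ok(pkt):
            return True
        self.state.close(pkt)        # tear down the flow carrying non-HTTP data
        return False


def run_demo():
    """Run a constructed packet stream through all three firewall classes;
    returns (label, stateless_verdict, stateful_verdict, gateway_verdict)."""
    inside, web, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    stream = [
        ("inside opens TCP/80 to web server", Packet(inside, 40000, web, 80, syn=True)),
        ("inside sends HTTP request",
         Packet(inside, 40000, web, 80, payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")),
        ("web server replies", Packet(web, 80, inside, 40000, payload=b"HTTP/1.1 200 OK\r\n\r\n")),
        ("unsolicited inbound with source port 80", Packet(stranger, 80, inside, 445, syn=True)),
        ("inside opens a second TCP/80 connection", Packet(inside, 40001, web, 80, syn=True)),
        ("non-HTTP data on port 80", Packet(inside, 40001, web, 80, payload=b"\x16\x03\x01\x00\x2a")),
    ]
    stateful, gateway = StatefulFilter(), ApplicationGateway()
    return [(label, stateless_filter(p), stateful.check(p), gateway.check(p)) for label, p in stream]


if __name__ == "__main__":
    for label, a, b, c in run_demo():
        print(f"{label:42s} stateless={a!s:5} stateful={b!s:5} app-gateway={c!s:5}")
```

The fourth packet is the point of the stateless/stateful distinction: the stateless filter passes it because its source port is 80, while the connection table rejects it; the last packet shows what Layer 3/4 inspection alone cannot see, since both packet filters accept it and only the application-level gateway, looking into the data, refuses it.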