WR3000 4-Port Wireless DSL/Cable Router
®
85
Chapter 11:
Introduction to Firewalls
This chapter gives some background information on fi rewalls and
introduces the WR3000 Wireless Router fi rewall.
11.1 Firewall Overview
Originally, the term Firewall referred to a construction technique designed to prevent the
spread of fi re from one room to another. The networking term “fi rewall” is a system or group of
systems that enforces an access-control policy between two networks. It may also be defi ned
as a mechanism used to protect a trusted network from an untrusted network. Of course,
fi rewalls cannot solve every security problem. A fi rewall is one of the mechanisms used to
establish a network security perimeter in support of a network security policy. It should never be
the only mechanism or method employed. For a fi rewall to guard effectively, you must design
and deploy it appropriately. This requires integrating the fi rewall into a broad information-
security policy. In addition, specifi c policies must be implemented within the fi rewall itself.
11.2 Types of Firewalls
There are three main types of fi rewalls:
1. Packet Filtering Firewalls
2. Application-level Firewalls
3. Stateful Inspection Firewalls
11.2.1 Packet Filtering Firewalls
Packet fi ltering fi rewalls restrict access based on the source/destination computer network
address of a packet and the type of application.
11.2.2 Application-level Firewalls
Application-level fi rewalls restrict access by serving as proxies for external servers. Since they
use programs written for specifi c Internet services, such as HTTP, FTP and telnet, they can
evaluate network packets for valid application-specifi c data. Application-level gateways have a
number of general advantages over the default mode of permitting application traffi c directly to
internal hosts:
i. Information hiding prevents the names of internal systems from being made known via DNS
to outside systems, since the application gateway is the only host whose name must be made
known to outside systems.
ii. Robust authentication and logging pre-authenticates application traffi c before it reaches
internal hosts and causes it to be logged more effectively than if it were logged with standard
host logging. Filtering rules at the packet fi ltering router can be less complex than they would be
if the router needed to fi lter application traffi c and direct it to a number of specifi c systems.
The router need only allow application traffi c destined for the application gateway and reject
the rest.