Filter and Firewall
Left running head:
Chapter name (automatic)
718
Beta Beta
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
FIREWALL MECHANISMS
This section provides details about firewall mechanisms.
• “Packet Filtering”
• “Stateful Inspection”
P
ACKET FILTERING
This is a simple firewall solution that is usually implemented on devices like
routers that filter packets. The packet-headers are inspected when going through
the firewall. Packets are analyzed against a set of rules. Depending on these
rules, the packet is either accepted or denied.
Once a match is found, the rule action is obeyed. The rule action could be to drop
the packet, to forward the packet, or even to send an ICMP message back to the
originator. Only the first match counts, as the rules are searched in order. Hence,
the list of rules can be referred to as a ``rule chain''. On match, the specified action
is taken. Typical actions are deny/ allow / drop/ reject packets or reset connection.
S
TATEFUL INSPECTION
This is an advanced implementation of packet filtering that inspects packets at
higher network layers, up to the application layer. Such filters interpret transport-
level information (such as TCP and UDP headers) to analyze and record all
current connections. This process is known as stateful inspection.
A stateful packet filter records the status of all connections and allows only those
packets that are associated with a current connection. Information traveling from
inside the firewall to the outside is monitored for specific defining characteristics.
The incoming information is then compared to these defining characteristics and
upon a reasonable match, the information is permitted, else it is denied.
When a computer in the protected network initiates a connection with an external
server, the stateful packet filter allows the server's response packets into the
protected network. When the original connection is closed, however, the packet
filter will block all further unsolicited packets from the untrusted zone. Stateful
firewalls are also known as "dynamic" packet filters.
Note: OmniAccess 5740 USG supports stateful and stateless inspection. By default,
OmniAccess 5740 USG firewall is ‘stateful’.
To Next Page
Loading...
Need help?
General
