III. MAC Layer Firewalls:

MAC layer firewalls are designed to operate at the media access control layer of the OSI network model. This gives these firewalls the ability to consider the specific host computer's identity in their filtering decisions. Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked.
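The filtering described above, as an added example that is not from the textbook: a minimal Python MAC-layer filter that parses constructed Ethernet II/IPv4 frames, looks up the source MAC in a hypothetical per-host ACL of permitted (protocol, destination port) pairs, and drops everything else, including unknown hosts and frames it cannot parse.

```python
# Added example (not from the textbook): a minimal MAC-layer filter.
# It parses constructed Ethernet II / IPv4 / TCP-UDP frames, looks up the
# source MAC in a per-host ACL, and drops anything not explicitly allowed.
import struct

# Hypothetical ACL: for each known host MAC, the (ip_proto, dst_port) pairs
# it may send. Hosts not listed, and packet types not listed, are blocked.
TCP, UDP = 6, 17
MAC_ACL = {
    "aa:bb:cc:00:00:01": {(TCP, 80), (TCP, 443)},   # web client only
    "aa:bb:cc:00:00:02": {(UDP, 53)},               # DNS resolver only
}

def parse_frame(frame: bytes):
    """Return (src_mac, ip_proto, dst_port) for an Ethernet II/IPv4 frame,
    or None if the frame is not IPv4 carrying TCP or UDP."""
    if len(frame) < 34:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:            # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes
    proto = frame[23]                  # IPv4 protocol field (offset 9)
    l4 = 14 + ihl
    if proto not in (TCP, UDP) or len(frame) < l4 + 4:
        return None
    dst_port = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    src_mac = ":".join(f"{b:02x}" for b in src)
    return src_mac, proto, dst_port

def mac_filter(frame: bytes) -> bool:
    """True if the ACL permits the frame, False (drop) otherwise."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False                   # default deny for anything unparsed
    src_mac, proto, dst_port = parsed
    return (proto, dst_port) in MAC_ACL.get(src_mac, set())

def build_frame(src_mac: str, proto: int, dst_port: int) -> bytes:
    """Construct a synthetic frame carrying only the fields the filter reads."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + src + b"\x08\x00"                  # 14-byte header
    ip = bytes([0x45, 0]) + b"\x00" * 7 + bytes([proto]) + b"\x00" * 10
    l4 = struct.pack("!HH", 40000, dst_port)                # src, dst port
    return eth + ip + l4
```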

Fig 6-5 shows where in the OSI model each of the firewall processing modes inspects data.

IV. Hybrid Firewalls:

Hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways. Alternately, a hybrid firewall system may actually consist of two separate firewall devices: each is a separate firewall system, but they are connected so that they work in tandem. For example, a hybrid firewall system might include a packet filtering firewall that is set up to screen all acceptable requests and then pass the requests to a proxy server, which, in turn, requests services from a Web server deep inside the organization's networks. An added advantage of the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.

Firewalls Categorized by Development Generation

The first generation of firewall devices consists of routers that perform only simple packet filtering operations. More recent generations of firewalls offer increasingly complex capabilities, including the increased security and convenience of creating a DMZ (demilitarized zone). At present there are five generally recognized generations of firewalls, and these generations can be implemented in a wide variety of architectures.

First Generation: First generation firewalls are static packet filtering firewalls, that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks.

Second Generation: Second generation firewalls are application-level firewalls or proxy servers, that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

Third Generation: Third generation firewalls are stateful inspection firewalls, which, as you may recall, monitor network connections between internal and external systems using state tables.

Fourth Generation: While static filtering firewalls, such as first and third generation firewalls, allow entire sets of one type of packet to enter in response to authorized requests, fourth generation firewalls, which are also known as dynamic packet filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.
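The contrast drawn above, as an added Python example that is not from the textbook: a static rule that admits a whole class of inbound packets (anything from source port 53) beside a dynamic filter that records each outbound request in a state table and admits only the one inbound packet whose source, destination and ports match that entry. The IP addresses and the one-reply-per-request expiry are constructed simplifications.

```python
# Added example (not from the textbook): static vs dynamic packet filtering.
# Both filters see the same packets; the static one permits a whole class of
# inbound packets, the dynamic one permits only the exact reply to a request
# it has already seen, and expires that entry once the reply arrives.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool          # True = arriving from the outside network

class StaticFilter:
    """First/third generation style rule: any inbound packet from source
    port 53 is allowed, so DNS replies work but so does any unsolicited
    packet that merely claims source port 53."""
    def allow(self, p: Packet) -> bool:
        return (not p.inbound) or p.src_port == 53

class DynamicFilter:
    """Fourth generation style: each outbound request creates a state entry;
    an inbound packet is allowed only if it matches one entry exactly."""
    def __init__(self):
        self.state = set()     # entries: (ext_ip, ext_port, int_ip, int_port)

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            self.state.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
            return True
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.state:
            self.state.discard(key)   # simplification: one reply per request
            return True
        return False

def run(filt, packets):
    """Apply a filter to a packet sequence and return the allow decisions."""
    return [filt.allow(p) for p in packets]

# Constructed traffic (documentation-range addresses).
SAMPLE = [
    Packet("10.0.0.5", 40001, "203.0.113.53", 53, inbound=False),  # DNS request
    Packet("203.0.113.53", 53, "10.0.0.5", 40001, inbound=True),   # matching reply
    Packet("198.51.100.7", 53, "10.0.0.5", 40001, inbound=True),   # unsolicited
    Packet("203.0.113.53", 53, "10.0.0.5", 40001, inbound=True),   # after expiry
]

if __name__ == "__main__":
    print("static :", run(StaticFilter(), SAMPLE))
    print("dynamic:", run(DynamicFilter(), SAMPLE))
```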

Fifth Generation: The fifth generation firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT. This type of firewall evaluates packets at multiple layers of the protocol stack, checking security in the kernel as data is passed up and down the stack. Cisco implements this technology in the security kernel of its Centri firewall. The Cisco security kernel contains three component technologies: the Interceptor/Packet Analyzer, the Security Verification Engine (SVEN), and Kernel Proxies. The interceptor captures packets arriving at the firewall server and passes them to the packet analyzer, which reads the header information, extracts signature data, and passes both the data and the packet to the SVEN, which maps the packet to an existing session or creates a new session. If a current session exists, the SVEN passes the information through a custom-built protocol stack created specifically for that session. The temporary protocol stack uses a customized implementation of the approach widely known as Network Address Translation (NAT). The SVEN enforces the security policy that is configured into the Kernel Proxy as it inspects each packet.

Firewalls Categorized by Structure:

Firewalls can also be categorized by the structure used to implement them. Most commercial-grade firewalls are dedicated appliances. That is, they are stand-alone units running on fully customized computing platforms that provide both the physical network connection and the firmware programming necessary to perform their function, whatever that function (static filtering, application proxy, etc.) may be. Some firewall applications use highly customized, sometimes proprietary hardware systems that are developed exclusively as firewall devices. Other commercial firewall systems are actually off-the-shelf general purpose computer systems. These computers then use custom application software running either over standard operating systems like Windows or Linux/Unix or on specialized variants of these operating systems. Most small office or residential-grade firewalls are either simplified dedicated appliances running on computing devices, or application software installed directly on the user's computer.