Firewall
Configuring a firewall like Gibraltar correctly requires extensive knowledge of how a computer network works and the techniques it uses. Only a correctly configured firewall improves security. This is why the most important basics and some essential terms are explained at this point in the manual. A detailed explanation of all techniques would go beyond the scope of this manual; some recommended books and links can be found in the appendix.
A firewall is a security component of a computer network that allows or denies traffic according to a defined rule set (policy). The purpose of a firewall is to separate network segments that have different levels of trust. A typical use of a firewall is to control the traffic between a local area network (LAN) and the Internet.
Types of Firewalls
Generally, firewalls are divided into network firewalls and personal firewalls. A network firewall is a dedicated device that separates two networks or two network segments and controls the traffic between them. To keep the traffic of the different network segments apart, the firewall has more than one network interface, one for each network segment. A personal firewall is software installed on the computer it is meant to protect; it secures only the computer it is installed on.
Gibraltar is a network firewall and can be run either on existing hardware or on Gibraltar Security Gateways, which can be purchased from the online shop at http://www.gibraltar.at.
A firewall uses several techniques to separate permitted traffic from traffic that is not allowed. The most important component is the packet filter.
Packet Filter
A packet filter is software that filters incoming and outgoing traffic according to predefined rules. It uses various pieces of information carried in each data packet. Common criteria are:
The administrator defines a set of rules (firewall rules, policy) that specifies what should be done with incoming and outgoing packets. Generally, a packet can be forwarded to another network (ACCEPT), silently ignored (DENY), sent back with a notification of why it was refused (REJECT), or recorded as a new entry in the syslog (LOG). The packet filter is the core of every firewall, so it is very important to configure it responsibly and attentively.
Gibraltar follows the principle "If it is not allowed, it is denied!". This means that by default Gibraltar blocks all traffic except a few special kinds of packets needed to reach the web interface or to check basic network connectivity (ping). The administrator of Gibraltar opens ports to allow traffic to pass through Gibraltar.
Stateful Packet Inspection
Stateful inspection is an extended form of packet filtering. A simple packet filter examines each packet on its own and decides, using only the information in that packet, whether it is forwarded or blocked. Stateful packet inspection recognizes the logical stream of packets that each connection opens and decides for all packets belonging to that connection whether they are allowed or not. An additional filter criterion is the state of each packet within the logical stream (new, established, ...). This can also be used to allow all reply packets of a specific connection automatically, which simplifies the configuration of the filter rules and reduces the number of rules needed.
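The following toy packet filter illustrates the concepts of the Packet Filter and Stateful Packet Inspection sections together: a default-deny policy, the four actions ACCEPT, DENY, REJECT and LOG, and a connection-tracking table that marks reply packets as ESTABLISHED. It is an added example written for this manual page, not Gibraltar's own code; the class names, the rule syntax, and the addresses and ports are all constructed for the illustration.

```python
"""Toy stateful packet filter: default-deny policy, ACCEPT/DENY/REJECT/LOG
actions and connection tracking (NEW vs ESTABLISHED). Added illustration of
the concepts in this manual section, not Gibraltar's own code. All names,
addresses and ports are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp", "udp" or "icmp"


ConnKey = Tuple[str, int, str, int, str]


@dataclass
class Rule:
    """One firewall rule; None means 'any' for that criterion."""
    action: str                     # ACCEPT, DENY, REJECT or LOG
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None     # NEW or ESTABLISHED

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.state is None or self.state == state))


@dataclass
class StatefulFilter:
    rules: List[Rule]
    default: str = "DENY"                              # "If it is not allowed, it is denied!"
    conns: Set[ConnKey] = field(default_factory=set)   # connection-tracking table
    log: List[str] = field(default_factory=list)       # stands in for syslog

    @staticmethod
    def _key(pkt: Packet) -> ConnKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def _state(self, pkt: Packet) -> str:
        # ESTABLISHED if a packet of this connection was accepted in either direction
        fwd = self._key(pkt)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "ESTABLISHED" if fwd in self.conns or rev in self.conns else "NEW"

    def filter(self, pkt: Packet) -> str:
        state = self._state(pkt)
        for rule in self.rules:           # first terminating match wins
            if not rule.matches(pkt, state):
                continue
            if rule.action == "LOG":
                # LOG records the packet and continues with the next rule
                self.log.append(f"{state} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                continue
            if rule.action == "ACCEPT" and state == "NEW":
                self.conns.add(self._key(pkt))  # remember the connection so replies are ESTABLISHED
            return rule.action
        return self.default               # nothing matched: default policy applies


# Constructed addresses from the RFC 5737 documentation ranges.
FIREWALL_IP = "192.0.2.1"
LAN_HOST = "192.0.2.10"
INTERNET_HOST = "198.51.100.7"


def build_demo_filter() -> StatefulFilter:
    return StatefulFilter(rules=[
        Rule("ACCEPT", state="ESTABLISHED"),                                    # replies to accepted connections
        Rule("ACCEPT", proto="tcp", dst=FIREWALL_IP, dport=443, state="NEW"),   # web interface of the firewall
        Rule("ACCEPT", proto="icmp", state="NEW"),                              # ping
        Rule("LOG", proto="tcp", dport=23),                                     # log telnet attempts ...
        Rule("REJECT", proto="tcp", dport=23),                                  # ... then refuse them with a notice
    ])


SAMPLE_PACKETS = [
    Packet(INTERNET_HOST, 40000, FIREWALL_IP, 443, "tcp"),   # admin opens the web interface -> ACCEPT
    Packet(FIREWALL_IP, 443, INTERNET_HOST, 40000, "tcp"),   # reply of that connection -> ESTABLISHED -> ACCEPT
    Packet(INTERNET_HOST, 40001, LAN_HOST, 23, "tcp"),       # telnet into the LAN -> LOG, then REJECT
    Packet(INTERNET_HOST, 40002, LAN_HOST, 22, "tcp"),       # ssh into the LAN: no rule -> default DENY
    Packet(INTERNET_HOST, 80, LAN_HOST, 40003, "tcp"),       # looks like a reply, but no tracked connection -> NEW -> DENY
]


def run_demo():
    fw = build_demo_filter()
    verdicts = [fw.filter(p) for p in SAMPLE_PACKETS]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:7} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("logged:", log)
```

The last sample packet shows why the state criterion matters: a packet that merely looks like a reply is treated as NEW when no matching connection was tracked, so it falls through to the default DENY instead of being let in by the ESTABLISHED rule.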