CompTIA Network+ | Microsoft MTA Networking: Firewalls
Source: mc mcse Certification Resources
- Application Layer vs. Network Layer – An application layer firewall works at the application layer of a protocol stack (this is true for both the OSI model and the Internet Protocol Suite (TCP/IP)). Sometimes referred to as a proxy-based firewall or proxy server, it can be software running on a computer or server, or a stand-alone piece of hardware. The main function of the application layer firewall is to analyze traffic before passing it to a gateway point. A network layer firewall is sometimes referred to as a packet filter; these devices operate at the network layer. They will not allow packets to pass the firewall unless the packets match the rule set configured by the firewall administrator. Network layer firewalls can be either stateful or stateless.
- Stateful vs. Stateless – Stateful firewalls maintain pertinent information about any active sessions they have and use this information to speed packet processing. This might include source and destination IP address, UDP or TCP ports, and other details about the connection such as the session initiation, type of data transfer and so forth. With stateful processing, if a packet does not match a currently established connection, it will be evaluated according to the rule set for new connections. If it does match, it will be allowed to pass without needing to be compared to the rule sets in use. Stateless firewalls treat every packet on the network in isolation, independently of all other traffic on the wire. They have no way to know whether any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
- Scanning Services – the process used by all firewalls to review the packets passing through them. Sometimes they will review only the header information, or they may be configured to look at the data as well. More advanced firewalls might also combine virus detection and/or other forms of malware detection as part of their scanning process to halt the transmission of suspect packets through the device.
- Content Filtering – generally used at the application level to restrict or prevent access to websites that are not approved for work use, to block sites with objectionable material, or to block sites on a corporate blacklist for one reason or another. Content can be filtered in many different ways: by suspect keywords, images on the site, downloadable files present, or site content labeling as defined by the website host itself (e.g. an adult site that defines itself as such – the content filter would review the site's content label and apply the filter).
- Signature Identification – a method of identifying certain types of traffic based on a known behavior of that traffic. By comparing traffic against its signature definitions, a firewall can decide whether the traffic should be allowed to pass as permitted (e.g. HTTP traffic or DNS traffic) or whether to deny it (e.g. repeated attempts to connect to multiple systems from multiple sessions, appearing as a possible Distributed Denial of Service (DDoS) attack).
- Zones – demarcation points from one network type to another. Networks internal to a company are considered internal zones or intranets. A network external to the internal network is generally considered “the internet” or an external zone. If there is a network that the company manages that is not part of the internal intranet but sits between the intranet and the internet, this is called the demilitarized zone or DMZ. The main purpose of this zone is to act as an additional security buffer between the intranet and the internet.
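To make the stateful vs. stateless distinction above concrete, here is an added illustration (not part of the original study guide) of a toy packet filter: a constructed rule set for new connections with a default deny, a stateless check that evaluates each packet in isolation, and a stateful filter that records allowed sessions so that return traffic passes without a rule lookup while an untracked "rogue" packet still falls through to the rules. The addresses, ports and rules are made up for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed rule set for NEW connections: first match wins, default deny.
# Each rule is (action, permitted source network, destination port).
RULES = [
    ("allow", "10.0.0.0/8", 443),  # internal hosts may open HTTPS sessions
    ("allow", "10.0.0.0/8", 53),   # and perform DNS lookups
]


def stateless_inspect(pkt: Packet) -> bool:
    """Stateless check: judge this packet on its own against the rule set."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, port in RULES:
        if src in ipaddress.ip_network(net) and pkt.dport == port:
            return action == "allow"
    return False  # no rule matched: implicit default deny


class StatefulFilter:
    """Tracks allowed sessions so replies pass without re-evaluating the rules."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()  # 5-tuples of sessions seen allowed

    @staticmethod
    def key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def inspect(self, pkt: Packet) -> tuple[bool, str]:
        # A reply is the reversed 5-tuple of a session already tracked.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.key(pkt) in self.sessions or reverse in self.sessions:
            return True, "established"
        if stateless_inspect(pkt):  # untracked: treat as a new connection
            self.sessions.add(self.key(pkt))
            return True, "new"
        return False, "denied"
```

With these rules, the stateless check accepts the outbound request but rejects the server's reply (its source is not in 10.0.0.0/8), whereas the stateful filter accepts the reply as "established" and still denies a packet aimed at a port with no tracked session.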