Firewall Fundamentals

Although firewalls do provide significant protection for systems, they do not by themselves constitute the entire suite of defenses that today's systems require. Many traditional firewalls do not stop data-driven attacks carried over ports that the firewall is configured to permit. To offset such attacks, many vendors' firewalls now include the capability to inspect packet payloads in the same way a dedicated IDS appliance does. Additionally, some vendors are coupling their firewall offerings with other point-defense products, such as content- and SMTP-filtering applications and devices. This coupling allows an IDS or another detection device to instruct the firewall to block traffic deemed to be an attack against a system or the network. Even more compelling are integrated devices such as the Cisco ASA, which combine firewall, IPS, and VPN functionality in a single device to provide a turnkey solution.

Firewalls can also require some additional effort on the part of network administrators to ensure that all services work properly through them. Firewall effects must be considered when deploying IPsec VPNs, primarily because of the impact of NAT on these types of VPNs.

You need to be aware of some limitations when implementing these advanced features. You must consider the processing impact that these additional functions place on the firewall. A firewall that is expected to filter network traffic, perform application inspection, filter e-mail, filter web content, and decrypt IPsec VPN traffic will not perform as well as a firewall that does not need to perform as many functions. Additionally, by integrating multiple functions into a single device, you not only increase the impact of a failure of any one component, but also create a potential single point of failure in your network security. For example, if the hardware that provides the VPN functionality in the firewall (for example, the processor) fails, you will need to take the entire firewall down to repair it, whereas if the functionality were provided by distinct devices, only the VPN device would be affected.