NET 121b: Essentials of Networking

Chapter 12: Firewalls and Proxies


This chapter discusses three varieties of firewalls. The topics of this chapter are:

  1. Defining firewalls
  2. Packet filtering firewalls
  3. Bastion host firewalls
  4. NAT firewalls

Defining firewalls

A firewall can be a software, hardware, or software/hardware solution that keeps specific kinds of traffic from entering or exiting your network, except through approved channels. The methods discussed in this chapter are packet filtering, proxy service, and network address translation.

Packet filtering firewalls

A packet filtering router discards packets bound for ports or IP addresses that your network policy considers forbidden. The text makes the point that you need a written network security policy first; without one, there is nothing for the router to implement. A software solution for this sort of firewall may use a list of forbidden web sites that your network users are not allowed to access.

Bastion host firewalls

The text describes bastion host firewalls as fortified servers. The fortification consists of stripping the host of all services except those needed to provide whatever access your security policy allows. Two versions of a bastion firewall were described in a previous text:

  • screened-host firewall, single-homed bastion - this refers to a host on your network (single home), not a router, that still acts like a router in that it filters all incoming and outgoing traffic
  • screened-host firewall, dual-homed bastion - this refers to a host on your network that sits on another network as well (dual home), and both networks belong to you. Your resources that you provide to the users on the Internet sit on the outer network: your web and FTP servers, for example. The bastion sits on this outer network and your inner network, where it acts like the single-homed bastion above.

NAT firewalls

Network Address Translation (NAT) services run on routers that provide the interface between your private network and the Internet. As the text explains, the router prevents direct access to your network by being the only device that has a registered (public) IP address. All traffic on your network that is bound for the Internet is received by the NAT router and sent on to the Internet with the router's address as its source address. The router keeps track of which traffic belongs to which device on your network by assigning a logical port to each device (or connection) it services, so that replies arriving on that port can be delivered to the right internal host.
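As an added illustration (not from the textbook), the port-tracking mechanism described above, simulated in Python: outbound packets get the router's address and an assigned port, replies are mapped back, and inbound packets with no mapping are dropped. The class name, table layout and addresses (constructed from the RFC 5737 documentation ranges) are my own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Hypothetical NAT router: one registered address in front of a private LAN."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port) -> logical port assigned on the public side
        self.outbound: Dict[Tuple[str, int], int] = {}
        # assigned public port -> (private ip, private port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so it leaves with the router's address and a tracked port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:          # first packet from this device/port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a reply to the internal host that owns the port; drop anything unmapped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None                       # no mapping: unsolicited traffic is discarded
        priv_ip, priv_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    # Constructed sample traffic: one LAN host browsing a web server on the Internet.
    nat = NatRouter("203.0.113.5")
    out = nat.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))
    unsolicited = nat.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 40001))
    return out, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```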