Objective 6.2: Firewall Features
The application layer firewall is the most functional of all the firewall types. As its name suggests, the application layer firewall functionality is implemented through an application. Application layer firewall systems can implement sophisticated rules and closely control traffic that passes through. Features of these firewalls can include user authentication systems and the capability to control which systems an outside user can access on the internal network. Some also provide bandwidth control mechanisms. Because they operate above the session layer of the Open Systems Interconnect (OSI) model, they can provide protection against any software-based network traffic that attempts to pass through them.
Network layer filtering through the analysis of packets enables the firewall to examine each packet that passes through it and determine what to do with it, based on the configuration. A packet-filtering firewall deals with packets at the data-link and network layers of the OSI model. The following are some of the criteria by which packet filtering can be implemented:
- IP address
- By using the IP address as a parameter, the firewall can allow or deny traffic, based on the source or destination IP address. For example, you can configure the firewall so that only certain hosts on the internal network are able to access hosts on the Internet. Alternatively, you can configure it so that only certain hosts on the Internet are able to gain access to a system on the internal network.
- Port number
- The TCP/IP (Transmission Control Protocol/Internet Protocol) suite uses port numbers to identify which service a certain packet is destined for. By configuring the firewall to allow certain types of traffic, you can control the flow. You might, for example, open port 80 on the firewall to allow Hypertext Transfer Protocol (HTTP) requests from users on the Internet to reach the corporate Web server. You might also, depending on the application, open the HTTP Secure (HTTPS) port, port 443, to allow access to a secure Web server application.
- Protocol ID
- Because each packet transmitted with IP has a protocol identifier in it, a firewall can read this value and then determine what kind of packet it is. If you are filtering based on protocol ID, you specify which protocols you will and will not allow to pass through the firewall.
- MAC address
- This is perhaps the least used of the packet-filtering methods discussed, but it is possible to configure a firewall to use the hardware-configured MAC address as the determining factor in whether access to the network is granted. This is not a particularly flexible method, and it is therefore suitable only in environments in which you can closely control who uses which MAC address. The Internet is not such an environment.
Many workplaces, schools, and colleges restrict the web sites and online services that are made available in their buildings. This is done with a specialized proxy, called a content filter. Requests made to the open Internet must first pass through an outbound proxy filter. The web-filtering company provides a database of URL patterns with associated content attributes. This database is updated weekly by site-wide subscription, much like a virus filter subscription. The administrator instructs the web filter to ban broad classes of content (such as sports, pornography, online shopping, gambling, or social networking). Requests that match a banned URL pattern are rejected immediately. Assuming the requested URL is acceptable, the content is then fetched by the proxy. At this point a dynamic filter may be applied on the return path. For example, JPEG files could be blocked based on flesh tone matches, or language filters could dynamically detect unwanted language.
Web filtering proxies are not able to peer inside secure HTTP transactions. As a result, users wanting to bypass web filtering will typically search the internet for an open and anonymous HTTPS proxy. They will then program their browser to proxy all requests through the web filter to this anonymous proxy. Those requests will be encrypted. The web filter cannot distinguish these transactions from, say, a legitimate access to a financial website. Thus, content filters are only effective against unsophisticated users.