The Firewalls and Internet Security seminar defines three basic types of firewalls: packet filters, circuit-level gateways, and application gateways. There are also hybrid firewalls, which combine two or all three of these approaches.

Packet filter gateways usually consist of a series of simple checks on the source and destination IP addresses and ports of each packet. They are transparent to the user, who will probably not even notice that the checks are taking place (unless, of course, a connection is denied!). That simplicity is also their biggest weakness: a filter that sees only addresses and ports has no way to securely distinguish one user on a machine from another. Packet filters are frequently located on routers, and most major router vendors supply them as part of the default distribution. You may also have heard of smart packet filters (today usually called stateful packet filters). These are not very different from simple packet filters, except that they can interpret the data stream and recognize that a related connection, which would normally be denied, should be allowed (for example, the filter understands FTP's PORT command and permits the reverse data connection it announces). Smart packet filters, however, still cannot securely distinguish one user on a machine from another. Brimstone incorporates a very smart and configurable application-layer filter.

Circuit-level
gateways are much like packet filters except that they operate at a different level of the OSI protocol stack: they relay whole TCP connections (circuits) rather than judging individual packets. Unlike most packet filters, connections passing through a circuit-level gateway appear to the remote machine as if they originated from the firewall itself. This is very useful for hiding information about protected networks, such as internal addresses. SOCKS is a popular de-facto standard for automatic circuit-level gateways. Brimstone supports both SOCKS and a manual circuit-level gateway.

Application gateways represent
a totally different concept for firewalls. Instead of a list of simple rules controlling which packets or sessions should be allowed through, a program (a proxy) accepts the connection, typically performs strong authentication of the user, often with one-time passwords, and then usually prompts the user for the host to connect to. Because the gateway authenticates a user rather than merely seeing an address, it can apply and log policy per user, which neither of the other two types can do. This is, in some senses, more limited than packet filters and circuit-level gateways, since you must have a separate gateway program for each application (e.g. telnet, ftp, X11, etc.).
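As an added illustration of the packet filter and smart packet filter behaviour described in the first section above (example code written for this page, not Brimstone's own filter): a small Python packet filter with first-match rules and a default deny, plus an FTP PORT helper that reads the allowed control stream and opens a short-lived dynamic rule for the server's reverse data connection. The rule syntax, the packet structure, the policy and the sample addresses (10.0.0.5 as the client, 192.0.2.10 as the FTP server) are assumptions made for the example. It also shows the check a practitioner wants on such a helper: a PORT command naming a host other than the client itself (an FTP bounce) is ignored rather than turned into a rule.

```python
"""Toy packet filter with a 'smart' FTP PORT helper.

Added example for this page; not Brimstone code.  Rule syntax, packet
fields, policy and addresses are all assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""        # application data, if any


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None matches any port
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))


def rule(action, proto, src, dst, dport=None, sport=None):
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), dport, sport)


# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2)
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: bytes):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return (f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5])


class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = []        # rules learned from inspected traffic

    def check(self, p: Packet) -> str:
        """Plain packet filter: first matching rule wins, default deny."""
        for r in self.dynamic + self.rules:
            if r.matches(p):
                return r.action
        return "deny"

    def inspect(self, p: Packet) -> str:
        """Smart filter: same verdict, but also reads the FTP control stream."""
        verdict = self.check(p)
        if verdict == "allow" and p.proto == "tcp" and p.dport == 21 and p.payload:
            self._learn_ftp_port(p)
        return verdict

    def _learn_ftp_port(self, p: Packet) -> None:
        parsed = parse_port_command(p.payload)
        if parsed is None:
            return
        ip, port = parsed
        # The data connection must come back to the client that sent PORT and
        # to an unprivileged port; anything else is an FTP bounce attempt.
        if ip != p.src or port < 1024:
            return
        self.dynamic.append(rule("allow", "tcp", p.dst + "/32", ip + "/32",
                                 dport=port, sport=20))


# Constructed sample policy: the inside network may open FTP control and
# HTTP connections anywhere; nothing unsolicited may come in.
POLICY = [
    rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", dport=21),
    rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", dport=80),
]


def demo():
    """Returns verdicts (before PORT, after PORT, after a bounce attempt)."""
    fw = PacketFilter(POLICY)
    data_in = Packet("tcp", "192.0.2.10", 20, "10.0.0.5", 2000)
    before = fw.check(data_in)                      # unsolicited inbound
    fw.inspect(Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 21,
                      payload=b"PORT 10,0,0,5,7,208\r\n"))   # 7*256+208 = 2000
    after = fw.inspect(data_in)                     # learned from PORT
    fw.inspect(Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 21,
                      payload=b"PORT 10,0,0,9,7,208\r\n"))   # names a third host
    bounce = fw.check(Packet("tcp", "192.0.2.10", 20, "10.0.0.9", 2000))
    return before, after, bounce


if __name__ == "__main__":
    print(demo())
```

Note that even the learned rule is still keyed only on addresses and ports: the filter knows that some process on 10.0.0.5 asked for the data connection, but not which user, which is exactly the limitation the text attributes to both simple and smart packet filters.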