Firewalls Chapter 9: Network Requirements and Preparation
packet is inspected and processed. Any type of traffic that is deemed to be “illegal” (based on rules that specify protocol type, source or destination IP address, and so on) is not allowed through the firewall. Using this tool, administrators can achieve tight control over the activities they allow into and out of their corporate network or e-business site. In a corporate network, a firewall prevents intruders from accessing corporate resources while allowing employees Internet access. In an e-business site, it allows outside access to the web server while preventing unauthorized access or attacks.
Often, a network access point called a DMZ (demilitarized zone) is implemented to offer an “outside” presence for e-commerce clients, e-business partners, and web surfers. The DMZ acts as the gateway through which all Internet communications with the company or site transpire. It allows controlled access to front-end web servers while protecting mission-critical resources (databases, routers, servers, and so on). Thus, the DMZ needs to be flexible, reliable, and available.
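The rule-based filtering and DMZ placement described above can be made concrete with a small first-match packet filter. The following is an added example written for this section, not code from the book or from any firewall product; the address plan (a web server at 203.0.113.10 in the DMZ, an internal database at 10.0.5.20, employees on 10.0.0.0/8) and the rule set are constructed assumptions. It shows the three cases the text names: the Internet reaching only the web server, the web server reaching the database on one port, and employees reaching out while everything unmatched is dropped by the default deny.

```python
"""Ordered, first-match packet filter modelling a simple DMZ policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    """One filter rule: every field that is set must match for the rule to apply."""
    action: str                # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"     # CIDR; default matches any source
    dst: str = "0.0.0.0/0"     # CIDR; default matches any destination
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the rules in order; the first match decides. Nothing matched means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed address plan (assumption, not from the text).
WEB_SERVER = "203.0.113.10"   # front-end web server living in the DMZ
DB_SERVER = "10.0.5.20"       # mission-critical database on the inside
INTERNAL_NET = "10.0.0.0/8"   # employee network

# Constructed DMZ policy: order matters because evaluation is first-match.
DMZ_POLICY = [
    # Anyone on the Internet may reach the web server, but only on HTTP/HTTPS.
    Rule("allow", proto="tcp", dst=f"{WEB_SERVER}/32", dport=443),
    Rule("allow", proto="tcp", dst=f"{WEB_SERVER}/32", dport=80),
    # Only the web server may talk to the database, and only on its service port.
    Rule("allow", proto="tcp", src=f"{WEB_SERVER}/32", dst=f"{DB_SERVER}/32", dport=5432),
    # Employees may initiate connections out to the Internet.
    Rule("allow", src=INTERNAL_NET),
    # Explicit catch-all; identical in effect to the implicit default deny.
    Rule("deny"),
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", WEB_SERVER, 443),   # Internet -> web server HTTPS
        Packet("tcp", "198.51.100.7", WEB_SERVER, 22),    # Internet -> web server SSH
        Packet("tcp", "198.51.100.7", DB_SERVER, 5432),   # Internet -> database
        Packet("tcp", WEB_SERVER, DB_SERVER, 5432),       # web server -> database
        Packet("tcp", "10.0.7.3", "198.51.100.7", 443),   # employee -> Internet
        Packet("icmp", "198.51.100.7", WEB_SERVER),       # Internet ping to web server
    ]
    for p in samples:
        print(f"{p.proto:4} {p.src:>14} -> {p.dst:>14}:{p.dport!s:>5}  {evaluate(DMZ_POLICY, p)}")
```

The rule for the database is deliberately scoped to a single source host and port: a broader "allow anything into 10.0.0.0/8" placed above it would silently open the database to the DMZ, which is the kind of ordering mistake worth checking when a policy is reviewed.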
The firewall is often the first line of defense in this environment. Always vigilant, this device must inspect all traffic for the site. As part of its duty, the firewall recognizes and deals with denial-of-service attacks, such as the TCP SYN flood and the Ping of Death. In each of these attacks, the hackers are simply attempting to overwhelm the devices that provide an Internet presence for the company.
With a TCP SYN flood, a stream of TCP SYN packets is sent to the receiving device (often the firewall). The TCP connection table has finite memory and size, so it can be overrun by spurious SYN packets, preventing real users from establishing the TCP connection that HTTP communication requires.
An ICMP flood attack also floods a device, by streaming ICMP echo packets at a recipient destination. This flood of packets requires the device to process and respond to these pings, burning precious resources and preventing other traffic from being serviced. By examining the site’s traffic patterns, advanced firewalls can apply logical rules that prevent the device
Figure 9-2 Firewalls
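The two floods described above (a SYN flood filling a finite TCP entry table, and an ICMP echo flood consuming processing resources) can be recognised from traffic patterns with a small flow-table monitor. The following is an added example for this chapter, not code from the book or from any firewall vendor; the traffic it analyses is constructed inline (ten legitimate clients that complete their handshakes, two hundred spoofed sources that send only SYNs, and a burst of echo requests), and the table size, window and rate thresholds are assumptions chosen to make the effect visible on that sample.

```python
"""Flow-table monitor that flags TCP SYN floods and ICMP echo floods (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Deque, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float                       # arrival time in seconds
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""                 # TCP flags as letters: "S", "SA", "A"
    icmp_type: Optional[int] = None  # 8 = echo request


class FloodDetector:
    """Tracks half-open TCP connections and per-destination packet rates."""

    def __init__(self, table_size: int = 64, window: float = 1.0,
                 syn_rate_limit: int = 50, icmp_rate_limit: int = 100,
                 syn_timeout: float = 3.0) -> None:
        self.table_size = table_size          # models the finite TCP entry table
        self.window = window                  # sliding window for rate counting
        self.syn_rate_limit = syn_rate_limit
        self.icmp_rate_limit = icmp_rate_limit
        self.syn_timeout = syn_timeout        # half-open entries expire after this
        self.half_open: Dict[Tuple[str, str], float] = {}   # (src, dst) -> SYN time
        self.syn_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.echo_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[float, str, str, int]] = []  # (ts, kind, dst, count)
        self._seen: Set[Tuple[str, str]] = set()              # one alert per (kind, dst)

    def _alert(self, ts: float, kind: str, dst: str, count: int) -> None:
        if (kind, dst) not in self._seen:
            self._seen.add((kind, dst))
            self.alerts.append((ts, kind, dst, count))

    def _prune(self, dq: Deque[float], now: float) -> None:
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, p: Pkt) -> None:
        if p.proto == "tcp":
            self._observe_tcp(p)
        elif p.proto == "icmp" and p.icmp_type == 8:
            dq = self.echo_times[p.dst]
            dq.append(p.ts)
            self._prune(dq, p.ts)
            if len(dq) > self.icmp_rate_limit:
                self._alert(p.ts, "icmp_flood", p.dst, len(dq))

    def _observe_tcp(self, p: Pkt) -> None:
        # Expire stale half-open entries, as a real stack eventually would.
        self.half_open = {k: t for k, t in self.half_open.items()
                          if p.ts - t <= self.syn_timeout}
        key = (p.src, p.dst)
        if p.flags == "S":                       # new connection attempt
            self.half_open[key] = p.ts
            dq = self.syn_times[p.dst]
            dq.append(p.ts)
            self._prune(dq, p.ts)
            if len(dq) > self.syn_rate_limit:
                self._alert(p.ts, "syn_rate", p.dst, len(dq))
            if len(self.half_open) >= self.table_size:
                self._alert(p.ts, "syn_table_full", p.dst, len(self.half_open))
        elif "A" in p.flags and key in self.half_open:
            del self.half_open[key]              # handshake completed; entry freed


def run(packets: List[Pkt]) -> FloodDetector:
    det = FloodDetector()
    for p in sorted(packets, key=lambda x: x.ts):
        det.observe(p)
    return det


def alert_kinds(packets: List[Pkt]) -> Set[str]:
    return {kind for _, kind, _, _ in run(packets).alerts}


# Constructed sample traffic (assumption): a DMZ web server at 203.0.113.10.
WEB = "203.0.113.10"


def legitimate_clients(n: int, t0: float) -> List[Pkt]:
    """n clients that each complete a SYN / SYN-ACK / ACK handshake."""
    pkts = []
    for i in range(n):
        src, t = f"198.51.100.{i + 1}", t0 + i * 0.01
        pkts.append(Pkt(t, "tcp", src, WEB, "S"))
        pkts.append(Pkt(t + 0.02, "tcp", WEB, src, "SA"))
        pkts.append(Pkt(t + 0.04, "tcp", src, WEB, "A"))
    return pkts


LEGIT = legitimate_clients(10, 0.0)
# Spoofed sources that send a SYN and never answer: table entries are never freed.
SYN_FLOOD = [Pkt(1.0 + i * 0.002, "tcp", f"192.0.2.{i % 254 + 1}", WEB, "S") for i in range(200)]
# Burst of echo requests well above the per-second limit.
ICMP_FLOOD = [Pkt(2.0 + i * 0.002, "icmp", "192.0.2.99", WEB, icmp_type=8) for i in range(150)]

if __name__ == "__main__":
    for name, traffic in [("legit", LEGIT), ("syn flood", LEGIT + SYN_FLOOD), ("icmp flood", ICMP_FLOOD)]:
        print(name, alert_kinds(traffic) or "no alerts")
```

The detector raises "syn_rate" as soon as the SYN count in the window passes the limit and "syn_table_full" when half-open entries reach the table size, which is the condition under which real users can no longer connect; the legitimate sample never triggers either because each client's ACK frees its entry.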