
Network+™ Tutorial

3.0 Network Implementation


  1. Basic Capabilities of Network Operating System (NOS)

  2. Firewalls

  3. VLANs

  4. Benefits of Using Antivirus software

  5. Fault tolerance

  6. Disaster recovery

3.2 Firewalls

A firewall is a device (or sometimes a system) that prevents unauthorized access to a network from external sources. For example, any network that is connected directly to the Internet needs some kind of firewall to protect the entire network from potential intrusions originating on the Internet.


A "Firewall" may be implemented using one or more of the following technologies:

  • Proxy Server

  • Network Address Translator (NAT)

  • Packet filtering

  • Access Control Lists (ACLs)

  • DMZ

Sl. No.   Firewall technology     OSI layer at which the firewall operates
1.        Proxy service           Layer 7
2.        Packet filtering        Layers 3 and 4
3.        Stateful inspection     Layers 2, 3, and 4

Proxy servers:

    A proxy server hides network resources behind itself. For example, by using a proxy server, the internal IP addresses of a corporate network can be made invisible to the external world. It is usually a software program that runs as an application on top of the operating system. A proxy server may work at several layers of the OSI model, validating the data at each layer.

Network Address Translator (NAT):

Network Address Translation enables an internal network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box is located where the local network interfaces with the external network.

NAT serves three main purposes:

  • Hides internal IP addresses from the external network.

  • Conserves public IP address space by enabling the use of more internal IP addresses. Public IP addresses are used only for communication with the external world.

  • Provides security to the internal network resources.

There are two types of NAT widely used:

  • Static NAT

  • Dynamic NAT

Static NAT: In static NAT, a private IP address is mapped to a fixed public IP address. The public address is always the same for a given internal private IP address. The advantage of a fixed mapping of private IP to public IP is that internal resources such as a web server can be reached from the external network. The main disadvantage is that it still consumes one precious IP address from the public Internet.

Dynamic NAT: Dynamic NAT maps a private IP address to a public IP address that is dynamically selected from a pool of one or more public IP addresses. The main advantages of dynamic NAT include the following:

  • Dynamic NAT provides security to an internal network, as it masks the internal network from the external world.

  • It conserves public IP addresses by using private IP addresses on the internal network. 

One of the main disadvantages is that if you need to place a server on the internal network, such as an e-mail server, that has to be accessed from the public Internet, then you cannot use dynamic NAT. The internal e-mail server has to be given a static IP address mapping.
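The following is an added example, not part of the tutorial: a small model of a NAT box that holds both static mappings and a dynamic pool. All addresses are constructed sample values; the point it demonstrates is that an unsolicited inbound packet can only be delivered to a host with a static mapping, which is the limitation described above.

```python
# Added example (not from the tutorial): static vs. dynamic NAT in one NAT box.
from dataclasses import dataclass, field


@dataclass
class Nat:
    static: dict                                  # private IP -> fixed public IP
    pool: list                                    # public IPs free for dynamic NAT
    dynamic: dict = field(default_factory=dict)   # private IP -> leased public IP

    def outbound(self, private_ip):
        """Translate the source address of a packet leaving the internal network."""
        if private_ip in self.static:
            return self.static[private_ip]        # static: always the same address
        if private_ip not in self.dynamic:        # first packet from this host
            if not self.pool:
                return None                       # pool exhausted: packet is dropped
            self.dynamic[private_ip] = self.pool.pop(0)
        return self.dynamic[private_ip]           # reuse the lease while it exists

    def inbound(self, public_ip):
        """Find the internal host for a packet arriving from the outside."""
        for priv, pub in self.static.items():
            if pub == public_ip:
                return priv                       # static mapping: server reachable
        for priv, pub in self.dynamic.items():
            if pub == public_ip:
                return priv                       # only valid while the lease exists
        return None                               # no mapping: packet is dropped


def demo():
    # Constructed sample network: one mail server with a static mapping, two
    # public addresses in the dynamic pool, and several internal clients.
    nat = Nat(static={"10.0.0.25": "203.0.113.25"},
              pool=["203.0.113.10", "203.0.113.11"])
    return {
        "mail_server_out": nat.outbound("10.0.0.25"),   # fixed public address
        "client7_out": nat.outbound("10.0.0.7"),        # first lease from pool
        "client7_again": nat.outbound("10.0.0.7"),      # same lease reused
        "client8_out": nat.outbound("10.0.0.8"),        # second lease
        "client9_out": nat.outbound("10.0.0.9"),        # pool exhausted -> None
        "inbound_to_mail": nat.inbound("203.0.113.25"), # reachable via static NAT
        "inbound_to_unknown": nat.inbound("203.0.113.99"),  # dropped
    }
```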

Packet Filtering:

    Packet Filtering is the ability of a router or a firewall to discard packets that don’t meet certain criteria. A packet filtering router should be able to filter IP packets based on the following four fields:

  • Source IP address

  • Destination IP address

  • TCP/UDP source port

  • TCP/UDP destination port

Filtering is used to:

  • Allow/block connections from specific hosts or networks

  • Allow/block connections to specific hosts or networks

  • Allow/block connections to specific ports

  • Allow/block connections from specific ports

Packet filtering is usually performed by routers, and it is faster than proxy servers that operate at higher layers. The main disadvantage of packet filters is that they operate at layers 3 and 4 of the OSI model and cannot analyze the data carried by the traffic. As a result, it is possible for malicious applications to enter a protected network.
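As an added example (not code from the tutorial), here is a first-match packet filter that decides on exactly the four header fields listed above. The policy and packets are constructed sample values; the last result shows that two packets with identical headers get the same verdict whatever their payload, which is the layer 3/4 limitation just described.

```python
# Added example (not from the tutorial): a first-match filter over the four
# header fields (source IP, destination IP, source port, destination port).
import ipaddress

ANY = "any"


def rule(action, src, dst, sport, dport):
    """One filter rule; src/dst are CIDR networks or ANY, ports are ints or ANY."""
    return {"action": action, "src": src, "dst": dst, "sport": sport, "dport": dport}


def _match_net(net, ip):
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _match_port(port, value):
    return port == ANY or port == value


def decide(rules, pkt):
    """Return 'allow' or 'deny' for pkt; first matching rule wins, default deny."""
    for r in rules:
        if (_match_net(r["src"], pkt["src"]) and _match_net(r["dst"], pkt["dst"])
                and _match_port(r["sport"], pkt["sport"])
                and _match_port(r["dport"], pkt["dport"])):
            return r["action"]
    return "deny"                                 # implicit default deny


# Constructed policy: anyone may reach the web server on port 80, only the
# admin subnet may reach it on port 22, everything else is dropped.
RULES = [
    rule("allow", ANY, "203.0.113.25/32", ANY, 80),
    rule("allow", "198.51.100.0/24", "203.0.113.25/32", ANY, 22),
    rule("deny", ANY, ANY, ANY, ANY),
]


def demo():
    web = {"src": "192.0.2.10", "dst": "203.0.113.25", "sport": 51000, "dport": 80}
    ssh_internet = dict(web, dport=22)
    ssh_admin = dict(ssh_internet, src="198.51.100.7")
    # Same headers as `web`, different payloads: the filter never looks at them.
    pay_a = dict(web, payload=b"GET / HTTP/1.1")
    pay_b = dict(web, payload=b"anything else the filter cannot inspect")
    return {
        "web": decide(RULES, web),
        "ssh_from_internet": decide(RULES, ssh_internet),
        "ssh_from_admin": decide(RULES, ssh_admin),
        "payload_ignored": decide(RULES, pay_a) == decide(RULES, pay_b),
    }
```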

Access Control List (ACLs):

      An ACL (access control list) works in a similar way to packet filtering.

 The Demilitarized Zone (DMZ):

   A DMZ, used by most firewalls, is a network segment that is neither public nor local but halfway between. A standard DMZ setup has three network cards in the firewall computer: the first connects to the Internet, the second to the DMZ network segment, and the third to the intranet.


Copyright © 2000-2017 SimulationExams.com All rights reserved
