Packet-Filtering Firewall

Figure 2-1 Packet-Filtering Firewall
The advantage of using packet filters is that they tend to be very fast because they do not
concern themselves with upper-layer data. Some of the disadvantages of packet filtering are
as follows:
■ ACLs may be very complex and difficult to manage.
■ A packet-filtering firewall may be tricked into permitting access to an unauthorized user
who is falsely representing himself (spoofing) with an IP address that is authorized by
the ACL.
NOTE In addition to the elements just listed, some packet-filtering firewalls check header
information to determine whether the packet belongs to a new connection or an existing
connection.
[Figure 2-1 shows three seven-layer OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) labelled Source, Packet Filtering Router, and Destination.]
Firewall Technologies 29
■ Many new applications (such as multimedia applications) create multiple dynamically
negotiated connections on random ports with no way to determine which ports will be
used until the connection is established. Because access lists are manually configured, it
is very difficult to provide support for these applications without reducing the security
of the device.
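To make the spoofing and dynamic-port disadvantages above concrete, here is an added example (not from the book) of a minimal stateless packet filter in Python: it evaluates an ACL using only the source and destination addresses, protocol and destination port, so a packet whose source address has been forged to an authorized host is indistinguishable from a genuine one, and a port negotiated at run time is only reachable once the ACL is opened wide. All addresses, ports and ACL entries are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: bytes = b""  # upper-layer data: a packet filter never looks at it

@dataclass(frozen=True)
class Ace:              # one access-control entry (constructed format)
    action: str         # "permit" or "deny"
    src: str            # CIDR prefix
    dst: str
    proto: str = "any"
    dport: int = 0      # 0 = any port

def match(ace: Ace, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst)
            and ace.proto in ("any", pkt.proto)
            and ace.dport in (0, pkt.dport))

def filter_packet(acl: list, pkt: Packet) -> str:
    """First matching entry wins; implicit deny if nothing matches."""
    for ace in acl:
        if match(ace, pkt):
            return ace.action
    return "deny"

# Constructed ACL: only the admin host may reach the web server on TCP/80.
ACL = [Ace("permit", "10.1.1.5/32", "192.0.2.10/32", "tcp", 80)]
# Admitting a stream on a port chosen at run time means opening any UDP port
# from any source in the static ACL, which weakens the device.
ACL_WIDE = ACL + [Ace("permit", "0.0.0.0/0", "192.0.2.10/32", "udp")]

def decisions() -> dict:
    """Constructed packets showing the two weaknesses discussed above."""
    real = Packet("10.1.1.5", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.1")
    # Sent from elsewhere with the source forged to the admin host; nothing in
    # the header fields the ACL sees distinguishes it from 'real'.
    spoofed = Packet("10.1.1.5", "192.0.2.10", "tcp", 80, b"something else")
    media = Packet("203.0.113.7", "192.0.2.10", "udp", 40000)
    return {
        "real": filter_packet(ACL, real),              # permit
        "spoofed": filter_packet(ACL, spoofed),        # permit (same headers)
        "media_strict": filter_packet(ACL, media),     # deny: port not known ahead
        "media_wide": filter_packet(ACL_WIDE, media),  # permit, at a security cost
    }
```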
Packet filtering is a feature that is commonly used on routers. Cisco Security Appliances also
use ACLs for packet filtering. Chapter 7, “Configuring Access,” discusses the unique context
in which the Security Appliances employ ACLs.