Firewall Technologies

A variety of firewall technologies exist:
■ Packet filtering—A packet filter (such as an access list on a router)
permits or denies packets based on information in the Layer 3 or Layer
4 packet headers.
■ Application layer gateway—An application layer gateway (ALG) is a
piece of software that intercepts application layer requests between the
endpoints of a network conversation. The ALG typically passes
requests from a client to a server and vice versa after inspecting the
application layer packets to ensure that they pass configured security
criteria. In some circumstances, the ALG may change the contents of
packets moving in either direction.
■ Stateful packet filtering—A stateful packet filter combines aspects of
a packet filter and an ALG. The attributes of each communications
session are maintained in a state table. Only packets whose attributes
match the rules of the state table are permitted to pass. For example,
an HTTP response packet would typically only be allowed to pass if it
is a response to a query packet that was previously permitted by the
firewall. Modern stateful packet filters are also capable of tracking
complex information about application sessions. For example, a Voice
over IP (VoIP)-aware stateful firewall would typically be able to
“know” that it should dynamically open UDP ports for a Real-time
Transport Protocol (RTP) session based on information gained from
examining the call setup traffic that takes place inside various call-control
protocols
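
The difference between a packet filter and a stateful packet filter, as an added example that is not part of the original notes: a toy state table that admits inbound packets only when they mirror a session opened from inside or match a dynamically opened pinhole. The Packet type, the addresses, the 10.0.0. inside prefix, and the open_pinhole hook (standing in for call-setup inspection, which is not modelled) are assumptions made for the illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

INSIDE = "10.0.0."  # constructed inside prefix for the example

def stateless_acl(p: Packet) -> bool:
    """Packet filter: judges each packet on its own L3/L4 header fields."""
    if p.src.startswith(INSIDE):
        return p.proto == "tcp" and p.dport == 80
    return p.proto == "tcp" and p.sport == 80  # merely "looks like" an HTTP reply

class StatefulFilter:
    def __init__(self, allowed_outbound):
        self.allowed_outbound = allowed_outbound  # {(proto, dport)}
        self.sessions = set()  # state table: sessions opened from inside
        self.pinholes = set()  # dynamically opened (proto, peer, host, port)

    def open_pinhole(self, proto, peer, host, port):
        """Hypothetical hook: called by call-setup inspection (not modelled)
        once it has learned the media address and port for a session."""
        self.pinholes.add((proto, peer, host, port))

    def check(self, p: Packet) -> bool:
        if p.src.startswith(INSIDE):
            if (p.proto, p.dport) not in self.allowed_outbound:
                return False
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: must mirror a tracked session or hit an open pinhole.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        return (p.proto, p.src, p.dst, p.dport) in self.pinholes

if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges).
    fw = StatefulFilter({("tcp", 80)})
    query = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80)
    reply = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000)
    stray = Packet("tcp", "203.0.113.10", 80, "10.0.0.7", 40000)
    print(fw.check(stray), fw.check(query), fw.check(reply), stateless_acl(stray))
```

The stray packet with source port 80 passes the stateless rule but is dropped by the stateful filter, because no inside host opened that session.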