4.3 About packet inspection
Before investing in a firewall appliance or software that claims to
provide packet-level intrusion prevention, it is important that
certain nuances of terminology be clarified (so you know what
you’re getting). Trying to pass a set of “words” to a vendor is
useless without clarity of definitions. What do all these terms mean
(see FYI 4.1)?
4.3.1 Selecting a firewall
A clear threatscape defense architecture begins to emerge, one
that portrays a firewall collective as an array of security tools—one
that is manageable under one roof with software and servers
working in concert to provide a secure computing environment.
The following sections aptly examine the strengths and weaknesses
of several of the market’s best solutions. Ultimately, the pass/fail
indicators of any firewall system are the following questions:
How well does it handle unknown attacks? How well can it defend,
can it recognize, and can it respond? Any system connected to
the Internet is subjected to daily access attempts; its ports are
scanned, probed, and checked perhaps hundreds of times per day,
even per hour.
What to expect
What can a firewall do against all this? Many routers provide basic
packet filtering, but as I have mentioned to many clients, this is only
the foundation of a good system. A router’s packet filtering is usually
quite simple, and it is expected that it will only act as a subsidiary
firewall device. As has been mentioned before in this book, a
firewall is a policy that encapsulates the entire security philosophy.
A “Firewall” may also be marketed by marketers (who else?) as a
single device, usually a computer, that straddles a network connection
and prevents all that is “bad” on one side—the outside—from
getting through to the inside. How does it do this?
Most firewalls will allow the administrator to configure the most
common protocols that are known by the administrator to be used
in the firewall environment. If there are DNS, FTP, web, file, e-mail,