What does a firewall do?

How does a firewall work?

What about network architecture?

What types of firewalls are there?

How do I protect against IP spoofing?

  What does a firewall do?

A firewall sits at the junction point or gateway between two networks - your LAN and the public network it is exposed to - examining all inbound and outbound traffic for certain criteria. Traffic that does not meet specified criteria is stopped.


  How does a firewall work?

Firewalls use two basic denial methodologies. Either all traffic is allowed through except traffic that matches specified deny criteria, or all traffic from the outside is stopped except traffic that matches specified allow criteria.

 Firewalls are also configured to check for certain types of traffic, or examine source or destination addresses and ports.


  What about network architecture?

How a firewall determines what traffic to let through depends on a network's protocol architecture, and within that architecture, which of seven network layers it operates at.  

The TCP/IP (Transmission Control Protocol/Internet Protocol) architecture is the de facto standard for open systems communications over the Internet. Most LANs follow the Open Systems Interconnection (OSI) architecture.

Firewalls operate at different layers to use different criteria to restrict traffic. Of the seven OSI layers, the lowest level a firewall can operate at is layer 3, the network layer, comparable to the IP layer of the TCP/IP model. The lower in the stack the packet is intercepted, the more secure the firewall.


  What types of firewalls are there?

There are four basic types of firewalls: packet filters, circuit-level gateways, application gateways, and stateful multilayer inspection firewalls.

Packet filtering firewalls apply a series of simple checks based on the source and destination IP addresses and ports. Packet filters are frequently located on routers, devices that receive packets from one network and forward them to another. As a result, they work at the network (layer 3) level. The advantages of packet filtering are its low cost and low impact on network performance.

Circuit-level gateways are similar to packet filters except that they allow unknown traffic only up to the session (level 4) layer of the OSI protocol stack, or the TCP layer of TCP/IP. Traffic is filtered based on specific session rules, such as when a session is initiated by a recognized computer. Circuit-level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect.

Application level gateways perform strong user authentication to ensure the person at the other end of the IP connection is who they claim to be, providing much higher security. Being application specific, they can filter packets at the application layer (level 5) of the OSI model. Traffic is filtered based on rules for a specific application (such as a browser) or protocol (FTP, gopher, telnet, X11).

Stateful multilayer inspection firewalls are a hybrid of the above-mentioned firewalls. Traffic is filtered at three levels based on a wide range of specified application, session and packet filtering rules. Such scrutiny can determine whether session packets are legitimate, and evaluate packet contents at the application layer, which allows trusted internal users through while forcing external users to identify themselves. More complex than the other three firewall types, multilayer inspection firewalls are also generally more expensive.
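An added example, not part of the original FAQ: a toy stateful multilayer inspection firewall in Python that combines the three levels of checking the paragraph describes. It tracks TCP sessions so that only connections opened from the inside are allowed to receive replies, and it applies one application-layer rule on top. The LAN range, hosts, flags and packets are constructed for illustration and do not reflect any real product.

```python
# Added example (not from the original page): a toy stateful multilayer inspection
# firewall. The LAN range, hosts and packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the private network being protected
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag: set on the segment that opens a connection
    ack: bool = False       # TCP ACK flag
    payload: bytes = b""    # application data carried by the segment


class StatefulFirewall:
    """Packet, session and application checks combined, as the text describes."""

    def __init__(self):
        # Established flows, stored as (client, client_port, server, server_port).
        self.sessions = set()

    def process(self, pkt: Packet) -> str:
        if not self._session_check(pkt):
            return "deny"
        if not self._application_check(pkt):
            return "deny"
        return "allow"

    def _session_check(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to a session the firewall already approved pass in either direction.
        if flow in self.sessions or reverse in self.sessions:
            return True
        # Only internal hosts may open a new session (a bare SYN, not a SYN/ACK);
        # an external host sending a SYN or an unsolicited data segment is refused.
        if ip_address(pkt.src) in INTERNAL and pkt.syn and not pkt.ack:
            self.sessions.add(flow)
            return True
        return False

    def _application_check(self, pkt: Packet) -> bool:
        # Layer-7 rule: data sent by an internal client to port 80 must look like HTTP.
        if pkt.dport == 80 and pkt.payload and ip_address(pkt.src) in INTERNAL:
            return pkt.payload.startswith(HTTP_METHODS)
        return True


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.process(Packet("203.0.113.9", 4444, "10.0.0.5", 80, syn=True)))   # deny
    print(fw.process(Packet("10.0.0.5", 51000, "203.0.113.9", 80, syn=True)))  # allow
    print(fw.process(Packet("203.0.113.9", 80, "10.0.0.5", 51000, syn=True, ack=True)))  # allow
```

The session table is what makes the same external address acceptable in one case (a reply to a connection the LAN opened) and unacceptable in another (an unsolicited connection attempt); a stateless packet filter cannot tell these apart without opening a whole port range in both directions.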


  How do I protect against IP spoofing?

A firewall may be instructed to allow traffic through if it comes from a specific trusted host. However, a hacker with knowledge about the firewall's rule base could gain entry by "spoofing" the source IP address of packets sent to the firewall. An effective countermeasure is a Virtual Private Network (VPN) involving encryption of the packet data and source code.
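An added example, not part of the original FAQ: a Python source-address sanity check that a firewall can run before any trusted-host rule, so that a packet arriving on the outside interface while claiming an inside address is dropped instead of being matched against the rule base. The interface names, the LAN range and the trusted host are constructed for illustration.

```python
# Added example (not from the original page): source-address sanity checks that blunt
# the spoofing attack described above, applied before any trusted-host rule.
# Interface names, ranges and the trusted host are constructed.
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # constructed: addresses that live on the LAN
IMPOSSIBLE_SOURCES = [ip_network("127.0.0.0/8"),    # loopback can never arrive from a wire
                      ip_network("0.0.0.0/8")]
TRUSTED_HOSTS = {"10.0.0.5"}  # constructed: a host the rule base lets through


def is_internal(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def ingress_check(iface: str, src: str) -> str:
    """Drop a packet whose source address cannot legitimately appear on the interface it arrived on."""
    addr = ip_address(src)
    if any(addr in net for net in IMPOSSIBLE_SOURCES):
        return "drop"
    if iface == "external" and is_internal(src):
        return "drop"   # an outside packet claiming an inside address is spoofed
    if iface == "internal" and not is_internal(src):
        return "drop"   # an inside host claiming an outside address (egress filtering)
    return "pass"


def admit(iface: str, src: str) -> str:
    """Trusted-host rule, evaluated only after the source address passed the sanity check."""
    if ingress_check(iface, src) == "drop":
        return "deny"
    return "allow" if src in TRUSTED_HOSTS else "deny"


if __name__ == "__main__":
    print(admit("external", "10.0.0.5"))   # deny: trusted address, but on the wrong side
    print(admit("internal", "10.0.0.5"))   # allow
    print(admit("external", "203.0.113.9"))  # deny: passes the check, but is not trusted
```

This check only defeats forged addresses that belong on the other side of the firewall. If the trusted host is itself outside, a forged packet is indistinguishable from a genuine one by address alone, which is why the text recommends a VPN rather than trusting the source address.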
