Firewall Fundamentals

Internet Security is a lot more than a firewall and a security policy. Internet Security involves deterrence, detection, and response.

A firewall is the primary deterrence device used in a network. Understanding the basic features of a firewall will help in choosing a firewall that meets the needs of a business. The three firewall categories are: Packet Filtering, Stateful Inspection, and Application Proxy.

The Packet Filtering firewall is the simplest firewall technology. It filters TCP/IP traffic based on the source or destination IP address and/or the port of each individual packet. This firewall does not track the TCP/IP session, so it is possible to "hijack" a session and gain access to a protected network. It also does not analyze the packet for malformed data or unauthorized commands. The big advantage of this technology is speed: it is the fastest firewall technology, and a router can usually perform the function of a packet filtering firewall.

A Stateful Inspection firewall adds features to the packet filter firewall. This firewall tracks the entire TCP/IP session, which makes it much more difficult to "hijack" a session or insert unauthorized packets into the data stream.
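The difference between the two preceding paragraphs, as an added illustration that is not part of the original article: a packet filter that decides on address and port alone beside a minimal stateful filter that follows the TCP handshake per connection. The policy, addresses, port numbers and packets are all constructed for the example; the final packet is an ACK from a host that never opened a session, which the packet filter admits and the stateful filter drops.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)

# Constructed policy: only the internal web server 10.0.0.5 on TCP/80 is reachable.
ALLOWED_SERVICES = {("10.0.0.5", 80)}

def stateless_filter(p: Packet) -> bool:
    """Packet filter: decides on address and port alone, never on session state."""
    return (p.dst, p.dport) in ALLOWED_SERVICES or (p.src, p.sport) in ALLOWED_SERVICES

class StatefulFilter:
    """Tracks the TCP handshake per 4-tuple; packets belonging to no session are dropped."""
    def __init__(self) -> None:
        self.sessions: dict[tuple, str] = {}  # (src, sport, dst, dport) -> state

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # same session, seen from the reply side
        if p.flags == "S" and (p.dst, p.dport) in ALLOWED_SERVICES:
            self.sessions[fwd] = "SYN_SENT"      # new session the policy permits
            return True
        if p.flags == "SA" and self.sessions.get(rev) == "SYN_SENT":
            self.sessions[rev] = "SYN_RECV"      # reply to a SYN this firewall saw
            return True
        if p.flags == "A":
            if self.sessions.get(fwd) == "SYN_RECV":
                self.sessions[fwd] = "ESTABLISHED"  # handshake completes
                return True
            if "ESTABLISHED" in (self.sessions.get(fwd), self.sessions.get(rev)):
                return True                      # data inside a known session
        return False                             # matches no session: drop

def run_both(packets: list) -> list:
    """Returns (packet-filter verdict, stateful verdict) for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.allow(p)) for p in packets]

# Constructed traffic: a legitimate handshake, then an ACK from an outside host that
# claims to be mid-session with the web server without ever having opened one.
CLIENT, SERVER, OUTSIDER = "192.0.2.10", "10.0.0.5", "198.51.100.7"
SAMPLE = [
    Packet(CLIENT, 40000, SERVER, 80, "S"),
    Packet(SERVER, 80, CLIENT, 40000, "SA"),
    Packet(CLIENT, 40000, SERVER, 80, "A"),
    Packet(OUTSIDER, 4444, SERVER, 80, "A"),  # passes the packet filter, dropped by stateful
]
```

Real stateful firewalls also track sequence numbers, timeouts and teardown (FIN/RST), which this sketch omits; `run_both(SAMPLE)` shows the verdict pairs for the four packets.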

A more advanced Stateful Inspection firewall, such as the Cisco PIX and the Check Point FireWall-1, can analyze some payload information looking for malformed data and unauthorized commands. This class of firewall may also include additional features such as Intrusion Detection Systems, Domain Name System (DNS) services, AAA authentication, Virtual Private Networking, and others.

A Stateful Inspection firewall offers very good security combined with very fast performance.

The Application Proxy firewall is the most secure firewall; however, it is also very slow compared to Packet Filter and Stateful Inspection firewalls. The increased security comes from two features. First, the Application Proxy does not allow the two communicating devices to talk directly to each other: each device communicates only with the firewall. Second, the firewall tears down each packet, analyzes it for malformed data (as defined by the protocol's RFC) and for unauthorized commands, then rebuilds the packet and sends it to the destination. This analysis can only occur if the firewall has a proxy application written to analyze that type of traffic (HTTP, SMTP, Telnet, FTP, etc.).

The Application Proxy firewall usually includes other features such as Intrusion Detection Systems, Domain Name System (DNS) services, AAA authentication, Virtual Private Networking, and others.