- The filtering points initially protect the services and, if the services are compromised, limit the ability of an attacker to proceed further into the system. Both entering and exiting traffic is filtered, either by classic routers or by dedicated firewalls.
- Public servers placed in the DMZ require proper security measures. The services are hardened, making it difficult for an attacker to compromise them.
- ALGs, also known as proxy servers, located in the DMZ sanitize the data exchange within the application flow. This is especially recommended for outbound connectivity.
- An attacker who manages to break into the DMZ may not be able to launch attacks against the trusted inside network, because the filtering points provide additional defense.

© 2006 Cisco Systems, Inc. All rights reserved.

A modern firewall device with multiple "legs" or interfaces creates multiple DMZs, each "leg network" being separated from the others by a single filtering device. The single device substitutes for the "outside" and "inside" routers of a classic DMZ, providing the same level of ingress and egress filtering. Such a setup has the benefit of being simple, manageable, and cost-effective.

The first topology in the figure illustrates a stateful firewall, also known as a stateful packet filter, with six network interfaces attached to it. One interface connects to the inside network and one to the outside network; the remaining four interfaces are for the four DMZs.

The second topology is identical to the first, except that an ALG is used as the filtering device instead of a stateful firewall.

The third topology also has four DMZs, but two stateful firewalls provide the connectivity structure instead of one. This topology provides better performance, because the filtering tasks are divided between two devices, and it provides more security through compartmentalization, but it increases the overall cost of the solution.

Each technology has advantages and disadvantages, and each one has a "best fit" role to play, depending on the needs of the security policy.

Cisco IOS Threat Defense Features
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

Packet Filtering
A packet filtering firewall selectively routes or drops IP packets based on information in the network (IP) and transport (TCP or UDP) headers. It can be implemented on routers or on dual-homed gateways.
- Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags compiled in an ACL.

Application Layer Gateway
An ALG is a firewall device that examines packets at the application layer of the Open Systems Interconnection (OSI) reference model.
- The ALG intercepts connections from the client and establishes connections to the Internet hosts on behalf of the client.

Stateful Packet Filtering
In the mid-1990s, packet filters and proxy servers were the two technologies used to build firewall systems. As the number of applications that needed to pass through firewalls increased, proxy server vendors could not keep up with the development of new proxy servers. On the other hand, packet filtering could not support the dynamic nature of many modern applications either. Thus, a new technology was born.
- Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.
- Stateful inspection additionally remembers certain details, or the state, of each request.

The State Table
The state table, or session table, is part of the internal data structure of a stateful packet filter. It tracks all the sessions and is consulted for every packet passing through the stateful packet filter firewall. Packets pass only if they have the properties that the state table predicts. The state table changes dynamically and adapts to the traffic flow. If no state exists for a packet, a state is created and entered into the state table, provided the traffic flow meets the rules the firewall allows.

Application Awareness
Stateful packet filters are application-aware through additional inspection of passing traffic. By inspecting the session more closely, up
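To make the difference between a stateless ACL and the state table concrete, here is a toy model written for this page (it is not Cisco IOS code and implements no real ACL syntax). The addressing, the web-only policy and the three sample packets are all constructed for the example: the stateless rule set must admit any outside packet that comes from a web port so that replies can return, whereas the stateful filter admits a return packet only if an inside host previously opened the matching session.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN set, i.e. a session opener

INSIDE_PREFIX = "10.0.0."   # constructed: 10.0.0.0/24 is the inside network
WEB_PORTS = (80, 443)

def stateless_acl(pkt: Packet) -> bool:
    """Stateless ACL: static per-header rules, no memory between packets.
    Constructed rule set: permit outbound TCP to web ports, and permit inbound TCP
    from web ports so replies can return. The second rule admits unsolicited traffic."""
    if pkt.src.startswith(INSIDE_PREFIX):
        return pkt.proto == "tcp" and pkt.dport in WEB_PORTS
    return pkt.proto == "tcp" and pkt.sport in WEB_PORTS

class StatefulFilter:
    """Stateful packet filter: the session table remembers sessions opened from
    inside; a packet passes only if the table predicts it or it legitimately
    opens a new session under the same constructed web-only policy."""
    def __init__(self) -> None:
        self.state = set()   # entries: (src, sport, dst, dport, proto)

    def inspect(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.state or rev in self.state:
            return True                      # expected by the state table
        if (pkt.src.startswith(INSIDE_PREFIX) and pkt.proto == "tcp"
                and pkt.dport in WEB_PORTS and pkt.syn):
            self.state.add(fwd)              # no state yet: create it
            return True
        return False                         # no state and not a permitted opener

def run_demo() -> dict:
    """Three constructed packets: an inside web request, its reply, and an
    unsolicited outside packet that merely carries source port 80."""
    fw = StatefulFilter()
    request = Packet("10.0.0.5", 40000, "203.0.113.7", 80, "tcp", syn=True)
    reply = Packet("203.0.113.7", 80, "10.0.0.5", 40000, "tcp")
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 445, "tcp")
    flows = (request, reply, unsolicited)
    return {"stateless": [stateless_acl(p) for p in flows],
            "stateful": [fw.inspect(p) for p in flows]}
```

Running `run_demo()` shows the stateless ACL passing all three packets, while the stateful filter passes the request and its reply but drops the unsolicited packet because no session entry predicts it.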