検索

このコンテンツは選択した言語では利用できません。

Chapter 7. Firewalls

download PDF
Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.
Along with VPN solutions, such as IPsec (discussed in Chapter 6, Virtual Private Networks), firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec.
Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. Table 7.1, “Firewall Types” details three common types of firewalls and how they function:
Table 7.1. Firewall Types
Method Description Advantages Disadvantages
NAT Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several.
· Can be configured transparently to machines on a LAN
· Protection of many machines and services behind one or more external IP address(es) simplifies administration duties
· Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway
· Cannot prevent malicious activity once users connect to a service outside of the firewall
Packet Filter A packet filtering firewall reads each data packet that passes within and outside of a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
· Customizable through the iptables front-end utility
· Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level
· Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host
· Cannot filter packets for content like proxy firewalls
· Processes packets at the protocol layer, but cannot filter packets at an application layer
· Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks
Proxy Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
· Gives administrators control over what applications and protocols function outside of the LAN
· Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it, which is convenient for cutting down on unnecessary bandwidth consumption
· Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network
· Proxies are often application specific (HTTP, Telnet, etc.) or protocol restricted (most proxies work with TCP connected services only)
· Application services cannot run behind a proxy, so your application servers must use a separate form of network security
· Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service

7.1. Netfilter and iptables

The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the iptables utility.

7.1.1. iptables Overview

The power and flexibility of Netfilter is implemented through the iptables interface. This command line tool is similar in syntax to its predecessor, ipchains; however, iptables uses the Netfilter subsystem to enhance network connection, inspection, and processing; whereas ipchains used intricate rule sets for filtering source and destination paths, as well as connection ports for both. iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding all in one command line interface.
This section provides an overview of iptables. For more detailed information about iptables, refer to the Reference Guide.
Red Hat logoGithubRedditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

© 2024 Red Hat, Inc.