Type of Firewall and Placement
I have compiled the following for sharing. If it is incorrect, please do let me know.
Firewall Generation / Firewall Type / Characteristic / OSI Layer

Generation 1 Firewall: Packet Filtering
- Characteristic: Examines both the source and destination addresses of the incoming data packet and applies ACLs to them.
- OSI Layer: Layer 3 (Network Layer) or Layer 4 (Transport Layer)

Generation 2 Firewall: Proxy Server
- Application and Circuit FW are the only types of proxy based firewall
- 2 types of proxy firewall:
  1) Circuit-level proxy
  - Often called a Proxy Server. It works by transferring a copy of each accepted data packet from one network to another.
  - Looks only at the packet header information, i.e. makes decisions based on header information and not on the protocol structure, e.g. a SOCKS firewall.
  - OSI Layer: Layer 5 (Session Layer)
  2) Application proxy
  - Looks deep into packets and makes granular access control decisions. It requires one proxy per protocol.
  - OSI Layer: Layer 7 (Application Layer)

Generation 3 Firewall: Stateful Inspection
- Characteristic: Packets are captured by the inspection engine operating at the network layer and then analyzed at all layers.
- OSI Layer: Layer 3 (Network Layer)

Generation 4 Firewall: Dynamic Packet Filtering
- Characteristic: Makes informed decisions on the ACLs to apply.
- OSI Layer: Layer 3 (Network Layer)

Generation 5 Firewall: Kernel Proxy
- Characteristic:
  - Very specialized architecture that provides modular, kernel-based, multi-layer evaluation and runs in the NT executive space.
  - Faster because processing is done in the kernel.
  - One network stack is created for each packet.
- OSI Layer: Layer 7 (Application Layer)

Notes:
1) Application and Circuit are the only types of proxy-based firewall.
2) Packet-filtering and stateful firewalls do not use a proxy.
RADIUS / DIAMETER / TACACS / TACACS+

RADIUS
- Model: Client-Server
- Transport: UDP
- AAA: Combines authentication, authorization and accounting services
- Encryption: User name is not encrypted; only the password is encrypted between the RADIUS client and the RADIUS server
- Supports 2^8 attribute-value pairs
- Authentication: Can use multiple authentication types (PAP, CHAP, EAP). Remote Authentication Dial-In User Service (RADIUS) is an authentication protocol that allows users to dial into an environment and authenticate over a PPP or SLIP connection
- Ports: UDP port 1812 (Authentication) and 1813 (Accounting/auditing)
- Typical use: Used by ISPs

DIAMETER
- Model: Peer-to-Peer (RADIUS and TACACS+ are client-server)
- Transport: TCP
- AAA: Authentication and authorization are not done by the Diameter base protocol but by Diameter applications
- Supports 2^32 attribute-value pairs
- Security: Uses IPsec or TLS
- Typical use: Mobile IP (wireless device technology)

TACACS
- Model: Client-Server
- Transport: TCP
- AAA: Separates authentication, authorization and accounting services
- Authentication: Users send an ID and a static (reusable) password for authentication
- Protocols: PPP, AppleTalk, NetBIOS, IPX and others

TACACS+
- Model: Client-Server
- Transport: TCP
- AAA: Separates authentication, authorization and accounting services
- Encryption: The entire TACACS+ packet is encrypted
- Protocols: PPP, AppleTalk, NetBIOS, IPX and others
- Port: TACACS+ uses TCP port 49

Diameter advantages over RADIUS:
- Diameter uses the more reliable TCP protocol instead of UDP
- A Diameter session can be encrypted with SSL (TLS)
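The generation 1 versus generation 3 distinction from the firewall table, as an added simulation that is not part of the original post: a stateless packet filter has to admit "replies" on header fields alone, so an outside packet forged with source port 80 and the ACK bit set passes it, while a stateful inspection engine admits inbound packets only when they match a connection an inside host opened first. The addresses, ports and packet structure are constructed for the example and stand in for real traffic.

```python
"""Generation 1 (stateless packet filtering) vs generation 3 (stateful inspection).

Added simulation with constructed packets, not code from any firewall product.
Policy for both engines: inside hosts (10.0.0.0/24, constructed) may open TCP
connections to port 80 outside; nothing else may come in.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


def inside(ip: str) -> bool:
    return ip_address(ip) in INSIDE


def stateless_allow(pkt: Packet) -> bool:
    """Layer 3/4 ACL with no memory between packets.
    Rule 1: inside -> outside, dport 80: permit.
    Rule 2: outside -> inside, sport 80 with ACK set: permit. This is the only
            way a stateless box can let replies back in, and it is also the hole.
    Default: deny."""
    if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 80:
        return True
    if not inside(pkt.src) and inside(pkt.dst) and pkt.sport == 80 and "A" in pkt.flags:
        return True
    return False


class StatefulInspector:
    """Same policy, but replies are admitted only if they match a connection
    that an inside host opened first; the connection table is the 'state'."""

    def __init__(self) -> None:
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if inside(pkt.src) and not inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 80 and pkt.flags == "S":
                self.table.add(key)          # new connection opened from inside
                return True
            return key in self.table         # later outbound packets of that connection
        if not inside(pkt.src) and inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.table:
                return False                 # no inside host asked for this
            if "F" in pkt.flags or "R" in pkt.flags:
                self.table.discard(key)      # simplified teardown on FIN/RST
            return True
        return False


# Constructed traffic: a legitimate web fetch followed by a forged packet that
# spoofs source port 80 plus ACK to reach a listener on an inside host.
LEGIT_SYN = Packet("10.0.0.5", 51000, "203.0.113.9", 80, "S")
LEGIT_SYN_ACK = Packet("203.0.113.9", 80, "10.0.0.5", 51000, "SA")
FORGED_ACK = Packet("203.0.113.9", 80, "10.0.0.5", 4444, "A")


def verdicts(packets):
    """Return {packet: (stateless_verdict, stateful_verdict)} for a packet sequence."""
    engine = StatefulInspector()
    return {p: (stateless_allow(p), engine.allow(p)) for p in packets}


if __name__ == "__main__":
    for pkt, (stateless, stateful) in verdicts([LEGIT_SYN, LEGIT_SYN_ACK, FORGED_ACK]).items():
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={'permit' if stateless else 'deny'} "
              f"stateful={'permit' if stateful else 'deny'}")
```

Both engines permit the legitimate SYN and SYN-ACK; only the stateless filter permits the forged ACK, because the stateful engine has no table entry for 10.0.0.5:4444. Real stateful engines also track sequence numbers and time out idle entries, which this simulation leaves out.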
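The encryption rows of the AAA table (RADIUS hides only the password, TACACS+ hides the whole packet body), as an added example that is not from the original post. It implements the User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5 with a constructed shared secret, user name and password, builds one RADIUS Access-Request and one TACACS+ authentication START packet, and then checks which fields are still readable in each.

```python
"""RADIUS vs TACACS+ on the wire: what the shared secret actually hides.

Added example; all values are constructed, not captured traffic. Implements the
User-Password hiding of RFC 2865 5.2 and the body obfuscation of RFC 8907 4.5,
then checks which fields survive in clear text.
"""
import hashlib
import struct

# Constructed test values (not from any real deployment)
SECRET = b"s3cr3t-shared-key"
USERNAME = b"alice"
PASSWORD = b"Correct-Horse-Battery"


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then per block
    c_i = p_i XOR MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def _radius_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length (1 byte, includes these two), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, request_auth: bytes) -> bytes:
    """Code 1 = Access-Request; attributes User-Name (1) and User-Password (2).
    User-Name goes on the wire as-is; only User-Password is hidden."""
    attrs = _radius_avp(1, username) + _radius_avp(2, radius_hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: body XOR pseudo_pad, where MD5_1 = MD5(session_id, key, version, seq_no)
    and MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}). XOR is its own inverse."""
    fixed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = _md5(fixed, prev)
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_plus_authen_start(username: bytes, port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.10") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    authen_service=LOGIN(1), four length bytes, then the variable-length fields."""
    data = b""
    return (struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(username), len(port), len(rem_addr), len(data))
            + username + port + rem_addr + data)


def tacacs_plus_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-byte header (version 0xc0, type 1 = authentication, flags 0, session_id,
    body length) followed by the obfuscated body. The header is always in clear."""
    version = 0xC0
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_plus_obfuscate(body, key, session_id, version, seq_no)


def compare_exposure() -> dict:
    """Which sensitive fields appear in clear text in each protocol's packet?"""
    request_auth = bytes(range(16))      # constructed; real clients use random bytes
    radius_pkt = radius_access_request(7, USERNAME, PASSWORD, SECRET, request_auth)
    tacacs_pkt = tacacs_plus_packet(tacacs_plus_authen_start(USERNAME), SECRET, 0x0000BEEF)
    return {
        "radius_username_in_clear": USERNAME in radius_pkt,
        "radius_password_in_clear": PASSWORD in radius_pkt,
        "tacacs_username_in_clear": USERNAME in tacacs_pkt,
    }
```

`compare_exposure()` reports the user name readable in the RADIUS packet but not in the TACACS+ packet, and the password readable in neither. Note that neither mechanism is encryption in the modern sense: both are MD5 keystreams derived from the shared secret, so anyone holding the secret and a capture recovers the plaintext, which is why RFC 8907 calls the TACACS+ mechanism "obfuscation" and why the Diameter column lists IPsec or TLS instead.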
Comments
Spin Lock:
Thanks for taking the time to put this together and for sharing it.
I've got two comments about the AAA chart:
1. TACACS, I believe, supports both TCP and UDP.
2. Your chart describes DIAMETER as a peer to peer protocol, which I've seen it referred to as well. However, DIAMETER still defines systems as clients and servers. So when a user authenticates, it will be with a DIAMETER client which then sends that information to a DIAMETER server. The point I'm trying to make is, not to get confused and assume "peer to peer" means any DIAMETER node can perform client and server duties simultaneously.
RFC 3588 defines DIAMETER, and this is what it says about DIAMETER being a peer to peer implementation:
"Any node can initiate a request. In that sense, Diameter is a peer-to-peer protocol. ... A Diameter client generates Diameter messages to request authentication, authorization, and accounting services for the user. A Diameter agent is a node that does not authenticate and/or authorize messages locally; agents include proxies, redirects and relay agents. ... A Diameter server performs authentication and/or authorization of the user. A Diameter node MAY act as an agent for certain requests while acting as a server for others."
Sirkassad:
I realize I'm a little late to the 'firewall' party, but you did say if we have any corrections to let you know. In your 2nd generation firewall you have proxy server and you say:
Generation 2 Firewall
Application and Circuit FW are the only types of proxy based firewall
Which is wrong, because the 5th generation 'Kernel Proxy' firewall (you even call Kernel a proxy firewall, so you should have caught it yourself) is also a proxy-based firewall, meaning that the Application Proxy, Circuit-level Proxy, and Kernel Proxy firewalls all break the connection between sender and receiver and act as the middleman. The main difference is that the Kernel builds a 'virtual' protocol stack based on the type of application packet it receives.