C03-101
Firewall types: packet-filtering firewall, stateful inspection firewall, proxy (circuit-level gateway, application-level gateway), hybrid firewall.
Packet-filtering firewall: decides on each packet from its IP, TCP, UDP or ICMP header (source and destination IP address, protocol such as TCP or UDP, and TCP/UDP port numbers). Example rule set allowing internal hosts (10.0.0.x) to reach external web servers on port 80 and the replies to come back:

  Protocol   Source      Src port   Destination   Dst port
  TCP        10.0.0.x    High       Any           80
  TCP        Any         80         10.0.0.x      High
Where packet filtering is implemented: operating systems; routers (e.g. IOS ACL); specific network services; network devices (e.g. L3/L4 switch).
Stateful inspection firewall: filters more granularly than a plain packet filter by monitoring the state of each connection at all times.

[Figure: stateful inspection example. Connection table entry for TCP 102.1.1.2 port 6431 to 210.2.2.1 port 80. The SYN/ACK from 210.2.2.1:80 and the following ACK of the same connection match the entry and are allowed (OK).]
Proxy server firewalls: circuit-level gateway and application-level gateway.

Circuit-level gateway: relays TCP connections (works at the TCP layer over IP); the IETF standard is SOCKS.
[Figure: circuit-level gateway relaying connections, with Out and In directions shown.]
Handles TCP/IP traffic: TCP and UDP (and ICMP).

Application-level gateway (proxy): one proxy per application protocol (e.g. an HTTP proxy; FTP and HTTP URL handling); typical protocols: HTTP, SMTP, DNS, IM. Can inspect contents (e.g. HTTP, FTP, e-mail) and perform user authentication.
[Table: comparison of firewall types by OSI layer.]
Hybrid firewall.
DMZ (demilitarized zone), also called screened subnet or perimeter network.
Firewall architectures: dual-homed host, screened host firewall, screened subnet firewall.
Dual-homed host: a bastion host with two network interfaces placed between the Internet and the intranet.
Screened host firewall: a screening router in front of the bastion host.
Screened subnet firewall: screening routers on both sides of the screened subnet, separating it from the Internet and the intranet.
DMZ
A DMZ is a network segment between the Internet and the internal network; servers that must be reachable from the Internet (e.g. web server, DNS server) are placed in the DMZ.
Three-homed firewall DMZ: a single firewall with three interfaces (Internet, DMZ, internal network).
VPN