Today, network security techniques are using a firewall, which is generally known as a combination of hardware and software used to implement a security policy governing network traffic between two or more networks, some of which may be private as being under administrative control of a customer or network provider (e.g., organizational networks) and some of which may not be under administrative control (e.g., the Internet) also called a public network. A network firewall commonly serves as a primary line of defense against external threats to an organization's computer systems, networks, and critical information. Firewalls can also be used to partition networks isolate or interconnect VPNs.
Using other words, a Firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially Intranets having firewalls can also be used between two Intranets. All messages entering or leaving the Intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. They may also be used to interconnect private networks managed by two different administrative entities. In that case, generally, two firewalls are cascaded with an intermediate link called a DMZ, each firewall being managed by a different administrative authority.
Firewalls perform various decision-making processes and principally the in particular perform packet filtering which consists of looking at each packet entering or leaving the associated network and accepting or rejecting this packet based on user-defined rules. However, other security-related functions can be implemented in a firewall such as an application gateway by applying a security mechanism to specific applications such as FTP and Telnet servers, circuit-level gateway by applying a security mechanism when a TCP or UDP connection is established and a proxy server which enables the establishment of a connection on behalf of a client between the proxy server and destination device.
In addition to these security-related functions, firewalls can also perform routing functions that are associated with the network being protected and that are conventionally associated with a separate/individual router. Routing is the process of deciding the disposition of each packet that a routing device handles. This applies to incoming packets, outbound packets leaving a network for external destinations, and packets being routed among internal networks. Ultimately, there can be only two possibilities for the packets: forward or discard. The routing mechanism uses a routing table and a destination IP address in the packet header to make a decision.
A routing configuration that reflects the network topology is generally used so that the firewall is able to deliver legitimate packets to their desired destinations. A firewall routing table contains a list of IP network addresses for which the firewall is intended to provide routing services. If the lookup of the routing table is successful for a packet, the table provides either the address of the next router to send the packet or the interface to be used for sending the packet out. If the table lookup fails, the packet is discarded and an ICMP “unreachable” message is generally returned to the source indicating that the packet was undeliverable.
However, such routing mechanism is too dynamic and unreliable and cannot be used to implement a security policy. As such, a security technique called stateful inspection or dynamic packet filtering is often used. Whereas classic packet filtering is based only on header information on each individual packet without considering any prior packets, the stateful inspection filtering allows both complex combinations of payload (message content) and context established by prior packets to influence filtering decisions. As with packet filtering, stateful inspection is implemented as an “add-on” to routing. The principle motivation for stateful inspection is a compromise between performance and security. As a routing “add-on,” stateful inspection provides much better performance than the proxies. It also provides an increase in the level of firewall function beyond simple packet filtering. Like proxies, much more complex access control criteria can be specified and like packet filtering, stateful inspection depends on a high quality (i.e. correct) underlying routing implementation.
But, in any case, two physically different firewalls are implemented one after the other in an interconnection between Intranet networks because each network is administratively managed by a different organization that wants to have a dedicated administrative access to the firewall for defining rules and taking logs. Some of the rules are common but are run twice which decrease the overall system performance. The expense and complexity are high, and reliability is low because two serial devices are used. Configuration is more complex because there is an additional link between the two firewalls.