24/7 Solutions - Hardware firewalls


A firewall is a combined hardware and software system that divides a network into two or more segments and enforces a rule set defining the conditions under which packets may pass into the protected segment. As a rule this boundary is drawn between the enterprise's local network and the Internet, although it may also be drawn inside a local network. The firewall therefore passes all traffic through itself and, for every packet, decides whether to let it through or not. To make these decisions it must be given a set of rules.

[Figure: hardware firewall scheme]

Firewalls usually run under UNIX, most often BSDI, SunOS, AIX or IRIX; sometimes under Cisco IOS, DOS, VMS or Windows NT. Hardware platforms include Cisco, Intel, Sun SPARC, RS/6000, Alpha, HP PA-RISC and the R4400-R5000 family of RISC processors. Besides Ethernet, many firewalls support FDDI, Token Ring, 100Base-T, 100VG-AnyLAN and various serial devices. RAM and disk requirements depend on the number of machines in the protected network segment, but at least 32 MB of RAM and 500 MB of disk is usually recommended.

The operating system under which the firewall runs is modified to harden the firewall itself. These changes affect both the OS kernel and the corresponding configuration files. Some firewalls run only in single-user mode. Hardware firewalls include an integrity check of their program code: checksums of the executables are stored in a protected location and compared at program start so that the software cannot be substituted.
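The start-up integrity check described above, as an added Python illustration (not the page's or any vendor's code): a manifest of SHA-256 digests is recorded at install time and compared against the executables before they are allowed to run. The file names, their contents and the choice of SHA-256 are assumptions made for the demo; in a real product the manifest would live in the protected storage the text refers to.

```python
"""Checksum-based integrity check for firewall executables (added example).

The manifest of expected SHA-256 digests stands in for the "protected place"
the text mentions; the sample files are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

HASH = "sha256"  # assumption: any collision-resistant hash would do


def digest_file(path, chunk=65536):
    """Return the hex digest of a file, read in chunks so large binaries fit."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Record the expected digest of every executable at install time."""
    return {p: digest_file(p) for p in paths}


def verify_manifest(manifest):
    """Return the paths whose current digest differs from the recorded one
    (or which are missing). An empty list means start-up may proceed;
    anything else indicates substituted or missing software."""
    bad = []
    for path, expected in manifest.items():
        if not os.path.exists(path):
            bad.append(path)
            continue
        # constant-time compare: do not leak how many hex digits matched
        if not hmac.compare_digest(digest_file(path), expected):
            bad.append(path)
    return bad


def demo():
    """Constructed scenario: two 'binaries', one of which gets replaced."""
    tmp = tempfile.mkdtemp()
    fwd = os.path.join(tmp, "fwd")          # hypothetical firewall daemon
    proxy = os.path.join(tmp, "http-gw")    # hypothetical HTTP proxy
    with open(fwd, "wb") as f:
        f.write(b"\x7fELF original firewall daemon")
    with open(proxy, "wb") as f:
        f.write(b"\x7fELF original http proxy")
    manifest = build_manifest([fwd, proxy])
    clean = verify_manifest(manifest)       # nothing changed yet -> []
    with open(proxy, "wb") as f:            # attacker swaps in a trojaned proxy
        f.write(b"\x7fELF trojaned http proxy")
    tampered = verify_manifest(manifest)    # -> [proxy]
    return clean, [os.path.basename(p) for p in tampered]


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the storage of the manifest: if an attacker who can replace a binary can also rewrite the digest list, the comparison proves nothing, which is why the text insists the checksums are kept in a protected place.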

Firewalls can be divided into three types:

  • packet filters
  • application-level gateways
  • circuit-level gateways

All three types can be combined in a single firewall.

Packet filters

Packet-filtering firewalls decide whether to pass a packet by inspecting the IP addresses, flags and TCP port numbers in its header. The IP address and port number are network-layer and transport-layer information respectively, but packet filters also use application-layer information indirectly, since every standard TCP/IP service is associated with a well-known port number.
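A first-match packet filter of the kind just described, as an added Python example (not code from the page): rules are matched on protocol, arrival interface, source and destination networks, destination port and the TCP ACK flag, and a packet matching no rule is dropped. The rule set, the addresses, the interface names "inside" and "outside", and the sample packets are all constructed for the illustration.

```python
"""Stateless packet filter with first-match rules (added example).

Rule fields, addresses, interface names and sample packets are constructed
for illustration and are not taken from any real product.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    iface: str          # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass
class Rule:
    action: str                     # "ACCEPT" or "DROP"
    proto: str                      # "tcp", "udp" or "any"
    src: str                        # source network in CIDR form
    dst: str                        # destination network in CIDR form
    dport: Optional[int] = None     # destination port, None = any
    iface: str = "any"
    established_only: bool = False  # match only packets carrying ACK, i.e. not a fresh SYN

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.iface != "any" and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established_only and not p.ack:
            return False
        return True


LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"

RULES = [
    # 1. anti-spoofing: a packet arriving from outside must not claim a LAN source
    Rule("DROP", "any", LAN, ANY, iface="outside"),
    # 2. the LAN may talk to web servers anywhere (80 is HTTP's well-known port)
    Rule("ACCEPT", "tcp", LAN, ANY, dport=80, iface="inside"),
    # 3. replies to LAN-initiated connections: only packets with ACK set
    Rule("ACCEPT", "tcp", ANY, LAN, iface="outside", established_only=True),
    # 4. the internal mail server accepts SMTP from anywhere
    Rule("ACCEPT", "tcp", ANY, "192.168.1.25/32", dport=25, iface="outside"),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """First matching rule wins; no match means DROP (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "DROP"


# Constructed traffic sample
SAMPLES = {
    "lan web request":    Packet("tcp", "inside",  "192.168.1.10", "203.0.113.5",  40000, 80, syn=True),
    "web reply":          Packet("tcp", "outside", "203.0.113.5",  "192.168.1.10", 80, 40000, syn=True, ack=True),
    "inbound smtp":       Packet("tcp", "outside", "198.51.100.7", "192.168.1.25", 51000, 25, syn=True),
    "inbound ssh probe":  Packet("tcp", "outside", "198.51.100.7", "192.168.1.10", 51001, 22, syn=True),
    "spoofed lan source": Packet("tcp", "outside", "192.168.1.10", "192.168.1.25", 51002, 25, syn=True),
    "ack scan":           Packet("tcp", "outside", "198.51.100.7", "192.168.1.10", 51003, 22, ack=True),
}


def run_samples():
    return {name: filter_packet(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

Rule 1 is the check that blunts the IP-spoofing weakness discussed later on this page. The "ack scan" verdict shows the limit of a purely stateless filter: rule 3 has to admit any inbound packet with ACK set, so a probe that carries ACK but belongs to no real connection passes too; only a filter that tracks connection state can tell the two apart.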

Application-level gateways

Application-gateway firewalls use a dedicated server for each specific service (TELNET, FTP, HTTP). This proxy server runs on the hardware firewall and passes all traffic for the given service through itself. Two connections are therefore formed between the client and the server: one from the client to the firewall and one from the firewall to the destination.

The full set of supported proxies differs from one firewall to another, but proxies for the following services are the most common:

  • Telnet, rlogin
  • FTP
  • SMTP, POP3
  • HTTP
  • Gopher
  • WAIS
  • X Window System
  • Printer
  • rsh
  • finger
  • NNTP, etc.

Using application-level proxies solves an important problem: hiding the structure of the local network from outside users, including the information carried in mail headers and in the domain name service (DNS). Another advantage is the possibility of authentication at the user level.

Access rules are described in terms of parameters such as:

  • the name of the service;
  • the name of the user;
  • the permitted time range for using the service;
  • the computers from which the service may be used;
  • the authentication schemes.

Application-level proxies provide the highest level of protection: interaction with the outside world goes through a small number of application programs that fully control all incoming and outgoing traffic.

Circuit-level gateways

A circuit-level gateway is a TCP connection relay. The user connects to a particular port on the firewall, after which the firewall opens a connection to the destination on its other side. During the session the relay copies bytes in both directions, acting as a wire.

Usually the destination is fixed in advance, while there may be many sources (a one-to-many connection). Different configurations can be built by using different ports.

This type of server allows a relay to be created for any user-defined TCP-based service, with access control over that service and collection of statistics on its use.
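The relay just described, as an added Python example (not the page's code): it admits only permitted sources, connects to a fixed destination, copies bytes both ways without understanding the application protocol, and counts bytes per direction for the statistics the text mentions. The allowed network is a constructed value, and `socket.socketpair()` stands in for the two real TCP connections so that the demo runs without a network.

```python
"""Circuit-level gateway: a byte-copying TCP relay (added example).

The permitted source network is constructed; socketpairs replace real
TCP connections so the demo runs offline.
"""
import ipaddress
import selectors
import socket
import threading

ALLOWED_SOURCES = ipaddress.ip_network("192.168.1.0/24")  # assumption for the demo


def source_allowed(src_ip: str) -> bool:
    return ipaddress.ip_address(src_ip) in ALLOWED_SOURCES


def relay(client: socket.socket, server: socket.socket, stats: dict) -> None:
    """Shuttle bytes between the two sockets until both sides have closed."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, (server, "to_server"))
    sel.register(server, selectors.EVENT_READ, (client, "to_client"))
    open_sides = 2
    while open_sides:
        for key, _ in sel.select():
            peer, counter = key.data
            data = key.fileobj.recv(4096)
            if not data:                          # this side closed
                sel.unregister(key.fileobj)
                open_sides -= 1
                try:
                    peer.shutdown(socket.SHUT_WR)  # pass the EOF along the wire
                except OSError:
                    pass
                continue
            stats[counter] += len(data)
            peer.sendall(data)
    sel.close()


def open_circuit(src_ip: str, client: socket.socket, connect) -> dict:
    """Access check, then connect to the fixed destination and relay.
    `connect` returns a socket to the destination (socket.create_connection
    in real use; injected here so the demo needs no network)."""
    stats = {"to_server": 0, "to_client": 0, "denied": False}
    if not source_allowed(src_ip):
        stats["denied"] = True
        client.close()            # refused before any outbound connection exists
        return stats
    server = connect()
    try:
        relay(client, server, stats)
    finally:
        client.close()
        server.close()
    return stats


def demo() -> dict:
    """Constructed run: an upper-casing echo 'server', one permitted client
    and one client from outside the allowed network."""
    srv_relay_end, srv_app_end = socket.socketpair()
    cli_relay_end, cli_app_end = socket.socketpair()
    results = {}

    def echo_server(sock):
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            sock.sendall(chunk.upper())
        sock.close()

    def client(sock):
        sock.sendall(b"hello")
        results["reply"] = sock.recv(4096)
        sock.close()

    threads = [threading.Thread(target=echo_server, args=(srv_app_end,)),
               threading.Thread(target=client, args=(cli_app_end,))]
    for t in threads:
        t.start()
    results["allowed"] = open_circuit("192.168.1.10", cli_relay_end, lambda: srv_relay_end)
    for t in threads:
        t.join()

    den_relay_end, den_app_end = socket.socketpair()
    results["denied"] = open_circuit("198.51.100.7", den_relay_end, lambda: None)
    den_app_end.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Because the relay never parses what it carries, it can front any TCP service, which is its strength; the flip side is that it cannot apply the per-command checks an application-level proxy can.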

Comparative characteristics

The main advantages and disadvantages of packet filters and application-level proxies relative to each other are listed below.

Advantages of packet filters:

  • relatively low cost;
  • flexibility in defining filtering rules;
  • small delay when packets pass through.

Disadvantages:

  • the local network is visible from the Internet;
  • packet filtering rules are hard to describe and require a very good knowledge of TCP and UDP;
  • if the firewall fails, all computers behind it become either completely unprotected or unreachable;
  • authentication by IP address can be defeated by IP spoofing (the attacking system impersonates another by using its IP address);
  • there is no authentication at the user level.

Advantages of application-level proxies:

  • the local network is invisible from the Internet;
  • if the firewall fails, packets stop passing through it, so the machines it protects are not put at risk;
  • protection at the application level allows many additional checks, which reduces the probability of a break-in through holes in the software;
  • authentication at the user level; a system for immediate warning of break-in attempts can be implemented.

Disadvantages:

  • higher cost than packet filters;
  • the RPC and UDP protocols cannot be used;
  • lower performance than packet filters.

Virtual networks

A number of firewall products also allow virtual private networks (VPN) to be built, i.e. several local networks to be joined into one virtual network. A VPN gives users of the local networks a transparent connection while preserving the confidentiality and integrity of the transferred information by means of encryption. When data crosses the Internet, not only the user's data but also the network information (network addresses, port numbers, etc.) is encrypted.

Administration

Ease of administration is one of the key aspects of building an effective and reliable protection system. Mistakes in defining access rules can open a hole through which the system can be broken into. For this reason most firewalls provide utilities that make it easier to enter, delete and view the rule set. These utilities also allow the rules to be checked for syntactic or logical errors when they are entered or edited. As a rule they can display the information grouped by some criterion, for example everything that concerns a particular user or service.

Statistics collection and attack warning

Another important component of a firewall is the system for collecting statistics and warning of attacks. Information about all events (refused, incoming and outgoing connections, the number of bytes transferred, the services used, connection times, etc.) is collected in statistics files. Many firewalls allow the events to be recorded to be defined flexibly, and the firewall's actions on an attack or an unauthorized access attempt to be described: a message on the console, a mail message to the system administrator, etc. Immediate output of a message about a break-in attempt to the console or to the administrator can help if the attempt has succeeded and the attacker is already inside the system. Many firewalls include report generators for processing the statistics. They allow statistics to be collected on resource use by particular users, on the use of services, on refusals, and on the sources from which unauthorized access attempts were made.
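The report generator and the attack warning described above, as an added Python example (not code from the page or from any firewall product): it aggregates a log into bytes per user, connections per service and refusals per source, and raises a warning when one source is refused repeatedly within a short window, the event the text says should go to the console or to the administrator. The log line format and the sample lines are constructed for the demo; every real firewall has its own format.

```python
"""Statistics and attack-warning processing over firewall log lines (added example).

The log format and the sample lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"user=(?P<user>\S+) svc=(?P<svc>\S+) bytes=(?P<bytes>\d+)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log: an outside host sweeps three services within seconds,
# an inside user is refused once, and one line is corrupt.
SAMPLE_LOG = """\
1997-03-12 10:15:02 ACCEPT tcp 192.168.1.10:40000 -> 203.0.113.5:80 user=ivanov svc=http bytes=5120
1997-03-12 10:15:09 DENY tcp 198.51.100.7:51001 -> 192.168.1.10:22 user=- svc=ssh bytes=0
1997-03-12 10:15:11 DENY tcp 198.51.100.7:51002 -> 192.168.1.10:23 user=- svc=telnet bytes=0
1997-03-12 10:15:14 DENY tcp 198.51.100.7:51003 -> 192.168.1.25:25 user=- svc=smtp bytes=0
1997-03-12 10:16:40 ACCEPT tcp 192.168.1.11:40001 -> 203.0.113.9:21 user=petrov svc=ftp bytes=204800
1997-03-12 10:17:05 DENY tcp 192.168.1.11:40002 -> 203.0.113.9:23 user=petrov svc=telnet bytes=0
1997-03-12 11:02:30 DENY tcp 198.51.100.7:51010 -> 192.168.1.10:22 user=- svc=ssh bytes=0
this line is garbage and must be skipped
"""


def report(text: str) -> dict:
    """Aggregate the statistics the text lists: bytes per user, connections
    per service, refusals per source. Unparseable lines are counted rather
    than silently ignored, since a gap in logging is itself worth noticing."""
    bytes_per_user = Counter()
    conns_per_service = Counter()
    denials_per_source = Counter()
    unparsed = 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed += 1
            continue
        conns_per_service[m["svc"]] += 1
        if m["action"] == "DENY":
            denials_per_source[m["src"]] += 1
        else:
            bytes_per_user[m["user"]] += int(m["bytes"])
    return {
        "bytes_per_user": bytes_per_user,
        "connections_per_service": conns_per_service,
        "denials_per_source": denials_per_source,
        "unparsed_lines": unparsed,
    }


def alerts(text: str, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Warn when one source accumulates `threshold` refusals inside `window`
    (a port sweep); returns (source, timestamp) for each warning raised."""
    recent = defaultdict(list)
    fired = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["action"] != "DENY":
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        # keep only refusals from this source that fall inside the window
        q = [t for t in recent[m["src"]] if ts - t <= window] + [ts]
        recent[m["src"]] = q
        if len(q) == threshold:
            fired.append((m["src"], ts.strftime(TS_FORMAT)))
    return fired


if __name__ == "__main__":
    for section, value in report(SAMPLE_LOG).items():
        print(section, dict(value) if isinstance(value, Counter) else value)
    print("alerts:", alerts(SAMPLE_LOG))
```

The single refusal of the inside user never reaches the threshold, while the outside sweep does; the same source refused again an hour later starts a fresh window and raises nothing, so a threshold-and-window rule of this kind suppresses isolated refusals without missing a burst.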

Authentication

Authentication is one of the most important components of a firewall. Before a user is granted the right to use a particular service, it is necessary to be sure that the user really is who they claim to be (it is assumed that the service is permitted for this user; the process of determining which services are permitted is called authorization. Authorization is usually considered in the context of authentication: once the user has been authenticated, the services permitted to them are determined). On receiving a request to use a service on behalf of some user, the firewall checks which authentication method is defined for that user and hands control to an authentication server. After receiving a positive answer from the authentication server, the firewall establishes the connection the user requested.

As a rule the principle known as "something you know" is used: the user knows a secret word, which is sent to the authentication server in reply to its request.

One authentication scheme is the use of standard UNIX passwords. This scheme is the most vulnerable from a security standpoint: the password can be intercepted and used by another person.

One-time password schemes are used more often. Even if intercepted, such a password is useless at the next login, and deriving the next password from the previous one is an extremely hard problem. One-time passwords are generated by both software and hardware generators; the latter are devices inserted into a slot of the computer, and the user must know a secret word to activate the device. A number of firewalls support Kerberos, one of the most widespread authentication methods. Some schemes require changes to the client software, a step that is far from always acceptable. As a rule, commercial firewalls support several different schemes, letting the administrator choose the one best suited to the conditions.
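The two properties of one-time passwords stated above (an intercepted password is useless at the next login, and the next password cannot be derived from the previous one) follow directly from a hash-chain construction, which is what S/Key-style software generators use. The Python below is an added example, not the page's code and not any particular product's scheme; the secret word, the seed, the chain length and the use of SHA-256 are assumptions for the demo.

```python
"""One-time passwords from a hash chain (added example, S/Key-style).

The server stores only H^n(secret||seed). At login k the client presents
H^(n-k)(secret||seed); the server accepts if hashing it once yields the
stored value, then stores the presented value. Replaying an old password
fails, and an eavesdropper can only hash forward, never back.
"""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # assumption: any one-way hash would do


def chain_value(secret_word: str, seed: bytes, k: int) -> bytes:
    """Apply H k times (k >= 1) to secret_word || seed."""
    x = secret_word.encode() + seed
    for _ in range(k):
        x = _h(x)
    return x


class OtpServer:
    """Holds the current verifier; never sees the secret word itself."""

    def __init__(self, initial_verifier: bytes, logins_available: int):
        self.verifier = initial_verifier
        self.remaining = logins_available

    def login(self, presented: bytes) -> bool:
        if self.remaining == 0:
            return False                       # chain exhausted: re-initialise
        if hmac.compare_digest(_h(presented), self.verifier):
            self.verifier = presented          # step the chain back by one
            self.remaining -= 1
            return True
        return False


class OtpClient:
    """Software generator: recomputes the chain from the secret each time."""

    def __init__(self, secret_word: str, seed: bytes, n: int):
        self.secret, self.seed, self.index = secret_word, seed, n

    def next_password(self) -> bytes:
        self.index -= 1
        return chain_value(self.secret, self.seed, self.index)


def demo():
    """Constructed run: two logins, a replay, and a forward-guess attempt."""
    seed = b"fw-seed-0001"                     # assumption; public in S/Key
    n = 100
    client = OtpClient("correct horse", seed, n)
    server = OtpServer(chain_value("correct horse", seed, n), n - 1)
    p1 = client.next_password()                # H^99
    first = server.login(p1)                   # accepted
    replay = server.login(p1)                  # rejected: H(p1) != current verifier
    p2 = client.next_password()                # H^98
    second = server.login(p2)                  # accepted
    wrong = server.login(_h(p2))               # eavesdropper hashes forward: gets p1 again, rejected
    return first, replay, second, wrong


if __name__ == "__main__":
    print(demo())
```

The scheme needs no secret stored on the server, which is why a compromised authentication server does not hand the attacker future passwords; its weakness is that the chain is finite and must be re-initialised before it runs out, and that a client which falls out of step with the server's counter cannot log in.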