Firewalls can be implemented in software, in hardware, or as a combination of the two. Once deployed, they augment the existing security of an environment and/or prevent unwanted network traffic from passing through to the internal network. Because of these benefits, firewalls have become a standard component for most businesses that need to link their internal network to the Internet. Two of the more common types of firewall in use are packet-filtering firewalls and network address translation (NAT) firewalls.
A firewall is a router system placed between two subnets. In addition to routing, it filters all communication between them: only packets that match at least one filter rule are allowed to pass the firewall, and all other packets are discarded.
A filter rule usually consists of the protocol type, a direction, a source port and a destination port. Instead of a specific port, a port range can also be given.
The following are firewall filtering criteria:
User or group(s) of users
Network address translation is often used on firewall systems in combination with port, protocol and IP restrictions. The IP addresses in packets that are sent through the firewall are translated into other IP addresses. There are several reasons to translate IP addresses. One common reason is that the IP addresses on the internal side of the firewall are not valid IP addresses on the external side of the firewall and therefore cannot be used on the Internet. NAT firewalls can be configured to translate the addresses of systems on either side of the firewall. The figure below shows a NAT firewall configuration in which the IP address of the internal system has been translated. System ISP1 connects to the internal system CUST1 using the IP address 154.66.4.250. The firewall uses its NAT table to translate the global address 154.66.4.250 to the local address 10.0.0.1 and routes the traffic to the correct system.
NAT firewall support between OVPM and OVPA
In a service provider environment, duplicate IP ranges are common. The figure below shows two customer networks that have duplicate IP addresses on their internal networks. To allow the service provider to communicate with the customer systems, each customer must configure its NAT firewall to map its systems to unique IP addresses that the service provider can reach. For example, suppose both customers have a system with the Internal Local IP address 10.0.0.1. Customer 1 can translate the Internal Local IP address 10.0.0.1 to the Internal Global IP address 154.66.4.200, and Customer 2 can translate the Internal Local IP address 10.0.0.1 to the Internal Global IP address 154.66.4.250. The service provider then has a unique IP address for each of the customer systems.
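The following is an added example, not code from the OVPM/OVPA documentation or from the product itself. It simulates the two mechanisms described above in one small model: filter rules built from protocol type, direction, source port range and destination port range, and a NAT table that maps an Internal Global address to an Internal Local address. The two customer firewalls reuse the page's addresses (both customers have a local 10.0.0.1, mapped to 154.66.4.200 and 154.66.4.250 respectively); the service provider address 198.51.100.10, the agent port 383 and the rule set are assumptions chosen for illustration.

```python
"""Simulated packet filter with a NAT table (added example, not product code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp" or "udp"
    direction: str  # "inbound" (arriving from the Internet) or "outbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class FilterRule:
    """One filter rule: protocol type, direction, source and destination port
    ranges. A range (low, high) is inclusive; (383, 383) means a single port."""
    protocol: str
    direction: str
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]

    def matches(self, p: Packet) -> bool:
        return (p.protocol == self.protocol
                and p.direction == self.direction
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1])


class NatFirewall:
    """A router between two subnets that filters every packet and rewrites
    addresses according to its NAT table."""

    def __init__(self, name: str, rules: List[FilterRule],
                 nat_table: Dict[str, str]) -> None:
        self.name = name
        self.rules = rules
        # NAT table as on the page: Internal Global address -> Internal Local.
        self.global_to_local = dict(nat_table)
        self.local_to_global = {local: glob for glob, local in nat_table.items()}

    def process(self, p: Packet) -> Optional[Packet]:
        """Return the packet as forwarded, or None if the firewall discards it."""
        # Only packets that pass at least one filter rule get through.
        if not any(rule.matches(p) for rule in self.rules):
            return None
        if p.direction == "inbound":
            # Translate the global destination to the local system address.
            local = self.global_to_local.get(p.dst_ip)
            return None if local is None else replace(p, dst_ip=local)
        # Outbound: rewrite the local source so the reply is routable outside.
        glob = self.local_to_global.get(p.src_ip)
        return None if glob is None else replace(p, src_ip=glob)


# Assumed rule set: the provider may open TCP connections to an agent port
# (383 is assumed) from an ephemeral port, and the agent may answer back.
ALLOW_AGENT_IN = FilterRule("tcp", "inbound", (1024, 65535), (383, 383))
ALLOW_AGENT_REPLY = FilterRule("tcp", "outbound", (383, 383), (1024, 65535))
RULES = [ALLOW_AGENT_IN, ALLOW_AGENT_REPLY]

# Both customers use local 10.0.0.1 but publish different global addresses.
CUSTOMER1 = NatFirewall("customer1", RULES, {"154.66.4.200": "10.0.0.1"})
CUSTOMER2 = NatFirewall("customer2", RULES, {"154.66.4.250": "10.0.0.1"})

PROVIDER_IP = "198.51.100.10"  # constructed service provider address


def provider_reaches(fw: NatFirewall, global_ip: str,
                     port: int = 383) -> Optional[str]:
    """Send one constructed provider packet through fw; return the local
    address it is delivered to, or None if it was discarded."""
    pkt = Packet("tcp", "inbound", PROVIDER_IP, 40000, global_ip, port)
    out = fw.process(pkt)
    return None if out is None else out.dst_ip


def reply_source(fw: NatFirewall) -> Optional[str]:
    """Source address the provider sees on the agent's reply after NAT."""
    pkt = Packet("tcp", "outbound", "10.0.0.1", 383, PROVIDER_IP, 40000)
    out = fw.process(pkt)
    return None if out is None else out.src_ip


if __name__ == "__main__":
    for fw, glob in ((CUSTOMER1, "154.66.4.200"), (CUSTOMER2, "154.66.4.250")):
        print(fw.name, glob, "->", provider_reaches(fw, glob),
              "reply from", reply_source(fw))
    print("port 22 on customer1:", provider_reaches(CUSTOMER1, "154.66.4.200", 22))
```

The duplicate-range problem is resolved purely by the global addresses: the provider addresses 154.66.4.200 and 154.66.4.250 and never sees that both map to 10.0.0.1. Note that a packet to a port with no matching rule is dropped before the NAT table is consulted, and a packet for a global address the customer has not mapped is dropped even when a rule allows the port.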