568 Chapter 15: Network Security Technologies
Stateful filters have the following benefits:
· Rich set of security features
· High performance because they work at Layer 4
· A command structure similar to that of the Cisco IOS on Cisco routers
· Higher security against low-level attacks because they identify connections from endpoint to endpoint
Disadvantages of stateful filters include the following:
· It's difficult to analyze the content of upper layers because the PIX operates at Layer 4.
· Limited auditing capabilities. Other application programs would be necessary to maintain auditing of user transactions through the PIX.
Demilitarized Zone (DMZ)
When you're designing security for customers, the term DMZ usually comes up when firewalls are discussed. The DMZ is also called the screened subnet, the dirty LAN, and the isolation LAN. The demilitarized zone is a buffer between the customer internetwork and the outside world, as shown in Figure 15-10. This is known as a three-layer firewall system: the inside network, the outside network or Internet, and the DMZ area. The DMZ is usually where the customer's WWW servers reside and is usually all that is visible to the outside world. The DMZ is not visible to the inside or clean networks either.
Figure 15-10 DMZ (figure: a client on the Internet or outside network; a perimeter router and the PIX firewall; the "dirty" DMZ segment holding the Mail, DNS, and WWW servers; the "clean" inside network)
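The following is an added example, not code from the book or from Cisco: a toy model of how a PIX-style stateful filter applies the three-zone design above. It assumes the PIX security-level convention (inside 100, DMZ 50, outside 0), where traffic from a higher to a lower level creates a Layer 4 connection entry, return traffic is matched against that entry, and lower-to-higher traffic is dropped unless the destination is an explicitly published DMZ service; the addresses are constructed.

```python
"""Toy PIX-style stateful filter with inside, DMZ and outside zones."""
from dataclasses import dataclass

# Assumed PIX security levels: higher may initiate to lower, not the reverse.
ZONES = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed DMZ servers published to the outside (WWW, Mail, DNS).
DMZ_PERMITS = {("172.16.1.80", 80), ("172.16.1.25", 25), ("172.16.1.53", 53)}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self):
        # Connection table keyed by the Layer 4 endpoints of the initiating flow.
        self.connections = set()

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic for a tracked connection is allowed without a new policy check.
        if rev in self.connections:
            return True
        if pkt.src_zone == pkt.dst_zone:
            return False  # same zone: never crosses the firewall
        # Higher-security zone initiating toward a lower one: allow and record state.
        if ZONES[pkt.src_zone] > ZONES[pkt.dst_zone]:
            self.connections.add(fwd)
            return True
        # Lower toward higher: only explicitly published DMZ services get through.
        if pkt.dst_zone == "dmz" and (pkt.dst, pkt.dport) in DMZ_PERMITS:
            self.connections.add(fwd)
            return True
        return False
```

Unsolicited outside packets to the inside network, and DMZ-initiated packets to the inside, are dropped even when they reuse a port number seen earlier, because the table is keyed on both endpoints.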
87200333.book Page 568 Wednesday, August 22, 2001 1:41 PM