156 Chapter 10 Firewalls
NN47922-500

Packet Filtering firewalls

Packet filtering firewalls restrict access based on the source or destination computer network address of a packet and the type of application.

Application level firewalls

Application level firewalls restrict access by serving as proxies for external servers. Because they use programs written for specific Internet services, such as HTTP, FTP and Telnet, they can evaluate network packets for valid application specific data. Application level firewalls have a number of general advantages over the default mode of permitting application traffic directly to internal hosts:

1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, because the application gateway is the only host whose name must be made known to outside systems.

2 Robust authentication and logging preauthenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

Stateful Inspection firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they often lack the granular application level access control or caching that some proxies support. For more information, see “Stateful inspection” on page 163.

Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.
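The difference between packet filtering and stateful inspection described above can be seen in a small model. This is an added example, not code from this guide or the product it documents; the addresses, ports, policy and all function and class names are constructed assumptions.

```python
from dataclasses import dataclass
INTERNAL_PREFIX = "10.0.0."      # constructed internal network
ALLOWED_PORTS = {80, 443}        # constructed policy: outbound web only

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})

def internal(addr):
    return addr.startswith(INTERNAL_PREFIX)

def packet_filter(p):
    """Stateless filter: judges each packet on addresses and ports alone."""
    outbound = internal(p.src) and p.dport in ALLOWED_PORTS
    reply = internal(p.dst) and p.sport in ALLOWED_PORTS   # static reply rule
    return outbound or reply

class StatefulFirewall:
    """Same policy, but replies are matched against a session table."""
    def __init__(self):
        self.sessions = set()        # (client, cport, server, sport) tuples

    def inspect(self, p):
        if internal(p.src) and p.dport in ALLOWED_PORTS:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"}:
                self.sessions.add(key)           # session opened from inside
        else:
            key = (p.dst, p.dport, p.src, p.sport)   # reverse direction
        allowed = key in self.sessions
        if allowed and "RST" in p.flags:
            self.sessions.discard(key)           # session torn down
        return allowed

# Constructed sample traffic: request, its reply, and a packet in no session.
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, frozenset({"SYN"})),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.9", 80, "10.0.0.8", 22, frozenset({"ACK"})),
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]
```

Both models pass the request and its reply; only the stateless rule passes the third packet, because it matches on source port without checking that a session exists.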