Page 811 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

gateway firewalls are considered second-generation firewalls because they represent a modification of the application-level gateway firewall concept.

Stateful Inspection Firewalls Stateful inspection firewalls (also known as dynamic packet filtering firewalls) evaluate the state or the context of network traffic. By examining source and destination addresses, application usage, source of origin, and the relationship between the current packet and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. In practice this means the firewall keeps a connection (state) table: a reply is admitted only if it matches a session that was legitimately opened, and a packet with no matching table entry is dropped, a distinction a static packet filter judging each header on its own cannot make. Stateful inspection firewalls generally operate more efficiently than application-level gateway firewalls. They are known as third-generation firewalls, and they operate at the Network and Transport layers (layers 3 and 4) of the OSI model.


Deep Packet Inspection Firewalls Deep packet inspection (DPI) is a filtering mechanism that typically operates at the Application layer in order to filter on the payload contents of a communication rather than only on the header values. DPI is also known as complete packet inspection and information extraction (IX). DPI filtering is able to block domain names, malware, spam, or other identifiable elements in the payload of a communication. Because it depends on reading the payload, DPI sees nothing inside an encrypted session unless the firewall also terminates that encryption (for example, with a TLS/SSL proxy). DPI is often integrated with application layer firewalls and/or stateful inspection firewalls.
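The following is an added illustration, not code from the study guide or from any firewall product. It runs a constructed packet trace through three filtering stages described above: a static (header-only) packet filter, a stateful inspection table keyed on the session 5-tuple, and a DPI rule that reads the HTTP Host header out of the payload. All addresses, ports, the 10.0.0.0 "inside" prefix, and the malware.example blocklist entry are made up for the demo. The point it shows that the text alone does not: the static filter must admit anything arriving from TCP port 80 to let web replies in, so a forged "reply" gets through, whereas the stateful firewall drops it because no inside host opened that session; and DPI is applied only once a session is established and can tear that session down.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # simplified TCP flag label: SYN, SYN-ACK, ACK, FIN
    payload: bytes = b""   # application data carried by the segment, if any

Verdict = Tuple[str, str]           # ("ALLOW" or "DROP", reason)
FiveTuple = Tuple[str, int, str, int]

INSIDE_PREFIX = "10.0.0."             # constructed: the protected network
BLOCKED_HOSTS = {b"malware.example"}  # constructed: DPI domain blocklist

def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def stateless_filter(pkt: Packet) -> Verdict:
    """Static packet filter: judges each packet from its own header only.
    To let web replies back in it must admit anything from TCP port 80,
    so it also admits unsolicited packets that merely claim source port 80."""
    if inside(pkt.src):
        return ("ALLOW", "outbound")
    if pkt.sport == 80:
        return ("ALLOW", "source port 80, assumed to be a web reply")
    return ("DROP", "inbound and not from port 80")

class StatefulDpiFirewall:
    """Stateful inspection plus a DPI payload rule on established sessions."""

    def __init__(self) -> None:
        # Connection table: 5-tuple of an inside-initiated session -> state.
        self.sessions: Dict[FiveTuple, str] = {}

    @staticmethod
    def fwd(pkt: Packet) -> FiveTuple:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def rev(pkt: Packet) -> FiveTuple:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # same session, reply direction

    def dpi(self, pkt: Packet) -> Verdict:
        """Payload check: pull the HTTP Host header out of the segment body
        and compare it (case-insensitively) against the domain blocklist."""
        for line in pkt.payload.split(b"\r\n"):
            if line[:5].lower() == b"host:":
                host = line[5:].strip().lower()
                if host in BLOCKED_HOSTS:
                    return ("DROP", "dpi: blocked host " + host.decode())
        return ("ALLOW", "dpi: payload clean")

    def filter(self, pkt: Packet) -> Verdict:
        if inside(pkt.src) and pkt.flags == "SYN":
            self.sessions[self.fwd(pkt)] = "SYN_SENT"   # remember who opened it
            return ("ALLOW", "outbound session opened")
        key = self.fwd(pkt) if self.fwd(pkt) in self.sessions else self.rev(pkt)
        if key not in self.sessions:
            return ("DROP", "no matching session in the state table")
        state = self.sessions[key]
        if pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.sessions[key] = "ESTABLISHED"
            return ("ALLOW", "handshake reply for a known session")
        if state != "ESTABLISHED":
            return ("DROP", "packet does not fit the session's current state")
        verdict = self.dpi(pkt)
        if verdict[0] == "DROP" or pkt.flags == "FIN":
            del self.sessions[key]        # tear down on a DPI hit or on close
        return verdict if verdict[0] == "DROP" else ("ALLOW", "established session")

# Constructed trace: two web sessions from an inside client plus two hostile packets.
GET_OK = b"GET / HTTP/1.1\r\nHost: good.example\r\n\r\n"
GET_BAD = b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"
TRACE: List[Packet] = [
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "SYN"),           # client opens
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, "SYN-ACK"),       # server replies
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "ACK", GET_OK),   # request goes out
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, "ACK", b"junk"),  # forged "reply"
    Packet("10.0.0.5", 40002, "203.0.113.11", 80, "SYN"),
    Packet("203.0.113.11", 80, "10.0.0.5", 40002, "SYN-ACK"),
    Packet("10.0.0.5", 40002, "203.0.113.11", 80, "ACK", GET_BAD),  # DPI blocks this
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, "SYN"),            # unsolicited inbound
]

def run_trace(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (stateless verdict, stateful verdict, stateful reason) per packet."""
    fw = StatefulDpiFirewall()
    out = []
    for p in packets:
        v, why = fw.filter(p)
        out.append((stateless_filter(p)[0], v, why))
    return out

if __name__ == "__main__":
    for pkt, (s, v, why) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags:8}"
              f" stateless={s:5} stateful={v:5} ({why})")
```

Running the block prints one line per packet; the fourth packet (forged source port 80) and the seventh (blocked Host header) are where the two approaches diverge. The state table is a finite resource on a real firewall, which is why production devices age out idle entries and rate-limit half-open sessions; the toy above keeps entries until a FIN or DPI hit.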

Next-Gen Firewalls A next-gen firewall is a multifunction device (MFD) composed of several security features in addition to a firewall; integrated components can include an IDS, an intrusion prevention system (IPS), a TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN anchoring, and antivirus.


Multihomed Firewalls

Some firewall systems have more than one interface. A multihomed firewall must have at least two interfaces in order to filter traffic between them; a firewall with two interfaces is also known as a dual-homed firewall. All multihomed firewalls should have IP forwarding, which automatically sends traffic