Enterasys Security Router User's Guide

Firewall Feature Set Overview
16-10 Configuring Security on the XSR
Figure 16-10 XSR Firewall Topology
There are many possible network configurations for a firewall. The figure above shows a scenario
with the firewall connected to the trusted network (internal) and servers that can be accessed
externally (via the DMZ).
The XSR firewall feature set inspects packets arriving on open ports and either passes them on
to the router or drops them, based on policies defined in the policy database, which is configured
using the XSR’s CLI.
In this example, the firewall acts as a shield for traffic entering and leaving the external and DMZ
networks. The internal interface neither has nor needs firewall inspection enabled, because it is a
trusted network.
While this flexibility is useful, it underscores that the shield is only as effective as the
intelligence of its policies. Functionally, the XSR’s policy database defines the configuration and
retains information about the sessions currently allowed through the firewall.
Types of Firewalls
Generally speaking, there are three types of firewalls: Access Control List (ACL) or Packet Filter,
Application Level Gateway (ALG) or Proxy, and Stateful Inspection. Each of these firewall types
operates at a different layer of the TCP/IP network model, using different criteria to restrict traffic.
ACL and Packet Filter Firewalls
ACL and packet filter firewalls statically apply security policy to a packet’s contents according to
pre-configured rules you specify, such as permitted or denied source and destination addresses
[Figure 16-10 labels: XSR Router with Policy DB; Internal network; DMZ with HTTP server and SMTP server, firewall inspection enabled; External / Internet with Client, firewall inspection enabled]
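As an added example (not from the guide, and not XSR CLI syntax), the following Python models the Figure 16-10 topology as a stateless ACL of the kind described above, then adds a session table of the sort the policy database retains so that replies to a permitted flow are admitted; all addresses and ports are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

Packet = namedtuple("Packet", "src dst proto sport dport")

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # source CIDR ("0.0.0.0/0" means any)
    dst: str                # destination CIDR
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

# Constructed addresses (not from the guide): the DMZ 192.0.2.0/24 holds the HTTP
# server 192.0.2.10 and the SMTP server 192.0.2.25; clients may come from anywhere.
INBOUND_TO_DMZ = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    Rule("permit", "0.0.0.0/0", "192.0.2.25/32", "tcp", 25),
]
OUTBOUND_FROM_DMZ = []          # nothing is explicitly permitted to leave the DMZ

def acl_decision(rules, pkt):
    """Stateless packet filter: first matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: a session table admits replies to permitted flows."""
    def __init__(self):
        self.sessions = set()

    def decide(self, rules, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "permit"          # reply belonging to an allowed session
        action = acl_decision(rules, pkt)
        if action == "permit":       # remember the flow so its replies pass
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action
```

With only the stateless ACL, the SMTP server's reply is dropped unless an outbound permit is written by hand; the session table removes that need, which is why the policy database tracks allowed sessions.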