Methods for Handling Traffic

Access control lists (ACLs) are a very basic method for permitting or denying traffic from one network to another. The rules are simple: Control which machines (using IP addresses) can talk to one another on what services (using network port numbers). The data being sent back and forth over each channel is not inspected—all that is scrutinized is whether it's using a network port that is explicitly permitted. Cisco, 3Com, Lucent, and Livingston all support ACLs.

A far more advanced feature is content inspection (CI). CI reviews the information in this two-way network communication, and if any of the content matches a rule, it performs an action. For example, one CI engine might look for Java applets sent across a particular network port. When it sees one, it blocks the Java applet (which supports a corporate policy of no Java). Another CI engine might notice when an Internet phone call is started; because the communication path has to be two-way, this CI would create a temporary opening on the firewall to allow an external machine to talk to an internal machine. Most firewall vendors (Checkpoint, Cisco, Sun) support CI, as do most router vendors (Lucent, Cisco).
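The difference between the two layers, as an added example that is not from the original text or any vendor's product: a first-match ACL that sees only addresses and the service port, followed by a CI rule that blocks a Java applet on a port the ACL already permitted. The rules and packets are constructed; the only real constant is the `0xCAFEBABE` header that every Java class file begins with.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str             # source IP address
    dst: str             # destination IP address
    port: int            # service port (e.g. 80 for HTTP)
    payload: bytes = b"" # application data; an ACL never looks at this

@dataclass
class AclRule:
    action: str          # "permit" or "deny"
    src_net: str         # source network in CIDR notation
    dst_net: str         # destination network in CIDR notation
    port: Optional[int]  # None means any port

def acl_decision(rules: List[AclRule], pkt: Packet, default: str = "deny") -> str:
    """First-match ACL: decides purely on IP addresses and port number."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)
                and (r.port is None or r.port == pkt.port)):
            return r.action
    return default  # implicit deny when nothing matches

# Magic number at the start of every compiled Java .class file (applets included)
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def content_inspect(pkt: Packet) -> str:
    """CI rule: drop Java class files carried over HTTP, enforcing a 'no Java' policy."""
    if pkt.port == 80 and pkt.payload.startswith(JAVA_CLASS_MAGIC):
        return "deny"
    return "permit"

def filter_packet(rules: List[AclRule], pkt: Packet) -> str:
    """ACL first (cheap, header-only), then CI on whatever the ACL let through."""
    if acl_decision(rules, pkt) == "deny":
        return "deny"
    return content_inspect(pkt)

# Constructed policy: internal 10/8 hosts may reach any web server; everything else is denied.
POLICY = [
    AclRule("permit", "10.0.0.0/8", "0.0.0.0/0", 80),
    AclRule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    html = Packet("10.1.2.3", "203.0.113.5", 80, b"<html>hello</html>")
    applet = Packet("10.1.2.3", "203.0.113.5", 80, JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")
    print(filter_packet(POLICY, html), filter_packet(POLICY, applet))  # permit deny
```

The ACL alone returns "permit" for both packets, since they share addresses and port; only the CI layer tells them apart.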