Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Chapter 10
Firewall
Contents
• Various Generations of Firewalls
• FAQ.
Objectives
After completion of this module you will be able to know:
Firewall
In its most basic terms, a firewall is a system designed to control access between two
networks.
Learn how firewalls have progressed from simple packet filtering to more sophisticated
application-level filtering.
• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port
For example, to allow e-mail to and from an SMTP server, a rule would be inserted into
the firewall that allowed all network traffic with a TCP source and destination port of 25
(SMTP) and the IP address of the mail server as either the source or destination IP
address. If this were the only filter applied, all non-SMTP network traffic originating
outside of the firewall with a destination IP address of the mail server would be blocked
by the firewall.
Many people have asked the question, “Is a router with an access list a firewall?” The
answer is yes, a packet filter firewall can essentially be a router with packet filtering
capabilities. (Almost all routers can do this.) Packet filters are an attractive option where
your budget is limited and where security requirements are deemed rather low.
But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing,
where an intruder tries to gain unauthorized access to computers by sending messages to
a computer with an IP address indicating that the message is coming from a trusted host.
Information security experts believe that packet filtering firewalls offer the least security
because they allow a direct connection between endpoints through the firewall. This
leaves the potential for a vulnerability to be exploited. Another shortcoming is that this
form of firewall rarely provides sufficient logging or reporting capabilities.
Within the same generation of static packet filtering firewalls are firewalls known as
stateful packet inspection firewalls. This approach examines the contents of packets
rather than just filtering them; that is, it considers their contents as well as their addresses.
You can compare this to the security screener at an airport. A ticket validates that you
must be traveling from your source to your destination; however, your carry-on contents
must be checked to get to your final destination.
These firewalls are called stateful because they can permit outgoing sessions while
denying incoming sessions. They take into account the state of the connections they
handle so that, for example, a legitimate incoming packet can be matched with the
outbound request for that packet and allowed in. Conversely, an incoming packet
masquerading as a response to a nonexistent outbound request can be blocked. By using
something known as session or intelligent filtering, most stateful inspection firewalls can
effectively track information about the beginning and end of network sessions to
dynamically control filtering decisions. The filter uses smart rules, thus enhancing the
filtering process and controlling the network session rather than controlling the individual
packets.
Basic routers typically do not perform stateful packet inspections unless they have a
special module. A dedicated firewall device or server (with software) is usually required
when the level of security demands stateful inspection of data in and out of a network.
Although stateful packet inspection offers improved security and better logging of
activities over static packet filters, it has its drawbacks as well. Setting up stateful packet
examination rules is more complicated and, like static packet filtering, the approach
allows a direct connection between endpoints through the firewall.
The next generation of firewalls attempted to increase the level of security between
trusted and untrusted networks. Known as application proxy or gateway firewalls, this
approach to protection is significantly different from packet filters and stateful packet
inspection. An application gateway firewall uses software to intercept connections for
each Internet protocol and to perform security inspection. It involves what is commonly
known as proxy services. The proxy acts as an interface between the user on the internal
trusted network and the Internet. Each computer communicates with the other by passing
all network traffic through the proxy program. The proxy program evaluates data sent
from the client and decides which to pass on and which to drop. Communications
between the client and server occur as though the proxy weren't there, with the proxy
acting like the client when talking with the server, and like the server when talking with
the client. This is analogous to a language translator who is the one actually directing and
sending the communication on behalf of the individuals.
Many information security experts believe proxy firewalls offer the highest degree of
security because the firewall does not let endpoints communicate directly with one
another. Thus, vulnerability in a protocol that could slip by a packet filter or stateful
packet inspection firewall could be caught by the proxy program. In addition, the proxy
firewall can offer the best logging and reporting of activities.
Of course, this security solution is far from perfect. For one thing, to utilize the proxy
firewall, a protocol must have a proxy associated with it. Failure to have a proxy may
prevent a protocol from being handled correctly by the firewall and potentially dropped.
Also, there is usually a performance penalty for using such a firewall due to the
additional processing for application-level protocols.
The most recent category of firewalls attempting to meet this demand performs what has
been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the
redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach
screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to
known bit patterns of friendly packets before deciding whether to pass the traffic.
Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first
glimpse of this new definition of a firewall. Among the products that use this new
technology are Check Point’s FireWall-1, Elron Software’s Internet Manager, and
SonicWall’s line of access security products.
What is NAT?
NAT is Network Address Translation. NAT is usually used to translate from
real/global/public Internet addresses to inside/local/private addresses. These private
addresses are usually IP addresses: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
NAT provides some security for your network as you do not have a real Internet IP
address and your network, usually, cannot be accessed from the Internet without some
outbound connection first being created from your private/inside network.
However, you still need a firewall to protect your network as NAT only hides your
network but doesn’t really stop any packets from entering your network.
Stateful packet filter – A stateful packet filter also has rules; however, it keeps track of
the TCP connection state so it is able to monitor the “conversations” as they happen on
the network. It knows the normal flow of the conversations and knows when the
conversations are over. Thus, it more intelligently is able to permit and deny packets
entering the network. Because of this, a stateful packet filter (stateful firewall) is much
more secure than a regular packet filter.
Application gateway – An application gateway is a system that works for certain
applications only. It knows the “language” that that application/protocol uses and it
monitors all communications. An example would be a SMTP gateway.
Proxy Server – A proxy server performs network transactions on your behalf. The most
common use for this is a Web-proxy server. A Web-proxy will take requests from users’
Web browsers, get the Web pages from the Internet, and return them to the user’s
browser.
What are IDS and IPS? Also, what do they have to do with firewalls?
An Intrusion Detection System (IDS) monitors for harmful traffic and alerts you when it
enters your network. This is much like a burglar alarm.
An Intrusion Prevention System (IPS) goes farther and prevents the harmful traffic from
entering your network.
IDS/IPS systems recognize more that just Layer 3 or Layer 4 traffic. They fully
understand how hackers use traffic to exploit networks and detect or prevent that harmful
traffic on your network.
Today, many IDS/IPS systems are integrated with firewalls and routers.
Firewalls can protect your network and its servers from being barraged by DoS traffic
and allow them to respond to legitimate requests, thus, allowing your company to
continue its business over the network.
For example, with Cisco PIX firewalls, you can configure them with the CLI interface
(called PixOs), or the PIX Device Manager (PDM), a Java-based interface that works
with a Web browser.
consideration other things for which you might be using the firewall, such as VPN, IDS,
and logging.