Firewall

Chapter 10

Firewall
Contents
• Various Generations of Firewalls
• FAQ.

Objectives
After completion of this module you will be able to know:

• The different Generations of Firewalls

• Why firewall is needed?
• Answers for FAQ

130 Prepared by RGM TTC, Chennai

 Firewall

Firewall
In its most basic terms, a firewall is a system designed to control access between two
networks.

There are many different kinds of firewalls—packet filters, application gateways, or

proxy servers. These firewalls can be delivered in the form of software that runs on an
operating system, like Windows or Linux. Or, these firewalls could be dedicated
hardware devices that were designed solely as firewalls.

10.1 Understand the evolution of firewalls

Learn how firewalls have progressed from simple packet filtering to more sophisticated
application-level filtering.

Webopedia.com defines a firewall as “a system designed to prevent unauthorized access

to or from a private network.” Although technically accurate, this definition tells us only
what a firewall does and doesn’t address the more important question of how it does it.
For administrators who are continually focused on keeping their networks secure, it is
helpful to take a closer look at the way firewalls function and how they have evolved in
recent years to better protect our corporate networks.

10.1.1 First-generation firewalls: Packet filtering

10.1.1.1 Static packet filters

One of the simplest and least expensive forms of firewall protection is known as static
packet filtering. With static packet filtering, each packet entering or leaving the network
is checked and either passed or rejected depending on a set of user-defined rules. Dealing
with each individual packet, the firewall applies its rule set to determine which packet to
allow or disallow. You can compare this type of security to the Gate-keeper at a club who
allows people over 21 to enter and turns back those who do not meet the age rule
requirements. The static packet filtering firewall examines each packet based on the
following criteria:

131 Prepared by RGM TTC, Chennai

 Firewall

• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port

For example, to allow e-mail to and from an SMTP server, a rule would be inserted into
the firewall that allowed all network traffic with a TCP source and destination port of 25
(SMTP) and the IP address of the mail server as either the source or destination IP
address. If this were the only filter applied, all non-SMTP network traffic originating
outside of the firewall with a destination IP address of the mail server would be blocked
by the firewall.

Many people have asked the question, “Is a router with an access list a firewall?” The
answer is yes, a packet filter firewall can essentially be a router with packet filtering
capabilities. (Almost all routers can do this.) Packet filters are an attractive option where
your budget is limited and where security requirements are deemed rather low.

But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing,
where an intruder tries to gain unauthorized access to computers by sending messages to
a computer with an IP address indicating that the message is coming from a trusted host.
Information security experts believe that packet filtering firewalls offer the least security
because they allow a direct connection between endpoints through the firewall. This
leaves the potential for a vulnerability to be exploited. Another shortcoming is that this
form of firewall rarely provides sufficient logging or reporting capabilities.

10.1.1.2 Stateful packet inspection

Within the same generation of static packet filtering firewalls are firewalls known as
stateful packet inspection firewalls. This approach examines the contents of packets
rather than just filtering them; that is, it considers their contents as well as their addresses.
You can compare this to the security screener at an airport. A ticket validates that you

132 Prepared by RGM TTC, Chennai

 Firewall

must be traveling from your source to your destination; however, your carry-on contents
must be checked to get to your final destination.

These firewalls are called stateful because they can permit outgoing sessions while
denying incoming sessions. They take into account the state of the connections they
handle so that, for example, a legitimate incoming packet can be matched with the
outbound request for that packet and allowed in. Conversely, an incoming packet
masquerading as a response to a nonexistent outbound request can be blocked. By using
something known as session or intelligent filtering, most stateful inspection firewalls can
effectively track information about the beginning and end of network sessions to
dynamically control filtering decisions. The filter uses smart rules, thus enhancing the
filtering process and controlling the network session rather than controlling the individual
packets.

Basic routers typically do not perform stateful packet inspections unless they have a
special module. A dedicated firewall device or server (with software) is usually required
when the level of security demands stateful inspection of data in and out of a network.
Although stateful packet inspection offers improved security and better logging of
activities over static packet filters, it has its drawbacks as well. Setting up stateful packet
examination rules is more complicated and, like static packet filtering, the approach
allows a direct connection between endpoints through the firewall.

10.1.2 Second-generation firewalls: Proxy services

The next generation of firewalls attempted to increase the level of security between
trusted and untrusted networks. Known as application proxy or gateway firewalls, this
approach to protection is significantly different from packet filters and stateful packet
inspection. An application gateway firewall uses software to intercept connections for
each Internet protocol and to perform security inspection. It involves what is commonly
known as proxy services. The proxy acts as an interface between the user on the internal
trusted network and the Internet. Each computer communicates with the other by passing
all network traffic through the proxy program. The proxy program evaluates data sent

133 Prepared by RGM TTC, Chennai

 Firewall

from the client and decides which to pass on and which to drop. Communications
between the client and server occur as though the proxy weren't there, with the proxy
acting like the client when talking with the server, and like the server when talking with
the client. This is analogous to a language translator who is the one actually directing and
sending the communication on behalf of the individuals.

Many information security experts believe proxy firewalls offer the highest degree of
security because the firewall does not let endpoints communicate directly with one
another. Thus, vulnerability in a protocol that could slip by a packet filter or stateful
packet inspection firewall could be caught by the proxy program. In addition, the proxy
firewall can offer the best logging and reporting of activities.

Of course, this security solution is far from perfect. For one thing, to utilize the proxy
firewall, a protocol must have a proxy associated with it. Failure to have a proxy may
prevent a protocol from being handled correctly by the firewall and potentially dropped.
Also, there is usually a performance penalty for using such a firewall due to the
additional processing for application-level protocols.

10.1.3 Firewalls evolved: The third generation

The newest generation of firewalls may be defined as state-of-the-art perimeter security

integrated within major network components. These systems alert administrators in real
time about suspicious activity that may be occurring on their systems. Although it's a lot
to swallow, this new generation of firewall has evolved to meet the major requirements
demanded by corporate networks of increased security while minimizing the impact on
network performance. The requirements of the third generation of firewalls will be even
more demanding due to the growing support for VPNs, wireless communication, and
enhanced virus protection. The most difficult element of this evolution is maintaining the
firewall's simplicity (and hence its maintainability and security) without compromising
flexibility.

134 Prepared by RGM TTC, Chennai

 Firewall

The most recent category of firewalls attempting to meet this demand performs what has
been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the
redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach
screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to
known bit patterns of friendly packets before deciding whether to pass the traffic.
Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first
glimpse of this new definition of a firewall. Among the products that use this new
technology are Check Point’s FireWall-1, Elron Software’s Internet Manager, and
SonicWall’s line of access security products.

10.2 Frequently Asked Questions

Why would you want a firewall?

Firewalls will protect your network from unwanted traffic. Many times, the unwanted
traffic is harmful traffic from hackers trying to exploit your network. You want a firewall
to protect your network, just as you want locks on your door and windows at your home.

Is a proxy server a firewall?

A proxy server is a form of a firewall. In legal terms, a proxy is someone who goes and
performs some action on your behalf. A proxy server performs network transactions on
your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take
requests from users’ Web browsers, get the Web pages from the Internet, and return them
to the user’s browser. Many times, a proxy server also performs authentication to see who
is requesting the Web pages and also logs the pages that are requested and the user they
are from.

135 Prepared by RGM TTC, Chennai

 Firewall

What is NAT?
NAT is Network Address Translation. NAT is usually used to translate from
real/global/public Internet addresses to inside/local/private addresses. These private
addresses are usually IP addresses: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

NAT provides some security for your network as you do not have a real Internet IP
address and your network, usually, cannot be accessed from the Internet without some
outbound connection first being created from your private/inside network.

However, you still need a firewall to protect your network as NAT only hides your
network but doesn’t really stop any packets from entering your network.

Do firewalls stop Viruses, Trojans, Adware, and Spyware?

No, in general, firewalls do not stop Viruses, Trojans, Adware, or Spyware. Firewalls,
usually, only protect your network from inbound traffic from an outside (Internet)
network. You still need antivirus software, anti-adware and anti-spyware software
applications to protect your system when it does go out on the Internet.

How do I know that my firewall is really protecting my network?

Just like any security system, a firewall should, periodically, be tested. To test a firewall,
you could have a professional security-consulting company do a security vulnerability
scan. However, this is usually something you can do yourself. To do this, you could use a
port-scanner or a more advanced tool like a vulnerability assessment tool (such as Retina,
Saint, or ISS).

What are the different types of firewalls?

The different types of firewalls are:
Packet filter – A packet filter looks at each packet entering the network and, based on its
policies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a
basic firewall that works in this way.

136 Prepared by RGM TTC, Chennai

 Firewall

Stateful packet filter – A stateful packet filter also has rules; however, it keeps track of
the TCP connection state so it is able to monitor the “conversations” as they happen on
the network. It knows the normal flow of the conversations and knows when the
conversations are over. Thus, it more intelligently is able to permit and deny packets
entering the network. Because of this, a stateful packet filter (stateful firewall) is much
more secure than a regular packet filter.
Application gateway – An application gateway is a system that works for certain
applications only. It knows the “language” that that application/protocol uses and it
monitors all communications. An example would be a SMTP gateway.
Proxy Server – A proxy server performs network transactions on your behalf. The most
common use for this is a Web-proxy server. A Web-proxy will take requests from users’
Web browsers, get the Web pages from the Internet, and return them to the user’s
browser.

What do VPNs have to do with firewalls?

Virtual Private Networks (VPN) are used to encrypt traffic from a private network and
send it over a public network. Typically, this is used to protect sensitive traffic as it goes
over the Internet. Many times, you will have a VPN encryption device combined with a
firewall as the private network traffic that is being encrypted also needs to be protected
from hackers on the public network.

If I have a firewall, do I have a DMZ?

No, you do not necessarily have a DMZ (De-Military Zone) if you have a firewall. A
DMZ is a network that is semi-protected (not on the public network but also not on the
fully-protected private network). Many hardware firewalls create a DMZ for public mail
servers and Web servers. Most small networks or homes do not have DMZ networks.
Most medium-to-large corporate networks would have a DMZ.

What are IDS and IPS? Also, what do they have to do with firewalls?
An Intrusion Detection System (IDS) monitors for harmful traffic and alerts you when it
enters your network. This is much like a burglar alarm.

137 Prepared by RGM TTC, Chennai

 Firewall

An Intrusion Prevention System (IPS) goes farther and prevents the harmful traffic from
entering your network.

IDS/IPS systems recognize more that just Layer 3 or Layer 4 traffic. They fully
understand how hackers use traffic to exploit networks and detect or prevent that harmful
traffic on your network.

Today, many IDS/IPS systems are integrated with firewalls and routers.

What is a DoS attack and will a firewall protect me from it?

A Denial of Service (DoS) attack is something that renders servers, routers, or networks
incapable of responding to network requests in a timely manner.

Firewalls can protect your network and its servers from being barraged by DoS traffic
and allow them to respond to legitimate requests, thus, allowing your company to
continue its business over the network.

How do you configure, monitor, and control a firewall?

As there are many different types of firewalls, there are also many different types of
firewall interfaces. You could have a command line interface (CLI), a Web-based
interface, or some other proprietary program that is used to configure the firewall.

For example, with Cisco PIX firewalls, you can configure them with the CLI interface
(called PixOs), or the PIX Device Manager (PDM), a Java-based interface that works
with a Web browser.

How do I know what firewall I should use?

The size of the firewall you choose is usually based on the volume of traffic your network
links receive or the bandwidth of your network links. You also must take into

138 Prepared by RGM TTC, Chennai

 Firewall

consideration other things for which you might be using the firewall, such as VPN, IDS,
and logging.

What are some new features to look for in firewalls?

Firewalls, today, are offering more and more features built into the firewall. Some of
them are: intrusion prevention, hardware-based acceleration, and greater recognition of
applications (moving up the OSI model towards layer 7).

How can I configure an inexpensive firewall?

There are a wide variety of firewalls available today. Perhaps the most basic firewall is
the personal PC firewall, such as that built into Windows XP. Next come more advanced
PC software firewalls, like ZoneAlarm Pro or BlackICE. There are midrange firewall
solutions like Microsoft ISA or hardware firewalls. Next on the scale are large Cisco PIX
or Checkpoint firewalls used for large businesses or Internet Service Providers.

139 Prepared by RGM TTC, Chennai