
Firewalls - Introduction

What is a firewall?
Firewalls are frequently thought of as a very complex
system that is some sort of magical, mystical... thing.
What is it really?
A machine that is more selective than a router in passing
data from one network to another.
Some are more complex, some are less complex, but the
fundamental point is that they implement a specific security
policy for the network traffic between two (or more) points of a
site.

Firewalls - Overview

What are the duties of a firewall?


Traditional
Firewalls used to be limited to exact and specific functions,
mainly acting as a barricade between external and internal
networks. The jobs included:

Relay mail.
Provide Domain Name Service (DNS) capabilities, possibly
running a split DNS environment.
Filter and otherwise control all traffic flow between the outside
and the inside. A site will design a security model (what types of
connections are allowed, etc.) and have the firewall implement
this as closely as possible.

Note that the firewall in this model is placed at the perimeter of
the network, and that internal inter-machine traffic is not
affected by the firewall.

Firewalls - Overview

What are the duties of a firewall?


Modern
As firewalls become more common and essential to networks,
they have taken on more services, in addition to the traditional
ones. These include:

Virus Protection: Many firewalls now provide automatic virus
screening for web traffic, e-mail attachments, and other types of
connections and data transfers across the firewall.
Mobile Code Protection: In addition to more basic blocks of
mobile code (Java, *Script, ActiveX, etc.), firewall systems are
beginning to offer containment for the execution of mobile code.
These include sandbox machines isolated from the rest of the
network and restricted environments to run the Java VM within.

Firewalls - Overview

What are the duties of a firewall?


Modern (continued)

Virtual Private Networks (VPN): As companies need to
interconnect remote offices more securely, and do not wish to
incur the cost of dedicated circuits, they turn to VPNs. A virtual
private network is an encrypted channel from network to
network (or from remote client to network) that automatically
encrypts *ALL* traffic between them. This removes the problem of
running encrypted client/server solutions, and allows people to
run any software necessary. Remote users with notebooks
dialing into national providers can cryptographically authenticate
themselves to the firewall, and connect to the corporate network
over an automatically encrypted channel.

Firewalls - Overview

What are the duties of a firewall?


Modern (continued)

Network Address Translation (NAT): The address space
limitations of IPv4 have forced the emergence of network
address translation, where machines internal to a company
use private addresses (10.x.x.x for example) which are
translated into a legal set of addresses at a firewall. This increases
security, as all connections must pass through the firewall and the
internal addresses are not known or routable by the general Internet.
(This is also useful for home networks or for small companies.)
Intrusion Detection Systems (IDS): Firewalls are starting to be
smarter about the connections that they see, and can now keep
track of strange activity to decide if the connection should be
terminated and administrators notified.
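The NAT behaviour described above, as an added illustration that is not part of the original slides: a port-based translation table that rewrites outbound connections from private 10.x.x.x hosts to the firewall's one legal address, and only translates inbound packets that match a mapping the inside created. The inside range and the public address 203.0.113.1 (a documentation address) are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the inside uses private 10.0.0.0/8 and the firewall's
# single legal (routable) address is 203.0.113.1 (a documentation address).
INTERNAL = ip_network("10.0.0.0/8")
PUBLIC_IP = "203.0.113.1"

class Nat:
    """Port-based NAT table keyed on the full connection 4-tuple."""
    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.out = {}    # (src, sport, dst, dport) -> public port
        self.back = {}   # (public port, remote host, remote port) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        """Inside -> Internet: the private source becomes PUBLIC_IP:port."""
        if ip_address(src) not in INTERNAL:
            return None            # not an inside host; nothing to translate
        key = (src, sport, dst, dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (PUBLIC_IP, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> firewall: only a packet matching an existing mapping is
        translated back to the inside host. Anything else, including a packet
        addressed straight to a 10.x.x.x host, has no inside destination."""
        if dst != PUBLIC_IP:
            return None
        entry = self.back.get((dport, src, sport))
        if entry is None:
            return None
        inside_src, inside_port = entry
        return (src, sport, inside_src, inside_port)
```

A reply to a mapped port is delivered to the host that opened the connection; an unsolicited packet, or one addressed to a private address, is dropped because nothing on the inside is reachable except through a mapping.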

Firewalls - Types

In general, there are two types of firewalls:


Application or Proxy Firewall
This firewall runs on top of a standard operating system
(although typically secured in some ways) and intercepts all
traffic. If the firewall is running a special proxy or application
to handle the traffic, that service will decide if the traffic should
be permitted. If the service permits the traffic, it is sent
through to the destination. In many cases, a user may first
authenticate to the proxy, and then have to authenticate to the
internal machine as well.
If no proxy is running for the service, if the proxy decides that
the connection should not be allowed, or if the user is unable to
authenticate to the proxy, then the connection is refused by the
firewall.

Firewalls - Types

Application or Proxy - Examples


Web Proxy: Many companies use web proxies for users
to connect to the internet. Many proxies also cache, to
reduce some of the load on the network connection.
The browser will make the connection to the proxy,
which will make the connection to the web site on
behalf of the user. If successful, the information is
returned to the user.

Firewalls - Types

Application or Proxy - Examples


Telnet Proxy: A telnet proxy may behave in different
manners, depending on which direction you come
from. If the connection is coming from the internal
machines, it may be passed silently to the remote host.
However, if the connection originates from outside of
the firewall, it may be stopped by the firewall, and the
user may need to perform additional authentication
before being able to connect to the internal machine.

Firewalls - Types

The other type is:


Packet Filtering or Network Level Firewalls
These firewalls are almost (or are) completely transparent to
the users. They will analyze the source and destination
addresses, as well as the source and destination ports for each
packet. If the packet, according to the rules defined, is allowed
to pass, it is passed silently. If not, it is simply dropped and
does not make it through.
Although typically built upon standard operating systems as
well, these types of firewalls are also useful to build into
dedicated network devices, such as routers or switches.

Firewalls - Types

Network Level - Examples


Router Blocks - The most basic example is router
blocks. Routers obviously do not allow proxies to be
run, and are limited to looking at the packet
information to decide if a packet should be allowed to
pass. These are quite trivial, but also very useful for
many applications. Routers are excellent at blocking
spoofed internal packets at the edge of a network, and
any types of traffic that should definitely always be
blocked.


Firewalls - Types

Network Level - Examples


Commercial Firewalls: To distinguish these in general
from router-level blocks, these firewalls are typically
much more advanced. They look at packet
information, but in many cases will look at the
packet contents as well. Many firewalls allow access
control to the point of controlling whether files can be read or
written via an FTP connection.


Firewalls - Types

And the third type.. (third type?)


Hybrids
Many firewalls do not explicitly fall within either category;
rather, they have proxies for some types of traffic, and allow
packet filtering for other types. Many people prefer this type
of system as it has the most flexibility to fit emerging protocols,
while still allowing the fine-grained control that a proxy
provides.


Firewalls - Pro/Con

Application Firewalls
Pros:
The proxies allow for a very fine level of control over any
connection, and content within the connection.
Typically (relatively) simple to set up and maintain.

Cons:
Any new protocol to be supported must have a proxy written
for it.
Running the proxy for each connection incurs additional
overhead, and can slow down network access.
Can have difficulty with UDP traffic and UDP-based protocols.


Firewalls - Pro/Con

Network Level Firewalls


Pros:
In many cases, the firewall is transparent to the end users.
The system can be very quick, since no additional programs
must be executed.
Network level firewalls can be embedded into networking
equipment to give more advanced (above router blocks)
filtering.

Cons:
The granularity of control is coarser.


Firewalls - Pro/Con

Hybrid
The pros and cons of a Hybrid firewall really depend
on what has been added or changed from each basic
type of system. Some attributes from each system help
to cancel out some of the Cons for the other type.


Firewalls - Basic Configuration

In general, firewalls are configured in one of two ways:

Deny everything that is not expressly permitted.
Traditional application firewalls fall into this category.
Services with proxies running would be handled, while
everything else is dropped.

Permit everything that is not expressly denied.
This would be the protection gained from basic router-type
blocks.

These types are obviously fundamentally different, with the
first being generally more secure.
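The packet-filtering model from the Types section and the two default policies above, as an added example that is not part of the original slides: a first-match rule engine over source/destination addresses and ports, with an anti-spoofing router block at the top of both rulesets, a "deny unless permitted" ruleset that only lets the mail relay in and web out, and a "permit unless denied" ruleset that only blocks inbound telnet. The 10.0.0.0/8 inside range, the host 10.0.0.25 and the "ext"/"int" interface tags are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed layout: inside is 10.0.0.0/8; each packet carries the interface it
# arrived on, "ext" (outside) or "int" (inside). Not real firewall syntax.
INTERNAL = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: str = "*"              # "*" matches any interface
    proto: str = "*"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface) and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))

def filter_packet(rules: list, p: Packet, default: str) -> str:
    """First matching rule wins; a packet matching no rule gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Anti-spoofing block: a packet arriving from outside with an inside source
# address can never be legitimate, so it is dropped before anything else.
ANTISPOOF = Rule("deny", iface="ext", src=str(INTERNAL))
# "Deny everything not expressly permitted": only the listed services get through.
DENY_ALL_RULES = [
    ANTISPOOF,
    Rule("permit", iface="ext", proto="tcp", dst="10.0.0.25/32", dport=25),  # mail relay
    Rule("permit", iface="int", proto="tcp", src=str(INTERNAL), dport=80),  # outbound web
]
# "Permit everything not expressly denied": the basic router-block posture.
PERMIT_ALL_RULES = [ANTISPOOF, Rule("deny", iface="ext", proto="tcp", dport=23)]
```

Under the deny-all ruleset an inbound connection to port 22 falls through to the default and is dropped; under the permit-all ruleset the same packet passes, which is the difference in posture the slide describes.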
