IBM developerWorks
Building a Firewall: What you need to know before setting up a firewall, Part 2
Contents:
Firewall advances
Firewall technologies
Hybrid firewalls
Firewall features
The best firewall for you
Resources
About the author
Related content:
What you need to know before setting up a firewall, Part 1

Amanda Andress (mandy@arcsec.com)
CEO and Founder, ArcSec Technologies, Inc.
01 Apr 2001

Mandy's first article on firewalls helped you get to know your needs and put your security policies in place. In this, her second article on firewalls, Mandy focuses on the technologies available on the market today and some key decisions that need to be made throughout the selection process. The three main firewall technologies are: packet filter, proxy, and stateful inspection. Mandy reviews the pros and cons of each technology, as well as their advances, hybrids, features, and customization.

In general, a firewall is a device or set of devices that restricts access between a trusted and untrusted network. Most often, firewalls protect a trusted corporate network from the untrusted Internet. You might also use firewalls to protect a sensitive corporate subnet from a more public subnet.

Firewalls should be the base component of your network security infrastructure; without one, nothing enforces a policy on the traffic that enters and leaves your network.

Firewall advances
Early firewalls were primarily software-based, difficult to configure, and costly to manage. They used command-line interfaces and each system required separate management.

Firewalls have evolved over the years. While functionality has remained the same, usability and product packaging have greatly improved. A few examples of advancement include:

  • Software-based firewalls have given way to "plug-and-play" hardware appliances.
  • Hybrid firewalls that include stateful inspection and application proxies are the norm.
  • It is now possible to manage firewalls remotely via Web browsers or centralized management applications.
  • Integrated products offer both firewall and virtual private networking (VPN) functionality.
  • Vendors also offer personal and server/host resident firewalls.
  • Firewall solutions are now available as managed services.

In addition, firewall performance has increased with network speed to provide wire-speed throughput. If you have a 100 Mbps Fast Ethernet network, your firewall should be able to keep pace with your network traffic. Some high-end firewall products even support Gigabit networks.

Firewall technologies
The three main firewall technologies are: packet filter, proxy, and stateful inspection. Each technology has pros and cons, and I will discuss these in the following sections. Modern firewalls often use a hybrid of these technologies.

Packet filtering
Packet filtering systems selectively route packets between trusted and untrusted networks. They allow or deny packets based on a site's security policy. With proper installation, a packet filter will be almost transparent to users.

Packet filters are application-independent and examine only the network- and transport-layer headers of each packet (addresses, protocol, ports, and flags), never the payload. This is why packet filters deliver high performance and scalability; it is also why they are the least secure type of firewall. Because they are not application-aware, they cannot understand the context of a given communication, which makes them easier for an attacker to fool, for example by sending packets from a source port the filter trusts.

Screening router
Historically, packet filters have been implemented on routers, filtering on header fields of a packet such as IP addresses. A few components of a TCP/IP packet that can be filtered include:

  • Source address
  • Destination address
  • Protocol (TCP, UDP, ICMP)
  • Source port
  • Destination port
  • TCP flags (for example, whether the ACK bit is set, which distinguishes a new connection request from traffic on an existing connection)

A router with packet-filtering capability is a screening router. Because a screening router functions at the network level, you can control your network traffic without making changes to your applications.

To understand how packet filtering works, consider the difference between an ordinary router and a screening router:

An ordinary router looks at the destination address of each packet and selects the best way it knows to send the packet to its destination. The decision on how to handle the packet is based solely on its destination, and there are two possibilities: the router either knows how to forward the packet and does so, or it does not, in which case it drops the packet and normally sends an ICMP "destination unreachable" message back to the source.

A screening router, on the other hand, examines packets more closely. In addition to determining whether or not it can route a packet toward its destination, a screening router also determines whether or not it should, a decision determined by your security policy and enforced by the screening router through Access Control Lists (ACLs).

It is possible for a screening router alone to sit between your internal network and the Internet, but this places an enormous responsibility on the screening router. In addition to performing all routing and routing decision-making, it is a single point of failure and the only protection for your network. What happens if the router gets overloaded or attacked? If overloaded, the router can either stop functioning (failing closed, which creates a denial of service) or start allowing all traffic to pass to your internal network (failing open, which provides absolutely no protection from attack). Know which of the two your router does before you rely on it.

A screening router is most often used in conjunction with a firewall to filter unwanted traffic before it hits the firewall, especially packets with spoofed IP addresses. Using a screening router often improves the performance of a firewall because it has less traffic to deal with.

Packet filter functionality
Packet filters have a few shortcomings that make them a poor choice as a sole perimeter security device. One is User Datagram Protocol (UDP): UDP has no connection setup and no ACK flag, so a stateless filter cannot tell a legitimate reply (a DNS answer, say) from an unsolicited inbound datagram aimed at the same port. Another is visibility: router ACLs offer at best rudimentary logging and no alerting, so when the router discards a packet, it cannot tell the administrator.

Furthermore, a packet filter cannot analyze specific services. It can permit or deny a service, but it cannot protect individual operations within a service. A few examples of ways you might configure a packet filter to selectively route packets to or from your site include:

  • Block all incoming connections from systems outside the corporate network except for incoming SMTP connections so you can receive e-mail.
  • Block all connections to or from specific systems or IP addresses you distrust.

To better understand how packet filters function, let's examine the use of FTP over a packet filter. Here are a couple of basics about the operation of FTP that you need to understand before we begin:

  • The initial FTP control connection from the client to the FTP server occurs over TCP port 21.
  • In the traditional (active) mode, the actual transfer of files occurs on a separate data connection: the client tells the server, with a PORT command on the control connection, which of its ports above 1023 to use, and the server then connects back from its port 20 to that port.

You have two choices for your packet filter configuration with FTP connections. You can leave inbound connections to the entire upper range of ports (greater than 1023) open so that the server's back-connection reaches the dynamically allocated port, which exposes every service on your internal hosts that listens on a high port to anyone who sends from source port 20. Or you can block the entire upper range to secure the internal network, which breaks FTP along with every other service that behaves this way. Basically, your network is either wide open or completely closed. This trade-off between application support and security is not acceptable. The other firewall technologies provide solutions to this problem.
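To make the trade-off concrete, here is a stateless packet filter modelled in Python. It is an added example, not code from the article or from any firewall product; the rule format, the packet fields, and the sample addresses (10.0.0.0/8 as the internal network, 198.51.100.x and 203.0.113.x as outside hosts) are assumptions constructed for illustration. It goes a little beyond the FTP case: the same rule set shows why a UDP reply (a DNS answer) is just as hard for a stateless filter to admit safely.

```python
"""A stateless packet filter in miniature: first-match rules over packet headers.

Added example, not code from the article. The rule format, addresses, ports and
the sample packets are constructed for illustration; 10.0.0.0/8 plays the
internal network and 198.51.100.0/24 and 203.0.113.0/24 play the Internet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IPv4 address
    sport: int          # source port (0 for icmp)
    dst: str            # destination IPv4 address
    dport: int          # destination port (0 for icmp)
    syn: bool = False   # TCP SYN without ACK: a new connection request


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR prefix the source must fall in
    dst: str = "0.0.0.0/0"          # CIDR prefix the destination must fall in
    sport: range = range(0, 65536)
    dport: range = range(0, 65536)
    new: Optional[bool] = None      # True: connection requests only; False: established only

    def matches(self, pkt: Packet) -> bool:
        """Header fields are all a stateless filter can see; the payload is never consulted."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if pkt.sport not in self.sport or pkt.dport not in self.dport:
            return False
        if self.new is not None and self.new != pkt.syn:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; with no match the packet is denied (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


INSIDE = "10.0.0.0/8"
MAIL_SERVER = "10.0.0.25"
HIGH_PORTS = range(1024, 65536)

# The policy from the text: distrusted host blocked, inbound SMTP allowed, anything
# outbound allowed, and TCP replies to inside hosts allowed via the ACK-bit trick.
BASE_RULES = [
    Rule("deny", src="203.0.113.9"),
    Rule("allow", proto="tcp", dst=MAIL_SERVER, dport=range(25, 26), new=True),
    Rule("allow", src=INSIDE),
    Rule("allow", proto="tcp", dst=INSIDE, new=False),
]

# Choice 1, "completely closed": active-mode FTP data connections (server port 20 to
# a client port above 1023) are new inbound connections and never match.
CLOSED_RULES = BASE_RULES

# Choice 2, "wide open": punch a hole from source port 20 to every high port inside.
OPEN_RULES = BASE_RULES + [
    Rule("allow", proto="tcp", dst=INSIDE, sport=range(20, 21), dport=HIGH_PORTS, new=True),
]

# Constructed sample traffic.
FTP_DATA = Packet("tcp", "198.51.100.7", 20, "10.0.0.42", 4321, syn=True)        # legitimate back-connection
SPOOFED_SPORT = Packet("tcp", "198.51.100.99", 20, "10.0.0.42", 8080, syn=True)  # attacker picks sport 20
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "10.0.0.42", 5353)                # no ACK bit to key on


def compare() -> dict:
    """Same packets, both policies: the trade-off the text describes, in one table."""
    return {name: (evaluate(CLOSED_RULES, pkt), evaluate(OPEN_RULES, pkt))
            for name, pkt in (("ftp_data", FTP_DATA), ("spoofed_sport", SPOOFED_SPORT),
                              ("dns_reply", DNS_REPLY))}


if __name__ == "__main__":
    for name, (closed, opened) in compare().items():
        print(f"{name:14s} closed={closed:5s} open={opened}")
```

Run it and compare the two policies. The "open" policy lets the FTP back-connection through, but it also admits a connection to port 8080 on an inside host from anyone who chooses source port 20, because the source port is the only thing the rule can check. The DNS reply is denied under both policies: UDP carries no ACK bit, so the only stateless way to admit the answer is a rule that admits everything from source port 53.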

Proxy
At the opposite end of the spectrum from packet filters lie proxy firewalls, which function at the application layer. A proxy takes requests for Internet services (such as FTP and Telnet) and forwards them to the actual services. The proxies provide replacement connections and act as gateways; consequently, proxies are sometimes known as application-level gateways.

Proxy services sit between a user on the internal network and a service on the Internet. Instead of talking to each other directly, each system talks to a proxy. Proxies handle all the communication between users and Internet services behind the scenes. Your internal network never directly connects to the Internet.

Proxies help improve perimeter security by examining traffic at the application layer, bringing the context of the protocol (which command, which file, which site) into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall, and one from the firewall to the server. In addition, each protocol requires its own proxy process, or daemon, making scalability and support for new applications a problem.

To see how a proxy server functions, let's return to our FTP discussion. Using FTP over a proxy server requires two components: a proxy server and a proxy client. The proxy server runs on the firewall system. An FTP proxy client is a special version of a normal client program that talks to the proxy server rather than to the "real" server out on the Internet. The proxy server evaluates requests from the proxy client and decides which to approve and which to deny based on its configuration that is reflective of your security policy. If a request is approved, the proxy server contacts the real server on behalf of the client and proceeds to relay requests from the proxy client to the real server, and responses from the real server to the proxy client.

Transparency to the user is the major benefit of proxy firewalls. To the user, a proxy server presents the illusion that the user is dealing directly with the real server. To the real server, the proxy server presents the illusion that the real server is dealing directly with a user on the proxy host (as opposed to the user's real host). Proxy firewalls therefore mask the address of the host that initiated the connection and deny intruders who are mapping your network the internal addresses and host details they are looking for. On the flip side, attackers use open proxies for exactly the same reason: to hide their own addresses when attacking a server.

The proxy server does not always just forward users' requests. The proxy server can control what users do because it recognizes network protocols and resides at the application layer. Depending on your site's security policy, requests might be allowed or refused. For example, the FTP proxy might refuse to let users export files, or it might allow users to import files only from certain sites. More sophisticated proxy servers might allow different capabilities to different hosts, rather than enforcing the same restrictions on all hosts.

Although the proxy server overcomes some of the limitations of packet filtering by bringing application-layer awareness to the decision process, it does so at a significant performance cost. Because proxy servers are user-space applications that create a new connection for every communication, processing is slow and does not scale well for large environments. Additionally, each service needs its own proxy: new protocols, services, and technologies cannot pass through a proxy firewall until someone has written the appropriate proxy component.

There is some excellent software available for developing proxy components. SOCKS is a generic (circuit-level) proxy protocol and library: linking an existing client against the SOCKS library converts it into a version that talks to the SOCKS server instead of to the destination host. The Trusted Information Systems Internet Firewall Toolkit (TIS FWTK; see Resources) includes proxy servers for a number of common Internet protocols, including Telnet, FTP, HTTP, rlogin, and X11. Many standard client and server programs, both commercial and freely available, now come equipped with their own proxy capabilities or with support for generic proxy systems like SOCKS.

Proxy servers are a good choice for high-security, low-traffic environments. High traffic environments, however, should consider the third technology: stateful inspection.

Stateful inspection
Stateful inspection is an extension of packet filtering and is often referred to as dynamic packet filtering. With stateful inspection, the firewall modifies its packet filtering rules "on the fly" in response to the traffic it sees. For example, an outgoing UDP packet causes the creation of a temporary rule that allows the corresponding answering UDP packet back in, and nothing else. Stateful inspection also extends packet filtering with hooks for authentication and for filtering on application-level data, which is far more precise than the header-only filtering possible with a traditional packet filter.

Stateful inspection provides application-layer awareness without breaking the client/server model. The packet is intercepted at the network layer; the firewall extracts the state-related information it needs for security decisions from the network, transport, and (where the protocol demands it) application layers, and keeps that information in dynamic state tables that it consults when evaluating subsequent packets and connection attempts. The result balances security with high performance, scalability, and extensibility.

Stateful inspection firewalls, when combined with NAT (see Firewall features), look like proxy systems from the outside because all requests appear to come from a single host (your corporate gateway), but look like packet filtering systems from the inside because internal hosts and users think they are talking directly to the external systems. They accomplish this through state tables that track currently active connections and through packet rewriting.

Consider an FTP connection. A stateful firewall tracks the FTP session by examining FTP application-layer data on the control connection. When the client asks the server, with a PORT command, to open the back-connection for the file transfer (to a client port greater than 1023), the firewall extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the data connection attempt arrives, the firewall checks the list and verifies that the attempt is a response to a valid request. The list is maintained dynamically, so only the required FTP port is opened, only for the expected peer, and as soon as the session is closed the port is locked again.

Stateful inspection is not a cure-all, however. Because it examines only the fields it needs for its state decisions and not the entire packet, malformed or malicious payloads can pass inspection and attack servers behind the firewall. A packet's payload can contain data or commands that cause an application, such as a Web server's CGI script, to crash or execute arbitrary code; the firewall has allowed the connection, so the server must defend itself.
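The FTP tracking just described, modelled in Python as an added example (not the article's code, nor any vendor's engine). The packet fields, addresses, and the FTP exchange are constructed for illustration; 10.0.0.0/8 plays the internal network. A production engine also follows the TCP state machine, checks sequence numbers, and expires idle entries; this model keeps only the mechanism the text describes, plus one check a practitioner would insist on: the PORT command must name the client that issued it, so the firewall never opens a hole to a third host.

```python
"""Stateful inspection in miniature: a connection table plus FTP-aware pending entries.

Added example, not code from the article. The packet model, addresses and the FTP
exchange are constructed for illustration; 10.0.0.0/8 plays the internal network.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP connection request
    fin: bool = False       # TCP teardown
    payload: bytes = b""    # application data, if any


Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" names the client address and the port
# (p1 * 256 + p2) the server should connect back to from its port 20.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


class StatefulFirewall:
    def __init__(self, inside: str, services: Set[Tuple[str, str, int]]):
        self.inside = ipaddress.ip_network(inside)
        self.services = services              # (proto, dst, dport) published to the outside
        self.flows: Set[Flow] = set()         # both directions of every active session
        self.pending_ftp: Set[Flow] = set()   # data connections a client has asked for

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def handle(self, pkt: Packet) -> str:
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if flow in self.flows:                       # part of a session we already know
            self._inspect_ftp(pkt)
            if pkt.fin:                              # session closing: lock the ports again
                self.flows.discard(flow)
                self.flows.discard(reverse)
            return "allow"

        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.flows.update((flow, reverse))       # outbound: create state so the reply gets in
            self._inspect_ftp(pkt)
            return "allow"

        if flow in self.pending_ftp:                 # the back-connection a client asked for
            self.pending_ftp.discard(flow)           # one connection per request
            self.flows.update((flow, reverse))
            return "allow"

        if pkt.syn and (pkt.proto, pkt.dst, pkt.dport) in self.services:
            self.flows.update((flow, reverse))       # published service, e.g. inbound SMTP
            return "allow"

        return "deny"                                # no state, no rule: unsolicited traffic

    def _inspect_ftp(self, pkt: Packet) -> None:
        """Read PORT commands off the FTP control channel: the application-layer state."""
        if pkt.proto != "tcp" or pkt.dport != 21 or not pkt.payload:
            return
        m = PORT_RE.match(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only open a hole back to the host that issued the command, and only on a high
        # port: a PORT naming some other host is an FTP bounce attempt, not a transfer.
        if addr != pkt.src or port <= 1023:
            return
        self.pending_ftp.add(("tcp", pkt.dst, 20, addr, port))


def ftp_session() -> list:
    """Walk the FTP exchange from the text through the firewall; returns the verdicts."""
    fw = StatefulFirewall("10.0.0.0/8", {("tcp", "10.0.0.25", 25)})
    client, server = "10.0.0.42", "198.51.100.7"
    steps = [
        Packet("tcp", server, 20, client, 4321, syn=True),                  # before any request: deny
        Packet("tcp", client, 40000, server, 21, syn=True),                 # control channel out
        Packet("tcp", server, 21, client, 40000),                           # server's reply
        Packet("tcp", client, 40000, server, 21,
               payload=b"PORT 10,0,0,42,16,225\r\n"),                       # 16*256+225 = 4321
        Packet("tcp", server, 20, client, 4321, syn=True),                  # expected back-connection
        Packet("tcp", server, 20, client, 4322, syn=True),                  # wrong port: deny
        Packet("tcp", "198.51.100.99", 20, client, 4321, syn=True),         # wrong peer: deny
        Packet("tcp", client, 4321, server, 20, fin=True),                  # transfer done
        Packet("tcp", server, 20, client, 4321, syn=True),                  # port locked again: deny
    ]
    return [fw.handle(p) for p in steps]


if __name__ == "__main__":
    print(ftp_session())
```

ftp_session() returns the verdicts for a nine-packet exchange: the unsolicited data connection is denied until the client's PORT command creates the pending entry, the matching SYN from the right server to the right port is admitted exactly once, a SYN to the neighbouring port or from another host is not, and once the data connection is torn down the same SYN is denied again. Note what the model does not do: the payload of an admitted connection is never examined beyond the PORT command, which is exactly the gap the text warns about.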

Additionally, although stateful inspection has reduced the need for application proxies, protocols that negotiate extra connections inside their application data, such as the RealAudio multimedia protocols, have required firewall manufacturers to revise their stateful inspection engines, just as FTP did.

Hybrid firewalls
Packet filtering, stateful inspection, and proxy servers each provide valuable functionality for a corporate firewall. To capitalize on these advantages (and minimize the disadvantages of each technology), vendors began developing hybrid firewalls, usually combining stateful inspection with application proxies for the protocols that need deeper inspection. Hybrid firewalls:

  • Screen all connection attempts
  • Extract and maintain extensive "state" information
  • Make intelligent security and traffic decisions
  • Deliver high performance and scalability
  • Remain transparent to users

Combining the best of all worlds is usually a good solution, but which firewall is best for you?

Firewall features
Many firewalls today also come equipped with special features, such as Network Address Translation (NAT) and high-availability/failover. Most vendors provide these additional features in their base product, but some require you to purchase an additional license or module.

NAT
NAT is the translation of an IP address used within one network to a different IP address known within another network. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps security in two ways: internal addresses and topology are never visible outside, and every incoming packet must match an existing translation (or an explicit static mapping) before it can be delivered anywhere, which gives the firewall the opportunity to qualify or authenticate the request or match it to a previous request (stateful inspection). NAT is not a filtering policy in itself, though; the firewall rules still decide what is allowed through a mapping once it exists.

NAT is described in general terms in RFC 1631, which discusses NAT's relationship to Classless Interdomain Routing (CIDR) as a way to reduce the IP address depletion problem. NAT reduces the need for a large amount of publicly-known IP addresses by creating a separation between publicly-known and privately-known IP addresses. CIDR aggregates publicly-known IP addresses into blocks so that fewer IP addresses are wasted.

Network administrators create a NAT table on the firewall that performs the global-to-local and local-to-global IP address mapping. NAT can be statically defined or it can be set up to dynamically translate to and from a pool of IP addresses. Most firewalls let you develop tables that map:

  • A local IP address to one global IP address statically
  • A local IP address to any of a rotating pool of global IP addresses that a company may have
  • A local IP address plus a particular TCP or UDP port to a global IP address or one in a pool of them (port address translation, which lets many local hosts share one global address)
  • A global IP address to any of a pool of local IP addresses on a round-robin basis
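A NAT table covering the four mapping types above, modelled in Python as an added example (not the article's code or any vendor's implementation). The addresses are constructed for illustration: 10.0.0.0/8 is the inside network and 203.0.113.0/24 the company's public block. The table models only the mapping; it answers where a packet goes, not whether it is allowed, which remains the filter rules' job.

```python
"""NAT translation table in miniature: static, dynamic-pool and port-overload mappings.

Added example, not code from the article. Addresses are constructed for illustration
(10.0.0.0/8 inside, 203.0.113.0/24 as the company's public block). The table answers
"where does this packet go", not "is it allowed": the filter rules still decide that.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


class NatTable:
    def __init__(self, static: Dict[str, str], pool: List[str], overload: str):
        self.static = dict(static)                          # local -> global, fixed one-to-one
        self.static_rev = {g: l for l, g in static.items()}
        self.free_pool = list(pool)                         # global addresses not yet leased
        self.dynamic: Dict[str, str] = {}                   # local -> leased global
        self.dynamic_rev: Dict[str, str] = {}
        self.overload = overload                            # one global address shared by port
        self.port_map: Dict[Endpoint, Endpoint] = {}        # (overload, gport) -> (local, lport)
        self.port_rev: Dict[Endpoint, Endpoint] = {}
        self.next_port = 1024
        self.published: Dict[Endpoint, List[str]] = {}      # (global, gport) -> local servers
        self.rr: Dict[Endpoint, int] = {}                   # round-robin cursor per endpoint

    def outbound(self, local: str, lport: int) -> Endpoint:
        """Translate the source of an outgoing packet, creating the state inbound() needs."""
        if local in self.static:
            return (self.static[local], lport)
        if local in self.dynamic:
            return (self.dynamic[local], lport)
        if self.free_pool:
            g = self.free_pool.pop(0)
            self.dynamic[local], self.dynamic_rev[g] = g, local
            return (g, lport)
        # Pool exhausted: many local hosts share the overload address, told apart by port
        # (port address translation). Reuse the mapping if this local endpoint has one.
        if (local, lport) in self.port_rev:
            return self.port_rev[(local, lport)]
        while ((self.overload, self.next_port) in self.port_map
               or (self.overload, self.next_port) in self.published):
            self.next_port += 1
        g = (self.overload, self.next_port)
        self.next_port += 1
        self.port_map[g], self.port_rev[(local, lport)] = (local, lport), g
        return g

    def publish(self, gaddr: str, gport: int, servers: List[str]) -> None:
        """Static inbound mapping of one global endpoint to one or more local servers."""
        self.published[(gaddr, gport)] = list(servers)
        self.rr[(gaddr, gport)] = 0

    def inbound(self, gaddr: str, gport: int) -> Optional[Endpoint]:
        """Reverse-translate an incoming packet; None means no mapping, so it is dropped."""
        key = (gaddr, gport)
        if key in self.port_map:
            return self.port_map[key]
        if key in self.published:                       # round-robin across the server pool
            servers, i = self.published[key], self.rr[key]
            self.rr[key] = (i + 1) % len(servers)
            return (servers[i], gport)
        if gaddr in self.static_rev:                    # one-to-one: every port passes through
            return (self.static_rev[gaddr], gport)
        if gaddr in self.dynamic_rev:
            return (self.dynamic_rev[gaddr], gport)
        return None


def demo() -> NatTable:
    """Build a table with all four mapping types; returns it so callers can query it."""
    nat = NatTable(static={"10.0.0.25": "203.0.113.5"},
                   pool=["203.0.113.10", "203.0.113.11"],
                   overload="203.0.113.2")
    nat.publish("203.0.113.2", 80, ["10.0.0.80", "10.0.0.81"])
    return nat


if __name__ == "__main__":
    nat = demo()
    for host in ("10.0.0.25", "10.0.0.42", "10.0.0.43", "10.0.0.44", "10.0.0.45"):
        print(host, "->", nat.outbound(host, 40000))
    print("203.0.113.2:80 ->", nat.inbound("203.0.113.2", 80), nat.inbound("203.0.113.2", 80))
    print("203.0.113.2:2000 ->", nat.inbound("203.0.113.2", 2000))
```

outbound() hands out a static, then a pooled, then a port-overloaded translation in the order the text lists them, and inbound() reverses whichever mapping exists, so a packet with no mapping (inbound("203.0.113.2", 2000)) has nowhere to go and is dropped. The one-to-one cases show the caveat: inbound("203.0.113.10", 22) translates happily to the inside host that leased that address, so a static or dynamic NAT mapping alone exposes every port of that host; only the firewall rules keep it from being reachable.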

High availability and failover
Most high-end firewalls provide high-availability (HA) capabilities. With the growing reliance on Internet services for revenue generation, you do not want a faulty firewall to cost you money. HA lets you run two firewalls side by side: if one system fails, the second takes over almost immediately. Some HA solutions synchronize connection state between the two, so existing sessions survive the failover and users never know what happened; with the others, every connection through the failed unit is dropped and must be re-established. Some HA solutions also provide clustering capabilities that increase your total throughput by using multiple firewalls.

NAT and HA are two common firewall features. Many vendors develop their own features to set their product apart on the market. RapidStream, for example, has developed a feature that allows policy enforcement at the firewall by analyzing VLAN tags.

Features add an extensive amount of functionality to a firewall. Find a firewall with the features that best fit your organization.

The best firewall for you
A stateful inspection firewall will provide enough security and perimeter protection for most companies. For large companies, e-commerce and hosting sites, a hybrid firewall adds the application-level checks that such environments may require. Packet filters are best used as screening routers in front of the firewall rather than as the firewall itself.

Resources

  • SecurityFocus.com is the premier Web site for security information. It's a site "dedicated to furthering discussion on the topic of computer security," offering numerous types of free information.

  • The System Administration, Networking, and Security (SANS) Institute is a cooperative research and education organization. This is a great security resource with system and security alerts and news updates.

  • Security Risk Associates is a good source for developing an effective security policy. They recommend approaching security policies step-by-step, often beginning with an assessment of your current position, followed by the identification of needed changes for compliance, and then planning and implementation.

  • The Trusted Information Systems Internet Firewall Toolkit (TIS FWTK) is a set of programs and configuration practices designed to facilitate the building of network firewalls.

About the author
Mandy Andress is CEO and Founder of ArcSec Technologies, a security consulting firm. Before starting ArcSec Technologies, Mandy worked for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. Mandy has written many security product and technology reviews for various publications. She has also spoken on security issues at several security conferences, including Networld+Interop. You can reach Mandy at mandy@arcsec.com.

