|Building a Firewall: What you need to know before setting up a firewall, Part 2|
In general, a firewall is a device or set of devices that restricts access between a trusted and untrusted network. Most often, firewalls protect a trusted corporate network from the untrusted Internet. You might also use firewalls to protect a sensitive corporate subnet from a more public subnet.
Firewalls should be the base component of your physical infrastructure; without them, you have nothing to provide an overall layer of security for your network.
Firewalls have evolved over the years. While functionality has remained the same, usability and product packaging have greatly improved. A few examples of advancement include:
In addition, firewall performance has kept pace with network speed to provide full wire-speed throughput. If you have a 100MB Fast Ethernet network, your firewall should be able to keep up with your network traffic. Some high-end firewall products even support Gigabit networks.
Packet filters are application-independent and examine each packet at the network layer. This means packet filters deliver high performance and scalability; however, they are the least secure type of firewall. Because they are not application-aware, they cannot understand the context of a given communication, making them more easily fooled by hackers.
A router with packet-filtering capability is a screening router. Because a screening router functions at the network level, you can control your network traffic without making changes to your applications.
To understand how packet filtering works, consider the difference between an ordinary router and a screening router:
An ordinary router looks at the destination address of each packet and selects the best way it knows to send the packet to its destination. The decision on how to handle the packet is based solely on its destination, and there are two possibilities: The router either knows how to send the packet and it does so, or it does not and returns the packet to its source.
A screening router, on the other hand, examines packets more closely. In addition to determining whether or not it can route a packet toward its destination, a screening router also determines whether or not it should, a decision determined by your security policy and enforced by the screening router through Access Control Lists (ACLs).
It is possible to place only a screening router between your internal network and the Internet, but this puts an enormous responsibility on that router. In addition to performing all routing and routing decision-making, it is a single point of failure and the only protection for your network. What happens if the router gets overloaded or attacked? If overloaded, the router can either stop functioning -- creating a denial of service -- or start allowing all traffic to pass to your internal network, providing absolutely no protection from attack.
A screening router is most often used in conjunction with a firewall to filter unwanted traffic before it hits the firewall, especially packets with spoofed IP addresses. Using a screening router often improves the performance of a firewall because it has less traffic to deal with.
Packet filter functionality
Furthermore, a packet filter cannot analyze specific services. It can permit or deny a service, but it cannot protect individual operations within a service. A few examples of ways you might configure a packet filter to selectively route packets to or from your site include:
To better understand how packet filters function, let's examine the use of FTP over a packet filter. Here are a couple of basics about the operation of FTP that you need to understand before we begin:
You have two choices for your packet filter configuration with FTP connections. You can either leave the entire upper range (greater than 1023) of ports open and allow the file transfer session to take place over the dynamically allocated port -- but expose your internal network -- or you can shut down the entire upper range of ports to secure the internal network and block all services. Basically, your network is either wide open or completely closed. This trade-off between application support and security is not acceptable. The other firewall technologies provide solutions to this problem.
Proxy services sit between a user on the internal network and a service on the Internet. Instead of talking to each other directly, each system talks to a proxy. Proxies handle all the communication between users and Internet services behind the scenes. Your internal network never directly connects to the Internet.
Proxies help improve perimeter security by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections -- one from the client to the firewall, and one from the firewall to the server. In addition, each proxy requires a different application process, or daemon, making scalability and support for new applications a problem.
To see how a proxy server functions, let's return to our FTP discussion. Using FTP over a proxy server requires two components: a proxy server and a proxy client. The proxy server runs on the firewall system. An FTP proxy client is a special version of a normal client program that talks to the proxy server rather than to the "real" server out on the Internet. The proxy server evaluates requests from the proxy client and decides which to approve and which to deny based on its configuration that is reflective of your security policy. If a request is approved, the proxy server contacts the real server on behalf of the client and proceeds to relay requests from the proxy client to the real server, and responses from the real server to the proxy client.
Transparency is the major benefit of proxy firewalls. To the user, a proxy server presents the illusion that the user is dealing directly with the real server. To the real server, the proxy server presents the illusion that the real server is dealing directly with a user on the proxy host (as opposed to the user's real host). Proxy firewalls effectively mask the origin address of the initiating connection and protect your network from intruders who are trying to gain as much information about your network as they can. So, the purpose of proxies is to hide your IP address and make you anonymous on the Internet. On the flip side, hackers often use proxies to hide their IP addresses when attacking a server.
The proxy server does not always just forward users' requests. The proxy server can control what users do because it recognizes network protocols and resides at the application layer. Depending on your site's security policy, requests might be allowed or refused. For example, the FTP proxy might refuse to let users export files, or it might allow users to import files only from certain sites. More sophisticated proxy servers might allow different capabilities to different hosts, rather than enforcing the same restrictions on all hosts.
Although the proxy server overcomes some of the limitations of packet filtering by bringing application-layer awareness to the decision process, it does so with an unacceptable performance penalty. Because proxy servers are software applications that create a new connection for every communication, processing is slow and does not scale well for large environments. Additionally, each service needs its own proxy. New protocols, services, and technologies cannot be used with a proxy server until the development of appropriate components.
There is some excellent software available for developing proxy components. SOCKS is a proxy construction toolkit designed to make it easy to convert existing client/server applications into proxy versions of those same applications. The Trusted Information Systems Internet Firewall Toolkit (TIS FWTK -- see Resources) includes proxy servers for a number of common Internet protocols, including Telnet, FTP, HTTP, rlogin, and X11. Many standard client and server programs, both commercial and freely available, now come equipped with their own proxy capabilities or with support for generic proxy systems like SOCKS.
Proxy servers are a good choice for high-security, low-traffic environments. High traffic environments, however, should consider the third technology: stateful inspection.
Stateful inspection provides full application-layer awareness without breaking the client/server model. With stateful inspection, the packet is intercepted at the network layer; the firewall extracts the state-related information required for security decisions from all application layers and keeps it in dynamic state tables for evaluating subsequent connection attempts. This provides a solution that is highly secure and offers maximum performance, scalability, and extensibility.
Stateful inspection firewalls look like proxy systems from the external side because all requests appear to come from a single host (your corporate gateway), but look like packet filtering systems from the inside because internal hosts and users think they are talking directly to the external systems. They accomplish this through state tables that maintain currently active connections and through packet rewriting.
Consider an FTP connection: a stateful firewall tracks the FTP session by examining FTP application-layer data. When the client requests that the server generate the back-connection to transfer files (to a port greater than 1023), the firewall extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the FTP data connection is attempted, the firewall examines the list and verifies that the attempt is in response to a valid request. The list of connections is maintained dynamically so that only the required FTP ports are opened. As soon as the session is closed, the ports are locked, ensuring maximum security. Because stateful inspection does not examine the entire packet, malformed packets can make it through the inspection and attack servers behind the firewall. A packet's payload can contain data or commands that cause applications, like a Web server's CGI script, to die or execute arbitrary code.
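To make the FTP handling concrete, here is an added Python simulation (not code from the article) of the stateful inspector described in this paragraph, which also shows why the packet filter in the earlier FTP discussion had to choose between opening every port above 1023 or none: the inspector reads the client's PORT command on the control channel, records the negotiated data port in a pending list, admits only the matching back-connection from the server, and locks the port again when the session closes. The hosts, ports and PORT command are constructed sample values.

```python
import re

# Active-mode FTP: on the control channel (port 21) the client sends
# "PORT h1,h2,h3,h4,p1,p2"; the server then connects back from port 20
# to h1.h2.h3.h4 on port p1*256+p2, which is always above 1023.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

class StatefulInspector:
    """Reads the PORT command and opens only the negotiated data port."""
    def __init__(self):
        self.pending = set()       # (client_ip, client_port, server_ip)
        self.established = set()

    def outbound(self, src, dst, dport, payload):
        """Inspect an internal-client -> Internet control-channel packet."""
        m = PORT_RE.match(payload) if dport == 21 else None
        if m:
            a, b, c, d, hi, lo = (int(x) for x in m.groups())
            port = hi * 256 + lo
            # The advertised address must be the packet's own source.
            if f"{a}.{b}.{c}.{d}" == src and port > 1023:
                self.pending.add((src, port, dst))

    def inbound_allowed(self, src, sport, dst, dport, syn=False):
        """Admit an Internet -> internal packet only if a session expects it;
        a stateless filter would have to admit every port above 1023 instead."""
        key = (dst, dport, src)
        if key in self.established:
            return True
        if syn and sport == 20 and key in self.pending:
            self.pending.discard(key)   # one data connection per PORT command
            self.established.add(key)
            return True
        return False

    def close(self, client_ip, client_port, server_ip):
        """Data session ended: lock the port again."""
        self.established.discard((client_ip, client_port, server_ip))

def ftp_demo():
    """Constructed exchange: internal client 10.0.0.5, server 203.0.113.7."""
    fw = StatefulInspector()
    fw.outbound("10.0.0.5", "203.0.113.7", 21, "PORT 10,0,0,5,4,8\r")  # 1032
    ok = ("203.0.113.7", 20, "10.0.0.5", 1032, True)
    stray = ("198.51.100.9", 20, "10.0.0.5", 1032, True)   # not negotiated
    r = {"expected": fw.inbound_allowed(*ok), "stray": fw.inbound_allowed(*stray)}
    fw.close("10.0.0.5", 1032, "203.0.113.7")
    r["after_close"] = fw.inbound_allowed(*ok)
    return r
```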
Additionally, although stateful inspection has reduced the need for application proxies, some multimedia applications, such as RealAudio, have required firewall manufacturers to revise their stateful inspection engines.
Combining the best of all worlds is usually a good solution, but which firewall is best for you?
NAT is described in general terms in RFC 1631, which discusses NAT's relationship to Classless Interdomain Routing (CIDR) as a way to reduce the IP address depletion problem. NAT reduces the need for a large number of publicly known IP addresses by creating a separation between publicly known and privately known IP addresses. CIDR aggregates publicly known IP addresses into blocks so that fewer IP addresses are wasted.
Network administrators create a NAT table on the firewall that performs the global-to-local and local-to-global IP address mapping. NAT can be statically defined or it can be set up to dynamically translate to and from a pool of IP addresses. Most firewalls let you develop tables that map:
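As an added illustration (not code from the article) of the NAT table just described, this Python class keeps both a static local-to-global mapping and a dynamic pool: an inside host with a static entry always translates to the same public address, other inside hosts lease an address from the pool on their first outbound packet and return it when they are done, and replies from the Internet are mapped back through the same table. The addresses are constructed sample values.

```python
class NatTable:
    """Local<->global address mapping as kept on a NAT firewall.

    Static entries are fixed pairs (say, a published server). Dynamic entries
    are leased from a pool of public addresses when an inside host first sends
    outbound traffic and are released when its session ends."""
    def __init__(self, static, pool):
        self.local_to_global = dict(static)
        self.global_to_local = {g: l for l, g in static.items()}
        self.free_pool = list(pool)      # public addresses not currently leased
        self.dynamic = set()             # inside hosts holding a lease

    def outbound(self, local_ip):
        """Translate the source address of a packet leaving the network;
        returns None when no static entry exists and the pool is exhausted."""
        g = self.local_to_global.get(local_ip)
        if g is None and self.free_pool:
            g = self.free_pool.pop(0)
            self.local_to_global[local_ip] = g
            self.global_to_local[g] = local_ip
            self.dynamic.add(local_ip)
        return g

    def inbound(self, global_ip):
        """Translate the destination of a packet arriving from the Internet;
        a public address with no mapping has no inside host, so None (drop)."""
        return self.global_to_local.get(global_ip)

    def release(self, local_ip):
        """Return a dynamic lease to the pool; static entries are permanent."""
        if local_ip in self.dynamic:
            g = self.local_to_global.pop(local_ip)
            del self.global_to_local[g]
            self.dynamic.discard(local_ip)
            self.free_pool.append(g)

def nat_demo():
    """Constructed addresses: one static web server, a two-address dynamic pool."""
    nat = NatTable(static={"10.0.0.80": "203.0.113.80"},
                   pool=["203.0.113.101", "203.0.113.102"])
    r = {"web": nat.outbound("10.0.0.80"),    # static, never touches the pool
         "pc1": nat.outbound("10.0.0.11"),
         "pc2": nat.outbound("10.0.0.12"),
         "pc3": nat.outbound("10.0.0.13")}    # None: pool exhausted
    r["reply_to_pc1"] = nat.inbound(r["pc1"])  # replies find the inside host
    nat.release("10.0.0.11")                  # pc1 done; lease returns to pool
    r["pc3_retry"] = nat.outbound("10.0.0.13")
    r["old_pc1_lease"] = nat.inbound("203.0.113.101")   # now maps to pc3
    return r
```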
High availability and failover
NAT and HA are two common firewall features. Many vendors develop their own features to set their product apart on the market. RapidStream, for example, has developed a feature that allows policy enforcement at the firewall by analyzing VLAN tags.
Features add an extensive amount of functionality to a firewall. Find a firewall with the features that best fit your organization.
The best firewall for you