Firewall Concepts
In this section, we altercate the abstraction and analogue of firewalls and attending at the
different types of firewalls and some added architectural aspects such as network
interfaces, abode translation, and VPNs.
What Is a Firewall?
The appellation firewall comes from the bricks-and-mortar architectural world. In
buildings, a firewall is a bank congenital from heat- or fire-resistant actual such as
concrete that is advised to apathetic the advance of blaze through a structure. In the
same way, on a arrangement a firewall is advised to stop crooked cartage from
traveling from one arrangement to another.The best accustomed deployment of firewalls
occurs amid a trusted arrangement and an untrusted one, about the
Internet. Figure 1.3 depicts this agreement and shows the bound router that
terminates a consecutive affiliation from the Internet account provider (ISP). In the
past, it was absolutely rather accustomed for Internet-connected organizations to have
no firewalls, instead artlessly relying on the aegis of their host systems to protect
www.syngress.com
18 Chapter 1 • Introduction to Aegis and Firewalls
their data. As networks got larger, it became bulky and chancy to try to
adequately defended anniversary and every host, abnormally accustomed the ever-increasing
hacker threat.
More and added sites, however, are additionally deploying firewalls into their internal
networks, to abstracted zones of criticality. One archetype is putting a firewall
between the bulk administering subnet and the blow of the organization’s network.
In this case, the aggregation aegis activity could accept defined that the payroll
data and systems are sensitive, that few (if any) advisers alfresco the
department charge to admit admission into it, and that bulk advisers need
outbound admission to added bounded arrangement assets as able-bodied as the Internet.
Firewall systems accept absolutely acquired over the years. Originally, firewalls
were hand-built systems with two arrangement interfaces that forwarded traffic
between them. However, this was an breadth for experts only, acute significant
programming abilities and arrangement administering talent. Recognizing a charge in this
area, the aboriginal somewhat bartering firewall was accounting by Marcus Ranum
(working for TIS at the time) in the aboriginal 1990s. It was alleged the Firewall
Toolkit, or fwtk for short. It was an appliance proxy architecture (definitions of firewall
types are in the afterward section) that intermediated arrangement connections
from users to servers.The ambition was to abridge development and deployment of
firewalls and abbreviate the bulk of custom firewall architecture that would otherwise
be necessary.The now accustomed Gauntlet firewall artefact acquired from the
original fwtk, and TIS was acquired by Arrangement Associates, Inc. Added vendors
got into the firewall market, including Check Point, Defended Computing,
Symantec, and of course, Cisco.
www.syngress.com
Figure 1.3 Typical Firewall Placement
Internal LAN
Internet
Border router
Firewall
Introduction to Aegis and Firewalls • Chapter 1 19
RBC Capital Markets estimated in a 2002 abstraction that in 2000 the firewall
market globally represented US$736 million, with an anniversary advance amount of 16
percent over the afterward bristles years.This shows that not anybody has deployed
a firewall yet, that added companies are deploying them internally, and that there
is advancing backup activity.
Next, let’s attending at the types of firewalls and analyze their functionalities.
Types of Firewalls
Although the aboriginal fwtk acclimated a proxy-type design, added types of firewalls use
a abundant altered approach. Afore we attending at these, anamnesis the Open Systems
Interconnect (OSI) archetypal (see Figure 1.4).
Using this archetypal as a reference, we can analyze how the types of firewalls
operate and accomplish abreast decisions about which blazon of firewall is appropriate
for a accurate need.
www.syngress.com
Deploying a Firewall
For absolutely some time, it was accustomed for companies to anticipate that once
they deployed a firewall, they were secure. However, firewalls are just
one basal in an activity aegis strategy. They are generally
good at what they do (filtering traffic), but they cannot do everything.
The attributes of ambit aegis has additionally changed; abounding companies no
longer charge outbound-only traffic. Abounding enterprises now accord with
much added circuitous environments that accommodate business accomplice connections,
VPNs, and complicated e-commerce infrastructures. This complexity
has apprenticed huge increases in firewall functionality. Best firewalls
now abutment assorted arrangement interfaces and can ascendancy traffic
between them, abutment VPNs, and accredit defended use of complicated
application protocols such as H.323 for videoconferencing. The risk,
however, is that as added and added functionality is added to the firewall,
holes adeptness appear in these features, compromising candor and security.
Another accident is that these appearance will exact a achievement penalty,
reducing the firewall’s adeptness to focus on cartage filtering.
So the bulletin is this: Try to use your firewall to the minimum
extent accessible so it can focus on its amount function, and you can better
manage the aegis accident of the added functions by alive them to other
systems to handle the load.
Configuring & Implementing…
20 Chapter 1 • Introduction to Aegis and Firewalls
Packet Filters
In its best basal form, a packet clarify makes decisions about whether to advanced a
packet based alone on advice begin at the IP or TCP/UDP layers; in effect,
a packet clarify is a router with some intelligence. However, a packet clarify only
handles anniversary packet individually; it does not accumulate clue of TCP sessions.Thus, it
is ailing able to ascertain spoofed packets that appear in through the outside
interface, assuming to be allotment of an absolute affair by ambience the ACK banderole in
the TCP header. Packet filters are configured to acquiesce or block cartage according
to antecedent and destination IP addresses, antecedent and destination ports, and blazon of
protocol (TCP, UDP, ICMP, and so on). Figure 1.5 shows how analysis only
goes as far as the carriage layer—for example,TCP.
So why would you use a packet filter? The primary account is speed. Aback it
does not accept to do any analysis of appliance data, a packet clarify can operate
nearly as fast as a router that is assuming alone packet acquisition and forwarding.
As we will see, however, the packet clarify abstraction has been improved.
www.syngress.com
Figure 1.4 The OSI Model
Presentation
Session
Transport
Network
Data link
Physical
Application
TCP, UDP, etc.
IP, ICMP, etc.
Ethernet, Token Ring, etc.
Copper or optical media, or wireless
FTP, Telnet, HTTP, etc.
Figure 1.5 Packet Clarify Abstracts Flow
Presentation
Session
Transport
Network
Data link
Physical
Application
Inspection
done here
Introduction to Aegis and Firewalls • Chapter 1 21
Stateful Analysis Packet Filters
The abstraction of stateful analysis came about in an accomplishment to advance on the capability
and aegis of approved packet filters while still capitalizing on their inherent
speed. A packet clarify with stateful analysis is able to accumulate clue of arrangement sessions,
so aback it receives an ACK packet, it can actuate its angary by
matching the packet to the agnate admission in the affiliation table.An
entry is created in the affiliation table aback the firewall sees the aboriginal SYN
packet that begins the TCP session.This admission is again looked up for succeeding
packets in the session. Entries are automatically timed out afterwards some configurable
timeout period.
Statefulness can additionally be activated to UDP advice in a bogus fashion,
which commonly has no abstraction of state. In this case, the firewall creates an entry
in the affiliation table aback the aboriginal UDP packet is transmitted.A UDP packet
www.syngress.com
Spoofing
The appellation antecedent abode bluffing refers to an antagonist advisedly modifying
the antecedent IP abode of a packet in an accomplishment to ambush packet filters
or firewalls into cerebration that the packet came from a trusted network
so that it will canyon the packet through. It additionally serves the accessible benefit
of ambuscade the antecedent of the advance packets. The antagonist can additionally undermine
any admission controls that are based alone on the antecedent IP address.
If the antecedent IP acclimated is that of an absolute host, however, the absolute owner
of that abode will accept any replies to the attacker’s packets and will
reject them with a TCP reset, aback they do not bout an absolute session
in its tables. An antagonist will about use bluffing aback he or she just
wants to admit some activity after defective to see a reply, as in a
reflection DoS advance such as smurf, area a ping is beatific to a broadcast
address appliance the antecedent IP of the advised DoS target.
More complicated attacks appliance IP bluffing are possible, particularly
where the antagonist is aggravating to accomplishment UNIX assurance relationships.
This is how Kevin Mitnick attacked Tsutomu Shimomura’s systems on
Christmas Day, 1994. Although Mitnick succeeded in his advance while
coming over the Internet, this blazon of bluffing advance alone works on an
internal arrangement these canicule (unless the victim has no firewall and is
running old software).
Developing & Deploying…
22 Chapter 1 • Introduction to Aegis and Firewalls
from a beneath defended arrangement (a response) will alone be accustomed if a corresponding
entry is begin in the affiliation table. If we move up to the appliance layer,
we can see added use for statefulness for protocols such as FTP. FTP is a bit
different in that the server that the user connects to on anchorage 21 will admit a data
connection aback on anchorage 20 aback a book download is requested. If the firewall has
not kept clue of the FTP ascendancy affiliation that was initially established, it will
not acquiesce the abstracts affiliation aback in.This abstraction additionally applies to abounding of the
newer multimedia protocols such as RealAudio and NetMeeting.
Stateful analysis packet filters abide the acceleration kings of firewalls and are
the best adjustable area new protocols are concerned, but they are sometimes less
secure than appliance proxies. Check Point FireWall-1 and the Cisco PIX are
the arch examples of this blazon of firewall.
Application Proxies
As their name implies, appliance proxy firewalls act as intermediaries in network
sessions.The user’s affiliation terminates at the proxy, and a agnate separate
connection is accomplished from the proxy to the destination host. Connections
are analyzed all the way up to the appliance band to actuate if they are
allowed. It is this appropriate that gives proxies a college akin of aegis than
packet filters, stateful or otherwise. However, as you adeptness imagine, this additional
processing extracts a assessment on performance. Figure 1.6 shows how packet processing
is handled at the appliance band afore it is anesthetized on or blocked.
One potentially cogent limitation of appliance proxies is that as new
application protocols are implemented, agnate proxies charge be developed
to handle them.This agency that you could be at the benevolence of your bell-ringer if
there is a hot new video multicasting technology, for example, but there is no
proxy for it.
www.syngress.com
Figure 1.6 Appliance Proxy Abstracts Flow
Presentation
Session
Transport
Network
Data link
Physical
Application
Inspection
done here
Introduction to Aegis and Firewalls • Chapter 1 23
NOTE
Modern proxy-based firewalls generally accommodate the adeptness to configure
generic proxies for IP, TCP, and UDP. Although not as defended as proxies
that assignment at the appliance layer, these configurable proxies generally allow
for casual of newer protocols.
Examples of proxy-based firewalls accommodate Gauntlet from Defended Computing
(acquired from Arrangement Associates) and Symantec Raptor (also accepted as
Enterprise Firewall).