What is a Firewall?
A firewall is a piece of software or hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. If you are a home user or small-business user, using a firewall is the most effective and important first step you can take to help protect your computer.
Different Types of Firewalls
Different firewalls use different techniques. Most firewalls use two or more of the following techniques:
Packet Filters:
A packet filter looks at each packet that enters or leaves the network and accepts or rejects the packet based on user-defined rules. Packet filtering is fairly effective and transparent, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application Gateway:
An application gateway applies security mechanisms to specific programs, such as FTP and Telnet. This technique is very effective, but it can cause performance degradation.
Circuit-layer Gateway:
This technique applies security mechanisms when a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection is established. After the connection has been established, packets can flow between the hosts without any further checking.
Proxy Server:
A proxy server intercepts all messages that enter and leave the network. The proxy server effectively hides the true network addresses.
Application Proxies:
Application proxies have access to the whole range of information in the network stack. This permits the proxies to make decisions based on basic authorization (the source, the destination and the protocol) and also to filter offensive or disallowed commands in the data stream. Application proxies are "stateful," meaning they keep the "state" of connections inherently. The Internet Connection Firewall feature that is included in Windows XP is a "stateful" firewall, as well as, the Windows Firewall. The Windows Firewall is included with Windows XP Service Pack 2 (SP2).
What does a firewall do?
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependant upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.
What can't a firewall do?
A firewall cannot prevent individual users with modems from dialling into or out of the network, bypassing the firewall altogether. Employee misconduct or carelessness cannot be controlled by firewalls. Policies involving the use and misuse of passwords and user accounts must be strictly enforced. These are management issues that should be raised during the planning of any security policy but that cannot be solved with firewalls alone.
The arrest of the Phonemasters cracker ring brought these security issues to light. Although they were accused of breaking into information systems run by AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom, Southwestern Bell, and Sprint Corp, the group did not use any high tech methods such as IP spoofing (see question 10). They used a combination of social engineering and dumpster diving. Social engineering involves skills not unlike those of a confidence trickster. People are tricked into revealing sensitive information. Dumpster diving or garbology, as the name suggests, is just plain old looking through company trash. Firewalls cannot be effective against either of these techniques.
Who needs a firewall?
Anyone who is responsible for a private network that is connected to a public network needs firewall protection. Furthermore, anyone who connects so much as a single computer to the Internet via modem should have personal firewall software. Many dial-up Internet users believe that anonymity will protect them. They feel that no malicious intruder would be motivated to break into their computer. Dial up users who have been victims of malicious attacks and who have lost entire days of work, perhaps having to reinstall their operating system, know that this is not true. Irresponsible pranksters can use automated robots to scan random IP addresses and attack whenever the opportunity presents itself.
How does a firewall work?
There are two access denial methodologies used by firewalls. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyse the application data to determine if the traffic should be allowed through. How a firewall determines what traffic to let through depends on which network layer it operates at. A discussion on network layers and architecture follows.
Desktop Firewall
Any software installed on an operating system to protect a single computer, like the one included with Windows XP, is called a desktop or personal firewall. This type of firewall is designed to protect a single desktop computer. This is a great protection mechanism if the network firewall is compromised.
Software Firewall
This type of firewall is a software package installed on a server operating system which turns the server into a full fledged firewall. Many people do not consider this the most secure type of firewall as you have the inherit security issues of the underlying operating system. This type of firewall is often used as an application firewall. This means the firewall is optimized to protect applications such as web application and email servers. Software firewalls have complex filters to inspect the content of the network traffic to insure that type of traffic is properly formatted. This type of firewall is usually (but not always) behind hardware firewalls (explanation to follow).
Hardware Firewall
A hardware firewall is a dedicated hardware device with a proprietary operating system or a stripped down operating system core. These firewalls include network routers with additional firewall capabilities. These firewalls are designed to handle large amounts of network traffic. Hardware firewalls are often placed on the perimeter of the network to filter the internet noise and only allow pre-determined traffic into the network. Sometimes hardware firewalls are used in conjunction with software firewalls so the hardware firewall filters out the traffic and the software firewall inspects the network traffic. When hardware firewalls are bombarded with bogus network traffic they drop the unwanted traffic only letting in the right traffic. This not only protects the software firewall but allows the software firewall only has to inspect proper network traffic thus the combination optimizes the network throughput.
Network-Level Firewalls
The first generation of firewalls (c. 1988) worked at the network level by inspecting packet headers and filtering traffic based on the IP address of the source and the destination, the port and the service. Some of these primeval security applications could also filter packets based on protocols, the domain name of the source and a few other attributes.
Network-level firewalls are fast, and today you'll find them built into most network appliances, particularly routers. These firewalls, however, don't support sophisticated rule-based models. They don’t understand languages like HTML and XML, and they are capable of decoding SSL-encrypted packets to examine their content. As a result, they can’t validate user inputs or detect maliciously modified parameters in an URL request. This leaves your network vulnerable to a number of serious threats.
Circuit-Level Firewalls
These applications, which represent the second-generation of firewall technology, monitor TCP handshaking between packets to make sure a session is legitimate. Traffic is filtered based on specified session rules and may be restricted to recognized computers only. Circuit-level firewalls hide the network itself from the outside, which is useful for denying access to intruders. But they don't filter individual packets.
Application-Level Firewalls
Recently, application-level firewalls (sometimes called proxies) have been looking more deeply into the application data going through their filters. By considering the context of client requests and application responses, these firewalls attempt to enforce correct application behavior, block malicious activity and help organizations ensure the safety of sensitive information and systems. They can log user activity too. Application-level filtering may include protection against spam and viruses as well, and be able to block undesirable Web sites based on content rather than just their IP address.
If that sounds too good to be true, it is. The downside to deep packet inspection is that the more closely a firewall examines network data flow, the longer it takes, and the heavier hit your network performance will sustain. This is why the highest-end security appliances include lots of RAM to speed packet processing. And of course you'll pay for the added chips.
Stateful Multi-level Firewalls
SML vendors claim that their products deploy the best features of the other three firewall types. They filter packets at the network level and they recognize and process application-level data, but since they don't employ proxies, they deliver reasonably good performance in spite of the deep packet analysis. On the downside, they are not cheap, and they can be difficult to configure and administer.