
What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between
two networks. The actual means by which this is accomplished varies widely, but in
principle, the firewall can be thought of as a pair of mechanisms: one, which exists to
block traffic, and the other, which exists to permit traffic. Some firewalls place a greater
emphasis on blocking traffic, while others emphasize permitting traffic. Probably the
most important thing to recognize about a firewall is that it implements an access control
policy. If you don't have a good idea of what kind of access you want to allow or to deny,
a firewall really won't help you. It's also important to recognize that the firewall's
configuration, because it is a mechanism for enforcing policy, imposes its policy on
everything behind it. Administrators of firewalls that manage the connectivity for a large
number of hosts therefore carry a heavy responsibility.

The need for a Firewall

The Internet, like any other society, is plagued with the kind of jerks who enjoy the
electronic equivalent of writing on other people's walls with spray paint, tearing their
mailboxes off, or just sitting in the street blowing their car horns. Some people try to get
real work done over the Internet, and others have sensitive or proprietary data they must
protect. Usually, a firewall's purpose is to keep the jerks out of your network while still
letting you get your job done.

Many traditional-style corporations and data centers have computing security policies and
practices that must be adhered to. In a case where a company's policies dictate how data
must be protected, a firewall is very important, since it is the embodiment of the
corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large
company, is not justifying the expense or effort, but convincing management that it's safe
to do so. A firewall provides not only real security; it often also plays an important role
as a security blanket for management.

Lastly, a firewall can act as your corporate ``ambassador'' to the Internet. Many
corporations use their firewall systems as a place to store public information about
corporate products and services, files to download, bug-fixes, and so forth. Several of
these systems have become important parts of the Internet service structure (e.g.:
UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their
organizational sponsors.

What can a firewall protect against?

• Remote login - When someone is able to connect to your computer and control it
in some form. This can range from being able to view or access your files to
actually running programs on your computer.
• Application backdoors - Some programs have special features that allow for
remote access. Others contain bugs that provide a backdoor, or hidden access,
that provides some level of control of the program.
• SMTP session hijacking - SMTP is the most common method of sending e-mail
over the Internet. By gaining access to a list of e-mail addresses, a person can
send unsolicited junk e-mail (spam) to thousands of users. This is done quite
often by redirecting the e-mail through the SMTP server of an unsuspecting host,
making the actual sender of the spam difficult to trace.
• Operating system bugs - Like applications, some operating systems have
backdoors. Others provide remote access with insufficient security controls or
have bugs that an experienced hacker can take advantage of.
• Denial of service - You have probably heard this phrase used in news reports on
the attacks on major Web sites. This type of attack is nearly impossible to counter.
What happens is that the hacker sends a request to the server to connect to it.
When the server responds with an acknowledgement and tries to establish a
session, it cannot find the system that made the request. By inundating a server
with these unanswerable session requests, a hacker causes the server to slow to a
crawl or eventually crash.
• E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you
the same e-mail hundreds or thousands of times until your e-mail system cannot
accept any more messages.
• Macros - To simplify complicated procedures, many applications allow you to
create a script of commands that the application can run. This script is known as a
macro. Hackers have taken advantage of this to create their own macros that,
depending on the application, can destroy your data or crash your computer.
• Viruses - Probably the most well-known threat is computer viruses. A virus is a
small program that can copy itself to other computers. This way it can spread
quickly from one system to the next. Viruses range from harmless messages to
erasing all of your data.
• Spam - Typically harmless but always annoying, spam is the electronic equivalent
of junk mail. Spam can be dangerous though. Quite often it contains links to Web
sites. Be careful of clicking on these because you may accidentally accept a
cookie that provides a backdoor to your computer.
• Redirect bombs - Hackers can use ICMP to change (redirect) the path
information takes by sending it to a different router. This is one of the ways that a
denial of service attack is set up.
• Source routing - In most cases, the path a packet travels over the Internet (or any
other network) is determined by the routers along that path. But the source
providing the packet can arbitrarily specify the route that the packet should travel.
Hackers sometimes take advantage of this to make information appear to come
from a trusted source or even from inside the network! Most firewall products
disable source routing by default.
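
The denial-of-service item above describes a connection-request flood: the server acknowledges each request, but the requesting system never completes the exchange, so the server is left holding half-open sessions. The following added example (not code from the original page or any firewall product) shows how a defender can spot that pattern in firewall logs. The log format, the addresses, and the threshold are all constructed for the illustration: each line carries a timestamp, the two endpoints, and the TCP flags seen, and a session counts as half-open when a SYN and the server's SYN,ACK were logged but the client's final ACK never was.

```python
import re
from collections import defaultdict

# Constructed (hypothetical) firewall log format, not any real product's:
#   <seconds> <src_ip>:<sport> -> <dst_ip>:<dport> <tcp flags>
LINE_RE = re.compile(
    r"^(?P<t>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z,]+)$"
)


def build_sample_log():
    """Constructed sample: one legitimate three-way handshake, followed by 40
    connection requests from distinct (spoofed) sources that never complete."""
    lines = [
        "100 203.0.113.5:4001 -> 10.0.0.2:80 SYN",
        "100 10.0.0.2:80 -> 203.0.113.5:4001 SYN,ACK",
        "100 203.0.113.5:4001 -> 10.0.0.2:80 ACK",
    ]
    for i in range(40):
        src = "198.51.100.%d" % (i + 1)
        t = 101 + i // 10
        lines.append("%d %s:%d -> 10.0.0.2:80 SYN" % (t, src, 20000 + i))
        lines.append("%d 10.0.0.2:80 -> %s:%d SYN,ACK" % (t, src, 20000 + i))
    return lines


def half_open_per_server(log_lines):
    """Return {(server_ip, server_port): count} of handshakes that were opened
    by a SYN but never closed by the client's final ACK."""
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> True
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the format
        flags = set(m["flags"].split(","))
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if flags == {"SYN"}:
            pending[key] = True          # client asked to connect
        elif flags == {"ACK"}:
            pending.pop(key, None)       # client completed the handshake
        # The server's SYN,ACK is its reply; it does not change the client's key.
    counts = defaultdict(int)
    for (_, _, server, port) in pending:
        counts[(server, port)] += 1
    return dict(counts)


def flag_syn_flood(log_lines, threshold=20):
    """Servers whose half-open connection count exceeds the threshold."""
    return sorted(s for s, n in half_open_per_server(log_lines).items() if n > threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print(half_open_per_server(log))
    print("suspected flood targets:", flag_syn_flood(log))
```

The detector keys on the client side of the handshake only, so a flood of spoofed sources shows up as many distinct pending keys against one server. In practice the threshold would be tuned to the normal half-open count of each service and evaluated over a sliding time window rather than over the whole log.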

Some firewalls permit only email traffic through them, thereby protecting the network
against any attacks other than attacks against the email service. Other firewalls provide
less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins
from the ``outside'' world. This, more than anything, helps prevent vandals from logging
into machines on your network. More elaborate firewalls block traffic from the outside to
the inside, but permit users on the inside to communicate freely with the outside. The
firewall can protect you against any type of network-borne attack if you unplug it.
Firewalls are also important since they can provide a single ``choke point'' where security
and audit can be imposed. Unlike in a situation where a computer system is being
attacked by someone dialing in with a modem, the firewall can act as an effective ``phone
tap'' and tracing tool. Firewalls provide an important logging and auditing function; often
they provide summaries to the administrator about what kinds and amount of traffic
passed through it, how many attempts there were to break into it, etc.

This is an important point: providing this ``choke point'' can serve the same purpose on
your network as a guarded gate can for your site's physical premises. That means anytime
you have a change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A
company rarely has only an outside gate and no receptionist or security staff to check
badges on the way in. If there are layers of security on your site, it's reasonable to expect
layers of security on your network.

There are four basic methods used to protect a network from unauthorized Internet
access.

Packet Filtering

Packet Filtering is the most basic method of perimeter security. Packets are dropped or
"filtered" by a device, typically a router or a firewall, when they do not meet
predetermined rules or "policies" set by the Network Administrator. Packet filters are
configured to consider the source and destination address of the packets and the type of
protocol embedded in the packet. A packet filter might be configured to drop or reject any
packets coming from the "un-trusted" or Internet side of the router that contain the
"Telnet" protocol. The Telnet protocol can be used to provide remote control of a
workstation, server or other network device. Unrestricted Telnet access from the Internet
is a major security concern.

Application Proxy

An Application Proxy is a software program or device that makes software requests on
behalf of another device on the network. A typical Proxy Server is configured to perform
Internet Browser functions for a workstation on the "trusted" or internal network. The
workstation browser sends its browsing request to the Proxy Server rather than to the
destination Web server on the Internet. The Proxy then forwards the browsing request to
the destination Web server and examines the packets that are returned from the remote
Web server. The Proxy can then examine the actual application program data contained
within the packet and reject it or pass it on to the originating workstation based on the
security policy created by the Network Administrator. A Proxy Server might be
configured to reject all inbound packets that contain EXE or COM files. Hackers use
these common executable file types to introduce dangerous virus and worm files into a
network.
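
The EXE/COM rule above is a decision the proxy makes on application data rather than on packet headers. The following added example (written for this page, not code from the original or from any proxy product) shows the inspection step in isolation: given the URL path the browser requested and the raw HTTP response the proxy received, it decides whether to pass the response on or reject it. The three responses at the bottom are constructed for the demonstration; the hypothetical policy blocks by file extension, by an executable content type, and by the "MZ" signature that DOS and Windows executables begin with, so that an executable renamed to a harmless extension is still caught.

```python
import re

BLOCKED_EXTENSIONS = (".exe", ".com")
BLOCKED_TYPES = ("application/x-msdownload", "application/x-msdos-program")
PE_MAGIC = b"MZ"   # DOS/Windows executables start with this two-byte signature


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def proposed_filename(headers, url_path):
    """Name the browser would save the download under: the Content-Disposition
    filename if present, otherwise the last path segment of the requested URL."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    name = m.group(1) if m else url_path.rsplit("/", 1)[-1]
    return name.strip().lower()


def inspect_response(url_path, raw):
    """Policy decision for one proxied response: ("pass", "") or ("reject", reason)."""
    _, headers, body = parse_http_response(raw)
    name = proposed_filename(headers, url_path)
    if name.endswith(BLOCKED_EXTENSIONS):
        return "reject", "blocked file extension: " + name
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES:
        return "reject", "blocked content type: " + ctype
    if body.startswith(PE_MAGIC):        # catches executables renamed to .txt etc.
        return "reject", "executable signature in body"
    return "pass", ""


# Constructed responses for the demonstration (not captured from any real server)
EXE_DOWNLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b'Content-Disposition: attachment; filename="setup.exe"\r\n\r\n'
                b"MZ\x90\x00\x03\x00")
RENAMED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               b"MZ\x90\x00\x03\x00")
HTML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
             b"<html><body>hello</body></html>")


def run_demo():
    """Decisions for the three constructed responses, in order."""
    return [inspect_response("/files/setup.exe", EXE_DOWNLOAD)[0],
            inspect_response("/files/readme.txt", RENAMED_EXE)[0],
            inspect_response("/index.html", HTML_PAGE)[0]]


if __name__ == "__main__":
    print(run_demo())   # ['reject', 'reject', 'pass']
```

The signature check is deliberately coarse: any body beginning with the bytes "MZ" is rejected, which a real proxy would refine with a fuller file-type parser. The point the example makes is the one in the text: the proxy sees whole application objects, so it can enforce rules a header-only packet filter cannot express.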

Stateful Packet Inspection

A Stateful Inspection firewall keeps track of all packets associated with a specific
communication session. A typical communication session between two computers will
consist of several thousand packets, each of which is identified by a unique "source" and
"destination" address and a "sequence" number that allows all of the packets to be
reassembled into the correct data file at the destination computer. In a typical network,
thousands of sessions may be occurring simultaneously. A Stateful Inspection firewall
keeps track of all these concurrent sessions. Each packet of data is checked to ensure that
it belongs to the proper session. Any packets that are not part of an existing session are
rejected. In addition to checking and validating the communication session by the source
and destination addresses of the machines and ensuring that all packets belong to the
proper session, the firewall further screens the packet at the "software port" level. A
software port is a unique address extension that the application software uses to
communicate with the outside world. Filtering at the software application port level
provides an additional layer of control for the Network Administrator to ensure that only
authorized transactions are allowed through the firewall.
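
The Packet Filtering and Stateful Packet Inspection sections describe two layers of the same decision: a per-packet rule table keyed on addresses, protocol and port, and a session table that admits a packet only if it opens a permitted session or belongs to one already tracked. The following added example (written for this page; not code from the original or from any firewall product) implements both in a simulator. The address plan (10.0.0.0/8 as the trusted side), the rule list, and the packet trace are constructed assumptions; the first rule is the "no Telnet from the untrusted side" rule from the Packet Filtering section, and a second rule admitting inbound mail stands in for the "email only" firewall mentioned earlier on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: 10.0.0.0/8 is the "trusted" inside; everything else is outside.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags present: "SYN", "ACK", "FIN", "RST"


def zone(addr):
    return "inside" if ipaddress.ip_address(addr) in INSIDE else "outside"


# Stateless rules, first match wins: (action, source zone, protocol, destination port).
# None means "any".  Hypothetical policy for the demonstration.
RULES = [
    ("deny",  "outside", "tcp", 23),     # no Telnet from the untrusted side
    ("allow", "outside", "tcp", 25),     # inbound mail to the SMTP relay is permitted
    ("allow", "inside",  None,  None),   # inside hosts may initiate anything
    ("deny",  None,      None,  None),   # default deny
]


def stateless_decision(pkt):
    """Plain packet filtering: look only at the headers of this one packet."""
    for action, src_zone, proto, dport in RULES:
        if src_zone is not None and zone(pkt.src) != src_zone:
            continue
        if proto is not None and pkt.proto != proto:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"


class StatefulFirewall:
    """Tracks sessions by 5-tuple; a packet passes only if it opens a permitted
    session or belongs to one already in the table."""

    def __init__(self):
        self.sessions = {}   # (src, sport, dst, dport, proto) -> state string

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if rev in self.sessions:                     # reply traffic of a known session
            if self.sessions[rev] == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
                self.sessions[rev] = "ESTABLISHED"
            if pkt.flags & {"FIN", "RST"}:           # simplified teardown: drop state at once
                del self.sessions[rev]
            return "allow"
        if fwd in self.sessions:                     # more traffic from the initiator
            if pkt.flags & {"FIN", "RST"}:
                del self.sessions[fwd]
            return "allow"
        # Not in the table: only a TCP SYN (or a first UDP/ICMP packet) may open a session,
        # and only if the stateless rules permit it.
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return "deny"
        if stateless_decision(pkt) != "allow":
            return "deny"
        self.sessions[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
        return "allow"


def run_demo():
    """Decisions for a constructed packet trace, in order."""
    fw = StatefulFirewall()
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [
        Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 80, syn),     # inside opens HTTP
        Packet("93.184.216.34", "10.0.0.5", "tcp", 80, 40000, synack),  # server replies
        Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 80, ack),     # handshake completes
        Packet("198.51.100.7", "10.0.0.9", "tcp", 5555, 23, syn),       # Telnet from outside
        Packet("198.51.100.7", "10.0.0.9", "tcp", 5555, 80, ack),       # stray ACK, no session
        Packet("198.51.100.7", "10.0.0.9", "tcp", 5555, 80, syn),       # unsolicited inbound HTTP
        Packet("198.51.100.7", "10.0.0.25", "tcp", 5555, 25, syn),      # inbound mail: permitted
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_demo())   # ['allow', 'allow', 'allow', 'deny', 'deny', 'deny', 'allow']
```

The fifth packet is the case that separates the two techniques: a bare ACK to port 80 carries nothing the stateless rules object to, yet the stateful firewall rejects it because no session it belongs to was ever opened. Real implementations also age sessions out on a timer and follow the full TCP close sequence rather than dropping state on the first FIN.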

Hybrid Solutions

Many current firewalls blend Stateful Packet Inspection with Application Proxy
technology to address a broad range of security functions.

What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many
corporations that connect to the Internet are very concerned about proprietary data
leaking out of the company through that route. Unfortunately for those concerned, a
magnetic tape can just as effectively be used to export data. Many organizations that are
terrified (at a management level) of Internet connections have no coherent policy about
how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel
door when you live in a wooden house, but there are a lot of organizations out there
buying expensive firewalls and neglecting the numerous other back-doors into their
network. For a firewall to work, it must be a part of a consistent overall organizational
security architecture. Firewall policies must be realistic and reflect the level of security in
the entire network. For example, a site with top secret or classified data doesn't need a
firewall at all: they shouldn't be hooking up to the Internet in the first place, or the
systems with the really secret data should be isolated from the rest of the corporate
network.

Another thing a firewall can't really protect you against is traitors or idiots inside your
network. While an industrial spy might export information through your firewall, he's just
as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are
a far more likely means for information to leak from your organization than a firewall!
Firewalls also cannot protect you against stupidity. Users who reveal sensitive
information over the telephone are good targets for social engineering; an attacker may be
able to break into your network by completely bypassing your firewall, if he can find a
``helpful'' employee inside who can be fooled into giving access to a modem pool. Before
deciding this isn't a problem in your organization, ask yourself how much trouble a
contractor has getting logged into the network or how much difficulty a user who forgot
his password has getting it reset. If the people on the help desk believe that every call is
internal, you have a problem.

Lastly, firewalls can't protect against tunneling over most application protocols to
trojaned or poorly written clients. There are no magic bullets and a firewall is not an
excuse to not implement software controls on internal networks or ignore host security on
servers. Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite simple
and trivially demonstrated. Security isn't ``fire and forget''.

VIRTUAL PRIVATE NETWORKS (VPN)

Until fairly recently, extending a company's private network across sites has meant the
use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from
ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155
Mbps) fiber, provided a company with a way to expand its private network beyond its
immediate geographic area. A WAN had obvious advantages over a public network like
the Internet when it came to reliability, performance and security. But maintaining a
WAN, particularly when using leased lines, can become quite expensive and often rises in
cost as the distance between the offices increases.

As the popularity of the Internet grew, businesses turned to it as a means of extending
their own networks. First came intranets, which are password-protected sites designed
for use only by company employees. Now, many companies are creating their own VPN
(virtual private network) to accommodate the needs of remote employees and distant
offices.

Basically, a VPN is a private network that uses a public network (usually the Internet) to
connect remote sites or users together. Instead of using a dedicated, real-world connection
such as a leased line, a VPN uses "virtual" connections routed through the Internet from
the company's private network to the remote site or employee.
