Metronet Systems


Firewall Security

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.

A firewall is generally a separator and protector between one thing and another. Traditionally used in buildings to help contain fires and prevent their rapid spread, the modern firewall is a computer running software that lets it filter the information passing through it. A firewall can operate at several layers of the network stack: at the highest, the application layer, and at the lowest, usually the data link layer (MAC hardware addresses).

Most firewalls operate at the network and transport layers. They examine each TCP/IP packet and usually make a decision based on the IP address it came from, the IP address it is going to, the port it came from, the port it is going to, or any combination of these. They can also look at the header options and block based on those. Rules typically follow the lines of "let anything connect to the mail server on port 25" or "block access from anywhere to any port from 1 to 1024." Firewalls working at the application level can filter based on content, checking for viruses, keywords and so on.

At Metronet Systems, Inc. we have the knowledge and the ability to install, set up and configure the right firewall for your business based on your current and future needs and your budget.

There are three types of firewall technology in common use today. They can be deployed singly or combined, because each has its own strengths and weaknesses.

 
Packet Filtering

Packet filtering is perhaps the most common firewall technology and the easiest to employ for small, uncomplicated sites. However, it suffers from a number of disadvantages and is less desirable as a firewall than the other two technologies discussed below.

Working at the network layer of the OSI stack, Packet Filtering Routers make simple permit-or-deny decisions by comparing the packet's network addresses against a set of rules defined by the administrator.

Packet filtering is fast, transparent (no changes are required at the client), flexible and cheap (most routers will provide packet filtering capabilities, and so no additional hardware or software is required for most sites). Unfortunately, configuration is notoriously difficult, leading to an increased risk of configuration errors and thus security loopholes.

A Packet Filtering Router usually can filter IP packets based on some or all of the following fields:

    * Source IP address
    * Destination IP address
    * TCP/UDP source port
    * TCP/UDP destination port

Basically, we install a Packet Filtering Router at the Internet (or any subnet) gateway and then configure the packet filtering rules in the router to block or filter protocols and addresses. The site systems usually have direct access to the Internet while all or most access to site systems from the Internet is blocked. However, the router could allow selective access to systems and services, depending on the policy.

Packet filtering rules are complex to specify and usually no testing facility exists for verifying the correctness of the rules. Some routers do not provide any logging capability, so that if a router's rules still let dangerous packets through, the packets may not be detected until a break-in has occurred.
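The rule examples from the introduction ("let anything connect to the mail server on port 25", "block access from anywhere to any port from 1 to 1024") and the warning above that rules are hard to get right and usually cannot be tested are illustrated by the following added example. It is not code from the original page or from Metronet Systems: it models a first-match packet filter with a default deny, and adds the verification step the text says routers usually lack, replaying constructed packets against the rule set and reporting every decision that differs from the intended policy. The site range 192.0.2.0/24, the mail server 192.0.2.25, the outside host 198.51.100.7 and the scoping of the "1 to 1024" deny rule to traffic arriving at the site are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    sport: int    # TCP/UDP source port
    dport: int    # TCP/UDP destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # CIDR; 0.0.0.0/0 means "anywhere"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None = any protocol
    sport: Optional[range] = None  # None = any port
    dport: Optional[range] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet that matches no rule is denied.
    Returns the decision and the index of the rule that made it (None = default)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


def check_rules(rules: List[Rule], expectations) -> list:
    """Replay constructed packets and collect every decision that differs
    from the policy the administrator intended."""
    failures = []
    for p, expected in expectations:
        got, idx = filter_packet(rules, p)
        if got != expected:
            failures.append((p, expected, got, idx))
    return failures


# Constructed addresses (RFC 5737 documentation ranges), not a real site.
SITE = "192.0.2.0/24"
MAIL_SERVER = "192.0.2.25"
OUTSIDE = "198.51.100.7"

# Rule order matters: the port-25 permit must precede the 1-1024 deny.
GOOD_RULES = [
    Rule("permit", dst=MAIL_SERVER + "/32", proto="tcp", dport=range(25, 26),
         comment="anything may connect to the mail server on port 25"),
    Rule("deny", dst=SITE, dport=range(1, 1025),
         comment="block access from anywhere to site ports 1-1024"),
    Rule("permit", src=SITE, comment="site systems have direct Internet access"),
]

# Same intent, but the mail rule forgot its protocol and port constraint:
# it now permits *anything* to the mail server, the kind of loophole the
# text warns about.
BAD_RULES = [
    Rule("permit", dst=MAIL_SERVER + "/32", comment="mail server (too broad)"),
] + GOOD_RULES[1:]

# What the policy intends for a handful of constructed packets.
EXPECTATIONS = [
    (Packet(OUTSIDE, MAIL_SERVER, "tcp", 40000, 25), "permit"),   # SMTP in
    (Packet(OUTSIDE, MAIL_SERVER, "tcp", 40001, 23), "deny"),     # telnet to mail host
    (Packet(OUTSIDE, "192.0.2.10", "tcp", 40002, 80), "deny"),    # web to a site host
    (Packet("192.0.2.10", OUTSIDE, "tcp", 50000, 443), "permit"), # site host outbound
    (Packet(OUTSIDE, "192.0.2.10", "udp", 53, 3000), "deny"),     # high port, default deny
]
```

Running `check_rules(GOOD_RULES, EXPECTATIONS)` returns an empty list, while `check_rules(BAD_RULES, EXPECTATIONS)` reports the telnet packet to the mail host as permitted by rule 0 when it should have been denied. Keeping such an expectation list next to the rule set is a cheap substitute for the testing facility the text says is usually missing.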

Most routers available today provide packet filtering firewall capabilities. Other solutions are based on computers running a Unix, Linux or FreeBSD operating system that act as a Packet Filtering Firewall.
 

Proxy Servers

These are application-specific firewalls. While they are more secure than Packet Filtering Firewalls, they are slower than Stateful Inspection Firewalls. In an application proxy firewall, two TCP connections are established: one between the packet source and the firewall, another between the firewall and the packet destination. Application proxies intercept arriving packets on behalf of the destination, examine the application payload, then relay permitted packets to the destination. Proxies necessarily involve more protocol stack overhead than inspecting packets at the network layer. Furthermore, because a unique proxy is required for each application, proxy firewalls can be less flexible and slower to upgrade than Stateful Inspection Firewalls. On the other hand, proxy implementations can offer very granular application-level control (for example, blocking FTP transfers involving filenames ending in ".exe"). Instead of filtering on IP addresses or ports, specific proxies for applications such as Telnet or FTP are set up on the firewall, which examines traffic according to the policies set for those applications.

Proxies are mostly used to control or monitor outbound traffic. Some application proxies cache the requested data. This lowers bandwidth requirements and speeds up access to the same data for the next user. It also gives unquestionable evidence of what was transferred.

There are two types of proxy servers:

    * Application Proxies - that do the work for you.
    * SOCKS Proxies - that cross wire ports.


Application Proxy

The best example is a person telnetting to another computer and then telnetting from there to the outside world. With an Application Proxy server the process is automated. As you telnet to the outside world, the client sends you to the proxy first. The proxy then connects to the server you requested (the outside world) and returns the data to you.

Because proxy servers are handling all the communications, they can log everything they (you) do. For HTTP (web) proxies this includes every URL they (you) see. For FTP proxies this includes every file you download. They can even filter out "inappropriate" words or language from the sites you visit or scan for viruses.

Application Proxy servers can authenticate users. Before a connection to the outside world is made, the server can ask the user to login first. To a web user, this would make every site look like it required a login.
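The ".exe" FTP policy mentioned in the proxy overview and the logging and login behaviour described in the three paragraphs above are combined in the following added example. It is not code from the original page or from Metronet Systems: it models the client-facing half of an FTP application proxy as an in-memory state machine that (1) requires the user to log in to the proxy before any command is relayed to the outside, (2) inspects each command's payload and refuses transfers of files whose names end in a blocked suffix, and (3) logs every file transfer. The `FtpProxySession` class, the `handle` method, the reply codes it answers with, the client address 192.0.2.10 and the credential store are all constructed for the example; a real deployment would drive this logic from two sockets, one per TCP connection, rather than from a scripted list of commands.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FtpProxySession:
    """Per-client state of an application proxy that sits between the client's
    TCP connection and the connection the proxy opens to the real FTP server."""
    client: str                         # address of the connecting client
    users: Dict[str, str]               # constructed credential store: user -> password
    blocked_suffixes: tuple = (".exe",) # filenames the proxy refuses to transfer
    authenticated: bool = False
    pending_user: str = ""
    log: List[str] = field(default_factory=list)

    def handle(self, line: str) -> Tuple[str, str]:
        """Process one command line from the client.

        Returns (action, text): action "reply" means the proxy answers the client
        itself and forwards nothing; action "relay" means the command is passed
        on to the outside server over the proxy's second connection."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()

        if not self.authenticated:
            # Nothing reaches the outside world until the user logs in to the proxy.
            if verb == "USER":
                self.pending_user = arg
                return ("reply", "331 Password required for proxy")
            if verb == "PASS":
                if self.users.get(self.pending_user) == arg:
                    self.authenticated = True
                    self.log.append(f"{self.client} authenticated as {self.pending_user}")
                    return ("reply", "230 Proxy login ok")
                self.log.append(f"{self.client} failed proxy login as {self.pending_user!r}")
                return ("reply", "530 Proxy login incorrect")
            return ("reply", "530 Please login with USER and PASS")

        # Authenticated: inspect the application payload before relaying it.
        if verb in ("RETR", "STOR") and arg.lower().endswith(self.blocked_suffixes):
            self.log.append(f"{self.client} {verb} {arg} BLOCKED by policy")
            return ("reply", f"550 Transfer of {arg} refused by proxy policy")

        # Permitted command: record it (every file downloaded or uploaded) and relay.
        self.log.append(f"{self.client} {verb} {arg}".rstrip())
        return ("relay", line.strip())


def run_session():
    """Drive the proxy with a constructed command script and return
    (list of (action, text) decisions, the proxy's log)."""
    proxy = FtpProxySession(client="192.0.2.10", users={"alice": "s3cret"})
    script = [
        "RETR report.pdf",   # before login: refused locally, never relayed
        "USER alice",
        "PASS wrong",
        "PASS s3cret",
        "RETR report.pdf",   # permitted and logged
        "RETR setup.EXE",    # blocked by the ".exe" policy (case-insensitive)
        "STOR notes.txt",
        "QUIT",
    ]
    return [proxy.handle(cmd) for cmd in script], proxy.log
```

Each entry in the returned log is the "unquestionable evidence" the text refers to: the proxy saw the command in clear, decided on it, and wrote down who asked for what. Only commands the policy permits ever cross to the outside connection.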

 
SOCKS Proxy

A SOCKS Proxy server is a lot like an old switchboard. It simply cross-wires your connection through the system to another outside connection.

Most SOCKS servers only work with TCP connections. Like filtering firewalls, they don't provide user authentication. They can, however, record where each user was connected.

 
Stateful Inspection

Stateful inspection is a relative newcomer among firewall technologies. A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions. Each entry records the session's source and destination IP addresses and port numbers, and the current TCP sequence number. Entries are created only for those TCP connections or UDP streams that satisfy a defined security policy; packets associated with these sessions are permitted to pass through the firewall. Sessions that do not match any policy are denied, as are any packets received that do not match an existing table entry.

Stateful inspection is more secure than packet filtering because it opens smaller "holes" through which traffic can pass. For example, instead of permitting any host or program to send any kind of TCP traffic on port 80, a stateful inspection firewall ensures that packets belong to an existing session. Furthermore, it can authenticate the user when the session is established, it can determine whether the packets really carry HTTP, and it can enforce granular constraints at the application layer (e.g., filtering URLs to deny access to black-listed sites).

Stateful inspection doesn't just examine the IP packets themselves but also takes into account information derived from past communications and from other applications. A stateful inspection firewall examines all the communications layers to make sure they comply with a security policy.
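The session table described in the three paragraphs above is modelled by the following added example, which is not code from the original page or from Metronet Systems. A `StatefulFirewall` keeps one entry per permitted TCP session or UDP pseudo-session, keyed by protocol, addresses and ports; an entry is created only when a policy-permitted host sends a session opener (a TCP SYN or a UDP datagram), reply packets are matched against the reversed key, TCP entries are removed on RST or after FINs from both sides, and UDP entries expire after a timeout. The scenario at the end shows the "smaller hole" the text describes: an unsolicited inbound SYN to port 80 is denied even though port 80 traffic is permitted for sessions the inside host opened. The policy format, the 30-second UDP timeout, the simplified TCP state handling (sequence numbers are recorded per direction but not validated) and all addresses and times are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""     # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST
    seq: int = 0        # TCP sequence number
    time: float = 0.0   # arrival time in seconds (constructed clock)


@dataclass
class Session:
    state: str                                         # SYN_SENT, ESTABLISHED or UDP
    last_seen: float
    seq: Dict[str, int] = field(default_factory=dict)  # last sequence number per direction
    fins: Set[str] = field(default_factory=set)        # directions that have sent FIN


Key = Tuple[str, str, str, int, int]   # proto, src, dst, sport, dport


def _key(p: Packet) -> Key:
    return (p.proto, p.src, p.dst, p.sport, p.dport)


def _reverse(p: Packet) -> Key:
    return (p.proto, p.dst, p.src, p.dport, p.sport)


class StatefulFirewall:
    UDP_TIMEOUT = 30.0   # pseudo-session lifetime in seconds (assumed value)

    def __init__(self, policy):
        # policy: list of (src_cidr, dst_cidr, proto, dport) allowed to *initiate* a session
        self.policy = policy
        self.table: Dict[Key, Session] = {}

    def _policy_allows(self, p: Packet) -> bool:
        return any(ip_address(p.src) in ip_network(s) and ip_address(p.dst) in ip_network(d)
                   and p.proto == proto and p.dport == dport
                   for s, d, proto, dport in self.policy)

    def _expire_udp(self, now: float) -> None:
        stale = [k for k, s in self.table.items()
                 if s.state == "UDP" and now - s.last_seen > self.UDP_TIMEOUT]
        for k in stale:
            del self.table[k]

    def inspect(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet, updating the session table."""
        self._expire_udp(p.time)
        fwd, rev = _key(p), _reverse(p)
        if fwd in self.table:
            return self._track(fwd, "fwd", p)
        if rev in self.table:
            return self._track(rev, "rev", p)
        # No table entry: only a policy-permitted session opener may create one.
        opener = p.proto == "udp" or (p.proto == "tcp" and p.flags == "S")
        if opener and self._policy_allows(p):
            state = "UDP" if p.proto == "udp" else "SYN_SENT"
            self.table[fwd] = Session(state, p.time, {"fwd": p.seq})
            return "permit"
        return "deny"

    def _track(self, key: Key, direction: str, p: Packet) -> str:
        s = self.table[key]
        s.last_seen = p.time
        s.seq[direction] = p.seq
        if p.proto == "tcp":
            if "R" in p.flags:
                del self.table[key]                      # reset tears the session down
            elif s.state == "SYN_SENT" and direction == "rev" and "S" in p.flags and "A" in p.flags:
                s.state = "ESTABLISHED"                  # handshake completed
            elif "F" in p.flags:
                s.fins.add(direction)
                if s.fins == {"fwd", "rev"}:             # both sides have closed
                    del self.table[key]
        return "permit"


# Constructed policy: inside hosts may open HTTP and DNS sessions to anywhere.
POLICY = [("192.0.2.0/24", "0.0.0.0/0", "tcp", 80),
          ("192.0.2.0/24", "0.0.0.0/0", "udp", 53)]


def run_scenario():
    """Replay a constructed packet sequence; return (decisions, remaining table size)."""
    fw = StatefulFirewall(POLICY)
    inside, web, dns = "192.0.2.10", "203.0.113.5", "203.0.113.53"
    d = {}
    d["unsolicited_inbound_80"] = fw.inspect(Packet(web, inside, "tcp", 80, 40000, "S", 1, 0.0))
    d["syn_out"] = fw.inspect(Packet(inside, web, "tcp", 40000, 80, "S", 100, 1.0))
    d["synack_in"] = fw.inspect(Packet(web, inside, "tcp", 80, 40000, "SA", 500, 1.1))
    d["ack_out"] = fw.inspect(Packet(inside, web, "tcp", 40000, 80, "A", 101, 1.2))
    d["spoofed_reply_wrong_port"] = fw.inspect(Packet(web, inside, "tcp", 80, 40001, "A", 501, 1.3))
    d["dns_query"] = fw.inspect(Packet(inside, dns, "udp", 5353, 53, time=2.0))
    d["dns_reply"] = fw.inspect(Packet(dns, inside, "udp", 53, 5353, time=2.1))
    d["fin_out"] = fw.inspect(Packet(inside, web, "tcp", 40000, 80, "FA", 102, 3.0))
    d["fin_in"] = fw.inspect(Packet(web, inside, "tcp", 80, 40000, "FA", 502, 3.1))
    d["after_close"] = fw.inspect(Packet(web, inside, "tcp", 80, 40000, "A", 503, 3.2))
    d["dns_reply_late"] = fw.inspect(Packet(dns, inside, "udp", 53, 5353, time=40.0))
    return d, len(fw.table)
```

In the scenario only packets that belong to a session the inside host opened are permitted; the unsolicited SYN, the reply aimed at a port with no session, the packet arriving after both FINs, and the DNS answer that arrives after the pseudo-session timed out are all denied, and the table is empty when the replay ends.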

 
