Firewalls

In computer terms, a firewall is a boundary system that sits between two networks and enforces a security policy that determines what information is allowed to pass between them. The networks in question are typically a corporate, or private, local area network (LAN) and the public Internet. The security policy can be very simple, allowing most communication to pass through, or can be very complex, allowing only specifically designated traffic from specifically designated hosts to cross the boundary.

A firewall acts like a security guard that monitors all incoming and outgoing traffic and makes decisions about whether or not certain traffic is allowed. These decisions are based on the security policy. Under the simplest, least restrictive security policy, everything is allowed except that which is explicitly denied. Under the most complex, most restrictive policy, everything is denied except that which is explicitly allowed. What this means in practical terms is that a firewall may be relatively simple to configure and manage, or it can be very complex and time-consuming to maintain.

Firewalls can be implemented at the network, transport, or application layer of the TCP/IP protocol suite, and the sophistication of the security policy a firewall can enforce depends on the layer at which it operates. The TCP/IP protocol suite, sometimes referred to as the DoD (Department of Defense) model, divides the network into four layers. From the bottom up, they are the physical or hardware layer, which describes how networks are connected together; the network layer, which defines the addresses of the network and its hosts (the workstations and servers that belong to the network) and routes packets between networks; the transport layer, which provides end-to-end communication between services and establishes the reliability of the connection between networks and hosts; and the application layer, which is responsible for the actual services a network provides, such as e-mail, authentication, and file transfer.

Network Layer Firewalls

At the network layer, a firewall controls access by examining the addresses or ports that a data packet is coming from or going to. This is the most basic type of firewall and is called a packet filtering firewall. Packets can be filtered not only by the IP address of a host but also by the port number of the service requested. For example, a security policy for a packet filtering firewall might be configured to allow incoming packets from any address only if they are destined for SMTP (Simple Mail Transfer Protocol) port 25, the service that processes e-mail. This would allow the network to accept incoming e-mail from anywhere on the Internet, but anyone trying to reach the FTP (File Transfer Protocol) service that operates on port 21 would be denied.

On the other hand, if it were determined that a network called "spam-me.com" was sending unwanted e-mail, the security policy could be extended to deny all incoming packets from that specific network while still allowing SMTP traffic from every other network. At this layer the firewall does no analysis of the data contained in the packets, nor does it provide any ability to hide the addresses of internal systems on outgoing packets. A packet filtering firewall is the least effective of all the types of firewalls available.
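
The packet filtering policy described above, written out as an added example that is not part of the original article: an ordered, first-match rule list with a default policy, so that the restrictive "deny everything except SMTP" policy and the permissive "allow everything except what is explicitly denied" policy from the introduction can both be expressed. The addresses are constructed from documentation ranges, and the assumption that "spam-me.com" owns 203.0.113.0/24 is invented for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at; the payload is never examined."""
    src: str          # source IP address
    dst: str          # destination IP address
    dport: int        # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A match on header fields; None means 'any'. Networks are CIDR strings."""
    action: str                   # "allow" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


class PacketFilter:
    """First-match rule list with a default policy for packets no rule matches."""

    def __init__(self, rules: Iterable[Rule], default: str = "deny") -> None:
        if default not in ("allow", "deny"):
            raise ValueError("default policy must be 'allow' or 'deny'")
        self.rules: List[Rule] = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed values: the firewall protects 192.0.2.0/24, and the offending
# network "spam-me.com" is assumed (for this example only) to own 203.0.113.0/24.
INSIDE_NET = "192.0.2.0/24"
SPAM_ME_NET = "203.0.113.0/24"

# Restrictive policy: deny everything except SMTP to port 25, and deny even SMTP
# from spam-me.com. Under first-match the specific deny must precede the broad allow.
RESTRICTIVE = PacketFilter(
    [
        Rule("deny", src=SPAM_ME_NET),
        Rule("allow", dst=INSIDE_NET, dport=25, proto="tcp"),
    ],
    default="deny",
)

# Permissive policy: everything passes except what is explicitly denied.
PERMISSIVE = PacketFilter(
    [
        Rule("deny", src=SPAM_ME_NET),
        Rule("deny", dst=INSIDE_NET, dport=21, proto="tcp"),
    ],
    default="allow",
)


def decide_all(fw: PacketFilter, packets: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Run every packet through the filter and pair it with the verdict."""
    return [(p, fw.decide(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("198.51.100.7", "192.0.2.10", 25),   # mail from an unrelated network
        Packet("198.51.100.7", "192.0.2.10", 21),   # FTP attempt from the same host
        Packet("203.0.113.9", "192.0.2.10", 25),    # mail from spam-me.com
    ]
    for pkt, verdict in decide_all(RESTRICTIVE, sample):
        print(f"{pkt.src} -> port {pkt.dport}: {verdict}")
```

Rule order is the point worth noticing: with first-match semantics, swapping the two rules in the restrictive policy would let spam-me.com's mail through, because the broad "allow port 25" rule would be consulted first.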

Transport Layer Firewalls

For firewalls at the transport layer, the decisions made by the security policy can be more complex and therefore offer more security. Sometimes referred to as circuit level or proxy firewalls, these types of firewalls can verify the source and destination of the communicating devices before opening the connection. After that initial verification, it is assumed that all further communication is allowed until the session is closed.

With this type of firewall, the addresses for the internal or private network can be hidden behind the address of the device providing the proxy service. The result is that only the address of the firewall is made public, preventing unauthorized individuals or hosts from knowing too much about the private network. The hiding of the internal addresses is called Network Address Translation (NAT) and is the feature most commonly implemented on firewalls at this level. This type of firewall can also provide proxy port IDs for network services, so that on the private network, common service destination ports can be changed but the sources trying to communicate with those services are unaware of the change.

As an example, incoming e-mail destined for the firewall's IP address and port 25 is transparently routed to a host with a different IP address, one that may even have the SMTP service assigned to a port other than port 25. This effectively hides the e-mail server so that intruders cannot find it. Even if they do discover the address of the mail server, they would still need to discover the port number to which the service has moved. This makes the job of attacking the mail server much more difficult.
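
The address and port translation just described, as an added example that is not code from the article: a destination NAT table on the firewall forwards the public address's port 25 to an internal mail host listening on a different port, and rewrites the replies so the client only ever sees the firewall's address. The public address 192.0.2.1, the internal host 10.0.0.5 and its port 2525 are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class NatGateway:
    """Destination NAT on the firewall: one public address is exposed, and chosen
    public ports are forwarded to internal hosts that may listen on other ports."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.forwards: Dict[int, Endpoint] = {}
        # Inbound lookup: (client ip, client port, public port) -> internal endpoint
        self.sessions: Dict[Tuple[str, int, int], Endpoint] = {}
        # Reply lookup: (internal ip, internal port, client ip, client port) -> public port
        self.replies: Dict[Tuple[str, int, str, int], int] = {}

    def forward(self, public_port: int, internal: Endpoint) -> None:
        """Publish a service: traffic to public_port goes to the internal endpoint."""
        self.forwards[public_port] = internal

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet; returns the rewritten packet or None if dropped."""
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.src, pkt.sport, pkt.dport)
        internal = self.sessions.get(key) or self.forwards.get(pkt.dport)
        if internal is None:
            return None                       # no forwarding rule: the public port is closed
        self.sessions[key] = internal
        self.replies[(internal.ip, internal.port, pkt.src, pkt.sport)] = pkt.dport
        return replace(pkt, dst=internal.ip, dport=internal.port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from an internal host: restore the public address and port the client
        expects. A reply matching no session is dropped rather than leaking an address."""
        public_port = self.replies.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if public_port is None:
            return None
        return replace(pkt, src=self.public_ip, sport=public_port)


if __name__ == "__main__":
    gw = NatGateway("192.0.2.1")
    gw.forward(25, Endpoint("10.0.0.5", 2525))     # SMTP lives on 10.0.0.5:2525 inside
    arriving = Packet("198.51.100.7", 40000, "192.0.2.1", 25)
    delivered = gw.inbound(arriving)
    print("inbound  ", arriving, "->", delivered)
    reply = Packet("10.0.0.5", 2525, "198.51.100.7", 40000)
    print("outbound ", reply, "->", gw.outbound(reply))
    print("port 21  ", gw.inbound(Packet("198.51.100.7", 40001, "192.0.2.1", 21)))
```

Note that the client's packets never carry 10.0.0.5 or port 2525 in either direction, which is the hiding effect the paragraph describes; a packet to a port with no forwarding entry, such as 21, is simply dropped.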

Application Layer Firewalls

Firewalls that operate at the application layer offer the most security of all possible configurations. Sometimes called Stateful Packet Filtering firewalls, these devices can perform an analysis on the contents of an individual data packet in order to do a more thorough job determining what is to be allowed or denied. For example, if the firewall allowed incoming Hypertext Transfer Protocol (HTTP) packets to be passed to the network, a malicious user could hide a Trojan Horse in a web page. A Trojan Horse is a malicious program hidden inside of a program that the network accepts as harmless. In this case, it could be an applet embedded in a web page. When the web page reaches its destination, the applet is released and causes harm to the network or host. A simple Packet Filtering Firewall would let the packet in because it appears to be on the allowed list but the Stateful Packet Filtering Firewall would look inside the packet and see that there is an embedded application and choose to deny that packet entry to the network.
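
The behaviour described for the stateful, content-inspecting firewall, as an added example that is not part of the original article: connections opened from the inside are recorded in a session table, inbound packets are accepted only as replies on a recorded connection, and HTTP replies are inspected for the embedded applet of the article's example before being let in. The TCP flag strings, the inside network 192.0.2.0/24 and the sample payloads are constructed for the example, and the applet check is a deliberately simple stand-in for real content inspection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # constructed stand-in for TCP flags: "SYN", "ACK", "FIN"
    payload: bytes = b""   # application data carried by the packet


# (inside ip, inside port, outside ip, outside port) identifies one connection
Session = Tuple[str, int, str, int]


def inspect_http(payload: bytes) -> bool:
    """Content check from the article's example: refuse a web page that embeds
    an applet. Returns True when the payload is acceptable."""
    return b"<applet" not in payload.lower()


class StatefulFirewall:
    """Tracks connections opened from the inside and inspects what comes back on them."""

    def __init__(self, inside_net: str, allowed_outbound_ports: Set[int]) -> None:
        self.inside_net = ip_network(inside_net)
        self.allowed_outbound_ports = allowed_outbound_ports
        self.sessions: Set[Session] = set()
        # Per-service content inspectors, keyed by the server-side port.
        self.inspectors: Dict[int, Callable[[bytes], bool]] = {80: inspect_http}

    def _inside(self, ip: str) -> bool:
        return ip_address(ip) in self.inside_net

    def process(self, pkt: Packet) -> str:
        """Return "allow" or "deny", updating the session table as a side effect."""
        if self._inside(pkt.src):
            key: Session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.sessions:
                if "FIN" in pkt.flags:
                    self.sessions.discard(key)
                return "allow"
            if "SYN" in pkt.flags and pkt.dport in self.allowed_outbound_ports:
                self.sessions.add(key)        # an inside host opened a permitted connection
                return "allow"
            return "deny"

        # Traffic from outside is accepted only as a reply on a recorded connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return "deny"                     # unsolicited inbound packet
        inspector = self.inspectors.get(pkt.sport)
        if inspector is not None and not inspector(pkt.payload):
            self.sessions.discard(key)        # drop the connection on a bad payload
            return "deny"
        if "FIN" in pkt.flags:
            self.sessions.discard(key)
        return "allow"


if __name__ == "__main__":
    fw = StatefulFirewall("192.0.2.0/24", {80, 443})
    clean_page = b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>"
    applet_page = b"HTTP/1.1 200 OK\r\n\r\n<html><applet code=\"sample.class\"></applet></html>"
    steps = [
        Packet("192.0.2.10", 50000, "198.51.100.10", 80, "SYN"),                 # inside opens HTTP
        Packet("198.51.100.10", 80, "192.0.2.10", 50000, "ACK", clean_page),     # reply, clean
        Packet("198.51.100.10", 80, "192.0.2.10", 50000, "ACK", applet_page),    # reply with applet
        Packet("198.51.100.11", 80, "192.0.2.12", 50001, "SYN"),                 # unsolicited inbound
    ]
    for pkt in steps:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}: {fw.process(pkt)}")
```

A plain packet filter would pass the applet page, since its headers match the "allow HTTP" rule exactly as the clean page's do; only by keeping state and reading the payload can the firewall tell the two apart.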

Regardless of which layer the firewall functions at, the actual firewall can be either a software solution or a dedicated appliance. There is typically degradation in performance when running a firewall as software on a computer that runs other applications. Also, the firewall is typically exposed to the Internet so the computer and its other applications will be exposed as well. Dedicated appliances generally offer the most secure solution as a firewall, and provide the best performance. But they are more costly and can be more complicated to configure. Software or hardware, application, transport or network layer, no matter the type or level of implementation, a firewall is a necessary part of today's networking technology to provide a measure of security and privacy for data and the people who use it.

Cynthia Tumilty Lazzaro


Copyright © 2002 by Macmillan Reference USA, an imprint of the Gale Group

All rights reserved
