How Firewalls Work - 14 Jun 2001

Many small office/home office (SOHO) users connect to the Internet, and many have a network of computers. Any network that connects to the outside world needs protection against unauthorized use and entry, and a firewall provides that protection.

What Is a Firewall?

Located either at a network gateway server or on a specialized hardware device, a firewall is a set of related programs that protect the contents of a private network from external users and programs. Many SOHO users install firewalls to prevent outsiders from accessing private resources (e.g., confidential business data) and to control internal access to Internet resources.

Typically, a firewall works in tandem with a router program to examine each packet of data sent out on a network to determine whether to send that data to its destination. A firewall also includes or complements a proxy server. In addition to aggregating network requests so that all outgoing traffic appears to be coming from one computer instead of from several machines on the internal network, a proxy server also collects and caches all incoming network pages. Administrators often install a firewall on a specially designated computer separate from the rest of the network so that no incoming request can directly access private resources. Let's look at a few of the screening methods firewalls use.

Packet filtering. A dynamic packet filter is a firewall facility that monitors the state of active connections and uses this information to determine which network packets to let through the firewall. By recording session information, such as the IP addresses and port numbers, a dynamic packet filter implements much tighter security than a static packet filter. For example, assume that you want to configure your firewall so that all your users can access the Internet, but the only inbound traffic you let in is replies to users' requests. With a static packet filter, you'd need to permanently let in replies from all external addresses, assuming that users are free to visit any site on the Internet. Such a filter would let an attacker sneak packets past it simply by marking them as replies in the packet header. By tracking and matching requests and replies, a dynamic packet filter can screen out replies that don't match a request. When the system records a request, the dynamic packet filter opens an inbound door just long enough to let in only the expected data. Once the system receives the reply, the filter closes the door, dramatically increasing the firewall's security capabilities.

Proxy service. You use a proxy server together with a gateway server that separates the enterprise network from the outside network and with a firewall server that protects the enterprise network from outside intrusion. When a proxy server receives a user's request for an Internet service (e.g., a Web page request) and the request passes the filtering requirements, the proxy server (assuming it's also a cache server) looks in its local cache of previously downloaded Web pages. If the proxy server finds the page, it returns the page to the user without forwarding the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the Internet server returns the page, the proxy server matches the page to the original request and forwards the information to the user. The user never sees the proxy server; all Internet requests and returned responses appear to go directly to and come directly from the addressed Internet server. (The proxy server is not quite invisible: its IP address appears as the source of all requests so that replies can return to it.) An advantage of using a proxy server is that its cache serves all users. Frequently requested Internet sites are likely to be in the proxy server's cache, improving user response time. The functions of a proxy server, firewall, and cache server can exist as separate server programs or as one package, and different computers can run different server programs. For example, a proxy server can be on the same machine as a firewall server, or it can be on a separate server and forward requests through the firewall.
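The request flow just described (filter the request, check the cache, fetch on the client's behalf with the proxy's own address, serve the cached copy to later clients) as a simulation. This is an added example, not code from the original article: the LAN addresses, the proxy address, the blocked-host list and the stand-in origin server are all constructed, and nothing is fetched from a real network.

```python
"""Simulated caching proxy between a SOHO LAN and the Internet.

Added example, not code from the original article. The LAN addresses, the
proxy's address, the blocked-host list and the stand-in origin server are
all constructed; nothing is fetched from a real network.
"""
from urllib.parse import urlsplit

PROXY_IP = "203.0.113.10"   # constructed: the proxy's own Internet-facing address


class FakeOrigin:
    """Constructed stand-in for Web servers out on the Internet. It records
    the source address of every request it receives."""

    def __init__(self, pages):
        self.pages = pages          # url -> page body
        self.seen_from = []         # source IPs as the origin observes them

    def fetch(self, requesting_ip, url):
        self.seen_from.append(requesting_ip)
        return self.pages.get(url)


class CachingProxy:
    """Proxy that filters requests, serves from its cache when it can, and
    otherwise fetches the page on the client's behalf using its own IP."""

    def __init__(self, origin, blocked_hosts=()):
        self.origin = origin
        self.blocked = set(blocked_hosts)
        self.cache = {}             # url -> body, shared by every LAN client
        self.stats = {"filtered": 0, "hits": 0, "misses": 0}

    def request(self, client_ip, url):
        """Handle one client request. Returns (status, body) where status is
        'filtered', 'hit' or 'miss'; the client never learns which it was."""
        host = urlsplit(url).hostname or ""
        if host in self.blocked:
            self.stats["filtered"] += 1
            return "filtered", None
        if url in self.cache:
            self.stats["hits"] += 1
            return "hit", self.cache[url]
        self.stats["misses"] += 1
        # The origin sees PROXY_IP, not client_ip, as the requester.
        body = self.origin.fetch(PROXY_IP, url)
        if body is not None:
            self.cache[url] = body  # later requests from any client hit the cache
        return "miss", body


def proxy_scenario():
    """Two LAN clients request the same page; a third request is filtered."""
    origin = FakeOrigin({"http://example.com/": "<html>example</html>"})
    proxy = CachingProxy(origin, blocked_hosts={"blocked.example.org"})
    statuses = [
        proxy.request("192.168.1.10", "http://example.com/")[0],
        proxy.request("192.168.1.20", "http://example.com/")[0],
        proxy.request("192.168.1.10", "http://blocked.example.org/page")[0],
    ]
    return statuses, origin.seen_from, proxy.stats


if __name__ == "__main__":
    print(proxy_scenario())
```

The second client's request is served from the cache filled by the first, and the origin server's log shows only the proxy's address, never a LAN address, which is the aggregation effect the article describes.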

Stateful inspection. Stateful inspection is a newer firewall screening method that doesn't examine the contents of each packet; instead, it compares certain key parts of a packet to a database of trusted information. Stateful inspection monitors information traveling from inside the firewall to the outside, looking for specific defining characteristics, and compares these characteristics with incoming information. If the comparison yields a reasonable match, the firewall lets the information through; otherwise, it discards it. However, because stateful inspection doesn't examine the entire packet, malformed packets can penetrate this line of defense and cause problems for the servers behind the firewall. A packet's contents can carry information or commands that cause applications, such as Active Server Pages (ASP) or Common Gateway Interface (CGI) scripts on a Web server, to fail. In fact, some multimedia applications (e.g., RealAudio) have required firewall manufacturers to revise their stateful inspection engines. For that reason, large companies and e-commerce and hosting sites use high-end firewalls that are hybrids, offering stateful inspection plus proxy applications for specific programs. However, most SOHO applications need only a firewall with simple stateful inspection.
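The dynamic packet filter from the "Packet filtering" paragraph and the stateful inspection described here are, at the level of mechanism, the same idea: remember the sessions that hosts inside open, and admit inbound packets only when their key header fields match a remembered session. The simulation below contrasts that with a static filter that permanently admits anything marked as a reply, and closes with the limitation this paragraph raises: a packet whose headers match an open session passes the stateful check even when its payload is malformed, which is why hybrid firewalls add a proxy-style application check. This is an added example, not code from the original article; the addresses, the TCP flag names used as strings, the idle timeout and the payload sanity check are all constructed for illustration.

```python
"""Simulated packet filters: static rules vs. a dynamic (stateful) filter.

Added example, not code from the original article. Packets, addresses and
rules are constructed here; nothing touches a real network.
"""
from dataclasses import dataclass

INTERNAL_NET = "192.168.1."   # constructed: the SOHO LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flag names, e.g. {"SYN", "ACK"}
    payload: bytes = b""


def outbound(pkt):
    """True for packets leaving the LAN for the Internet."""
    return pkt.src.startswith(INTERNAL_NET) and not pkt.dst.startswith(INTERNAL_NET)


class StaticFilter:
    """Stateless rules: outbound traffic is allowed, and inbound traffic is
    allowed only when its header claims to be a reply (ACK set). Because
    the rule is permanent, anything that merely looks like a reply gets in."""

    def allow(self, pkt, now=0.0):
        if outbound(pkt):
            return True
        return "ACK" in pkt.flags


class DynamicFilter:
    """Stateful filter: an outbound packet records the session, and an
    inbound packet is admitted only if it matches a recorded session.
    The entry is removed when the connection closes (FIN/RST) or goes idle,
    so there is no permanently open inbound door."""

    def __init__(self, idle_timeout=60.0):
        self.sessions = {}    # (int_ip, int_port, ext_ip, ext_port) -> last seen
        self.idle_timeout = idle_timeout

    def expire(self, now):
        stale = [k for k, t in self.sessions.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def allow(self, pkt, now=0.0):
        self.expire(now)
        if outbound(pkt):
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the request
        if key not in self.sessions:
            return False                                  # default deny inbound
        if pkt.flags & {"FIN", "RST"}:
            del self.sessions[key]                        # the door closes
        else:
            self.sessions[key] = now
        return True


def application_check(payload, max_len=1500):
    """Constructed application-layer sanity check of the kind a proxy
    performs and a header-only packet filter does not."""
    return payload.startswith(b"HTTP/1.") and len(payload) <= max_len


def filter_scenario():
    """Run a constructed packet trace through both filters.
    Returns {event: (static_verdict, dynamic_verdict)}."""
    static, dynamic = StaticFilter(), DynamicFilter()
    SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    ACK, FINACK = frozenset({"ACK"}), frozenset({"FIN", "ACK"})
    client, server, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    trace = [
        ("request", Packet(client, 40000, server, 80, SYN), 0.0),
        ("reply", Packet(server, 80, client, 40000, SYNACK, b"HTTP/1.1 200 OK\r\n"), 0.1),
        ("spoofed reply", Packet(stranger, 80, "192.168.1.20", 40001, ACK), 0.2),
        ("close", Packet(server, 80, client, 40000, FINACK), 0.3),
        ("late packet", Packet(server, 80, client, 40000, ACK), 0.4),
    ]
    verdicts = {name: (static.allow(p, t), dynamic.allow(p, t)) for name, p, t in trace}
    # Headers match an open session but the payload is malformed: the stateful
    # filter passes it; only the application-layer check rejects it.
    dynamic.allow(Packet(client, 40001, server, 80, SYN), 1.0)
    bad = Packet(server, 80, client, 40001, ACK, b"\x00" * 4000)
    verdicts["malformed reply"] = (dynamic.allow(bad, 1.1), application_check(bad.payload))
    return verdicts


if __name__ == "__main__":
    for event, verdict in filter_scenario().items():
        print(f"{event:16s} static={verdict[0]!s:5s} dynamic={verdict[1]}")
```

The "spoofed reply" and "late packet" events show the gain from tracking state: the static filter admits both because their headers say ACK, while the dynamic filter rejects them because no open session matches. The final event shows the cost of checking headers only; a real deployment pairs the filter with a proxy or application-aware inspection for the services it exposes.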

Using Firewalls

You can use firewalls in many ways to protect your network. Firewalls offer protection against remote logon and access by not letting someone connect to your computer and control it (e.g., viewing or accessing your files or running programs on your computer). Firewalls can also protect you against actions you run from macros. For example, some applications let you create a script of commands, called a macro, that the application can run to simplify more complex procedures; however, malicious attackers can create their own macros that, depending on the application, can destroy your data or crash your computer. Firewalls also offer protection against malicious source routing. Routers typically determine the path a packet travels over a network. However, the source sending the packet can explicitly state what route the packet should follow to its destination. Attackers sometimes use this facility to make traffic appear to originate at a trusted source or even inside your network, a process called spoofing. Most firewall products disable source routing by default.

Firewall Limitations

Although firewalls can help protect your internal network from outside sources, they do have limitations. For example, firewalls can protect against the actions that Trojan horse viruses (such as Back Orifice) take once installed, but without add-ons firewalls can't prevent a virus from entering your network. Some firewalls offer limited virus protection, but some of those are difficult to update. Some antivirus product vendors make modular plugins for firewalls that can screen email and Web traffic before it ever enters the internal network, and their virus definitions are simple to update; basically, the plugins function like desktop product updates. You should still install antivirus software on each computer in your network. Also, as long as you accept email into your network, some spam will pass through your firewall.

The level of security you establish determines how many of these threats your firewall can stop. A common rule of thumb: Block everything first, and then begin selecting what types of traffic you’ll let in. You can also restrict traffic that travels through the firewall so that only certain types of information (e.g., email) can get through. You can buy firewall appliances that perform most of the analysis and configuration upfront (e.g., Linksys Cable/DSL router); all you need to do is plug them in. In my next column, I’ll look at a small router device that affords strong, inexpensive firewall protection for your SOHO.
