A firewall is, by definition, a system of one or more devices developed to implement the access control policy of the network. Firewalls can be implemented in hardware devices, software features, or a combination of both. In the simplest scenario, a firewall could be the access router running a firewall feature set for a telecommuter, home user, small business network, or smaller branch office when they connect to the Internet. Router and firewall features are often built into the devices used to connect to DSL or cable services.
In larger implementations, the firewall might refer to multiple devices and technologies working together to protect the organization from the outside world, and within the network to provide internal security for specific network segments. As you learned in the preceding two chapters, even protecting a single perimeter connection often includes two or more devices working together to provide multiple layers of defense. This avoids the single point of failure that might expose the organization’s digital resources to catastrophic losses.
While a single device might be a firewall, it could also be just a part of a larger system that is the firewall. For clarity, using the terms “firewall device” and “firewall system” might be helpful. A firewall device could be a router running a firewall feature set, in addition to its other activities, or it could be a dedicated appliance like a PIX box.
Whether working between Internet users and an organization’s internal networks or providing internal security within the company network, firewalls examine all messages passing through and block those that don’t meet the specified security criteria. For our purposes, we can divide firewall techniques into three categories:
Packet filter
Proxy server
Stateful packet filter
In practice, many firewalls incorporate two or more of these techniques.
Packet filters are access control lists that look at each packet entering or leaving the network. They accept or reject the packet, based on user-defined rules. As you saw earlier, ACLs can base these decisions on any or all of the following criteria:
Source IP address
Destination IP address
Packet filtering can be fairly effective and is generally transparent to users. ACL filtering at Layer 3 and Layer 4 is useful in many cases, but the following limitations matter in any situation where you might consider relying on it exclusively:
Because no application layer or session information is used or stored, each new packet session must be fully tested against the rules on its own.
Without stateful capabilities, ACLs can’t deal with port number changes or multiple session channels required by some applications.
Non-initial fragments carry no Layer 4 header, so fragmented packets will be forwarded even if the initial packet was denied, thus allowing certain types of DoS attacks.
Complex ACLs can be difficult to configure and implement.
ACLs can be susceptible to IP address spoofing.
A proxy server stands between the internal network and the outside networks. An internal user wanting to browse a web site creates a session with the proxy server that typically requires authentication. This connection to the proxy might or might not be invisible to the internal user. The proxy can then compare the requested destination URL and/or IP address against a list of blocked sites. Assuming the site isn’t on the blocked list, the proxy then establishes a session with the destination. The proxy continues to work as a relay between the user and the outside world. Then, the proxy can apply application layer filtering against any packets. This hides the internal user from the external site and affords a level of content protection. This enhanced screening comes at the cost of reduced end-to-end performance.
Some proxies also cache content: downloaded content is stored and then served to the next user who requests it, which creates a perception of faster network performance and reduces traffic across WAN links. Many proxies can create detailed access logs, making it possible for network administrators to review them and add URLs to the blocked list.
Common problems in using proxy filtering include the following:
Slower end-to-end performance on true connections to the outside.
Because proxies are typically servers, any vulnerabilities inherent in that server operating system (OS) could be well known to hackers and easily exploited.
A proxy can provide a single point of failure, effectively blocking access to the outside world.
Stateful packet filtering systems provide a best-of-both-worlds solution that offers greater performance and reduced exposure to attack. By storing complete session state information for each session based on Layer 3, Layer 4, and application layer information, the device can provide more intelligent filtering than packet filters and faster performance than proxy filters.
PIX devices use stateful packet filtering to establish and secure TCP and UDP connections, as well as many common applications. This stateful decision-making allows PIX devices to deal with port number changes or multiple session channels required by some applications.
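As an added illustration (not from the original text and not PIX code), the following Python model contrasts the Layer 3/4 packet filter described above, including its fragment and source-port weaknesses, with a stateful packet filter that permits inbound traffic only as the reply to a session an inside host opened. The 10.0.0.0/8 inside network, the addresses and the packet trace are constructed, and the stateful logic is a deliberately simplified model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: Optional[int]  # None on a non-initial fragment: only fragment 0 carries the TCP header
    dport: Optional[int]
    syn: bool = False


def inside(ip: str) -> bool:
    return ip_address(ip) in ip_network("10.0.0.0/8")  # constructed: the protected internal network


def stateless_acl(pkt: Packet) -> str:
    # Layer 3/4 list with no session memory: inside may open TCP/80 out, port 80 is let back in.
    if pkt.sport is None:  # non-initial fragment: no ports to test, only addresses
        return "permit" if inside(pkt.src) or inside(pkt.dst) else "deny"
    if inside(pkt.src) and pkt.dport == 80:
        return "permit"
    if inside(pkt.dst) and pkt.sport == 80:  # any outside packet can claim source port 80
        return "permit"
    return "deny"


class StatefulFilter:
    # Session table keyed by (src, sport, dst, dport); inbound is permitted only as a reply.
    def __init__(self) -> None:
        self.sessions = set()

    def check(self, pkt: Packet) -> str:
        if pkt.sport is None:  # fragment: accept only between hosts that have an open session
            return "permit" if any(s[0] == pkt.dst and s[2] == pkt.src for s in self.sessions) else "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if inside(pkt.src) and pkt.dport == 80 and pkt.syn:
            self.sessions.add(key)  # policy permits the outbound SYN: record the session
            return "permit"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.sessions or reverse in self.sessions else "deny"


def run_trace(packets) -> list:
    fw = StatefulFilter()
    return [(stateless_acl(p), fw.check(p)) for p in packets]


TRACE = [  # constructed packets, in arrival order
    Packet("10.1.1.5", "203.0.113.9", 40001, 80, syn=True),  # inside host opens HTTP
    Packet("203.0.113.9", "10.1.1.5", 80, 40001),  # the genuine reply
    Packet("198.51.100.7", "10.1.1.5", 80, 445),  # unsolicited, source port forged to 80
    Packet("198.51.100.7", "10.1.1.5", None, None),  # unsolicited non-initial fragment
]
```

Running `run_trace(TRACE)` shows both filters permitting the outbound request and its genuine reply, while only the stateful filter drops the forged-port packet and the unsolicited fragment.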