1 INTRODUCING FIREWALLS
This chapter introduces firewalls and discusses their features and benefits.
It includes the following topics:
■ Introduction to Firewalls
■ Firewall Basics
■ Types of Firewall
Introduction to Firewalls
A “firewall” is a device or series of devices that provides secure connections between computer networks. Firewalls enforce security by either allowing or preventing access to computer networks. They serve a dual purpose within the network. In one regard, firewalls block or permit the entry of network traffic to a computer domain that exists behind the firewall. In another regard, they block or permit the exit of network traffic from a computer domain. In both scenarios, the primary function of the firewall is to enforce a policy for access control.
Background
At the onset, computer networks were safely sealed environments that generally existed within the confines of institutions such as universities, hospitals, and corporations. As the Internet evolved to its current state, information became much more vulnerable as access to information
Despite the best intentions of information sharing, there is an inherent
risk of unfriendly use. Computer hackers, corporate spies, and even
innocent users can potentially enter a network through a virtual door and
cause great harm in the form of lost data, computer viruses, and the theft
of confidential and proprietary information. Because a virtual door poses
a very real danger, it is important to deploy a device that restricts traffic in
constructive and pre-determined ways.
In this regard, firewalls prevent unwanted users from entering their
domain, but they also serve as a virtual lobby to an organization. When
viewed as a portal or entryway to an organization, firewalls can provide a
valuable service by offering product information, electronic forms, and
corporate or organizational information. A firewall can be seen as a
company showcase, offering a glimpse of products, services, culture and
Additionally, a firewall can serve as an outbound portal to the Internet. In this form, the firewall allows for control of outbound traffic and Internet access from within. Not only is network security enhanced, but simple network control is a major benefit of a well-designed firewall.
Benefits
The most obvious benefit of a firewall is that it provides a single source point for traffic control. Think of it as the valve on a water main controlling the entry and exit of all water to and from a building. This single point of control offers network administrators a concise and easily controlled vantage of their network and its visitors. On one side of the firewall there is the outside world; on the other side is the secure
The same concept can work within domains of an existing network. Networks within networks can also be separated by firewalls for the exact same reasons: security and access. For example, legal, financial, medical, and engineering design departments all require security and access limitations to some degree.
Limitations
Firewalls can also have limitations. A firewall is only as good as its placement. If traffic is routed around a firewall, obviously, there is no benefit to it. If security is the ultimate goal, then all access into and out of the network must be governed by the firewall. This means that modems, File Transfer Protocols, and other forms of electronic communications must also be limited and controlled. Also, if an organization holding highly sensitive information is connected to the Internet, the restrictions on access may be so great that it may be more efficient not to connect at all than to use a firewall.
Firewalls cannot protect against a user making an internal transfer of
sensitive data to the outside world. Once a user has access to sensitive
data and access to the Internet, there is nothing but the integrity of the
user and the discretion of the management to prevent such leaks.
Along these same lines, a firewall cannot protect against malicious
authorized users. Although this may not seem to be as severe a threat,
the risk is still real. An insider who has authority can pose a serious threat
in a number of scenarios because they are safe within the realm of a
policy. Embedded firewalls can address some of these concerns provided
the insiders are identified and managed accordingly.
Firewalls cannot protect against all viruses either. Due to their complex
nature, viruses can be attached or disguised in too many ways for
firewalls to effectively block them all. Viruses are the responsibility of
good virus scanning software and network administration.
Because viruses change so frequently and vary in characteristics, there is
no way to build the necessary functionality into a device and keep it
In summary, firewalls are only as good as their design, implementation, and maintenance. As such, policies that dictate access rules need to be designed for control and security, and should be made with foresight and care. A firewall is only as good as the policy that governs it.
Firewall Example Configuration
The following example illustrates one possible configuration of a firewall in a network. The LAN is a safe location for hosts and servers, the Demilitarized Zone (DMZ) is a logical location for publicly accessed servers, and a WAN connection is provided to the Internet through a router or modem. (See “Demilitarized Zone (DMZ)” on page 11 for more details on the DMZ.)
Figure 1 Firewall Example Configuration (figure not reproduced; its segments are labelled LAN, DMZ and WAN)
Firewall Basics
Specifically, a firewall is useful for the following reasons:
■ Restricting Access
■ Ensuring Security
■ Providing Public Services
Restricting Access
Restricting access is a critical aspect of a firewall. In this regard, firewalls protect against unwanted interference from outside sources. A particular threat in this regard is a Denial of Service (DoS) attack, which is carried out by bombarding a server with unwanted traffic. Although they can take other forms, there are three basic types of DoS attacks: those that use TCP/IP implementation bugs, those that find weaknesses in TCP/IP, and those that use brute force to harm a network.
TCP/IP Implementation Bugs
The most common TCP/IP Implementation bugs are referred to as “buffer
overflow” bugs which cause a network to choke. Another type is called
“PING of Death (POD).” A PING of Death attack limits the effectiveness of
a network to handle large amounts of traffic. The PING of Death uses a
technique that combines fragments of IP packets with overlapping fields.
These fragmented packets are then reassembled and can cause a system
to crash. Although they are not as common anymore as “buffer
overflow” bugs, POD bugs can yield the same results on network
In order for a communication exchange to happen between two hosts,
an initial connection must occur that acknowledges both parties engaged
in the conversation. The initiator sends a “SYN” packet to the receiving
host. The receiving host replies with an “ACK” packet. Once the
connection is established a conversation can begin. An attack can occur
when the receiving system is flooded with SYN packets. Since each SYN
packet requires an ACK response, the server is flooded with traffic that
cannot be accommodated. The end result is a server that has run out of
Brute Force Attack
A brute force attack is basically what the name implies: an overpowering load of traffic that absorbs the available bandwidth and consumes all resources with broadcast storm traffic. This meaningless traffic overwhelms the network resources to the point where performance is severely hindered and the network is crippled.
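A firewall that only filters cannot tell a flood from a busy day; the tell-tale sign of a SYN flood is the pile of half-open connections on the receiving host. The following Python code is an added example, not part of this primer or of any product it describes: it replays a constructed packet trace (the addresses, ports and the alert threshold are assumptions) and reports servers whose count of handshakes that were started but never completed reaches the threshold.

```python
"""Half-open connection counting over a constructed TCP packet trace (added example)."""
from collections import defaultdict

HALF_OPEN_THRESHOLD = 5  # assumed alert threshold for this example


def packet(src, sport, dst, dport, *flags):
    """Build a minimal packet record carrying only the fields the tracker needs."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags)}


def track_half_open(packets):
    """Replay the trace and return {server_ip: {(client_ip, client_port), ...}}
    for every connection that was opened with a SYN but never completed."""
    half_open = {}  # (client, cport, server, sport) -> True while the handshake is incomplete
    for p in packets:
        f = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if "SYN" in f and "ACK" not in f:
            half_open[fwd] = True          # client's first SYN: handshake begins
        elif "ACK" in f and "SYN" not in f:
            half_open.pop(fwd, None)       # client's final ACK: handshake complete
        elif "RST" in f:
            half_open.pop(fwd, None)       # either side tore the attempt down
            half_open.pop(rev, None)
        # a SYN-ACK from the server changes nothing: the server is still waiting
    per_server = defaultdict(set)
    for client, cport, server, _sport in half_open:
        per_server[server].add((client, cport))
    return dict(per_server)


def detect_syn_flood(packets, threshold=HALF_OPEN_THRESHOLD):
    """Return {server_ip: half_open_count} for servers at or above the threshold."""
    return {server: len(clients)
            for server, clients in track_half_open(packets).items()
            if len(clients) >= threshold}


# Constructed trace (not a real capture): one legitimate handshake from 10.0.0.5,
# then six SYNs from different sources that never answer the server's SYN-ACK.
SAMPLE_TRACE = [
    packet("10.0.0.5", 40001, "203.0.113.10", 80, "SYN"),
    packet("203.0.113.10", 80, "10.0.0.5", 40001, "SYN", "ACK"),
    packet("10.0.0.5", 40001, "203.0.113.10", 80, "ACK"),
]
for i in range(6):
    SAMPLE_TRACE.append(packet(f"198.51.100.{10 + i}", 5000 + i, "203.0.113.10", 80, "SYN"))
    SAMPLE_TRACE.append(packet("203.0.113.10", 80, f"198.51.100.{10 + i}", 5000 + i, "SYN", "ACK"))

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_TRACE))  # {'203.0.113.10': 6}
```

The completed handshake from 10.0.0.5 drops out of the table as soon as its final ACK arrives, so only the six abandoned attempts count against the server. A production tracker would additionally age entries out after a timeout, since a legitimate client can also disappear mid-handshake.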
Ensuring Security
Security is one of the primary reasons for implementing a firewall. There are four basic building blocks that best ensure security:
■ Authorization — By providing approval of a specific user or action, a
firewall controls the ingress and egress of network traffic.
■ Privacy — By using encryption/decryption algorithms and a Virtual
Private Network (VPN), the firewall can protect confidential
information within a network.
■ Integrity — Through careful inspection of incoming traffic based on
established authorized standards, the firewall can guarantee the
quality of the data.
■ Validation — By validating users through a pre-determined screening
process, a firewall can permit/deny network activity.
Providing Public Services
Acting as a gatekeeper for a private network, a firewall can also control access to public services for users within the network. Public services include WWW access (HTTP traffic), email (SMTP) and external file transfer (FTP). Access to public services can be allowed by creating a firewall policy to open a specific portal to the private network.
However, an open portal in a firewall can also be a security risk. Open
portals can defeat the purpose of the firewall if not managed properly.
This is controlled by imposing filters that screen protocol types and make
decisions based on pre-defined rules. It is important that outside access to
public services be governed properly.
In order to successfully deploy a firewall it is important to understand the intent of the device. Because so much of the firewall’s purpose is directly tied to the types of traffic it is preventing or allowing, it is critical to understand the configuration parameters. This primer serves as a guide to help network administrators make those configuration decisions effectively and successfully. See “Types of Firewall” on page 12.
Firewall Terminology
The following concepts are critical to understanding the deployment of a
Demilitarized Zone (DMZ)
Drawing on a name from the military, a demilitarized zone is an area of
safety that is a buffer-zone between the Internet and the protected LAN
which is more secure than the Internet, but not as secure as the protected
LAN. A DMZ is accessible from both sides of the buffer-zone so that it is protected from, but accessible by, Internet users.
A DMZ is typically configured as a separate Ethernet port on a firewall. In
this capacity, a DMZ provides a buffer zone between the Internet and
publicly accessed servers. The benefit of a DMZ is that it keeps the private
network safe from the Internet through segmentation.
Network Address Translation (NAT)
Network Address Translation (NAT) allows multiple computers to connect
to the Internet using only one Internet Protocol (IP) address. NAT was
developed to aid in the demand for unique IP addresses which were
rapidly disappearing due to the explosive growth of the Internet.
The concept is basically one of establishing a proxy server that holds the
single IP address and administers network services to users behind the
firewall. In this capacity, the NAT server takes requests from local users
and passes them on to the web server. This is accomplished by using IP,
but within the closed environment of the Local Area Network. In short,
NAT provides the following:
■ Easy Internet access for multiple users on one site
■ Increased control of network
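As an added example, not taken from this primer or from any product it describes, the following Python class models the translation table that makes the address sharing described above work: one public address, a distinct public port allocated per outbound connection, and no path inward for a packet that matches no mapping. The public address 198.51.100.1, the LAN hosts and the starting port are assumptions.

```python
"""A simplified port-translating NAT table (added example)."""


class NatTable:
    """Map many LAN hosts onto one public IP by allocating a distinct public port
    per outbound connection. Inbound packets pass only if they match a mapping."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def translate_outbound(self, pkt):
        """Rewrite a LAN-originated packet so it appears to come from the public IP."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        public_port = self.outbound.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": public_port}

    def translate_inbound(self, pkt):
        """Rewrite a reply back to the LAN host, or return None when no mapping
        exists: an unsolicited inbound packet has nowhere to go and is dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        target = self.inbound.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            return None
        lan_ip, lan_port = target
        return {**pkt, "dst": lan_ip, "dport": lan_port}


def demo():
    """Two LAN hosts that happen to use the same source port reach the same web
    server through one public address; a stray inbound packet is rejected."""
    nat = NatTable("198.51.100.1")   # assumed public address held by the firewall
    a = nat.translate_outbound({"src": "10.0.0.5", "sport": 50000, "dst": "203.0.113.10", "dport": 80})
    b = nat.translate_outbound({"src": "10.0.0.6", "sport": 50000, "dst": "203.0.113.10", "dport": 80})
    reply_to_a = nat.translate_inbound({"src": "203.0.113.10", "sport": 80,
                                        "dst": "198.51.100.1", "dport": a["sport"]})
    stray = nat.translate_inbound({"src": "192.0.2.99", "sport": 4444,
                                   "dst": "198.51.100.1", "dport": 40002})
    return a, b, reply_to_a, stray
```

The two LAN hosts collide on source port 50000, which is why the table keys on the whole connection rather than on the host alone. The rejected stray packet is the side effect that gives NAT its reputation for "increased control": nothing reaches a LAN host unless that host opened the conversation.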
Types of Firewall
There are five basic types of firewall:
■ Packet-based Firewalls
■ Application-based Firewalls
■ Stateful Inspection Firewalls
■ Combined Service Firewalls
■ Embedded Firewalls
Packet-based Firewalls
A packet-based firewall uses a series of filters to determine network access. The filters are set according to a go/no-go permission policy. These types of firewalls use packet source and destination information and protocol type to make their decisions. A filter that restricts Telnet traffic from an internal network is an example of a packet filter.
Since most networks with Internet access have a router, this method can be relatively inexpensive, since most routers have some form of packet filtering capability. However, with a go/no-go policy in place, all traffic, both wanted and unwanted, is restricted. As a result, trusted users are often restricted due to the policies in place. These types of firewalls are also difficult to maintain because they require manual intervention, which is costly and time consuming for network administrators.
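An added example, not from the primer or from any product it describes, of the go/no-go filtering just described, in Python: an ordered rule list is evaluated top to bottom on direction, protocol, source, destination and port, the first match decides, and a packet that no rule matches is denied. The 10.0.0.0/8 LAN, the DMZ web server at 192.0.2.10 and the rule set are assumptions. The last case in the usage note shows the drawback the text mentions: trusted users lose anything nobody wrote a rule for.

```python
"""Packet-based (stateless) filtering with ordered go/no-go rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (toward the LAN), "out" (leaving the LAN) or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None for any port

    def matches(self, packet):
        """Stateless match on header fields only; no memory of earlier packets."""
        return (self.direction in ("any", packet["direction"])
                and self.proto in ("any", packet["proto"])
                and (self.dport is None or self.dport == packet.get("dport"))
                and ip_address(packet["src"]) in ip_network(self.src)
                and ip_address(packet["dst"]) in ip_network(self.dst))


def decide(rules, packet):
    """First matching rule wins; a packet no rule matches is denied by default.
    Returns (action, index of the deciding rule or None for the default)."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


# Assumed addressing for this example: the LAN is 10.0.0.0/8 and a public web
# server sits at 192.0.2.10 in the DMZ. Rules are evaluated top to bottom.
LAN, ANY = "10.0.0.0/8", "0.0.0.0/0"
PACKET_FILTER = [
    Rule("deny",  "out", "tcp", LAN, ANY, 23),              # the Telnet restriction from the text
    Rule("allow", "out", "tcp", LAN, ANY, 80),              # web
    Rule("allow", "out", "tcp", LAN, ANY, 25),              # email
    Rule("allow", "in",  "tcp", ANY, "192.0.2.10/32", 80),  # public web server only
]


def pkt(direction, proto, src, dst, dport=None):
    """Constructed packet header for the examples; not captured traffic."""
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}
```

With this rule set, `decide(PACKET_FILTER, pkt("out", "tcp", "10.0.0.5", "203.0.113.10", 23))` is denied by rule 0, web and email leave by rules 1 and 2, inbound web reaches only the DMZ host, and an outbound DNS query over UDP is silently denied by the default because no rule mentions it.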
Application-based Firewalls
Application-based firewalls use proxy servers to determine the user’s access privileges. In this capacity, the proxy performs the service based on the request of the host. A host sends its request to the proxy which acts on its behalf based on a series of pre-configured rules. Acting as a gatekeeper, the proxy server provides firewall functionality by determining whether the request is allowed or not. Application-based firewalls can allow or restrict specific types of files.
These types of firewalls are useful and very thorough because they
examine at the application level. They are also useful in preventing Denial
of Service attacks (DoS).
Conversely, this type of firewall can be costly to maintain because of the
hardware and processing power requirements of the proxy server.
Additional hardware can cause bottlenecks and bandwidth restrictions.
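To show what an application-level proxy can judge that a packet filter cannot, the following Python code is an added example (not from the primer or from any product it describes): it screens HTTP proxy request lines by method, URL form and requested file type, which is the "allow or restrict specific types of files" capability mentioned above. The allowed methods, the blocked extensions and the sample request lines are assumptions constructed for the example.

```python
"""Application-level request screening as an HTTP proxy would do it (added example)."""
import posixpath
from urllib.parse import urlsplit

# Assumed policy for this example.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs"}


def inspect_request(request_line):
    """Return ("allow", hostname) or ("deny", reason) for one proxy request line.
    The proxy sees the full URL, so it can judge the method, host and file type,
    which a packet filter looking only at addresses and ports cannot."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("deny", "malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return ("deny", f"method {method} not permitted")
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        return ("deny", "only absolute http:// URLs are accepted")
    extension = posixpath.splitext(url.path)[1].lower()   # case-insensitive on purpose
    if extension in BLOCKED_EXTENSIONS:
        return ("deny", f"file type {extension} not permitted")
    return ("allow", url.hostname)


# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "GET http://www.example.com/tools/Setup.EXE HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "GET /index.html HTTP/1.0",
]


def screen_all(lines=SAMPLE_REQUESTS):
    """Apply the screen to every request line and return the verdicts in order."""
    return [inspect_request(line) for line in lines]
```

Only the plain page fetch passes; the executable, the tunnelling CONNECT method and the relative URL (which a proxy cannot resolve) are refused with a reason that can be logged. Judging by extension alone is the minimum: a thorough proxy would also look at the response's content type, since a file name proves nothing about what the server sends back.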
Stateful Inspection Firewalls
Within each network there are thousands of conversations that occur simultaneously. Each conversation has a source and a destination address.
Stateful Inspection is a process that intercepts packets at the network layer and inspects them to ensure that the conversations are legitimate and allowed. If a session between a source and a destination is not allowed, the session is ended and disallowed for the future. Stateful Inspection provides security by examining that data and storing it for comparison against future communication transactions.
Stateful Inspection firewalls offer high performance. All packets must be part of an authorized communication session; this provides a high level of trust and security.
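As an added example that is not part of the primer or of any product it describes, the following Python class implements the session table described above: an outbound SYN opens a session when policy permits, inbound packets are admitted only as replies to an existing session, and a session that policy disallows is ended and recorded so that every later packet for it is dropped without re-evaluation. The same mechanism is what the later recommendation relies on when it says to allow only outgoing connections where only outgoing connections are required. The allowed outbound ports, the addresses and the trace are assumptions; graceful FIN close is not modelled.

```python
"""Stateful inspection with a session table (added example)."""

ALLOWED_OUTBOUND_PORTS = {25, 80, 443}   # assumed policy: what LAN hosts may open


def pkt(direction, src, sport, dst, dport, *flags):
    """direction is "out" (LAN to Internet) or "in" (Internet to LAN)."""
    return {"dir": direction, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags)}


class StatefulFirewall:
    def __init__(self, allowed_ports=ALLOWED_OUTBOUND_PORTS):
        self.allowed_ports = allowed_ports
        self.sessions = {}    # (lan_ip, lan_port, remote_ip, remote_port) -> state
        self.blocked = set()  # sessions policy has ended; dropped without re-evaluation

    @staticmethod
    def _key(p):
        """Normalise both directions of a conversation onto one LAN-side key."""
        if p["dir"] == "out":
            return (p["src"], p["sport"], p["dst"], p["dport"])
        return (p["dst"], p["dport"], p["src"], p["sport"])

    def process(self, p):
        key, flags = self._key(p), p["flags"]
        if key in self.blocked:
            return "drop"
        if p["dir"] == "out":
            if "SYN" in flags and "ACK" not in flags:      # LAN host opening a session
                if p["dport"] not in self.allowed_ports:
                    self.blocked.add(key)                  # ended and disallowed for the future
                    return "drop"
                self.sessions[key] = "SYN_SENT"
                return "allow"
            if key not in self.sessions:
                return "drop"                              # no session: nothing to continue
            if "RST" in flags:
                self.sessions.pop(key, None)
            return "allow"
        # inbound: only traffic that answers a LAN-originated session may enter
        state = self.sessions.get(key)
        if state is None:
            return "drop"                                  # unsolicited
        if state == "SYN_SENT" and {"SYN", "ACK"} <= flags:
            self.sessions[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if "RST" in flags:
                self.sessions.pop(key, None)
            return "allow"
        return "drop"                                      # out-of-order handshake


def replay(packets):
    """Run a fresh firewall over a trace and return one verdict per packet."""
    fw = StatefulFirewall()
    return [fw.process(p) for p in packets]


# Constructed trace: a permitted web session, an unsolicited inbound SYN, and a
# Telnet attempt that policy ends and then keeps blocked, replies included.
SAMPLE_TRACE = [
    pkt("out", "10.0.0.5", 40001, "203.0.113.10", 80, "SYN"),
    pkt("in",  "203.0.113.10", 80, "10.0.0.5", 40001, "SYN", "ACK"),
    pkt("out", "10.0.0.5", 40001, "203.0.113.10", 80, "ACK"),
    pkt("in",  "203.0.113.10", 80, "10.0.0.5", 40001, "PSH", "ACK"),
    pkt("in",  "198.51.100.7", 5555, "10.0.0.5", 22, "SYN"),
    pkt("out", "10.0.0.5", 40002, "203.0.113.10", 23, "SYN"),
    pkt("out", "10.0.0.5", 40002, "203.0.113.10", 23, "SYN"),
    pkt("in",  "203.0.113.10", 23, "10.0.0.5", 40002, "SYN", "ACK"),
]
```

`replay(SAMPLE_TRACE)` yields four allows followed by four drops. Compare the inbound SYN to port 22 with the packet filter case: a stateless rule set has to decide it from the header alone, whereas here it is dropped simply because no LAN host asked for it. The blocked set is what "disallowed for the future" means in practice; a real implementation would also expire both tables on a timer.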
Historically, Stateful Inspection has proved costly, as it requires additional
software and hardware.
Combined Service Firewalls
Combined Service Firewalls are hybrid solutions that combine a variety of methods to achieve results. For example, a Combined Service Firewall might offer Stateful Inspection and Application-based functions to the user. These firewall types require additional hardware and software.
Embedded Firewalls
Embedded Firewalls protect against insider attacks. Although the network is protected by the external, traditional firewall, attacks from the inside pose just as serious a threat. Embedded firewalls address this problem using technology that employs Network Interface Cards (NICs) and a policy server. The NIC provides the connection to the user, while the policy server dictates the access privileges to the end host.
This type of firewall provides security for internal access as well as control
through the use of policies and privileges. Access is restricted at the
network level so that the host never sees the packet. This eliminates a
broad range of attacks against host applications and operating systems.
2 INTRODUCING VIRTUAL PRIVATE NETWORKS
One of the primary benefits of a firewall is that it allows communication
across a Virtual Private Network (VPN). This chapter discusses VPNs and
their role in the network and includes the following sections:
■ Introduction to Virtual Private Networks (VPN)
■ VPN Protocols and Concepts
■ VPN/Firewall Applications
Introduction to Virtual Private Networks (VPN)
A Virtual Private Network (VPN) uses the resources and infrastructure of the Internet to establish network connectivity among remote organizational sites while maintaining privacy and confidentiality. Within that context, the VPN is a secure vehicle for corporations and organizations who wish to secure their network without the high cost of private leased lines for connectivity. In addition to the reduced cost, VPNs provide flexibility for smaller remote sites or users who need to access a secure organizational network safely. Firewalls are especially useful for Virtual Private Networks since they act as an entrance that is safe and
The term most commonly associated with a VPN is tunneling. Since the
Internet is open to all, the only method for ensuring the security of
private data is to create a virtual tunnel through which data can be sent
securely. Tunnels are virtual circuits that operate over the Internet yet
allow users to encapsulate their data within secure IP packets. These
encapsulated packets offer safe transmission while protecting the source,
content, or routing paths of the packets.
Because the VPN resides within the context of the public Internet, it is imperative that all of the basic functions required in a private network are equally effective and secure within the VPN. Specifically, the following areas of security are addressed by a VPN:
■ authentication — validates the point of origin of the connection
■ access control — allows/prevents access to an organizational
■ confidentiality — secures data transfer from public viewing
■ data integrity — ensures that data is not tampered with in transit
VPN Protocols and Concepts
This section describes the major protocols used in a VPN. Additionally, there are several concepts that are unique to VPNs and that are
IPSEC and L2TP
In order to guarantee the security of safe packet transmission, it is necessary to use secure tunneling protocols. Two tunneling protocols used for secure data transmission are:
■ IPSec
■ L2TP
IPSec is a Layer 3 protocol standard that provides secure data encryption
across an IP network. IPSec encrypts the data packets and encapsulates
the entire IP packet for secure transfer across an IP network. The
encrypted packets are decrypted at the receiving end and delivered to the
intended user. The IPSec tunnel consists of a server and a client, which are
configured to encrypt and decrypt as required.
The features of IPSec are:
■ It supports IP traffic only.
■ It provides computer level authentication by a set of security policies
governed by a set of filters that determine “go” or “no-go” decisions.
■ It is used primarily in LAN-to-LAN scenarios.
IPSec serves as the basis for running L2TP. In this capacity IPSec secures
the L2TP function. See “L2TP” on page 17.
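To make the tunnel idea concrete, the following Python code is an added example; it is not IPSec itself, nor code from the primer or from any product it describes. It encapsulates a whole inner packet behind outer tunnel addresses, encrypts it, and appends an integrity tag that the receiving end checks before decrypting, which is the order that gives the confidentiality and data integrity properties listed earlier. The cipher is a counter-mode keystream derived with HMAC-SHA256, a standard-library stand-in for the block cipher a real IPSec peer would negotiate; the keys, addresses and inner packet are constructed for the example.

```python
"""Tunnel-mode encapsulation with encryption and an integrity tag (added example)."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

TAG_LEN, NONCE_LEN = 32, 16


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (a stdlib stand-in for the block
    cipher a real IPSec implementation would negotiate; this is not ESP)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encapsulate(enc_key, mac_key, outer_src, outer_dst, inner_packet, nonce=None):
    """Wrap an entire inner packet: outer addresses in clear, payload encrypted,
    everything authenticated. Only the tunnel endpoints are visible on the wire."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    keystream = _keystream(enc_key, nonce, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, keystream))
    outer_header = IPv4Address(outer_src).packed + IPv4Address(outer_dst).packed
    body = outer_header + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # covers header and payload
    return body + tag


def decapsulate(enc_key, mac_key, tunnel_packet):
    """Verify the tag first (data integrity), then decrypt (confidentiality).
    Returns (outer_src, outer_dst, inner_packet), or None if the packet was altered."""
    if len(tunnel_packet) < 8 + NONCE_LEN + TAG_LEN:
        return None
    body, tag = tunnel_packet[:-TAG_LEN], tunnel_packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    outer_src = str(IPv4Address(body[:4]))
    outer_dst = str(IPv4Address(body[4:8]))
    nonce, ciphertext = body[8:8 + NONCE_LEN], body[8 + NONCE_LEN:]
    inner = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return outer_src, outer_dst, inner


# Constructed keys and inner packet for the demonstration only (never reuse fixed keys).
ENC_KEY, MAC_KEY = b"e" * 32, b"m" * 32
INNER = b"10.0.0.5>10.1.0.20 GET /payroll HTTP/1.0"   # private addresses and content


def demo():
    """Encapsulate between two assumed tunnel endpoints, then decapsulate both the
    intact packet and a copy with one ciphertext byte flipped."""
    tunnel = encapsulate(ENC_KEY, MAC_KEY, "198.51.100.1", "203.0.113.1", INNER)
    tampered = tunnel[:30] + bytes([tunnel[30] ^ 0x01]) + tunnel[31:]
    return tunnel, decapsulate(ENC_KEY, MAC_KEY, tunnel), decapsulate(ENC_KEY, MAC_KEY, tampered)
```

On the wire the packet carries only the two endpoint addresses, a nonce, ciphertext and a tag; the inner source, destination and request text are not recoverable without the encryption key, and a single flipped byte makes the receiver discard the packet before it ever decrypts. Checking the tag before decrypting, and with `compare_digest`, is the part worth copying into any real design.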
L2TP is a combination of two protocols: Point To Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). Using these tools, L2TP encapsulates Point To Point Protocol (PPP) packets using User Datagram Protocol (UDP) messages. L2TP uses PPP to establish a dial-up connection through the Internet. In this capacity L2TP provides authentication.
The features of L2TP are:
■ It is secured using IPSec.
■ It provides user level authentication.
■ It is used primarily in dial-up scenarios.
VPN/Firewall Applications
There are two main ways that VPNs interoperate with firewalls. They are as follows:
■ Site-to-site
■ Remote VPN Client
Site-to-site Scenario
A typical application of this scenario is a branch or remote office connecting to a headquarters facility. This is very common in branch banks, retail outlets with a central office, or in the airline industry. In this setting, the remote branch end is connected via a local firewall which establishes the VPN connection to the Internet. On the headquarters end, another firewall completes the VPN by allowing traffic to be decrypted and then delivering it to the local area network. See Figure 2.
The immediate benefit of this application is lower costs. It is no longer necessary to lease expensive private lines, and since privacy is provided by the encryption/decryption mechanism of the VPN, security is guaranteed. This type of scenario fits most remote users' requirements easily and supplies the basic network services such as Web access (HTTP), email (SMTP) and file transfer (FTP) capabilities.
However, despite the obvious tangible benefits, this scenario does not work well with applications that are large or complex. An example of these limitations is seen in video, where a steady stream is required, or in any application that requires real-time traffic capability, such as voice. Another risk is the efficiency of the Internet. Although this is remote, there is still a risk that is out of the control of the user.
Figure 2 Virtual Private Network
Remote VPN Client Scenario
A remote VPN client scenario is typically defined as the “road warrior,” for example, a sales or company representative who travels and requires remote access to the company network. Another application is the work-at-home employee who requires access to the network. In this capacity, the user typically logs in using client software on their PC that establishes a VPN tunnel using an Internet Service Provider (ISP) as the transport. Access to the VPN is password encrypted and protected. See
The most obvious benefits of this are cost and mobility. Location is no longer a limitation when using remote dial-in, since calls can originate locally, thus sparing the cost of long distance service. Security is guaranteed through the VPN tunnel and the cost is minimal since remote users dial in using their local ISP connection. This scenario provides access through any service provider.
The only real limitation of the remote dial-in scenario is latency. Large, complex applications do not work well in this situation because the Internet is shared with many users and there are no real guarantees on how long packets will take to cross it.
3 POLICIES AND RECOMMENDATIONS
This chapter presents information that is critical for understanding and configuring a firewall. Specifically, this chapter includes:
■ Firewall Policies
■ Configuration Recommendations
Firewall Policies
As described earlier, firewalls operate as barriers between the outside world, the Internet, and the inside network, the intranet. By definition a barrier does just that: it blocks. However, to be truly effective a firewall must permit users access, to some degree. This simple concept illustrates the trade-off of a firewall. In order to truly achieve an effective security policy for your intranet, you must be willing to sacrifice some element of
The obvious extremes of this are complete blockage or complete access.
Since neither of those are practical or desirable, a compromise must be
established whereby limits are imposed on incoming and outgoing traffic.
That compromise is established through policies. A policy is a set of rules
that govern the ingress and egress of traffic through the firewall.
The three most common types of policy are discussed here. The first and
the one with the least amount of restriction uses a firewall to prevent
external traffic from accessing the intranet. This type of policy allows
internal users access to Internet services.
A second type of policy builds on the principles of the aforementioned
policy by restricting internal traffic to specific TCP/IP ports. In this
scenario, the firewall could allow HTTP protocol traffic (web-based), but
disallow Telnet traffic. These traffic types use different ports and prevent
internal users from connecting to unknown external services.
The third type of policy points all traffic through a proxy server which
allows only web-based traffic. This provides a significant amount of
control over network services and resources.
Ultimately, careful consideration must be given when implementing a policy. Too much control severely limits traffic, services and operation. However, too little causes the inverse: unlimited access to the intranet.
Firewalls come with default settings which generally impose good
security measures. Altering the default settings should be done with great
care. Setting a policy in place that appears to have logic and control can
actually create major holes in the network.
Configuration Recommendations
Aside from establishing policies there are a number of recommendations that should be considered when configuring a firewall or a firewall-protected network. The following list of recommendations will help you decide how best to deploy a firewall in your network. It is also important to remember that a firewall should be viewed as one of many devices or strategies that are necessary for a safe network.
■ It is best to take the most deterministic approach, that is, to deny all traffic and allow only services and resources that are absolutely needed. This is counter to how firewalls were designed initially. However, with the growth of the Internet and the very real threat of unfriendly use, it is best to assume the worst and block all but that which is necessary.
Email and web-based access are a few of the necessary functions. Telnet and File Transfer Protocol (FTP) might be considered secondary.
■ If traffic is blocked in one direction it must be blocked in the other as well. Conceivably, a simple query out to the Internet can generate a response back to the intranet, opening a potentially harmful hole. Stateful Packet Inspection uses the principle that packets which originate from the protected LAN result in packets being returned to the protected LAN. Do not configure policies that allow incoming connections where only outgoing connections are required.
■ A firewall should operate as economically as possible with little
overhead. Disable or remove any unnecessary applications or services
that can impair the performance and efficiency of the firewall.
■ It is best to keep the firewall configuration simple and easy to
maintain. More often than not, the default settings are sufficient.
■ Ensure that physical access to the firewall is secure. An unfriendly user
can otherwise gain access to the firewall and alter the security
■ Limit the number of proxy servers and policy rules. The more complex the configuration, the more likely a conflict can occur. When conflicts occur between policies, the likelihood of a hole in the network increases. Conceivably, a well-thought-out policy can be overwritten by another and completely undermine the intent of either policy.
For example, if a policy is written that allows incoming web traffic, this also opens a direct door from the Internet.
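Conflicts of the kind described in the last recommendation can be found before a policy goes live by checking each rule against the rules above it. The following Python code is an added example, not from the primer or from any product it describes: it reports any rule that an earlier rule completely covers (a conflict when the actions differ, merely redundant when they agree) and flags a policy that does not end in an explicit deny-all, which is the "deny all, allow only what is needed" recommendation from the top of the list. The rule format, the sample policies, the LAN prefix and the DMZ address are assumptions; the sample policy contains exactly the mistake in the text, an incoming-web rule written broadly enough to reach every internal host.

```python
"""Static check of an ordered firewall policy for covered rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # None for any port


def _field_covers(a, b):
    """A field value of "any" covers every value; otherwise it must be equal."""
    return a == "any" or a == b


def covers(earlier, later):
    """True if every packet the later rule would match is already matched by the
    earlier rule, so the later rule can never fire under first-match evaluation."""
    return (_field_covers(earlier.direction, later.direction)
            and _field_covers(earlier.proto, later.proto)
            and (earlier.dport is None or earlier.dport == later.dport)
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))


def is_default_deny(rule):
    """An unconditional deny: any direction, protocol, address and port."""
    return (rule.action == "deny" and rule.direction == "any" and rule.proto == "any"
            and rule.dport is None
            and ip_network(rule.src).prefixlen == 0 and ip_network(rule.dst).prefixlen == 0)


def find_conflicts(rules):
    """Return (rule, covering_rule, kind) for every unreachable rule, plus a final
    finding if the policy does not end in an explicit deny-all."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break  # the first covering rule is enough to explain it
    if not rules or not is_default_deny(rules[-1]):
        findings.append(("<end>", "", "missing-default-deny"))
    return findings


ANY, LAN, DMZ_WEB = "0.0.0.0/0", "10.0.0.0/8", "192.0.2.10/32"   # assumed addressing

# The mistake from the text: incoming web traffic is allowed to every address,
# so the deny meant to keep it off the LAN sits below a rule that already won.
SAMPLE_POLICY = [
    Rule("allow-web-in", "allow", "in", "tcp", ANY, ANY, 80),
    Rule("deny-web-to-lan", "deny", "in", "tcp", ANY, LAN, 80),
    Rule("allow-web-out", "allow", "out", "tcp", LAN, ANY, 80),
    Rule("allow-web-out-dup", "allow", "out", "tcp", "10.0.1.0/24", ANY, 80),
    Rule("deny-all", "deny", "any", "any", ANY, ANY, None),
]

# The corrected ordering: deny first, then allow only the DMZ web server.
FIXED_POLICY = [
    Rule("deny-web-to-lan", "deny", "in", "tcp", ANY, LAN, 80),
    Rule("allow-web-in", "allow", "in", "tcp", ANY, DMZ_WEB, 80),
    Rule("allow-web-out", "allow", "out", "tcp", LAN, ANY, 80),
    Rule("deny-all", "deny", "any", "any", ANY, ANY, None),
]
```

`find_conflicts(SAMPLE_POLICY)` names `deny-web-to-lan` as a conflict caused by `allow-web-in` and `allow-web-out-dup` as redundant; the fixed policy produces no findings. The check is deliberately conservative: it only reports a rule that is covered entirely by one earlier rule, so partial overlaps that together swallow a later rule still need a human reading, which is another argument for keeping the rule count small.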