What is a Firewall?
A firewall is a gateway that restricts and controls the flow of traffic between networks, typically between an internal corporate network and the Internet. Firewalls may also provide secure gateway services between internal networks. For example, a military installation may have two networks, one for non-classified general communications and another that is connected to strategic defense systems. A very secure firewall must be in place to ensure that only authorized users reach the defense network. In some cases, no connection at all (an air gap) may be the most secure policy.
Castles and castle defenses are often used as an analogy in describing firewalls. A castle is designed to protect the people on the inside from the storming hordes on the outside. There is a perimeter defense system that keeps attackers as far away as possible (outer walls, moats, and so on). The castle gate is the "choke point" through which people and supplies must pass to enter or exit the castle. It is the most heavily defended part of the castle.
A firewall is a "choke point" for internal networks that actively inspects and controls the flow of traffic between networks. In the case of a proxy firewall, traffic never flows directly between the networks. Instead, the proxy terminates each connection and "repackages" requests and responses. No internal host is directly accessible from the external network, and no external host is directly accessible by an internal host. Think about the people in the castle. During times of tension, they may prefer to stay inside the castle and use proxy agents to take care of their business on the outside.
Part of the design of a secure Internet-connected network is to create what is called a "demilitarized zone" or DMZ, which is a network that exists between the protected and the unprotected network. The DMZ is protected by a perimeter defense system, much like the outer walls and moats of a castle. Picture the market yard of a castle. In medieval times, local townspeople and traders were usually allowed to enter the yard with relative ease so they could deliver or pick up goods. At night, the gates were closed and goods were brought into the castle, usually after close inspection. Guards were posted at the gates during the day to scrutinize all the people coming into the market yard. If known hooligans tried to enter, they were immediately pointed in the other direction and given the boot.
The DMZ between the protected and unprotected network follows this analogy. Internet users can freely enter the DMZ to access public Web servers, but screening routers exist at the access point to filter out unwanted traffic, such as floods of packets from attackers who are trying to disrupt operations. At the same time, the internal private network is protected by highly secure firewalls that permit no connections to be opened from the outside. Within the castle walls was the keep, a heavily fortified structure that provided the last defense against attackers; the inner firewall, and the hardening of the internal hosts themselves, play that role for the private network.
Interestingly, the castle proved quite capable of withstanding attacks until the cannon came along. In the late 16th and mid-17th centuries, Essex and then Cromwell overran many castles in Ireland with little force. They simply blew the parapets off the top of castle walls to make them indefensible, and then scaled the walls. What similar weapons will our network defenses face? Firewalls have become quite sophisticated over the years, but they are not an all-in-one security solution. Firewalls are just one tool in the arsenal available to security administrators.
Note the following:
A firewall may consist of several pieces of equipment, including a router, a gateway server, and an authentication server.
Firewalls monitor incoming and outgoing traffic and filter, redirect, repackage, and/or discard packets. Packets may be filtered based on their source and destination IP address, source and destination TCP or UDP port numbers, the flag bits set in the TCP header (for example, SYN without ACK marks an attempt to open a new connection), and so on.
In the case of a proxy firewall, the firewall is the endpoint of the incoming and outgoing connection. It can perform extensive security and validation checks on the requests it processes before issuing a fresh request of its own. The proxy is expected to run hardened, trusted implementations of the protocols it handles, so internal hosts never parse hostile traffic directly; the flip side is that the proxy's own protocol parsers become the critical attack surface and must be kept patched.
Firewalls can enforce an organization's security policies by filtering the outgoing traffic of internal users to ensure that it complies with usage policies.
Sophisticated logging, auditing, and intrusion detection tools are now part of most commercial firewalls.
RFC 2979, "Behavior of and Requirements for Internet Firewalls" (October 2000), describes other firewall characteristics.
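The DMZ policy described above and the filtering criteria in the list (addresses, ports, TCP flag bits, egress control) can be expressed as an ordered rule table. The following is an added example, not code from the original article: a small stateless packet filter in Python with first-match-wins rules and a default deny. The address ranges (10.0.0.0/8 for the internal network, 192.0.2.0/24 for the DMZ, a web server at 192.0.2.10 and a mail relay at 192.0.2.25) and the sample packets are constructed for illustration.

```python
"""Stateless packet filter with a DMZ policy (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP flags byte; 0 for non-TCP packets


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    src: Optional[str] = None      # CIDR; None matches any source
    dst: Optional[str] = None      # CIDR; None matches any destination
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    flags_set: int = 0             # all of these TCP bits must be set
    flags_clear: int = 0           # none of these TCP bits may be set
    note: str = ""


# Assumed addressing (not from the article): internal 10/8, DMZ 192.0.2/24,
# everything else is "the Internet". Order matters: first match wins.
DMZ_POLICY = [
    # The market yard: anyone may open connections to the public web server.
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=80, note="public web"),
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=443, note="public web"),
    # The keep: no new connections (SYN without ACK) into the internal network.
    Rule("drop", dst="10.0.0.0/8", proto="tcp", flags_set=SYN, flags_clear=ACK,
         note="no inbound connection attempts to internal hosts"),
    # Replies to connections opened from inside carry ACK; a stateless filter
    # can only approximate "established" by looking at that bit.
    Rule("accept", dst="10.0.0.0/8", proto="tcp", flags_set=ACK, note="return traffic"),
    # Egress policy: only the relay in the DMZ may speak SMTP to the outside.
    Rule("accept", src="192.0.2.25/32", proto="tcp", dport=25, note="mail relay"),
    Rule("drop", src="10.0.0.0/8", proto="tcp", dport=25, note="internal hosts must use the relay"),
    # Internal users may otherwise initiate outbound TCP (web browsing etc.).
    Rule("accept", src="10.0.0.0/8", proto="tcp", note="outbound from internal"),
    # Anything not listed falls through to the default deny in filter_packet().
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every selector on the rule applies to the packet."""
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if pkt.proto == "tcp":
        if pkt.flags & rule.flags_set != rule.flags_set:
            return False
        if pkt.flags & rule.flags_clear:
            return False
    elif rule.flags_set or rule.flags_clear:
        return False  # flag selectors only make sense for TCP
    return True


def filter_packet(policy, pkt: Packet):
    """First matching rule decides; unmatched packets are dropped (default deny)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "drop", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, SYN),
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22, SYN),
        Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 50000, ACK),   # ACK scan slips through
        Packet("10.0.0.5", "203.0.113.9", "tcp", 50000, 25, SYN),
        Packet("198.51.100.7", "192.0.2.10", "udp", 5000, 53),
    ]
    for p in samples:
        print(p, "->", filter_packet(DMZ_POLICY, p))
```

The third sample packet illustrates the limit of a stateless filter: an attacker can send ACK-only probes to internal hosts and they pass the "return traffic" rule, which is exactly why stateful inspection (tracking which connections were actually opened from inside) replaced pure packet filtering at the inner firewall.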
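The proxy firewall described earlier (terminating the connection and "repackaging" requests, with validation before anything is forwarded) can be shown concretely. The following is an added example, not code from the original article: an application-level proxy core in Python that parses an inbound HTTP/1.x request strictly, rejects anything ambiguous, and builds a fresh outbound request containing only whitelisted headers, so no bytes from the client are passed through verbatim. The permitted methods, the allowed destination host (www.example.com), the header whitelist and the sample requests are all assumptions made for the example.

```python
"""HTTP proxy firewall core: terminate, validate, repackage (constructed example)."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}      # assumed: the only site users may reach through the proxy
MAX_HEAD_BYTES = 8192
_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")   # RFC 7230 token for methods and header names


class ProxyReject(Exception):
    """Raised when the proxy refuses to forward a request."""


def parse_request(raw: bytes):
    """Split a raw request into (method, target, version, headers, body).

    Anything the parser would have to guess about is rejected: a proxy that
    guesses differently from the server behind it invites request smuggling.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("request head not terminated by a blank line")
    if len(head) > MAX_HEAD_BYTES:
        raise ProxyReject("request head too large")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ProxyReject("malformed request line")
    try:
        method, target, version = (p.decode("ascii") for p in parts)
    except UnicodeDecodeError:
        raise ProxyReject("non-ASCII request line") from None
    if not _TOKEN.match(method) or version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ProxyReject("bad method or version")
    if not target.startswith("/") or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        raise ProxyReject("request target must be an absolute path without control characters")
    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("latin-1")):
            raise ProxyReject("malformed header line")
        # Bare CR/LF or other control bytes inside a value are a header-injection attempt.
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in value):
            raise ProxyReject("control character in header value")
        headers.setdefault(name.decode("latin-1").lower(), []).append(value.strip().decode("latin-1"))
    return method, target, version, headers, body


def repackage(raw: bytes) -> bytes:
    """Validate a client request and return the fresh request the proxy sends upstream."""
    method, target, _version, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method {method} not permitted")
    if len(headers.get("host", [])) != 1:
        raise ProxyReject("exactly one Host header required")
    host = headers["host"][0]
    if host not in ALLOWED_HOSTS:
        raise ProxyReject(f"host {host} not permitted")
    if "transfer-encoding" in headers:
        raise ProxyReject("chunked requests are not forwarded")  # avoids CL/TE ambiguity
    lengths = headers.get("content-length", [])
    if len(lengths) > 1 or (lengths and not lengths[0].isdigit()):
        raise ProxyReject("ambiguous Content-Length")
    if (int(lengths[0]) if lengths else 0) != len(body):
        raise ProxyReject("body length does not match Content-Length")
    # Build the outbound request from scratch: only whitelisted headers survive,
    # hop-by-hop and proxy credentials are dropped, Content-Length is recomputed.
    out = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    for name in ("User-Agent", "Accept", "Content-Type"):
        values = headers.get(name.lower(), [])
        if len(values) == 1:
            out.append(f"{name}: {values[0]}")
    if body or method == "POST":
        out.append(f"Content-Length: {len(body)}")
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body


def is_rejected(raw: bytes) -> bool:
    """Helper for checks: True if the proxy refuses to forward the request."""
    try:
        repackage(raw)
    except ProxyReject:
        return True
    return False
```

Note what the client never gets to do here: choose the HTTP version, keep the upstream connection alive, send hop-by-hop or proxy headers onward, or supply a Content-Length the proxy has not verified against the bytes it actually read.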
Hackers and attackers just keep getting smarter, more aggressive, and more numerous. In 2000, China announced that it could not keep up with the United States militarily, and threatened to wage an information war on the United States. Computer systems at U.S. military installations are under constant attack by both sophisticated and unsophisticated attackers. How many undetected intruders are in those systems?
For example, an attacker may set up an attack well in advance by using e-mail-borne malware to plant so-called "zombie" programs on hundreds or thousands of computers owned by innocent Internet users, many within your own network. The programs are set to wake up at specific times and begin launching attacks against other systems, a distributed denial-of-service (DDoS) attack. The real attacker is hard to identify because the traffic arrives from innocent users all over the Internet. The entire Internet can become a weapon aimed at your private network.
Because of these threats, firewalls are now needed on nearly every Internet-connected computer, especially those that are connected to "always-on" services, such as DSL and cable (CATV) connections. A typical home setup is to network the parents' and the kids' computers together and share a single DSL or cable connection to the Internet. Since the connection is always on, it has a stable, publicly reachable IP address that is posted like a flag on the Internet. Attackers will eventually find the IP address and keep coming back to examine and disrupt the systems behind it. Firewalls for this market are designed to protect these systems while minimizing complex setup procedures.
Credits go to Manu, G.S.O