Flagusa.gif (12791 bytes) Greenriv-lrg.jpg (2844 bytes)

Home of Defense In Depth (DID) Security and Disaster Recovery

Logo1.gif (2863 bytes)

Firewalls Demystified

Back      Email GreenRiver

A firewall is basically something that protects the network from the Internet. A firewall is best described as a software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network.

firewall.diagram2.gif (12831 bytes)

A firewall is a system or a group of systems which guard a trusted network (The Internal Private Network from the untrusted network (the Internet.) To understand how a firewall works, firstly we need to understand how exactly data is transferred on the Internet.

NOTE: The following is a very weird, short and incomplete description of the TCP\IP protocol, I have just given a general idea of the whole data transmission process so that everyone can understand firewalls.

The TCP\IP suite is responsible for successful transfer of data across a network both the Internet and the Intranet. The TCP\IP suite is a collection of protocols which are inter-related and interdependent and act as a set of rules according to which data is transferred across the network. A protocol can be defined as a language or a standard which is followed while transfer of data takes place. Lets go through a brief explanation of how data is transferred across a network following the various components of the TCP\IP suite.

The whole process of data transmission begins when a user starts up an Internet application like the email client or a FTP client. The user types an email in his client and in this way provides data to be transferred. The email client is said to be a part of the application layer of the TCP\IP stack. Now this application layer (email client) provides data (the email itself) which has to be transferred to the Transmission control protocol or TCP which constitutes the Transfer Layer of TCP\IP. TCP breaks down the data i.e. the email into smaller chunks called packets and hands over the responsibility to the Internet Protocol or IP which forms the invisible network layer. This Internet Protocol adds some various info to each packet to ensure that the packet knows for which computer it is meant for and which port or application it is going to meet and from where it has come.

An IP datagram contains:

  1. A header which contains the Source and Destination IP, Time to live info and also the protocol used. There is also a header checksum present.
  2. Remaining part contains the data to be transferred.

TCP breaks data into smaller packets and IP adds the source and destination IP's to the packets. When the data reaches the other server IP hands the packets to TCP again which re assembles the packets. Port numbers are also used to ensure that the packets know to which application it need to go to. So, basically we can conclude that a successful transmission of data across a network relies on the source and destination IP and also the ports.

A firewall to relies on the source and destination IP and also the ports to control the packet transfer between the untrusted network and the trusted network.

Firewalls can be classified into 3 types:

1. Packet Filter Firewalls

2. Application proxy Firewalls

3. Packet Inspection Firewalls

Packet Filter Firewalls

They are the earliest and the most criticized firewalls, which nowadays are not easily found. They are usually Hardware based i.e. Router Based (a router is a piece of device which connects two networks together.) Whenever a Packet Filter Firewall receives a packet for permission to pass through, it compares the header information i.e. the source and destination IP address, and port number with a table of predefined access control rules If the header information matches, then the packet is allowed to pass else the packet is dropped or terminated. They are not popular due to the fact that they allow direct contact between the untrusted system and the trusted private system.

Such Firewalls can be fooled by using techniques like IP Spoofing in which we can change the source IP such that the firewall thinks that the packet has come from a trusted system which is among the list of systems which have access through the firewall.

Application proxy Firewalls

It was widely believed that the earlier type of firewalls were not secure enough as they allowed the untrusted systems to have a direct connection with the trusted systems. This problem was solved with the use of Proxy servers as firewalls. A proxy server which is used as a firewall are called application proxy servers.

This kind of a proxy firewall examines what application or service (running on ports) a packet is meant for and if that particular service is available only then is the packet allowed to pass through and if the service is unavailable then the packet is discarded or dropped by the firewall. Once this is done, the firewall extracts the data and delivers it to the appropriate service. There is not direct connection between the untrusted systems with the trusted systems as the original data sent by the untrusted system is dropped by the firewall and it personally delivers the data.

Packet Inspection Firewalls

It can be also known as an extension of the Packet Filter Firewall. It not only verifies the source and destination IP's and ports, it also takes into consideration or verifies that content of the data before passing it through. There are two ways in which this kind of a firewall verifies the data to be passed:

State and Session.

In case of state inspection, an incoming packet is allowed to pass through only if there is a matching outward-bound request for this packet. This means that the incoming packet is allowed to pass through only if the trusted server had requested for it or had sent an invitation for it. In case of session filtering, the data of the incoming is not verified, but instead the network activity is traced and once a trusted system ends the session, no further packets from that system pertaining to that session are allowed to pass through. This protects against IP spoofing to a certain extend.

Such firewalls can also be configured beforehand to act according to pre defined rules when it is attacked. It can also be configured to disconnect from the Internet in case of an attack.

All along you will come across many Firewalls on various systems, basically a firewall can be established or setup in two ways:

1. Dual-homed gateway

2. Demilitarized zone (DMZ)

In a dual homed gateway firewall, there is a single firewall with 2 connections, one for the trusted network and the other for the untrusted network.

In the case of a Demilitarized Firewall or a DMZ there are two firewalls, each with two connections, but there is a slight difference in the case of a DMZ setup.

In the case of a DMZ setup, there are two firewalls, the first having two connections, one leading to the untrusted network and the other leading to the host systems like the email server or the FTP server etc.

These host systems can be accessed from the untrusted network. These host systems are connected with the internal private trusted systems through another firewall. Thus there is no direct contact between the untrusted network and the trusted internal network. The area or region between the two firewalls is termed as the demilitarized zone.

In the case of a Dual Homed Gateway the untrusted network is connected to the host systems (email and FTP servers etc) through a firewall and these host systems are connected to the internal private network. There is no second firewall between the host systems and the internal private trusted network.

The basic structure of the DMZ setup declares it to be a more secure system as even if an attacker gets through the first firewall, he just reaches the host systems, while the internal network is protected by another firewall.

Do Firewalls provide enough Security for my Network?

The answer is a simple no. There is no such thing that a firewall is enough to fulfill or satisfy all your security concerns. Yes it does protect the trusted systems from the untrusted ones, but they are definitely not enough for all your security needs. We need to protect our systems to secure the company data. The most common methods used to break into networks are brute force password cracking and social engineering. A firewall in no way can prevent such occurrences.

Although providing safety to the network to a large extend, a firewall is still not able to protect the company data from Viruses and Trojans, although some firewalls do provide for scanning everything being downloaded, the rate at which new HTML, Java and other viruses are propping up, it is becoming very difficult for firewalls to detect all viruses. Anyway firewalls provide no physical protection to the networks. It also provides no protection from fire, tornadoes etc. Yet another shortcoming is the fact that if the attacker is able to break into a trusted system which is provided access by the firewall, then he can easily gain access to the data at your network, as the firewall will think that he is actually the trusted party.

Ankit Fadia