Understanding the fundamental concepts of a firewall is critical to building a secure firewall architecture. In part one of this two-part series on firewalls and firewall architecture, you will learn what firewalls are, how they work, and the types of devices that are available to you.
Basic concepts of a
To understand what a firewall is, imagine it in biological terms as the organ of the human body known as skin. Skin does not actually kill hostile foreign bodies; it simply keeps them out. In a human, for example, the loss of more than 50% of the skin will result in death, simply because the immune system cannot repel invaders across such a large exposed surface. The same can be said of firewalls, which, unlike an IDS (Intrusion Detection System), cannot actually detect hostile invaders but simply limit their access to your sensitive internal servers. Properly designed and deployed, a firewall operates as a shield around your network just as skin does on a human.
A firewall functions by acting on traffic based on its policy. A policy is comprised of a set of rules, and a rule is an action taken on traffic that fits certain criteria. A single rule is comprised of four basic elements: source, destination, service, and action. Source, destination, and service are the criteria that determine whether the action is taken or not. If the traffic matches all three criteria, the action is taken; otherwise the firewall skips to the next rule. Rules are therefore evaluated in order, and the first rule that matches decides what happens to the packet. Additionally, each of the three criteria can typically be stored as an object on the firewall so that those objects can be reused and managed more easily.
For example, the HTTP service object is comprised of TCP port 80, while the L2TP VPN service requires both UDP port 500 (IKE) and UDP port 1701 (L2TP); when L2TP runs over IPsec, the firewall must also pass ESP (IP protocol 50). In the case of HTTP traffic, the action is almost always set to "permit" when the source is internal and the destination is external, which in layman's terms simply means that anyone inside the company can surf the external World Wide Web. The last rule in any secure firewall policy, on the other hand, should be any source to any destination on any service with the action set to "drop", so that anything not explicitly permitted by an earlier rule is denied.
Types of firewalls:
Packet filtering (also known as Access Control Lists, or ACLs), commonly found on routers and even on operating systems like Windows NT and 2000 Server, can be thought of as the crudest form of firewall. Although packet filtering meets the definition of a simple firewall, its application is highly limited and it is generally too crude to be deployed as a firewall of any sort.
The next evolution of firewall technology is stateful packet inspection, which goes beyond interpreting rules on the initial traffic and tracks what each rule implies for the returning traffic throughout the entire TCP/IP session. HTTP web traffic, for example, is not as straightforward as it may seem. Everyone knows about port 80 and how a client connects to a web server on TCP port 80, but rarely do people think about the response traffic from the web server. In reality, although a client connects to a web server on TCP port 80, the web server talks back to the client's source port, which is usually some dynamic TCP port above 1024. This leaves us to wonder: if only port 80 is open on the firewall and all other inbound traffic is disallowed by default, how is the web page you requested going to come through the firewall on some high TCP port like 4538? This is where a packet filtering "firewall" falls flat on its face. (Some stateless filters approximate return-traffic handling by matching the TCP ACK or RST bits, the "established" keyword in Cisco ACLs, but those bits are set by the sender, so anyone can craft a packet that passes such a rule.) A stateful packet inspection firewall knows that because the internal client went out on port 80 and is expecting return traffic on port 4538 from a certain server, it can allow the incoming traffic on that specific port from that specific server to the original requester.
This is exactly why I don't recommend the use of packet filtering on Windows servers. It has some usefulness in routers if you are simply trying to limit access from certain sources to certain destinations, but do not attempt to use it to limit the service, because it doesn't track sessions, nor can it be scaled to more than a handful of routers.
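The following is an added example, not code from the original article or from any vendor named in it. It serves both the rule-element discussion above (source, destination, service objects, first-match evaluation, any/any/any cleanup rule) and the stateless-versus-stateful comparison: the same HTTP request is run through a plain first-match packet filter, which drops the server's reply because nothing permits external hosts to reach a high port, and then through a connection-tracking wrapper that remembers the outbound flow and admits its mirror image. Addresses, ports, rule names and the service object definitions are made up for the example.

```python
"""Added example (not from the original article): a toy first-match
firewall policy with service objects and a default-drop cleanup rule,
plus a connection-tracking layer that admits reply traffic the way a
stateful packet inspection firewall does. All addresses, ports and
rule names below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"


# Service objects: a service is a set of (protocol, destination port) pairs.
# "any" matches everything. (For L2TP over IPsec a real policy would also
# need ESP, IP protocol 50, which this port-only toy cannot express.)
SERVICES = {
    "HTTP": {("tcp", 80)},
    "L2TP": {("udp", 500), ("udp", 1701)},
    "any": None,
}


@dataclass
class Rule:
    name: str
    src: str            # CIDR block or "any"
    dst: str            # CIDR block or "any"
    service: str        # key into SERVICES
    action: str         # "permit" or "drop"


def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def _service_matches(service: str, pkt: Packet) -> bool:
    ports = SERVICES[service]
    return ports is None or (pkt.proto, pkt.dport) in ports


def evaluate(policy, pkt: Packet):
    """Stateless first-match evaluation. Returns (action, rule_name)."""
    for rule in policy:
        if (_net_matches(rule.src, pkt.src)
                and _net_matches(rule.dst, pkt.dst)
                and _service_matches(rule.service, pkt)):
            return rule.action, rule.name
    # Only reached if the policy lacks an explicit cleanup rule.
    return "drop", "implicit-drop"


class StatefulFirewall:
    """Wraps the stateless policy with a session table of permitted flows."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()       # (proto, src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        # Is this packet the mirror image of a flow we already permitted?
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"
        action, _ = evaluate(self.policy, pkt)
        if action == "permit":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Constructed policy: inside may browse the web; everything else is dropped.
POLICY = [
    Rule("web-out", "10.0.0.0/8", "any", "HTTP", "permit"),
    Rule("cleanup", "any", "any", "any", "drop"),
]


def demo():
    """Returns ([stateless verdicts], [stateful verdicts]) for a web request,
    its reply, and an unsolicited packet to a different high port."""
    fw = StatefulFirewall(POLICY)
    request = Packet("10.1.2.3", 4538, "203.0.113.10", 80, "tcp")
    reply = Packet("203.0.113.10", 80, "10.1.2.3", 4538, "tcp")
    unsolicited = Packet("203.0.113.10", 80, "10.1.2.3", 4539, "tcp")
    stateless = [evaluate(POLICY, p)[0] for p in (request, reply)]
    stateful = [fw.filter(p) for p in (request, reply, unsolicited)]
    return stateless, stateful


if __name__ == "__main__":
    print(demo())
```

The stateless pass permits the request and drops the reply, exactly the failure described above; the stateful pass permits the reply because the session table holds the outbound 5-tuple, and still drops the unsolicited packet to port 4539 because no matching flow exists. A real stateful engine also follows TCP flags and times out idle entries, which this toy omits.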
Today, stateful packet inspection is the most popular form of firewall, but the rise of broadband in homes and small businesses has given rise to the use of NAT (Network Address Translation) devices. Although a NAT is technically not a firewall, the very nature of how it works makes it very similar to stateful packet inspection in the sense that it tracks source ports, destination ports, and sessions. Just like stateful packet inspection firewalls, NAT has the same capability of blocking all inbound traffic yet allowing inbound traffic that was initiated by an internal host with an outbound request: an inbound packet that does not match an existing translation entry has no internal host to be delivered to, so it is dropped. Although not a substitute for a real stateful firewall in the enterprise, NAT is an excellent choice for home broadband users because it provides basic protection and allows many hosts to share a single public IP address. Today, all "residential gateways" for home broadband use NAT.
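The following is an added example, not code from the original article or from any residential gateway product. It models the translation table a port-address-translating NAT gateway keeps: each outbound flow from an inside host is rewritten to the gateway's single public address and a fresh public port, replies are matched against that table and rewritten back, and an inbound packet with no entry is returned as None (dropped), which is the "basic protection" the paragraph above describes. The public address, inside hosts and port range are made up for the example.

```python
"""Added example (not from the original article): a toy port address
translation (PAT) table of the kind a broadband NAT gateway keeps.
Outbound flows receive a public port; inbound packets are admitted only
when they match an existing mapping. All addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside src, sport, dst, dport) -> public port
        self.outbound = {}
        # (proto, public port, remote host, remote port) -> (inside src, sport)
        self.inbound = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet to the public address/port,
        creating a mapping on the first packet of the flow."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet back to the inside host, or
        return None when no mapping exists (unsolicited traffic is dropped)."""
        if pkt.dst != self.public_ip:
            return None
        mapping = self.inbound.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            return None
        inside_src, inside_sport = mapping
        return Packet(pkt.src, pkt.sport, inside_src, inside_sport, pkt.proto)


def demo():
    """Two inside hosts that happen to use the same source port share one
    public address; a reply is delivered, an unsolicited packet is not."""
    gw = NatGateway("198.51.100.1")
    out = gw.translate_out(Packet("192.168.1.10", 4538, "203.0.113.10", 80, "tcp"))
    reply = gw.translate_in(Packet("203.0.113.10", 80, "198.51.100.1", out.sport, "tcp"))
    unsolicited = gw.translate_in(Packet("203.0.113.10", 80, "198.51.100.1", out.sport + 1, "tcp"))
    second = gw.translate_out(Packet("192.168.1.11", 4538, "203.0.113.10", 80, "tcp"))
    return out.sport, (reply.dst, reply.dport), unsolicited, second.sport


if __name__ == "__main__":
    print(demo())
```

Note that this table keys inbound packets on the remote host and port as well as the public port, so only the server the inside host actually contacted can reach it. Some real gateways keep looser ("full-cone") mappings that accept any sender on a mapped public port, which gives correspondingly less protection than shown here.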
Firewalls come in many shapes and forms. Although technically everything is ultimately software, it is generally accepted to call anything that runs on a specially designed OS stored on flash media "hardware based", and anything that runs on a general purpose OS stored on a hard drive "software based". The dominant firewall platforms in the enterprise are Checkpoint Firewall-1 and Cisco PIX. NetScreen comes in a distant third but is rapidly gaining market share with its gigabit ASIC solutions, while many other vendors provide their own software and hardware firewalls. In a more recent development, all of the major enterprise players now support trunking; Cisco announced in February 2003 that it is adding support for trunking and VLANs. This means that on a single gigabit Ethernet interface, one can have as many virtual interfaces as one wishes. Additionally, these enterprise solutions support stateful failover, which means you don't lose even a single session if the primary firewall fails.
Checkpoint Software, an Israel-based firm, is one of the earlier players in the game. It specializes in its Firewall-1 software, which runs on Windows, Linux, and Unix platforms. A significant percentage of Firewall-1 deployments run on Nokia-Checkpoint "appliances". Nokia is Checkpoint's primary hardware partner and provides what is basically a dual Pentium 3 system with some special hot-pluggable 10/100 or Gigabit Ethernet cards running a "hardened" version of FreeBSD UNIX. The Checkpoint Firewall-1 software runs on top of this specialized UNIX PC. Checkpoint Firewall-1 handles its own system logging, and Checkpoint also sells a more comprehensive set of tools to analyze those logs. Checkpoint does not dump to a syslog server, but you can export the logs to a delimited text file, although this export process is excruciatingly slow. On the administration side, system maintenance and installation require significant training, and you probably need certified Nokia/Checkpoint engineers for those tasks. However, routine administration can probably be performed by mid-level administrators with Checkpoint's GUI. As for the effects on your wallet, understand that you pay twice for the primary and backup Nokia hardware "appliances", and you have to pay a third and a fourth time for the primary/secondary Checkpoint software if you want firewall redundancy. Then, to keep your hardware current, you must also pay annually for four maintenance contracts, two on hardware and two on software. Bottom line, the Nokia/Checkpoint platform is highly priced and highly respected within the enterprise.
Cisco PIX falls into the hardware category. It runs a specialized OS containing Cisco's PIX firewall software. Although the system runs on a 1 GHz Pentium 3, the entire OS and firewall software fits into 16 megabytes of non-volatile flash memory. Cisco also requires a fully certified PIX engineer for software upgrades and troubleshooting, but has added a graphical interface so that a mid-level administrator can do routine administration. Logging is handled by dumping log information to a syslog server (purchased separately but inexpensive), which in turn can write to a SQL database of some sort over an ODBC connection. Once the logs are in the database, it is relatively simple to create reports with standard reporting tools like Microsoft Access or Crystal Reports. One of the most appealing things about PIX is that it has per-interface policies. This means that one huge policy with 100 rules isn't applied to every interface on the firewall; only the subset that belongs to each interface is applied there. Not only does this make it very fast, but it is very flexible in that you can set a unique policy for each interface. On Checkpoint and most other firewalls, one massive policy is applied to each and every interface, which is slow and inflexible. As for its cost, PIX is reasonably priced to buy and maintain. Although you pay around the same as for a comparable Nokia, the second PIX you buy for failover is only 1/3 the price! Even better, there is no additional software to buy or maintain, because the PIX hardware is bundled with the PIX software. Bottom line, the PIX platform is reasonably priced and provides high performance for the enterprise network.
NetScreen is a relative newcomer. It offers a new breed of firewalls that use high-performance gigabit ASIC (Application Specific Integrated Circuit) engines and has recently gained quite a bit of market share. The company provides a good solution with relatively simple administration and powerful hardware. Features like the use of standard CompactFlash cards are a welcome addition to the hardware firewall market. Other players like SonicWall also have a role in the small business segment, while large software companies like Symantec and Network Associates make software firewalls that protect the network and the desktop.
Recently, a new category of firewalls called "personal firewalls" has arrived to protect every desktop and notebook. You can buy them, or get free ones with limited functionality, from Tiny Software or Zone Labs. However, one of the most ubiquitous firewalls around is probably the one built into Windows XP, called ICF (Internet Connection Firewall). Although many may scoff at the idea of using Microsoft's ICF, it is in fact a simple and effective solution. ICF is a stateful packet inspection firewall and is perfect for protecting your desktops and notebooks while using dial-up, public Wi-Fi networks, and public Ethernet connections. Although the ICF policy is limited to inbound rules only, only the most security conscious would be worried about limiting outbound-initiated sessions. Truth be told, the only reason you need outbound protection on your personal computer is if your system has already been compromised. In my opinion, you should prevent system compromise in the first place by deploying enterprise-wide system patching and virus scanning on all gateways and hosts. Additionally, ICF is one of the friendliest firewalls around, with its tight integration into Windows XP and its support for UPnP. UPnP-capable voice applications, for example, work seamlessly without any effort, and inbound rules are created for you automatically (to enable or disable) if you want services like Remote Desktop or a personal PPTP/L2TP server. (Bear in mind that UPnP performs no authentication, so any program on the machine can request the same openings.) For a more thorough look at personal firewalls, you can refer to this article dedicated to personal firewalls.
I've given you a brief introduction to firewalls and how they basically work. Although there is a lot more to how a firewall actually works, a basic understanding of the concepts in this article is critical for any network engineer or administrator. In part two of this article, I will show you how to build enterprise firewall architectures.