Introduction to firewalls
Introduction:
Understanding the fundamental concepts of a firewall is critical to building a secure firewall architecture. In this first part of a two-part series on firewalls and firewall architecture, you will learn what firewalls are, how they work, and the types of devices that are available to you.
Basic concepts of a firewall:
To understand what a firewall is, one can simply imagine it in biological terms as the human organ known as skin. Skin does not actually kill foreign hostile bodies; it simply obstructs them. In a human, for example, the loss of more than 50% of skin will result in death, simply because the immune system cannot repel invaders from such a large and exposed surface area. The same can be said of firewalls, which, unlike IDS (Intrusion Detection Systems), cannot actually detect hostile invaders but simply limit their access to your sensitive internal servers. Properly designed and deployed, a firewall operates as a shield around your network, just as skin does on a human.
A firewall functions by acting on traffic based on its policy. A policy is comprised of a set of rules. A rule is an action taken on traffic that fits certain criteria. A single rule is comprised of four basic elements: source, destination, service, and action.
Source, destination, and service are the criteria that determine whether the action is taken or not. If the traffic matches the criteria, then the action is taken; otherwise the firewall will skip to the next rule. Additionally, each of the three criteria can typically be stored as an object on the firewall, so that those objects can be more easily used and managed.
For example, the HTTP service is comprised of TCP port 80, while the L2TP VPN service requires both UDP port 500 and UDP port 1701. In the case of HTTP traffic, the action is almost always set to “permit” when the source is internal and the destination is external, which in layman’s terms simply means that anyone inside the company can surf the external World Wide Web. Any source to any destination on any service, on the other hand, should have the action set to “drop” in any secure firewall policy.
Types of firewalls:
Packet filtering (AKA Access Control Lists), commonly found on routers and even operating systems like Windows NT and 2000 Server, can be thought of as the crudest form of a firewall. Although packet filtering meets the definition of a simple firewall, its application is highly limited and it is generally too crude to be deployed as a firewall of any sort. The next evolution of firewall technology is stateful packet inspection, which goes beyond just interpreting rules on the initial traffic and considers what each rule implies for returning traffic throughout the entire TCP/IP session. HTTP web traffic, for example, is not as straightforward as it may seem. Everyone knows about port 80 and how a client connects to a web server on TCP port 80, but rarely do people know what happens with the response traffic from the web server. In reality, although a client connects to a web server on TCP port 80, the web server talks back to the client on the client’s source port, which is probably some dynamic TCP port above 1024. This leaves us to wonder: if only port 80 is open on the firewall and all other inbound traffic is disallowed by default, how is the web page you requested going to come through the firewall on some high TCP port like 4538? This is where a packet filtering “firewall” would fall flat on its face. A stateful packet inspection firewall knows that the internal client going out on port 80 is expecting return traffic on port 4538 from a certain server, so it will allow the incoming traffic on that specific port from that specific server to the original requester. This is exactly why I don’t recommend the use of packet filtering in Windows servers. It has some usefulness in routers if you are simply trying to limit access from certain sources to certain destinations, but do not attempt to use it to limit the service, because it doesn’t track sessions, nor can it be scaled to more than a handful of routers.
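As an added illustration of the rule model (source, destination, service, action) described above and of the packet-filter versus stateful-inspection comparison, here is a toy policy engine written for this edit, not code from the original article. It models service objects, first-match rules with a default drop, and a stateful wrapper that admits the HTTP reply on the client’s high port only when it saw the outbound request go out; the zone labels and all Python names are assumptions.

```python
from collections import namedtuple

# Service objects as the article describes them: a name mapped to the
# (protocol, port) pairs it covers. "ANY" matches every protocol and port.
SERVICES = {
    "HTTP": {("tcp", 80)},
    "L2TP-VPN": {("udp", 500), ("udp", 1701)},
    "ANY": None,
}

# Zone labels ("internal"/"external") are constructed for the example.
Packet = namedtuple("Packet", "src dst proto sport dport")
Rule = namedtuple("Rule", "src dst service action")  # action: "permit"/"drop"

def rule_matches(r: Rule, p: Packet) -> bool:
    """Source, destination and service are the criteria; 'any' is a wildcard."""
    ports = SERVICES[r.service]
    return (r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and (ports is None or (p.proto, p.dport) in ports))

# The policy from the article: permit internal -> external HTTP, drop everything else.
POLICY = [
    Rule("internal", "external", "HTTP", "permit"),
    Rule("any", "any", "ANY", "drop"),
]

def stateless_decide(p: Packet, policy=POLICY) -> str:
    """Packet filter / ACL: first matching rule wins, with no memory of sessions."""
    for r in policy:
        if rule_matches(r, p):
            return r.action
    return "drop"  # implicit default deny when nothing matches

class StatefulFirewall:
    """Stateful inspection: remembers each permitted outbound session and admits
    only the reply whose 5-tuple is the exact reverse of a tracked session."""
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return "permit"  # return traffic for a session this firewall saw go out
        action = stateless_decide(p, self.policy)
        if action == "permit":
            self.sessions.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return action
```

Run the same request and reply through both: the stateless filter permits the outbound request but drops the server’s reply to port 4538, while the stateful firewall permits that reply and still drops an unsolicited packet to 4539.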
Today, stateful packet inspection is the most popular form of firewall, but the rise of broadband in homes and small businesses has given rise to the use of NAT devices. Although a NAT is technically not a firewall, the very nature of how it works makes it very similar to stateful packet inspection in the sense that it tracks source ports, destination ports, and sessions. Just like stateful packet inspection firewalls, NAT has the same capability of blocking all inbound traffic yet allowing inbound traffic that was initiated by an internal host with an outbound request. Although not a substitute for a real stateful firewall in the enterprise, NAT is an excellent choice for home broadband users because it provides basic protection and allows many to share a single IP address. Today, all “residential gateways” for home broadband use NAT.
Firewall platforms:
Firewalls come in many shapes and forms. Although technically everything is ultimately software, it is generally accepted to call anything that runs on a specially designed OS stored on flash media hardware based, and anything that runs on a general purpose OS stored on a hard drive software based. The dominant firewall platforms in the enterprise are Checkpoint Firewall-1 and Cisco PIX. NetScreen comes in a distant third but is rapidly gaining market share with its gigabit ASIC solutions, while many other vendors provide their own software and hardware firewalls. In a more recent development, all of the major enterprise players now support trunking. In February 2003, Cisco announced that they are adding support for trunking and VLANs. This means that on a single gigabit Ethernet interface, one can have as many virtual interfaces as one wishes. Additionally, these enterprise solutions support stateful failover, which means you don’t lose even a single session if the primary firewall were to fail.
Checkpoint Software, an Israeli-based firm, is one of the earlier players in the game. They specialize in their Firewall-1 software, which runs on Windows, Linux, and Unix platforms. A significant percentage of Firewall-1 deployments run on Nokia-Checkpoint “appliances”. Nokia is their primary hardware partner, and they provide what is basically a dual Pentium 3 system with some special hot-pluggable Ethernet 10/100 or Gigabit cards running a “hardened” version of FreeBSD UNIX. The Checkpoint Firewall-1 software runs on top of this specialized UNIX PC. Checkpoint Firewall-1 handles its own system logging, and Checkpoint also sells a more comprehensive set of tools to analyze those logs. Checkpoint does not dump to a syslog server, but you can export the logs to a text delimited file, although this export process is excruciatingly slow. On the administration side, system maintenance and installation require significant training, and you probably need certified Nokia/Checkpoint engineers for those tasks. However, routine administration can probably be performed by mid-level administrators with Checkpoint’s GUI. As for the effects on your wallet, understand that you pay twice for the primary and backup Nokia hardware “appliances” and you have to pay a third and a fourth time for the primary/secondary Checkpoint software if you want firewall redundancy. Then, to keep your hardware current, you must also pay annually for four maintenance contracts, two on hardware and two on software. Bottom line, the Nokia/Checkpoint platform is highly priced and highly respected within the enterprise.
Cisco PIX falls into the hardware category. It runs on a specialized OS running Cisco’s PIX firewall software. Although the system runs on a 1 GHz Pentium 3 system, the entire OS and firewall software fits into 16 megabytes of non-volatile flash memory. Cisco also requires a fully fledged certified PIX engineer to do software upgrades and troubleshooting, but they have added a graphical interface such that a mid-level administrator can do routine administration. Logging is handled by dumping log information to a syslog server (purchased separately but inexpensive), which in turn can dump over an ODBC connection to a SQL database of some sort. Once in the database, it is relatively simple to create reports with standard reporting tools like Microsoft Access or Crystal Reports. One of the most appealing things about PIX is that it has per-interface policies. This means that one huge policy with 100 rules isn’t applied to every interface on the firewall; only a subset of the rules is applied to each interface. Not only does this make it very fast, but also very flexible, in that you can set a unique policy for each interface. On Checkpoint and most other firewalls, one massive policy is applied to each and every interface, which is slow and inflexible. As for its cost, PIX is reasonably priced to buy and maintain. Although you pay around the same as Nokia for a comparable PIX, the second PIX you buy for failover is only 1/3 the price! Even better, you don’t need any additional software to buy or maintain, because the PIX hardware is bundled with the PIX software. Bottom line, the PIX platform is reasonably priced and provides high performance for the enterprise network.
NetScreen is a relative newcomer. They offer a new breed of firewalls that use high performance gigabit ASIC (Application Specific Integrated Circuit) engines and have recently gained quite a bit of market share. The company provides a good solution with relatively simple administration and powerful hardware. Features like the use of standard compact flash cards are a welcome addition to the hardware firewall market. Other players like SonicWall also have a role in the small business segment, while large software companies like Symantec and Network Associates make software firewalls that protect the network and the desktop.
Personal Firewalls:
Recently, a new category of firewalls called “personal firewalls” has arrived to protect every desktop and notebook. You can buy them, or get free ones with limited functionality, from Tiny Software or Zone Labs. However, one of the most ubiquitous firewalls around is probably the one built into Windows XP called ICF (Internet Connection Firewall). Although many may scoff at the idea of using Microsoft’s ICF, it is in fact a simple and effective solution. ICF is a stateful packet inspecting firewall and is perfect for protecting your desktops and notebooks while using dialup, public Wi-Fi networks, and public Ethernet connections. Although the ICF policy is limited to inbound rules only, only the most security conscious would be worried about limiting outbound initiated sessions. Truth be told, the only reason you need outbound protection on your personal computer is if your system has already been compromised. It is my opinion that you should prevent system compromise in the first place by deploying enterprise-wide system patching and virus scanning on all gateways and hosts. Additionally, ICF is one of the friendliest firewalls around, with its tight integration into Windows XP and its support for UPnP. UPnP capable voice applications, for example, work seamlessly without any effort, and inbound rules are created for you automatically (to enable or disable) if you want services like Remote Desktop or a personal PPTP/L2TP server. For a more thorough look at personal firewalls, you can refer to this article dedicated to personal firewalls.
Conclusion:
I’ve given you a brief introduction to firewalls and how they basically work. Although there is a lot more to how a firewall actually works, a basic understanding of the concepts in this article is critical for any network engineer or administrator. In part two of this article, I will show you how to build enterprise firewall architectures.