and Firewall Security Systems
A firewall is, by definition, a system
of one or more devices developed to implement the access control policy of the
network. Firewalls can be implemented in hardware devices, software features, or
a combination of both. In the simplest scenario, a firewall could be the access
router running a firewall feature set for a telecommuter, home user, small
business network, or smaller branch office when they connect to the Internet.
Router and firewall features are often built into the devices used to connect to
DSL or cable services.
In larger implementations, the firewall might refer to multiple
devices and technologies working together to protect the organization from the
outside world, and within the network to provide internal security for specific
network segments. As you learned in the preceding two chapters, even protecting
a single perimeter connection often includes two or more devices working
together to provide multiple layers of defense. This avoids the single point of
failure that might expose the organization’s digital resources to catastrophic
While a single device might be a firewall, it could also be just a
part of a larger system that is the firewall. For clarity, using the terms
“firewall device” and “firewall system” might be helpful. A firewall device could be a router running a firewall feature
set, in addition to its other activities, or it could be a dedicated appliance
like a PIX box.
Whether working between Internet users and an organization's
internal networks or providing internal security within the company network,
firewalls examine all messages passing through and block those that don't meet
the specified security criteria. For our purposes, we can divide firewall
techniques into three categories:
Packet filter
Proxy filter
Stateful packet filter
In practice, many firewalls incorporate two or more of these
Packet filters are access control
lists that look at each packet entering or leaving the network and accept or
reject it based on user-defined rules. As you saw earlier, ACLs can
base these decisions on any or all of the following criteria:
Source IP address
Destination IP address
Packet filtering can be fairly effective and is generally
transparent to users. ACL filtering at Layer 3 and Layer 4 is useful in many
cases, but the following limitations matter in any situation where you might
consider relying on it exclusively.
Because no application layer or session information is stored,
every packet must be evaluated on its own against the full rule set.
Without stateful capabilities, ACLs can't deal with port
number changes or multiple session channels required by some applications.
Non-initial fragments carry no Layer 4 header, so they can be forwarded even
when the initial fragment was denied, which allows certain types of DoS attacks.
Complex ACLs can be difficult to configure and
ACLs can be susceptible to IP address spoofing.
A proxy server stands between the internal network and the
outside networks. An internal user wanting to browse a web site creates a
session with the proxy server, which typically requires authentication. This
connection to the proxy may or may not be visible to the internal user.
The proxy then compares the requested destination URL and/or IP address
against a list of blocked sites. Assuming the site isn't on the blocked list,
the proxy establishes its own session with the destination and continues
to work as a relay between the user and the outside world. Because it
terminates both connections, the proxy can apply application layer filtering
to the content it relays. This hides the internal user from the external site
and affords a level of content protection. The enhanced screening comes at the
cost of reduced end-to-end performance.
Some proxies also cache downloaded content and serve it to the next
user who requests it, which gives the perception of faster network performance
and reduces traffic across WAN links. Many proxies can create detailed access
logs, making it possible for network administrators to review them and add
URLs to the blocked list.
Common problems in using proxy filtering include the
Slower end-to-end performance on true connections to the
Because proxies are typically servers, any vulnerabilities
inherent in that server operating system (OS) could be well known to hackers and
A proxy can be a single point of failure: if it goes down, access
to the outside world is effectively blocked.
Stateful packet filtering systems
provide a best-of-both-worlds solution that offers greater performance than a
proxy and reduced exposure to attack compared with a plain packet filter. By
storing state for each session, built from Layer 3, Layer 4, and where needed
application layer information, the device can filter more intelligently than a
packet filter, because it knows which packets belong to an established
session, and it avoids the per-connection relaying overhead of a proxy.
PIX devices use stateful packet filtering to establish and
secure TCP and UDP connections, as well as many common applications. This
stateful decision-making allows PIX devices to deal with port number changes or
multiple session channels required by some applications.
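The difference between the stateless ACL limitations listed above and the session tracking described here, worked through as an added example. This is an illustrative Python model written for this page, not code from the book or from any Cisco product: the addresses, the inbound and outbound ACLs, and the probe packets are constructed for the example, and the handling of non-initial fragments (a permit entry permits on the Layer 3 match alone, a deny entry is skipped) is an assumption that models the classic router behaviour the text refers to.

```python
"""Stateless ACL vs. stateful connection tracking: an illustrative model."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp" or "udp"
    src_port: Optional[int]    # None: non-initial fragment, no Layer 4 header present
    dst_port: Optional[int]
    ack: bool = False          # TCP ACK flag, what an "established" rule keys on


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str                   # CIDR or "any"
    dst: str
    proto: str = "ip"          # "ip" matches tcp and udp alike
    dst_port: Optional[int] = None
    established: bool = False  # match only packets with ACK set (return-traffic heuristic)


def _ip_match(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


class StatelessFilter:
    """Top-down ACL evaluation with an implicit deny, as on a classic router."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for r in self.rules:
            if not (_ip_match(pkt.src_ip, r.src) and _ip_match(pkt.dst_ip, r.dst)):
                continue
            if r.proto != "ip" and r.proto != pkt.proto:
                continue
            if (r.dst_port is not None or r.established) and pkt.src_port is None:
                # Non-initial fragment: no Layer 4 fields to compare. Assumed classic
                # behaviour: a permit entry permits on the Layer 3 match alone, a deny
                # entry is skipped. This is the fragment hole described in the text.
                if r.action == "permit":
                    return "permit"
                continue
            if r.dst_port is not None and pkt.dst_port != r.dst_port:
                continue
            if r.established and not pkt.ack:
                continue
            return r.action
        return "deny"  # implicit deny at the end of every ACL


class StatefulFilter:
    """Outbound packets are checked against an ACL and permitted sessions recorded;
    inbound packets are permitted only when they belong to a recorded session."""

    def __init__(self, outbound_rules):
        self.acl = StatelessFilter(outbound_rules)
        self.sessions = set()

    def decide(self, pkt: Packet, direction: str) -> str:
        if direction == "out":
            verdict = self.acl.decide(pkt)
            if verdict == "permit" and pkt.src_port is not None:
                self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return verdict
        if pkt.src_port is None:
            return "deny"  # cannot be tied to a session without a Layer 4 header
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "permit" if key in self.sessions else "deny"


INSIDE = "10.0.0.0/24"  # constructed addressing for the example
INBOUND_ACL = [  # stateless inbound policy: return traffic plus the mail server
    Rule("permit", "any", INSIDE, "tcp", established=True),
    Rule("permit", "any", "10.0.0.10/32", "tcp", dst_port=25),
]
OUTBOUND_ACL = [Rule("permit", INSIDE, "any", "tcp")]


def run_scenario() -> dict:
    """Return (stateless, stateful) verdicts for four constructed inbound packets."""
    stateless, stateful = StatelessFilter(INBOUND_ACL), StatefulFilter(OUTBOUND_ACL)
    # An inside host opens a web session; the server's reply carries ACK.
    stateful.decide(Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 80), "out")
    probes = {
        "reply": Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40000, ack=True),
        "ack_probe": Packet("203.0.113.9", "10.0.0.5", "tcp", 1234, 3389, ack=True),  # forged ACK
        "telnet_syn": Packet("203.0.113.9", "10.0.0.10", "tcp", 1235, 23),            # denied SYN
        "fragment": Packet("203.0.113.9", "10.0.0.10", "tcp", None, None),            # follow-up fragment
    }
    return {n: (stateless.decide(p), stateful.decide(p, "in")) for n, p in probes.items()}


if __name__ == "__main__":
    for name, (sl, sf) in run_scenario().items():
        print(f"{name:11s} stateless={sl:7s} stateful={sf}")
```

The stateless ACL has to let return traffic in with an "established" rule that keys only on the ACK flag, so a forged ACK-flagged probe to any inside port passes, and a non-initial fragment passes on its Layer 3 match even though the initial fragment was denied. The stateful filter permits only the genuine reply, because it is the only inbound packet that matches a session it saw leave.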