Firewall Basics
-------- ------

Most of us have heard of firewalls. The idea of a machine whose purpose is to act as a sentry, blocking certain kinds of network traffic and allowing others, is one most people involved in security and hacking can understand. But what exactly does a firewall -do-? How does it work, and what are its weaknesses?

There are two basic types of firewall, or two ways in which a firewall can function: it can either packet filter or proxy. Each has its merits and flaws, and each is best suited to different purposes. Most of what we know as firewalls use a combination of the two.

Packet Filtering
------ ---------

A packet filtering firewall is the simplest type of firewall. In its most basic setup, it is a machine with two network interfaces. The firewall software never looks at application data; it works on the packet headers at the network and transport layers, and uses a rule set to decide which packets are forwarded from one interface to the other by checking whether each packet's headers match a rule. For this reason a packet filtering firewall's rule set can only be built from information found in those headers: the packet's source address, destination address, protocol (TCP, UDP, ICMP, etc.), source port, destination port, the flags set on a TCP packet (SYN, ACK, FIN, RST, etc.), and similar basic header fields. The most common implementation of a packet filtering firewall is an access list on a router, or a rule set on a hardened host with two network interface cards that is used as a router.

One step above standard packet filtering firewalls, but still considered part of the same architecture, are stateful packet inspection firewalls.
The stateful inspection model was built on top of standard packet filtering, but it adds a further check: it holds incoming packets from one interface until it has seen enough of them (using information such as TCP flags and sequence numbers) to determine the 'state' of the connection; then, if the packets pass the rule set, they are forwarded to the other interface. From this information the firewall builds dynamic state tables, which it uses to keep track of the connections passing through it. Rather than forwarding every packet that happens to match the rule set, it forwards only packets that belong to a valid, established connection. This matters because a plain packet filter has no memory between packets: it can only approximate "established" with a rule such as "allow any inbound TCP packet with the ACK flag set", and an attacker can set that flag on any packet they like.

Packet filtering firewalls are popular because they tend to be inexpensive, fast, and relatively easy to configure and maintain. Most companies already have a router on which they can set up a rule set, or can easily get a host with two network cards. Even stateful packet inspection firewalls are faster than the proxying alternative, because the examination of each packet stops at its headers.

The drawback to packet filtering firewalls is reduced security. Because only the packet's headers are considered, a packet filtering firewall does not protect against attacks directed at an application. For instance, if a packet filtering firewall is set to allow incoming email from the internet in general, then an attack on the SMTP service itself passes through the firewall without trouble. In other words, as long as the rule set is satisfied, a connection is made directly from a host outside the firewall to a host inside it. Proxying firewalls exist to address that issue.

Proxying
--------

The fundamental difference between packet filtering and proxying is that proxy firewalls do not route.
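To make the stateless/stateful difference concrete, here is an added example; it is not code from the article, and it is a simulation of the decision logic rather than a real packet filter. A stateless first-match filter and a stateful one are fed the same constructed packets. The addresses 10.0.0.25, 10.0.0.5 and 203.0.113.7, the rule sets and the packets are all assumed for the example. The stateless rule set uses the pre-stateful trick of allowing any inbound TCP packet with ACK set so that replies get back in; the stateful filter needs no such rule, because it already knows which connections exist.

```python
"""Added example: a stateless packet filter beside a stateful one (simulation, not the article's code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None matches anything
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[frozenset] = None  # every listed flag must be set

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.flags is None or self.flags <= pkt.flags))


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """Plain packet filter: first matching rule wins, default deny.
    Only header fields are consulted; there is no memory between packets."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful inspection: a new TCP connection is admitted only if its opening
    SYN passes the rule set; every later packet is allowed only if it belongs to
    a connection already in the state table."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Tuple] = set()

    @staticmethod
    def key(pkt: Packet) -> Tuple:
        # Same key for both directions of one connection.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def decide(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.table:
            if "RST" in pkt.flags:   # simplified teardown; real tables also follow FIN and time out
                self.table.discard(k)
            return "allow"
        if (pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"})
                and stateless_decide(self.rules, pkt) == "allow"):
            self.table.add(k)
            return "allow"
        return "deny"


MAIL_SERVER = "10.0.0.25"   # assumed internal mail host
ATTACKER = "203.0.113.7"    # assumed external address

# Pre-stateful rule set: admit mail, and trust the ACK flag to mean "reply to an
# existing connection". That second rule is the classic hole.
STATELESS_RULES = [
    Rule("allow", proto="tcp", dst=MAIL_SERVER, dport=25),
    Rule("allow", proto="tcp", flags=frozenset({"ACK"})),
]
# The stateful rule set only needs to describe connections that may be opened.
STATEFUL_RULES = [Rule("allow", proto="tcp", dst=MAIL_SERVER, dport=25)]

# Constructed traffic: a legitimate SMTP handshake plus one unsolicited ACK probe
# (what an ACK scan sends) aimed at a host the rules never mention.
TRAFFIC = [
    Packet(ATTACKER, MAIL_SERVER, "tcp", 40000, 25, frozenset({"SYN"})),
    Packet(MAIL_SERVER, ATTACKER, "tcp", 25, 40000, frozenset({"SYN", "ACK"})),
    Packet(ATTACKER, MAIL_SERVER, "tcp", 40000, 25, frozenset({"ACK", "PSH"})),
    Packet(ATTACKER, "10.0.0.5", "tcp", 40001, 22, frozenset({"ACK"})),
]


def compare() -> dict:
    """Run the same packets through both filters and return the verdicts."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_decide(STATELESS_RULES, p) for p in TRAFFIC],
        "stateful": [stateful.decide(p) for p in TRAFFIC],
    }


if __name__ == "__main__":
    print(compare())
```

Running the block prints the two verdict lists. The stateless filter forwards the unsolicited ACK probe to port 22 on 10.0.0.5, a host no rule mentions, because it cannot tell a forged ACK from a reply; the stateful filter drops it because no connection to that host is in its table. Teardown handling is deliberately minimal: a production state table also follows FIN exchanges and expires idle entries.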
A proxy firewall operates on the application layer and cares about the application itself: it accepts the connection on one interface, receives the data, inspects it according to its rule set, and then passes the data out of the other interface over a connection of its own. No connection is ever made from the outside to the inside; as far as the machines inside the firewall know, all their traffic comes from the firewall. Unlike the packet filtering model, a proxy firewall truly keeps the internal and external systems separate.

This is not, however, the main reason proxy firewalls are attractive to organizations. Because the proxy firewall has full visibility at the application layer, it can look for far more specific things than a packet filter can: it can tell the difference between an email containing only text and an email carrying a Microsoft Word document, or between a web page that uses Java and one that does not. Rules can be made far more specific, since they can be built around anything the firewall can see at the application level.

As might be expected, the greatest drawback of this model is the sacrifice in speed. Since all traffic has to be inspected at the application layer, a proxying firewall is significantly slower than the packet filtering alternatives. For the greatly improved security, performance suffers. Adaptive proxy firewalls were designed to address this problem. Just as stateful inspection firewalls are an enhanced version of packet filtering firewalls, the adaptive proxy (also known as dynamic proxy) architecture was developed from the standard proxy implementation.
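Here is an added example of the kind of check only an application-layer proxy can make; it is not code from the article. A simplified SMTP inspector parses each client segment, accepting SMTP commands and rejecting any message body that carries a Word document. The same inspector is then run in two modes: "proxy", where every segment is inspected, and "adaptive", which previews the adaptive proxy architecture the article turns to next, where only the first segment of each connection is inspected and the rest take the packet-filter path. The addresses, the constructed messages, the single allowed port and the policy of blocking application/msword parts are all assumed for the example.

```python
"""Added example: application-layer SMTP inspection in proxy and adaptive modes (not the article's code)."""
from email import message_from_bytes
from typing import Dict, FrozenSet, List, Tuple

# Assumed policy for the example: reject Word documents, the article's
# "email containing a Microsoft Word document" case.
BLOCKED_TYPES = {"application/msword"}
SMTP_COMMANDS = ("EHLO", "HELO", "MAIL FROM:", "RCPT TO:", "DATA", "RSET", "NOOP", "QUIT")


def inspect_smtp(payload: bytes) -> bool:
    """Application-layer check on one client segment. A segment that starts with
    an SMTP command is accepted; anything else is treated as a message body,
    parsed as MIME, and rejected if any part is a Word document."""
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").upper()
    if first_line.startswith(SMTP_COMMANDS):
        return True
    msg = message_from_bytes(payload)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in BLOCKED_TYPES or name.endswith(".doc"):
            return False
    return True


FlowKey = FrozenSet[Tuple[str, int]]


class Firewall:
    """mode="proxy": every segment goes through inspect_smtp.
    mode="adaptive": only the first segment of a flow does; the verdict is
    recorded in a session table and later segments are checked on headers alone."""

    def __init__(self, mode: str, allowed_dports=(25,)):
        self.mode = mode
        self.allowed_dports = set(allowed_dports)   # the packet-filter rule set
        self.sessions: Dict[FlowKey, bool] = {}
        self.app_inspections = 0                    # how often the slow path ran

    def handle(self, src: str, sport: int, dst: str, dport: int, payload: bytes) -> str:
        # Header check first, in both modes (only client-to-server segments are modelled).
        if dport not in self.allowed_dports:
            return "deny"
        key: FlowKey = frozenset({(src, sport), (dst, dport)})
        if self.mode == "adaptive" and key in self.sessions:
            return "allow" if self.sessions[key] else "deny"   # fast path, payload unread
        self.app_inspections += 1
        verdict = inspect_smtp(payload)
        self.sessions[key] = verdict
        return "allow" if verdict else "deny"


# Constructed messages: a plain-text mail and one carrying a .doc attachment.
TEXT_MAIL = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
             b"Subject: hi\r\n\r\nJust text.\r\n")
WORD_MAIL = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
             b"Subject: report\r\nMIME-Version: 1.0\r\n"
             b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
             b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
             b'--b1\r\nContent-Type: application/msword; name="report.doc"\r\n'
             b'Content-Disposition: attachment; filename="report.doc"\r\n\r\n'
             b"<binary document bytes>\r\n--b1--\r\n")


def run_session(fw: Firewall, segments: List[bytes]) -> List[str]:
    """Feed the client-to-server segments of one SMTP connection (assumed addresses)."""
    return [fw.handle("203.0.113.7", 40000, "10.0.0.25", 25, seg) for seg in segments]


def compare() -> dict:
    """Same connection through both modes: EHLO, MAIL FROM, then the Word mail."""
    segments = [b"EHLO client.example.test\r\n",
                b"MAIL FROM:<alice@example.test>\r\n", WORD_MAIL]
    proxy, adaptive = Firewall("proxy"), Firewall("adaptive")
    return {"proxy": run_session(proxy, segments),
            "adaptive": run_session(adaptive, segments),
            "proxy_inspections": proxy.app_inspections,
            "adaptive_inspections": adaptive.app_inspections}


if __name__ == "__main__":
    print(compare())
```

The proxy mode inspects all three segments and rejects the third, because it can see the application/msword part; a packet filter looking at the same bytes would see only a TCP segment to port 25. The adaptive mode inspects the EHLO, approves the session, and never reads the later payload, so the Word document goes through: that is the speed-for-coverage trade the article describes, and it is why the first segments of a session need to be enough to decide the policy.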
Combining the merits of proxy and packet filtering firewalls, an adaptive proxy firewall analyzes the first part of a connection at the application layer, as a standard proxy firewall does; once the firewall has seen enough to clear the traffic through the rule set, subsequent packets are passed, filtered, at the network layer. As in the stateful inspection model, the firewall builds a dynamic session table and checks packets against it. Packets that belong to a valid, established session are allowed through with simple packet filtering; packets that begin a new connection are inspected at the application layer and proxied. In this way it is always the proxy that does the real analysis of any connection; only after a session has been approved by the strong security of the application proxy does it drop to the weaker but faster packet filtering at the network layer. The price is that anything which appears later in the session, after that hand-off, is seen only by the packet filter.

From a security standpoint, the most secure firewall is a standard proxying firewall, where all traffic is inspected at the application layer. However, that isn't always the most practical solution. A strictly proxy environment is slow and difficult to maintain, and proxies have to be written for each new application as it appears. An adaptive proxy, combining proxying and packet filtering, is far more likely to be encountered.

/dev/null
Professional Script Kiddie