Firewall Technology

28/10/1999

Nie Sen & Wei Kai
Electrical and Communications Engineering
Helsinki University of Technology
sennie@cc.hut.fi

Abstract

    As the Internet expands to every corner of the world, more and more companies and organizations connect their private networks to it. Is it wise to connect them without any protection? The constant threat of the "hacker" and "cracker" has never been so widely acknowledged as in the last three years. Coupled with the business need to conduct Electronic Commerce on the Internet safely, this has led the industry toward the construction of the perfect firewall. This article introduces the concept of a firewall and gives an overview of solutions to some Internet security issues.


Contents

1. Why We Need Firewalls?

1.1 The Security Related Problems In the Internet

1.2 Why Firewalls?

2. Introduction to Firewalls

2.1 The Concept of Firewall

2.2 The Firewall Components

2.3 The Different Types of Firewalls

3. The Future of Firewalls

References

Further Information

1 Why We Need Firewalls?

    The Internet is a vital and growing network that is changing the way many organizations and individuals communicate and do business. However, the Internet suffers from significant and widespread security problems. Many agencies and organizations have been attacked or probed by intruders, with resultant high losses to productivity and reputation. In some cases, organizations have had to disconnect from the Internet temporarily, and have invested significant resources in correcting problems with system and network configuration. Sites that are unaware of or ignorant of these problems face a significant risk that they will be attacked by network intruders. Even sites that do observe good security practices face problems with new vulnerabilities in networking software and the persistence of some intruders. We will discuss these problems in detail.

1.1 The Security Related Problems In the Internet.

    Some of the problems with Internet security are a result of inherent vulnerabilities in the services (and the protocols that the services implement), while others are a result of host configuration and access controls that are poorly implemented or overly complex to administer. Additionally, the role and importance of system management is often short-changed in job descriptions, resulting in many administrators being, at best, part-time and poorly prepared.

            a. Vulnerable TCP/IP services: a number of the TCP/IP services are not secure and can be compromised by
               knowledgeable intruders; services used in the local area networking environment for improving network
               management are especially vulnerable [1].

            b. Ease of spying and spoofing: the majority of Internet traffic is unencrypted; e-mail, passwords, and file transfers
               can be monitored and captured using readily available software, and intruders can then reuse captured passwords
               to break into systems [3].

            c. Lack of policy: many sites are configured unintentionally for wide-open Internet access without regard for the
               potential for abuse from the Internet; many sites permit more TCP/IP services than they require for their
               operations and do not attempt to limit access to information about their computers that could prove valuable to
               intruders [6].

            d. Complexity of configuration: host security access controls are often complex to configure and monitor; controls
               that are accidentally misconfigured often result in unauthorized access.

1.2 Why Firewalls?

    The general reasoning behind firewall usage is that without a firewall, a subnet's systems expose themselves to inherently insecure services such as NFS or NIS and to probes and attacks from hosts elsewhere on the network. In a firewall-less environment, network security relies totally on host security, and all hosts must, in a sense, cooperate to achieve a uniformly high level of security. A firewall approach provides numerous advantages to sites by helping to increase overall host security. The following list summarizes the primary benefits of using a firewall.

                a. Protection from Vulnerable Services

                b. Controlled Access to Site Systems

                c. Concentrated Security

                d. Enhanced Privacy

                e. Logging and Statistics on Network Use and Misuse

                f. Policy Enforcement [2,3,4]

2 Introduction to Firewalls

    A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

2.1 The Concept of Firewall

    A firewall is not simply a router, host system, or collection of systems that provides security to a network. Rather, a firewall is an approach to security; it helps implement a larger security policy that defines the services and access to be permitted, and it is an implementation of that policy in terms of a network configuration, one or more host systems and routers, and other security measures such as advanced authentication in place of static passwords. The main purpose of a firewall system is to control access to or from a protected network (i.e., a site). It implements a network access policy by forcing connections to pass through the firewall, where they can be examined and evaluated.

    A firewall system can be a router, a personal computer, a host, or a collection of hosts, set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. A firewall system is usually located at a higher-level gateway, such as a site's connection to the Internet; however, firewall systems can also be located at lower-level gateways to provide protection for some smaller collection of hosts or subnets.

2.2 The Firewall Components

    The primary components (or aspects) of a firewall are:

           a. Network Policy: There are two levels of network policy that directly influence the design, installation and use of
              a firewall system. The higher-level policy is an issue-specific network access policy that defines those services
              that will be allowed or explicitly denied from the restricted network, how these services will be used, and the
              conditions for exceptions to this policy. The lower-level policy describes how the firewall will actually go about
              restricting the access and filtering the services that were defined in the higher-level policy.

           b. Advanced Authentication: Advanced authentication measures such as smartcards, authentication tokens, biometrics,
              and software-based mechanisms are designed to counter the weaknesses of traditional passwords.

           c. Packet Filtering: IP packet filtering is usually done using a packet filtering router designed to filter packets as
              they pass between the router's interfaces. A packet filtering router can usually filter IP packets based on some or all
              of the following fields: source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination
              port.

           d. Application Gateways: To counter some of the weaknesses associated with packet filtering routers, firewalls need
              to use software applications to forward and filter connections for services such as TELNET and FTP. Such an
              application is referred to as a proxy service, while the host running the proxy service is referred to as an
              application gateway. Application gateways and packet filtering routers can be combined to provide higher levels of
              security and flexibility than if either were used alone [6].

2.3 The Different Types of Firewalls

    Now that the basic components of firewalls have been examined, some examples of different firewall configurations are provided to give a more concrete understanding of firewall implementation. Conceptually, there are two types of firewalls:

    1. Network Level Firewalls: generally make their decisions based on the source and destination addresses and ports in
       individual IP packets [5]. Here we list three examples:

      Packet Filtering Firewall: Normally it is a packet filtering router. The packet filtering firewall is perhaps the most common
      and easiest to employ for small, uncomplicated sites. However, it suffers from a number of disadvantages:

      a. There is little or no logging capability, thus an administrator may not easily determine whether the router has been
         compromised or is under attack.
      b. Packet filtering rules are often difficult to test thoroughly, which may leave a site open to untested vulnerabilities.
      c. If complex filtering rules are required, the filtering rules may become unmanageable.
      d. Each host directly accessible from the Internet will require its own copy of advanced authentication measures.

      Figure 1. Packet Filtering Firewall

      Screened host firewall: The screened host firewall combines a packet filtering router with an application gateway
      located on the protected subnet side of the router. The application gateway needs only one network interface. The
      application gateway's proxy services pass TELNET, FTP, and other services for which proxies exist to site systems.
      The router filters or screens inherently dangerous protocols from reaching the application gateway and site
      systems. It rejects (or accepts) application traffic according to the following rules:

       a. Application traffic from Internet sites to the application gateway gets routed.
       b. All other traffic from Internet sites gets rejected.
       c. The router rejects any application traffic originating from the inside unless it came from the application gateway.

      Figure 2. Screened Host Firewall [5].
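To make the packet filtering fields of section 2.2 and the three screened host router rules above concrete, here is an added example in Python (not code from the original paper): a first-match packet filter over source/destination address, protocol and destination port, with the screened host policy written as an ordered rule list. The addresses, the gateway at 192.168.10.5, and the choice of TCP ports 21 and 23 as the "application traffic" the gateway proxies are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example topology (private/documentation addresses, not real hosts).
SITE_NET = ipaddress.ip_network("192.168.10.0/24")   # protected site behind the router
GATEWAY = ipaddress.ip_network("192.168.10.5/32")    # application gateway (assumed address)
ANY = ipaddress.ip_network("0.0.0.0/0")
PROXIED_PORTS = frozenset({21, 23})   # FTP and TELNET: the services the gateway proxies (assumption)

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    """One packet filtering rule over the fields listed in section 2.2."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                          # "route" or "reject"
    proto: Optional[str] = None          # None matches any protocol
    dports: Optional[frozenset] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet matching no rule is rejected (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "reject"

# The screened host router policy (rules a, b, c above) as an ordered rule list.
SCREENED_HOST_RULES = [
    Rule(GATEWAY, ANY, "route"),                        # c: only the gateway may originate outbound traffic
    Rule(SITE_NET, ANY, "reject"),                      # c: any other inside host is rejected
    Rule(ANY, GATEWAY, "route", "tcp", PROXIED_PORTS),  # a: Internet -> gateway, proxied services only
    Rule(ANY, ANY, "reject"),                           # b: all other traffic from the Internet is rejected
]
```

The list is evaluated top to bottom with an implicit final reject, so rule order is part of the policy; that ordering sensitivity is one reason disadvantage b above (rules are hard to test thoroughly) matters in practice.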

      Screened subnet firewall: In a screened subnet firewall, two routers are used to create an inner screened subnet. This
      subnet houses the application gateway; however, it could also house information servers, modem pools, and other
      systems that require carefully controlled access.

      Figure 3. Screened Subnet Firewall [5].

    2. Application Level Firewalls: generally are hosts running proxy servers, which permit no traffic directly between
       networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy
       applications are software components running on the firewall, it is a good place to do lots of logging and access
       control. Application level firewalls can be used as network address translators, since traffic goes in one "side" and
       out the other, after having passed through an application that effectively masks the origin of the initiating connection.
       Having an application in the way in some cases may impact performance and may make the firewall less transparent.
       Here is an example:

      Dual homed gateway firewall: A dual homed gateway is a highly secured host that runs proxy software. It has two
      network interfaces, one on each network, and blocks all traffic passing through it.

      Figure 4. Dual Homed Gateway Firewall [5].

3.The Future of Firewalls

    The future of firewalls lies somewhere between network level firewalls and application level firewalls [5]. It is likely that network level firewalls will become increasingly "aware" of the information going through them, and application level firewalls will become increasingly "low level" and transparent. The end result will be a fast packet-screening system that logs and audits data as it passes through. Increasingly, firewalls (network and application layer) incorporate encryption so that they may protect traffic passing between them over the Internet. Firewalls with end-to-end encryption can be used by organizations with multiple points of Internet connectivity to use the Internet as a "private backbone" without worrying about their data or passwords being sniffed.

References

[1] Bellovin, S.M., Security Problems in the TCP/IP Protocol Suite, 4.8.1992, [referred 16.9.1999]
<http://www.gta.com/Media/text/SB-TCP-IP.pdf>

[2] Chapman, D. Brent, Network (In)Security Through IP Packet Filtering, 1992, [referred 16.9.1999]
<http://www.zeuros.co.uk/generic/resource/firewall/library/net_insec_pkt_filt.ps>

[3] Cheswick, William R. & Bellovin, Steven M., Firewalls and Internet Security: Repelling the Wily Hacker, 1993, [referred 17.19.1999]
<http://www.hut.fi/Units/Library/Information/dep.html>

[4] Gelb Organization, The Firewall, 1998, [referred 16.9.1999]
<http://www.gelb.com/CHAPTER1.HTM>

[5] Ranum, Marcus J. & Curtin, Matt, Internet Firewalls Frequently Asked Questions, 26.5.1998, [referred 16.9.1999]
<ftp://ftp.greatcircle.com/pub/firewalls/FAQ.html>

[6] Wack, John P. & Carnahan, Lisa J., Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, 9.2.1995, [referred 16.9.1999]
<http://csrc.ncsl.nist.gov/nistpubs/800-10/>

Further Information

A Network Firewall
    A short introduction to Internet firewalls. This article is old, but some basic concepts can still be used today.

A Toolkit and Methods for Internet Firewalls
     This article gives us a brief view to the demand for Internet firewalls and reliable tools from which to build them.

Computer System and Network Security
    A thick book about Internet firewall and network security. It gives us a very detailed theory background.

Firewall
    A company's homepage, including a brief introduction to the concept of firewall and some products to solve this problem.

Internet Firewalls and Introduction
    A brief introduction to Internet firewalls; short but useful.

Internet Firewalls and Network Security
    A thick book about Internet firewall and network security. It gives us a very detailed theory background.

Proceedings of the Internet Society Symposium on Network and Distributed System Security
    A brief introduction on how to perform a secure external access to the network.

Thinking About Firewalls
    This paper describes some of the considerations and tradeoffs in designing firewalls. A vocabulary for firewalls and their components is offered, to provide a common ground for discussion.

Tutorial Computer and Network Security
    A thick book about Internet firewall and network security. It gives us a very detailed theory background.