Lesson 3:Firewalls

The security mechanisms covered thus far in this chapter are primarily concerned with internal network security, that is, with preventing users on the same local area network (LAN) or internetwork from accessing files and other resources that they do not need. This type of security is important, but routine. There is a whole world of potential security hazards outside the private internetwork, however, and the Internet connection that most networks have today is the door through which these hazards can enter. A firewall is a hardware or software product designed to protect a network from unauthorized access by outside parties. If your network is connected to the Internet, you must have some sort of firewall to protect it because intruders can wreak havoc on the network that you have so carefully designed and constructed.

Firewalls are usually deployed to protect a private network or internetwork from unauthorized access via the Internet. However, you can also use a firewall internally to protect one section of the network from the rest of it. For example, you can use a firewall to isolate the LAN used by your company's accounting department to prevent other users from accessing confidential financial records.

After this lesson, you will be able to

• Describe how you can use packet filtering to protect a network from unauthorized access
• Understand how network address translation (NAT) enables networked computers to use unregistered Internet Protocol (IP) addresses and still participate on the Internet
• Understand how proxy servers protect networked computers at the application layer and how administrators can use them to restrict users' Internet access

Estimated lesson time: 20 minutes

A firewall is essentially a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether or not it should be permitted to pass to the other network. A firewall can take many different forms and use different criteria to evaluate the network traffic it receives. Some firewalls are dedicated hardware devices, essentially routers with additional software that monitors incoming and outgoing traffic. In other cases, firewalls are software products that run on a standard computer. At one time, all firewalls were complex, extremely expensive, and used only in professional network installations. These high-end products still exist, but today you can also purchase inexpensive firewall software products designed to protect a small network or even an individual computer from unauthorized access through an Internet connection.

There are several methods that firewalls can use to examine network traffic and detect potential threats. Most firewall products use more than one of these methods and often provide other services as well. For example, one firewall product—a proxy server—not only enables users to access Web pages with complete safety, but also can cache frequently used pages for quicker retrieval by other systems. Some of the most common firewall technologies are covered in the following sections.

Packet Filtering

A packet filter is the most basic type of firewall, one that examines packets arriving over its interfaces and decides whether to allow them access to the other network based on the information found in the various protocol headers used to construct the packets. Packet filtering can occur at any one of several layers of the Open Systems Interconnection (OSI) reference model. A firewall can filter packets based on any of the following characteristics:

• Hardware addresses.  Packet filtering based on hardware addresses enables only certain computers to transmit data to the other network. This type of filtering isn't usually used to protect networks from unauthorized Internet access, but you can use this technique in an internal firewall to permit only specific computers to access a particular network.
• IP addresses.  You can use IP address filtering to permit only traffic destined to or originating from specific addresses to pass through to the other network. If, for example, you have a public Web server on your network, you can configure a firewall to admit only the Internet traffic that is destined for that server's IP address. This can prevent Internet users from accessing any of the other computers on the network.
• Protocol identifiers.  Firewalls can filter packets based on the protocol that generated the information carried within an IP datagram, such as the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), or the Internet Control Message Protocol (ICMP).
• Port numbers.  Firewalls can filter packets based on the source or destination port number specified in a packet's transport layer protocol header. This is called service-dependent filtering. These port numbers identify the application or service that generated the packet or for which the packet is destined. For example, you can configure a firewall to permit network users to access the Internet using ports 110 and 25 (the well-known port numbers used for incoming and outgoing e-mail) but deny them Internet access using port 80 (the port number used to access Web servers).

The strength of the protection provided by packet filtering is its ability to combine the various types of filters. For example, you might want to permit Telnet traffic into your network from the Internet, so that network support personnel can remotely administer certain computers. However, leaving port 23 (the Telnet port) open to all Internet users is a potentially disastrous security breach. Therefore, you can combine the port number filter with an IP address filter to permit only certain computers (those of the network administrators) to access the network using the Telnet port.

Packet filtering capabilities are usually provided with a standard router. Lesson 2: Configuring TCP/IP, in Chapter 11, "TCP/IP Configuration," explained that Windows 2000 includes its own basic packet filtering mechanism. This means that you can implement packet filters to protect your network without incurring massive additional expenses. Packet filtering usually does not have a major effect on the router's throughput, unless you create a large number of filtering rules. Remember that the router must process each packet individually against the filtering rules you create, so a very complex system of filters can conceivably slow the network down.

The main drawback of packet filtering is that it requires a detailed understanding of TCP/IP communications and the ways of the criminal mind. Using packet filters to protect your network means participating in an ongoing battle of wits with those who would infiltrate your network. Potential intruders are constantly inventing new techniques to defeat standard packet filter configurations, and you must be ready to modify your filters to counteract these techniques.

NAT

Network address translation is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses. If you connect a network to the Internet without firewall protection of any kind, you must use registered IP addresses for your computers so that they can communicate with other computers on the Internet. However, registered IP addresses are, by definition, visible from the Internet. This means that any user on the Internet can conceivably access your network's computers and, with a little ingenuity, access any resource. The results can be disastrous. Network address translation prevents this from happening by enabling you to assign unregistered IP addresses to your computers. These addresses fall into a range of addresses specifically designated for use on private networks. These addresses are not registered to any Internet user, and are therefore not visible from the Internet, so you can safely deploy them on your network without limiting your users' access to Internet sites.

For more information about registered and unregistered IP addresses, see Lesson 2: IP Addressing, in Chapter 8, "TCP/IP Fundamentals."

After you assign these private IP addresses to the computers on your network, outside users can't see your computers from the Internet. This means that an Internet server can't send packets to your network, so your users can send traffic to the Internet but can't receive it.

To make normal Internet communications possible, the router that provides Internet access can use NAT. For example, when one of the computers on your network attempts to access an Internet server using a Web browser, the Hypertext Transfer Protocol (HTTP) request packet it generates contains its own private IP address in the IP header's Source IP Address field. When this packet reaches the router, the NAT software substitutes its own registered IP address for the client computer's private address and sends the packet on to the designated server. When the server responds, it addresses its reply to the NAT router's IP address. The router then inserts the original client's private address into the Destination IP Address field and sends the packet on to the client system. All of the packets to and from the computers on the private network are processed in this manner, using the NAT router as an intermediary between the private network and the Internet. Because only the router's registered IP address is visible to the Internet, it is the only computer that is vulnerable to attack.

A popular security solution, NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions designed for home and small business networks. In fact, the Internet Connection Sharing (ICS) feature included with the latest versions of Windows is based on the principle of NAT.

Run the NAT video located in the Demos folder on the CD-ROM accompanying this book for a demonstration of NAT.

Proxy Servers

Proxy servers are software products similar to NAT routers, except that they function at the application layer of the OSI reference model. Like a NAT router, a proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access. The clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server. The Internet server replies to the proxy server, which relays the response to the client. This effectively renders the private network invisible to the Internet and also provides other features.

As mentioned earlier, proxy servers can cache the information they receive from the Internet, so that if another client requests the same information, the proxy can supply it immediately from its cache instead of issuing another request to the Internet server. Administrators can also configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services. For example, you can configure most Web proxy servers to permit user access only to specific Web sites.

The main problem with proxy servers is that you have to configure applications to use them, using an interface like that shown in Figure 13.9. A NAT router provides protection to the network computers while remaining essentially invisible to them, but the process of configuring a client computer to use proxies for a variety of applications can be time-consuming. However, some proxy clients and servers now have automatic detection capabilities that enable a client application to discover the proxy servers on the network and use them.

Figure 13.9  The Internet Explorer Proxy Settings dialog box

Generally speaking, proxy servers are the preferred solution when you want to impose greater restrictions on your users' Internet access, such as limiting the applications they can use to access the Internet and the sites that they are permitted to visit. Network address translation provides more general Internet access without any unusual client configuration, and still provides a similar degree of protection.

Lesson Review

1. Service-dependent packet filtering bases its decision to allow or deny access to a network based on what criterion?
   1. Port numbers
   2. IP addresses
   3. Hardware addresses
   4. Protocol identifiers
2. Which type of firewall operates at the application layer?
3. Network address translation operates at which layer of the OSI model?
   1. The data-link layer
   2. The network layer
   3. The transport layer
   4. The application layer
4. What is the main drawback to using proxy servers?
5. Where is a firewall typically located?
   1. At the boundary between your ISP's network and the Internet
   2. On your private network
   3. On the Internet
   4. At the boundary between your private network and your ISP's network

Lesson Summary

• Firewalls protect networks from outside interference by using a variety of techniques to limit the traffic passing between the internal network and the Internet.
• Packet filtering is a technique in which a router determines whether to allow network access to each packet based on the contents of its protocol headers.
• Network address translation enables the computers on a private network to use unregistered IP addresses and still access the Internet normally through a special router that modifies the contents of the IP header in each packet.
• Proxy servers are application layer products that act as intermediaries between network clients and Internet servers. Client applications must be configured to use proxy servers and administrators can configure the servers to limit users' access to specific Internet resources.