Threats the Firewalls Can and Cannot Protect Against

In general, packet filters allow you to close all inbound and outbound TCP ports, fully or partially block some protocols (such as the Internet Control Message Protocol, or ICMP), prevent establishment of connections to specified IP addresses, etc. Correctly configured networks must contain at least two zones: (1) the internal corporate network protected by a firewall and populated with workstations, network printers, intranet database servers, and other similar resources and (2) the demilitarized zone (DMZ), where public servers that must be accessible from the Internet are located (Fig. 23.2).

Figure 23.2: Typical structure of a local area network

A firewall configured for the highest possible security level must do the following:

  • Close all ports except the ones that belong to public network services, such as HTTP, FTP, and SMTP.

  • Forward packets arriving at a specific port only to those hosts on which the appropriate service is installed (for example, if the WWW server is installed on host A and the FTP server is installed on host B, then the firewall must block packets sent to port 80 of host B).

  • Block inbound connections from the external network directed into the corporate network (in this case, though, internal users won't be able to work with external FTP servers in active mode).

  • Block outgoing connections from the DMZ directed into the internal network (except for FTP and DNS servers, which require outgoing connections).

  • Block incoming connections originating from the DMZ and directed into the internal network (if this isn't done, an attacker who has seized control of one of the public servers will easily penetrate the corporate network).

  • Block inbound connections to the DMZ originating from the external network that use auxiliary protocols often employed in attacks, ICMP being the typical example. Note, however, that blocking ICMP creates serious problems (for instance, the ping utility will cease to work, and automatic path MTU discovery will become impossible).

  • Block inbound and outbound connections with ports and/or IP addresses specified by the administrator.
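The zone rules above can be checked mechanically before they are typed into a real firewall. The following policy evaluator is an added example, not code from the book: it encodes the bullet list as an ordered decision function and runs candidate connections through it. The DMZ inventory, addresses, blocked port and the reading of "outgoing connections from the DMZ" as connections that DMZ hosts initiate (so only the FTP and DNS servers may do so) are assumptions made for this example.

```python
from dataclasses import dataclass

INTERNAL, DMZ, EXTERNAL = "internal", "dmz", "external"

# Constructed DMZ inventory: the public port(s) each DMZ host actually serves.
DMZ_SERVICES = {
    "203.0.113.10": {80},       # host A: WWW server only
    "203.0.113.11": {21},       # host B: FTP server only
    "203.0.113.12": {25, 53},   # host C: SMTP relay and DNS
}
# Assumption: only the FTP (active-mode data channel) and DNS (lookups)
# servers are allowed to open connections themselves.
DMZ_MAY_INITIATE = {"203.0.113.11", "203.0.113.12"}
# Administrator's explicit blocks (constructed values).
BLOCKED_IPS = {"198.51.100.77"}
BLOCKED_PORTS = {23}


@dataclass(frozen=True)
class Conn:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def decide(c: Conn) -> str:
    """Return 'allow' or 'block: <reason>' for a new connection attempt."""
    # The administrator's own list is checked first, whatever the zones.
    if c.src_ip in BLOCKED_IPS or c.dst_ip in BLOCKED_IPS or c.dst_port in BLOCKED_PORTS:
        return "block: administrator rule"
    # Auxiliary protocols (e.g. ICMP) are not admitted to the DMZ from outside.
    if c.proto != "tcp" and c.src_zone == EXTERNAL and c.dst_zone == DMZ:
        return "block: auxiliary protocol"
    # Neither the Internet nor the DMZ may open a connection into the LAN.
    if c.dst_zone == INTERNAL and c.src_zone != INTERNAL:
        return "block: inbound to internal network"
    # DMZ hosts do not initiate connections unless they are FTP/DNS servers.
    if c.src_zone == DMZ and c.src_ip not in DMZ_MAY_INITIATE:
        return "block: DMZ host may not initiate"
    # A packet to the DMZ reaches a port only on the host that serves it.
    if c.dst_zone == DMZ and c.dst_port not in DMZ_SERVICES.get(c.dst_ip, set()):
        return "block: port not served on this host"
    return "allow"
```

Running a proposed rule change through `decide` with the flows that matter (port 80 to host B, DMZ host to LAN, ICMP from outside) shows immediately which bullet it would violate.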

In practice, the tasks of a firewall consist of protecting corporate networks against curious idiots roaming over the Internet. Nevertheless, the strength of this protection is insubstantial. If clients of a corporate network use vulnerable versions of popular browsers or email clients (and most software products are vulnerable), then the attacker might lure them to a Web page infected with Trojan components or send them infected email messages with a virus payload. After a short interval, the entire local area network (LAN) will be infected. Even if outgoing connections from the corporate network are disabled (in which case internal users will be deprived of the possibility of surfing the Internet), shellcode will be capable of using the already established TCP connection through which it was delivered to the attacked host, handing the hacker control over the system (for more details, see Chapter 24).

A firewall can also become a target of attack because, like any sophisticated program, it is not free from bugs and security holes. Bugs in firewalls are registered practically every year. Worse still, they are not patched immediately (this is especially true if the firewall is implemented at the hardware level). Curiously, poorly implemented firewalls can even weaken system security (this relates primarily to personal firewalls, which have become exceedingly popular).



Source: Shellcoder's Programming Uncovered (Uncovered series), ISBN 193176946X, 2003, 164 pages.
