10.1 The Purpose of the Firewall


There are several different types of firewalls and each will be discussed in detail later in this chapter, but all serve the same purpose: to separate the public and private networks, and to prevent unwanted traffic from reaching the private network.

NOTE

The term firewall was originally used to describe a barrier built between attached homes and apartments to reduce noise and protect neighbors from fires in adjoining units.


To understand what this means it is important to understand the structure of a firewall. A firewall consists of at least two interfaces: public and private. The public interface faces the network to which everyone has access, generally the Internet. The private interface connects to the network that holds the protected systems and data. There can be multiple private interfaces on a firewall, depending on the number of network segments that need to be isolated. The firewall uses a set of rules, applied to each interface, to determine the type of traffic that can be passed from the public to the private networks. All traffic not explicitly allowed by the rules is denied.

Firewalls can also do a lot more, which has advantages and disadvantages. There is a temptation to save money by having the firewall act as a VPN terminator, IDS, authentication server, and DNS server, as well as perform firewall services. As with any other network device, the more services it runs, the larger its attack surface and the greater the security risk. A firewall should not be used to run multiple services. As critical as the firewall is to the security infrastructure, anything that increases the risk of a security breach should be avoided at all costs.

NOTE

A possible exception to limiting the number of services on a firewall is VPN termination: many companies prefer to have VPNs terminated on the firewall. Check Point, Cisco, and NetScreen, the three largest firewall vendors, support this combination, and there is some justification for it.


A firewall is the second layer of protection within the network (illustrated in Figure 10.1), the first being the router. The deeper a packet travels into the network, the more specific the protection gets. At the router level the concentration is on which IP addresses are allowed or denied, and on dropping malformed packets. The firewall looks at which ports are allowed and denied, and it determines to which devices those rules apply. Firewalls are also useful for blocking smaller network segments or individual IP addresses.

Figure 10.1. The firewall is the second layer of protection on the network. It is used to separate the public and private networks, and filter unwanted traffic.

graphics/10fig01.gif

Because routers are often overworked, using the router to filter out a single IP address, or a small block, can create unnecessary load. In certain cases filtering at the router level makes sense, such as when filtering RFC 1918 IP blocks (private address space that should never arrive from the Internet). But if it is a single host that needs to be stopped, it is usually better to do it at the firewall level.

Firewalls are useful for protecting networks from unwanted traffic. If a network has no public servers on it, then a firewall is a great tool for denying all incoming traffic that is not a reply to a connection originated by a machine behind the firewall. If the only public server is a DNS server, the firewall can likewise be configured to deny all inbound traffic except port 53 traffic destined for that server.

The strength of a firewall lies in its ability to filter traffic based on a set of rules, called a rule set, entered by the administrator. This can also be the biggest weakness of firewalls; bad or incomplete rule sets can leave openings for attackers, leaving the network insecure. Fortunately, most firewalls make it difficult, though certainly not impossible, to design bad rule sets.

Many administrators don't think of the firewall as a device that filters in both directions. There is a lot of concern about keeping unwanted traffic from reaching the private network, but not a lot of time is devoted to keeping unwanted traffic from leaving it for the public network. Attention should be paid to both types of rule sets. If an attacker manages to break into a server, he or she should not be able to use that server to launch attacks against remote network devices. It is important to ensure the traffic leaving the network is as secure as the traffic entering the network.
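The rule-set behaviour described in the preceding paragraphs (rules applied per interface, first match wins, everything not explicitly allowed is denied, a public side that admits only DNS to one server, and an egress rule set that stops a compromised host from attacking outward) as an added example. This is a small Python model written for this page, not code from the book or from any vendor's product. The addresses, ports and packets are constructed, and the flow table that lets replies back in is a simplified stand-in for a stateful firewall's connection tracking.

```python
"""Model of a two-interface packet filter with per-interface rule sets.

Added example (not from the book): rules are tried in order on the interface
the packet arrives on, the first match decides, and a packet matching no rule
is dropped (default deny). A small flow table lets replies to connections
opened from the private side back in, so the public-side rule set can be
nearly empty. All addresses and ports below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "public" or "private"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str                   # interface this rule is applied to
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # flows opened from the private side: (proto, src, sport, dst, dport)
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        # A reply to a flow the private side opened is allowed back in.
        if p.iface == "public" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.iface == "private":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"  # implicit default: nothing not explicitly allowed gets through


INTERNAL = "10.0.0.0/24"      # constructed private segment
DNS_SERVER = "10.0.0.53/32"   # constructed address of the public DNS server

# Inbound: only DNS queries to the one DNS server. Outbound: only web and DNS,
# and only from addresses that belong to the internal segment (anti-spoofing).
TIGHT_RULES = [
    Rule("allow", "public", "udp", dst=DNS_SERVER, dport=53),
    Rule("allow", "private", "tcp", src=INTERNAL, dport=80),
    Rule("allow", "private", "tcp", src=INTERNAL, dport=443),
    Rule("allow", "private", "udp", src=INTERNAL, dport=53),
]

# A sloppy variant of the first rule: any protocol, to the whole segment.
LOOSE_RULES = [Rule("allow", "public", dst=INTERNAL, dport=53)] + TIGHT_RULES[1:]


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return the verdict for each packet, in arrival order, through one firewall."""
    fw = Firewall(rules)
    return [fw.filter(p) for p in packets]


SAMPLE = [  # constructed traffic, in arrival order
    Packet("public", "udp", "198.51.100.9", 5353, "10.0.0.53", 53),   # DNS query: allow
    Packet("public", "tcp", "198.51.100.9", 40000, "10.0.0.53", 22),  # SSH to the DNS box: deny
    Packet("private", "tcp", "10.0.0.7", 51000, "203.0.113.5", 443),  # web from inside: allow
    Packet("public", "tcp", "203.0.113.5", 443, "10.0.0.7", 51000),   # its reply: allow
    Packet("public", "tcp", "203.0.113.5", 443, "10.0.0.8", 51000),   # unsolicited inbound: deny
    Packet("private", "tcp", "10.0.0.7", 51001, "203.0.113.5", 22),   # compromised host attacking out: deny
    Packet("private", "tcp", "192.0.2.1", 51002, "203.0.113.5", 80),  # spoofed source from inside: deny
    Packet("public", "tcp", "198.51.100.9", 40001, "10.0.0.7", 53),   # 53/tcp to a workstation: depends on rule set
]

if __name__ == "__main__":
    for p, tight, loose in zip(SAMPLE, run(TIGHT_RULES, SAMPLE), run(LOOSE_RULES, SAMPLE)):
        print(f"{p.iface:7} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  tight={tight} loose={loose}")
```

Running it prints both verdicts for each packet. The last packet is the point of the LOOSE_RULES variant: one rule written as "any protocol, to the whole segment" instead of "UDP, to the one DNS host" opens 53/tcp on every internal machine, which is exactly the kind of incomplete rule set the text warns about. The sixth and seventh packets show the private-side rule set doing its job: a host that has been broken into cannot open arbitrary outbound connections or send packets with a forged source address.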

Another consideration often overlooked by network administrators is running multiple firewalls on a network. It is important to protect traffic entering and exiting the network, but it is equally important to protect traffic traveling within the network. To protect and further segment internal traffic, administrators will often run two sets of firewalls, the first set to protect the entire network, and the second set to protect different network segments.

NOTE

When using multiple layers of firewalls on a network, it is usually a good idea to use different types of firewalls. For example, if the primary firewall, or pair of firewalls, is Check Point, the internal firewalls should be NetScreen or PIX. This way, if an attacker manages to exploit a vulnerability in one firewall, the second will still provide a layer of protection. The cost is that the staff must maintain two sets of administrative skills and two rule-set syntaxes.


Multiple firewall layers also allow security administrators to better control the flow of information, especially in and out of departments that deal with sensitive information (Figure 10.2). Activities that may be permitted on the rest of the network can be restricted in more sensitive areas, without placing an undue burden on the primary firewall.

Figure 10.2. Using multiple layers of firewalls on a network helps to increase security. By adding an extra layer of protection to departments that have sensitive data, administrators can help ensure the security of company information.

graphics/10fig02.gif



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska