Additional Firewall Security Considerations
This section addresses some specific topics regarding security and discusses some of the issues surrounding them.
File Transfer Protocol (FTP) Port
Many sites today choose to block incoming TCP sessions originated from the outside world while allowing outgoing connections. The trouble with this is that blocking incoming connections breaks traditional FTP client programs, because these programs use the PORT command to tell the server where to connect to send the file. The client opens a control connection to the server, but the server then opens a data connection back to an effectively arbitrary port number (greater than 1023) on the client, which is exactly the kind of inbound connection the filter drops.
Fortunately, there is an alternative to this behavior that lets the client open the data socket, so you can keep both the firewall and FTP. The client sends a PASV command to the server, receives back an address and port number for the data socket, opens the data socket to the indicated port, and finally performs the transfer over that connection.
In order to implement this, the standard FTP client program must be replaced with a modified one that supports the PASV command. Most recent implementations of the FTP server already support the PASV command. The only trouble with this idea is that it breaks down when the server site has also blocked arbitrary incoming connections.
Source files for a modified FTP program that works through a firewall are now available via anonymous FTP at ftp.cisco.com. The file is /pub/passive-ftp.tar.Z. This is a version of BSD 4.3 FTP with the PASV patches. It works through a firewall router that allows only incoming established connections.
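As an added illustration, not part of the original chapter and unrelated to the passive-ftp sources mentioned above, the following Python models the PORT/PASV address encoding and shows which site's "block incoming connections" rule stops each transfer mode. The addresses, ports and the 227 reply are constructed sample values.

```python
import re

# Constructed sample PASV reply; 195*256 + 80 = data port 50000.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port): host is h1.h2.h3.h4, port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Encode the PORT command an active-mode client sends; same h,p encoding as 227."""
    if not 1024 <= port <= 65535:
        raise ValueError("data port must be greater than 1023")
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def data_connection_initiator(mode):
    """Who opens the data connection: the server (active/PORT) or the client (passive/PASV)."""
    if mode == "active":
        return "server"      # server connects back to the client's advertised port
    if mode == "passive":
        return "client"      # client connects to the port the server advertised
    raise ValueError("unknown FTP mode %r" % mode)


def transfer_works(mode, client_blocks_inbound, server_blocks_inbound):
    """A filter that permits only outbound-initiated ('established') TCP drops any
    data connection initiated toward its own site. Returns True if the transfer completes."""
    if data_connection_initiator(mode) == "server":
        return not client_blocks_inbound   # active mode needs inbound access to the client
    return not server_blocks_inbound       # passive mode needs inbound access to the server


if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))
    print(build_port_command("198.51.100.7", 4000))
    for mode in ("active", "passive"):
        print(mode, "client filter only:", transfer_works(mode, True, False),
              "both filters:", transfer_works(mode, True, True))
```

The last case reproduces the limitation noted above: once the server site also blocks arbitrary incoming connections, neither mode's data connection gets through.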
There are a number of nonstandard services available from the Internet that provide value-added services when connecting to the outside world. In the case of a connection to the Internet, these services can be very elaborate and complex. Examples of these services are World Wide Web (WWW), Wide Area Information Service (WAIS), Gopher, and Mosaic. Most of these systems are concerned with providing a wealth of information to the user in some organized fashion and allowing structured browsing and searching.
Most of these systems have their own defined protocol. Some, such as Mosaic, use several different protocols to obtain the information in question.
Use caution when designing access lists applicable to each of these services. In many cases, the access lists will become interrelated as these services become interrelated.
Specially Designed Firewalls
This chapter concentrated on security from a router-centric point of view. However, in addition to router security, many organizations are deploying dedicated firewall security. Not only does a firewall provide a very tight degree of control, but it also has the added benefit of enabling the use of both Network Address Translation (NAT) and demilitarized zones (DMZs).