The security mechanisms covered thus far in this chapter are primarily concerned with internal network security, that is, with preventing users on the same local area network (LAN) or internetwork from accessing files and other resources that they do not need. This type of security is important, but routine. There is a whole world of potential security hazards outside the private internetwork, however, and the Internet connection that most networks have today is the door through which these hazards can enter. A firewall is a hardware or software product designed to protect a network from unauthorized access by outside parties. If your network is connected to the Internet, you must have some sort of firewall to protect it because intruders can wreak havoc on the network that you have so carefully designed and constructed.
Firewalls are usually deployed to protect a private network or internetwork from unauthorized access via the Internet. However, you can also use a firewall internally to protect one section of the network from the rest of it. For example, you can use a firewall to isolate the LAN used by your company's accounting department to prevent other users from accessing confidential financial records.
A firewall is essentially a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether or not it should be permitted to pass to the other network. A firewall can take many different forms and use different criteria to evaluate the network traffic it receives. Some firewalls are dedicated hardware devices, essentially routers with additional software that monitors incoming and outgoing traffic. In other cases, firewalls are software products that run on a standard computer. At one time, all firewalls were complex, extremely expensive, and used only in professional network installations. These high-end products still exist, but today you can also purchase inexpensive firewall software products designed to protect a small network or even an individual computer from unauthorized access through an Internet connection.
There are several methods that firewalls can use to examine network traffic and detect potential threats. Most firewall products use more than one of these methods and often provide other services as well. For example, one firewall product—a proxy server—not only enables users to access Web pages with complete safety, but also can cache frequently used pages for quicker retrieval by other systems. Some of the most common firewall technologies are covered in the following sections.
A packet filter is the most basic type of firewall, one that examines packets arriving over its interfaces and decides whether to allow them access to the other network based on the information found in the various protocol headers used to construct the packets. Packet filtering can occur at any one of several layers of the Open Systems Interconnection (OSI) reference model. A firewall can filter packets based on any of the following characteristics:
The strength of the protection provided by packet filtering is its ability to combine the various types of filters. For example, you might want to permit Telnet traffic into your network from the Internet, so that network support personnel can remotely administer certain computers. However, leaving port 23 (the Telnet port) open to all Internet users is a potentially disastrous security breach. Therefore, you can combine the port number filter with an IP address filter to permit only certain computers (those of the network administrators) to access the network using the Telnet port.
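The combined Telnet rule described above, as an added example that is not part of the original text: a small first-match packet filter in which each rule may specify protocol, source network and destination port, with a deny-by-default fallback. The administrators' subnet and the other addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    action: str               # "permit" or "deny"
    protocol: str             # "tcp", "udp" or "any"
    src: str                  # source network in CIDR notation
    dst_port: Optional[int]   # destination port; None matches any port

@dataclass
class Packet:
    protocol: str
    src_ip: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every criterion it specifies matches the packet."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True

def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """The first matching rule decides; a packet matching no rule gets the default (deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed policy for the Telnet scenario: port 23 is reachable only from the
# (hypothetical) administrators' subnet and is explicitly closed to everyone else.
TELNET_POLICY = [
    Rule("permit", "tcp", "198.51.100.0/29", 23),   # administrators' workstations
    Rule("deny", "any", "0.0.0.0/0", 23),           # port 23 from anywhere else
    Rule("permit", "tcp", "0.0.0.0/0", 80),         # public Web server stays reachable
]

if __name__ == "__main__":
    for p in (Packet("tcp", "198.51.100.3", 23), Packet("tcp", "203.0.113.9", 23)):
        print(p.src_ip, "-> port", p.dst_port, filter_packet(TELNET_POLICY, p))
```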
Packet filtering capabilities are usually provided with a standard router. Lesson 2: Configuring TCP/IP, in Chapter 11, "TCP/IP Configuration," explained that Windows 2000 includes its own basic packet filtering mechanism. This means that you can implement packet filters to protect your network without incurring massive additional expenses. Packet filtering usually does not have a major effect on the router's throughput, unless you create a large number of filtering rules. Remember that the router must process each packet individually against the filtering rules you create, so a very complex system of filters can conceivably slow the network down.
The main drawback of packet filtering is that it requires a detailed understanding of TCP/IP communications and the ways of the criminal mind. Using packet filters to protect your network means participating in an ongoing battle of wits with those who would infiltrate your network. Potential intruders are constantly inventing new techniques to defeat standard packet filter configurations, and you must be ready to modify your filters to counteract these techniques.
Network address translation (NAT) is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses. If you connect a network to the Internet without firewall protection of any kind, you must use registered IP addresses for your computers so that they can communicate with other computers on the Internet. However, registered IP addresses are, by definition, visible from the Internet. This means that any user on the Internet can conceivably access your network's computers and, with a little ingenuity, access any resource. The results can be disastrous. Network address translation prevents this from happening by enabling you to assign unregistered IP addresses to your computers. These addresses fall into a range of addresses specifically designated for use on private networks. These addresses are not registered to any Internet user, and are therefore not visible from the Internet, so you can safely deploy them on your network without limiting your users' access to Internet sites.
For more information about registered and unregistered IP addresses, see Lesson 2: IP Addressing, in Chapter 8, "TCP/IP Fundamentals."
After you assign these private IP addresses to the computers on your network, outside users can't see your computers from the Internet. This means that an Internet server can't send packets to your network, so your users can send traffic to the Internet but can't receive it.
To make normal Internet communications possible, the router that provides Internet access can use NAT. For example, when one of the computers on your network attempts to access an Internet server using a Web browser, the Hypertext Transfer Protocol (HTTP) request packet it generates contains its own private IP address in the IP header's Source IP Address field. When this packet reaches the router, the NAT software substitutes its own registered IP address for the client computer's private address and sends the packet on to the designated server. When the server responds, it addresses its reply to the NAT router's IP address. The router then inserts the original client's private address into the Destination IP Address field and sends the packet on to the client system. All of the packets to and from the computers on the private network are processed in this manner, using the NAT router as an intermediary between the private network and the Internet. Because only the router's registered IP address is visible to the Internet, it is the only computer that is vulnerable to attack.
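The exchange just described, as an added example that is not part of the original text: a simulated NAT router rewrites the Source IP Address of outbound packets and restores the private Destination IP Address on replies. The per-connection port mapping is an assumption added so that replies for several private clients sharing one registered address can be told apart; the addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Substitutes the router's registered address for private ones on the way
    out and puts the private address back on the way in. The port mapping is an
    assumption of this example, not something the text describes."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port: Dict[int, Tuple[str, int]] = {}   # public port -> (private ip, port)
        self.by_private: Dict[Tuple[str, int], int] = {}       # (private ip, port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Private client -> Internet: the server will only ever see public_ip."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.by_private[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private network: restore the original client's address.
        A packet with no table entry is not a reply to anything a client sent,
        so there is no private host to deliver it to and it is dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.by_public_port:
            return None
        priv_ip, priv_port = self.by_public_port[pkt.dst_port]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

if __name__ == "__main__":
    nat = NatRouter("203.0.113.1")
    request = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    reply = nat.inbound(Packet("198.51.100.20", 80, request.src_ip, request.src_port))
    print("server saw", request.src_ip, "- reply delivered to", reply.dst_ip)
```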
A popular security solution, NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions designed for home and small business networks. In fact, the Internet Connection Sharing (ICS) feature included with the latest versions of Windows is based on the principle of NAT.
Run the NAT video located in the Demos folder on the CD-ROM accompanying this book for a demonstration of NAT.
Proxy servers are software products similar to NAT routers, except that they function at the application layer of the OSI reference model. Like a NAT router, a proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access. The clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server. The Internet server replies to the proxy server, which relays the response to the client. This effectively renders the private network invisible to the Internet and also provides other features.
As mentioned earlier, proxy servers can cache the information they receive from the Internet, so that if another client requests the same information, the proxy can supply it immediately from its cache instead of issuing another request to the Internet server. Administrators can also configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services. For example, you can configure most Web proxy servers to permit user access only to specific Web sites.
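The relay, cache and site-restriction behaviour described in the last two paragraphs, as an added example that is not part of the original text: a simulated Web proxy that refuses requests for sites outside a permitted list before anything leaves the network, forwards permitted requests under its own address, and answers repeat requests from its cache. The origin server, page contents and addresses are all constructed stand-ins.

```python
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

class WebProxy:
    """Application-layer intermediary: clients talk only to the proxy, and the
    Internet server only ever sees the proxy's address."""

    def __init__(self, fetch_origin: Callable[[str, str], str],
                 permitted_sites: Set[str], proxy_ip: str):
        self.fetch_origin = fetch_origin   # (url, requester_ip) -> body; stands in for the Internet
        self.permitted = permitted_sites
        self.proxy_ip = proxy_ip
        self.cache: Dict[str, str] = {}
        self.origin_requests = 0           # how many times the Internet was actually contacted

    def request(self, client_ip: str, url: str) -> Tuple[int, str]:
        host = urlsplit(url).hostname
        if host not in self.permitted:
            # Policy check comes first: nothing is fetched for a blocked site.
            return 403, "blocked by proxy policy: %s" % host
        if url not in self.cache:
            # Duplicate request goes out under the proxy's address, not client_ip.
            self.origin_requests += 1
            self.cache[url] = self.fetch_origin(url, self.proxy_ip)
        return 200, self.cache[url]

# Constructed origin: a dictionary of pages plus a log of the addresses it was contacted from.
ORIGIN_PAGES = {"http://docs.example/policy.html": "<html>policy</html>"}
ORIGIN_SEEN_FROM: List[str] = []

def fake_origin(url: str, requester_ip: str) -> str:
    ORIGIN_SEEN_FROM.append(requester_ip)
    return ORIGIN_PAGES[url]

def build_proxy() -> WebProxy:
    """Proxy at a constructed registered address permitting a single site."""
    return WebProxy(fake_origin, {"docs.example"}, "203.0.113.1")

if __name__ == "__main__":
    proxy = build_proxy()
    for client in ("192.168.1.10", "192.168.1.11"):
        print(client, proxy.request(client, "http://docs.example/policy.html"))
    print(proxy.request("192.168.1.10", "http://other.example/"))
    print("origin contacted", proxy.origin_requests, "time(s) from", ORIGIN_SEEN_FROM)
```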
The main problem with proxy servers is that you have to configure applications to use them, using an interface like that shown in Figure 13.9. A NAT router provides protection to the network computers while remaining essentially invisible to them, but the process of configuring a client computer to use proxies for a variety of applications can be time-consuming. However, some proxy clients and servers now have automatic detection capabilities that enable a client application to discover the proxy servers on the network and use them.
Figure 13.9 The Internet Explorer Proxy Settings dialog box
Generally speaking, proxy servers are the preferred solution when you want to impose greater restrictions on your users' Internet access, such as limiting the applications they can use to access the Internet and the sites that they are permitted to visit. Network address translation provides more general Internet access without any unusual client configuration, and still provides a similar degree of protection.