Enforcing the Ground Rules


Parents get to enforce ground rules all the time. Imagine that a kid wants to get permission from a parent to go somewhere or play with someone. "Can I go to Billy's house to play?" the kid asks. His parent replies, "No, Billy's dad leaves his R-rated video tapes lying around, and I don't want you and Billy to be tempted to watch them while his parents aren't home. But Billy can come over here to play." The parent knows what's safe and what isn't and enforces the rules.

Now that Fred knows what he does and doesn't want to happen in his network, he can enforce the rules with a firewall. The network engineer configures the firewall with a set of rules that tell it what's legal and what isn't. Then the firewall allows some packets to pass through it and discards others to enforce the rules.

To enforce the rules, the firewall needs to be in the path that is used for forwarding packets to and from the Internet. Figure 18-4 shows one typical topology.

Figure 18-4. Putting Up a Wall Between the Dangerous Folks and Your Network


The only new icon in the figure is the icon that Cisco uses to represent its firewall product, called a PIX Firewall. Regardless of the model or brand of firewall, the firewall forwards the packets that enter and exit the Internet connection. The firewall behaves like a router in that it forwards IP packets. But because the firewall sees all the packets passing over the Internet connection, the firewall can decide whether each packet should or shouldn't be allowed, based on the rules set up for the network. A network engineer would have to configure the firewall to tell it the information included in Table 18-1. The firewall will simply pass what is allowed and discard what is not.

Ways to Watch Your (Network) Neighborhood

When watching out for strangers in the neighborhood, some parents, particularly moms, can get a reputation of knowing everything that the kids are up to. Children the world over often wonder how moms can somehow know what they are doing even when the parents aren't watching. It's like moms have another set of eyes in the backs of their heads. Of course, moms really just know human nature, so they can look for signs that somebody might be up to something, such as when a normally boisterous little boy is suddenly quiet for a few minutes.

A firewall acts a little like a mom who lives at the entrance of the neighborhood. Not only does the firewall watch the traffic entering the network, but it also knows the nature of the traffic that should be allowed to flow through it.

One of the more important things that a firewall must do is to recognize when a host is initiating a new flow. For instance, Fred allows clients in his network to initiate a new flow to an Internet-based web server, but Internet clients can't initiate a flow to Fred's internal servers or to other internal user hosts inside Fredsco's network. So it's pretty important that the firewall be able to figure out who's initiating the new flow.

A firewall knows what to expect with many network flows, particularly those that use TCP. With TCP, a firewall can easily identify who's initiating a flow. In TCP lingo, a flow is the equivalent of a TCP connection. The host that is initiating the TCP connection sends the first TCP segment, and there's something unique about that first segment. All the firewall has to do is look for TCP segments that have that unique characteristic to figure out when a new TCP connection, or flow, is being created. Figure 18-5 shows a view of the three TCP segments that are used to create a TCP connection.

Figure 18-5. TCP Connections and Well-Known Ports


Before an application can use TCP to send data, TCP creates a TCP connection. The first TCP segment that is used to create a TCP connection sets the SYN flag bit (short for synchronize) to binary 1. TCP headers include a set of flag bits in the header, such as the SYN flag, and those flags are used for functions like this three-way connection establishment. For instance, the second segment has both the SYN and the ACK bits set, which is what TCP protocols define as the correct flags to be set in the second TCP segment in the three-segment TCP connection establishment flow.

Figure 18-5 shows an Internet-based client (C3) sending a segment with the SYN bit set to http://www.fredsco.com. The firewall, seeing that segment, knows that C3 is initiating the connection. How? Well, the only TCP segment that has the SYN bit set, and not the ACK bit, is the first segment of a connection between a pair of hosts. So, the first segment in the figure is indeed the first segment of a new TCP connection. To identify who sent the packet, all the firewall has to do is look at the source IP address of the packet. The firewall can also look at the destination IP address to know who's the receiver of the TCP connection, in this case, 1.1.1.1.

Firewalls also need to know what application protocol is in use. Back in Chapter 9, "Choosing Shipping Options When Transporting Goods over the (Network) Roadway," you read about how each server uses a well-known TCP or UDP port number. That way, when a client such as C3 wants to browse the http://www.fredsco.com website, the client can use a destination port number of 80, the well-known port number for HTTP.
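The following is an added example (not code from the book) that decodes a raw IPv4 and TCP header and classifies each segment of the handshake from Figure 18-5 by its flag bits, the way a firewall spots the initiator. The three packets are constructed by hand; the client address 198.51.100.7 (standing in for C3) and its port 40000 are assumptions, while 1.1.1.1:80 is www.fredsco.com as in the figure.

```python
"""Decode IPv4+TCP headers from raw bytes and classify each segment's place
in the three-way handshake, the way a firewall identifies the initiator.

Added example, not code from the book. The packets at the bottom are
constructed by hand; 198.51.100.7 (C3) and port 40000 are assumptions,
1.1.1.1:80 is www.fredsco.com as in Figure 18-5.
"""
import struct
from ipaddress import IPv4Address

# TCP flag bits as they sit in the low byte of the offset/flags field
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return addresses, ports and flags of a TCP segment carried in IPv4."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes (options included)
    if proto != 6:
        raise ValueError("not a TCP segment")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF,      # low 9 bits: NS plus the 8 classic flags
    }


def handshake_role(flags: int) -> str:
    """Map flag bits to the segment's role; SYN without ACK marks the initiator."""
    if flags & TCP_RST:
        return "reset"
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "new-connection"          # segment 1: sent by the client
    if flags & TCP_SYN and flags & TCP_ACK:
        return "handshake-reply"         # segment 2: sent by the server
    if flags & TCP_ACK:
        return "established"             # segment 3 and every later data/ACK segment
    return "other"


def build_ipv4_tcp(src, dst, sport, dport, flags, seq=0, ack=0) -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)   # data offset = 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def classify_handshake(packets):
    """Return (sender, receiver:port, role) per packet, as a firewall would log it."""
    out = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        # On the SYN-only segment the source is the initiator and the
        # destination (with its well-known port) is the server.
        out.append((p["src"], f'{p["dst"]}:{p["dport"]}', handshake_role(p["flags"])))
    return out


# Constructed three-way handshake between C3 and www.fredsco.com (1.1.1.1)
C3, WEB = "198.51.100.7", "1.1.1.1"
HANDSHAKE = [
    build_ipv4_tcp(C3, WEB, 40000, 80, TCP_SYN, seq=1000),
    build_ipv4_tcp(WEB, C3, 80, 40000, TCP_SYN | TCP_ACK, seq=5000, ack=1001),
    build_ipv4_tcp(C3, WEB, 40000, 80, TCP_ACK, seq=1001, ack=5001),
]

if __name__ == "__main__":
    for entry in classify_handshake(HANDSHAKE):
        print(entry)
```

Only the first segment reports "new-connection", so a firewall that keys its decision on that segment alone learns the initiator (the source address) and the service (the destination port) without having to inspect any later segment.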

Deciding When to Stop the Traffic

Based on the facts in this short section, a firewall can look at a packet, figure out who's the initiator (client) of the connection, and determine which protocol (well-known port) is being used. Knowing those facts, the firewall can apply the rules about what is and isn't allowed.

Figure 18-6 shows an example of how a firewall thinks when it sees the first packet in a new connection. In fact, it's the same TCP connection shown in Figure 18-5.

Figure 18-6. Allowing the TCP Connection from Figure 18-5


When C3 first sends the IP packet with the initial TCP segment, the firewall notices that the segment has the SYN bit set. The firewall then considers the interface in which the packet arrived, in this case, the interface connecting the firewall to the Internet. In firewall lingo, that's called the outside interface because it's outside the network that the firewall is trying to protect. The firewall also notices that the segment had destination port 80 in it, which is used for HTTP.

The firewall then looks at the rules that the network engineer configured for it. It appears that HTTP (port 80) traffic from the Internet (meaning from the "outside") to that web server (IP address 1.1.1.1, on the inside interface) is indeed allowed. In other words, clients on the Internet should be allowed to hit www.fredsco.com because that server is intended for customer use. So, the firewall passes this packet and all subsequent packets that are part of this single TCP connection.

The firewall uses similar logic to stop packets that should not be allowed. Imagine that C3 tries to open a browser to go to int.fredsco.com, one of Fredsco's internal web servers, whose IP address is 1.1.1.2. Figure 18-7 outlines the logic.

Figure 18-7. Disallowing a TCP Connection to an Inside Web Server


The firewall's rules, shown at the bottom of the figure, tell it two types of connections that can be initiated from the outside to the inside. This new connection does not match either of those rules. So, the firewall discards the IP packet, which prevents the TCP connection from ever being completed. Because a TCP connection must be completed before any application data can be sent, there will never be HTTP application messages sent between the server and the client; in fact, not even this initial TCP segment reaches server 1.1.1.2. The server is completely unaware that C3 tried to reach it.

Safe Places Outside of Your Neighborhood (Network)

It could be that you live near a park, and most parents in the neighborhood let their kids hang out at the park. It's a public place, so it's not as safe as being at home, but it might be safe enough.

Likewise, many networks create the equivalent of a safe public park with their firewalls. Firewalls act like routers in that they forward packets based on the destination IP address. Like routers, a firewall typically has at least two physical interfaces, and like a router, a firewall can have more than two interfaces. The outside interface connects to the Internet, which is considered relatively unsafe. The inside interface connects to the internal network, which is relatively safe. In firewall lingo, a third interface might be connected to another LAN, called a demilitarized zone (DMZ), which is somewhere between the inside and outside interfaces in terms of safety. Figure 18-8 shows the general idea.

Figure 18-8. A Safe but Potentially Risky Place: The DMZ


When using a DMZ, the flows that are allowed are the same as before, but the location of the servers that are accessible from the Internet has changed. The Internet-accessible servers have been placed on a different LAN. Because of that, a strong rule can be configured on the firewall: Absolutely no TCP connections can be initiated from the outside (Internet) to the inside (the internal network). The only flows that can be initiated from the Internet into Fredsco's network at all are the ones to the servers in the DMZ. By using a DMZ, the firewall creates a stronger, more secure set of security rules. The DMZ servers themselves are still exposed to the Internet, though, so the same logic should also limit what the DMZ hosts are allowed to initiate toward the inside; otherwise a compromised DMZ server becomes a stepping stone into the internal network.
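The following added example (not the book's code and not any vendor's firewall) puts the decision logic of "Deciding When to Stop the Traffic" and the three-zone DMZ policy above into one small stateful engine. The zone names, the rule table and the addresses (www.fredsco.com at 1.1.1.1 now in the DMZ, int.fredsco.com at 1.1.1.2 inside, an inside user at 10.1.1.5, and Internet hosts 198.51.100.7 as C3 and 203.0.113.9) are assumptions that mirror Figures 18-5 through 18-8. It goes slightly beyond the text in two places a practitioner would want: a segment that is neither a SYN nor part of an admitted flow is dropped, and a packet arriving on the wrong interface for its source address is treated as spoofed.

```python
"""Stateful zone-based firewall decision engine: outside, inside and DMZ.

Added example, not the book's or any vendor's code. Rule table, zone names
and all addresses are assumptions mirroring Figures 18-5 through 18-8.
"""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    in_zone: str    # interface the packet arrived on: "outside", "inside" or "dmz"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    dst: str = "any"    # a specific server address or "any"
    dport: int = 0      # 0 = any port


# Zone of each known host; anything unlisted is assumed to be on the Internet.
ZONE_OF = {"1.1.1.1": "dmz", "1.1.1.2": "inside", "10.1.1.5": "inside"}


def zone_of(addr: str) -> str:
    return ZONE_OF.get(addr, "outside")


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()    # admitted flows, keyed (src, sport, dst, dport)

    def check(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Anti-spoofing: a packet claiming an inside/DMZ address must arrive there.
        if zone_of(p.src) != p.in_zone:
            return "drop (spoofed source)"
        # Segments of a flow already admitted pass in both directions.
        if fwd in self.conns or rev in self.conns:
            if p.flags & RST:
                self.conns.discard(fwd)
                self.conns.discard(rev)
            return "allow (established)"
        # Only SYN-without-ACK can open a flow, and only if a rule permits
        # this initiator zone -> destination zone/server/port.
        if p.flags & SYN and not p.flags & ACK:
            to_zone = zone_of(p.dst)
            for r in self.rules:
                if (r.from_zone, r.to_zone) == (p.in_zone, to_zone) \
                        and r.dst in ("any", p.dst) and r.dport in (0, p.dport):
                    self.conns.add(fwd)
                    return "allow (new connection)"
            return "drop (no rule for new connection)"
        # Anything else without a known flow (bare ACK, SYN-ACK, data) is dropped,
        # so a probe cannot slip past simply by not setting SYN.
        return "drop (no matching connection)"


POLICY = [
    Rule("outside", "dmz", dst="1.1.1.1", dport=80),   # public web server only
    Rule("inside", "outside"),                          # users may browse out
    Rule("inside", "dmz"),                              # admins reach the DMZ
    # Deliberately no outside->inside and no dmz->inside rules at all.
]


def run_demo():
    """Constructed traffic run through the policy; returns one verdict per packet."""
    fw = Firewall(POLICY)
    C3, WEB, INT = "198.51.100.7", "1.1.1.1", "1.1.1.2"
    traffic = [
        Packet("outside", C3, 40000, WEB, 80, SYN),          # Figure 18-6: allowed
        Packet("dmz", WEB, 80, C3, 40000, SYN | ACK),        # server's reply
        Packet("outside", C3, 40000, WEB, 80, ACK),          # third handshake segment
        Packet("outside", C3, 40001, INT, 80, SYN),          # Figure 18-7: no rule
        Packet("outside", C3, 40002, INT, 80, ACK),          # bare ACK probe, no flow
        Packet("inside", "10.1.1.5", 50000, "203.0.113.9", 443, SYN),  # user browsing out
        Packet("dmz", WEB, 40003, INT, 445, SYN),            # DMZ host trying to pivot inside
        Packet("outside", "10.1.1.5", 40005, INT, 80, SYN),  # inside address from outside
    ]
    return [fw.check(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The connection table is what lets the server's SYN-ACK and all later segments through without a matching "dmz to outside" rule: the decision is made once, on the SYN, and remembered for the life of the flow.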




Computer Networking First-Step
ISBN: 1587201011
Year: 2004
Pages: 173
Authors: Wendell Odom