Firewall Technologies
This section focuses on the technologies used in various firewalls and how they work.
The firewall taxonomy in Figure 2-1 shows the general types of firewalls. This section
focuses more on the underlying technologies that devices that fall into those types utilize.
In some cases, one technology discussed here can fall into multiple types in the taxonomy
tree. The focus is on a wide range of firewall technologies, including the following:
Personal firewalls
Packet filters
Network Address Translation (NAT) firewalls
Circuit-level firewalls
Proxy firewalls
Stateful firewalls
Transparent firewalls
Virtual firewalls
N
ow, you might be thinking, "Wait, I thought there were three firewall products:
software based, appliance based, and integrated." The firewall technologies discussed in
this section may be used by any of the three basic physical firewalls. Indeed, these
technologies simply allow us to define a firewall in a more granular fashion. So, for
example, an appliance firewall can be further quantified as a stateful firewall. Each of
these technologies is examined and discussed to provide you with an understanding of the
differences between these technologies, and by extension the firewall devices that utilize
these technologies. Each section focuses predominantly on the operation of the firewall in
its function as a network security device. Discussion of the redundancy capabilities,
performance, and management of specific firewalls is not covered. This section provides
a brief introduction to some specific firewalls that subsequent chapters cover in greater
detail.
Personal Firewalls
Personal firewalls are designed to protect a single host. They can be viewed as a hardened
shell around the host system, whether it is a server, desktop, or laptop. Typically,
personal firewalls assume that outbound traffic from the system is to be permitted and
inbound traffic requires inspection. By default, personal firewalls include various profiles
that accommodate the typical traffic a system might see. For example, ZoneAlarm has
low, medium, and high settings that allow almost all traffic, selected traffic, or nearly no
traffic, respectively, through to the protected system. In a similar vein, IPTableswhich
you can set up as a personal firewall as well as in a network firewall roleduring the setup
of the Linux system, enables the installer to choose the level of protection for the system
and the customization for ports that do not fall into a specific profile.
One important consideration with personal firewalls is centralized management. Some
vendors have identified that a significant barrier to deployment of personal firewall on
every end system is the need for centralized management so that policies can be
developed and applied remotely to end systems and have developed such capabilities
within their products. Large enterprises are hesitant to adopt this personal firewall
technology for their systems because of the difficulty of maintaining a consistent firewall
policy across the enterprise.
Packet Filters
Packet filters are network devices that filter traffic based on simple packet characteristics.
These devices are typically stateless in that they do not keep a table of the connection
state of the various traffic flows through them. To allow traffic in both directions, they
must be configured to permit return traffic. Simple packet filters include Cisco IOS
access lists as well as Linux's ipfwadm facility to name a few. Although these filters
provide protection against a wide variety of threats, they are not dynamic enough to be
considered true firewalls. Their primary focus is to limit traffic inbound while providing
for outbound and established traffic to flow unimpeded. Example 2-1 shows a simple
access list for filtering traffic. This list is based on the network example in Figure 2-2.
The access list is applied to the inbound side of the filtering device that connects the LAN
to the Internet.
Figure 2-2. Simple Access List Sample Network
[View full size image]
Example 2-1. Simple Access List
access-list 101 permit icmp any 192.168.185.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.168.185.0 0.0.0.255 ttl-exceeded
access-list 101 permit tcp any 192.168.185.0 0.0.0.255 established
access-list 101 permit udp any host 192.168.185.100 eq 53
access-list 101 permit udp any eq 123 192.168.185.0 0.0.0.255
N
ote that inbound return traffic for DNS (53/UDP) and NTP (123/UDP) are explicitly
stated toward the end of the filter list, as are Internet Control Message Protocol (ICMP)
echo-reply and Time-To-Live (TTL)-exceeded responses. Without these statements, these
packets would be blocked even though they are in response to traffic that originated in
the protected LAN. Finally, note the following rule:
access-list 101 permit tcp any 192.168.185.0 0.0.0.255 established
This rule is required to allow return traffic from any outside system back to the
192.168.185.0/24 subnet as long as the return traffic has the TCP ACK flag set. Packet
filters typically do not have any stateful capabilities to inspect outbound traffic and
dynamically generate rules permitting the return traffic to an outbound flow. Figure 2-3
shows a simple packet-filtering firewall.
Figure 2-3. Packet-Filtering Firewall
NAT Firewalls
A distinct firewall that existed for a short period is the Network Address Translation
(NAT) firewall. In today's firewall market, NAT is a part of almost every firewall product
available. From the lowliest SOHO firewall such as the Linksys BEFSX41 to the high-
end enterprise PIX 535, NAT is now a function of a firewall. NAT firewalls
automatically provide protection to systems behind the firewall because they only allow
connections that originate from the inside of the firewall. The basic purpose of NAT is to
multiplex traffic from an internal network and present it to a wider network (that is, the
Internet) as though it were coming from a single IP address or a small range on IP
addresses. The NAT firewall creates a table in memory that contains information about
connections that the firewall has seen. This table maps the addresses of internal systems
to an external address. The ability to place an entire network behind a single IP address is
based on the mapping of port numbers on the NAT firewall. For example, consider the
systems shown in Figure 2-4.
Figure 2-4. NAT Firewall
[View full size image]
The hosts on the "inside" of the NAT firewall (192.168.1.1 and 192.168.1.2) are both
trying to access the web server 10.100.100.44. Host 192.168.1.1 opens up TCP port 3844
and connects to the web server 10.100.100.44 at TCP port 80. Host 192.168.1.2 opens
TCP port 4687 and connects to the web server 10.100.100.44 at TCP port 80. The NAT
firewall is configured to translate the entire 192.168.1.0/24 network to the single IP
address 172.28.230.55. When the firewall sees the outbound connections, it rewrites the
IP layer information in the traffic and replaces 192.168.1.1 and 192.168.1.2 with the
single IP address 172.28.230.55. Internally, the NAT firewall maintains a table that keeps
track of the traffic flows and translates both 192.168.1.1 and 192.168.1.2 to the IP
address 172.28.230.55. It does this by means of network sockets that uniquely identify a
given connection. For the example shown in Figure 2-4, there are two unique sockets:
192.168.1.1:3844 and 192.168.1.2:4687. When this traffic is seen by the firewall, the
N
AT process replaces the 192.168.1 network addresses with the 172.28.230.55 address.
Table 2-1 shows this process.
Table 2-1. Network Address Translation
Source IP Source
Port
NAT IP NAT
port
Destination
IP
Destination
Port
192.168.1.1 3844 172.28.230.55 3844 10.100.100.44 80
192.168.1.2 4687 172.28.230.55 4687 10.100.100.44 80
192.168.1.1 4687 172.28.230.55 63440 10.100.100.44 80
The last entry in the table shows what a NAT firewall does when a specific source port is
already taken by a previous connection. In this case, the client 192.168.1.1 is attempting
to make a second connection to the web server 10.100.100.44. The client opens a
connection on TCP port 4687; however, TCP port 4687 on the NAT firewall is already