Understanding Firewalls
Written by Steve Lake
Posted on: May 09, 2008 at 01:38pm
Section: Tutorials

The term "firewall" originally came from the building trade: a wall of stone or brick designed to confine a fire to one part of a building and so protect the rest of it. It may not always have worked, but that was the general concept. In today's tech world a firewall is something entirely different. Webster defines a firewall as "computer hardware or software that prevents unauthorized access to private data (as on a company's local area network or intranet) by outside computer users". In short, it stops the bad guys from getting in while allowing you to get out, much like a security guard for your network or PC.
"But where does this security guard sit, and how does that affect my internet connection?" you might ask. The answer is quite simple. But let me first show you all the core pieces and parts that go into making a typical internet connection. Sometimes it helps to have someone show you all the parts before having them explained to you.
As you can see in this example, there is a series of steps that your data must take when travelling to and from the internet. You first start out with the internet cloud. Out there can exist everything from your best friends to the most vile of criminals.
The next stop in the chain is your internet modem. For a large number of people this is a POTS-based dialup modem. If you're a high speed internet user you will instead have a stand-alone box that is either a dedicated modem or a combination modem and router. Its job is to convert the analog or digital signals carried over the phone line, the cable line, or the air (in the case of satellite) into the standard Ethernet signals your equipment understands.
The next stop in the line is your firewall. On dialup connections it is found on the PC that dials in to the internet. On high speed connections it is typically attached somewhere on the network and in most cases is a stand-alone machine.
Next up, if you're using high speed internet, will be your switch, router or hub. If you're using dialup this won't be here, because the modem hands data directly to the PC with no middleman. Only when the dialup modem is external to the PC will you need one of these. External dialup modems of this kind are typically known as web ramps and act much like the modems used for high speed internet connections.
The last item in the list is your individual PC or group of PCs. This is the device we're ultimately trying to protect. A well protected PC is a happy PC, and a happy PC makes a safe and happy owner. I know that sounds a bit sappy, but it's true. How often has your PC been grumpy and made you grumpy too?
And those are all the pieces and parts of a typical internet connection. Now that I've explained that, it's time to begin understanding the firewall itself and how it operates. Think of your firewall like a security guard at a show or a concert. When you come to the show you're greeted by a series of gates. If you don't have a ticket yet, you'll be required to enter at one of the open gates. If you try to enter through one of the closed gates, you'll be denied access. But if you already have a ticket, and it's one that allows you in at a particular gate, you'll be allowed through even if that gate is closed. You can only come through the closed gates you have tickets for.
Now as for getting a ticket, there's a catch. There is nobody outside the concert selling tickets. You must first enter the premises through an open gate to get one. I know it sounds a bit counterproductive that you have to enter first in order to get permission to enter, but that's what the open gates are for.
If one of the gates is open, and you go to it, you'll be allowed to enter. But
you can't go any further than the ticket booth. If the booth is closed, you're stuck
and you can't proceed any further. But if it's open, you can get your ticket, enter,
do what you need to, and then leave. When you return, you'll have your ticket and be
able to enter again through another gate even if the gate is closed. Now if the gate
is locked, it won't matter if you have a ticket or not, because you'll be denied access
regardless.
Now before you start wondering how this example of a concert or show ties into our
discussion of how a firewall works, let me explain this further and connect the two for
you. The guard at the concert is the firewall. The gates are ports on the
firewall. If a port is open, incoming connections are allowed to pass through the
firewall to the target computer uncontested. They might be searched for illegal
data, such as invalid packets or potentially malicious content (this is known as stateful
packet filtering), but otherwise they're left alone.
Once they reach the ticket booth (an open port on the target PC) they negotiate a connection (the ticket). If they are successful, a connection is established (entrance into the concert) and whatever data transactions are necessary are made. If communicating on the default starting port is not conducive to normal operation, the remote PC might be asked to use a different port (leaving and coming back through a different gate) through which it now has permission to enter and continue the conversation (via the previously granted ticket).
Therefore, the initial default port is sometimes referred to as the connection port. For web servers that would be port 80. For ftp, port 23. And so on. On some firewalls, though, there are no open gates. Everything is closed or locked, so the only way through is if the outside computer has been given permission by the internal computer to pass through the firewall and talk to it.
Firewalls can also do more than just keep out bad guys. They can also be used to keep those inside from getting out. This might seem counterproductive to most, but it has its uses. Say, for example, you're at work and employees are only allowed to connect to a single group of approved sites or services (i.e. AIM, telnet, FTP, etc.) but no others. The company firewall can be set up to prevent you from connecting to any service or website other than those approved by the company. Traffic can be filtered by IP address, by port number, or even by port range, while allowed and approved sites remain unrestricted.
Now on the subject of stateful packet filtering, since I did mention it above, and I
know you're probably wondering by now what that is, I'll explain that next.
According to RFC 2647, stateful packet
filtering is "The process of forwarding or rejecting traffic based on the contents of
a state table maintained by a firewall." It's this "state table" that
spawns the term "stateful packet filtering". Now to break this down into
simpler terms, data travels across the internet or a network in small bundles of data
known as packets. They're the network equivalent of a shipping box with a mailing
label. The header, or label if you will, tells routers, switches, and other network
devices where to send the packet, how big it is, how to route it and more.
The rest of the packet contains the data being sent and is followed up by a small
"tail" that tells a network device that it's reached the end of the data.
It's these packets that the firewall handles and the state table monitors. A state table is essentially a simple database that keeps track of the "state" of all packets going in and out through a network connection. In the case of a firewall, it is used to monitor all network connections travelling across it, giving a network administrator more detailed and fine-grained control over what passes through the firewall than if it were "stateless".
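To make the gate analogy and the state table concrete, here is a toy stateful packet filter written as an added example for this article (it is not the author's code or any product's). Ports are marked open, closed or locked exactly as the concert gates were, the state table holds the "tickets", and all addresses, packet fields and helper names are assumptions constructed for the demo.

```python
# Added example, not code from the article: a toy stateful packet filter that
# models the gate analogy. Each firewall port is OPEN (new inbound connections
# may enter), CLOSED (only replies to connections the inside already started)
# or LOCKED (nothing enters, ticket or not). Packets are plain dicts; all
# addresses and helper names are constructed for this demo.
OPEN, CLOSED, LOCKED = "open", "closed", "locked"


class StatefulFirewall:
    def __init__(self, port_policy, default=CLOSED):
        self.port_policy = port_policy   # {port: OPEN | CLOSED | LOCKED}
        self.default = default           # policy for ports not listed
        self.state_table = set()         # the "tickets" already handed out

    @staticmethod
    def _flow(pkt):
        # Direction-independent key so a reply matches the outbound entry.
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], ends[0], ends[1])

    def filter(self, pkt):
        """Return 'allow' or 'drop' for one packet."""
        flow = self._flow(pkt)
        if pkt["dir"] == "out":
            self.state_table.add(flow)   # inside may leave; remember the ticket
            return "allow"
        policy = self.port_policy.get(pkt["dport"], self.default)
        if policy == LOCKED:
            return "drop"                # locked gate: denied even with a ticket
        if flow in self.state_table:
            return "allow"               # returning traffic with a valid ticket
        if policy == OPEN and pkt.get("syn"):
            self.state_table.add(flow)   # new visitor through an open gate
            return "allow"
        return "drop"                    # closed gate and no ticket


def demo():
    fw = StatefulFirewall({80: OPEN, 22: LOCKED})   # every other port CLOSED
    web = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
           "dst": "192.168.1.10", "dport": 80, "dir": "in", "syn": True}
    ssh = dict(web, dport=22)
    out = {"proto": "tcp", "src": "192.168.1.10", "sport": 51000,
           "dst": "198.51.100.7", "dport": 443, "dir": "out", "syn": True}
    reply = {"proto": "tcp", "src": "198.51.100.7", "sport": 443,
             "dst": "192.168.1.10", "dport": 51000, "dir": "in", "syn": False}
    stray = dict(reply, sport=8443)                  # no matching state entry
    return [fw.filter(p) for p in (web, ssh, out, reply, stray)]
```

The last two packets show why the state table matters: the reply is admitted only because the inside host opened that conversation first, while the stray packet on a closed port is dropped despite coming from the same remote host.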
Firewalls also come in three generations. We've already talked about two of them, stateful and stateless (aka packet filters). However, there is a third generation of firewall in use today that takes firewall filtering to a whole new level. These are called "application level" firewalls. They are called that because they go beyond simply filtering, sorting and controlling packets and connections: an application level firewall actually "understands" certain applications and protocols, and thus has a more intimate knowledge of certain types of data and connections. The advantage of this is that it can detect when someone is trying to sneak an unwanted protocol through the firewall on a non-standard port.
It can also tell when a protocol is being used in a harmful or abusive way. The idea is to prevent legitimate protocols from being used for illegal activities such as crashing or hacking a server protected by the firewall.
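The two things an application level firewall adds, recognising the protocol regardless of port and spotting a legitimate protocol being misused, can be shown with a small classifier. This is an added example for this article, not the author's code or any product's rules; the signatures, the port table, the 2048-byte limit and the sample payloads are all assumptions constructed for the demo.

```python
# Added example, not code from the article: a minimal application-level check.
# Instead of trusting the port number, it reads the first bytes a client sends
# to work out which protocol is really being spoken, then rejects conversations
# whose protocol does not match the port, and HTTP requests whose target is
# implausibly long. Signatures, port table and sample payloads are constructed.
import re

SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
]
EXPECTED = {80: "http", 22: "ssh", 25: "smtp"}   # the application each port is for
MAX_TARGET = 2048                                 # longest HTTP request target accepted


def identify(payload):
    """Return (protocol name, regex match) from the client's opening bytes."""
    for name, pattern in SIGNATURES:
        match = pattern.match(payload)
        if match:
            return name, match
    return "unknown", None


def inspect(dport, payload):
    """Return ('allow' or 'drop', reason) for the first client packet of a flow."""
    proto, match = identify(payload)
    expected = EXPECTED.get(dport)
    if expected is None:
        return "drop", f"port {dport} has no permitted application"
    if proto != expected:
        return "drop", f"{proto} seen on port {dport}, expected {expected}"
    if proto == "http" and len(match.group(2)) > MAX_TARGET:
        return "drop", "http request target too long"   # legitimate protocol abused
    return "allow", f"{proto} on port {dport}"


def demo():
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    ssh = b"SSH-2.0-ClientDemo_1.0\r\n"
    oversized = b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n"
    return [inspect(80, http)[0],        # allow: http where http belongs
            inspect(25, http)[0],        # drop: http sneaking in on the mail port
            inspect(22, ssh)[0],         # allow: ssh on its own port
            inspect(80, oversized)[0],   # drop: http used abusively
            inspect(8443, ssh)[0]]       # drop: no application permitted there
```

A plain packet filter would pass the second and fourth packets, since port and addresses look fine; only inspection of the payload tells them apart.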
But plain, stateful or application level packet filtering is only the tip of what's out there in filtering and firewall protection. There are three more forms of firewall which you might not know about. The first is a proxy server. Proxies work similarly to firewalls, but instead of filtering inbound traffic from the outside world they filter outbound traffic from inside your network. They can rewrite packets and connections too, allowing you to literally hide yourself from another computer in the outside world. This is where anonymous proxy servers come from. But that's not all they can do. The problem with me sharing everything is that the list of things a proxy server can do is far too long, so I'll leave that for you to research further.
The second kind of firewall is a NAT-based firewall, as mentioned earlier in the article. While it's technically not a firewall, NAT (network address translation) does afford a user some level of protection not inherent in a normal internet connection. NAT translates public IP addresses into private local area network addresses that are not routable on the public internet. These are typically in the ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Since these are not routable on the regular internet, a "translation" is required. It's roughly the same concept as translating from English to Russian and back again.
Since incoming connections to a NAT interface typically arrive at one master public IP and could then be sent on to any of numerous internal addresses after translation, by default NAT has no idea where an unsolicited incoming connection is supposed to go. Thus it automatically blocks all incoming connections to your network without restricting normal outbound or returning traffic. It does this through stateful packet inspection similar to that used on firewalls. To get through the NAT perimeter, you need to tell NAT that any connections coming in from the outside on a specific port should be forwarded to a specific port and IP on the inside. Hence the similarities NAT has to a standard firewall.
Now NAT isn't a proper firewall and should never be a replacement for one, but it does do a decent job of providing simple firewall-type protection for your network. Hence its inclusion in this list as a "type" of firewall.
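Here is the translation and port-forwarding behaviour just described as a toy NAT gateway, written as an added example for this article (not the author's code or any router's firmware). The private ranges are the three listed above; the public address, the internal hosts, the starting public port of 40000 and the helper names are assumptions constructed for the demo.

```python
# Added example, not code from the article: a toy NAT gateway. Packets leaving
# the private network are rewritten to the gateway's single public address and
# recorded in a translation table; packets arriving from the internet are only
# delivered if they match a table entry or an explicit port forward.
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

class NatGateway:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = forwards or {}   # public port -> (private ip, private port)
        self.inbound_map = {}            # (public port, remote ip, remote port) -> private socket
        self.outbound_map = {}           # (private socket, remote socket) -> public port
        self.next_port = 40000           # next unused public port to hand out (constructed)

    def outbound(self, pkt):
        """Translate a packet leaving the LAN; returns the rewritten packet."""
        if not is_private(pkt["src"]):
            raise ValueError("outbound packet must come from a private address")
        key = ((pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"]))
        pub_port = self.outbound_map.get(key)
        if pub_port is None:             # first packet of this flow: allocate a port
            pub_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = pub_port
            self.inbound_map[(pub_port, pkt["dst"], pkt["dport"])] = key[0]
        return dict(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        """Translate a packet from the internet, or return None to drop it."""
        target = self.inbound_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            target = self.forwards.get(pkt["dport"])   # explicit port forward
        if target is None:
            return None                  # unsolicited: NAT has nowhere to send it
        return dict(pkt, dst=target[0], dport=target[1])

def demo():
    nat = NatGateway("203.0.113.9", forwards={8080: ("192.168.1.20", 80)})
    out = nat.outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.7", "dport": 443})
    reply = nat.inbound({"src": "198.51.100.7", "sport": 443, "dst": "203.0.113.9", "dport": out["sport"]})
    fwd = nat.inbound({"src": "198.51.100.7", "sport": 5555, "dst": "203.0.113.9", "dport": 8080})
    stray = nat.inbound({"src": "198.51.100.7", "sport": 5555, "dst": "203.0.113.9", "dport": 22})
    return out, reply, fwd, stray
```

Note that the stray packet is dropped not by any rule but simply because the gateway has no entry telling it which inside host to deliver to, which is exactly the incidental protection the text describes.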
The third and least used of these additional three firewall types is the Script Firewall. In short it's not a firewall at all, but rather a script, or series of scripts, that monitors a port or set of ports for particular types of connections. When it sees something that matches its specific list of criteria, it will accept the packet, process it, and then send it on to its destination. What makes it different from a normal firewall is the "factory" approach used in script-based firewalling. When the script brings in the data, it automatically disassembles the packet, processes any data inside according to a pre-set list of rules, reassembles the processed packet, and sends it on its way.
So where a normal firewall would simply block or allow based on a list of rules, a Script Firewall takes it a level further. Since a Script Firewall is a specialized firewall, it only monitors and filters the ports it's told to monitor, and nothing else, and has a very narrow list of things it is and isn't allowed to do. A lot of the time this type of firewall can be, and is, included inside proxy servers, which in turn can be bundled inside standard or stateful firewalls to give network administrators a well rounded and highly customizable filtering system. And for some companies or individuals, having this level of fine-grained control is priceless. It might seem a bit heavy-handed in the way that data is seemingly over-managed, but in today's data intensive world, just playing traffic cop doesn't always work anymore.
Well, that's all for my overview of firewalls. I hope this helped you understand
them better and some of the things that are out there. Firewalls are a vast and
complex world that both keeps you safe, and provides you with control of your internet
connection in ways you couldn't even begin to imagine. If you have any questions,
concerns or additions, please see us in the forums.