Firewalls work along a communication pathway. This can be the gateway point of a network, a chokepoint within a network, a point-of-zone transition, or on a host. In these locations, the firewall interrupts the traffic flow to inspect packets or sessions. If the traffic is authorized, it continues to its destination. If the traffic is not authorized, it is blocked and dropped.

When one thinks of a firewall, one generally pictures some sort of hardware, when in fact it is more accurate to think of the firewall as a function. There are really two broad types of firewall implementations: bump-in-the-wire and bump-in-the-stack. The bump-in-the-wire (FIGURE 5-4) is a separate hardware firewall implementation, and the bump-in-the-stack (FIGURE 5-5) is a firewall that is implemented via software.

Firewalls operate on a bastion host basis (FIGURE 5-6). This is most obvious in the case of hardware firewalls, but it is true of host software firewalls, as well. A bastion host firewall stands guard along the pathway of potential attack, positioned to take the brunt of any attack. A firewall acts as the vanguard, as the front line of defense against any attack. A bastion host can also be called a sacrificial host.

In the case of a host software firewall, the firewall will attempt to prevent all malicious interactions to and from the host. In the event that the firewall is compromised, it usually disconnects the system from the network. Although this is a form of denial of service (DoS), it is often a preferred fail-safe/fail-secure response over defaulting to an open unrestricted and unfiltered connection. This is especially true if the connection is directly to the Internet.

If the firewall is able to rebuff an attack, then the resources are secure. If the firewall fails due to the attack, it prevents any further communication with the resources behind it. Think of a firewall as a dead-man switch. If the firewall fails or goes offline, so does the connection it was filtering.

The most common function of a firewall is to screen or filter traffic. The firewall checks any packet received on its interface against its rule set to determine whether to forward or drop the packet. As you read earlier, firewalls typically function on a deny by default/allow by exception security policy.

The firewall performs most traffic filtering based on information in a packet or segment header. This can include the IP address of the source and destination, as well as the source and destination port. Some firewalls can also filter or block specific protocols or certain uses of protocols. For example, a firewall could block all streaming media protocols and block just the Internet Control Message Protocol (ICMP) type 3 (destination unreachable) and 11 (timeout exceeded).

Firewalls differentiate between networks or subnets. A firewall serves as a clear and distinct boundary between one network area and another. By positioning a firewall between network divisions or subnets, the network designer and security administrators are using traffic management and control for traffic attempting to cross that intersection. Firewalls serve as boundary devices both on the edge of networks facing the Internet, as well as internally between different divisions within an organization.

Open and unrestricted internal communications might sound like a good idea, but in practice such traffic causes severe degradation of overall infrastructure performance and stability. By preventing—or at least limiting—communications between certain divisions of an organization, traffic efficiency increases. Additionally, traffic control and management decrease risk.

For example, by blocking communications between the programming group’s network and the production network, unapproved versions of software cannot be accidentally loaded to the production network. Additionally, blocking general access to the accounting subnet, the research and development subnet, the DMZ, and the extranet from the production network protects against data leakage, spread of malicious code, and other forms of fraud and abuse.

Firewalls can act as a general filter for malicious activity or as a one-way sieve. As a general filter, a firewall will allow all normal benign traffic to pass through. This is the type of firewall used to protect a DMZ or differentiate subnets within a LAN. A general filter firewall works to stop malicious activities.

A general filter firewall can allow communication using any protocol on any port or limit communications to specific protocols and ports (amongst other limitations). If only a few specific resources hosted behind the firewall are to be accessed by external users, the firewall can allow access to those specific internal systems based on IP address and port but block all other inbound requests.

A sieve firewall will only allow traffic to originate from the private or trusted side. A sieve firewall will allow nonmalicious responses to return from the public or less-trusted side, but it will generally block or prevent any initiation or inbound communication request from the outside. A sieve firewall typically protects a private LAN or an extranet.

Firewalls can support special inbound authorized connections with the LAN. One type of specialized content is virtual private network (VPN) links from telecommuters. This is an important feature for an extranet, as well, since VPN access is often the only method to reach hosted resources through the Internet.

Firewalls can provide port-forwarding services. Port forwarding is a form of static reversal of network translation. In traditional or dynamic network address translation (NAT), external entities cannot initiate communications with internal systems; any packet received by the outside interface of the NAT system will not find a matching mapping in the translation table, and will therefore be considered invalid and dropped.

With port forwarding, a translation mapping is coded so that an external IP address and port combination are fixed and redirect traffic to a specific internal system, even if the internal system uses a private IP address. The combination of an IP address and a port number is known as a socket. In FIGURE 5-7, the external port 208.40.235.38:8081 is forwarded to an internal server’s port at 192.168.5.74:80. Port forwarding can also be called static NAT, traffic forwarding, service redirection, reverse proxy, and “punching a hole through the firewall.”

Managing and controlling traffic is a primary concern and function of firewalls. Only authorized communications are allowed; everything else is blocked. The act of determining what to allow and what to block depends on the filtering features of the firewall. These include packet inspection, connection or state management, stateful inspection, and others. (A state is a logical connection between a client and a resource server.) These filtering concepts are defined later in this chapter.

In addition, firewalls can block or filter outbound traffic. This function can block spoofed traffic or anything with an invalid IP address as the destination or source. Specific protocols or ports can be blocked as well. And, of course, specific domain names or destination addresses can be blocked.

Firewalls can also filter based on content. The firewall can intercept specific content in a packet leaving the network before it reaches the outside. This could result in the packet being discarded, an entire connection being dropped, or the packet being edited to remove the blocked content and replace it with something else. Content filtering can focus on domain name, URL, filename, file extension, or keywords in the content.

Another capability of firewalls is the ability to filter based on encryption. A firewall can allow encryption without restriction. Or, a firewall can be set to block encryption on some ports and not others. Firewalls can also block encryption from and to all internal IP addresses except for servers, VPN devices, and RAS/NAS.

Firewalls can perform intermediary functions between hosts where network administrators deem direct communication too risky. This is the basic function of a proxy. A proxy firewall positioned along a communication path can hide the identity of one or both endpoints of a communication from the participants. In most cases, proxy services hide the identities of internal systems from external entities.

Firewalls can perform address conservation through the use of an address conversion or translation system. NAT is the most common translation service supported by networks. NAT translates between internal addresses and public external addresses. NAT allows a private network to use RFC 1918 private IP addresses. This, in turn, provides additional security, since Internet hosts cannot address an RFC 1918 system directly.

Because perfect security products do not exist, you must rely on monitoring to watch for attempts (and any successes) to breach or violate security. Security is locking things down to the best of your ability, and then watching for attempts to breach your defenses. Lock, then watch. Firewalls are no exception. If a proposed firewall product is unable to record a log of its actions and network activities, you need to seek out a different firewall product. Remember the time-tested business adage: “You get what you inspect, not what you expect.”

Firewalls can log events. Firewalls can be set to record any action into a log file. In addition, firewalls can record the content of any malicious traffic into a log file. Additionally, any abnormal network activity, performance levels, and traffic statistics can be listed in a log file. Logging events is an invaluable feature of a firewall.

Through the combination of all these features, functions, and capabilities, firewalls provide consistent, reliable protection for an organization’s computer and electronic resources. But firewalls are not perfect and should not be the sole security component of a network infrastructure. They are only one element—although an essential one—of a network security strategy.