Firewalls

  • Identify the purpose, benefits, and characteristics of using a firewall.

Even though a firewall is considered a logical security measure, it deserves its own section because it is a specific objective for the Network+ exam.

A firewall is a system or group of systems that controls the flow of traffic between two networks. The most common use of a firewall is to protect a private network from a public network such as the Internet. However, firewalls are also increasingly being used as a means to separate a sensitive area of a private network from other, less-sensitive, areas of the private network.

At its most basic, a firewall is a device (it could be a computer system or a dedicated hardware device) that has more than one network interface and manages the flow of network traffic between those interfaces. How it manages the flow and what it does with certain types of traffic depend on its configuration. Figure 12.5 shows the most basic firewall configuration.

Figure 12.5. A basic firewall implementation.


Strictly speaking, a firewall performs no action on the packets it receives besides the basic functions just described. However, in a real-world implementation, a firewall is likely to offer other functionality, such as Network Address Translation (NAT) and proxy server services. Without NAT, any host on the internal network that needs to send or receive data through the firewall needs a registered IP address.

Although there are such environments, most people have to settle for using a private address range on the internal network and therefore rely on the firewall system to translate the outgoing request into an acceptable public network address.

The Purpose and Function of a Firewall

Although the fundamental purpose of a firewall is to protect one network from another, you need to configure the firewall to allow some traffic through. If you don't need to allow traffic to pass through a firewall, you can dispense with it entirely and completely separate your network from other networks.

A firewall can employ a variety of different methods to ensure security. A firewall can use just one of these methods, or it can combine different methods to produce the most appropriate and robust configuration. The following sections discuss the various firewall methods that are commonly used: packet filtering firewalls, circuit-level firewalls, and application gateway firewalls.

Packet-Filtering Firewalls

Of the firewall methods discussed in this chapter, packet filtering is the most commonly implemented. Packet filtering allows the firewall to examine each and every packet that passes through it and determine what to do with the packet, based on the configuration. A packet-filtering firewall deals with packets at the data-link and network layers of the Open Systems Interconnection (OSI) model. The following are some of the criteria by which packet filtering can be implemented:

  • IP address— By using the IP address as a parameter, the firewall is able to allow or deny traffic, based on the source or destination IP address. For example, you can configure the firewall so that only certain hosts on the internal network are able to access hosts on the Internet. Alternatively, you can configure it so that only certain hosts on the Internet are able to gain access to a system on the internal network.

  • Port number— As discussed in Chapter 6, “Working with TCP/IP,” the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite uses port numbers to identify what service a certain packet is destined for. By configuring the firewall to allow certain types of traffic, you can control the flow. You might, for example, open port 80 on the firewall to allow Hypertext Transfer Protocol (HTTP) requests from users on the Internet to reach the corporate Web server. You might also, depending on the application, open the HTTP Secure (HTTPS) port, port 443, to allow access to a secure Web server application.

  • Protocol ID— Because each packet transmitted with IP has a protocol identifier in it, a firewall is able to read this value and then determine what kind of packet it is. If you are filtering based on protocol ID, you specify which protocols you will and will not allow to pass through the firewall.

  • MAC address— This is perhaps the least used of the packet-filtering methods discussed, but it is possible to configure a firewall to use the hardware-configured MAC address as the determining factor in whether access to the network is granted. This is not a particularly flexible method, and it is therefore suitable only in environments where you can closely control who uses which MAC address. The Internet is not such an environment.

Circuit-Level Firewalls

Circuit-level firewalls are similar in operation to packet-filtering firewalls, but they operate at the transport layer of the OSI model. The biggest difference between a packet-filtering firewall and a circuit-level firewall is that a circuit-level firewall forwards all requests to the other network, using its own IP address rather than the IP address of the internal system that sent the request. This serves to “hide” the identity of the inside system, which is good from a security standpoint because outside users cannot see the internal network.
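The following is an added example, not code from the book, of the address substitution a circuit-level firewall performs: outbound connections leave with the firewall's own public address and a port chosen by the firewall, and the firewall keeps a table so that only replies to a connection an inside host actually opened are translated back. The public address 203.0.113.10, the inside addresses, and the starting port 40000 are assumed values constructed for the example.

```python
# Added example (not from the book): a minimal source-NAT table modelling how a
# circuit-level firewall forwards requests with its own IP address and maps the
# replies back to the inside host. Addresses are constructed documentation-range values.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIREWALL_PUBLIC_IP = "203.0.113.10"   # assumed public address of the firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Maps (inside host, inside port, remote host, remote port) to one public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound: full inside 4-tuple -> public port chosen by the firewall
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: public port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.inbound: Dict[int, Tuple[str, int, str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source so the remote host sees only the firewall's address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet rewritten for the inside host, or None to drop it.

        A packet is translated only if it is addressed to the firewall, lands on a
        port that an inside host opened, and comes from the remote endpoint that
        inside host talked to. Unsolicited traffic has no mapping and is dropped,
        which is why the inside network stays invisible from outside.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


if __name__ == "__main__":
    nat = SourceNat(FIREWALL_PUBLIC_IP)
    request = Packet("192.168.1.20", 51000, "198.51.100.5", 80)   # constructed inside host
    print("outbound:", nat.translate_outbound(request))
    reply = Packet("198.51.100.5", 80, FIREWALL_PUBLIC_IP, 40000)
    print("reply:", nat.translate_inbound(reply))
    stray = Packet("198.51.100.7", 12345, FIREWALL_PUBLIC_IP, 40000)
    print("unsolicited:", nat.translate_inbound(stray))
```

The remote host only ever sees 203.0.113.10, and a packet aimed at a mapped port from any endpoint other than the one the inside host contacted is dropped rather than forwarded.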

Application Gateway Firewalls

The application gateway firewall is the most functional of all the firewall types. As its name suggests, the application gateway firewall functionality is implemented through an application. Application gateway firewall systems can implement sophisticated rules and closely control traffic that passes through. Features of application gateway firewalls can include user authentication systems and the ability to control which systems an outside user can access on the internal network.

EXAM TIP

The Three Firewall Methods

The three firewall methods described in this chapter are often combined into a single firewall application. Packet filtering is the basic firewall function. Circuit-level functionality provides NAT, and an application gateway firewall provides proxy functionality. This is a good thing to remember for the Network+ exam.


Demilitarized Zones

An important firewall-related concept is demilitarized zones (DMZs). A DMZ is part of a network on which you place servers that must be accessible by sources both outside and inside your network. However, the DMZ is not connected directly to either network, and it must always be accessed through the firewall. The military term DMZ is used because it describes an area in which there is little or no enforcement or policing.

Using DMZs provides an extra level of flexibility, protection, and complexity to your firewall configuration. Figure 12.6 shows an example of a DMZ configuration.

Figure 12.6. A DMZ configuration.


By using a DMZ, you can create an additional step that makes it more difficult for an intruder to gain access to the internal network. In Figure 12.6, for example, an intruder who tried to come in through Interface 1 would have to spoof a request from either the Web server or proxy server into Interface 2 before it could be forwarded to the internal network. Although it is not impossible for an intruder to gain access through a DMZ, it is very difficult.
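The following is an added example, not code from the book, that ties the packet-filtering criteria listed earlier (IP address, port number, protocol ID, and MAC address) to the DMZ layout of Figure 12.6. It is a first-match rule evaluator with an implicit default deny, applied to a policy for three interfaces: Interface 1 on the Internet side, Interface 2 on the internal side, and the DMZ segment. The interface names, the address ranges, the Web server and proxy server addresses, the proxy port 8080, and the admin workstation's MAC address are all assumptions constructed for the example.

```python
# Added example (not from the book): a first-match packet filter using the chapter's
# criteria, applied to a DMZ policy modelled on Figure 12.6. All addresses, interface
# names, and the admin MAC address are constructed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
DMZ_NET = "192.0.2.0/24"           # assumed DMZ segment
INTERNAL_NET = "10.0.0.0/8"        # assumed internal network
WEB_SERVER = "192.0.2.10"          # assumed DMZ Web server
PROXY_SERVER = "192.0.2.20"        # assumed DMZ proxy server
ADMIN_MAC = "00:1a:2b:3c:4d:5e"    # constructed MAC of one admin workstation
TCP, UDP, ICMP = 6, 17, 1          # IP protocol IDs


@dataclass(frozen=True)
class Packet:
    iface: str                     # "if1" Internet side, "if2" internal side, "dmz"
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None  # None for protocols without ports (e.g. ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    note: str
    iface: Optional[str] = None
    src: str = ANY
    dst: str = ANY
    proto: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every criterion the rule sets must match; unset criteria match anything.
        return ((self.iface is None or self.iface == p.iface)
                and ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.src_mac is None or self.src_mac.lower() == p.src_mac.lower()))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet that matches nothing is denied."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


DMZ_POLICY = [
    # Anti-spoofing: nothing arriving on the Internet side may claim an inside address.
    Rule("deny", "spoofed internal address on Interface 1", iface="if1", src=INTERNAL_NET),
    Rule("deny", "spoofed DMZ address on Interface 1", iface="if1", src=DMZ_NET),
    # The Internet may reach only the DMZ Web server, and only on the Web ports.
    Rule("allow", "public HTTP to Web server", iface="if1", dst=WEB_SERVER, proto=TCP, dst_port=80),
    Rule("allow", "public HTTPS to Web server", iface="if1", dst=WEB_SERVER, proto=TCP, dst_port=443),
    # Internal clients leave only through the DMZ proxy (assumed to listen on 8080).
    Rule("allow", "internal clients to proxy", iface="if2", src=INTERNAL_NET,
         dst=PROXY_SERVER, proto=TCP, dst_port=8080),
    Rule("allow", "proxy to Internet (HTTP)", iface="dmz", src=PROXY_SERVER, proto=TCP, dst_port=80),
    Rule("allow", "proxy to Internet (HTTPS)", iface="dmz", src=PROXY_SERVER, proto=TCP, dst_port=443),
    # MAC-address rule: one known admin workstation may administer the Web server over SSH.
    Rule("allow", "admin workstation SSH to Web server", iface="if2", src_mac=ADMIN_MAC,
         dst=WEB_SERVER, proto=TCP, dst_port=22),
]


def run_samples() -> dict:
    """Constructed sample packets; returns {label: decision}."""
    samples = {
        "internet->web:443": Packet("if1", "aa:aa:aa:aa:aa:aa", "198.51.100.5", WEB_SERVER, TCP, 443),
        "internet->web:icmp": Packet("if1", "aa:aa:aa:aa:aa:aa", "198.51.100.5", WEB_SERVER, ICMP),
        "internet->internal:445": Packet("if1", "aa:aa:aa:aa:aa:aa", "198.51.100.5", "10.0.0.5", TCP, 445),
        "spoofed web server src": Packet("if1", "aa:aa:aa:aa:aa:aa", WEB_SERVER, "10.0.0.5", TCP, 445),
        "internal->proxy:8080": Packet("if2", "bb:bb:bb:bb:bb:bb", "10.0.0.5", PROXY_SERVER, TCP, 8080),
        "internal->internet:80": Packet("if2", "bb:bb:bb:bb:bb:bb", "10.0.0.5", "198.51.100.5", TCP, 80),
        "admin->web:22": Packet("if2", ADMIN_MAC, "10.0.0.9", WEB_SERVER, TCP, 22),
        "other->web:22": Packet("if2", "cc:cc:cc:cc:cc:cc", "10.0.0.9", WEB_SERVER, TCP, 22),
    }
    return {label: evaluate(DMZ_POLICY, p)[0] for label, p in samples.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(f"{label:26} {decision}")
```

Rule order matters in a first-match filter: the anti-spoofing denies sit first so that a packet arriving on Interface 1 with a DMZ or internal source address is dropped before any allow rule can see it, and the closing default deny means every path not explicitly listed (including internal clients trying to bypass the proxy) is refused.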

NOTE

Personal Firewalls

For exactly the same reasons that a firewall is implemented on a corporate network, you should consider protecting your personal computer at home with a firewall as well. The increasing use of always-on Internet access methods such as cable means that you are just as likely to become the target of an intruder at home as you are at work. Remember that most intruders are not looking for anything in particular; they are just looking for anything. If you connect to the Internet from a computer system, you are exposing yourself to millions of other users, some of whom would love to have a look at your hard drive to see if there is anything of interest. The solution is to implement a personal firewall, of which there are now quite a few. For a relatively small amount of money, you can protect your system against all but the most determined of intruders. Even if you have nothing to hide, you should still be aware of problems such as Distributed Denial of Service (DDoS) attacks, which can use your system as a host to launch an attack on another host on the Internet.


Firewalls have become common in businesses of all sizes. As the Internet becomes an ever more hostile place, firewalls and the individuals who understand them are likely to become an essential part of the IT landscape.