Chapter 3

Fundamentals of Firewalls

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

• Explain how firewalls work.

• Evaluate firewall solutions.

• Differentiate between packet filtering and stateful packet filtering.

• Differentiate between application gateway and circuit gateway.

• Understand host-based firewalls and router-based firewalls.

Introduction

The first two chapters of this book discussed threats to network security and ways to defend against those threats. This and the following two chapters will address security devices. One of the most fundamental devices used to implement network security is the firewall. This is a key part of any security architecture. In fact, other systems such as the proxy server, intrusion prevention systems (IPS), and intrusion detection systems (IDS) work in conjunction with the firewall and are to some extent dependent upon the firewall.

Most people have a general idea of what a firewall is. In this chapter we will examine firewalls in detail so you will have a deeper understanding of them. We will also look at some firewall products.

This chapter will explore the basics of how firewalls work to provide a basis for evaluating which firewall is most appropriate in a given situation.

What Is a Firewall?

A firewall is a barrier between your computer or your internal network and the outside world or the Internet. This separation is sometimes also described in terms of a DMZ (demilitarized zone): the protected area behind the DMZ and the public-facing side of the DMZ. A particular firewall implementation might use one or more of the methods listed here to provide that barrier.

• Packet filtering

• Stateful packet filtering

• User authentication

• Client application authentication

At a minimum a firewall will filter incoming packets based on parameters such as packet size, source IP address, protocol, and destination port. Figure 3-1 shows the essentials of the firewall concept.


FIGURE 3-1 Basic firewall operations

As you may already know, both Linux and Windows (every Windows version from XP through Windows 10, plus the server editions) ship with a simple firewall built into the operating system. Norton and McAfee both offer personal firewall solutions for individual PCs. These firewalls are meant for individual machines. There are more advanced solutions available for networks. In an organizational setting, you will want a dedicated firewall between your network and the outside world. This might be a router that also has built-in firewall capabilities. (Cisco Systems is one company that is well-known for high quality routers and firewalls.) Or, it might be a server that is dedicated solely to running firewall software. There are a number of firewall solutions that you can examine. Selecting a firewall is an important decision. This chapter will give you the essential skills necessary for you to be able to select the appropriate firewall for your network.

FYI: High-Speed Home or Small Office Connections

With the growing popularity of cable, DSL (Digital Subscriber Line), and FiOS (purported to be a Gaelic word meaning “knowledge”) connections for homes and small offices, more emphasis is being placed on securing computer systems in these locations. This class of installation is commonly referred to as a Small Office and Home Office (SOHO) environment. Very inexpensive router-based firewalls for your high-speed Internet connection are available. Consumers can purchase a router that is separate from the DSL or cable router, or one that combines the functions of the cable or DSL router with the firewall. The following websites provide more information:

• Linksys: https://www.linksys.com/

• Home PC Firewall Guide: www.firewallguide.com

• Broadband Guide: www.firewallguide.com/broadband.htm

Types of Firewalls

Packet filtering firewalls are the simplest and often the least expensive type of firewalls. Several other types of firewalls offer their own distinct advantages and disadvantages. The basic types of firewalls are

• Packet filtering

• Application gateway

• Circuit level gateway

• Stateful packet inspection

Packet Filtering Firewall

The packet filtering firewall is the most basic type of firewall. In a packet filtering firewall, each incoming packet is examined. Only those packets that match the criteria you set are allowed through. Many operating systems, including Windows clients (Windows 8 and 10, for example) and many Linux distributions, include basic packet filtering software with the operating system. Packet filtering firewalls are also referred to as screening firewalls. They can filter packets based on packet size, protocol used, source IP address, and many other parameters. Some routers offer this type of firewall protection in addition to their normal routing functions.

Packet filtering firewalls work by examining a packet’s source address, destination address, source port, destination port, and protocol type. Based on these factors and the rules that the firewall has been configured to use, they either allow or deny passage to the packet. These firewalls are very easy to configure and inexpensive. Some operating systems, such as Windows 10 and Linux, include built-in packet filtering capabilities. Chapter 4, “Firewall Practical Applications,” discusses specific firewall products in detail. Here is a brief summary of some commonly used packet filtering products:

• Firestarter: This is a free packet filtering application for Linux available at www.fs-security.com. This software is installed on a Linux machine designed to be used as your network firewall.

• Avast Internet Security: This product is inexpensive and is available for Windows only. You can find this product at https://www.avast.com/en-us/f-firewall.

• Zone Alarm Firewall: This product is reasonably priced and effective. You can find out more at https://www.zonealarm.com/software/firewall.

• Comodo Firewall: This is a commercial firewall product that works with Windows clients. It includes both firewall and antivirus functionality. You can find out more about this product at https://personalfirewall.comodo.com/.

There are a few disadvantages to the screening/packet filtering firewall solution. One disadvantage is that they do not examine the packet’s contents or compare it to previous packets; therefore, they are quite susceptible to either a ping flood or a SYN flood. They also do not offer any user authentication. Because this type of firewall looks only at the packet header, it has no information about the packet contents. It also does not track packets, so it has no information about the preceding packets. Therefore, if thousands of packets came from the same IP address in a short period of time, a screening firewall would not notice that this pattern is unusual. Such a pattern often indicates that the IP address in question is attempting to perform a DoS attack on the network.

To configure a packet filtering firewall, simply establish appropriate filtering rules. A set of rules for a given firewall would need to cover the following:

• What types of protocols to allow (FTP, SMTP, POP3, etc.)

• What source ports to allow

• What destination ports to allow

• What source IP addresses to allow (you can block certain IP addresses if you wish)

These rules will allow the firewall to determine what traffic to allow in and what traffic to block. Because this sort of firewall uses only very limited system resources, is relatively easy to configure, and can be obtained inexpensively or even for free, it is frequently used. Although it is not the most secure type of firewall, you are likely to encounter it frequently.

In Practice

Packet Filtering Rules

Unfortunately in many real world networks there are so many different applications sending different types of packets that setting up proper rules for packet filtering can be more difficult than you might think. On a simple network with only a few servers running a small number of services (perhaps a web server, an FTP server, and an e-mail server), configuring packet filtering rules can, indeed, be rather simple. In other situations it can become quite complicated.

Consider the wide-area network connecting multiple sites in geographically diverse regions. When you set up a packet filtering firewall in this scenario, you need to be aware of any application or service that uses network communications of any type, on any machine, in any of the sites your WAN connects to. Failure to take these complexities into account can result in your firewall blocking some legitimate network service.

Stateful Packet Inspection

The stateful packet inspection (SPI) firewall is an improvement on basic packet filtering. This type of firewall will examine each packet, denying or permitting access based not only on the examination of the current packet, but also on data derived from previous packets in the conversation. This means that the firewall is aware of the context in which a specific packet was sent. This makes these firewalls far less susceptible to ping floods and SYN floods, as well as being less susceptible to spoofing. SPI firewalls are less susceptible to these attacks for the following reasons:

• They can tell whether the packet is part of an abnormally large stream of packets from a particular IP address, thus indicating a possible DoS attack in progress.

• They can tell whether the packet has a source IP address that appears to come from inside the firewall, thus indicating IP spoofing is in progress.

• They can also look at the actual contents of the packet, allowing for some very advanced filtering capabilities.

SPI firewalls are an improved version of the packet filtering firewall. Most quality firewalls today use the stateful packet inspection method; when possible, this is the recommended type of firewall for most systems. In fact most home routers have the option of using stateful packet inspection. The name stateful packet inspection derives from the fact that in addition to examining the packet, the firewall is examining the packet’s state in relationship to the entire IP conversation. This means the firewall can refer to the preceding packets as well as those packets’ contents, source, and destination. As you might suspect, SPI firewalls are becoming quite common. We will examine several of them in Chapter 4. The following is a list of some well-known products:

• SonicWall (www.sonicwall.com/) makes a number of different SPI firewall products for various sized networks, in different price ranges. It is a well-known vendor of firewall products.

• Linksys (www.linksys.com/) makes a number of small office/home office firewall router products that use SPI technologies. These are very inexpensive and easy to configure.

• Cisco (www.cisco.com) is a very well-known and highly respected vendor for many different types of network products, including router based firewalls that use SPI technology.
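To make the contrast between the packet filtering rules described earlier and stateful packet inspection concrete, here is an added example in Python (not code from the book or from any vendor). A stateless filter judges each packet by its header alone against a rule list of protocol, source network, source ports and destination ports, with an implicit deny; a stateful filter reuses the same rules but also remembers TCP handshakes, so it can refuse segments that belong to no conversation, cap half-open connections per source (the SYN flood case), and drop inbound packets that claim an internal source address (the spoofing case). The addresses, the 10.0.0.0/8 internal range, the rule set and the limit of three half-open connections are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Constructed model of the header fields a screening firewall inspects."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    syn: bool = False   # TCP SYN flag: a new connection request
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One filtering rule: protocol, source network, source and destination ports."""
    action: str                       # "allow" or "deny"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"        # source addresses the rule applies to
    sports: range = range(0, 65536)   # permitted source ports
    dports: range = range(0, 65536)   # permitted destination ports

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src_net)
                and p.sport in self.sports and p.dport in self.dports)


def stateless_filter(rules, p: Packet) -> str:
    """Basic packet filter: first matching rule wins, implicit deny otherwise.
    Each packet is judged on its own header; nothing about earlier packets is kept."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """SPI firewall on the external interface: the same rules, plus memory of the
    TCP conversations it has already admitted."""

    def __init__(self, rules, internal_net="10.0.0.0/8", half_open_limit=3):
        self.rules = rules
        self.internal = ip_network(internal_net)   # assumed internal address range
        self.limit = half_open_limit               # assumed per-source SYN budget
        self.pending = set()        # SYN seen, handshake not yet completed
        self.established = set()    # handshake completed
        self.half_open = Counter()  # half-open connections per source address

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        # An inbound packet claiming an internal source address is spoofed.
        if ip_address(p.src) in self.internal:
            return "deny: spoofed internal source"
        if p.proto != "tcp":
            return stateless_filter(self.rules, p)
        # Continuation of an admitted conversation: pass without re-checking rules.
        if key in self.established:
            return "allow"
        # The client's final ACK completes a handshake this firewall saw start.
        if key in self.pending and p.ack and not p.syn:
            self.pending.discard(key)
            self.established.add(key)
            self.half_open[p.src] -= 1
            return "allow"
        # New connection request: apply the rule set, then the flood check.
        if p.syn and not p.ack:
            if stateless_filter(self.rules, p) != "allow":
                return "deny: rule"
            if self.half_open[p.src] >= self.limit:
                return "deny: too many half-open connections from source"
            self.pending.add(key)
            self.half_open[p.src] += 1
            return "allow"
        # A TCP segment that belongs to no known conversation (e.g. a stray ACK).
        return "deny: no matching connection"


# Constructed rule set: inbound web and mail only; everything else is implicitly denied.
RULES = [
    Rule("allow", proto="tcp", dports=range(80, 81)),
    Rule("allow", proto="tcp", dports=range(25, 26)),
]


def compare(packets):
    """Run one packet sequence through a fresh copy of each filter; returns
    (stateless decision, stateful decision) per packet."""
    spi = StatefulFilter(RULES)
    return [(stateless_filter(RULES, p), spi.decide(p)) for p in packets]


if __name__ == "__main__":
    web = ("10.0.0.80", 80)   # constructed internal web server
    sequence = [Packet("tcp", "203.0.113.7", 40000 + i, *web, syn=True) for i in range(5)]
    sequence += [Packet("tcp", "198.51.100.9", 51000, *web, ack=True),   # stray ACK
                 Packet("tcp", "10.0.0.5", 52000, *web, syn=True)]       # spoofed source
    for p, (a, b) in zip(sequence, compare(sequence)):
        print(f"{p.src}:{p.sport} syn={p.syn} ack={p.ack} stateless={a} stateful={b}")
```

Run as a script, it shows the stateless filter passing all seven packets to port 80 while the stateful filter stops the fourth and fifth SYN from the same source, the ACK that belongs to no handshake, and the spoofed internal address.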

FYI: Stateless Packet Filtering

Stateful packet inspection is clearly the preferred method. The natural follow-up question is: What about stateless packet filtering? This term is not generally used by security professionals; it merely denotes the standard packet filtering method.

Application Gateway

An application gateway (also known as application proxy or application-level proxy) is a program that runs on a firewall. This type of firewall derives its name from the fact that it works by negotiating with various types of applications to allow their traffic to pass the firewall. In networking terminology, negotiation is a term used to refer to the process of authentication and verification. In other words, rather than looking at the protocol and port the packet is using, an application gateway will examine the client application and the server-side application to which it is trying to connect. It will then determine if that particular client application’s traffic is permitted through the firewall. This is significantly different from a packet filtering firewall, which examines the packets and has no knowledge of what sort of application sent them. Application gateways enable the administrator to allow access only to certain specified types of applications, such as web browsers or FTP clients.

When a client program, such as a web browser, establishes a connection to a destination service, such as a web server, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to gain access to the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This process actually creates two connections. There is one connection between the client and the proxy server and another connection between the proxy server and the destination.

Once a connection is established, the application gateway makes all decisions about which packets to forward. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

With an application gateway, each supported client program requires a unique program to accept client application data. This sort of firewall allows for individual user authentication, which makes it quite effective at blocking unwanted traffic. However, a disadvantage is that these firewalls use a lot of system resources: the process of authenticating client applications uses more memory and CPU time than simple packet filtering.

FYI: Unique Logons

Be aware that having a unique logon for each user is probably not the ideal solution for sites with a great deal of public traffic, such as an e-commerce site. On sites such as this, you want to attract a high volume of traffic, mainly from new customers. New visitors to your site will not have a logon ID or password. Making them go through the process of setting up an account just to visit your website will likely turn off many potential customers. However, this can be an ideal solution for a corporate network.

Application gateways are also susceptible to various flooding attacks (SYN flood, ping flood, etc.) for two reasons. The first is the additional time it takes for an application gateway to negotiate and authenticate a request. Remember that both the client application and the user may need to be authenticated. This takes more time than simply filtering packets based on certain parameters. For this reason, a flood of connection requests can overwhelm the firewall, preventing it from responding to legitimate requests. The second reason is that once a connection is made, packets are not checked. If a connection is established, then that connection can be used to send a flooding attack to the server it has connected to, such as a web server or e-mail server. This vulnerability is mitigated somewhat by authenticating users. Provided the user logon method is secure (appropriate passwords, encrypted transmission, etc.), the likelihood that someone can use a legitimate connection through an application gateway for a flooding attack is reduced.

Chapter 4 discusses specific firewall implementations; however, a brief summary of a few application gateway products is provided here:

• Akamai has a robust application gateway, available at https://content.akamai.com/us-en-pg9554-gartner-magic-quadrant.html.

• WatchGuard Technologies offers several firewall solutions (www.watchguard.com/).

• Cloudflare also provides an application gateway, specifically a web application firewall: https://www.cloudflare.com/lp/waf-a.

Circuit Level Gateway

Circuit level gateway firewalls are similar to application gateways but are more secure and generally implemented on high-end equipment. These types of firewalls also employ user authentication, but they do so earlier in the process. With an application gateway, first the client application is checked to see if access should be granted, and then the user is authenticated. With circuit level gateways, authenticating the user is the first step. The user’s logon ID and password are checked, and the user is granted access before the connection to the router is established. This means that each individual, either by username or IP address, must be verified before any further communication can take place.

Once this verification takes place and the connection between the source and destination is established, the firewall simply passes bytes between the systems. A virtual “circuit” exists between the internal client and the proxy server. Internet requests go through this circuit to the proxy server, and the proxy server delivers those requests to the Internet after changing the IP address. External users only see the IP address of the proxy server. Responses are then received by the proxy server and sent back through the circuit to the client. It is this virtual circuit that makes the circuit level gateway secure. The private secure connection between the client application and the firewall is a more secure solution than some other options, such as the simple packet filtering firewall and the application gateway.

While traffic is allowed through, external systems never see the internal systems. The differences between the application gateway and the circuit level gateway are shown in Figure 3-2.


FIGURE 3-2 Application gateway vs. circuit level gateway

While highly secure, this approach may not be appropriate for some communication with the general public, such as e-commerce sites. This type of firewall is also difficult to configure because each client must be set up to have a circuit connection with the firewall.

pfSense is an open source firewall project (https://www.pfsense.org/). The source code for this firewall can be downloaded, compiled, and run in a network host-based configuration. The fact that this is open source and can be modified by the organization using it makes it an attractive choice for organizations that have sufficiently experienced staff programmers.

Hybrid Firewalls

As you will see later in this chapter and Chapter 4, there are a growing number of manufacturers creating hybrid firewalls. These are firewalls that use a mix of approaches, rather than a single approach. This sort of mixed approach is often even more effective than any of the pure approaches.

One very powerful firewall approach is a design that uses both a circuit level gateway and stateful packet filtering. Such a configuration has the best firewall methods combined into a single unit. In Chapter 4, we will examine some real-world examples of hybrid solutions.

Blacklisting/Whitelisting

Many firewalls also support the use of blacklisting or whitelisting. Blacklisting is a security approach wherein users are allowed to visit any website, or Internet resource, except those on the prohibited list. That list is a blacklist. This is very permissive. Users are only prevented from visiting the sites on those specific lists.

Whitelisting involves blocking users from visiting any website or Internet resource except those on an approved list. That list is the whitelist. Whitelisting is far more restrictive. However, it is also more secure. The problem with blacklisting is that it is impossible to know and list every website that users should not visit. No matter how thorough the blacklist is, it will allow traffic to some sites it should not. Whitelisting is far more secure, because all sites are blocked by default (blocking by default is also known as implicit deny) unless they are on the whitelist.

Implementing Firewalls

Administrators must be able to evaluate implementation issues to achieve a successful security solution for their systems. Understanding the type of firewall means knowing how the firewall will evaluate traffic and deciding what to allow and what not to allow. Understanding the firewall’s implementation means understanding how that firewall is set up in relation to the network it is protecting. The most widely used configurations include:

• Network host-based

• Dual-homed host

• Router-based firewall

• Screened host

Host-Based

In the host-based (sometimes called network host-based) scenario the firewall is a software solution installed on an existing machine with an existing operating system. The most significant concern in this scenario is that, no matter how good the firewall solution is, it is contingent upon the underlying operating system. In such a scenario, it is absolutely critical that the machine hosting the firewall have a hardened operating system. Hardening the operating system refers to taking several security precautions including:

• Ensuring all patches are updated

• Uninstalling unneeded applications or utilities

• Closing unused ports

• Turning off all unused services

Operating system hardening is covered in greater depth in Chapter 8, “Operating System Hardening.”

In the network host-based implementation, you install the firewall software onto an existing server. Sometimes, the server’s operating system may come with such software. It is not at all uncommon for administrators to use a machine running Linux, configure its built-in firewall, and use that server as a firewall. The primary advantage to this option is cost. It is much cheaper to simply install firewall software onto an existing machine, and use that machine as your firewall.

In Practice

DMZ

More and more organizations are opting to use DMZs. A DMZ (demilitarized zone) is created using two separate firewalls. One firewall faces the outside world, or the Internet, and the other faces the inside, or corporate network. This allows for an additional layer of protection between Internet-facing services and back-end corporate resources.

Typically, web servers, e-mail servers, and FTP servers are located inside the DMZ. Domain controllers, database servers, and file servers are located inside the corporate network. This means that if a hacker should breach the security of the first firewall she would only be able to affect the web server or e-mail server. She would not be able to get directly at the corporate data. Getting at that data would require the hacker to break through the security of yet another firewall.

This sort of arrangement is the preferred method, regardless of what type of firewall you use. Often administrators choose to use a weaker and cheaper firewall, such as a simple packet filtering firewall, on the outer side of the DMZ. They then use a much more rigorous firewall, such as a stateful packet inspection firewall, on the inner side of the DMZ. If an intrusion-detection system (these are discussed in detail in Chapter 5, “Intrusion-Detection Systems”) is used on the outer firewall, then any breach of that firewall is likely to be detected long before the hacker can successfully breach the inner firewall. This is also one reason why media stories abound about hackers defacing websites, but stories of hackers actually getting at sensitive data are much less common.

Many router vendors now offer a single box that implements a DMZ. They do this by creating two firewalls in one device, so you can buy a single appliance that implements the entire DMZ. The router has a port for the external connection (that is, Internet), another port for the DMZ, and then the remaining ports are for the internal network. Figure 3-3 shows a DMZ.


FIGURE 3-3 A DMZ

Dual-Homed Hosts

A dual-homed host is a firewall running on a server with at least two network interfaces. This is an older methodology. Most firewalls today are implemented in actual routers, rather than servers. The server acts as a router between the network and the interfaces to which it is attached. To make this work, the automatic routing function is disabled, meaning that an IP packet from the Internet is not routed directly to the network. The administrator can choose what packets to route and how to route them. Systems inside and outside the firewall can communicate with the dual-homed host, but cannot communicate directly with each other. Figure 3-4 shows a dual-homed host.

The dual-homed host configuration is simply an expanded version of the network host firewall implementation. That means it is also contingent on the security of the underlying operating system. Any time a firewall is running on a server of any kind, the security of that server’s operating system becomes even more critical than normal.

This option has the advantage of being relatively simple and inexpensive. The primary disadvantage is its dependency on the underlying operating system.


FIGURE 3-4 The dual-homed host

Router-Based Firewall

Administrators can implement firewall protection on a router. In fact, even the simplest, low-end routers today have some type of firewall included. In larger networks with multiple layers of protection, this is often the first layer of protection. Although various types of firewalls can be implemented on a router, the most common type uses packet filtering. Users of a broadband connection in a home or small office can get a packet filtering firewall router to replace the basic router provided by the broadband company.

In many cases this solution is also ideal for the firewall novice. A number of vendors supply router-based firewalls that can be preconfigured by the vendor based on the customer’s needs. The customer can then install it between her network and external Internet connection. Also, most of the more widely known brands (Cisco, 3Com, etc.) offer vendor-specific training and certifications in their hardware, making it relatively easy to find qualified administrators or to train current staff.

Another valuable way to implement router-based firewalls is between subsections of a network. If a network is divided into segments, each segment needs to use a router to connect to the other segments. Using a router that also includes a firewall significantly increases security. If the security of one segment of the network is compromised, the rest of the network is not necessarily breached.

Perhaps the best advantage to router-based firewalls is the ease of setup. In many cases the vendor will even configure the firewall for you, and you simply plug it in. Most home-based routers today, such as those from Linksys, Belkin, or Netgear, have a built-in firewall. And in fact virtually all higher-end routers include firewall capability.

Screened Hosts

A screened host is really a combination of firewalls. In this configuration, a combination of a bastion host and a screening router is used. The combination creates a dual firewall solution that is effective at filtering traffic. The two firewalls can be different types. The bastion host (see the following FYI) might be an application gateway and the router a packet screener (or vice versa). This approach (shown in Figure 3-5) gives the advantages of both types of firewalls and is similar in concept to the dual-homed host.


FIGURE 3-5 Screened host

The screened host has some distinct advantages over the dual-homed firewall. Unlike the dual-homed firewall, the screened host needs only one network interface and does not require a separate subnet between the application gateway and the router. This makes the firewall more flexible but perhaps less secure because its reliance on only one network interface card means that it might be configured to pass certain trusted services to the application gateway portion of the firewall and directly to servers within the network.

The most significant concern when using the screened host is that it essentially combines two firewalls into one. Therefore any security flaw or misconfiguration affects both firewalls. When you use a DMZ there are physically two separate firewalls, and the likelihood of any security flaw being propagated to both is low.

FYI: Bastion Hosts

A bastion host is a single point of contact between the Internet and a private network. It usually will only run a limited number of services (those that are absolutely essential to the private network) and no others. The bastion host is often the packet filtering firewall that is between the network and the outside world.

In addition to these firewall configurations, there are also different methods for how the firewall examines packets. Packet filters work at the network layer of the OSI model and simply block certain packets based on criteria such as protocol, port number, source address, and destination address. For example, a packet filter might deny all traffic on ports 1024 and up, or it might block all incoming traffic using the TFTP protocol. Ports are, of course, at the transport layer. Incoming and outgoing filters can dictate what information passes into or out of the local network.

The screening router adds security by allowing you to deny or permit certain traffic from the bastion host. It is the first stop for traffic, which can continue only if the screening router lets it through.

In Practice

Utmost Security

Organizations that want the utmost level of security often use multiple firewalls. The perimeter of the network may actually have two firewalls, perhaps a stateful packet inspecting firewall and an application gateway, one following the other (the order will determine how they are configured). This enables the organization to get the benefit of both types of firewalls. This type of configuration is not as common as it should be, but it is used by some organizations.

One common multiple-firewall scenario is the use of screened firewall routers separating each network segment. The network will still have a perimeter firewall blocking incoming traffic, but it will also have packet filtering separating each network segment. This means that if an attack breaches the perimeter, not all network segments will be affected.

For the highest possible level of firewall protection, the ideal scenario is to have the dual-perimeter firewall, to use packet screening on all routers, and then to have individual packet filtering firewalls (such as those built into some operating systems) on every server and perhaps even on individual workstations. Such a configuration can be expensive to set up and difficult to maintain, but it would provide an extremely robust level of firewall protection. Figure 3-6 shows a possible configuration with multiple firewalls. In this image each workstation has its own operating system firewall configured and running.


FIGURE 3-6 Utmost security

Selecting and Using a Firewall

There is a variety of commercial firewall products from which you can choose. Many software vendors offer a basic packet filtering solution. Major antivirus software vendors (including those previously mentioned in this chapter) often offer the firewall software as a bundled option with their antivirus software. Other companies, such as Zone Labs, sell firewall and intrusion-detection software. The major manufacturers of routers and switches such as Cisco also offer firewall products.

The amount of security necessary for a particular system is always difficult to pinpoint. A bare minimum recommendation is to have a packet filtering firewall/proxy server between your network and the Internet—but that is a bare minimum. As a rule of thumb, administrators should buy the most robust firewall that the budget allows. But remember, that is just a rule of thumb. A better approach is to conduct a risk analysis, which you will see how to do in Chapter 11, “Security Policies,” and Chapter 12, “Assessing System Security.” Chapter 4 examines some of the more widely used firewall solutions in detail.

Using a Firewall

The first rule in using a firewall is to configure it properly. Chapter 4 covers some of the more widely used firewall solutions and how to configure them. Thoroughly reading and understanding all documentation and manuals pertinent to your firewall solution is essential. Administrators should also consider the services of a consultant to assist in the initial setup and configuration. In addition, product-specific training is often available from the firewall vendor.

Firewalls are also excellent tools when attempting to ascertain what has happened after a security incident occurs. Almost all firewalls, regardless of type or implementation, log the various activities that occur on them. These logs can provide valuable information that can assist in determining the source of an attack, methods used to attack, and other data that might help either locate the perpetrator of an attack or at least prevent a future attack using the same techniques.

Given the number of devices on a network, it is common to consolidate logs. A Security Information and Event Manager (SIEM) is a common way to do this. There is also a protocol, syslog, designed specifically for sending log messages from devices to a central collector. A SIEM will consolidate not only firewall logs but other logs, such as IDS logs, as well.

Reviewing the firewall logs in order to check for anomalous activities should be a part of every organization’s IT staff routine. Intrusion detection systems, which are covered in Chapter 5, can help a great deal with notifying the network administrator when anomalies occur, particularly anomalies that might indicate a potential attack. However, even with an IDS, it is still a good idea to periodically review the logs.

A study of the firewall logs during normal activity over a period of time will establish a baseline. That baseline should show the average number of incoming and outgoing packets per hour, minute, and day. It should also identify the types of packets (for example, 73% of incoming packets are HTTP packets destined for your web server). Defining normal activity on a firewall helps administrators notice abnormal activity, should it occur.
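As an added example (not from the book), the following Python script builds the kind of baseline described above from constructed netfilter-style syslog lines and then flags an hour whose packet volume or port mix departs from it. The log format, the addresses, the thresholds (three standard deviations, a 5% share for an unseen port) and all helper names are assumptions made for this illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Field layout the Linux netfilter LOG target writes via syslog; we keep hour, source, protocol, port.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2} \S+ kernel: .*SRC=(?P<src>\S+) "
    r".*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)

def parse(line):
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def constructed(hour, count, dpt, src):
    """Fabricate `count` log lines for one hour (constructed sample data, not real traffic)."""
    return [f"Mar 10 {hour:02d}:{i % 60:02d}:00 fw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT={dpt}" for i in range(count)]

def profile(lines):
    """Packets per hour, and each destination port's share of all packets."""
    per_hour, ports = Counter(), Counter()
    for rec in filter(None, map(parse, lines)):
        per_hour[rec["hour"]] += 1
        ports[f'{rec["proto"]}/{rec["dpt"]}'] += 1
    total = sum(ports.values())
    return per_hour, {p: n / total for p, n in ports.items()} if total else {}

def build_baseline(lines):
    per_hour, share = profile(lines)
    counts = list(per_hour.values())
    return {"mean": mean(counts), "stdev": pstdev(counts), "share": share}

def check_window(lines, baseline, k=3.0, new_port_min=0.05):
    """Compare one hour of logs against the baseline and return a list of findings."""
    per_hour, share = profile(lines)
    findings, volume = [], sum(per_hour.values())
    limit = baseline["mean"] + k * baseline["stdev"]
    if volume > limit:
        findings.append(f"volume {volume} exceeds baseline limit {limit:.1f}")
    for port, frac in share.items():
        if port not in baseline["share"] and frac >= new_port_min:
            findings.append(f"unseen port {port} carries {frac:.0%} of traffic")
    return findings

# Three ordinary hours (about 80% HTTP, 20% HTTPS) followed by one hour that also
# carries a burst of packets to TCP/23 from a single source. All lines are constructed.
BASELINE_LOG = (constructed(9, 40, 80, "203.0.113.5") + constructed(9, 10, 443, "198.51.100.7")
                + constructed(10, 48, 80, "203.0.113.5") + constructed(10, 12, 443, "198.51.100.7")
                + constructed(11, 32, 80, "203.0.113.5") + constructed(11, 8, 443, "198.51.100.7"))
WINDOW_LOG = (constructed(12, 40, 80, "203.0.113.5") + constructed(12, 10, 443, "198.51.100.7")
              + constructed(12, 60, 23, "203.0.113.99"))
BASELINE = build_baseline(BASELINE_LOG)
FINDINGS = check_window(WINDOW_LOG, BASELINE)  # two findings: excess volume and unseen TCP/23
```

Pointing `build_baseline` at a week of real LOG output and `check_window` at the most recent hour is enough to turn the routine log review described above into a repeatable check.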

Using Proxy Servers

A proxy server is often used with a firewall to hide the internal network’s IP addresses and present a single IP address (its own) to the outside world. A proxy server is a server that sits between a client application, such as a web browser, and a real server. Proxy servers prevent hackers from seeing the IP addresses of internal machines, knowing how many machines are behind the proxy server, or learning anything about the network configuration. Proxy servers also provide a valuable control mechanism because most proxy servers log all outgoing traffic. This enables network administrators to see where employees go on the Internet. A proxy server normally runs as software on the same machine as your firewall.

The proxy server is configured to redirect certain traffic. For example, incoming traffic using the HTTP protocol is usually allowed through the proxy server but is redirected to the web server. That means that all outgoing and incoming HTTP traffic first goes through the proxy server. A proxy server can be configured to redirect any traffic you want. If an e-mail server or FTP server is on the network, all incoming and outgoing traffic for those servers will run through the proxy server.

Using a proxy server means that when a machine inside the network visits a website, the website will only detect that the proxy server visited it. In fact, if dozens of different machines on the network visit a site that logs the IP addresses of incoming connections, they will all be logged with the same IP address—that of the proxy server. For the most part this sort of proxy server has been supplanted by network address translation, which we will examine in the next section. However, the term proxy server is still used, but with a different application. Now proxy servers work with the firewall to filter things such as web content. They allow a network administrator to block certain sites and to record all the websites a given user visits.

This hiding of the network is a very valuable service because knowledge of internal IP addresses can be used to execute certain forms of attack. For example, IP spoofing is contingent upon knowing the IP address of some internal server. Hiding those IP addresses is an important step in network security. It can also be very useful to know where employees go on the Internet. Proxy servers track such information, and many network administrators use this to restrict employees from using the company Internet connection for illicit purposes. This can also be a useful tool for stopping attacks. An employee who visits hacker websites might be a potential security risk. They may elect to try some of the techniques they read about on the company network. Administrators can also detect potential industrial espionage. An employee who spends a lot of time on a competitor’s website might be considering a job change and might consider taking valuable data with them.

The WinGate Proxy Server

A number of proxy server solutions are available. Some are commercial products, while others are open source. In order to help you understand proxy servers better, we will examine one such product. WinGate is an inexpensive commercial product that also offers a free trial download (available at www.wingate.com). This product has all of the standard features of a proxy server including:

• Internet connection sharing

• Hiding internal IP addresses

• Allowing virus scanning

• Filtering of sites

The free download option makes it ideal for students. You can use the 30-day trial version to learn how the proxy server works, without incurring any expense. The installation routine is simple, and the product has an easy-to-use graphical user interface.

Of course, there are other proxy server solutions you can find, and many of them are quite good. This one is being shown because it is:

• Easy to use

• Inexpensive

• Available as a free download

WinGate is also a good solution outside the classroom. The ability to filter certain websites is quite attractive to many companies. One way companies reduce abuse of system resources is by blocking sites they don’t want employees to use. The ability to also scan for viruses is valuable in any setting.

NAT

For many organizations, proxy servers have been superseded by a newer technology known as network address translation (NAT). Today what we call proxy servers don’t do what proxy servers originally did (i.e., translate a private IP address into a public IP address). First and foremost, NAT translates internal addresses and external addresses to allow communication between network computers and outside computers. The outside sees only the address of the machine running NAT (often the firewall). From this perspective it is functioning exactly like a proxy server.

NAT also provides significant security because, by default, it allows only connections that are originated on the inside network. This means that a computer inside the network can connect to an outside web server, but an outside computer cannot connect to a web server inside the network. You can make some internal servers available to the outside world via inbound mapping, which maps certain well-known TCP ports (80 for HTTP, 21 for FTP, etc.) to specific internal addresses, thus making services such as FTP or websites available to the outside world. However, this inbound mapping must be done explicitly; it is not present by default.
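To make the default-deny behavior and the explicit inbound mapping concrete, here is an added Python model of a NAT translation table; it is not from the book or from any product. The public address 203.0.113.1, the private hosts and the port numbers are constructed, and the rule that a reply must come from the host the flow was opened to is one policy choice (a symmetric NAT) rather than the behavior of every device.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Port-overloading NAT: outbound flows create table entries; an inbound
    packet is accepted only if it matches an entry or an explicit inbound mapping."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}        # external port -> (in_ip, in_port, remote_ip, remote_port)
        self.reverse = {}      # that 4-tuple -> external port, so a live flow reuses its port
        self.inbound_map = {}  # public port -> (in_ip, in_port); set explicitly by the admin

    def add_inbound_mapping(self, public_port, inside_ip, inside_port):
        self.inbound_map[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite a packet leaving the network so it carries the public address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.reverse:
            self.reverse[flow] = self.next_port
            self.table[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt) -> Optional[Packet]:
        """Translate an arriving packet, or return None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.table.get(pkt.dst_port)
        # Reply to a flow we opened: the sender must be the host we talked to.
        if flow and flow[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        if pkt.dst_port in self.inbound_map:
            in_ip, in_port = self.inbound_map[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None  # unsolicited connection attempt: dropped by default

def demo():
    """The four cases from the text, with constructed addresses."""
    nat = Nat("203.0.113.1")
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.30", 80))
    reply = nat.inbound(Packet("198.51.100.30", 80, "203.0.113.1", out.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", 80))
    nat.add_inbound_mapping(80, "192.168.1.10", 80)   # expose the internal web server
    forwarded = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", 80))
    return out, reply, unsolicited, forwarded
```

The same unsolicited packet is dropped before the mapping exists and delivered to the internal web server after it, which is exactly why inbound mappings deserve the same review as firewall rules.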

As you will see in subsequent chapters, NAT is frequently offered as a part of another product, such as a firewall. Unlike proxy servers, it is less likely to be found as a stand-alone product. However, Chapter 4 shows several firewall solutions that include network address translation functionality.

Summary

It is absolutely critical that any network have a firewall and NAT between the network and the outside world. There are a number of firewall types and implementations to consider. Some are easy to implement and inexpensive. Others may be more resource intensive, difficult to configure, or more expensive. Organizations should use the most secure firewall that their circumstances allow. For some firewalls, vendor-specific training may be essential for proper configuration of the firewall. A poorly configured firewall can be as much of a security hazard as having no firewall at all.

We have examined the various types of firewalls (packet screening, application gateway, circuit level gateway, and stateful packet inspection) as well as the implementations (network host-based, router-based, dual-homed, and screened). Understanding how a firewall works is essential for selecting an appropriate solution for a network’s security needs.

Test Your Skills

MULTIPLE CHOICE QUESTIONS

1. Which of the following are four basic types of firewalls?

A. Screening, bastion, dual-homed, circuit level

B. Application gateway, bastion, dual-homed, screening

C. Packet filtering, application gateway, circuit level, stateful packet inspection

D. Stateful packet inspection, gateway, bastion, screening

2. Which type of firewall creates a private virtual connection with the client?

A. Bastion

B. Dual-homed

C. Application gateway

D. Circuit level gateway

3. Which type of firewall is considered the most secure?

A. Dual-homed

B. Stateful packet inspection

C. Circuit level gateway

D. Packet screening

4. What four rules must be set for packet filtering firewalls?

A. Protocol type, source port, destination port, source IP

B. Protocol version, destination IP, source port, username

C. Username, password, protocol type, destination IP

D. Source IP, destination IP, username, password

5. What type of firewall requires individual client applications to be authorized to connect?

A. Screened gateway

B. Stateful packet inspection

C. Dual-homed

D. Application gateway

6. Why might a proxy gateway be susceptible to a flood attack?

A. It does not properly filter packets.

B. It does not require user authentication.

C. It allows multiple simultaneous connections.

D. Its authentication method takes more time and resources.

7. Why might a circuit level gateway be inappropriate for some situations?

A. It has no user authentication.

B. It blocks web traffic.

C. It requires client-side configuration.

D. It is simply too expensive.

8. Why is an SPI firewall less susceptible to spoofing attacks?

A. It examines the source IP of all packets.

B. It automatically blocks spoofed packets.

C. It requires user authentication.

D. It requires client application authentication.

9. Why is an SPI firewall more resistant to flooding attacks?

A. It automatically blocks large traffic from a single IP.

B. It requires user authentication.

C. It examines each packet in the context of previous packets.

D. It examines the destination IP of all packets.

10. What is the greatest danger in a network host-based configuration?

A. SYN flood attacks

B. Ping flood attacks

C. IP spoofing

D. Operating system security flaws

11. Which of the following is an advantage of the network host-based configuration?

A. It is resistant to IP spoofing.

B. It is inexpensive or free.

C. It is more secure.

D. It has user authentication.

12. Which of the following can be shipped preconfigured?

A. Stateful packet inspection firewalls

B. Network host-based firewalls

C. Router-based firewalls

D. Dual-homed firewalls

13. Which of the following solutions is actually a combination of firewalls?

A. Screened firewalls

B. Router-based firewalls

C. Dual-homed firewalls

D. Bastion host firewalls

14. It should be routine for someone in the IT security staff to

A. Test the firewall by attempting a ping flood

B. Review firewall logs

C. Reboot the firewall

D. Physically inspect the firewall

15. A device that hides internal IP addresses is called

A. Screened host

B. Bastion firewall

C. Proxy server

D. Dual-homed host

16. What is the most important security advantage to NAT?

A. It blocks incoming ICMP packets.

B. It hides internal network addresses.

C. By default it blocks all ICMP packets.

D. By default it only allows outbound connections.

EXERCISES

Don’t use live systems for labs.

With all exercises you should use only lab computers specifically set up for the purpose of experimentation. Never perform these lab exercises on live systems.

EXERCISE 3.1: Turning On Windows Firewall

Note: This exercise requires access to a machine with Windows 7, 8, or 10.

1. Go to Start, choose Settings, and click Control Panel. Or type control panel into the Search box.

2. Click Systems and Security.

3. Click Windows Firewall. From this screen you can turn the firewall on or off, and configure firewall rules.

EXERCISE 3.2: Linux Firewall

Note: This exercise requires access to a Linux machine. Given the various Linux distributions, it is not possible to list step-by-step instructions for all of them here.

1. Use the web to find the firewall documentation for your particular Linux distribution.

The following sites might help you:

http://www.linuxfromscratch.org/blfs/view/6.3/postlfs/firewall.html

https://www.linux.com/

https://www.networkcomputing.com/careers/your-iptable-ready-using-linux-firewall/885365766

2. Use those instructions to turn on and configure your Linux firewall.

EXERCISE 3.3: Free Firewalls

There are many commercial firewall solutions, but free solutions are also available. In this exercise you should:

1. Find one of them on the web. The following websites might be useful to you:

https://www.zonealarm.com/software/free-firewall

https://www.pandasecurity.com/security-promotion. This is a free trial of a commercial product.

2. Download and install it.

3. Configure it.

EXERCISE 3.4: Free Proxy Servers

There are a number of proxy servers that are available for free (or at least offer a free trial version) on the web. The following websites should help you locate one:

AnalogX Proxy: www.analogx.com/contents/download/network/proxy.htm

Free Downloads Center: http://www.proxy4free.com/

1. Download your chosen proxy server.

2. Install it.

3. Configure it according to vendor specifications.

PROJECTS

PROJECT 3.1: The Cisco Firewall

Using web resources or documentation to which you have access, look up the detailed specifications of the Cisco Firepower NGFW. Determine what type of firewall it is and what implementation it is. Also note any specific advantages or disadvantages.

PROJECT 3.2: ZoneAlarm Firewalls

Using web resources or documentation to which you have access, look up the detailed specifications of the Zone Labs Check Point Integrity firewall. Determine what type of firewall it is and what implementation it is. Also note any specific advantages or disadvantages. The following websites will probably be useful to you:

http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm

www.checkpoint.com/products/integrity/

PROJECT 3.3: Windows 10

Using web resources or documentation to which you have access, look up the detailed specifications of the Windows 10 Firewall. Determine what type of firewall it is and what implementation it is. Also note any specific advantages or disadvantages.
