Concept

The most commonly accepted network protection is a barrier—a firewall between the corporate network and the outside world (untrusted network). The term firewall can mean many things to many people, but basically it is a method of placing a device—a computer or a router—between the network and the Internet to control and monitor all traffic between the outside world and the local network.

Typically, the device allows insiders to have full access to services on the outside while granting access from the outside only selectively, based on log-on name, password, IP address or other identifiers, as shown in the figure below.

Fig: Firewall-secured Internet Connection

Generally speaking, a firewall is a protection device to shield vulnerable areas from some form of danger. In the context of the Internet, a firewall is a system—a router, a personal computer, a host, or a collection of hosts—set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. A firewall system is usually located at a gateway point, such as a site's connection to the Internet, but it can also be located at internal gateways to protect smaller collections of hosts or subnets.

Firewalls come in several types and offer various levels of security. Generally, firewalls operate by screening packets and/or the applications that pass through them, provide controllable filtering of network traffic, allow restricted access to certain applications, and block access to everything else. The actual mechanism that accomplishes filtering varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one to block incoming traffic and the other to permit outgoing traffic. Some firewalls place a greater emphasis on blocking traffic, and others emphasize permitting traffic.

In short, the general reasoning behind firewall usage is that, without a firewall, network security is a function of each host on the network and all hosts must cooperate to achieve a uniformly high level of security. The larger the subnet, the less manageable it is to maintain all hosts at the same level of security. As mistakes and lapses in security become more common, break-ins can occur not as the result of complex attacks, but because of simple errors in configuration and inadequate passwords.

Types of Firewall

Firewalls range from simple traffic logging systems that record all network traffic flowing through the firewall in a file or database for auditing purposes to more complex methods such as IP packet screening routers, hardened firewall hosts, and proxy application gateways. The simplest firewall is a packet-filtering gateway or screening router. Configured with filters to restrict packet traffic to designated addresses, screening routers also limit the types of services that can pass through them.

More complex and secure are application gateways. They are essentially PCs or UNIX boxes that sit between the Internet and a company's internal network to provide proxy services to users on either side. For example, a user who wants to FTP in or out through the gateway would connect to FTP software running on the firewall, which then connects to machines on the other side of the gateway. Screening routers and application gateway firewalls are frequently used in combination when security concerns are very high.

IP Packet Screening Routers:

This is a static traffic routing service placed between the network service provider's router and the internal network. The traffic routing service may be implemented at the IP level via screening rules in a router or at the application level via proxy gateways and services. The figure below shows a secure firewall with an IP packet screening router.

Fig: Secure firewall with IP packet screening router

The firewall router filters incoming packets, permitting or denying each IP packet according to a set of screening rules. These screening rules, implemented in the router, are applied automatically. Rule criteria include the target interface to which the packet is routed, a known source IP address, and the incoming packet's protocol (TCP, UDP or ICMP). ICMP stands for Internet Control Message Protocol, a network management tool of the TCP/IP protocol suite.

Although properly configured routers can plug many security holes, they do have several disadvantages. First, screening rules are difficult to specify, given the vastly diverse needs of users. Second, screening routers are fairly inflexible and do not easily extend to deal with functionality different from that preprogrammed by the vendor. Lastly, if the screening router is circumvented by a hacker, the rest of the network is open to attack.
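The screening rules described above, matched on arrival interface, source address and protocol, can be modelled as an ordered rule list with a default deny. The following is an added example written for this section, not the text's own code; the interface names, the rule set and the address ranges (taken from the reserved documentation blocks) are constructed for illustration.

```python
"""Simulated IP packet screening router (added example, not part of the text).
Rules match on arrival interface, source IP (CIDR) and protocol, and are
evaluated in order with a default DENY."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on ("ext" or "int")
    src: str                     # source IP address
    proto: str                   # "TCP", "UDP" or "ICMP"
    dport: Optional[int] = None  # destination port; None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                  # "PERMIT" or "DENY"
    iface: Optional[str] = None  # None matches any interface
    src: Optional[str] = None    # CIDR block; None matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def screen(rules, p: Packet) -> str:
    """Apply the first matching rule; anything not explicitly permitted is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "DENY"

# Constructed rule set. The internal subnet is 192.0.2.0/24 and the partner
# network 198.51.100.0/24 (both reserved documentation ranges, chosen here).
RULES = [
    # Anti-spoofing: traffic arriving from outside must not claim an internal source.
    Rule("DENY", iface="ext", src="192.0.2.0/24"),
    # Selective inbound access: mail (TCP/25) only from the partner network.
    Rule("PERMIT", iface="ext", src="198.51.100.0/24", proto="TCP", dport=25),
    # Inbound ICMP from anywhere is dropped.
    Rule("DENY", iface="ext", proto="ICMP"),
    # Insiders have full access to outside services.
    Rule("PERMIT", iface="int", src="192.0.2.0/24"),
]
```

Because rule order decides the outcome, the anti-spoofing deny must precede any permit that could otherwise match a forged internal address.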

Proxy Application Gateways:

A proxy application gateway is a special server that typically runs on a firewall machine. Its primary use is access to applications such as the World Wide Web from within a secure perimeter, as shown in the figure below. Instead of talking directly to external WWW servers, each request from the client is routed to a proxy on the firewall that is defined by the user. The proxy knows how to get through the firewall. An application-level proxy makes a firewall safely permeable for users in an organization, without creating a potential security hole through which hackers can get into corporate networks. The proxy waits for a request from inside the firewall, forwards the request to the remote server outside the firewall, reads the response, and then returns it to the client. In the usual case, all clients within a given subnet use the same proxy. This makes it possible for the proxy to cache efficiently documents that are requested by a number of clients. The proxy must be in a position to filter dangerous URLs and malformed commands.

Fig: Proxy servers on the World Wide Web
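The request-validation, policy-filtering and shared-caching behaviour of the application-level proxy described above, as an added example that is not part of the original text. The outside connection is replaced by a constructed `fake_fetch` function, and the request-line format and blocked-host list are assumptions made here for illustration.

```python
"""Simulated application-level web proxy (added example, not from the text).
Each client request line is validated, checked against a URL policy, served
from a cache shared by all clients behind the firewall, or else forwarded."""
from urllib.parse import urlsplit

class ProxyError(Exception):
    """Raised when a request is malformed or rejected by policy."""

class WebProxy:
    def __init__(self, fetch, blocked_hosts):
        self.fetch = fetch                  # callable(url) -> body; stands in for the outside connection
        self.blocked_hosts = {h.lower() for h in blocked_hosts}
        self.cache = {}                     # url -> body, shared by every client on the subnet
        self.upstream_requests = 0          # how often the proxy actually went outside

    def parse_request(self, line: str) -> str:
        """Accept only 'GET <absolute-http-URL> HTTP/1.x'; anything else is a malformed command."""
        parts = line.strip().split(" ")
        if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
            raise ProxyError("malformed request line")
        url = urlsplit(parts[1])
        if url.scheme != "http" or not url.hostname:
            raise ProxyError("only absolute http URLs are accepted")
        if url.hostname.lower() in self.blocked_hosts:
            raise ProxyError("URL blocked by policy")
        return parts[1]

    def handle(self, line: str) -> str:
        """Serve from cache when possible; otherwise forward once and remember the answer."""
        url = self.parse_request(line)
        if url not in self.cache:
            self.upstream_requests += 1
            self.cache[url] = self.fetch(url)
        return self.cache[url]

def fake_fetch(url: str) -> str:
    """Constructed stand-in for the connection to the remote server outside the firewall."""
    return "<html>" + url + "</html>"
```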

Hardened Firewall Hosts: A hardened firewall host is a stripped-down machine that has been configured for increased security. This type of firewall requires inside or outside users to connect to the trusted applications on the firewall machine before connecting further. Generally, these firewalls are configured to protect against unauthenticated interactive log-ins from the external world. This, more than anything, helps prevent unauthorized users from logging into machines on the network.

The hardened firewall host method can provide a greater level of audit and security, in return for increased configuration cost and a decreased level of service (because a proxy needs to be developed for each desired service).