The Internet makes it possible to connect any computer, anywhere, to any other computer, anywhere. It is great fun to surf the vast Internet, visiting one website after another (effectively connecting with one computer after another) in search of useful information, entertainment and people to connect with. However, being connected to the Internet also carries risks from perpetrators who are out there to cause damage. Any computer or device connected to the Internet that is not properly protected is vulnerable to a variety of malicious intrusions and attacks. This applies to all users of cable modems, digital subscriber lines (DSL) and dial-up lines. Cable modem and DSL users are more exposed because both connection methods provide an always-on connection, and the likelihood of a malicious person entering your computer increases significantly the longer it stays on and connected to the Internet.
You would normally think that if you have installed anti-virus software, you are secure. While anti-virus software does protect you from viruses, spyware and malware, it has its own limitations. If you have a single computer to protect, you can install an anti-virus package that has a built-in personal firewall, and you are fairly secure. Of course, you need to configure the personal firewall to block unwanted access to your computer from the outside network.
If you have a network of computers, be it a home network or an organization's network, you need to consider setting up a firewall. In this article I will provide an overview of what a firewall is and a conceptual understanding of the subject. My discussion is primarily centered on small organizational networks and is most relevant for IT heads and security managers. However, as an individual you too can benefit from this knowledge.
Any small to medium sized organization will have a number of computers inter-connected through a LAN (a private local area network). The organization's LAN is normally connected to the Internet via a gateway or a router, so that all users can access the Internet for surfing and email. It is normal for an organization's computers to work on and store large amounts of confidential information: trade secrets, product development plans, marketing strategies, financial analysis, etc. For corporate security managers and administrators, preventing this vital data from leaking out to the outside world is a nightmare task. Imagine what can happen if your product plans and marketing strategies get into the hands of a competitor.
Apart from the danger of information leaking out, there is also the danger of information leaking in. In particular, viruses, worms and other digital pests can breach security, enter your network and destroy valuable data stored on the local computers. These are often imported by careless employees who want to play an online game or visit a pornographic site; such websites are a prime source of viruses and malware.
Hence there is an urgent need to put in place a mechanism whereby you can allow the good bits of data in and keep the bad bits out. This is where the firewall comes in. Most organizations connect to the Internet guarded by firewalls that are designed to prevent unauthorized access to their private networks.
To get a quick understanding of what a firewall is, imagine a medieval castle. To fortify the castle, the ruler would have a deep moat dug all around it and a drawbridge constructed as the single point of entry and exit. The drawbridge would be tightly guarded to screen off unwanted entry and exit, and when the castle was attacked, the drawbridge was raised, cutting off all intrusion. With this arrangement, rulers in olden days were able to keep their castles well protected.
An Internet firewall can be thought of as an electronic drawbridge and works on exactly the same philosophy. The organization's network is set up so that there is a single point of entry and exit to the Internet. A firewall, which is essentially a set of hardware devices and software, is placed at that point and screens off all unwanted access in both directions. Every data packet from any computer inside the private network to the outside world is routed through the firewall, and every data packet from the outside world to any computer within the private network is likewise routed through the firewall. The organization must enforce a strict policy that nobody may connect by any other means that bypasses this arrangement, such as a direct dial-up or wireless modem. Thus the organization need only focus on fortifying the firewall, which single-handedly controls access between the two networks.
A firewall imposes restrictions on incoming and outgoing packets to and from the private network. All traffic, whether incoming or outgoing, must pass through the firewall, and only authorized traffic is allowed through. The firewall creates checkpoints (also known as choke points) between the internal private network and the public Internet, and at those choke points it decides on each packet based on its source and destination IP addresses and its TCP or UDP port number. Using a tunnelling capability (for example IPsec tunnel mode), a firewall can also be used to implement a virtual private network (VPN) between sites. A firewall can further limit network exposure by hiding information about the internal network (its hosts and addresses) from the public Internet.
The firewall blocks all unauthorized communication between the machines within the organization and the outside world. Since all data traffic is routed through the firewall, it must have sufficient computational power to examine every incoming and outgoing packet without degrading data transmission speeds.
As mentioned earlier, the philosophy is that instead of trying to make every computer on an organization's network secure, one computer (with the help of a set of hardware devices and software) is made very secure by logically embedding it within the firewall. This computer is referred to as a bastion host.
To permit safe access, the firewall uses two logical barriers. The outer barrier blocks all incoming traffic except packets destined for services on the bastion host that the organization chooses to make available to the outside world, and packets destined for computers on the inside network that are connected to the bastion host. The inner barrier blocks all outgoing traffic except packets destined for a server on the bastion host.
The devices that make up a firewall are essentially gateways, routers and filters. Their inter-connection arrangement varies from one firewall design to another.
The adjacent image depicts a typical firewall design in which routers with packet filtering capability serve as the inner and outer barriers. The firewall in this configuration has two components: packet filters and an application gateway.
Simpler configurations also exist, but the advantage of this design is that every packet must transit two filters and an application gateway to go in or out; no other route exists. Each packet filter is a standard router equipped with extra functionality that allows every incoming and outgoing packet to be inspected. Packets meeting the pre-defined acceptance criteria are forwarded normally; packets that do not meet them are dropped. In this arrangement the packet filter on the inside network checks outgoing packets and the one on the outside network checks incoming packets. Packets that clear the first hurdle go to the application gateway for further examination. The point of putting the two packet filters on different networks is to ensure that no packet gets in or out without passing through the application gateway: there is no path around it.
Packet filters are typically driven by tables configured by the system administrator. These tables list sources and destinations that are acceptable, sources and destinations that are blocked, and default rules about what to do with packets coming from or going to other machines.
The dominant protocols in use on the Internet, viz. IP, TCP and UDP, carry certain control information that can be used to restrict access to hosts within the organizational network. The IP packet header contains the network addresses of both the sender and the recipient of the packet. Further, TCP and UDP provide the notion of a port, which identifies the endpoint of a communication path. In the common case, a source or destination therefore consists of an IP address and a port number. Port numbers indicate which service is desired: for example, port 23 is Telnet, port 79 is Finger, port 119 is USENET news (NNTP) and port 80 is normal web service (HTTP).
In some instances it may be desirable to deny access to a specific TCP or UDP port, or to certain hosts or an entire network altogether. For instance, a rule can be defined to block incoming packets to port 79 from all IP addresses, and another rule to block incoming packets to port 23 from all IP addresses. With these rules, nobody from the outside world will be able to log in via Telnet or look up people using the Unix Finger daemon. The firewall administrator can define yet another rule to block all outgoing packets to port 119, so the organization is spared employees spending all day reading USENET news.
Blocking outgoing packets is trickier because, although most sites stick to the standard port assignments, they are not required to do so: a server offering a blocked service on a non-standard port slips past a rule that only looks at the well-known port number. Furthermore, for certain important services, such as FTP (File Transfer Protocol), the port numbers used for the data connection are negotiated dynamically between client and server, so a static rule cannot describe them in advance.
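The following packet-filter simulator is an added example, not code from the article or from How2Lab. It implements the administrator's rule table described above (first matching rule wins, anything not explicitly accepted is dropped) and runs the article's own examples through it: inbound Telnet (23) and Finger (79) are blocked from everywhere, outbound USENET news (119) is blocked, and only the web service on the bastion host is published. The addresses, the LAN range and the catch-all "LAN may reach the Internet" rule are assumptions chosen for illustration. The last two constructed packets show the two caveats just mentioned: a news server on a non-standard port is not caught, and the inbound data connection of an active-mode FTP transfer is dropped because a stateless filter cannot recognise it as legitimate.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for illustration (not from the article).
BASTION = "203.0.113.10"        # the bastion host reachable from the Internet
INSIDE_NET = "192.168.10.0/24"  # the private LAN behind the inner filter


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = Internet -> private side, "out" = private side -> Internet
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One row of the administrator's table. A None field means 'any'."""
    action: str                  # "allow" (forward) or "deny" (drop)
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "192.168.10.0/24", or a single host
    dst: Optional[str] = None
    dport: Optional[int] = None  # destination port, i.e. the service requested

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def filter_packet(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet matching no rule gets the default (drop)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The article's examples as a rule table: no inbound Finger (79) or Telnet (23),
# no outbound news (119); web service on the bastion host is published; and the
# LAN may otherwise reach the Internet (assumed policy, not from the article).
RULES = [
    Rule("deny", direction="in", proto="tcp", dport=79),
    Rule("deny", direction="in", proto="tcp", dport=23),
    Rule("deny", direction="out", proto="tcp", dport=119),
    Rule("allow", direction="in", proto="tcp", dst=BASTION, dport=80),
    Rule("allow", direction="out", src=INSIDE_NET),
]


def demo() -> dict:
    """Run constructed packets through the table; returns {name: decision}."""
    packets = {
        "inbound_telnet":    Packet("in", "tcp", "198.51.100.7", 40001, BASTION, 23),
        "inbound_finger":    Packet("in", "tcp", "198.51.100.7", 40002, BASTION, 79),
        "inbound_web":       Packet("in", "tcp", "198.51.100.7", 40003, BASTION, 80),
        "inbound_ssh_lan":   Packet("in", "tcp", "198.51.100.7", 40004, "192.168.10.5", 22),
        "outbound_news":     Packet("out", "tcp", "192.168.10.5", 50001, "198.51.100.9", 119),
        "outbound_web":      Packet("out", "tcp", "192.168.10.5", 50002, "198.51.100.9", 80),
        # Caveat 1: a news server listening on a non-standard port is not caught.
        "outbound_news_alt": Packet("out", "tcp", "192.168.10.5", 50003, "198.51.100.9", 8119),
        # Caveat 2: active-mode FTP. The client told the server its data port and the
        # server now connects back, inbound, from port 20 to that dynamically chosen port.
        "ftp_data_return":   Packet("in", "tcp", "198.51.100.9", 20, "192.168.10.5", 49152),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {decision}")
```

Two design points are worth noting. The default action is deny, so a new service is unreachable until the administrator adds a row for it, which is the "accept only what meets the criteria" behaviour described above. And the catch-all outbound rule is what makes the non-standard-port evasion possible; tightening it to a list of permitted destination ports closes that gap at the cost of breaking anything that uses dynamic ports, which is exactly the trade-off that pushes FTP and similar protocols toward the application gateway.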
The second part of the firewall mechanism is the application gateway. Rather than just looking at raw packets, the gateway operates at the application level. A mail gateway, for example, can be set up to examine each message going in or coming out. For each message it decides whether to forward or discard it based on the message header fields, the message size, or even the content (e.g., at a military installation, the presence of words like nuclear or bomb might require some special action to be taken). Firewall installations normally have more than one application gateway, one for each type of service.
We have explained one type of firewall configuration here. However, several configurations exist, each with its own advantages and disadvantages. Below is a list of some commonly used configurations:
Essentially, which configuration an organization adopts depends on the relative importance of the following factors:
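The mail gateway described above, as an added example that is not the article's own code. It parses each message with Python's standard email library and applies the three kinds of check the paragraph names: header fields (the sender's domain must match the direction the message is travelling in, so outbound mail must come from the organization and inbound mail must not claim to), message size, and content (the article's watch words, which put the message on hold for special action rather than silently dropping it). The organization's domain, the size limit and the sample messages are constructed for the example.

```python
import re
from email import message_from_bytes
from email.policy import default as email_policy

# Constructed policy values (not from the article).
ORG_DOMAIN = "example.org"
MAX_SIZE = 64 * 1024                 # bytes; messages larger than this are discarded
WATCH_WORDS = ("nuclear", "bomb")    # the article's example of words needing special action
WATCH_RE = re.compile(r"\b(" + "|".join(map(re.escape, WATCH_WORDS)) + r")\b", re.IGNORECASE)


def message_text(msg) -> str:
    """Subject plus the decoded text of every text/* part; other attachments are skipped."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def sender_domain(msg) -> str:
    """Domain of the first address in the From header, or '' if absent/unparsable."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ""
    return hdr.addresses[0].domain.lower()


def gateway_decision(raw: bytes, direction: str) -> tuple:
    """Return (decision, reason); decision is 'forward', 'discard' or 'hold'."""
    # 1. Size check happens before parsing, so oversized input costs nothing to reject.
    if len(raw) > MAX_SIZE:
        return ("discard", "message exceeds size limit")
    msg = message_from_bytes(raw, policy=email_policy)
    # 2. Header checks.
    if msg["To"] is None:
        return ("discard", "missing To header")
    domain = sender_domain(msg)
    if not domain:
        return ("discard", "missing or unparsable From header")
    if direction == "out" and domain != ORG_DOMAIN:
        return ("discard", "outbound mail must originate from " + ORG_DOMAIN)
    if direction == "in" and domain == ORG_DOMAIN:
        return ("discard", "external mail claims an internal sender (spoofing)")
    # 3. Content check: a hit is held for special action, not silently dropped.
    hit = WATCH_RE.search(message_text(msg))
    if hit:
        return ("hold", f"content matched watch word '{hit.group(1)}'")
    return ("forward", "passed all checks")


def build(sender: str, recipient: str, subject: str, body: str) -> bytes:
    """Assemble a minimal RFC 5322 message (constructed sample input)."""
    return (f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n"
            f"Content-Type: text/plain; charset=utf-8\r\n\r\n{body}\r\n").encode()


def demo() -> dict:
    """Run constructed messages through the gateway; returns {name: decision}."""
    samples = {
        "outbound_ok":       ("out", build("alice@example.org", "bob@example.net", "Q3 plan", "Draft attached.")),
        "outbound_foreign":  ("out", build("alice@other.example", "bob@example.net", "Hi", "hello")),
        "inbound_spoofed":   ("in", build("ceo@example.org", "alice@example.org", "Urgent", "Wire the funds now.")),
        "inbound_watchword": ("in", build("press@example.net", "alice@example.org", "News", "Talks on the nuclear deal resumed.")),
        "oversized":         ("in", build("x@example.net", "alice@example.org", "Big", "A" * (MAX_SIZE + 1))),
        "no_recipient":      ("in", b"From: x@example.net\r\nSubject: hi\r\n\r\nbody\r\n"),
    }
    return {name: gateway_decision(raw, d)[0] for name, (d, raw) in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {decision}")
```

Because the gateway sees whole messages rather than packets, it can make decisions a packet filter cannot, such as the spoofed-internal-sender check; the price is that it must reassemble and parse every message, which is the computational cost the article warns the firewall must be sized for.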
Other factors such as cost, corporate policy, existing network technology, staffing, and organizational politics may also come into play and may influence the technical considerations.
CEO, Computer Solutions
Rajeev Kumar is the primary author of How2Lab. He is a B.Tech. from IIT Kanpur with several years of experience in IT education and software development. He has taught a wide spectrum of people including fresh young talents, students of XLRI, industry professionals and govt. officials.
Rajeev has founded Computer Solutions and WebServicesWorldwide.com, and has hands-on experience of building a variety of web applications and portals, including SaaS-based ERP and e-commerce systems, independent B2B, B2C, matrimonial and job portals, and many more.