Chapter 5
Firewall Planning and Design
Misconceptions about Firewalls
Some business managers who have heard of a firewall in relation to Internet security have the notion that it is designed to
prevent all hackers, viruses, and would-be intruders from entering a computer or computer network. Their notion is not true,
however, because firewalls are designed to enable authorized traffic to pass through and block unauthorized traffic.
It is often thought that, once a firewall is deployed, you only need to let it operate on its own. The fact is that firewalls are not
perfect and work best when they are part of a multi-pronged approach to network security known as Defense in Depth (DiD).
Firewalls Explained
In general, a firewall is anything, whether hardware or software (or a combination of hardware and software), that can filter
the transmission of packets of digital information as they attempt to pass through a boundary of a network. Firewalls perform
two basic security functions:

Packet filtering: First and foremost, a firewall must be able to determine whether to allow or deny the passage of
packets of digital information, based on established security policy rules.

Application proxy: In some cases, a firewall may provide network services to users while shielding individual host
computers. This is done by breaking the IP flow (which is the traffic into and out of the network) between the
network being protected and the network outside.
Firewall Security Features
Firewalls
Logging unauthorized access
Providing a virtual private network
Authentication
Shielding hosts inside the network
Caching data
Filtering content
Firewall User Protection
For a single home user who regularly surfs the Web and uses e-mail and instant messaging, a firewall’s primary job is to keep
viruses from infecting files and prevent Trojan horses from entering the system and installing hidden openings called back
doors, which can be used for access at a later time.
Firewall Network Perimeter Security
A firewall is often said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The
network boundary is the point at which one network connects to another.
1
If you have an extranet, an extended network that combines two or more LANs, the location of the “perimeter” becomes
unclear. If you maintain a VPN with a supplier or business partner, the VPN should have its own perimeter firewall because
your network boundary technically extends to the end of the VPN. Note that locating the firewall at the perimeter has one
obvious benefit: it enables you to set up a checkpoint where you can block “bad things” like viruses and infected e-mail
messages before they get inside. Another benefit is that a firewall enables you to log passing traffic, protecting the whole
network at the same time. If an attack does occur, having a security subnet at the perimeter can minimize the damage.
Firewall Components
A firewall can contain many components, including:
Packet filter
Proxy server
Firewall
Authentication system
Components Software that performs Network Address Translation (NAT)
Many firewalls make use of a bastion host, a machine that has no unnecessary services. A network that needs to connect to
the Internet might have been a bastion host and a service network. Together, they are the only part of the organization
exposed to the Internet.
Firewall Security Tasks
A firewall that does packet filtering addresses the tendency of hackers to open an attack by scanning for network addresses
and open ports. (A port is a virtual gateway on a computer through which a particular type of data is allowed to pass. Each
port is assigned a number between 0 and 65,535). Initially, a hacker uses special software to scan a series of addresses,
attempting to connect to a computer on each one. If any computer answers, it gives the hacker a target. Any gateway or router
acting as a packet filter on your network or in your firewall should be configured to reject connection requests from
computers that are not on your network.
Note that a port number combined with a computer’s IP address constitutes a network connection called a socket. Software
that is commonly used by hackers attempts to identify sockets that respond to connection requests. The sockets that respond
can be targeted to see if they have been left open or if they have security vulnerabilities that can be exploited. Some examples
include:
Protocols
Simple Mail Transport Protocol (SMTP) listens on port 25
Post Office Protocol, version 3 (POP3) listens for incoming mail on port 110
Hypertext Transport Protocol (HTTP) Web services use port 80
Restricting Access from Outside the Network
The most obvious goal of a firewall is to regulate which packets of information can enter the network. To do so, a firewall
examines each packet to determine whether it meets the necessary “authorized” criteria. The criteria might be protocols or IP
addresses on an “approved” list. Anything not on the list is excluded.
Restricting Unauthorized Access from Inside the Network
In some ways, it is relatively easy to protect a network from the Internet but more difficult to protect it from an inside attack.
You should be aware of the following possibilities:
2
Inside
Attacks
Staff who bring floppy disks that are virus-infected
Staff who access their office computers from home using remote access software that
bypasses the perimeter firewall
Social engineering
Poorly trained firewall administrators
Employees who receive e-mail messages with executable attachments
Limiting Access to External Hosts
Firewalls can selectively permit traffic to go from inside the network to the Internet or other networks to provide more
precise control of how employees inside the network use external resources. In other words, the firewall can act as a proxy
server that makes high-level application connections on behalf of internal hosts and other machines. A single firewall product
can provide both outbound packet filtering and outbound proxy services.
Protecting Critical Resources
Attacks on critical resources are becoming all too common. Worms are one type of attack. They “worm” their way into a
computer in an e-mail attachment or a downloaded file, where they then replicate themselves. They are only slightly different
than viruses, which also worm their way into a computer but then do much more destructive behavior than just replication.
Trojan horses are similar to viruses; they contain malicious code that is hidden inside supposed harmless programs.
Distributed Denial of Service (DDoS) attacks are just as harmful. They are caused when a hacker floods a server with
requests, shutting down the server and making Web sites and networks that depend on that server unreachable.
Protecting Against Hacking
Hacking, in general, is the practice of infiltrating computers or networks to steal data, cause harm, or simply claim credit for
getting inside. The impacts of this type of attack include:
Impacts of
Attack
Loss of data
Loss of time
Loss of staff resources
Loss of confidentiality
Providing Centralization
A firewall centralizes security for the organization it protects. It simplifies the security-related activities of the network
administrator, who typically has many other responsibilities. Having a firewall on the perimeter gives the network
administrator a single location from which to configure security policies and monitor arriving and departing traffic.
Enabling Documentation
Every firewall should be configured to provide information to the network administrator in the form of log files. These log
files record attempted intrusions and other suspicious activity, as well as mundane events like legitimate file accesses,
unsuccessful connection attempts, and the like.
Providing for Authentication
Authentication is the process of logging in to a server with a username and a password before being allowed access to
protected information. Only users who have registered their username and password are recognized by the server and allowed
3
to enter. The authentication process can also be performed at the firewall and can make use of encryption to protect the
usernames and passwords transmitted from client to server (or client to firewall).
Contributing to a VPN
A firewall is an ideal endpoint for a VPN, which connects two companies’ networks over the Internet. A VPN is one of the
safest ways to exchange information online.
Types of Firewall Protection
Some examples of firewall functions and the corresponding layers at which they operate include:
Layer Number
7
6
5
4
3
2
1
OSI Reference Model Layer
Application
Presentation
Session
Transport
Network
Data Link
Physical
Firewall Technology
Application-level gateway
Encryption
SOCKS proxy server
Packet filtering
NAT
N/A
N/A
Packet Filtering
Packet filters are an effective element in any perimeter security setup. In addition, they have the advantage of not taking up
bandwidth, or the capacity of network cables to convey information, the way proxy servers do.
A packet, which is sometimes called a datagram, contains two types of information: the header and the data. Packet filters use
packet headers to decide whether to block the packet or allow it to pass through a firewall. Note that your job as a system
administrator would be to configure the firewall to deny all packets that arrive from outside but contain a source IP address
that seems to be coming from within the network.
Stateless Packet-Filtering Firewalls
Stateless inspection, also called stateless packet filtering, is firewall packet inspection that ignores the state of the connection
between the internal computer and the external computer. A firewall that conducts stateless packet filtering simply blocks or
allows a packet based on the information in the header.
Stateful Packet-Filtering Firewalls
Stateful inspection, also called stateful packet filtering, is an examination of the data contained in a packet as well as the state
of the connection between internal and external computers. This information, known as the state table, is kept in a memory
location called the cache. Stateful inspection is superior to stateless inspection because it uses the connection state to make
decisions on whether to allow the traffic.
4
Packet-Filtering Rules
Some of the most general packet-filtering rules include:
Rules
Any outbound packet must have a source address that is in your internal network.
Any outbound packet must not have a destination address that is in your internal
network.
Any inbound packet must not have a source address that is in your internal network.
Any inbound packet must have a destination address that is in your internal network.
Any packet that enters or leaves your network must have a source or destination
address that falls within the range of addresses in your network.
Filter rules can affect the transmission of packets. These rules include the use of the following:
 Internet Control Message Protocol (ICMP)
 User Datagram Protocol (UDP)
 TCP filtering
 IP filtering
PAT and NAT
Each computer on the network is assigned an IP address. If that address is static, it is relatively easy for a hacker to find it and
gain access to the computer more than once. With a static, reliable IP address, a hacker can use a computer as a staging area
for launching long, sustained attacks.
Port Address Translation (PAT) and Network Address Translation (NAT) are addressing methods that make internal network
addresses invisible to outside computers. PAT and NAT hide the TCP/IP information of hosts in the network being protected
to prevent attackers from getting the address of an actual host on your internal network.
PAT and NAT function as a Network-level proxy; the proxy acts as a single host that makes requests on behalf of all internal
hosts on the network. NAT hides the identity of hosts from anyone outside of the network by converting the IP address of
internal hosts to the IP address of the firewall. To someone on the Internet or outside network, it seems like all information is
coming from a single computer.
Application Layer Gateways
Another type of firewall protection is the Application layer gateway, also known as a proxy server. This type of gateway
works at the Application layer, the top layer of the OSI model of network communications.
A complete overview of firewalls and what they do would not be complete without mentioning the following security
techniques:
Security
Techniques
Load balancing
IP address mapping
Filtering content
URL filtering
5
Firewall Categories
Firewalls can be categorized by processing mode, generation, or structure. Firewalls categorized by level of technology are
identified by generation, with the later generations being more complex and more recently developed. Firewalls categorized
by intended structure are typically divided into categories including residential-, or commercial-grade, hardware-based,
software-based, or appliance-based devices.
Processing Mode
The processing modes are: packet filtering, application gateways, circuit gateways, MAC layer firewalls, and hybrids.
Packet-Filtering Firewalls
Packet-filtering firewalls examine the header information of data packets that come into a network. The restrictions most
commonly implemented are based on a combination of:
 Internet Protocol (IP) source and destination address
 Direction (inbound or outbound)
 Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests
Simple firewall models examine one aspect of the packet header: the destination and source address. They enforce address
restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
They accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators.
There are three subsets of packet-filtering firewalls:
 Static filtering
 Dynamic filtering
 Stateful inspection
Static filtering requires that the filtering rules governing how the firewall decides which packets are allowed and which are
denied are developed and installed.
Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with the event.
While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic
packet-filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through
the firewall.
Stateful inspection firewalls, or stateful firewalls, keep track of each network connection between internal and external
systems using a state table, which tracks the state and context of each packet in the conversation by recording which station
sent which packet and when.
Whereas simple packet-filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can
block incoming packets that are not responses to internal requests.
The primary disadvantage of this type of firewall is the additional processing required to manage and verify packets against
the state table, which can leave the system vulnerable to a DoS or DDoS attack.
6
Application Gateways
The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a
dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router. The
application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a service request.
Since the proxy server is often placed in an unsecured area of the network or in the DMZ, it—rather than the Web server—is
exposed to the higher levels of risk from the less trusted networks.
Additional filtering routers can be implemented behind the proxy server, limiting access to the more secure internal system
and thereby further protecting internal systems.
Circuit Gateways
The circuit gateway firewall operates at the transport layer. Connections are authorized based on addresses. Like filtering
firewalls, circuit gateway firewalls do not usually look at data traffic flowing between one network and another, but they do
prevent direct connections between one network and another.
They accomplish this by creating tunnels that connect specific processes or systems on each side of the firewall and then
allowing only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels.
MAC Layer Firewalls
While not as well known or widely referenced as the firewall approaches above, MAC layer firewalls are designed to operate
at the media access control layer of the OSI network model. This gives these firewalls the ability to consider the specific host
computer’s identity in its filtering decisions.
Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types
of packets that can be sent to each host, and all other traffic is blocked.
Hybrid Firewalls
Hybrid firewalls combine the elements of other types of firewalls—that is, the elements of packet filtering and proxy services
or of packet filtering and circuit gateways.
Alternately, a hybrid firewall system can consist of two separate firewall devices; each is a separate firewall system, but they
are connected so that they work in tandem.
Firewalls Categorized by Generation
First-generation firewalls are static packet-filtering firewalls; that is, they are simple networking devices that filter packets
according to their headers as the packets travel to and from the organization’s networks.
Second-generation firewalls are application-level firewalls or proxy servers; that is, they are dedicated systems that are
separate from the filtering router and that provide intermediate services for requestors.
Third-generation firewalls are stateful inspection firewalls, which monitor network connections between internal and external
systems using state tables.
7
Fourth-generation firewalls are dynamic packet-filtering firewalls and allow only a particular packet with a particular source,
destination, and port address to enter.
Fifth-generation firewalls are the kernel proxy, a specialized form that works under the Windows NT Executive, which is the
kernel of Windows NT.
Firewalls Structures
Firewall appliances are stand-alone, self-contained systems that frequently have many of the features of a general-purpose
computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the
likelihood of their being compromised.
A commercial-grade firewall system consists of firewall application software running on a general-purpose computer.
Organizations can install firewall software on an existing general-purpose computer system, or they can purchase hardware
that has been configured to the specifications that yield optimum performance for the firewall software.
SOHO and residential-grade firewall devices, also known as broadband gateways or DSL/cable modem routers, connect the
user’s local area network or a specific computer system to the Internetworking device. The SOHO firewall serves first as a
stateful firewall to enable inside-to-outside access, and it can be configured to allow limited TCP/IP port forwarding and/or
screened subnet capabilities.
Residential-grade firewall software is installed directly on the user’s system. Some of these applications combine firewall
services with other protections such as antivirus or intrusion detection. There are limits to the level of configurability and
protection that software firewalls can provide.
Software vs. Hardware: The SOHO Firewall Debate
So which type of firewall should the residential user implement? Where would you rather defend against a hacker?
With the software option, the hacker is inside your computer, battling with a piece of software that may not have been
correctly installed, configured, patched, upgraded, or designed. If the software happens to have a known vulnerability, the
hacker could bypass it and then have unrestricted access to your system.
With the hardware device, even if the hacker manages to crash the firewall system, your computer and information are still
safely behind the now disabled connection, which is assigned a nonroutable IP address, making it virtually impossible to
reach from the outside.
Firewall Architectures
Each of the firewall devices noted earlier can be configured in a number of network connection architectures. The firewall
configuration that works best for a particular organization depends on three factors: the objectives of the network, the
organization’s ability to develop and implement the architectures, and the budget available for the function.
Although literally hundreds of variations exist, there are four common architectural implementations of firewalls:
 Packet-filtering routers
 Screened host firewalls
 Dual-homed host firewalls
 Screened subnet firewalls
8
Packet-Filtering Routers
Most organizations with an Internet connection have a router as the interface to the Internet at the perimeter between the
organization’s internal networks and the external service provider. Many of these routers can be configured to reject packets
that the organization does not allow into the network.
The drawbacks to this type of system include a lack of auditing and strong authentication and the fact that the complexity of
the access control lists used to filter the packets can grow and degrade network performance.
Screened Host Firewalls
This architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server,
allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy.
The application proxy examines an application layer protocol and performs the proxy services. This separate host is often
referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be thoroughly secured.
Dual-Homed Host Firewalls
With this approach, the bastion host contains two NICs. One NIC is connected to the external network, and one is connected
to the internal network, providing an additional layer of protection. With two NICs, all traffic must go through the firewall in
order to move between the internal and external networks.
Implementation of this architecture often makes use of NAT. NAT is a method of mapping assigned IP addresses to special
ranges of nonroutable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.
Screened Subnet Firewalls (with DMZ)
The dominant architecture used today, the screened subnet firewall provides a DMZ. The DMZ can be a dedicated port on the
firewall device linking a single bastion host, or it can be connected to a screened subnet.
A common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering
router, with each host protecting the trusted network:


Connections from the outside or untrusted network are routed through an external filtering router.
Connections from the outside or untrusted network are routed into—and then out of—a routing firewall to
the separate network segment known as the DMZ.
 Connections into the trusted internal network are allowed only from the DMZ bastion host servers.
The screened subnet is an entire network segment that performs two functions:

It protects the DMZ systems and information from outside threats by providing a network of intermediate
security.
 It protects the internal networks by limiting how external connections can gain access to internal systems.
DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into
place to provide services that are not available to the general public.
Limitations of Firewalls
Firewalls should not be the only form of protection for a network. They should be part of an overall security plan and should
be used in conjunction with other forms of protection, including ID cards, passwords, and employee rules of conduct.
9