Firewalls

References

_Practical TCP/IP_, Niall Mansfield, Addison-Wesley, 2003

Motivation: control access to a subnet

Packet filtering

Simple rules about traffic based on source and destination IP addresses and ports. The general approach is an ordered list of rules; the first rule that matches a packet decides its fate, and evaluation stops there.

Reverse traffic is a problem: the response to a connection request initiated from the inside is directed to an ephemeral port, which a static rule list cannot predict. A packet filter therefore generally has to leave all ports open to non-SYN packets.

Stateful packet inspection

"Real" firewalls maintain state. They monitor connections to know what to expect. Example:
Connection request from inside, using local port 1234, to port 80 on an outside host.
Pending connection entered into state table.
ACK from outside to port 1234.
The ACK is expected, so it is allowed through to port 1234.
Unexpected packets are denied.
Firewalls and packet filters can both be programmed to allow incoming connection requests to certain ports and internal IPs. But a packet filter allows any type of packet (SYN, ACK, data) through based on this rule.

A firewall, in contrast, can filter out bogus packets that are not associated with an established connection. This defeats certain types of attacks where packets are sent without establishing a TCP connection.
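To make the contrast concrete, here is an added simulation (not from the notes or from the referenced book) of a first-match packet filter beside a stateful firewall. It assumes a hypothetical internal subnet 10.0.0.0/24 with a published web server at 10.0.0.5:80; packets and addresses are constructed for the demonstration.

```python
from collections import namedtuple

INSIDE_PREFIX = "10.0.0."        # assumed internal subnet
WEB_SERVER = ("10.0.0.5", 80)    # assumed published internal web server

# syn=True marks a connection request; everything else is a non-SYN packet
Packet = namedtuple("Packet", "src sport dst dport syn", defaults=[False])

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

# Stateless rule list: (direction, dst port or None, SYN flag or None, action).
# First matching rule wins; anything unmatched is denied.
RULES = [
    ("out", None, None, "allow"),    # anything from inside may leave
    ("in", 80, True, "allow"),       # inbound connection requests to port 80
    ("in", None, False, "allow"),    # replies land on ephemeral ports, so all
]                                    # non-SYN inbound packets must be let in

def stateless_filter(pkt):
    direction = "out" if is_inside(pkt.src) else "in"
    for rule_dir, dport, syn, action in RULES:
        if (rule_dir == direction and dport in (None, pkt.dport)
                and syn in (None, pkt.syn)):
            return action
    return "deny"

class StatefulFirewall:
    def __init__(self):
        self.state = set()   # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt):
        if is_inside(pkt.src):
            if pkt.syn:          # outbound request: record it as pending
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:    # expected reply to a tracked connection
            return "allow"
        if pkt.syn and (pkt.dst, pkt.dport) == WEB_SERVER:
            self.state.add(key)  # published service: accept and track it
            return "allow"
        return "deny"            # bogus packet with no connection behind it

def compare(packets):
    """Run the same packet sequence through both filters."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]
```

Feeding both filters an outbound request, its legitimate reply, and then an unsolicited ACK to the same ephemeral port shows the difference: the stateless rules must admit the bogus ACK, while the state table rejects it.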

UDP and ICMP

These protocols are connectionless. A smart firewall however can maintain "pseudo sessions" for this type of traffic to better filter incoming packets.

For example, a ping from the inside can be tracked so that the ICMP responses to the ping are allowed through, whereas ICMP packets that arrive but are not part of a "session" are denied.

Authentication

Firewalls can provide for user authentication. Once authenticated, access can be granted to certain internal IP/port combinations such as web or mail servers. Firewalls that maintain state can require large amounts of memory and CPU time if their traffic is heavy.

Application level gateways (ALG)

When a firewall is a piece of software that extends up through the application layer, it's called an ALG.

ALGs don't simply relay requests from outside. They take a request apart at the application protocol level and re-issue a request to a server on the inside if they are satisfied the request is safe and legitimate.

An ALG involves two distinct TCP connections: one from the outside client to the ALG, and another from the ALG to the server.

Examples:

FTP GET commands could be allowed while PUT commands are denied.

HTTP requests to certain URLs could be filtered.

De-militarized Zones (DMZ)

A firewall with a connection to 2 LANs: one the trusted internal LAN, and a second semi-trusted LAN. Both are protected by the firewall.

The semi-trusted LAN hosts servers (web, DNS, etc.) that the public needs to reach.

The trusted LAN hosts internal servers. Access from the semi-trusted LAN to the trusted LAN goes through the firewall and is as restrictive as possible.

Features

Firewalls often combine multiple features in a single box. For example, they might offer NAT, DHCP, authentication, logging, and a hub/switch.