introduction
A firewall is a combination of a router and an IP packet filter. Its job is to protect a data network from bad guys. A firewall works in the network security business.
The LIC provides a web-based way of doing business, so it allows access from the Internet to its public Internet web servers and to its extranet web servers. The general public must be able to reach the LIC web servers to do business, and employees must be able to reach those same web servers to deal with that business. Access to every other server is denied to keep them safe. This is done using firewalls.
what it is
A firewall acts as a packet filter for TCP/IP traffic. The firewall filters packets depending on where each one comes from, where it is going and what service it is destined for. Packet filtering is one form of traffic inspection.
A small domestic firewall usually has three network interfaces: one connected to the Internet, one to the domestic network and one to a service DMZ, where its owner can put risky applications intended for Internet use, such as a web server. An enterprise firewall usually has many more interfaces for other DMZs. The firewall acts as a network router, sending packets back and forth between these interfaces.
Each request made by a client on the Internet to a server in the LIC arrives at the Internet firewall before it finishes its journey. The request arrives wrapped up in an IP packet. The firewall looks at the contents of the packet and makes a few decisions. The firewall decides:
- whether to throw the packet in the bin or let it continue on its way,
- which network interface to send it out of, and
- which bits of the packet to change.
It makes its decisions after reading the fields in the packet. The more complex a firewall, the cleverer its decisions, the more it costs and the slower it goes. There are three common types of firewall. A firewall's type lets you know how clever it is at reading packets, not how good at routing it is.
LIC table: types of firewall

| type | description |
|---|---|
| packet filtering | This type of firewall uses a list of rules to check each new request that arrives in an IP packet. Some network routers can also filter packets. Packet filters are very fast and cheap. A circuit-level firewall is a refinement of packet filtering: it checks the packets that set up a connection (the circuit) and, once the conversation has started, does no further checking. |
| stateful inspection | These firewalls do packet filtering and also keep track of every connection. They check that things happen in the right order, such as the TCP three-way handshake, and catch weirdness such as packets arriving in the wrong order or reply packets for a connection that was never opened. |
| application | These are the most complex. They are programmed to understand higher level protocols, for example adjusting their rules to cope with FTP data transfers and reading the HTTP requests carried inside TCP packets. They do a lot more checking. They sit in the conversation between a client and a server and may intervene, such as allowing different types of packets through temporarily or blocking dangerous looking requests. |
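The stateful inspection row above says the firewall tracks each connection and checks the order of the TCP three-way handshake. The following Python is an added example, not code from the original page: a small connection table that only opens an entry for a SYN leaving the inside network, then insists on SYN/ACK from the server and ACK from the client in that order, and denies and logs anything out of sequence (an unsolicited inbound SYN, an ACK with no handshake behind it, a SYN/ACK nobody asked for). The inside network 10.0.0.0/8, the addresses and the port numbers are assumptions for the example; real implementations also add timeouts and a half-close state, which are left out here.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum

# TCP flag bits as they appear in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class State(Enum):
    SYN_SENT = "SYN_SENT"          # client SYN seen, waiting for the server's SYN/ACK
    SYN_RECEIVED = "SYN_RECEIVED"  # server SYN/ACK seen, waiting for the client's ACK
    ESTABLISHED = "ESTABLISHED"    # handshake complete, data may flow both ways


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int


class StatefulFilter:
    """Connection table for TCP sessions opened from the inside network.

    Each packet is tied to a (client, server) key and is only allowed when it
    arrives in the order the three-way handshake dictates.  Everything else is
    denied and written to the log.
    """

    def __init__(self, inside_network: str):
        self.inside = ipaddress.ip_network(inside_network)  # assumed: 10.0.0.0/8
        self.table = {}   # (client_ip, client_port, server_ip, server_port) -> State
        self.log = []

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def _deny(self, pkt: Packet, reason: str) -> str:
        self.log.append(f"deny {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                        f"flags=0x{pkt.flags:02x} ({reason})")
        return "deny"

    def handle(self, pkt: Packet) -> str:
        outbound = self._is_inside(pkt.src_ip) and not self._is_inside(pkt.dst_ip)
        inbound = self._is_inside(pkt.dst_ip) and not self._is_inside(pkt.src_ip)
        if outbound:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        elif inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        else:
            return self._deny(pkt, "packet does not cross the firewall")

        syn_only = (pkt.flags & (SYN | ACK)) == SYN
        syn_ack = (pkt.flags & (SYN | ACK)) == (SYN | ACK)
        state = self.table.get(key)

        if state is None:
            # Only a fresh SYN from the inside may open a new entry.
            if outbound and syn_only:
                self.table[key] = State.SYN_SENT
                return "allow"
            return self._deny(pkt, "no matching connection")

        if state is State.SYN_SENT:
            if outbound and syn_only:          # client retransmitting its SYN
                return "allow"
            if inbound and syn_ack:
                self.table[key] = State.SYN_RECEIVED
                return "allow"
            return self._deny(pkt, "expected SYN/ACK from the server")

        if state is State.SYN_RECEIVED:
            if inbound and syn_ack:            # server retransmitting its SYN/ACK
                return "allow"
            if outbound and (pkt.flags & ACK) and not (pkt.flags & SYN):
                self.table[key] = State.ESTABLISHED
                return "allow"
            return self._deny(pkt, "expected ACK from the client")

        # ESTABLISHED: either side may send; a bare SYN is weirdness, FIN or RST closes the entry
        if syn_only:
            return self._deny(pkt, "SYN inside an established connection")
        if pkt.flags & (FIN | RST):
            del self.table[key]
        return "allow"
```

Because the table is keyed by the full four-tuple, a second client on the same inside host, or the same client talking to a second server, gets its own entry and its own handshake check.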
A firewall comes in many shapes and sizes. It may be a network appliance (a specialised computer dedicated to one job) or an application that runs on a general purpose computer. A firewall appliance with a lot of interfaces looks like a network switch because it has so many sockets on the front. A firewall with several interfaces like this is called multi-homed.
packet filtering
A request arrives contained in a packet of data called an IP (Internet Protocol) packet. This packet is wrapped around another packet called the TCP (Transmission Control Protocol) packet (strictly, a TCP segment). The TCP packet contains the request and the port numbers. A port number is a number between 0 and 65,535. The destination port number identifies the Internet service being requested. A web browser sends requests to ports 80 (HTTP) and 443 (HTTPS).

[LIC topology: a request wrapped up in packets]

The firewall needs to read both these packets to get this information, so it first does a bit of decoding. The firewall reads the "from" address and "to" address from the IP packet. The packet filter then extracts the TCP packet and reads the "from" and "to" port numbers. It infers what service the packet is destined for from these numbers. A packet filter does not read the request itself.
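The decoding step just described, as an added example in Python that is not part of the original page: it reads the from/to addresses out of the IPv4 header, uses the header length field to find where the TCP packet starts (a fixed offset of 20 is wrong when IP options are present), reads the from/to ports and flags, and stops short of the request itself. It also refuses packets that are not TCP at all, since the port fields only mean something for the protocol the IP header announces. The addresses, ports and HTTP payload in the sample packet are constructed for the example, and the builder leaves checksums at zero.

```python
import socket
import struct

IPPROTO_TCP = 6   # protocol number the IP header uses for TCP


def parse_ip_tcp(packet: bytes) -> dict:
    """Decode the IP header, then the TCP header wrapped inside it.

    Returns only what a packet filter needs: the from/to addresses, the from/to
    ports and the TCP flags.  The request (the TCP payload) is located but never read.
    """
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes; 20 without options
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IP header length")
    total_length = struct.unpack_from("!H", packet, 2)[0]
    if total_length > len(packet) or total_length < ihl + 20:
        raise ValueError("IP total length does not fit the bytes captured")
    protocol = packet[9]
    if protocol != IPPROTO_TCP:
        raise ValueError(f"not TCP (protocol {protocol})")
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])

    # The TCP packet starts where the IP header (including any options) ends.
    tcp = packet[ihl:total_length]
    src_port, dst_port, _seq, _ack, offset_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_offset = (offset_flags >> 12) * 4    # TCP header length in bytes; 20 without options
    flags = offset_flags & 0x01FF
    if data_offset < 20 or len(tcp) < data_offset:
        raise ValueError("bad TCP data offset")
    return {
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "flags": flags,
        "payload_length": len(tcp) - data_offset,   # the request, counted but not read
    }


def build_ip_tcp(src_ip, src_port, dst_ip, dst_port, flags=0x02,
                 payload=b"", ip_options=b"", protocol=IPPROTO_TCP) -> bytes:
    """Construct a sample packet for the example (checksums left at zero)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must pad to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    tcp_header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                             (5 << 12) | flags, 65535, 0, 0)
    total_length = ihl_words * 4 + len(tcp_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_length,
                            0, 0, 64, protocol, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_header + ip_options + tcp_header + payload


if __name__ == "__main__":
    # Constructed sample: a browser at 203.0.113.7 sending a GET to 5.6.7.8 port 80.
    pkt = build_ip_tcp("203.0.113.7", 51234, "5.6.7.8", 80, flags=0x18,
                       payload=b"GET / HTTP/1.1\r\n\r\n")
    print(parse_ip_tcp(pkt))
```

The length checks matter as much as the field reads: a packet filter that trusts the length fields blindly can be made to read past the end of a short packet or to misread the ports by padding the IP header with options.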
firewall rules
The firewall has a list of rules that tell it what to allow and what to deny. When the firewall receives a packet it starts with the first rule and checks whether the packet's details match. If they do, the firewall takes that rule's action and is finished. If not, it moves on to the next rule and tries again. These rules are created by a network administrator. The six rules in the table below allow a web browser to view the web site at address 5.6.7.8. The rules allow requests from both the Internet and the enterprise network. The rules allow ports 80 and 443, so the web browser URLs http://5.6.7.8/ and https://5.6.7.8/ both work. Any attempt to use another port is suspicious, so the firewall does not let the packet pass and writes a message to a log file.
LIC table: firewall rules that protect "5.6.7.8"

| rule | from address | from port | to address | to port | action | log |
|---|---|---|---|---|---|---|
| 1 | Any Internet address | Any port | 5.6.7.8 | 80 | allow | no |
| 2 | Any enterprise network address | Any port | 5.6.7.8 | 80 | allow | no |
| 3 | Any Internet address | Any port | 5.6.7.8 | 443 | allow | no |
| 4 | Any enterprise network address | Any port | 5.6.7.8 | 443 | allow | no |
| 5 | Any Internet address | Any port | 5.6.7.8 | Any port | deny | yes |
| 6 | Any enterprise network address | Any port | 5.6.7.8 | Any port | deny | yes |
The firewall checks the packet's information against its list of which combinations of addresses and services are allowed. Because the rules are tried in order, the two catch-all deny rules come last; placed first they would shadow every allow rule. Allowed packets are passed to the router, which sends them into the LIC; denied packets are thrown away. The firewall does the same thing in the other direction, from the LIC to the Internet, so it restricts access both in and out of the LIC.
A network administrator often needs to give customers access to a new web site. This involves editing the firewall rules to:
- allow the new site's public IP address and ports, and
- hide the real LIC IP addresses behind that public address using NAT (network address translation).
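The six-rule table and the two administrator steps above, worked through in Python as an added example that is not part of the original page. The rules are tried first to last; the first match decides, a matching deny with log set writes a line to the log, and an allowed packet has its "to address" rewritten from the public address to the hidden server before it is routed inwards. Assumptions for the example: the enterprise network is 10.0.0.0/8, "any Internet address" means any source outside that range, 5.6.7.8 hides a server at 192.168.50.10, and a packet that matches no rule at all is dropped and logged (default deny).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Assumed address plan for the example (not from the page).
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")
NAT_TABLE = {"5.6.7.8": "192.168.50.10"}   # public "to address" -> hidden LIC address
ANY = None                                  # wildcard for a port or an address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int
    from_zone: str            # "internet" or "enterprise"
    from_port: Optional[int]  # ANY or a specific port
    to_ip: Optional[str]      # ANY or a specific address
    to_port: Optional[int]    # ANY or a specific port
    action: str               # "allow" or "deny"
    log: bool

    def matches(self, pkt: Packet) -> bool:
        on_enterprise = ipaddress.ip_address(pkt.src_ip) in ENTERPRISE
        if self.from_zone == "enterprise" and not on_enterprise:
            return False
        if self.from_zone == "internet" and on_enterprise:
            return False
        return ((self.from_port is ANY or self.from_port == pkt.src_port)
                and (self.to_ip is ANY or self.to_ip == pkt.dst_ip)
                and (self.to_port is ANY or self.to_port == pkt.dst_port))


@dataclass(frozen=True)
class Verdict:
    rule: Optional[int]   # number of the rule that decided; None when nothing matched
    action: str
    packet: Packet        # the packet as it leaves the firewall (after NAT if allowed)


# The six rules from the table, in order.
LIC_RULES = [
    Rule(1, "internet",   ANY, "5.6.7.8", 80,  "allow", log=False),
    Rule(2, "enterprise", ANY, "5.6.7.8", 80,  "allow", log=False),
    Rule(3, "internet",   ANY, "5.6.7.8", 443, "allow", log=False),
    Rule(4, "enterprise", ANY, "5.6.7.8", 443, "allow", log=False),
    Rule(5, "internet",   ANY, "5.6.7.8", ANY, "deny",  log=True),
    Rule(6, "enterprise", ANY, "5.6.7.8", ANY, "deny",  log=True),
]


def destination_nat(pkt: Packet) -> Packet:
    """Rewrite the public 'to address' into the hidden LIC address before routing inwards."""
    hidden = NAT_TABLE.get(pkt.dst_ip)
    return replace(pkt, dst_ip=hidden) if hidden else pkt


class RuleSet:
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []

    def evaluate(self, pkt: Packet) -> Verdict:
        """First matching rule wins; a packet no rule matches is dropped (default deny)."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.log:
                self.log.append(f"rule {rule.number} {rule.action} "
                                f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            if rule.action == "allow":
                return Verdict(rule.number, "allow", destination_nat(pkt))
            return Verdict(rule.number, "deny", pkt)
        self.log.append(f"no rule matched {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port}, default deny")
        return Verdict(None, "deny", pkt)


if __name__ == "__main__":
    fw = RuleSet(LIC_RULES)
    for p in (Packet("203.0.113.7", 51234, "5.6.7.8", 80),    # Internet browser, HTTP
              Packet("10.1.2.3", 51234, "5.6.7.8", 443),      # employee, HTTPS
              Packet("203.0.113.7", 51234, "5.6.7.8", 22)):   # Internet, SSH: denied and logged
        print(fw.evaluate(p))
    print(fw.log)
```

The same code shows why rule order is part of the security policy: building a RuleSet with rule 5 moved to the top denies every Internet request, including the ones rules 1 and 3 were meant to allow.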
routing
The router part of the firewall directs the allowed packets to the right places. A firewall has an interface where a request arrives and another interface through which the request is sent on to its destination. It may have several more interfaces connected to different destinations: a company may have a firewall connected to a DMZ, an accounts department, a marketing department, an administration department and so on.
what it isn't
Much to do with fire or a wall.
where it is
Firewalls in the LIC are actually not single computers: they are pairs of computers. Each pair is configured as a high availability pair providing resilient, secure access into and out of the DMZs. If one breaks down people can still get to web sites because the other keeps on working.
history
In the early 1980s the first packet filters were created by Department of Defence research projects. Circuit-level firewalls appeared a few years later and application-level firewalls in the early 1990s.
A firewall used to be a collection of computers in a perimeter network. Now all the work is done by a single appliance, or by a resilient pair of them as in the LIC.


