
Firewall Basics

In document Foundations of Computer Security pdf (Page 198-200)

Network Security 7.1 Internet Vulnerabilities

7.6 Firewall Basics

A firewall is a combination of software and hardware that decides what kinds of requests and what specific data packets can pass to and from a computer or a local network. Figure 7.7 illustrates a typical hardware firewall that protects an entire local-area network. A firewall for a personal computer is normally fully implemented by software, whereas a small network of computers often found in a home (typically consisting of 2–3 computers and a printer) may use a hardware firewall that’s built into the network’s router.

The main task of a firewall is to block certain requests for data transfer, and the firewall makes these decisions based on rules. A firewall starts with some built-in (default) rules, and its user/owner can add, delete, and modify rules. We can say that a firewall enforces an access policy through the rules, and a rule tells the firewall what properties of a data packet to examine and how to decide whether to let the packet through or not.

Figure 7.7: A Firewall in a LAN. (Figure labels: To Internet, Firewall, Router.)

An effective firewall must be easy to adapt to the needs of any user. Such a firewall should be able to check any property of a data packet, should be able to take various actions depending on what it finds, and should do all this fast, so as not to slow down the flow of data to and from its host computer or network.

A typical firewall performs the following tasks: (1) limit incoming data, so that data coming from certain senders (or that has certain properties) will be blocked, (2) limit outgoing data, so a program will not be able to send data outside (to call home) without the owner’s knowledge, (3) generate and save a log of all its activities, especially on data packets it has blocked, and (4) do all this fast and be transparent to the user.

Examples of properties of data packets are the various fields in the header of a packet, such as device, direction, source and destination addresses, and source and destination ports. A rule may specify that all packets arriving at, say, port 5500 should be blocked, or that packets arriving from IP 192.168.1.50 should always be let in.

A firewall rule specifies a set of conditions and what action to take when a condition occurs. A complex rule can check several conditions, while a simple rule is limited to just one condition. Rules can also be hierarchical. In such a case, each rule is simple and checks one condition, but a rule can have several child rules, each checking one condition. This way, each rule is simple, but the overall performance can be complex.

In general, a rule consists of a condition and an action. A condition is a property, a relationship, and a value. For example, a condition may be destination port = 5500. If a condition is satisfied, the corresponding action is taken. Otherwise, the firewall proceeds to the next rule. In a hierarchical firewall, each condition also specifies its parent and its children (if any). In such a firewall, if a condition of a rule is met, the children of that rule will be tested one by one. If the condition is not met, then the sibling rule (the next rule on the same level) is checked. If none of the conditions of the sibling rules are met, the next rule on the previous level is checked. Figure 7.8 shows an example of a hierarchical tree of rules and the order in which they are checked.

Certain useful conditions may be unrelated to the content of any data packets. These include properties such as date, day of the week, time, parent idle time, and parent byte count. Experience gained by network administrators suggests that limiting access to certain Web sites or certain services during peak times of the day may improve overall network performance. Similarly, many restrictions on network usage may be relaxed or lifted on weekends.

Figure 7.8: Hierarchical Firewall Rules. (The figure labels the rules 1 through 16 in the order in which they are checked.)

A sophisticated firewall may maintain simple statistics on the data packets that satisfy each rule. When a packet satisfies a rule, its idle time is set to zero, its match count is incremented by 1, and its byte count is incremented by the size of the packet. Such statistics can be useful to the computer owner and to the network administrator, and can also be used in rules. For example, if a rule hasn’t detected data from a certain sender within a specified idle time, the action of the rule is executed (even though no data packet has been received) and may send a probe to the sender or may alert the user that the sender isn’t responding fast enough.

Examples of actions are “delete,” to delete a data packet, “pass,” to let it through (into or out of the computer), “drop,” to drop the connection (in case of a DoS attack that tries to hang up the connection), and “log,” to log the data packet and then apply the next rule to it. (For incoming data packets, the “drop” action sends a TCP RESET command to the sender, while for an outgoing packet the same action sends a small TCP FIN packet.)
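The following is an added example (not the book’s code) that puts the preceding description together: simple rules with a condition (property, relationship, value) and an action, child rules tested only when the parent’s condition is met, per-rule match and byte statistics, and a “log” action that records the packet and lets the next rule see it. The rule tree, the “out” rule’s port 6667, and the packets are constructed for illustration; 192.168.1.50 and port 5500 are the values used in the text.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional

LOG: List[str] = []  # the firewall's own activity log (task 3 in the text)

@dataclass
class Rule:
    """A simple rule: condition (property, relationship, value), action, children, stats."""
    prop: str                              # header field to examine, e.g. "dst_port"
    value: Any                             # value the field is compared with
    action: Optional[str] = None           # "pass", "delete", "drop", "log" or None
    rel: Callable[[Any, Any], bool] = lambda a, b: a == b   # the relationship
    children: List["Rule"] = field(default_factory=list)
    match_count: int = 0
    byte_count: int = 0

    def matches(self, pkt: dict) -> bool:
        return self.rel(pkt.get(self.prop), self.value)

def evaluate(rules: List[Rule], pkt: dict, default: Optional[str] = "pass"):
    """Check sibling rules in order. A matched rule updates its statistics and
    either decides the packet ("pass"/"delete"/"drop") or logs it and lets the
    next rule see it ("log"). A matched rule's children are tested one by one;
    if none of them decides, checking resumes with the next rule on this level."""
    for rule in rules:
        if not rule.matches(pkt):
            continue                       # condition not met: try the sibling
        rule.match_count += 1
        rule.byte_count += pkt["size"]
        if rule.action == "log":
            LOG.append(f"{rule.prop}={rule.value}: {pkt}")
        elif rule.action is not None:
            return rule.action
        verdict = evaluate(rule.children, pkt, default=None)
        if verdict is not None:
            return verdict
    return default                         # no rule on this level decided

# Constructed rule tree (hypothetical; only 192.168.1.50 and 5500 come from the text).
RULES = [
    Rule("direction", "in", children=[
        Rule("src_ip", "192.168.1.50", "pass"),    # trusted host is always let in
        Rule("dst_port", 5500, "delete"),          # everything else to port 5500 is blocked
        Rule("dst_port", 1024, "log", rel=lambda a, b: a < b),  # log low-port traffic
    ]),
    Rule("direction", "out", children=[
        Rule("dst_port", 6667, "delete"),          # stop a program "calling home"
    ]),
]
```

Note that rule order decides the outcome: the trusted-host rule is tested before the port-5500 block, so a packet from 192.168.1.50 to port 5500 passes while the same packet from any other host is deleted.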

The two main components of a firewall are the gate and the choke (there can be several such pairs in a large firewall). The gate transfers or blocks the data and the choke is the filter that decides which data to block. Those familiar with firewalls like to compare the gate to a security checkpoint and the choke to a security guard.

In addition to its main task of checking conditions and executing actions, a modern firewall can perform more sophisticated operations as described below.

A modern firewall may also include rules for checking the data of a data packet, not just the fields of its header. This useful feature is referred to as content filtering. The user may instruct the firewall to block all incoming (and perhaps all outgoing) data packets that contain a certain string of characters. This can block common viruses and worms that have already been detected and analyzed. An advanced firewall should also be able to recognize Ethernet hardware addresses (the so-called MAC addresses), so that the rules would be able to distinguish between outside traffic and local traffic.

Another advanced task is to limit the amount of data (the bandwidth) allocated to certain users or to certain applications. This way, a firewall can help in bandwidth management. Consider an ISP that offers cable Internet access to private users. A private user normally has one or two computers and generates a small amount of traffic, perhaps browsing, sending email, and transferring files. Also, most of this traffic should be incoming. As long as each user conforms to this pattern, the ISP can support many
