Handbook of Information Security Management:Communications Security



TYPES OF FIREWALLS

Packet Filters

The most basic type of firewall is a packet filter. It receives packets and evaluates each one against a set of rules, usually expressed as access control lists. Depending on the first rule that matches, a packet may be forwarded to its destination, dropped silently, or rejected, that is, dropped with an error message (typically an ICMP unreachable) returned to the sender. The exact filtering criteria vary from one vendor’s product to another, but the following are the most frequently applied:

  Source and destination IP address (e.g., all packets from source addresses 128.44.9.0 through 128.44.9.255, i.e., the 128.44.9.0/24 block, might be accepted, but all other packets might be rejected)
  Source and destination port (e.g., all TCP packets originating from or destined to port 25 [the SMTP port] might be accepted, but all TCP packets destined for port 79 [the finger port] might be dropped)
  Direction of traffic (inbound or outbound)
  Type of protocol (e.g., IP, TCP, UDP, IPX, and so forth)
  The packet’s state (SYN or ACK) [8]

[8] A TCP packet with only the SYN bit set is the opening packet of a new connection; a packet with the ACK bit set belongs, or claims to belong, to a connection that has already been established. Rules that admit only ACK packets are how a stateless filter lets replies to outbound connections back in. Note that the filter sees only the flag bits, so it has no way to tell whether such a packet really belongs to an existing connection.

Packet-filtering firewalls give a reasonable amount of protection with a minimum of complication. Filtering rules can be quite intuitive and are therefore easy to set up. One simple but surprisingly effective rule is to allow all packets sent from a specific, known set of IP addresses, such as the hosts of another network owned by the same organization or corporation. Packet-filtering firewalls also have the least impact on throughput at the gateway of any firewall type, and they tend to be the most transparent to legitimate users: if the rules are set up appropriately, users obtain the access they need with little interference from the firewall.

Unfortunately, simplicity has its disadvantages. The rules this type of firewall implements are based on port conventions. When an organization wants to stop certain service requests (e.g., telnet) from reaching internal (or external) hosts, the most logical rule is to block the port that by convention carries that service’s traffic (in this case, port 23). Blocking this port, however, does not stop someone inside the network from running a telnet service on a different port that the firewall’s rules leave open. In addition, blocking some kinds of traffic causes practical problems. Blocking X-Windows traffic (typically sent to ports 6000 to 6013) would superficially seem a good security measure, given the many known vulnerabilities in this protocol. Many types of remote log-in request and graphical application depend on X-Windows, however. Blocking X-Windows altogether may thus restrict functionality too much, leading to the decision to allow all X-Windows traffic, which makes the firewall a much less effective barrier. In short, firewalling schemes based on ports do not provide the precision of control that many organizations need. Furthermore, packet-filtering firewalls are often deficient in logging, particularly in logging that can be configured to an organization’s needs (capturing only certain events in some cases and all events in others), and they often lack the remote administration facilities that save considerable time and effort. Finally, creating and updating filtering rules is prone to logic errors that open easy conduits for unauthorized access to a network, and the task can be much larger and more complex than anticipated.

Like many other security tools, packet-filtering firewalls have become more sophisticated over time. Some vendors now offer programs that check the logic of a rule set for contradictions and other errors. Some packet-filtering firewalls additionally offer strong authentication mechanisms, such as token-based authentication. Many vendors’ products also now defend against a technique that used to defeat packet filters outright: IP fragmentation. Only the first fragment of a fragmented datagram carries the TCP or UDP header, so a conventional packet filter has no port numbers to evaluate in the remaining fragments and simply passes them; an attacker can also shape the fragments (the “tiny fragment” and overlapping-fragment tricks) so that the header the destination host sees after reassembly is not the one the filter inspected. In this way packets to a disallowed address or port can be slipped past the filter and reassembled on the target host, bypassing the firewall altogether. Some vendors have therefore developed a special kind of packet-filtering firewall that prevents these attacks by remembering the state of the connections passing through it [9]. Some of these state-conscious firewalls can even associate each inbound packet with the specific outbound connection it belongs to (and vice versa), which makes enforcement of the filtering rules much simpler.


[9] Because UDP is connectionless, its packets carry no connection state for the firewall to read. A stateful firewall therefore remains exposed to UDP-based attacks unless it records each UDP packet it has passed (source and destination address and port) and treats a subsequent packet in the opposite direction, with the addresses and ports reversed and arriving within a short timeout, as the reply belonging to it.
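The rule criteria listed above (address, port, direction, protocol and SYN/ACK state) and the state-tracking and fragmentation discussion just given can be made concrete with a small simulation. The following Python is an added example written for this edition, not code from the handbook or from any vendor’s product; the policy, the hosts (10.0.0.20 inside, 203.0.113.9 outside, 128.44.9.7 on the trusted sister network) and every packet are constructed for illustration. It implements a first-match access control list, shows why a stateless filter must pass a non-initial fragment it cannot inspect and why an ACK-based “established” rule accepts a packet whose ACK bit was simply forged, and then shows a stateful filter that admits replies (TCP and UDP alike) only by matching the reversed tuple of a flow it already accepted and admits a later fragment only after accepting the first fragment of the same datagram:

```python
import functools
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (toward the protected network) or "out"
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int]  # None when no transport header is present
    dport: Optional[int]
    syn: bool = False
    ack: bool = False
    ip_id: int = 0        # IP identification, shared by every fragment of one datagram
    frag_offset: int = 0  # > 0 marks a non-initial fragment, which carries no ports

@dataclass(frozen=True)
class Rule:
    action: str
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None           # CIDR such as "128.44.9.0/24"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: Optional[bool] = None  # True: ACK bit set, i.e. not a fresh SYN

    def matches(self, p: Packet) -> bool:
        return all([
            self.direction is None or p.direction == self.direction,
            self.proto is None or p.proto == self.proto,
            self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src),
            self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst),
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            self.established is None or p.ack == self.established,
        ])

def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return DROP

def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Classic stateless behaviour: a non-initial fragment has no port numbers, cannot be
    checked against port rules, and is passed for reassembly at the destination host."""
    return ACCEPT if p.frag_offset > 0 else evaluate(rules, p)

class StatefulFilter:
    """Remembers accepted flows (TCP and UDP alike) and accepted initial fragments."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Tuple] = set()      # (proto, src, sport, dst, dport) let through
        self.datagrams: Set[Tuple] = set()  # (src, dst, ip_id) whose first fragment passed

    def filter(self, p: Packet) -> str:
        if p.frag_offset > 0:
            return ACCEPT if (p.src, p.dst, p.ip_id) in self.datagrams else DROP
        # A reply is recognised by the reversed tuple of an accepted flow, not by the ACK bit.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            verdict = ACCEPT
        else:
            verdict = evaluate(self.rules, p)
        if verdict == ACCEPT:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            self.datagrams.add((p.src, p.dst, p.ip_id))
        return verdict

# Constructed policy: block telnet, accept inbound SMTP, trust the sister network
# 128.44.9.0/24, allow anything outbound. The stateless variant needs an extra
# "established" rule so that replies to outbound connections can get back in.
BASE_POLICY = [
    Rule(DROP, proto="tcp", dport=23),
    Rule(ACCEPT, direction="in", proto="tcp", dport=25),
    Rule(ACCEPT, direction="in", src="128.44.9.0/24"),
    Rule(ACCEPT, direction="out"),
]
STATELESS_POLICY = BASE_POLICY[:3] + [Rule(ACCEPT, direction="in", proto="tcp", established=True)] + BASE_POLICY[3:]
INSIDE, OUTSIDE, SISTER = "10.0.0.20", "203.0.113.9", "128.44.9.7"  # constructed hosts

def run_demo() -> dict:
    sl = functools.partial(stateless_filter, STATELESS_POLICY)
    sf = StatefulFilter(BASE_POLICY)
    r = {}
    r["smtp_syn"] = sl(Packet("in", "tcp", OUTSIDE, INSIDE, 40001, 25, syn=True))
    # First match wins: the telnet drop precedes the sister-network accept.
    r["sister_telnet"] = sl(Packet("in", "tcp", SISTER, INSIDE, 40002, 23, syn=True))
    # A forged ACK bit toward a blocked service satisfies an ACK-based "established" rule.
    r["forged_ack_finger"] = sl(Packet("in", "tcp", OUTSIDE, INSIDE, 40003, 79, ack=True))
    # A lone non-initial fragment has no ports, so the stateless filter waves it through.
    r["orphan_fragment"] = sl(Packet("in", "tcp", OUTSIDE, INSIDE, None, None, ip_id=7, frag_offset=1))
    # The stateful filter has no matching flow and no accepted first fragment for either...
    r["stateful_forged_ack"] = sf.filter(Packet("in", "tcp", OUTSIDE, INSIDE, 40003, 79, ack=True))
    r["stateful_orphan_fragment"] = sf.filter(Packet("in", "tcp", OUTSIDE, INSIDE, None, None, ip_id=7, frag_offset=1))
    # ...but recognises a UDP DNS reply by the reversed tuple of the outbound query.
    sf.filter(Packet("out", "udp", INSIDE, OUTSIDE, 53001, 53))
    r["udp_reply"] = sf.filter(Packet("in", "udp", OUTSIDE, INSIDE, 53, 53001))
    return r

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:26s} {verdict}")
```

Run it directly and it prints one verdict per scenario. Note the ordering effect in the policy: the telnet drop is listed before the sister-network accept, so even 128.44.9.7 cannot telnet in; swapping those two rules would silently reopen telnet from that whole network, which is exactly the kind of rule-logic error the text warns about.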

Many routers have packet-filtering capabilities and can thus, in a sense, be considered a type of firewall. Using a packet-filtering router as the sole choke component within a gate, however, is unlikely to provide sufficient security: routers are more exposed to attack than dedicated firewall hosts, and they generally log traffic poorly, if at all. A screening router is also usually awkward to administer, often requiring that a network administrator download its configuration file, edit it, and send it back to the router. The main advantage of screening routers is that they provide a certain amount of filtering with (usually) little performance overhead and minimal interference to users, who, because of these routers’ simple functionality, may hardly realize one is in place. One good way to use a packet-filtering router is as the external router in a belt and suspenders topology (refer once again to Exhibit 1). The filtering performed by the external router protects the “real” firewall by making unauthorized access to it harder still. The gate then has more than one choke component, providing multiple barriers against anyone intent on attacking the internal network and helping compensate for configuration errors and vulnerabilities in any single component.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the information that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you in your studies and also show your appreciation to Auerbach for letting me use their book on the site.