3TGKB-0040

Last Edited: 28-01-05

Revision: 1.0


Firewalls, by Paul Eddington


I just thought that I would write a short article to describe what is and is not possible with a firewall.

Let’s start with a few definitions:

Transport Protocol:
A transport protocol is an agreed format of data with which to organise packets of data so that they can be routed over a network. Examples of transport protocols are TCP, IP, UDP, IPX, SPX, Appletalk, DLC, NetBEUI, PPP, PPTP. The Internet predominantly uses TCP/IP, with small amounts of the other protocols used behind the scenes.

An interesting thing to note about transport protocols is that one packet gets wrapped in another packet and then wrapped in another packet. This process is called encapsulation. For example, when you dial the Internet from home, you are in fact placing your web request (an HTTP packet) inside a TCP packet, inside an IP packet, inside a PPP packet. With me so far?

Application Protocols:
An application protocol is an agreed format for organising data for a specific operation. For example, HTTP is the Hyper Text Transfer Protocol, which defines how web pages will be coded at one end of a transmission, and then decoded in a meaningful way at the other end. Examples of application protocols are HTTP, FTP, SMTP, POP3, IMAP4, SMB, SNA, NCP, IRC, ICQ, MSN and Gnutella. From a security point of view it is important to note that different applications (and therefore the payload of different application protocols) are capable of doing different things. Some are dangerous, some are not.

The application protocol used by an application will dictate the default port that will 'listen out' at the receiving end and the valid verbs that are possible using that application protocol. For example, FTP listens out by default on port 21 for various verbs that are valid within the 'rules' of FTP such as PUT and GET.

Port:
A port is a logical pigeonhole. Nothing amazing. The default ports for TCP/UDP are numbered 0-1023. Some common default port numbers are: TCP port 80 (HTTP), TCP port 20,21 (FTP), TCP port 110 (POP3), TCP port 25 (SMTP).

Note that the sending port of one machine and the receiving port of another machine do not have to be the same. For example, port 110 of one PC might be talking to port 2576 of another PC.

Proxy:
A proxy is a person who acts on your behalf - e.g. Helen went to the meeting as my proxy.

Proxy Server:
A proxy server is a piece of software that intercepts your request for an Internet page, goes out onto the Internet and retrieves it on your behalf, and then forwards it to you. The current proxy server product from the Microsoft stable is called Internet Security and Acceleration Server 2003 (ISA 2003).

Access Control List (ACL):
An ACL is basically a list of allowed and disallowed rules. For example, when you try to access a file on the file server that you do not have permission to view, you receive an "Access Denied" message because your username is not listed on the ACL with the appropriate permission for that object.

Packet filter:
A packet filter is a piece of software (and/or hardware) that looks at the contents of a packet to see what the packet is trying to do. If the packet is attempting an operation that is allowed by its ACL, then the packet is allowed to pass. If not, the packet is dropped. A packet filter is a simplistic type of firewall. ISA 2003 has packet filtering capabilities.

Application Layer Firewall:
Application layer firewalls are the next generation of packet filtering firewalls. Essentially, they analyse packets not just in isolation: by reassembling and analysing the packet streams that make up individual application sessions, an application layer firewall can spot odd behaviour over an entire session.

Think of it like this: imagine you are the guy who has to bleep out naughty things from going to air on a radio station. If you were a packet filter you would simply react whenever you hear any word from a pre-defined list. If you were an application layer firewall you would react to any sentence that when put into context formed an offensive remark. That’s the difference between the two.

Firewall Appliance:
A firewall appliance is a piece of hardware and software that is tailor-made to interrogate packets and their contents. They are much faster and more configurable than application packet filters because they are made for the job. In that sense, they are generally considered to be harder to hack. Some popular firewall appliance vendors are Cisco, SonicWall and FireBox.

So what does the firewall do?
Righty-o. Now imagine you are in the reception area, and a courier walks in with a big number 80 on his head. You turn to him and say "Oh! Hello Mrs Web Page! You must be carrying some web traffic. According to your destination address, it is the proxy server that is waiting for you. Go straight through." Next courier has a big number 110 on his head. You smile and say "Hello Mr Email! I see that you are addressed to our mail server. He is in room 35. Go right ahead." Next courier has a big number 21 on his head. You look at him and say "Hmm. My records show that you have done some naughty things in the past. Would you mind telling me where you have come from, and who you are here to see? (mumble mumble anonymous address mumble mumble). Well sir, as your source or destination addresses do not appear on my ACL, I'm afraid I cannot let you in."

Essentially, a firewall (with application layer intelligence) only allows certain interfaces to run certain transport protocols to transport certain application protocols to run on certain ports from certain source addresses to certain destination addresses to perform certain operations. If that operation has been allowed, then the packet (or stream of packets) can traverse the firewall from one interface to another interface. If not, then the packet (or session) is dropped.
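To make the reception-desk story and the packet filter / application layer distinction concrete, here is an added example (not from the original article or any product it names): a tiny first-match ACL that judges each packet by port, source and destination, beside a session check that reassembles an FTP command stream before looking at its verbs. All addresses, the rule set and the sample session are constructed for illustration, and GET/PUT are used as the article uses them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str           # source address
    dst: str           # destination address
    dport: int         # TCP destination port: the number on the courier's head
    payload: str = ""  # application-protocol data carried inside

# Constructed ACL mirroring the reception-desk story (addresses are made up):
# (port, source, destination, action); "any" is a wildcard, first match wins,
# and the last entry is the catch-all deny that drops anything unlisted.
ACL = [
    (80,   "any",        "10.0.0.5",  "allow"),   # web traffic, proxy server only
    (110,  "any",        "10.0.0.35", "allow"),   # mail, to the server in "room 35"
    (21,   "192.0.2.10", "10.0.0.21", "allow"),   # FTP, only from one listed partner
    (None, "any",        "any",       "deny"),
]

def packet_filter(p: Packet, acl=ACL) -> str:
    """Classic packet filter: each packet is judged on its own header fields."""
    for port, src, dst, action in acl:
        if ((port is None or port == p.dport)
                and src in ("any", p.src) and dst in ("any", p.dst)):
            return action
    return "deny"  # nothing matched: drop

# Verb names as the article uses them (GET/PUT); uploads are disallowed here.
FORBIDDEN_VERBS = {"PUT"}

def per_packet_scan(packets) -> str:
    """Word-list approach: look for a forbidden verb inside each packet alone."""
    for p in packets:
        if any(v in p.payload.upper() for v in FORBIDDEN_VERBS):
            return "drop"
    return "allow"

def session_inspect(packets) -> str:
    """Application-layer approach: reassemble the stream, then judge whole commands."""
    stream = "".join(p.payload for p in packets)
    for line in stream.splitlines():
        if line.split(" ", 1)[0].upper() in FORBIDDEN_VERBS:
            return "drop"
    return "allow"

# Constructed FTP session whose PUT verb is split across two packets.
SESSION = [
    Packet("192.0.2.10", "10.0.0.21", 21, "USER anon\r\nPU"),
    Packet("192.0.2.10", "10.0.0.21", 21, "T secret.txt\r\n"),
]
```

Every packet of SESSION passes the ACL and the per-packet word scan, yet the reassembled session shows a PUT and is dropped; that is the "whole sentence in context" behaviour the radio-station analogy describes.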

So there you have it. That's firewalls.

And now a final word from Shaun Hackett:

"Just because it is a firewall, there is no need to set fire to it."

Thank you Shaun. That is very good advice.

Paul Eddington


KB Keywords: firewall stateful inspection Cisco SonicWall FireBox DMZ demilitarised demilitarized zone application layer intelligence CCSE