Understanding Firewall Technologies

Packet filtering firewalls examine incoming and outgoing packets based on rules and allow or block them based on attributes like source/destination IP addresses and ports. Circuit relay firewalls validate connections before allowing data exchange by opening sessions for limited periods. Application gateway firewalls act as a proxy for all applications, performing all data exchange according to specific rules.


What is a firewall?

Contents: The Word; Location, Location, Location; Packet Filtering; Circuit Relay; Application Gateway; The Stack; References
(This page is not intended to present a complete description of all firewall functions, nor is it intended to sell any product. It is meant only to convey a good basic concept of what a firewall is to home users. If techno stuff is totally mysterious to you, brace yourself for a little bit of strange new terminology. I've tried to define terms and to use as much plain English as possible, in hopes you'll find it comprehensible. I invite anyone who can to point out errors of fact or important omissions.)
The Word
The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, so "firewall" is an excellent metaphor for network security.
In computer networking, the term firewall is not merely descriptive of a general idea. It has come to mean some very precise things.
Location, Location, Location
The most important aspect of a firewall is that it sits at the entry point of the networked system it protects. In the case of Packet Filtering, it works at a low level, or "layer", in the hierarchy (stack) of network processes: the Network Layer (also called the Internet Layer), where IP addresses become visible, together with the port numbers of the Transport Layer just above it. This means essentially that the firewall is the first program or process that receives and handles incoming network traffic, and the last to handle outgoing traffic.
The logic is simple: a firewall must be positioned to control all incoming and outgoing traffic. If some other program has that control, or if traffic can reach the system by a path that bypasses the firewall, there is no firewall.
So -- what do firewalls do?
The most basic type of firewall performs Packet Filtering.
A second type of firewall, which provides additional security, is called a Circuit Relay.
Another and still more involved approach is the Application Level Gateway.
Packet Filtering
All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When a larger amount of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications occur in packets.
A packet is basically a series of binary numbers which conveys these things:
The data, acknowledgment, request or command from the originating system
The source IP address and port
The destination IP address and port
Information about the protocol (set of rules) by which the packet is to be handled
Error-checking information
Usually, some sort of information about the type and status of the data being sent
Often, a few other things too, which don't matter for our purposes here.
In packet filtering, only the protocol and the address information (IP addresses and ports) of each packet are examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data. (This describes a stateless packet filter. Most packet filters in use today are "stateful": they also remember which connections are already open, which takes them part of the way toward the Circuit Relay described below.)
Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.
Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination IP address or port
Allowing or disallowing packets according to protocol.
This is the original and most basic type of firewall.
Packet filtering alone is very effective as far as it goes, but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:
Address information in a packet can potentially be falsified or "spoofed" by the sender, and a filter that trusts a source address alone cannot tell the difference. (The usual defence is to also consider which interface a packet arrived on: a packet arriving from the outside that claims an inside source address is bogus and can be dropped.)
The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where an attacker exploits a known bug in a targeted Web server program to make it do his bidding, or uses a stolen password to gain control or access. The filter sees only headers, so it cannot recognise either.
An advantage of packet filtering is its relative simplicity, ease of implementation and speed.
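The rule evaluation described above, as an added example (this is not code from the original page). Packets are reduced to the header fields the page lists (protocol, source and destination address and port), rules are checked in order with the first match deciding, and anything matching no rule is dropped. The "iface" field and the anti-spoofing rule go beyond the page's own list of criteria: they show the standard answer to the spoofing weakness, where a packet arriving on the outside interface with an inside source address is rejected before any allow rule can see it. The addresses and rule format are assumptions of this example.

```python
"""Stateless packet filter (added example, not the page's own code).

Rules are evaluated top to bottom; the first matching rule decides;
a packet that matches no rule is denied (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "wan" or "lan"
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    sport: Optional[int]  # source port (None for icmp)
    dst: str              # destination IP address
    dport: Optional[int]  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    iface: Optional[str] = None    # None means "any"
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR network, e.g. "192.168.1.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every criterion that is set must match; unset criteria are wildcards."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


LAN = "192.168.1.0/24"   # assumed inside network

# Policy as the page describes it: source address, destination port, protocol.
# It trusts anything that merely claims a LAN source address.
NAIVE_POLICY = [
    Rule("allow", src=LAN),                          # inside hosts may send anything
    Rule("allow", proto="tcp", dst=LAN, dport=80),   # outside may reach the web server
]

# Same policy with an ingress (anti-spoofing) rule in front: a packet that
# arrives on the WAN interface cannot legitimately carry a LAN source address.
HARDENED_POLICY = [Rule("deny", iface="wan", src=LAN)] + NAIVE_POLICY

SAMPLE = {   # constructed packets for the demonstration
    "web":     Packet("wan", "tcp", "203.0.113.7", 51000, "192.168.1.10", 80),
    "telnet":  Packet("wan", "tcp", "203.0.113.7", 51001, "192.168.1.10", 23),
    "spoofed": Packet("wan", "udp", "192.168.1.5", 53, "192.168.1.10", 137),
    "lan_out": Packet("lan", "tcp", "192.168.1.10", 40000, "203.0.113.7", 443),
}


def evaluate(policy):
    """Return the decision for every sample packet under the given policy."""
    return {name: filter_packet(policy, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, policy in (("naive", NAIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, evaluate(policy))
```

Under the naive policy the spoofed datagram is allowed because its forged source address satisfies the first rule; under the hardened policy it is dropped, while the legitimate web request and the outbound LAN connection are unaffected. The telnet attempt is denied by both because no rule admits port 23.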
Circuit Relay
Also called a "Circuit Level Gateway," this is a firewall approach that validates connections before allowing data to be exchanged.
What this means is that the firewall doesn't simply allow or disallow individual packets but also determines whether the connection between the two ends is valid according to configurable rules, then opens a session and permits traffic only between the two ends of that session, and possibly only for a limited period of time. Whether a connection is valid may, for example, be based upon:
destination IP address and/or port
source IP address and/or port
time of day
protocol
user
password
Every session of data exchange is validated and monitored, and all traffic is disallowed unless a session is open.
Circuit Level Filtering takes control a step further than a Packet Filter. Among the advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, which never validates the source address as a function of the protocol: a datagram that does not belong to a session the gateway has opened is simply not relayed, whatever address it carries. IP spoofing is thereby rendered much more difficult.
A disadvantage is that Circuit Level Filtering operates at the Transport Layer and may require substantial modification of the programming which normally provides transport functions (e.g. Winsock). In practice the client must be made aware of the gateway, as with SOCKS, the best-known circuit-level protocol, which needs either SOCKS-aware applications or a replacement Winsock library. The gateway also does not look inside the data it relays, so it cannot stop an attack carried within a permitted session.
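The session-tracking behaviour described in this section, as an added example (not code from the original page). A connection request is validated against rules built from the page's criteria (source network, destination port, time of day), an approved request opens a session with a limited lifetime, and afterwards only packets belonging to an open session pass, in either direction. A packet with no session is dropped even when its addresses would satisfy a plain packet filter, which is what makes spoofed or stray datagrams ineffective. The rule format, the injected clock (so that expiry and time-of-day can be exercised without waiting) and the addresses are assumptions of this example.

```python
"""Circuit-level gateway with time-limited sessions (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """The transport-layer endpoints of one packet."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The same circuit seen from the other end (the reply direction)."""
        return Flow(self.dst, self.dport, self.src, self.sport)


class CircuitRelay:
    def __init__(self, rules, clock, session_ttl=300):
        self.rules = rules        # list of {"src_net": CIDR, "dport": int, "hours": (start, end)}
        self.clock = clock        # callable returning seconds since midnight
        self.ttl = session_ttl    # how long an idle session stays open
        self.sessions = {}        # Flow -> expiry time

    def _connection_allowed(self, flow: Flow) -> bool:
        """Validate a new connection against source network, port and time of day."""
        now = self.clock()
        for r in self.rules:
            in_net = ip_address(flow.src) in ip_network(r["src_net"])
            in_hours = r["hours"][0] <= now < r["hours"][1]
            if in_net and flow.dport == r["dport"] and in_hours:
                return True
        return False

    def _expire(self):
        """Drop sessions whose time limit has passed."""
        now = self.clock()
        self.sessions = {f: exp for f, exp in self.sessions.items() if exp > now}

    def handle(self, flow: Flow, connection_request=False) -> str:
        """Return 'allow' or 'deny' for one packet of the given flow."""
        self._expire()
        if connection_request:
            if not self._connection_allowed(flow):
                return "deny"
            self.sessions[flow] = self.clock() + self.ttl   # open the session
            return "allow"
        # Data packets pass only if they belong to an open session, either direction.
        if flow in self.sessions or flow.reverse() in self.sessions:
            return "allow"
        return "deny"


class FakeClock:
    """Controllable clock so the demonstration does not depend on real time."""
    def __init__(self, seconds):
        self.t = seconds

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Assumed policy: inside hosts may open web connections during office hours.
RULES = [{"src_net": "192.168.1.0/24", "dport": 80, "hours": (8 * 3600, 18 * 3600)}]


def demo():
    """Walk one client through the relay and collect every decision."""
    clock = FakeClock(9 * 3600)                      # 09:00
    relay = CircuitRelay(RULES, clock, session_ttl=60)
    client = Flow("192.168.1.10", 40000, "203.0.113.7", 80)   # constructed flow
    results = {}
    results["data_before_session"] = relay.handle(client)
    results["connect"] = relay.handle(client, connection_request=True)
    results["data_in_session"] = relay.handle(client)
    results["reply_in_session"] = relay.handle(client.reverse())
    # A datagram from an unrelated host aimed at the client's port: no session, so dropped.
    stray = Flow("198.51.100.9", 40000, "192.168.1.10", 40000)
    results["stray"] = relay.handle(stray)
    clock.advance(61)                                # session lifetime exceeded
    results["data_after_expiry"] = relay.handle(client)
    clock.t = 22 * 3600                              # 22:00, outside permitted hours
    results["connect_after_hours"] = relay.handle(client, connection_request=True)
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:22s} {decision}")
```

The stray datagram is the point of the exercise: a packet filter judging it by addresses alone would have to decide from the header, whereas the relay rejects it simply because no session exists for that circuit. The same logic drops the client's own traffic once the session has expired.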
Application Gateway
In this approach, the firewall goes still further in its regulation of traffic.
The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. The remote system talks only to the proxy, which can render a computer behind the firewall all but invisible to it.
Because the proxy understands the application protocol (HTTP, FTP, SMTP and so on), it can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions.
Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities. The caveat is that a separate proxy is needed for each protocol, and the proxy is itself a program that parses hostile input: a bug in it is exposed to every remote system it talks to.
A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway.
An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.
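The per-command, per-user control described above, as an added example (not code from the original page). The gateway reads a simplified FTP-style command stream, forwards only the commands its policy permits for the authenticated user, restricts file retrieval to allowed file types, rejects path traversal in file names, logs every decision and raises an alarm after repeated denials. Nothing reaches the server except what the gateway chooses to relay. The command set, the policy table, the alarm threshold and the sample session are assumptions of this example; a real FTP proxy would also verify the password and handle the data channel.

```python
"""Application-level gateway for a simplified FTP-style protocol (added example)."""
import posixpath
from collections import defaultdict

# Assumed policy: user -> (commands allowed, file extensions allowed for RETR;
# None means any extension).
POLICY = {
    "guest": ({"USER", "PASS", "LIST", "RETR", "QUIT"}, {".txt", ".pdf"}),
    "admin": ({"USER", "PASS", "LIST", "RETR", "STOR", "DELE", "QUIT"}, None),
}
ALARM_THRESHOLD = 3   # denied commands from one user before the operator is alerted


class AppGateway:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.user = None          # authenticated user, if any
        self.log = []             # every decision, for the audit trail
        self.relayed = []         # what is actually forwarded to the server
        self.denials = defaultdict(int)
        self.alarms = []          # operator notifications

    def _deny(self, line, reason):
        who = self.user or "<unauthenticated>"
        self.log.append(f"DENY {who}: {line!r} ({reason})")
        self.denials[who] += 1
        if self.denials[who] == ALARM_THRESHOLD:
            self.alarms.append(f"{who}: {ALARM_THRESHOLD} denied commands")
        return "550 Denied by gateway"

    def handle(self, line: str) -> str:
        """Process one client command; return the reply the client sees."""
        parts = line.strip().split(maxsplit=1)
        if not parts:
            return self._deny(line, "empty command")
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "USER":
            if arg not in self.policy:
                return self._deny(line, "unknown user")
            self.user = arg       # assumption: a real proxy would also check PASS
        if self.user is None:
            return self._deny(line, "not authenticated")
        allowed_cmds, allowed_ext = self.policy[self.user]
        if cmd not in allowed_cmds:
            return self._deny(line, "command not permitted for user")
        if cmd in ("RETR", "STOR", "DELE"):
            if ".." in arg.split("/"):
                return self._deny(line, "path traversal")
            ext = posixpath.splitext(arg)[1].lower()
            if cmd == "RETR" and allowed_ext is not None and ext not in allowed_ext:
                return self._deny(line, "file type not permitted")
        relayed = f"{cmd} {arg}".strip()
        self.relayed.append(relayed)
        self.log.append(f"ALLOW {self.user}: {relayed}")
        return "200 Relayed"


SESSION = [   # constructed client command stream
    "LIST",                         # before login: nothing is relayed
    "USER guest",
    "RETR report.pdf",              # permitted type
    "RETR secrets.exe",             # type not permitted for guest
    "DELE report.pdf",              # command not permitted for guest
    "RETR ../../etc/passwd.txt",    # allowed extension, but path traversal
    "QUIT",
]


def run(lines=SESSION):
    """Feed the sample session through a fresh gateway."""
    gw = AppGateway()
    responses = [gw.handle(line) for line in lines]
    return gw, responses


if __name__ == "__main__":
    gw, _ = run()
    print("\n".join(gw.log))
    print("relayed to server:", gw.relayed)
    print("alarms:", gw.alarms)
```

Only "USER guest", "RETR report.pdf" and "QUIT" ever reach the server. The traversal attempt is instructive: its extension is one the guest may fetch, so an extension check alone would have let it through; the proxy rejects it because it understands what the argument of RETR means.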
As you can see, all firewalls regardless of type have one very important thing in common: they receive, inspect and make decisions about all incoming data before it reaches other parts of the system or network. That means they handle packets, and they are strategically placed at the entry point to the system or network the firewall is intended to protect. They usually regulate outgoing data as well. The types and capabilities of firewalls are defined essentially by:
where they reside in the network hierarchy (stack);
how they analyze and how they regulate the flow of data (packets);
and additional security-related and utilitarian functions they may perform.
Some of those additional functions:
o data may be encrypted/decrypted by the firewall for secure communication with a distant network (a VPN)
o scripting may allow the operator to program in any number of additional capabilities
o the firewall may facilitate communications between otherwise incompatible networks.
The Stack
A rough approximation of the "stack" in a typical Win9x machine on a household LAN and with dial-up:
