Types of Firewalls

A variety of classification methods are used to categorize firewalls, but the most commonly used classification scheme breaks them down into the following categories:

  • Packet filtering firewalls

  • Circuit layer firewalls

  • Application layer firewalls

Some firewalls support only one of these features. Most advanced firewall products, such as Microsoft ISA Server or Check Point's Firewall-1 product, support all of them. Firewalls become more complex to configure, and cost more, as the number of features increases.

Packet Filtering

The simplest type of firewall is the packet-filtering device. Packet filters inspect only the IP header and make allow or deny decisions based on the source and destination IP addresses it contains. If the source and destination IP addresses match an allow filter, the packet is passed through the packet-filtering firewall. If the source and/or destination IP address matches a deny filter, the packet is dropped (see Figure 5.1).

Figure 5.1. A packet-filtering firewall.


Packet filters also include a directional component. The direction of the packet is evaluated, in addition to the source and destination IP addresses. A particular source and destination may be denied in one direction, but allowed in the opposite direction.

For example, suppose we want to allow all external network clients access to a Web server on our private network. To allow the incoming packets through the packet-filtering router, you need to create the following packet filter:

Direction: Inbound
Source IP Address: Any
Destination IP address: IP Address of the Web server

This packet filter allows packets from any network client that arrive at the interface making the packet-filtering decisions to be passed to the IP address of the Web server. This works fine for getting requests into the Web server, but it is insufficient to allow the Web server's responses to be sent back to the external network client that made the request. That's because Web server replies travel in the outbound direction, as covered below.

NOTE

Firewall Syntax: The details involved in defining and configuring actual packet filters vary from firewall to firewall, so we use a simple, explicitly labeled syntax here to explain the information that must be provided. The syntax your firewall requires will most likely vary from this notation, but if you understand the principles and requirements we cover here, you should be able to apply them to just about any real-world situation in which you may find yourself.


You need to create a second packet filter to solve this problem. This additional packet filter enables the Web server to respond to the computer that made the request. The following packet filter allows you to do this:

Direction: Outbound
Source IP Address: IP address of the Web server
Destination IP Address: Any

As you can see, this type of packet filter is somewhat porous. It allows the Web server to communicate with any destination address on the Internet. This obviously isn't required, because all we want to do is enable the Web server to respond to computers that make a request. Simple packet filters cannot fulfill this requirement.

To solve this problem, we need to use more sophisticated filtering. A more advanced form of packet filtering is sometimes referred to as circuit layer filtering. We discuss circuit layer filtering in the next section.

Circuit Layer Filtering

Simple IP packet filtering schemes are limited to inspecting just the IP header of incoming and outgoing communications. A circuit layer filter inspects the IP header as well, but in addition it can inspect the Transport layer header.

The two protocols in the TCP/IP protocol suite responsible for Transport layer duties are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP and UDP include ports that are used to create a circuit between the source and destination computers (see Figure 5.2). Ports are identified by a number, and different network services receive requests on different port numbers. For example, the FTP protocol uses port number 21 to establish the FTP control channel, whereas the HTTP protocol uses port number 80.

Figure 5.2. The source and destination.


The next step in the circuit layer filtering process is to form a socket. A socket is defined by a protocol (TCP or UDP), a port (TCP or UDP port number), and an IP address (destination IP address). When a connection is successfully established, a socket is created and a circuit is complete.

Note that two sockets are created to establish a working connection between two computers: a source socket at the source host, and a destination socket at the destination host.

Circuit layer filtering gives us more control over inbound and outbound packet transfers. Let's take another look at our packet-filtering firewall using circuit layer filters.

We want to allow incoming requests to our internal network Web server. This means that the incoming packets will need to be passed through the firewall. To do this, create the following packet filter:

Direction: Inbound
Source IP Address: Any
Source Port Number: TCP 1025-65535
Destination IP Address: IP address of the Web server
Destination Port Number: TCP port 80

Note that the source port number is actually a range of ports. This range is often referred to as the ephemeral or high port range. Most network client applications assign themselves a response port from the ephemeral port range. This prevents the clients from self-assigning ports in the “well-known” port range from 0 through 1024, and thus prevents such temporary port assignments from conflicting with well-known network services.

This circuit layer packet filter gives us much more control over what packets are allowed through the firewall, and subsequently allowed into the internal network and Web server. Instead of all packets being allowed to reach the internal network Web server, only packets destined to the Web server's TCP port 80 are allowed. If someone tries to make a connection to the Web server's TCP port 21 (FTP control channel port number), the firewall drops the request because the packet filter is designed to pass packets destined only to the Web server's TCP port 80.

If you want to allow the Web server to return a response to the sending computer, another packet filter must be created. The packet filter resembles the following:

Direction: Outbound
Source IP address: IP address of the Web server
Source Port Number: TCP 80
Destination IP Address: Any
Destination Port Number: 1025-65535

The circuit layer packet filters are better equipped to filter out traffic because the TCP/UDP port numbers are used in making the decision to pass or drop a packet. However, the packet filter we created still has a problem: it permits any destination IP address and is not set up to respond only to the machine that made the initial request for service. The Web server can connect to any machine's high port number. Although we have added a layer of protection by requiring that outbound packets originate from the Web server's TCP port 80, from a security standpoint it would be even better to allow outbound connections only to those machines that have made requests to the Web server's TCP port 80.

To implement this level of control, we need a packet-filtering device that is aware of a connection's state. Such packet-filtering devices are referred to as stateful, or dynamic packet filters.

Dynamic Packet Filtering

All our previous examples show static packet filtering. Static packet filters are configured to allow inbound and outbound access to a predefined IP address (or group of IP addresses) and port number (or groups of ports). Dynamic packet filters are aware of the state of a particular connection and keep track of that connection. This allows a much higher level of granularity and control.

To get a better idea of how dynamic packet filters work, let's look at what takes place when an Internet host attempts to connect to the internal network Web server.

The Internet host sends a request to TCP port 80 on the Web server's IP address. The firewall in front of the Web server intercepts this packet and examines the destination IP address, the source IP address, the destination port number, and the source port number. The firewall passes the packet to the internal network Web server.

When the firewall makes a decision to forward the packet to the Web server, it makes a note of the source IP address and port number of the Internet host that sent the request and places this information in a state table.

The packet arrives at the Web server and the Web server responds from its TCP port 80 to the high-number port of the Internet host that made the request. The firewall intercepts the response and examines the packet's source and destination IP address and its source and destination port numbers. It compares this information with the information contained in its state table. If the information in the state table confirms that the response from the internal network Web server is to the machine that sent the request, the firewall passes the packet. If the stateful firewall isn't able to confirm that the packet returned by the Web server is destined for the host that requested it, the packet is dropped.

To allow incoming requests to the internal network Web server, the dynamic packet filter is as follows:

Direction: Inbound
Source Port: Dynamic
Source IP Address: Any
Destination Port: TCP 80
Destination IP Address: IP address of the Web server

A major advantage of the dynamic packet-filtering device is that you do not need to create a packet filter to allow a response. The dynamic packet-filtering device automatically allows responses from the server to be sent to the client that made the request. The packet filter that allows the response is created dynamically. It stays open only long enough for the Internet host and the Web server to complete their conversation, and then closes.

Dynamic packet filtering has the advantage of allowing filters to be open on the firewall only as long as they are required. Instead of opening a large number of filters on high ports to allow internal network servers to respond to external client requests, dynamic filters allow the response ports to be open only as long as is required to complete the conversation. Another advantage is that not only are these outbound response ports open for a limited period of time, they are also limited to a specific destination IP address. This allows responses only to those clients that make a valid request for service.
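As an added illustration (not code from the original text or from any firewall product), the following toy model runs the same three packets through the two static circuit layer filters from the previous section and through a stateful filter that keeps the state table described above. The Web server address and the client addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the Internet) or "out" (from the internal network)
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

WEB_SERVER = "10.0.0.80"        # constructed address of the internal Web server
EPHEMERAL = range(1025, 65536)  # the high port range as the text defines it

def static_circuit_filter(pkt: Packet) -> str:
    """The two static circuit layer filters from the text, with no memory."""
    if (pkt.direction == "in" and pkt.proto == "TCP"
            and pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80
            and pkt.src_port in EPHEMERAL):
        return "pass"             # inbound:  Any:high -> Web server:80
    if (pkt.direction == "out" and pkt.proto == "TCP"
            and pkt.src_ip == WEB_SERVER and pkt.src_port == 80
            and pkt.dst_port in EPHEMERAL):
        return "pass"             # outbound: Web server:80 -> Any:high
    return "drop"

class DynamicFilter:
    """Stateful filter: only the inbound rule is configured; replies are
    matched against a state table of (client_ip, client_port) entries."""
    def __init__(self):
        self.state = set()

    def evaluate(self, pkt: Packet) -> str:
        if (pkt.direction == "in" and pkt.proto == "TCP"
                and pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80):
            self.state.add((pkt.src_ip, pkt.src_port))   # remember who asked
            return "pass"
        if (pkt.direction == "out" and pkt.proto == "TCP"
                and pkt.src_ip == WEB_SERVER and pkt.src_port == 80):
            # a reply passes only if it goes back to a recorded requester
            return "pass" if (pkt.dst_ip, pkt.dst_port) in self.state else "drop"
        return "drop"

    def close(self, client_ip: str, client_port: int) -> None:
        """Remove the entry once the conversation is over (FIN or timeout)."""
        self.state.discard((client_ip, client_port))

def compare() -> dict:
    """Run the same three packets through both filters."""
    request = Packet("in", "TCP", "198.51.100.7", 40000, WEB_SERVER, 80)
    reply = Packet("out", "TCP", WEB_SERVER, 80, "198.51.100.7", 40000)
    # the Web server sending from port 80 to a host that never made a request
    unsolicited = Packet("out", "TCP", WEB_SERVER, 80, "203.0.113.9", 50000)
    dyn = DynamicFilter()
    return {
        "static": [static_circuit_filter(p) for p in (request, reply, unsolicited)],
        "dynamic": [dyn.evaluate(p) for p in (request, reply, unsolicited)],
    }
```

The static filters pass all three packets, including the unsolicited one; the stateful filter passes only the request and the reply that matches its state table entry.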

Most firewalls on the market today perform some sort of state-aware or dynamic packet filtering. Managing a firewall without dynamic packet filtering can become quite complex because you need to create and manage a larger number of packet filters.

Application Layer Inspection

The most advanced firewall products are able to evaluate all headers in a packet, including those for the Application layer. Application layer firewalls are often referred to as proxy servers because they not only examine the contents of a packet but also re-create that packet and send it on behalf of the machine that sent the original message.

Application layer firewalls are able to make allow or deny decisions based on information contained in the Application layer header.

This provides the highest level of protection for your corporate network because the contents of a packet can be inspected for suspect information.

For example, a Web Proxy server is able to inspect the HTTP header and data. The data portion of the HTTP packet may contain material that you do not want to allow into your organization. The Web Proxy server can evaluate the data portion of the HTTP packet for keywords or file attachments and block access to the Web page based on the rules you configure.

Another example is SMTP Application layer inspection. When a firewall is able to examine the contents of the data portion of the SMTP packet, decisions to allow or deny the packet can be made based on the packet contents. Like HTTP messages, SMTP messages may contain words or file attachments that are deemed unacceptable to the organization. The offending email message can be quarantined or dropped, depending on how the Application layer firewall is configured.

EXAM TIP

Remember How Firewalls Work: Make sure you understand how different types of packet filtering firewalls work and the importance of dynamic packet filtering in a production network.


The Application layer firewall is able to reconstruct entire messages that span multiple packets. The Application layer components can then make allow or deny decisions based on complete message contents.

Firewalls that combine packet filtering, circuit filter, and Application layer filtering provide the highest level of functionality possible. These firewalls also tend to be the most expensive products.

Network Address Translation (NAT)

Network Address Translation (NAT) allows multiple internal network clients to access the Internet via a single interface on the NAT server that is connected to the Internet. Although NAT alone probably shouldn't be considered a firewall feature, it is often a core component of most firewall technologies and it does serve to protect the corporate network to a certain degree.

NOTE

One-to-One Mapping: NAT devices can also be configured to map addresses and/or ports on the external interface of the NAT server to an address and/or port on a server on the internal network. This type of NAT functionality is often referred to as one-to-one mapping. This approach avoids potential performance issues involved in mapping numerous internal IP addresses to a single external IP address.


A NAT device accepts packets from an internal computer and replaces the source address with its own address. Most NAT devices also perform port translation, so the NAT device changes the source port on the packet as well. It is this replacement of the original source IP address and port number that allows the NAT device to provide Internet access for many machines by using only a single IP address on its own external interface.

For example, suppose you send a request from your computer to a Web server on the Internet, and your machine is behind a NAT device. Your IP address is 192.168.1.1, and source port number 5555 is assigned to the packet. The NAT device intercepts the packet, replaces the source address with the IP address of its own external interface, 222.222.222.1, and changes the source port number to 7777. After making the changes to the packet, the NAT device places an entry in its NAT table so that it knows where to forward the reply when the Internet Web server responds.

The Internet Web server sends its response to 222.222.222.1 port 7777. The NAT device checks the NAT table to see what internal client made a request that caused it to open port 7777 on its external interface for that particular Internet Web server. It then sends the packet back to the internal network client.

NAT devices provide a layer of security because packets cannot be directly routed from the Internet to internal network hosts that use private network IDs. Three network IDs, described in RFC 1918, are reserved for private network use only and are not routable on the Internet. These are

  • 192.168.0.0/16

  • 172.16.0.0/12

  • 10.0.0.0/8

Internet routers are configured to drop packets with a destination IP address in the private network ID range. Therefore, Internet intruders are not able to send packets to clients on your internal network under normal circumstances. This security advantage provided by NAT applies only if the Internet intruder seeks to initiate a new connection to your internal network located behind the NAT device. If an internal network client behind a NAT device initiates a connection to an external network client, the Internet intruder could get through the NAT.
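As an added example (not code from the original text or from any NAT product), the following toy NAT device walks through the 192.168.1.1:5555 to 222.222.222.1:7777 translation described above, and then shows the two cases the security discussion depends on: a reply that matches a NAT table entry is forwarded to the internal client, while a packet that matches no entry is dropped. The Internet Web server address and the other external addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatDevice:
    """Toy NAT device with port translation. Each NAT table entry is keyed by
    the (external port, remote host, remote port) tuple a reply must carry,
    and stores the internal client that caused the entry to be created."""
    def __init__(self, external_ip: str, first_port: int = 7777):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}   # (ext_port, remote_ip, remote_port) -> (client_ip, client_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal client -> Internet: rewrite source IP and port, record the mapping."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> NAT: forward inward only if a matching table entry exists."""
        if pkt.dst_ip != self.external_ip:
            return None                     # not addressed to our external interface
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            return None                     # unsolicited: no internal client asked for this
        client_ip, client_port = self.table[key]
        return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port)

def walkthrough() -> dict:
    """The exchange from the text, with a constructed Internet Web server address."""
    nat = NatDevice("222.222.222.1")
    web = "203.0.113.10"                    # constructed Internet Web server
    out = nat.outbound(Packet("192.168.1.1", 5555, web, 80))
    delivered = nat.inbound(Packet(web, 80, "222.222.222.1", out.src_port))
    # same external port, but from a different host: the entry does not match
    other_host = nat.inbound(Packet("198.51.100.7", 80, "222.222.222.1", out.src_port))
    # a new connection attempt to a port no client opened is dropped as well
    new_conn = nat.inbound(Packet("198.51.100.7", 40000, "222.222.222.1", 8080))
    return {"translated": out, "delivered": delivered,
            "other_host": other_host, "new_conn": new_conn}
```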

Most firewalls include built-in NAT capabilities because few networks can afford, or obtain at any cost, a public IP address for all their internal network clients. Any public IP addresses an organization is able to obtain are typically used on the external interfaces of firewalls and on Bastion host computers sitting on DMZ segments.

Web Caching Firewalls

We briefly touched upon the subject of Web caching firewalls earlier during our discussion of Application layer firewalls. However, a Web caching firewall does more than just inspect Application layer headers. The Web caching firewall is able to store Web objects in a cache located on the firewall and deliver those objects to internal network users.

Web caching firewalls are able to reduce the amount of traffic on the external interface of the firewall by returning Web pages to users from its cache, rather than sending the request to the Internet Web server.

For example, suppose a user visits the Web site www.microsoft.com. The Web page is retrieved by the Web caching firewall and is placed in the firewall's Web cache. After the Web page is placed in the cache, it is returned to the user making the request.

When a second user requests the Web page at www.microsoft.com, the firewall checks its cache to see whether there is a copy of the page still in the Web cache. If there is a copy of the page in the cache, the Web caching firewall returns the page in the cache to the client making the request. No request is sent to the Internet Web server because the request can be served from cache. This saves bandwidth on the external interface of the firewall for other corporate uses.

Although many firewalls include Web caching features, the Web cache itself cannot be considered a security feature. The cache does not add security to the Web pages, and does not provide any special protection from Internet intruders.

Integrated Intrusion Detection System (IDS)

A few firewalls include built-in intrusion detection systems (IDS). An intrusion detection system is a component that can analyze the entries in the firewall logs and compare those entries with known and sometimes unknown exploits. If a positive match is made, the firewall administrator can be contacted via email, phone, or pager.

Intrusion detection systems are fairly complex and are typically either plug-ins or standalone products. Some firewall products, such as Microsoft ISA Server 2000, include some rudimentary IDS features that allow them to detect some common network intrusions. For full-featured IDS, you should look into dedicated products, such as Internet Security System's products. You can find more information about Internet Security System's products at www.iss.net.

IN THE FIELD: IDS IN PRODUCTION NETWORKS

Most production networks have an IDS that is separate from the firewall and proxy server because the processing power required for proper IDS could potentially overtax a busy firewall and create conditions in which the firewall components may fail. In addition, IDS systems can be better used for listening to activity on the wire in DMZ segments.

