Firewall design

By D. Brent Chapman, Unix Insider |  Security


The need for firewalls no longer seems to be in
question today. As the Internet and internal corporate networks
continue to grow, such a safeguard has become all but mandatory. As a
result, network administrators increasingly need to know how to
effectively design a firewall. This article explains the basic
components and major architectures used in constructing firewalls.

The "right solution" to building a firewall is seldom a single
technique; it's usually a carefully crafted combination of techniques
to solve different problems. Which problems you need to solve depends on
what services you want to provide your users and what level of risk
you're willing to accept. Which techniques you use to solve those
problems depends on how much time, money, and expertise you have
available.

Some protocols (such as Telnet and SMTP) lend themselves to
packet filtering. Others (such as FTP, Archie, Gopher, and
WWW) are more effectively handled with proxies. (We devote an entire
chapter of our book Building Internet Firewalls to describing
how to handle specific services in a firewall environment.) Most
firewalls use a combination of proxying and packet filtering.


Before we explore various firewall architectures, let's discuss two
major approaches used to build firewalls today: packet filtering
and proxy services.

Packet filtering

Packet filtering systems route packets between internal and external
hosts, but they do it selectively. They allow or block certain types of
packets in a way that reflects a site's own security policy. The type of router used in a packet filtering firewall is
known as a screening router.

As we discuss in Chapter 6 of our book, every packet has a set
of headers containing certain information. The main information is:


  • IP source address
  • IP destination address
  • Protocol (whether the packet is a TCP, UDP, or ICMP packet)
  • TCP or UDP source port
  • TCP or UDP destination port
  • ICMP message type

In addition, the router knows things about the packet that aren't
reflected in the packet headers, such as:


  • The interface the packet arrives on
  • The interface the packet will go out on

The fact that servers for particular Internet services reside at
certain port numbers lets the router block or allow certain types of
connections simply by specifying the appropriate port number (such as TCP
port 23 for Telnet connections) in the set of rules specified for
packet filtering. (Chapter 6 in our book describes in detail how you
construct these rules.)

Here are some examples of ways in which you might program a screening
router to selectively route packets to or from your site:
