June 16, 2001

Simply put, a firewall is a device, whether software- or hardware-based, that controls the flow of network traffic between two networks. A good firewall is important for an organization to keep hackers out of its network and to control what its employees can access outside it. In this In Depth story, we answer some questions on firewalls and test the effectiveness of two hardware firewalls–Secure PIX Firewall 506 and Sonicwall SOHO2 Firewall–for the SOHO segment.

What are firewalls?

Our firewall test setup

PCQ Labs tested two firewalls that are suitable for the SOHO segment with small- or medium-sized networks. This is how we did it. The specific results for each firewall are described separately in the reviews that follow. 

To test the hardware firewalls, we created two networks on completely different subnets, and placed the firewall between them. One network was considered the private network, similar to any organizational network, consisting of several client machines and a server running various Web services like HTTP, and FTP. The other network was considered the public network, having several servers running various services like HTTP, SMTP, and FTP. This gave us a setup that was completely under our control, giving us the flexibility of being able to check the firewall for any kind of attack. 

We first set up the firewall with its default settings and checked whether it was ready for use. All the clients were set to use the firewall as their default gateway. Ideally, a firewall should, by default, block all packets coming from the external network to the private one and allow all packets going out from the private network. To check this, we tried various attacks from the external network to break in, ranging from port scanners and Denial of Service attacks to the ping of death and brute-force password attacks. These are the most common forms of attack, which any good firewall should be able to block.

A firewall should also have the capability to control the flow of traffic either way. It should be able to control the kind of services users on the private network are able to access on the public network such as the Internet. As all services would use some port number, a firewall should be able to block any port. So for instance, if you don’t want users on your network to be able to do multimedia streaming, the firewall should be able to block ports that use that service. Similarly, a firewall should also be able to allow select services from outside to come inside. Suppose you have a machine on your internal network running a remote-control application like pcAnywhere. You want to be able to provide access to this service from the outside. The firewall should be able to allow this sort of a rule to be created. Of course, once this rule is defined, the machine running pcAnywhere or any other application should be free from any vulnerability. Otherwise, it could jeopardize your whole network. 

This was one of the things we checked out in the firewalls we tested. For this, we first mapped one IP address on the internal network with an IP address used to access the external network. Basically, we used NAT (Network Address Translation) to translate all requests coming from the internal IP address to the external one. So, if the machine on the private network had an IP address, we mapped it with a hypothetically valid external IP address, say This way, if anybody tried to access this external IP address from the outside, it would see the machine on the private network. Once this was done, we set up rules on the firewall to access specific services on the internal server. 

Many firewalls today provide additional features like content filtering and VPN support. Plus, many entry-level firewalls also provide Web-browser based control, making them very easy to configure. Though not essential, browser-based control makes a firewall configuration independent of sticking to just one client. 

A firewall is a piece of software or hardware that stands between two entities and controls access between them. These entities can be your private network on one side and a public network like the Internet on the other. A firewall controls what kind of traffic can flow across and protects your network from hackers. There are two kinds of firewalls: application filtering and packet filtering.

Who needs a firewall?

You need a firewall if you have a network (called a trusted network), which is connected to any other network (called an untrusted network), which does not belong to you (like the Internet). You may also need a firewall if you have to set up controlled access between two or more networks owned by you. If you have a large WAN which uses the Internet as its backbone, you may want to protect your networks with firewalls. 

I just browse the Internet from my desktop machine. Do I need a firewall?

You may need a firewall even if you are browsing the Internet from a single desktop computer at home. If you use Internet applications like ICQ, and if these applications have some weaknesses or bugs, an anonymous person can exploit this to bring your computer down or compromise your privacy. If you are one of those who blindly accept files from anonymous people (maybe when chatting), you may unknowingly accept a file that can be an installer of a service that may continuously run on a port, and through which the sender can connect to your computer and issue commands to do whatever he wants to on your machine. This is how a popular Trojan called Back Orifice works. For home computers, there are personal-firewall software like Norton Personal Firewall, BlackIce, ZoneAlarm, VirusMD, and Conseal PC Firewall. These can be configured to deny any foreign connection to your desktop computer. 

What is an application-proxy firewall?

An application-proxy firewall is implemented in proxy servers. Anyone wanting to access anything outside the trusted network must go through the proxy server. The proxy firewall will grant or block access depending on a set of rules. The rules can be based on the user login name, the source and destination machines' IP addresses, the protocol in use (TCP, UDP, or ICMP), and the port number. An application proxy can block or allow access to application-specific data. For example, you can block MP3 and video files.

What is a packet-filtering firewall?

A packet-filtering firewall controls access based on information in the packet header. As you may know, data that has to be transmitted across the network is broken down into small chunks called packets. Each packet has a header and a part of the original data, called its content. The header consists of information like the source, destination, port, and number of the packet in the sequence. 

How is a packet-filtering firewall different from an application-proxy firewall?

An application-proxy firewall is implemented in proxy servers while a packet-filtering firewall is usually implemented in routers. An application-proxy firewall works on the application layer while a packet-filtering firewall works on the network layer. An application-proxy firewall can thus block application-specific data while a packet-filtering firewall cannot. An application-proxy firewall sits in between the trusted and untrusted networks and does not allow a direct connection between them. When access is granted, the proxy establishes a connection with the untrusted machine on behalf of the trusted machine. A packet-filtering firewall allows a direct connection.
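The packet-filtering behaviour described above, combined with the policy our test setup expects (inbound from the public network denied by default, outbound allowed, plus one static NAT mapping with a rule admitting a single service), as an added example that is not code from the article or from either product reviewed. The subnets, the mapped addresses, and the use of TCP port 5631 for pcAnywhere are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects; the payload is never examined."""
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port; 0 for icmp


# Constructed subnets standing in for the private and public test networks.
PRIVATE = ip_network("192.168.1.0/24")
PUBLIC = ip_network("203.0.113.0/24")

# Static NAT (external address -> internal host), as in the test setup. Constructed values.
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}

# Rules are (name, src_net, dst_net, proto, dport, action); "any" is a wildcard.
# First match wins, so the specific allow sits above the default inbound deny.
RULES = [
    ("allow-pcanywhere", PUBLIC, ip_network("192.168.1.10/32"), "tcp", 5631, "allow"),
    ("default-outbound", PRIVATE, PUBLIC, "any", "any", "allow"),
    ("default-inbound", PUBLIC, PRIVATE, "any", "any", "deny"),
]


def translate_inbound(pkt: Packet) -> Packet:
    """Rewrite a mapped external destination to its internal host before filtering."""
    inner = STATIC_NAT.get(pkt.dst)
    return Packet(pkt.src, inner, pkt.proto, pkt.dport) if inner else pkt


def matches(rule, pkt: Packet) -> bool:
    _, src_net, dst_net, proto, dport, _ = rule
    return (ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net
            and proto in ("any", pkt.proto) and dport in ("any", pkt.dport))


def filter_packet(pkt: Packet) -> tuple:
    """Return (action, rule name); a packet no rule covers is denied (fail closed)."""
    pkt = translate_inbound(pkt)
    for rule in RULES:
        if matches(rule, pkt):
            return rule[5], rule[0]
    return "deny", "implicit-deny"
```

A port scan from the public side hits the mapped address on many ports, but only the one port the explicit rule names is admitted; everything else falls through to the default inbound deny.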

Can firewalls scan viruses?

No, virus scanning is not the intended function of a firewall. It only looks at the header information or the file (or application) type to allow or block access. To check for virus patterns, all the data packets must be assembled into the original file and then the file must be checked for the virus pattern. A basic firewall is not meant to look inside the file data for virus patterns. A network virus scanner behind the firewall can do this best. 

What is the recommended setup for a firewall?

The setup of a firewall largely depends on the physical and logical layout of your network. Broadly speaking, there are two types of firewall setups: Dual Homed and DeMilitarized Zone (DMZ). 

What is a Dual Homed firewall setup?

In a Dual Homed setup, one firewall stands between the trusted and untrusted networks. It has two interfaces: an internal one for the trusted network and an external one for the untrusted network. These interfaces can be network cards on the same machine or ports on a router. All packets that have to traverse between these two networks must go through the firewall. So, a packet coming from the untrusted network will first land at the external interface. The firewall will then compare it against the pre-defined access rules. If access is allowed, the firewall will route the packet to the private network through the internal interface. The machine on which the firewall is set up is called a Bastion host. In this setup the Bastion host presents a single point of attack: anyone who can break into the Bastion host can access your private network. So the Bastion host must have a robust security policy.

What is DMZ?

The DMZ setup is used when you have a private network that must be shielded from the Internet, but at the same time you want to provide some services, like Web access or e-mail facilities, to the public through the Internet. In such a case, the Web, mail, and news servers must be allowed comparatively lenient access, but the machines in your private network must be protected by strict access-control rules. Thus the public servers reside in an area called the demilitarized zone. This area is surrounded by two firewalls (as shown in the diagram). The first firewall, F1, provides lenient access-control rules so that people across the Internet can access the public servers. But the second firewall, F2, defines strict access-control rules. If, by chance, anyone exploits a hole in the firewall F1 and gains privileged access to the machines hosting the public services, the person will still be held back by the strong rules defined by firewall F2.

Can my Internet gateway act as a firewall?

A gateway is the interface between two networks–the private and the public network (the Internet), and that’s all it is. A gateway does not define any access policies for the data packets flowing across it. It cannot block a port scan, which may reveal all the services running on your network. Moreover, Trojans like Back Orifice publish their presence by broadcasting packets. So, there must be something to block these packets, which cannot be done using a gateway. Most Internet gateways use NAT (Network Address Translation) to give an external (public) IP to a machine on your private network. That’s how machines on an internal network access the Internet. However, the reverse is also possible if somebody sitting outside knows your public IP. A firewall is, therefore, needed to restrict this kind of access. 

How’s a hardware firewall different from a software one?

A software firewall requires a machine, maybe a PC, to run. This machine will need an OS and will typically have two network interfaces. Therefore, configuring it requires some effort as you have to install the OS, configure the two network interfaces for the firewall, etc. An important point here is that if the OS or any other service it is running has some bugs, then it may be an open invitation for a hacker. So it becomes important to patch the OS against any vulnerability and stop all the services that are not required. 

On the other hand, a hardware firewall doesn’t require a separate machine to run on. It’s a small box that can be just plugged into your network and is ready for customized configuration.

Anil Chopra and Shekhar Govindarajan
