CompTIA Network+ Certification Study Guide, part 15

CHAPTER 3: Network Devices 126
Firewalls

A firewall protects a secure internal network from a public insecure network. Firewalls are devices or software that have the ability to control the traffic that is sent from an external network, such as the Internet, to an internal network or local computer. As we’ll see later in this chapter, the features that are provided by a firewall will vary depending on the type you choose for your network.

The most common implementation today is the use of a firewall between an organization’s internal network and the Internet. Firewalls can be very complex because they provide more features than just packet filtering. They can also provide multiple layers of protection, including actually scanning the information stored in the packets to search for malicious data. They use advanced techniques to monitor connections, to log potential intrusions, and to act upon these incidents.
Firewall Architecture

A firewall is a combination of techniques and technologies used to control the flow of data between networks. A firewall enables all traffic to pass through to each network; however, it compares the traffic to a set of rules that determine how the traffic will be managed. If the traffic matches the rules for acceptable data, the traffic is passed on to the network. If the rule specifies that the data be denied, the traffic cannot continue and will be bounced back. Although some implementations may do this differently, the same basic functionality is used.
NOTES FROM THE FIELD…

Monitoring Traffic Through Firewalls

As Internet access has become a more common fixture in organizations, so has monitoring the Web sites visited by personnel in those organizations. Firewalls are used to prevent unauthorized access to the internal network from the Internet, but also enable organizations to monitor what their employees are accessing on the Internet. Companies can check the firewall logs to determine what sites an employee visited, how long they spent there, what files they downloaded, and other information that the employee may consider private.

Companies may also stipulate the privacy of client information, or those with a presence on the Web may include or create a separate policy that deals with the privacy of a visitor to their Web site. In terms of actual clients (those people with whom a company does business), the policy should state the level of privacy a client can expect. This may include the protection of client information, including information on sales, credit card numbers, and so forth. In the case of police, this might include information on a person’s arrest record that can’t be concealed under the Public Information Act and open records laws, personal information, and other data. For both clients and visitors to Web sites, a company may stipulate whether information is sold to third parties that may send you advertisements, spam, or phone solicitations.
Dual-Homed Host Firewalls

A dual-homed firewall consists of a single computer with two physical network interfaces. This computer acts as a gateway between two networks. The server’s routing capability is disabled so that the firewall can handle all traffic management. Either an application-level proxy or circuit-level firewall is run to provide data transfer capability; you must be careful not to enable routing within the network operating system or you will bypass your firewall software. Figure 3.6 shows a dual-homed host firewall configuration.

FIGURE 3.6 A Dual-Homed Host Firewall.

Screened Host Firewalls

Screened host firewall configurations are considered by many to be more secure than the dual-homed firewall. In this configuration, you place a screening router between the gateway host and the public network. This enables you to provide packet filtering before the packets reach the host computer. The host computer could then run a proxy to provide additional security to this configuration. As packets travel into the internal network, they only know of the computer host that exists. Figure 3.7 shows an illustration of a screened-host configuration.

FIGURE 3.7 A Screened Host Firewall.

Screened Subnet Firewalls

A screened subnet firewall configuration takes security to the next level by further isolating the internal network from the public network. An additional screening router is placed between the internal network and the firewall proxy server. The internal router handles local traffic while the external router handles inbound and outbound traffic to the public network. This provides two additional levels of security. First, by adding a link internally, you can protect the firewall host from an attack by an internal source. Second, it makes an external attack much more difficult because the number of links is increased. Figure 3.8 shows the screened subnet firewall configuration.
Firewall Types

There are three basic categories of firewalls: packet level, application level, and circuit level. Each uses a different security approach, thus providing different advantages and disadvantages. One additional feature that was discussed earlier is encryption services. Most firewalls provide some sort of cryptographic services for data transfers.

When you have a complete understanding of the features and type of security that is needed from a firewall, you can then determine the implementation that best fits the environment.
Packet Level Firewall

A packet level firewall is usually a form of screening router that examines packets based upon filters that are set up at the network and transport layers. You can block incoming or outgoing transfers based on a TCP/IP address or other rules. For example, you may choose to not allow any incoming IP connections, but enable all outgoing IP connections. You can set up rules that will enable certain types of requests to pass while others are denied. Rules can be based on source address, destination address, session protocol type, and the source and destination port. Because this works at only three layers, it is a very basic form of protection. To properly provide security to the network, all seven layers must be protected by a full-featured conventional firewall.
Application Level Firewall

The application level firewall understands the data at the application level. Application layer firewalls operate at the application, presentation, and session layers. Data at the application level can actually be understood and monitored to verify that no harmful information is included. An example of an application level firewall is an Internet proxy or mail server. Many uses are available through some form of proxy; however, these functions are usually very intensive to provide security at that level. In addition, clients must be configured to pass through the proxy to use it. Proxy servers are also used to mask the original origin of a packet. For example, an Internet proxy will pass the request on; however, the source listed in the packet is the proxy server address. The overall server doesn’t just filter the packets, it actually takes in the original and retransmits a new packet through a different network interface.

FIGURE 3.8 A Screened Subnet Firewall.
Circuit Level Firewall

A circuit level firewall is similar to an application proxy except that the security mechanisms are applied at the time the connection is established. From then on, the packets flow between the hosts without any further checking from the firewall. Circuit level firewalls operate at the transport layer.
Firewall Features

As firewalls have evolved, additional feature sets have grown out of or been added to these implementations. They are used to provide faster access and better security mechanisms. As encryption techniques have improved, they are being incorporated more into firewall implementations. Also, caching is being provided for services such as the World Wide Web. This enables pages to be cached for a period of time, which can dramatically speed up the user experience. New management techniques and technologies such as virtual private networks (VPNs) are now being included as well.

Content filtering is another major feature of a firewall. Because of the possible damage a Java applet, JavaScript, or ActiveX component can do to a network in terms of threatening security or attacking machines, many companies filter out applets completely. Firewalls can be configured to filter out applets, scripts, and components so that they are removed from the Hypertext Markup Language (HTML) document that is returned to a computer on the internal network. Preventing such elements from ever being displayed will cause the Web page to appear differently from the way its author intended, but any content that is passed through the firewall will be more secure.
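The applet and script stripping just described, as an added example that is not from the book: a small HTML rewriter in Python that removes script, applet, object and embed elements (and inline event-handler attributes, which are scripts too) before the document is returned to the internal client. The element list and the sample HTML in the test are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Elements removed together with their contents; these carry the active
# content (scripts, Java applets, ActiveX/plugin components) the text describes.
BLOCKED = {"script", "applet", "object", "embed"}

class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through as-is
        self.out = []
        self.depth = 0      # > 0 while inside a blocked element
        self.removed = 0    # number of blocked elements stripped

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:
            self.depth += 1
            self.removed += 1
            return
        if self.depth:
            return
        # Drop on* event handlers and javascript: URLs; they are scripts too.
        kept = [(k, v) for k, v in attrs
                if not k.startswith("on")
                and not (v or "").strip().lower().startswith("javascript:")]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' if v is not None
                            else f" {k}" for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED:          # e.g. <embed .../>: nothing to close later
            self.removed += 1
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self.depth = max(0, self.depth - 1)
        elif not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

def strip_active_content(document: str):
    # Returns (filtered_html, number_of_blocked_elements_removed).
    parser = ActiveContentFilter()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.removed
```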
DMZ

DMZ is short for demilitarized zone and is a military term used to signify a recognized safe area between two countries where, by mutual agreement, no troops or war-making activities are allowed. There are usually strict rules regarding what is allowed within the zone. In computer security, the DMZ is a neutral network segment where systems accessible to the public Internet are housed, and which offers some basic levels of protection against attacks.

The creation of these DMZ segments is usually done in one of two ways:

• Layered DMZ implementation
• Multiple interface firewall implementation

In the first method, the systems are placed between two firewall devices with different rule sets, which allows systems on the Internet to connect to the offered services on the DMZ systems, but prevents them from connecting to the computers on the internal segments of the organization’s network (often called the protected network). Figure 3.9 shows a common installation using this layered approach.

As shown in Figure 3.10, the second method is to add a third interface to the firewall and place the DMZ systems on that network segment. This allows the same firewall to manage the traffic between the Internet, the DMZ, and the protected network. Using one firewall instead of two lowers the costs of the hardware and centralizes the rule sets for the network, making it easier to manage and troubleshoot problems. Currently, this multiple interface design is the preferred method for creating a DMZ segment.

In either case, the DMZ systems offer some level of protection from the public Internet while they remain accessible for the specific services they provide to external users. In addition, the internal network is protected by a firewall from both the external network and the systems in the DMZ.
FIGURE 3.9 A Layered DMZ Implementation.

Because the DMZ systems still offer public access, they are more prone to compromise and thus they are not trusted by the systems in the protected network. This scenario allows for public services while still maintaining a degree of protection against attack.
The role of the firewall in all of these scenarios is to manage the traffic between the network segments. The basic idea is that other systems on the Internet are allowed to access only the services of the DMZ systems that have been made public. If an Internet system attempts to connect to a service not made public, the firewall drops the traffic and logs the information about the attempt (if configured to do so). Systems on a protected network are allowed to access the Internet as they require, and they may also access the DMZ systems for managing the computers, gathering data, or updating content. In this way, systems are exposed only to attacks against the services that they offer and not to underlying processes that may be running on them.

FIGURE 3.10 A Multiple Interface Firewall DMZ Implementation.
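The packet-level rules described under Firewall Types and the three-zone policy described for the multiple interface DMZ, worked through as an added Python example that is not from the book: a first-match filter that classifies each packet by source and destination zone, protocol and destination port, allows only the published DMZ services from the Internet, and logs dropped attempts. The zone address ranges, published services and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Zones for the multiple-interface firewall design: one device, three
# interfaces. The address ranges are constructed for the example.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),       # catch-all for everything else
    "dmz": ip_network("192.0.2.0/24"),         # public servers
    "protected": ip_network("10.10.0.0/16"),   # internal network
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "any"
    dst_zone: str
    proto: str      # protocol name or "any"
    dport: int      # destination port, 0 for any
    action: str     # "allow" or "deny"

def zone_of(addr: str) -> str:
    """The most specific zone containing the address (longest prefix wins)."""
    ip = ip_address(addr)
    return max((z for z, net in ZONES.items() if ip in net),
               key=lambda z: ZONES[z].prefixlen)

# Policy from the DMZ section, first match wins: the Internet reaches only the
# published DMZ services; protected hosts reach the Internet and manage the DMZ;
# the final rule denies all else, including DMZ (untrusted) -> protected.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "allow"),    # public web server
    Rule("internet", "dmz", "tcp", 25, "allow"),     # public mail server
    Rule("protected", "internet", "any", 0, "allow"),
    Rule("protected", "dmz", "any", 0, "allow"),     # management, content updates
    Rule("any", "any", "any", 0, "deny"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone in ("any", zone_of(pkt.src))
            and rule.dst_zone in ("any", zone_of(pkt.dst))
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (0, pkt.dport))

def filter_packet(pkt: Packet, log: Optional[List[str]] = None) -> str:
    """Return "allow" or "deny" for the packet; denied attempts are logged."""
    for rule in POLICY:
        if matches(rule, pkt):
            if rule.action == "deny" and log is not None:
                log.append(f"DROP {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} "
                           f"[{zone_of(pkt.src)} -> {zone_of(pkt.dst)}]")
            return rule.action
    return "deny"   # safe default should a policy ever lack a catch-all rule
```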
Test Day Tip

DMZs can be a difficult topic to initially understand. In reviewing information about how they work, try to remember that the DMZ is a “no man’s land” that provides a separation between your LAN and an external WAN like the Internet.
ACLs

ACLs are access control lists, which are used to control access to specific resources on a computer. An ACL resides on a computer and is a table with information on which users have specific rights to files and folders on the machine. The operating system uses this attribute of the file or folder to determine whether a user is allowed or denied specific privileges to the object. By using the ACL you can provide users of the network with the rights they need to access these files or folders. However, in doing so, it is advisable that you only provide users with the minimum amount of access they require to perform their jobs.
Proxy Server (Caching Appliances)

A proxy server is a server that performs a function on behalf of another system. In most cases this is a system that is acting as a type of gateway between the Internet and a company network. The employees who wish to access the Internet will perform actions as they normally would with their browser, but the browser will submit the request to the proxy server. The proxy server will then transmit the request on the Internet and receive the results. The results will then be sent to the original requester. A nice feature of the proxy server is that the Web pages that are not encrypted will be saved in a cache on the local hard disk. If another user requests the same page, the proxy server will not request the page from the Internet, but retrieve it from the hard disk. This saves quite a bit of time by not having to wait on Internet requests, which may be coming from an overburdened Web server.

The proxy server can cache information going both ways; because it can cache requests going out, it can also act as a proxy for Internet users making requests to the company Web server. This can help keep traffic minimized on the company network.

Another feature of the proxy server is that it can act as the physical gateway between the Internet and company network by filtering out specific information, especially if you use the proxy server to act as a proxy between the Internet and the company Web server. Filtering can be configured for allowing or not allowing packets if they meet one or more of the following specified criteria: specific port, direction of transfer, or source or destination of packets.
Tunnels and Encryption

Tunneling is used to create a virtual tunnel (a virtual point-to-point link) between you and your destination using an untrusted public network as the medium. In most cases, this would be the Internet. When establishing a tunnel, commonly called a VPN (which we’ll discuss in the next section), a safe connection is being created between two points that cannot be examined by outsiders. In other words, all traffic that is traveling through this tunnel can be seen, but cannot be understood by those on the outside. All packets are encrypted and carry information designed to provide authentication and integrity. This ensures that they are tamperproof and thus can withstand common IP attacks, such as the man-in-the-middle (MITM) and packet replay. When a VPN is created, traffic is private and safe from prying eyes.
VPNs

A VPN provides users with a secure method of connectivity through a public internetwork such as the Internet. Most companies use dedicated connections to connect to remote sites, but when users want to send private data over the Internet they should provide additional security by encrypting the data using a VPN.

When a VPN is implemented properly, it provides improved wide-area security, reduces costs associated with traditional WANs, improves productivity, and improves support for users who telecommute. Cost savings are twofold. First, companies save money using public networks (such as the Internet) instead of paying for dedicated circuits (such as point-to-point T1 circuits) between remote offices. Second, telecommuters do not have to pay long-distance fees to connect to Remote Access Service (RAS) servers. They can simply dial into their local ISPs and create a virtual tunnel to the office.

A tunnel is created by wrapping (or encapsulating) a data packet inside another data packet and transmitting it over a public medium. Tunneling requires three different protocols:

• Carrier Protocol: The protocol used by the network (IP on the Internet) that the information is traveling over.
• Encapsulating Protocol: The protocol (PPTP, L2TP, IPSec, Secure Shell [SSH]) that is wrapped around the original data.
• Passenger Protocol: The original data being carried.
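The three tunneling roles above, together with the authentication, integrity and replay protection described under Tunnels and Encryption, as an added Python illustration that is not from the book. The carrier header is a bare pair of IPv4 addresses, the encapsulating protocol is a toy (an HMAC-derived keystream plus an HMAC-SHA256 tag standing in for a real IPSec cipher suite), and the keys and addresses are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32          # HMAC-SHA256 tag: integrity and peer authentication
CARRIER_LEN = 8       # outer IPv4 src + dst, the "carrier protocol" header
SEQ_LEN = 8           # sequence number guarding against packet replay

def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream: HMAC(key, seq || counter) blocks. Illustration only."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(enc_key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
    return out[:length]

def encapsulate(enc_key: bytes, mac_key: bytes, seq: int, passenger: bytes,
                outer_src: bytes, outer_dst: bytes) -> bytes:
    """Encapsulating protocol: seq || E(passenger) || tag, behind a carrier header."""
    ct = bytes(p ^ k for p, k in zip(passenger, keystream(enc_key, seq, len(passenger))))
    body = struct.pack(">Q", seq) + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return outer_src + outer_dst + body + tag

class TunnelReceiver:
    """Far end of the tunnel: verifies, checks replay, then unwraps the passenger."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.highest_seq = -1   # simplified anti-replay: sequence must increase

    def decapsulate(self, frame: bytes) -> Optional[bytes]:
        """Return the passenger packet, or None for a forged, tampered or replayed frame."""
        if len(frame) < CARRIER_LEN + SEQ_LEN + TAG_LEN:
            return None
        body, tag = frame[CARRIER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                      # tampered in transit or not from our peer
        seq = struct.unpack(">Q", body[:SEQ_LEN])[0]
        if seq <= self.highest_seq:
            return None                      # replay of an already-seen packet
        self.highest_seq = seq
        ct = body[SEQ_LEN:]
        return bytes(c ^ k for c, k in zip(ct, keystream(self.enc_key, seq, len(ct))))
```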
Essentially, there are two different types of VPNs: site-to-site and remote access.
Site-to-Site VPN

Site-to-site VPNs are normally established between corporate offices that are separated by a physical distance extending further than a normal LAN. VPNs are available in software (such as Windows network operating systems) and hardware (firewalls such as Nokia/Checkpoint and SonicWALL) implementations. Generally speaking, software implementations are easier to maintain. However, hardware implementations are considered more secure, because they are not impacted by operating system vulnerabilities.

For example, suppose Company XYZ has offices in Boston and Phoenix. As shown in Figure 3.11, both offices connect to the Internet via a T1 connection. They have implemented VPN-capable firewalls in both offices, and established an encryption tunnel between them.

The first step in creating a site-to-site VPN is selecting the protocols to be used. Common protocols associated with VPN are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), SSH, and IP Security (IPSec). PPTP and L2TP are used to establish a secure tunnel connection between two sites.

Once a tunnel is established, encryption protocols are used to secure data passing through the tunnel. As data is passed from one VPN to another, it is encapsulated at the source and unwrapped at the target. The process of establishing the VPN and wrapping and unwrapping the data is transparent to the end user.

Most commercially available firewalls come with a VPN module that can be set up to easily communicate with another VPN-capable device. Microsoft has implemented site-to-site VPN tools on the Windows 2003 platform using either RRAS or the newest rendition of Microsoft’s proxy server, Microsoft ISA Server 2006.

Whichever product or service is chosen, it is important to ensure that each end of the VPN is configured with identical protocols and settings.
FIGURE 3.11 A Site-to-Site VPN Established Between Two Remote Offices.
Remote Access VPN

A remote access VPN, known as a private virtual dial-up network (PVDN), differs from a site-to-site VPN in that end users are responsible for establishing the VPN tunnel between the workstation and their remote office. An alternative to connecting directly to the corporate VPN is connecting to an enterprise service provider (ESP) that ultimately connects to the corporate VPN.

In either case, users connect to the Internet or an ESP through a point of presence (POP) using their particular VPN client software (Figure 3.12). Once the tunnel is set up, users are forced to authenticate with the VPN server, usually by username and password.

A remote access VPN is a great solution for a company with several employees working in the field. The remote access VPN allows these employees to transmit data to their home offices from any location. RRAS offers an easy solution for creating a remote access VPN.
FIGURE 3.12 A Remote-Access VPN Solution Using Regular Internet POPs.
