Understanding Firewalls
Overview
Nations without controlled borders cannot ensure the security and safety of their citizens, nor can
they prevent piracy and theft. Networks without controlled access cannot ensure the security or
privacy of stored data, nor can they keep network resources from being exploited by hackers.
The communication efficiency provided by the Internet has caused a rush to attach private networks
directly to it. Direct Internet connections make it easy for hackers to exploit private network
resources. Prior to the Internet, the only widely available way for a hacker to connect from home to
a private network was by direct dialing with modems and the public telephony network. Remote
access security was a relatively small issue.
When you connect your private network to the Internet, you are actually connecting your network
directly to every other network that's attached to the Internet directly. There's no inherent central
point of security control—in fact, there's no inherent security at all.
Firewalls are used to create security checkpoints at the boundaries of private networks. At these
checkpoints, firewalls inspect all packets passing between the private network and the Internet and
determine whether to pass or drop the packets depending on how they match the policy rules
programmed into the firewall. If your firewall is properly configured, is capable of inspecting every
protocol you allow to pass, and contains no serious exploitable bugs, your network will be as free
from risk as possible.
There are literally hundreds of firewall products available, and there are different theories from
different security experts on how firewalls should be used to secure your network. This chapter will
explore the operation of a generic firewall in detail, outline the important features you need in a
firewall, and discuss how firewalls should be deployed in networks of any size.
Firewall Elements
Firewalls keep your Internet connection as secure as possible by inspecting and then approving or
rejecting each connection attempt made between your internal network and external networks like
the Internet. Strong firewalls protect your network at all software layers—from the Data Link layer up
through the Application layer.
Firewalls sit on the borders of your network, connected directly to the circuits that provide access to
other networks. For that reason, firewalls are frequently referred to as border security. The concept
of border security is important—without it, every host on your network would have to perform the
functions of a firewall themselves, needlessly consuming computer resources and increasing the
amount of time required to connect, authenticate, and encrypt data in high-speed local area
networks. Firewalls allow you to centralize all external security services in machines that are
optimized for and dedicated to the task. Inspecting traffic at the border gateways also has the
benefit of preventing hacking traffic from consuming the bandwidth on your internal network.
By their nature, firewalls create bottlenecks between the internal and external networks, because all
traffic transiting between the internal network and the external must pass through a single point of
control. This is a small price to pay for security. Since external leased-line connections are
relatively slow compared to the speed of modern computers, the latency caused by firewalls can be
completely transparent. For most users, relatively inexpensive firewall devices are more than
sufficient to keep up with a standard T1 connection to the Internet. For businesses and ISPs whose
Internet traffic is far higher, a new breed of extremely high-speed (and high-cost) firewalls has
been developed, which can keep up with even the most demanding private networks. Some
countries actually censor the Internet using high-speed firewalls.
Firewalls function primarily by using three fundamental methods:
• Packet Filtering Rejects TCP/IP packets from unauthorized hosts and rejects connection
attempts to unauthorized services.
• Network Address Translation (NAT) Translates the IP addresses of internal hosts to hide
them from outside monitoring. You may hear of NAT referred to as IP masquerading.
• Proxy Services Makes high-level application connections on behalf of internal hosts in
order to completely break the network layer connection between internal and external hosts.
You can use devices or servers that perform only one of the above functions; for instance, you
could have a router that performs packet filtering, and then a proxy server in a separate machine.
This way, the packet filter must either pass traffic through to the proxy server, or the proxy server
must sit outside your network without the protection of packet filtering. Both are more dangerous
than using a single firewall product that performs all the security functions in one place. Most
firewalls also perform two other important security services:
• Encrypted Authentication Allows users on the public network to prove their identity to the
firewall, in order to gain access to the private network from external locations.
• Virtual Private Networking Establishes a secure connection between two private networks
over a public medium like the Internet. This allows physically separated networks to use the
Internet rather than leased-line connections to communicate. VPNs are also called
encrypted tunnels.
Some firewalls also provide additional subscription-based services that are not strictly related to
security, but which many users will find useful:
• Virus Scanning Searches inbound data streams for the signatures of viruses. Keeping up
with current virus signatures requires a subscription to the virus update service provided by
the firewall vendor.
• Content Filtering Allows you to block internal users from accessing certain types of content
by category, such as pornography, hate-group propaganda, pornography, hacking
information, and pornography. Keeping up with the current list of blocked sites for a specific
category also requires a subscription.
Nearly all firewalls use these basic methods to provide a security service. There are literally
hundreds of firewall products on the market now, all vying for your security dollar. Most are very
strong products that vary only in superficial details. The remainder of this section covers the five
primary functions that most firewalls support.
Packet Filters
The first Internet firewalls were simply packet filters, and packet filtering remains one of the key
functions of today's firewalls. Filters compare network protocols (such as IP) and transport protocol
packets (such as TCP) to a database of rules and forward only those packets that conform to the
criteria specified in the database of rules. Filters can either be implemented in routers or in the
TCP/IP stacks of servers (see Figure 1.1).
Figure 1.1: Filtered Internet connections block undesired traffic.
Filters implemented inside routers prevent suspicious traffic from reaching the destination network,
whereas TCP/IP filter modules in servers merely prevent that specific machine from responding to
suspicious traffic. The traffic still reaches the network and could target any machine on it. Filtered
routers protect all the machines on the destination network from suspicious traffic. For that reason,
filtering in the TCP/IP stacks of servers (such as that provided by Windows NT) should only be used
in addition to router filtering, not instead of it.
Filters typically follow these rules:
• Drop inbound connection attempts but allow outbound connection attempts to pass.
• Eliminate TCP packets bound for those ports that shouldn't be available to the Internet (such
as the NetBIOS session port) but allow packets that should be available (such as SMTP) to
pass. Most filters can specify exactly which server a specific sort of traffic should go to—for
instance, SMTP traffic on port 25 should only go to the IP address of a mail server.
• Restrict inbound access to certain IP ranges.
Warning
Simple packet filters, or routers with a packet-filtering function, that require
opening ports above 1023 for return channels are not effective security devices.
Such filters do not prevent internal users or Trojan horses from setting up a
service on a client station in the port range above 1023 and simply listening for
connection attempts from the outside. True firewalls (stateful inspection filters and
security proxies) open a return channel only for a server that has been invited in by
a connection attempt from inside the security perimeter; choose them over simple
packet filters that can't maintain the state of a connection.
Sophisticated filters examine the states of all connections that flow through them, looking for the
telltale signs of hacking, such as source routing, ICMP redirection, and IP spoofing. Connections
that exhibit these characteristics are dropped.
Internal clients are generally allowed to create connections to outside hosts, and external hosts are
usually prevented from initiating connection attempts. When an internal host decides to initiate a
TCP connection, it sends a TCP message to the IP address and port number of the public server
(for example, to connect to Microsoft's website). In the connection
initiation message, it tells the remote server what its IP address is and on which port it is listening
for a response (for example, localhost:2050).
The external server sends data back by transmitting it to the port given by the internal client. Since
your firewall inspects all the traffic exchanged between both hosts, it knows that the connection was
initiated by an internal host attached to its internal interface, what that host's IP address is, and on
what port that host expects to receive return traffic. The firewall then remembers to allow the host
addressed in the connection message to return traffic to the internal host's IP address only at the
port specified.
When the hosts involved in the connection close down the TCP connection, the firewall removes the
entry in its state table (its connection memory) that allows the remote host to return traffic to the
internal host. If the internal host stops responding before closing the TCP connection (because, for
example, it has crashed), or if the protocol in question does not support sessions (for example,
UDP), the firewall will remove the entry in its state table after a programmed timeout of a few
minutes.
Operating System Filtering
You might not be aware that most versions of UNIX and Windows include packet filtering in the
TCP/IP protocol interface. You can use this filtering in addition to a strong firewall to control access
to individual servers; you can also use this filtering to provide an additional measure of internal
security inside your organization without the cost of a firewall. Just as filtering alone is not sufficient
to protect your network entirely, your operating system's internal filtering is not sufficient to create a
completely secure environment.
Security Limitations of Packet Filtering
Filtering does not completely solve the Internet security problem. First, the IP addresses of
computers inside the filter are present in outbound traffic, which makes it somewhat easy to
determine the type and number of Internet hosts inside a filter and to target attacks against those
addresses. Filtering does not hide the identity of hosts inside the filter.
Additionally, filters cannot check all the fragments of an IP message against rules based on
higher-level protocols like TCP, because the TCP header exists only in the first fragment. Subsequent
fragments carry no transport header and can only be compared to IP-level rules, which are
usually relaxed to allow some traffic through the filter. This allows bugs in the destination IP stacks
of computers on the network to be exploited, and could allow communications with a Trojan horse
installed inside the network. More modern true firewalls support rebuilding fragmented packets and
then applying firewall rules to them.
Finally, filters are not complex enough to check the legitimacy of the protocols inside the network
layer packets. For example, filters don't inspect the HTTP messages carried in TCP segments to
determine if they contain exploits that target the web browser or web server on your end of the
connection. Most modern hacking attempts are based upon exploiting these higher-level services
because firewalls have nearly eliminated successful Network-layer hacking beyond the nuisance of
denial-of-service attacks.
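The fragment problem described above, as an added example that is not the book's own code: a first-generation filter can apply its TCP rule only where the TCP header is, so trailing fragments of a blocked stream slip through on the relaxed IP-level rule, and two remedies, discarding every fragment beyond number zero (one of the General Rules given later in this chapter) and rebuilding the datagram before filtering, close the gap. The raw IPv4/TCP packet builder, the single blocked port (139, the NetBIOS session port used as the chapter's example) and all traffic in demo() are constructed for the demonstration.

```python
"""Added example (not the book's own code): why stateless filters cannot apply TCP rules
to trailing fragments, and the two remedies the chapter mentions. All traffic is constructed."""
import socket
import struct

BLOCKED_TCP_PORTS = {139}   # the NetBIOS session port, as in the chapter's example rule


def build_ipv4(src, dst, proto, payload, ident, more, offset):
    """Minimal IPv4 header without options; offset is this fragment's byte offset.
    The checksum is left at zero because nothing in this demo verifies it."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_syn(sport, dport, data):
    """20-byte TCP header with SYN set, followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + data


def fragment(src, dst, proto, transport, ident, mtu):
    """Split one transport segment the way a router would: every fragment repeats the
    IP header, but only the first one carries the TCP header."""
    chunk = (mtu - 20) // 8 * 8          # fragment data length must be a multiple of 8
    frags = []
    for off in range(0, len(transport), chunk):
        more = off + chunk < len(transport)
        frags.append(build_ipv4(src, dst, proto, transport[off:off + chunk], ident, more, off))
    return frags


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"ident": f[3], "more": bool(f[4] & 0x2000), "offset": (f[4] & 0x1FFF) * 8,
            "proto": f[6], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "payload": pkt[ihl:f[2]]}


def tcp_rule(transport):
    """The only higher-level rule in this demo: block the NetBIOS session port."""
    dport = struct.unpack("!H", transport[2:4])[0]
    return "DROP" if dport in BLOCKED_TCP_PORTS else "ACCEPT"


def stateless_verdict(pkt, drop_trailing=False):
    """First-generation filter: the TCP rule sees only the first fragment; later
    fragments meet the relaxed IP-level rule unless trailing fragments are banned."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        return "DROP"
    if ip["offset"] == 0:
        return tcp_rule(ip["payload"]) if len(ip["payload"]) >= 4 else "DROP"
    return "DROP" if drop_trailing else "ACCEPT"


class Reassembler:
    """Collects fragments per (src, dst, ident, proto), in any order, and hands back
    the whole datagram once every byte up to the last fragment has arrived."""
    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        ip = parse_ipv4(pkt)
        if not ip["payload"]:
            return None                                   # nothing to reassemble
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "end": None})
        entry["parts"][ip["offset"]] = ip["payload"]
        if not ip["more"]:
            entry["end"] = ip["offset"] + len(ip["payload"])
        data = b""
        while len(data) in entry["parts"]:                # walk contiguous pieces from 0
            data += entry["parts"][len(data)]
        if entry["end"] is None or len(data) < entry["end"]:
            return None                                   # a gap is still unfilled
        del self.pending[key]
        return ip, data


def reassembling_verdict(reasm, pkt):
    """Modern firewall: hold fragments, rebuild the datagram, then apply the TCP rule."""
    done = reasm.feed(pkt)
    if done is None:
        return "HOLD"
    ip, transport = done
    if ip["proto"] != 6 or len(transport) < 4:
        return "DROP"
    return tcp_rule(transport)


def demo():
    """Constructed traffic: a SYN to port 139 (to be blocked) and one to port 80
    (allowed), each cut into three fragments by a 68-byte MTU."""
    blocked = fragment("198.51.100.5", "10.0.0.7", 6, tcp_syn(4444, 139, b"A" * 100), 1, 68)
    allowed = fragment("198.51.100.5", "10.0.0.7", 6, tcp_syn(4444, 80, b"B" * 100), 2, 68)
    reasm = Reassembler()
    return {
        "stateless_139": [stateless_verdict(p) for p in blocked],
        "stateless_80": [stateless_verdict(p) for p in allowed],
        "no_trailing_139": [stateless_verdict(p, drop_trailing=True) for p in blocked],
        "reassembled_139": [reassembling_verdict(reasm, p) for p in blocked],
        "reassembled_80": [reassembling_verdict(reasm, p) for p in allowed],
        "reassembled_80_out_of_order": [reassembling_verdict(reasm, p) for p in reversed(allowed)],
    }
```

In the stateless case the first fragment of the port-139 stream is dropped but the other two are accepted and delivered to the inside host's IP stack, which is the exposure the text describes. The reassembling filter answers HOLD until the datagram is complete and then drops or accepts it as a whole; the price is the buffering, which is why the blunt "no trailing fragments" rule is still a reasonable choice on a simple filter.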
Variants of Windows
There are three major strains of Windows:
• 16-bit versions of Windows that run on top of MS-DOS, including Windows 3.0, 3.1, and
3.11.
• 32-bit versions of Windows that run on MS-DOS, including Windows 95, 98, and ME.
• 32-bit versions of Windows that run on the NT kernel, including NT 3.1, NT 3.5, NT 3.51,
NT 4, 2000, and XP.
Throughout this book, when we use the term "Windows" we're talking about those versions based
on the NT Kernel architecture unless we state otherwise.
Do not rely upon your operating system's built-in filtering alone to protect your network. You should
use your operating system's filtering functions inside your network to establish filters to pass only
those protocols you explicitly intend to serve. This prevents software from working in ways you don't
expect and keeps Trojan horses from functioning even if they manage to get installed.
Basic OS filtering allows you to define acceptance criteria for each network adapter in your
computer for incoming connections based on the following:
• IP protocol number
• TCP port number
• UDP port number
The filtering usually does not apply to outbound connections (those originating on your server), and
is defined separately for each adapter in your system.
Note Windows 2000 supports outbound filtering; Windows NT 4 does not.
A typical server sets up services to listen on the following ports. These ports must be open through
your filter in order for these services to work correctly.
Simple TCP/IP services usually listen on the following ports:
Port TCP/IP Service
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
Internet servers usually listen on the following ports:
Port Server
21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet
70 Gopher
80 World Wide Web (HTTP)
119 Net News (NNTP)
443 Secure HTTP (HTTPS)
File servers usually listen on the following ports:
Port Service
53 Domain Name Service (DNS service, if installed)
135 RPC Locator Service (Windows NT only)
137 NetBIOS Name Service (WINS servers only)
139 NetBIOS Session Service (Windows network and SMB/CIFS servers only)
515 LPR, used by the TCP/IP print service, if installed
530 Remote Procedure Call (RPC connections are used by the Windows NT WinLogon service as well as many other high-level network applications)
3389 Windows Terminal Services, which accepts connections on this port using the RDP protocol
Mail servers are usually configured to listen on the following ports:
Port Mail Server
25 Simple Mail Transfer Protocol (SMTP; mail server-to-server exchanges)
110 Post Office Protocol version 3 (POP3; server-to-client mail exchanges)
143 Internet Message Access Protocol (IMAP; client access to the mail server)
If you install other service software, you must make sure your server's filter is set up to pass the
ports required by the service; otherwise the service will not work. Find out from the software
manufacturer which ports are required for that service. This does not apply to border firewalls, which
should only be configured to pass a service if you intend to provide that service to the public.
General Rules for Packet Filtering
There are two basic approaches you can take to security: Pessimistic, where you disable all access
except that which you know is necessary, and optimistic, where you allow all traffic except that
which you know is harmful. For security purposes, you should always take a pessimistic approach,
because the optimistic approach presumes that you know every possible threat in advance, which is
not possible. Consider the following general guidelines when you use packet filtering:
• Disallow all protocols and addresses by default, and then explicitly allow services and hosts
you wish to support.
• Disallow all connection attempts to hosts inside your network. By allowing any inbound
connections, you allow hackers to establish connections to Trojan horses or exploit bugs in
service software.
• Filter out and do not respond to ICMP redirect and echo (ping) messages. Drop all packets
that carry the IP source-route option. Source routing is rarely used for legitimate purposes.
• Drop all external routing protocol (RIP, OSPF) updates bound for internal routers. No one
outside your network should be transmitting RIP updates.
• Consider disallowing fragments beyond number zero, since this functionality is largely
obsolete and often exploited.
• Place public service hosts like web servers and SMTP servers outside your packet filters
rather than opening holes through your packet filters.
• Do not rely upon packet filtering alone to protect your network.
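The stateful behaviour described under Packet Filters (an entry created when an inside host opens a connection, removed when the connection closes, timed out for sessionless UDP) and the guidelines just listed, combined into one added example. This is illustration code written for this edition, not the book's or any firewall vendor's implementation; the 10.0.0.0 inside prefix, the mail server at 10.0.0.25 as the only host permitted to receive SMTP, the 180-second UDP timeout and every packet in demo() are assumptions made for the demonstration.

```python
"""Added example (not the book's own code): a toy stateful packet filter that applies the
chapter's guidelines. The inside prefix, mail-server address and all packets are constructed."""
from dataclasses import dataclass
from typing import Optional

INSIDE_PREFIX = "10.0.0."     # assumed private network on the firewall's inside interface
MAIL_SERVER = "10.0.0.25"     # assumed address of the only host that may receive SMTP
UDP_TIMEOUT = 180             # seconds of silence before a sessionless entry is forgotten


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags present: "SYN", "ACK", "FIN", "RST"
    icmp_type: Optional[int] = None     # 8 = echo request, 5 = redirect
    frag_offset: int = 0                # non-zero means a trailing IP fragment
    source_routed: bool = False         # IP source-route option present


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """Default deny, with a state table keyed on
    (proto, inside addr, inside port, outside addr, outside port)."""

    def __init__(self):
        self.state = {}   # 5-tuple -> time the entry was last refreshed

    def _expire(self, now):
        # Only sessionless (UDP) entries age out; TCP entries leave on FIN/RST.
        for key, last in list(self.state.items()):
            if key[0] == "udp" and now - last > UDP_TIMEOUT:
                del self.state[key]

    def decide(self, pkt: Packet, now: float = 0.0) -> str:
        # Telltale hacking traffic is dropped in either direction before any lookup.
        if pkt.source_routed or pkt.frag_offset != 0:
            return "DROP"
        if pkt.proto == "icmp" and pkt.icmp_type in (5, 8):
            return "DROP"
        self._expire(now)

        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if not (outbound or inbound):
            return "DROP"                 # nothing else belongs on the border

        if outbound:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "icmp":
                return "ACCEPT"           # e.g. an outbound "destination unreachable"
            new_tcp = pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
            if pkt.proto == "tcp" and not new_tcp and key not in self.state:
                return "DROP"             # mid-stream segment with no connection on record
        else:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            invited = key in self.state   # return traffic for a connection opened from inside
            smtp_to_mail_host = (pkt.proto == "tcp" and pkt.dst == MAIL_SERVER and pkt.dport == 25
                                 and "SYN" in pkt.flags and "ACK" not in pkt.flags)
            if not (invited or smtp_to_mail_host):
                return "DROP"             # unsolicited inbound connection attempt: the default

        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self.state.pop(key, None)     # simplified: a real filter waits for both FINs
        else:
            self.state[key] = now         # create or refresh the entry
        return "ACCEPT"


def demo():
    """Constructed traffic walked through the filter; returns the verdicts in order."""
    fw = StatefulFilter()
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    ack, fin = frozenset({"ACK"}), frozenset({"FIN", "ACK"})
    traffic = [
        # inside client opens a web connection; the server's reply is admitted by state
        (Packet("10.0.0.7", "203.0.113.10", "tcp", 2050, 80, syn), 0),
        (Packet("203.0.113.10", "10.0.0.7", "tcp", 80, 2050, synack), 1),
        # a different outside host aiming at the same client port has no state entry
        (Packet("198.51.100.5", "10.0.0.7", "tcp", 4444, 2050, syn), 2),
        # SMTP is admitted only to the mail server
        (Packet("198.51.100.5", "10.0.0.25", "tcp", 4000, 25, syn), 3),
        (Packet("198.51.100.5", "10.0.0.7", "tcp", 4001, 25, syn), 4),
        # client closes; afterwards the server's traffic no longer matches anything
        (Packet("10.0.0.7", "203.0.113.10", "tcp", 2050, 80, fin), 5),
        (Packet("203.0.113.10", "10.0.0.7", "tcp", 80, 2050, ack), 6),
        # UDP reply admitted while fresh, dropped once the idle timeout has passed
        (Packet("10.0.0.7", "203.0.113.53", "udp", 5353, 53), 10),
        (Packet("203.0.113.53", "10.0.0.7", "udp", 53, 5353), 20),
        (Packet("203.0.113.53", "10.0.0.7", "udp", 53, 5353), 400),
        # guideline drops: ping, ICMP redirect, source routing, trailing fragment
        (Packet("198.51.100.5", "10.0.0.7", "icmp", icmp_type=8), 401),
        (Packet("198.51.100.5", "10.0.0.7", "icmp", icmp_type=5), 402),
        (Packet("10.0.0.7", "203.0.113.10", "tcp", 2051, 80, syn, source_routed=True), 403),
        (Packet("203.0.113.10", "10.0.0.7", "tcp", 80, 2050, ack, frag_offset=3), 404),
    ]
    return [fw.decide(pkt, now) for pkt, now in traffic]
```

The point of keying the state table on the full 5-tuple is visible in the third packet: an outsider who guesses the client's ephemeral port still gets nothing, because the entry names the remote host too. The single inbound exception (SYN to port 25 on the mail server) is the chapter's "SMTP should only go to the IP address of a mail server"; everything else inbound is denied without a rule saying so.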
Network Address Translation
Network Address Translation (NAT) solves the problem of hiding internal hosts. NAT is actually a
network layer proxy: A single host makes requests on behalf of all internal hosts, thus hiding their
identity from the public network. Windows 2000 and XP, Linux, and many modern UNIX operating
systems provide this function as part of the operating system distribution. Windows NT does not.
NAT hides internal IP addresses by converting all internal host addresses to the address of the
firewall. The firewall then retransmits the data payload of the internal host from its own address
using the TCP port number to keep track of which connections on the public side map to which
hosts on the private side. To the Internet, all the traffic on your network appears to be coming from
one extremely busy computer.
NAT effectively hides all TCP/IP-level information about your internal hosts from prying eyes on the
Internet. Address translation also allows you to use any IP address range you want on your internal
network even if those addresses are already in use elsewhere on the Internet. This means you don't
have to request a large block of IP addresses from ARIN or reassign network numbers from those
you simply plugged in before you connected your network to the Internet.
Warning Although you can use any block of IP addresses behind a firewall with NAT, be aware that
you may encounter strange problems accessing Internet hosts that have the same public
IP address as a computer inside your network. For that reason, use one of the reserved
private ranges (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) inside your firewall to avoid these problems.
Finally, NAT allows you to multiplex a single public IP address across an entire network. Many small
companies rely upon the services of an upstream Internet service provider that may be reluctant to
provide large blocks of addresses because their own range is relatively restricted. You may want to
share a single dial-up or cable-modem address without telling your ISP. These options are all
possible using network address translation.
On the down side, NAT is implemented only at the TCP/IP level. This means that information hidden
in the data payload of TCP/IP traffic could be transmitted to a higher-level service and used to
exploit weaknesses in higher-level traffic or to communicate with a Trojan horse. You'll still have to
use a higher-level service like a proxy to prevent higher-level service security breaches.
Additionally, many protocols also include the host's IP address in the data payload, so when the
address is rewritten while passing through the NAT, the address in the payload becomes invalid.
This occurs with active-mode FTP, H.323, and nearly every other protocol that relies upon
establishing a secondary communication stream between the client and the server. IPSec fails for a
related reason: its Authentication Header covers the IP addresses, so rewriting them invalidates the
integrity check.
NAT is also a problem for network administrators who may want to connect to clients behind the
NAT for administrative purposes. Because the NAT has only one IP address, there's no way to
specify which internal client you want to reach. This keeps hackers from connecting to internal
clients, but it also keeps legitimate users at bay as well. Fortunately, most modern NAT
implementations allow you to create port-forwarding rules that allow internal hosts to be reached.
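The translation table described in this section, as an added example that is not the book's or any operating system's NAT code: one public address is multiplexed across inside hosts by assigning each outbound flow its own public source port, unsolicited inbound packets find no entry and are dropped, a static port-forwarding rule exposes one inside host, and the active-mode FTP PORT command shows why a payload-carried address breaks. The public address 203.0.113.1, the inside hosts, the 40000 starting port and the PORT command text are constructed for the demonstration.

```python
"""Added example (not the book's own code): port-multiplexing NAT as the chapter describes it,
including a port-forwarding rule and the active-mode FTP failure. All traffic is constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Nat:
    """One public address shared by every inside host; the translator keeps a table
    mapping each outbound flow to a public source port of its own."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (proto, priv ip, priv port, dst ip, dst port) -> public port
        self.inbound_map = {}    # (proto, public port, remote ip, remote port) -> (priv ip, priv port)
        self.forwards = {}       # (proto, public port) -> (priv ip, priv port), static rules

    def add_port_forward(self, proto, public_port, priv_ip, priv_port):
        self.forwards[(proto, public_port)] = (priv_ip, priv_port)

    def outbound(self, pkt):
        """Rewrite the source to the public address and a per-flow port. The payload is
        passed through untouched, which is exactly what breaks active-mode FTP."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Map a packet for the public address back to the inside host that started the
        flow, or to a port-forward target; anything else is dropped (None)."""
        if pkt.dst != self.public_ip:
            return None
        target = self.inbound_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if target is None:
            target = self.forwards.get((pkt.proto, pkt.dport))
        if target is None:
            return None
        return replace(pkt, dst=target[0], dport=target[1])


def ftp_port_address(payload):
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' command the way the server does."""
    text = payload.decode("ascii").strip()
    if not text.startswith("PORT "):
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in text[5:].split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def demo():
    nat = Nat("203.0.113.1")
    nat.add_port_forward("tcp", 3389, "10.0.0.9", 3389)   # expose one Terminal Server

    # Two inside hosts using the same local port both leave as the single public address.
    a = nat.outbound(Packet("tcp", "10.0.0.7", 2050, "203.0.113.10", 80))
    b = nat.outbound(Packet("tcp", "10.0.0.8", 2050, "203.0.113.10", 80))
    # The web server's reply finds its way back; a stranger aiming at the same port does not.
    reply = nat.inbound(Packet("tcp", "203.0.113.10", 80, "203.0.113.1", a.sport))
    stray = nat.inbound(Packet("tcp", "198.51.100.5", 4444, "203.0.113.1", a.sport))
    rdp = nat.inbound(Packet("tcp", "198.51.100.5", 5000, "203.0.113.1", 3389))

    # Active-mode FTP: the PORT command still advertises the private address, so the
    # server's data connection is aimed at 10.0.0.7 and never reaches the public side.
    ftp = nat.outbound(Packet("tcp", "10.0.0.7", 2100, "203.0.113.21", 21,
                              b"PORT 10,0,0,7,8,2\r\n"))
    data_ip, data_port = ftp_port_address(ftp.payload)
    data_conn = nat.inbound(Packet("tcp", "203.0.113.21", 20, data_ip, data_port))

    return {
        "public_sources": [(a.src, a.sport), (b.src, b.sport)],
        "reply_to": (reply.dst, reply.dport),
        "stray_dropped": stray is None,
        "rdp_to": (rdp.dst, rdp.dport),
        "ftp_advertises": (data_ip, data_port),
        "ftp_data_dropped": data_conn is None,
    }
```

The inbound lookup includes the remote address and port, so a reply is only accepted from the host the inside client actually contacted; the port-forward rule is the one deliberate hole. Real NAT implementations handle FTP with an application-layer helper that rewrites the PORT command and pre-creates the inbound mapping, which is the "higher-level service" the text says plain NAT lacks.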
Proxies
NAT solves many of the problems associated with direct Internet connections, but it still doesn't
completely restrict the flow of packets through your firewall. It's possible for someone with a network
monitor to watch traffic coming out of your firewall and determine that the firewall is translating
addresses for other machines. It is then possible for a hacker to hijack TCP connections or to spoof
connections back through the firewall.
Application-level proxies prevent this. They allow you to completely disconnect the flow of
network-level protocols through your firewall and restrict traffic only to higher-level protocols like
HTTP, FTP, and SMTP. Application-level proxies are a combination of a server and a client for the
specific protocol in question. For example, a web proxy is a combination of a web server and a web
client. The protocol server side of the proxy accepts connections from clients on the internal
network, and the protocol client side of the proxy connects to the public server. When the client side
of the proxy receives data from the public server, the server side of the proxy application sends it to
the ultimate inside client. Figure 1.2 shows exactly how this works.
Figure 1.2: Proxy servers receive requests on the private network and regenerate them on the
public network.
Proxies straddle two networks that are not connected by routers. When a client on the protected
network makes a connection to a server on the public side, the proxy receives the connection
request and then makes the connection on behalf of the protected client. The proxy then forwards
the response from the public server onto the internal network. Proxies essentially perform a benign
man-in-the-middle attack, and they provide a good example of how any intermediate system
between you and another end system could potentially perform a more malicious sort of processing
without your permission.
Application proxies (like Microsoft Proxy Server) are unlike Network Address Translators and filters
in that the Internet client application is (usually) set up to talk to the proxy. For instance, you tell
Internet Explorer the address of your web proxy, and Internet Explorer sends all web requests to
that server rather than resolving the IP address and establishing a connection directly.
Application proxies don't have to run on firewalls; any server, either inside or outside your network,
can perform the role of a proxy. Without a firewall, you still don't have any real security, so you need
both. At least some sort of packet filter must be in place to protect the proxy server from
network-layer denial-of-service attacks (like the infamous "ping of death"). And, if the proxy doesn't run on
the firewall, you'll have to open a channel through your firewall one way or another. Ideally, your
firewall should perform the proxy function. This keeps packets from the public side from being
forwarded through your firewall.
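The server-plus-client construction of an application-level proxy described in this section, as an added example that is not the book's or Microsoft Proxy Server's code: the server half parses and validates what an internal browser sent in proxy style (an absolute http URL in the request line), and the client half regenerates a brand-new request toward the public server from the parsed fields, so no byte of the original arrives on the public side and only a known set of headers survives. The browser request, the stand-in origin server and the forwarded-header list are constructed for the demonstration; the real connection to the public server is replaced by the fake_origin function.

```python
"""Added example (not the book's own code): the two halves of an application-level HTTP
proxy. The browser request, the origin stand-in and the header allow-list are constructed."""
import re
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Only these request headers are regenerated toward the public side; everything else
# (Proxy-*, hop-by-hop headers, internal tokens) stops at the proxy.
FORWARDED_HEADERS = {"accept", "accept-language", "content-type", "content-length", "user-agent"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")      # RFC 7230 header-name characters


def parse_request(raw: bytes):
    """Server half: accept only a well-formed proxy-style request (absolute http URL)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    if b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("bare LF in request head")        # blocks header-injection tricks
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("bad request line")
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method}")
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("proxy requests must carry an absolute http URL")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    if "content-length" in headers and headers["content-length"] != str(len(body)):
        raise ValueError("content-length does not match body")
    return method, url, headers, body


def regenerate(method, url, headers, body):
    """Client half: build the outbound request from parsed fields, never from the original
    bytes, so only known headers in canonical form reach the public server."""
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    host = url.hostname + (f":{url.port}" if url.port else "")
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name in sorted(headers):
        if name in FORWARDED_HEADERS:
            lines.append(f"{name.title()}: {headers[name]}")
    lines.append("Connection: close")
    return url.hostname, url.port or 80, "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def fake_origin(host, port, request):
    """Stand-in for the public web server: records what it received and answers."""
    fake_origin.seen = (host, port, request)
    return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def proxy(raw: bytes, connect=fake_origin):
    """Full round trip: parse, regenerate, fetch through the client half, relay the answer."""
    host, port, upstream = regenerate(*parse_request(raw))
    return connect(host, port, upstream)


def demo():
    browser = (b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
               b"Host: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
               b"Proxy-Connection: keep-alive\r\nX-Internal-Token: secret\r\n\r\n")
    response = proxy(browser)
    origin_saw = fake_origin.seen
    rejected = {}
    for label, bad in {
        "relative_target": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "connect_tunnel": b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n",
        "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\r\n\r\n",
        "lf_injection": b"GET http://www.example.com/ HTTP/1.1\r\nHost: a\nX-Evil: 1\r\n\r\n",
    }.items():
        try:
            proxy(bad)
            rejected[label] = None
        except ValueError as err:
            rejected[label] = str(err)
    return {"origin_saw": origin_saw, "response": response, "rejected": rejected}
```

Because the client half is the only thing that ever talks to the public server, that server sees a connection from the proxy's address and a request the proxy composed; the browser's X-Internal-Token and Proxy-Connection headers never leave the private network, and anything that is not a well-formed HTTP request for an http URL (a CONNECT tunnel, a TLS handshake, a bare-LF header split) is refused at the server half rather than relayed.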