Evolving firewalls

• Tags:
• Evolved,
• Stateful Packet Inspection,
• Static Packet Filters,
• Protocols

Del Smith CCNA, CCA, MCSE

Published: 13 Aug 2002 12:52 BST

• 
• 
• 
• 
• 

Webopedia.com defines a firewall as "a system designed to prevent unauthorised access to or from a private network." Although technically accurate, this definition tells us only what a firewall does and doesn't address the more important question of how it does it. For administrators who are continually focused on keeping their networks secure, it is helpful to take a closer look at the way firewalls function and how they have evolved in recent years to better protect our corporate networks.

First-generation firewalls: Packet filtering

Static packet filters
One of the simplest and least expensive forms of firewall protection is known as static packet filtering. With static packet filtering, each packet entering or leaving the network is checked and either passed or rejected depending on a set of user-defined rules. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. You can compare this type of security to the bouncer at a club who allows people over 21 to enter and turns back those who do not meet the age rule requirements. The static packet filtering firewall examines each packet based on the following criteria:

• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port

For example, to allow e-mail to and from an SMTP server, a rule would be inserted into the firewall that allowed all network traffic with a TCP source and destination port of 25 (SMTP) and the IP address of the mail server as either the source or destination IP address. If this were the only filter applied, all non-SMTP network traffic originating outside of the firewall with a destination IP address of the mail server would be blocked by the firewall.

Many people have asked the question, "Is a router with an access list a firewall?" The answer is yes, a packet filter firewall can essentially be a router with packet filtering capabilities. (Almost all routers can do this.) Packet filters are an attractive option where your budget is limited and where security requirements are deemed rather low.

But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing, where an intruder tries to gain unauthorised access to computers by sending messages to a computer with an IP address indicating that the message is coming from a trusted host. Information security experts believe that packet filtering firewalls offer the least security because they allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited. Another shortcoming is that this form of firewall rarely provides sufficient logging or reporting capabilities.

Stateful packet inspection
Within the same generation of static packet filtering firewalls are firewalls known as stateful packet inspection firewalls. This approach examines the contents of packets rather than just filtering them; that is, it considers their contents as well as their addresses. You can compare this to the security screener at an airport. A ticket validates that you must be traveling from your source to your destination; however, your carry-on contents must be checked to get to your final destination.

These firewalls are called stateful because they can permit outgoing sessions while denying incoming sessions. They take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. By using something known as session or intelligent filtering, most stateful inspection firewalls can effectively track information about the beginning and end of network sessions to dynamically control filtering decisions. The filter uses smart rules, thus enhancing the filtering process and controlling the network session rather than controlling the individual packets.

Basic routers typically do not perform stateful packet inspections unless they have a special module like the firewall IOS feature in Cisco routers. A dedicated firewall device or server (with software) is usually required when the level of security demands stateful inspection of data in and out of a network. Although stateful packet inspection offers improved security and better logging of activities over static packet filters, it has its drawbacks as well. Setting up stateful packet examination rules is more complicated and, like static packet filtering, the approach allows a direct connection between endpoints through the firewall.

Go to section: Evolving firewalls Page 2: Second and third generation

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed