Fire Wall
Biwu Yang
East Carolina University, USA
Abstract
The firewall is a critical technology for protecting enterprise network systems and individual
hosts. Firewalls can be implemented as a specific software application or as a dedicated
appliance. Depending on the security policies of an organization, several firewall
implementation architectures are available, each with its advantages and disadvantages.
Therefore, a thorough understanding of firewall technology, its features and limitations, and
implementation considerations is very important in the design and implementation of an
effective firewall architecture in an organization. This chapter covers the life cycle of firewall
design, selection, and implementation.
Introduction
The function of a firewall is to regulate network access, that is, to determine what traffic is
allowed and what traffic is not allowed based on the network security policies adopted by an
organization. Similar to a router, a firewall device is situated inline in the network traffic
path, with one interface to receive incoming data packets and another interface to forward
them. However, unlike a router, a firewall does not need to decide on a best path to forward
the data packets. It either allows the packets to go through or drops them.
The decision to allow data packets through or not is made by examining various
characteristics of the incoming packets. Depending on the features and capacity of a firewall,
the characteristics that can be used to make the decision include the source and destination IP
addresses, the destination TCP and/or UDP ports specified in a packet, the application layer
protocol used, the time of day, etc.
Firewall filtering criteria are implemented by firewall rules. Firewall rules are defined based
on security policies developed and adopted by an organization. An organization defines its
information technology policies to meet its business goals and needs. Security policies are
part of the general information technology policies. Some security policies are simple to
implement and some are difficult. However, not all security policies can be implemented
through firewall technology. For example, a user access policy may require that network
administrators must change their administration password every 30 days; this policy cannot
be implemented effectively through a firewall device. On the other hand, a security policy
specifying that data packets initiated from the outside network are not allowed into the
internal network unless they are a response to a request initiated by a host in the internal
network can be effectively implemented on the firewall at the perimeter network of the
organization.
Depending on the security needs and policies, a firewall can be implemented as a dedicated
device, sometimes called a firewall appliance, or as a software solution, which is installed on
a regular computer. There are also several designs of firewall architecture. For example, a
perimeter firewall is typically situated between the outside network (untrusted side) of an
organization and the internal network (trusted side). In addition, firewall devices are also used
to protect critical network services, such as a server farm, where the key servers are located.
In the design of a firewall architecture, several factors must be considered, including the
location and selection of firewall devices, the impact on network traffic and throughput,
firewall device management, etc.
Type of Firewalls
Firewalls can be classified as software solutions and dedicated hardware solutions. In the
early days, firewalls were software solutions.
As a software solution, a firewall is designed as an application to be installed on a regular
computer. The computer has at least two network interface cards (NICs) installed, one
connected to the outside network and the other connected to the internal network, as
illustrated in Figure 1. Such a computer is termed a dual-homed host. More NICs can be used
if the firewall is designed to connect to multiple internal networks.
Figure 1. Dual Homed Host in a Network
applications use well-known TCP and/or UDP ports, the firewall administrator can set up
rules to watch for the protocol types and the ports used, in conjunction with the source and
destination IP addresses, to filter incoming packets according to security policies.
Table 1. OSI Model and TCP/IP Protocol Suite
OSI Model
Application
Presentation
Session
Transport
Network
Data link
Physical
Figure 2 shows that a router performs packet filtering. The router may use a filtering table as
shown in Table 2, to filter incoming packets.
Figure 2. The Router Performs Packet Filtering for Incoming Packets
Table 2. Filtering Table
Interface    Source IP    Source Port  Destination IP  Destination Port  Action
Serial 0     134.25.2.8   any          198.31.7.12     80                allow
Serial 0     any          any          198.31.7.1      23                drop
Serial 0     any          any          198.31.7.254    any               drop
Ethernet 0   any          any          126.34.12.7     80                allow
Ethernet 0   any          any          173.25.41.2     any               drop
Ethernet 0   198.31.7.5   any          198.31.7.1      22                allow
In this example, incoming packets can come from the external network (through the Serial 0
interface) or from the internal network (through the Ethernet 0 interface). The filtering rules
are specified and incoming packets are filtered based on these rules:
1. An external host with the IP of 134.25.2.8 is allowed to access an internal web server at
198.31.7.12.
2. External hosts are not allowed to access the device with the IP of 198.31.7.1 using
Telnet.
3. External hosts are not allowed to access the internal device with the IP of
198.31.7.254.
4. Internal hosts are allowed to access an external web server at 126.34.12.7.
5. Internal hosts are not allowed to connect to an external host with the IP of
173.25.41.2.
6. An internal host with the IP of 198.31.7.5 can connect to the device with the IP of
198.31.7.1 using SSH.
A packet filtering firewall treats each passing packet individually, that is, it does not consider
whether a packet is a part of an already established communication.
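The following Python program is an added example and is not part of the chapter. It encodes the six rules of Table 2 and evaluates packets against them in order, as a stateless packet filter does. The default-drop action for unmatched packets and the find_shadowed() rule-ordering check are assumptions of this example rather than features the chapter describes. Running the reply to rule 1 through the filter shows the limitation just stated: because no state is kept, the returning web traffic arriving on Ethernet 0 matches no rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of a router filtering table; "any" is a wildcard."""
    interface: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str

    def fields(self):
        return (self.interface, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def matches(self, iface, src_ip, src_port, dst_ip, dst_port):
        packet = (iface, src_ip, str(src_port), dst_ip, str(dst_port))
        return all(f in ("any", p) for f, p in zip(self.fields(), packet))


# The six rules of Table 2, in the order the chapter lists them
TABLE_2: List[Rule] = [
    Rule("Serial 0",   "134.25.2.8", "any", "198.31.7.12",  "80",  "allow"),
    Rule("Serial 0",   "any",        "any", "198.31.7.1",   "23",  "drop"),
    Rule("Serial 0",   "any",        "any", "198.31.7.254", "any", "drop"),
    Rule("Ethernet 0", "any",        "any", "126.34.12.7",  "80",  "allow"),
    Rule("Ethernet 0", "any",        "any", "173.25.41.2",  "any", "drop"),
    Rule("Ethernet 0", "198.31.7.5", "any", "198.31.7.1",   "22",  "allow"),
]


def decide(rules, iface, src_ip, src_port, dst_ip, dst_port,
           default="drop") -> Tuple[str, Optional[int]]:
    """First-match evaluation of a stateless packet filter.
    Returns (action, 1-based rule number), or (default, None) when no rule
    matches. Default drop is an assumption of this example: Table 2 itself
    does not say what happens to unmatched packets."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(iface, src_ip, src_port, dst_ip, dst_port):
            return rule.action, number
    return default, None


def find_shadowed(rules) -> List[int]:
    """Ordering check: a rule is shadowed when an earlier rule matches every
    packet it matches, so it can never fire. Returns 0-based indexes of
    shadowed rules; Table 2 has none."""
    def covers(a: Rule, b: Rule) -> bool:
        return all(x == "any" or x == y for x, y in zip(a.fields(), b.fields()))
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    # Constructed packets: rule 1 allows the external host; the reply to it,
    # arriving on Ethernet 0, matches nothing because the filter keeps no state
    print(decide(TABLE_2, "Serial 0", "134.25.2.8", 40000, "198.31.7.12", 80))
    print(decide(TABLE_2, "Ethernet 0", "198.31.7.12", 80, "134.25.2.8", 40000))
    print(find_shadowed(TABLE_2))
```

In a real router ACL the reply traffic would need its own explicit rule, which is exactly the gap that stateful inspection (discussed later in this chapter) closes.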
Application Firewall
The application firewall is considered the second-generation firewall (Whitman & Mattord,
2004). While the packet filtering firewall uses the information in the network layer and
transport layer headers, it does not inspect the application layer content of incoming packets.
However, sometimes the information in the upper layers needs to be inspected to verify the
legitimacy of a packet. For example, a company may restrict employees to using their web
browsers to visit approved web sites only, such as partner web sites. In this case, merely
inspecting a packet for TCP port 80 is insufficient; the application layer information, the
URL, must also be checked. This can be accomplished by using an application firewall.
The application firewall goes by several other names, including application-level firewall,
application gateway firewall, and proxy firewall. It is typically a dedicated computer with
specific filtering software installed. An application firewall works on layers 3, 4, 5, and 7 of
the OSI model. Upon receiving a packet, the application firewall strips off headers and
trailers until only the message itself (i.e., the application layer data) remains. It can
recognize the characteristics of certain application protocols, such as FTP, HTTP, SSH,
Telnet, etc. Because it monitors traffic by these known characteristics, it will recognize the
type of traffic even if both ends of an application use non-standard transport layer ports. The
application gateway firewall can detect abnormal application behavior and may stop the
communication of an application.
The application gateway firewall is also called a proxy firewall or proxy server, in that it sits
between the clients and remote applications, so that it hides the internal hosts from outside
networks.
A proxy server typically works with another firewall device because it is specifically
designed to filter only a few particular applications. As shown in Figure 3, the web browsers
of internal hosts are configured to use the proxy server in order to access remote web sites.
The router is configured with a rule to drop all web traffic initiated from the internal hosts,
except traffic from the proxy server. When the proxy server receives packets from internal
hosts, it examines the destination URL in the message; if it is a valid request, it repackages
the packet using its own IP and MAC address and sends it on to the router. In other words, it
sends the request on behalf of the internal host. Since the router is configured to accept web
traffic initiated from the proxy server, it forwards the web request. When a web response
returns, the router forwards the packet to the proxy server; the proxy server examines the
message (application layer information), verifies that it is indeed a response to the request,
and then repackages it and sends it to the internal host, again using its own IP and MAC
address.
Figure 3. Proxy Firewall
A proxy server can also be used to protect internal network resources while allowing requests
from external networks. As shown in Figure 4, the domain name of the web service provided
by the web server is configured on the proxy server, thus the web requests from external hosts
are sent to the proxy server. The proxy server checks the content of the message and forwards
it to the web server if the request is valid. The return message is sent from the web server to
the proxy server and then it is forwarded to the external client.
Figure 4. Proxy Server to Protect the Internal Web Server
The proxy server protects the web server by shielding it from direct access from the external
network. In addition, a proxy server can store recently served content in its memory cache.
When it receives a request from a client, it checks the cache first. If the requested information
is in the cache, it sends it to the client immediately. Thus a proxy server enhances the
performance of the web service.
Proxy firewalls provide functions that a regular firewall would not cover, such as user-based
access control and port forwarding. If a proxy server is used by internal network hosts to
access remote servers, user-based access control lets it grant or deny a connection based on a
user authentication mechanism. On the other hand, if a proxy server is used by teleworkers
to access corporate servers, the port forwarding feature can be used to further protect the
servers by allowing connections only on an irregular port (not a well-known port). Thus only
clients who know the particular port can access the servers. For example, if a randomly
selected TCP port 1567 is configured to connect to a web server, a user must specify this port
in the URL when connecting to the proxy server; the proxy will then forward the request to
the internal web server on port 80.
The major limitation of proxy firewalls is that they are specially designed to filter a particular
application layer protocol. When another application layer protocol is to be filtered, the proxy
server needs a major reconfiguration effort. Also, when a server faces a large number of
requests, the proxy server might become the bottleneck if it cannot provide sufficient
performance.
In modern network security design, the servers that provide important information and need
to be accessed from the Internet, such as web servers and DNS servers, are located in a
demilitarized zone (DMZ). The DMZ network is isolated from the internal network and
therefore access to it can be separately controlled. An HTTP proxy server, if necessary,
should also be located in the DMZ.
Stateful Inspection Firewall
The stateful inspection firewall is considered the third-generation firewall (Whitman &
Mattord, 2004). A stateful firewall gets its name because this type of firewall performs
stateful packet inspection (SPI). An SPI firewall works on layers 3, 4, and 5 of the OSI
model. It keeps a state table about the packets transmitted. Unlike a packet filtering firewall,
which treats incoming packets individually, a stateful firewall keeps track of packets passing
by and checks whether incoming packets belong to an already established connection. It uses
this information to determine the state of a connection. The state information includes IP
addresses, the transport protocol (TCP or UDP), TCP header flags (for example, SYN, RST,
ACK, and FIN), etc. This improves the efficiency of packet inspection: once a connection is
established, subsequent incoming packets that belong to the same connection are allowed to
pass without further inspection against the firewall rules.
Most communications have a state, either open or closed. If an application uses TCP as the
transport layer protocol, TCP uses a 3-way handshake to establish a connection before data is
transmitted (Forouzan, 2010). It also has a proper mechanism to close the connection. After
the TCP connection is established, the state during the data communication is open until it is
closed. For applications using UDP as the transport layer there is no connection state, since
UDP is a connectionless protocol; in this case, the firewall keeps a record of the transmission
to be used for SPI. Figure 5 shows the connection establishment and termination of a TCP
session.
Figure 5. TCP Connection Establishment and Termination Process
Before an application on the client can start sending data using TCP, TCP first establishes
the connection. This is done through a 3-way handshaking process.
1. The client sends a SYN segment to the server.
2. The server sends back a SYN+ACK segment. This SYN+ACK segment has a dual
purpose. The SYN part opens a connection in the opposite direction, from the server to
the client. The ACK part acknowledges the SYN segment sent by the client.
3. The client sends an ACK segment in response to the SYN+ACK segment sent by the
server.
At this point, the connection between the client and the server is established and data can be
transmitted between them. The state is established.
When data transmission is completed, another 3-way handshaking process for connection
termination takes place.
1. The client sends a FIN segment to the server.
2. The server sends back a FIN+ACK segment. The FIN part initiates the closing of the
connection in the opposite direction, from the server to the client. The ACK part
acknowledges the FIN segment sent by the client.
3. The client sends an ACK segment in response to the FIN+ACK segment sent by the
server.
At this point, the connection between the client and the server is closed. The state is closed.
An SPI firewall keeps track of the communication status in a state table. The state table
tracks the source and destination IP addresses, TCP ports, and the status. Figure 6 shows an
example of the state table in an SPI firewall during a connection from a client in the internal
network to an external web server.
Figure 6. State Table in a SPI Firewall
In this example, the rule in the firewall blocks incoming traffic from the external network
unless it is in response to a request initiated from a host in the internal network.
The internal client initiates the 3-way handshake by sending a SYN segment to the external
web server. The packet contains the destination IP address of 143.24.35.7 and destination
port of 80, as well as the source IP address of 198.33.7.8 and source port of 53034, a
randomly selected port number.
The SPI firewall examines the packet, records these four pieces of information in the state
table, and marks the status as OK. When a SYN+ACK segment (from the web server)
arrives as an IP packet, the firewall compares these four pieces of information contained in
the packet with its state table. If they match, it lets the packet enter the internal network.
Once the connection is established, an SPI firewall allows traffic to pass from the internal
hosts to the external network. However, incoming packets from the external network are
compared with the state table; if a packet is part of an existing connection (matching the four
pieces of information), it is let through. Otherwise, the packet is dropped.
An attacker may send a SYN+ACK segment to an internal host trying to elicit a TCP RST
segment. Without the firewall, the internal host would send a TCP RST segment to indicate
that the SYN+ACK segment is not valid. However, the packet that carries the TCP RST
segment includes the host's IP address and port number, so the attacker gathers information
about internal hosts. Also, an attacker might send multiple SYN+ACK packets in a very short
period. If the host is kept busy responding with TCP RST segments, the attacker might
achieve a denial of service, especially if the target internal host is a server. With an SPI
firewall, since the incoming SYN+ACK segment does not match the state table, the packet is
simply dropped.
For connectionless protocols, such as UDP, an SPI firewall handles the traffic in a similar
way in that it keeps track of a UDP session in the state table. When an internal host initiates
a UDP-based request, the state table keeps the connection information: the type of protocol
(UDP in this case), source and destination IP addresses, and source and destination UDP
ports. Incoming packets are compared with the information in the state table. If a packet
matches, it is considered part of the UDP connection and is allowed to enter; otherwise, it is
dropped.
Advanced SPI implementations can handle applications that require port switching and the
opening of multiple ports, such as FTP, streaming video, videoconferencing (H.323), etc.
In FTP communication, the protocol uses TCP port 21 as a control channel and uses another
TCP port, usually dynamically assigned, to transfer data. Figure 7 shows an FTP connection
process.
Figure 7. Passive FTP Data Transfer
The client first establishes a control connection with the server.
1. The client sends an open request to the server, with a randomly chosen TCP port P
(54033 in the example) as the source port and port 21 as the destination port, which is the
control port on which the FTP server listens for requests.
2. The FTP server sends back a response and the connection is open.
At this point, the state table in the SPI firewall records the information, as shown in the first
row in Figure 7.
After the client and the FTP server establish a connection, the data transfer can take place.
1. The client issues a PASV command, which asks the server to select a port for data
transfer.
2. The server responds with a randomly chosen port (45001 in the example) for data
transfer.
3. The client can now issue a data command, with the source port P+1 (54034) and
destination port 45001.
At this point, the SPI firewall notices the connection initiated by the internal host and saves
the information in the state table. The returning data packets from the server are allowed to
pass because they match the information in the state table.
FTP can operate in two modes, active and passive. This example shows an FTP session in
passive mode. In passive FTP mode, the client asks the FTP server to select a port for data
transfer, and the client then opens the data connection to the server. Since this communication
is initiated from the internal network, the firewall lets the packets go out and the returning
packets in, since they belong to an established connection.
However, in active FTP, the process is a little different:
1. The client issues a PORT command to let the server know which port the client will
use for the data transfer. The source port could be port P+1 (54034 in the example) and
the destination port is port 21.
2. The server sends a response (code 150) to the client to indicate that the server is ready
for data transfer. The source port is TCP port 20 (the well-known data port for FTP)
and the destination port is the port specified in step 1. To the firewall, this is a new
connection initiated from the external network, so it blocks this packet.
Passive FTP mode is considered safe, especially for the firewall at the client side.
Most multimedia servers use this dual-connection model, one channel for control and another
for data transfer. Some applications may even use multiple data channels, such as H.323
videoconferencing. By understanding the operating features of various applications, SPI
firewalls can support those applications with complex communication patterns.
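The following Python simulation is an added example, not code from the chapter. It implements the state table described above for TCP and UDP, drops the unsolicited SYN+ACK probe from the attack scenario, and, when the constructed ftp_helper option is enabled, shows the "advanced SPI" behaviour for active FTP: the PORT command on the control channel is parsed and the server's data connection from port 20 is pre-authorised instead of being blocked. The client and web server addresses are those of the Figure 6 example; the DNS, FTP and attacker addresses, every packet, and the EXPECTED status label are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it (all packets below are constructed)."""
    direction: str        # "out": internal -> external, "in": external -> internal
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN", "ACK"}
    payload: str = ""     # application data; only the FTP PORT command is parsed


# Active-FTP PORT command: "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


class StatefulFirewall:
    """Stateful packet inspection with a state table keyed on
    (protocol, internal IP, internal port, external IP, external port).
    Outbound traffic creates entries; inbound packets pass only if they
    match one. With ftp_helper=True the firewall also parses the active-FTP
    PORT command and pre-authorises the server's data connection."""

    def __init__(self, ftp_helper=False):
        self.ftp_helper = ftp_helper
        self.state = {}          # key -> "OK" (seen) or "EXPECTED" (pinhole, not yet used)

    @staticmethod
    def _key(pkt):
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt):
        key = self._key(pkt)
        if pkt.direction == "out":
            self.state.setdefault(key, "OK")          # record the internal request
            if self.ftp_helper and pkt.proto == "tcp" and pkt.dst_port == 21:
                self._open_ftp_pinhole(pkt)
            return "allow"
        status = self.state.get(key)
        if status is None:
            return "drop"      # unsolicited, e.g. a SYN+ACK probe from an attacker
        if status == "EXPECTED":
            self.state[key] = "OK"                    # the announced data channel arrived
        return "allow"

    def _open_ftp_pinhole(self, pkt):
        m = PORT_CMD.match(pkt.payload)
        if not m:
            return
        octets = m.groups()
        client_ip = ".".join(octets[:4])
        client_port = int(octets[4]) * 256 + int(octets[5])
        # Only honour a PORT command that names the client's own address;
        # otherwise the control channel could open holes toward other hosts.
        if client_ip != pkt.src_ip:
            return
        self.state[("tcp", client_ip, client_port, pkt.dst_ip, 20)] = "EXPECTED"


def scenario(ftp_helper=False):
    """Replays constructed traffic and returns each packet's verdict by name."""
    fw = StatefulFirewall(ftp_helper=ftp_helper)
    client, web, dns = "198.33.7.8", "143.24.35.7", "198.51.100.53"
    ftp, attacker = "203.0.113.20", "203.0.113.9"
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        ("web syn",       Packet("out", "tcp", client, 53034, web, 80, SYN)),
        ("web syn+ack",   Packet("in",  "tcp", web, 80, client, 53034, SYNACK)),
        ("probe syn+ack", Packet("in",  "tcp", attacker, 80, client, 53034, SYNACK)),
        ("dns query",     Packet("out", "udp", client, 40001, dns, 53)),
        ("dns reply",     Packet("in",  "udp", dns, 53, client, 40001)),
        ("ftp ctl syn",   Packet("out", "tcp", client, 54033, ftp, 21, SYN)),
        ("ftp PORT cmd",  Packet("out", "tcp", client, 54033, ftp, 21, ACK,
                                 "PORT 198,33,7,8,211,18\r\n")),   # 211*256+18 = 54034
        ("ftp data syn",  Packet("in",  "tcp", ftp, 20, client, 54034, SYN)),
    ]
    return {name: fw.process(pkt) for name, pkt in traffic}


if __name__ == "__main__":
    for helper in (False, True):
        print("ftp_helper =", helper, scenario(helper))
```

Matching on the four address fields alone, as the chapter's Figure 6 table does, means a packet that copies the external server's address and port would also match; production SPI implementations therefore also check TCP flags and sequence numbers and expire idle entries, and the FTP helper above only opens a pinhole toward the client address that actually sent the command.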
Network Address Translation
Network address translation (NAT) technology was developed to slow down the exhaustion
of the IPv4 address space. With the exponential growth of World Wide Web sites and more
and more services being offered through the World Wide Web, the demand for unique IP
addresses has grown steadily. In fact, the IPv4 address space was exhausted on February 1,
2011 (IPv4 Address Report, n.d.). However, the Internet still operates normally thanks to
NAT technology.
This technology involves modifying the IP address information in the IP datagram header
before transmitting the data across a router. In particular, organizations take advantage of
private IP address blocks to hide their internal network behind a router. Table 3 lists the IP
address blocks reserved for use in private networks.
Table 3. IP Blocks for Private Network
Block            Number of addresses
10.0.0.0/8       16,777,216
172.16.0.0/12    1,048,576
192.168.0.0/16   65,536
169.254.0.0/16   65,536
As shown in Figure 8, an organization uses the NAT technology to translate the IP addresses
assigned to the internal network, the private IP address block 192.168.1.0/24 in the figure, to
global IP addresses so that the packets can be forwarded to the Internet. From the internal
network, all outgoing packets go through the router, where the source IP address in the IP
header is replaced with a global (also called public) IP address. For the returning traffic, the
router replaces the destination IP address with its original private IP address. The router keeps
a translation table so that it knows which address pair has been assigned during the
transmission.
Figure 8. NAT is used between the Internal and External Networks
3. Dynamic NAT with Port Address. This is called network address and port translation
(NAPT) or port address translation (PAT). The technology was developed to address the
limitation of the global IP address pool in dynamic NAT. It allows one global IP address
to be shared by many internal hosts for address translation by adding another parameter,
the transport layer port number. By assigning different port numbers, the router is able to
distinguish which internal host requested an external service. Table 4 shows an example
of NAPT. In this example, the router keeps a translation table, as shown in Table 4,
which has five columns. When three hosts, with IP addresses of 192.168.1.56,
192.168.1.67, and 192.168.1.78, want to connect to the same web server, the router
modifies the source IP address in the IP header and the source port in the TCP segment.
In this example, all three internal hosts share the same global IP address but with
different source TCP ports. When responses from the web server are received by the
router, it checks the TCP destination port contained in the response packet and
determines which internal host should receive the packet by consulting the translation
table.
Table 4. NAPT translation table
Private Address   Private Port   Global Address   External Port   Transport Protocol
192.168.1.56      49200          198.32.7.8       80              TCP
192.168.1.67      49201          198.32.7.8       80              TCP
192.168.1.78      49202          198.32.7.8       80              TCP
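As an added illustration that is not from the chapter, the following Python class keeps a NAPT translation table for the three hosts of Table 4. The translated source ports are allocated from a pool starting at 1024, an assumption of this example, since Table 4 lists only the web server's port 80 in its External Port column; the web server address is also constructed. Returning packets are mapped back to the private host by the translated port alone, and unsolicited inbound packets, which have no table entry, are reported as undeliverable.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    """One row of the router's translation table."""
    private_ip: str
    private_port: int
    global_ip: str
    global_port: int      # translated source port chosen by the router
    dst_ip: str
    dst_port: int
    proto: str


class NaptRouter:
    """Port address translation with a single shared global address.
    The translated-port pool starting at first_port is an assumption of
    this example, not something the chapter specifies."""

    def __init__(self, global_ip: str, first_port: int = 1024):
        self.global_ip = global_ip
        self.next_port = first_port
        self.by_private: Dict[Tuple, Entry] = {}
        self.by_global: Dict[Tuple, Entry] = {}

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Tuple[str, int]:
        """Rewrite an outgoing packet's source; returns (new_src_ip, new_src_port).
        An existing flow keeps its mapping; a new flow gets the next free port."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        entry = self.by_private.get(key)
        if entry is None:
            entry = Entry(src_ip, src_port, self.global_ip, self.next_port,
                          dst_ip, dst_port, proto)
            self.next_port += 1
            self.by_private[key] = entry
            self.by_global[(proto, entry.global_port, dst_ip, dst_port)] = entry
        return entry.global_ip, entry.global_port

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Tuple[str, int]]:
        """Restore the private destination for a returning packet, or None when
        no translation exists: unsolicited inbound traffic has nowhere to go."""
        if dst_ip != self.global_ip:
            return None
        entry = self.by_global.get((proto, dst_port, src_ip, src_port))
        if entry is None:
            return None
        return entry.private_ip, entry.private_port


def demo():
    """Translates the three Table 4 hosts toward one constructed web server."""
    router = NaptRouter("198.32.7.8")
    web = "203.0.113.80"                     # constructed external web server
    hosts = [("192.168.1.56", 49200), ("192.168.1.67", 49201), ("192.168.1.78", 49202)]
    translated = [router.outbound("tcp", ip, port, web, 80) for ip, port in hosts]
    # responses all arrive at the global address; the port alone identifies the host
    restored = [router.inbound("tcp", web, 80, gip, gport) for gip, gport in translated]
    # a packet nobody asked for matches no entry and cannot be delivered
    unsolicited = router.inbound("tcp", "203.0.113.9", 4444, "198.32.7.8", 1024)
    return {"translated": translated, "restored": restored, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo())
```

Because the table is keyed on the full five-tuple, the same private host and port talking to two different servers receives two different translated ports; this is what lets the router disambiguate replies, and it is also why inbound connections that were never initiated from inside simply have no mapping.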
Allow incoming requests for the services it provides. For example, if it is a web server,
HTTP and HTTPS requests should be allowed. This can be achieved by checking for TCP
ports 80 and 443.
Block incoming requests for the services it does not provide. For example, if the server does
not provide FTP service, all FTP requests should be dropped.
Filter incoming requests for those services that are available to certain networks only. For
example, if an FTP server is set up for internal user access only, then FTP requests from
hosts on the internal network are allowed while FTP requests initiated from the external
network are blocked. An FTP server may require a username and password to get in.
However, if those requests can be filtered upon reaching the server, it reduces the risk of
external attackers trying to crack the username and password of the FTP server. This can be
achieved by checking the source IP address and TCP port 21 for the FTP service.
Watch for outgoing traffic, and stop or disable services that send information out without
permission. If a service cannot be stopped, then block the outgoing traffic.
There are many host-based firewall products available on the market for client computers.
By default, most of them allow packets to leave the computer and examine incoming packets.
If an incoming packet is in response to a request initiated by the computer, the firewall
allows it to pass; otherwise, it prompts the user to either allow or deny it. These behaviors
can be configured to meet desired needs.
The host-based firewall products for personal computers (also called personal firewalls) are
now available bundled with other features such as antivirus, antispyware, anti-spam, identity
protection, etc. Customers who purchase one product can get protection for several aspects
of security concerns.
Security Policies and Firewall
Whitman & Mattord (2003, p. 192) pointed out that "Management from all communities of
interest, including general staff, information technology, and information security, must
consider policies as the basis for all information security planning, design, and
implementation." An organization should develop information security policies to ensure
that the information technology infrastructure, network resources, and corporate data as well
as employee data are well protected. A policy is not a detailed how-to manual; rather, it
should provide a framework that identifies the important assets and provides instruction on
how to protect them. Policies support the mission, vision, and strategic planning of an
organization. The realization and execution of policies are further defined by standards and
procedures, and implemented with proper technologies. The security policy is typically an
integrated component of the broader information technology policy, which should include
other components such as an acceptable use policy, change policy, management policy, etc.
Security policies specify what defines security and what should be done about security at a
high and broad level. For example, a major topic in a security policy is access control, which
defines who can access a particular network resource, when the access is granted, what
access permissions should be given, etc. Simply stated, if an attacker cannot access a
network resource, it cannot be harmed. The security policy should provide guidelines for
proper and valid network access, how policies are enforced, incident reporting, procedures to
mitigate network threats, etc.
A comprehensive set of security policies is important and critical for developing standards
and procedures. Standards are more detailed statements describing what action should be
taken to comply with policies. Procedures and guidelines are the detailed steps implemented
to comply with the policies. For example, suppose the password policy (a sub-policy of the
general security policy) specifies that access to network devices for device management
must be authenticated. The standards may contain the following statements:
Passwords should be at least 8 characters long and contain a certain level of complexity.
Passwords must be changed every 30 days and a new password cannot be the same as any of
the 3 previously used passwords.
Each individual who has the privilege and the need to access network devices for
management purposes must register and create a strong password.
Passwords must be changed every 30 days. A password change reminder will be sent via
email when a password reaches 25 days old. This reminder will be sent every day afterwards
until day 30. The account will be suspended if the password reaches 30 days without a
change. A password reset procedure must be followed to reactivate a suspended account.
A password history of 3 is kept so a user cannot reuse any of the previous 3 passwords when
renewing a password.
Servers that provide services to the public community on the Internet should be protected
yet remain available to the Internet. With a firewall device, a demilitarized zone (DMZ) can
be created which is separate from the internal network. Requests to these servers can be
filtered when they enter the DMZ. The filtering criteria can be specifically managed for the
DMZ.
Critical network resources need special protection. In the network design, critical network
resources, such as database servers and mission-critical service servers, can be located in an
area called a server farm. Firewalls can be used to protect the server farm by filtering
incoming packets and allowing only those requests that meet the security criteria to pass. The
server farm design can effectively protect the critical network resources from potential
attacks from external networks as well as internal networks.
On the other hand, some policies may not be suitable for enforcement through firewall
devices. For example, an access control policy that specifies that a computer must have
antivirus software installed with the latest virus definition updates before it can access the
internal network cannot be implemented through firewall technology. Another example
might be an access control policy that specifies that the account passwords of network
administrators must be changed every 30 days.
Therefore, network security personnel should review and analyze security policies to
determine which policies should be implemented on firewalls.
Firewall Architecture
Firewall Devices
As discussed above, the firewall function can be implemented as an application or in a
dedicated device. Several factors determine the selection and implementation of a firewall
technology.
Cost. While cost may not be a determining factor, it is always a sensitive issue. A software
solution tends to be less expensive compared with dedicated firewall devices; however, the
application software has to work with the host operating system, and its performance largely
depends on the performance of the host.
Features. Modern firewall products offer several security functions in a bundle. In addition
to the regular firewall function, more and more products offer VPN and intrusion detection
(IDS) or intrusion prevention (IPS) functions in the product. With these features bundled
together, a dedicated device can provide multiple aspects of protection for an organization.
However, the needs of network security protection must be carefully evaluated as to what
features are required, what features are nice to have, and whether a bundled product provides
more efficient and effective protection than multiple single-function devices.
The firewall has two interfaces: one towards the perimeter router, designated as the outside
network, and the other towards the internal network, designated as the internal network. The
firewall filters incoming packets against the firewall rules, and packets arriving from either
direction can be filtered. The advantage is that configuration and management of a single
firewall are relatively easy. It can effectively protect the internal network when stateful
packet inspection is used. For example, a security policy of "incoming packets from the
Internet will not be allowed to pass unless they are in response to requests initiated from
hosts in the internal network" can be implemented with this architecture. The limitation of
this architecture is that once packets pass the firewall, they are not filtered any further.
This architecture cannot effectively protect critical internal network resources such as a
server farm, because it does not filter packets within the internal network unless a packet
passes through the firewall. This architecture is suitable for a small office/home office
(SOHO) with a small number of workstations in the internal network.
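The stateful policy quoted above (outside traffic passes only when it answers a request initiated from inside) can be modelled with a connection table. The following is an added example written for this chapter, not code from the chapter or from any product; the interface names, the flow-key layout, the simplified FIN handling and the sample traffic (documentation address ranges) are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Interface names are assumed; the chapter only speaks of the outside
# network interface and the internal network interface.
OUTSIDE = "outside"
INSIDE = "inside"


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN set (connection attempt)
    fin: bool = False   # TCP FIN set (connection teardown)


# A flow is recorded as seen from the internal host:
# (proto, internal addr, internal port, external addr, external port)
FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Single two-interface firewall with stateful packet inspection.

    Policy: traffic from the internal network may leave freely; traffic
    from the outside is dropped unless it belongs to a connection that an
    internal host initiated.
    """

    def __init__(self) -> None:
        self.connections: Dict[FlowKey, str] = {}
        self.log: List[str] = []

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        if pkt.ingress == INSIDE:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.ingress == INSIDE:
            # Outbound: always accepted. A TCP SYN or any UDP datagram
            # creates state so that the reply can come back in.
            if pkt.proto == "udp" or pkt.syn:
                self.connections.setdefault(key, "new")
            verdict = "ACCEPT"
        elif key in self.connections:
            # Inbound packet that belongs to a tracked flow.
            self.connections[key] = "established"
            verdict = "ACCEPT"
        else:
            # Unsolicited inbound packet: no matching state, so drop it.
            verdict = "DROP"
        # Simplification (assumed): a FIN on an accepted packet removes the
        # entry; a real tracker waits for both sides to finish.
        if verdict == "ACCEPT" and pkt.fin:
            self.connections.pop(key, None)
        self.log.append(f"{verdict} {pkt.ingress} {pkt.proto} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict


def run_demo() -> List[str]:
    """Constructed traffic through one firewall; returns the verdicts."""
    fw = StatefulFirewall()
    traffic = [
        # Internal host opens HTTPS to an Internet server.
        Packet(INSIDE, "tcp", "10.0.0.5", 40000, "203.0.113.9", 443, syn=True),
        # The server's SYN-ACK matches the tracked flow and is allowed in.
        Packet(OUTSIDE, "tcp", "203.0.113.9", 443, "10.0.0.5", 40000, syn=True),
        # An Internet host tries to reach SSH on the same internal host.
        Packet(OUTSIDE, "tcp", "198.51.100.7", 5555, "10.0.0.5", 22, syn=True),
        # Internal DNS query and its reply.
        Packet(INSIDE, "udp", "10.0.0.5", 53001, "203.0.113.53", 53),
        Packet(OUTSIDE, "udp", "203.0.113.53", 53, "10.0.0.5", 53001),
        # A stray datagram to the internal host with no prior query.
        Packet(OUTSIDE, "udp", "203.0.113.53", 53, "10.0.0.5", 53002),
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The stateless packet filter defined in the key terms would have to accept every inbound packet to port 40000 or 53001 to let these replies through; the connection table is what lets the stateful firewall accept the reply while still dropping the unsolicited SSH and UDP packets to the same host.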
Single Firewall with More Than Two Interfaces
A more complex single firewall deployment requires three or more interfaces on the firewall
device. In addition to the outside network and internal network interfaces, additional
interfaces can be used to connect to separate networks that possess unique characteristics.
One example is the use of DMZ network, as shown in Figure 11.
Figure 11. One Firewall with Three Interfaces (DMZ network)
The term DMZ comes from the military term Demilitarized Zone. In network design, a DMZ
is a network where network resources are provided for public access. Such network resources
might include web servers that provide information for public access and a DNS server that
resolves domain names of hosts inside the organization. Access to the DNS server by Internet
hosts is necessary if the organization hosts its own domain space. Since these servers need
to be accessed from the outside network, the security rules must be set differently from those
for access requests toward the internal network. With a separate physical network, it is
easier to set the appropriate rules just for the DMZ. An example firewall rule set might
include:
HTTP and HTTPS traffic with a specific destination address (the web server) is allowed
into the DMZ.
DNS traffic (both UDP and TCP) with a specific destination address (the DNS server) is
allowed into the DMZ.
DNS traffic initiated from the DNS server is allowed to leave the DMZ.
With such focused targets, this rule set clearly defines what traffic can enter and leave the
DMZ. When the DMZ servers are also equipped with host-based firewalls, they are well protected.
Another example of a separate physical network could be the extranet services, as shown in
Figure 12. Extranet can be defined as A public-private website or portal, secured or
HTTP and HTTPS traffic with specific source and destination IP addresses is allowed into
the extranet network. The source IP addresses should belong to the selected business
partner's network.
Returning HTTP and HTTPS traffic is allowed to leave the extranet network.
This rule set is very close to the one for the DMZ, except that the source IP addresses of
incoming packets are also filtered. Incoming traffic that does not come from the known
partner networks is dropped.
Double Firewall Architecture
Although a single firewall can serve several separate physical networks, if the network
infrastructure is complex and consists of an internal network, a DMZ network, and an
extranet network, the firewall could become the bottleneck for network traffic flow.
A double firewall architecture helps divide the traffic monitoring and filtering work. With
a double firewall architecture, each firewall can focus on protecting a certain part of the
enterprise network. For example, as shown in Figure 13, Firewall A can focus on monitoring
and filtering network traffic towards the DMZ and extranet service networks and simply pass
traffic towards the internal network through without filtering, while Firewall B focuses on
monitoring and filtering network traffic towards the internal network. Hence the incoming
traffic monitoring and filtering load is distributed between Firewall A and Firewall B.
Figure 13. Double Firewall Architecture
contains critical information of the organization. Statistics also show that security attacks
initiated from the internal network are rising (Waxer, 2007). Thus the server farm may
warrant additional protection through a separate firewall, Firewall C, as shown in Figure 14.
The rule set might include:
Figure 14. Firewall to Protect Server Farm
Traffic with specific source addresses, destination IP addresses, and transport-layer ports
is allowed into the server farm. The source IP addresses should belong to the internal
network. The transport-layer ports identify the application services provided by the servers.
With this rule set, only internal network hosts can access the server farm for the services
it provides. Requests from external networks are blocked, since their needs are covered by
the services in the DMZ or extranet networks.
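The three rule sets described above (DMZ, extranet, and server farm) share one shape: a zone pair, a protocol, source and destination addresses, and ports, evaluated first-match with a default deny. The block below is an added example for this chapter, not the chapter's own material or any vendor's syntax. It models the combined policy of Firewalls A, B and C in one table, with the zone pair standing in for whichever firewall sits between the two networks; the addressing plan (documentation ranges), the server-farm service ports, and the use of source ports to approximate "returning" extranet traffic are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_zone: str     # interface/network the packet arrived on
    out_zone: str    # interface/network it would be forwarded to
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    in_zone: str
    out_zone: str
    action: str                              # "ACCEPT" or "DROP"
    proto: Optional[str] = None              # None matches any protocol
    src_net: Optional[str] = None            # CIDR or host; None matches any source
    dst_net: Optional[str] = None            # CIDR or host; None matches any destination
    sports: Optional[FrozenSet[int]] = None  # None matches any source port
    dports: Optional[FrozenSet[int]] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if (self.in_zone, self.out_zone) != (p.in_zone, p.out_zone):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and \
                ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; a packet no rule matches is dropped."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "DROP", None


# Assumed addressing plan (documentation ranges, not from the chapter).
WEB, DNS, PORTAL = "198.51.100.10", "198.51.100.53", "198.51.100.80"
PARTNER_NET, INTERNAL_NET, FARM_NET = "203.0.113.0/24", "10.0.0.0/16", "10.10.0.0/24"
FARM_PORTS = frozenset({445, 5432})   # assumed file-share and database services

RULES = [
    # DMZ rule set: public web server and authoritative DNS
    Rule("outside", "dmz", "ACCEPT", "tcp", dst_net=WEB, dports=frozenset({80, 443})),
    Rule("outside", "dmz", "ACCEPT", "udp", dst_net=DNS, dports=frozenset({53})),
    Rule("outside", "dmz", "ACCEPT", "tcp", dst_net=DNS, dports=frozenset({53})),
    Rule("dmz", "outside", "ACCEPT", src_net=DNS, dports=frozenset({53})),
    # Extranet rule set: only the partner network may reach the portal
    Rule("outside", "extranet", "ACCEPT", "tcp", src_net=PARTNER_NET,
         dst_net=PORTAL, dports=frozenset({80, 443})),
    # "Returning" traffic approximated statelessly by source port; a
    # stateful firewall would match it against the connection table instead.
    Rule("extranet", "outside", "ACCEPT", "tcp", src_net=PORTAL,
         dst_net=PARTNER_NET, sports=frozenset({80, 443})),
    # Server farm rule set: internal hosts only, and only the served ports
    Rule("inside", "serverfarm", "ACCEPT", "tcp", src_net=INTERNAL_NET,
         dst_net=FARM_NET, dports=FARM_PORTS),
]


if __name__ == "__main__":
    for p in [Packet("outside", "dmz", "tcp", "192.0.2.5", 50000, WEB, 443),
              Packet("outside", "dmz", "tcp", "192.0.2.5", 50001, WEB, 22),
              Packet("outside", "extranet", "tcp", "192.0.2.5", 50002, PORTAL, 443),
              Packet("outside", "serverfarm", "tcp", "192.0.2.5", 50003, "10.10.0.5", 445)]:
        print(p.dst, p.dport, evaluate(RULES, p))
```

Because the default is deny, anything the chapter's rule sets do not mention (SSH to the web server, a non-partner address reaching the portal, any external access to the server farm) falls off the end of the table and is dropped; the returned rule index makes it easy to see which rule admitted an accepted packet.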
Firewall Implementation Considerations
Effective firewall implementation consists of iterating through several phases, including
security needs analysis, design and selection, implementation, testing, and maintenance.
While the focus is on security, other aspects of the information infrastructure should also
be considered, including:
resilience of key network infrastructure and network services, such as fault tolerance,
backup, and a disaster recovery plan
type of firewall: software solution versus firewall appliance, packet filtering versus
stateful inspection, network-based firewall, host-based firewall, etc.
fault tolerance
Since a firewall sits in the data path, it could become a bottleneck if its performance
cannot accommodate the traffic flow. To assess network performance and identify potential
bottlenecks, a network performance baseline should be established. The baseline should
record the performance data of the firewall devices under normal network load. The baseline
can then be compared with the current operation of the network to identify possible
bottlenecks. The baseline should also be refreshed whenever the network's operating
characteristics change, for example when a significant number of workstations are added or
new server services are deployed.
In addition to selecting a firewall device with sufficient performance capacity, other measures
might help solve the performance issue. For example, a double firewall architecture
distributes packet monitoring and filtering between two firewall devices. Another example is
the use of a separate VPN server.
To secure remote access for their employees, many organizations deploy virtual private
network (VPN) technology. With a VPN solution, legitimate users can establish secure tunnels
to the internal network of the organization, since the communication is authenticated and
encrypted. Modern firewall appliance designs include several other functions, such as a
VPN server, an Intrusion Detection System, and an Intrusion Prevention System. With these
bundled features, an organization can deploy a firewall appliance behind the perimeter router
and provide multiple security-related services from it. For example, one firewall appliance
can serve as both the firewall and the VPN server. This approach keeps the firewall
architecture simple: teleworkers establish a secure VPN connection to the organization's
network through the same firewall appliance. However, the extra VPN server role may impact
firewall performance as the demand for VPN connections grows. In that case, a separate VPN
server device can be deployed to relieve the firewall appliance of the VPN role. As shown in
Figure 15, the VPN server is placed in parallel with the firewall device. When a teleworker
initiates a VPN connection request, the VPN server handles the request. Once the VPN
connection is authenticated and negotiated, the tunnel is established and traffic through the
established VPN tunnel enters the internal network, bypassing the firewall device.
Figure 15. VPN Server Deployment
Maintenance
Firewall device monitoring and maintenance is a critical aspect of firewall operation. It may
take some time for the network to be stabilized after a new firewall architecture design is
implemented. Once the network is stabilized, a baseline of network traffic and firewall device
performance should be established. Some maintenance measures should be considered,
including:
firewall audit
Network conditions can change over time after a firewall architecture is deployed. Such
changes include more servers and workstations being added to the network, more server
services being added, and some server services no longer being needed. Therefore, testing
should also be conducted periodically after the firewall architecture is deployed. This is
usually termed auditing. Auditing aims to find out whether the firewall architecture is still
performing as designed. It can include checking the logs of the firewall devices and
performing actual tests. Audits should be performed periodically so that the status of the
firewall architecture is verified at a regular interval and problems are identified and
corrected in a timely fashion.
Like any other information system in an organization, a firewall solution is a continuous
process of planning, needs analysis, design and selection, implementation, testing, and
maintenance. An organization should recognize the nature of the system and make security a
major component of its strategic information technology plan.
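One concrete form of the log check mentioned under auditing is to read the firewall's own accept/deny records and compare accepted inbound traffic against the policy the architecture was designed to enforce. The block below is an added example, not part of the chapter or of any firewall product. It parses the KEY=value field syntax that the Linux netfilter LOG target writes, but the "FW-ACCEPT:"/"FW-DROP:" prefixes, the interface-to-zone mapping, the intended policy table, and every log line are constructed assumptions for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# KEY=value field syntax of netfilter LOG entries; the FW-ACCEPT:/FW-DROP:
# log prefixes are an assumed --log-prefix convention, not a standard.
PREFIX_RE = re.compile(r"FW-(ACCEPT|DROP):")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

OUTSIDE_IFACE = "eth0"   # assumed: interface facing the perimeter router

# Assumed intended policy for traffic entering from the outside, keyed by
# egress interface: eth1 is the DMZ (web + DNS), eth2 the internal network.
EXPECTED_INBOUND: Dict[str, Set[int]] = {
    "eth1": {80, 443, 53},
    "eth2": set(),        # nothing unsolicited may enter the internal LAN
}

# Constructed log lines (documentation address ranges), not real captures.
SAMPLE_LOG = [
    "Mar  3 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  3 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4002 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  3 10:00:03 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=198.51.100.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=4003 DF PROTO=TCP SPT=52000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar  3 10:00:04 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=198.51.100.53 "
    "LEN=68 TOS=0x00 PREC=0x00 TTL=55 ID=4004 PROTO=UDP SPT=40000 DPT=53 LEN=48",
    "Mar  3 10:00:05 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=198.51.100.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4005 DF PROTO=TCP SPT=53000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  3 10:00:06 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.78 DST=198.51.100.10 "
    "LEN=70 TOS=0x00 PREC=0x00 TTL=49 ID=4006 PROTO=UDP SPT=1 DPT=161 LEN=50",
    "Mar  3 10:00:07 fw kernel: FW-ACCEPT: IN=eth2 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4007 DF PROTO=TCP SPT=50001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  3 10:00:08 fw sshd[212]: Accepted publickey for admin from 10.0.0.9",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the firewall fields of one log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    f = dict(FIELD_RE.findall(line[m.end():]))
    return {
        "verdict": m.group(1),
        "in": f.get("IN", ""),
        "out": f.get("OUT", ""),
        "src": f.get("SRC", ""),
        "dst": f.get("DST", ""),
        "proto": f.get("PROTO", "").lower(),
        "dport": int(f["DPT"]) if "DPT" in f else None,
    }


def audit(lines: List[str], expected: Dict[str, Set[int]]) -> dict:
    """Summarise denied inbound traffic and flag accepted inbound packets
    whose destination port is outside the intended policy."""
    denied: Counter = Counter()
    violations: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["verdict"] == "DROP":
            denied[(rec["in"], rec["proto"], rec["dport"])] += 1
        elif rec["in"] == OUTSIDE_IFACE and rec["out"] in expected \
                and rec["dport"] not in expected[rec["out"]]:
            violations.append(rec)
    return {"denied_by_port": denied, "violations": violations}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, EXPECTED_INBOUND)
    for (iface, proto, port), n in report["denied_by_port"].most_common():
        print(f"denied  in={iface} {proto}/{port}: {n}")
    for v in report["violations"]:
        print(f"POLICY DRIFT: accepted {v['proto']}/{v['dport']} "
              f"{v['src']} -> {v['dst']} via {v['in']}->{v['out']}")
```

The denied-port summary shows what the firewall is absorbing and whether the rules are being exercised at all; the violations list is the part that answers the audit question, since an accepted inbound packet to a port the design never allowed means the deployed rule set has drifted from the architecture and needs to be reconciled.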
Conclusion
A firewall is a critical security component in protecting the network infrastructure and network
resources of an organization. A well-designed firewall architecture can effectively monitor and
filter network traffic so that only legitimate packets are allowed into and out of the corporate
internal network. In designing a firewall architecture, information technology personnel need
to assess and evaluate the network access needs, the weaknesses and vulnerabilities of the
current network access control policy, and the impacts on the network, and then design and
select a firewall solution that addresses those needs, weaknesses, and vulnerabilities
appropriately. Once the design is verified, an implementation plan should be developed to make
sure the implementation can be carried out smoothly and successfully. Once the implementation
is in place, ongoing monitoring and maintenance are critical to make sure the firewall design
meets the organization's information security goals and expectations.
REFERENCES
Clemmer, L. (May 5, 2010). The Top Five Firewall Security Tips. In Bright Hub. Retrieved
from http://www.brighthub.com/computing/smb-security/articles/40618.aspx
Tett, M. (June 29, 2009). The best firewall is.... In ZDNET. Retrieved from
http://www.zdnet.com.au/the-best-firewall-is-339296782.htm?omnRef=http%3A%2F%2Fwww.all-internet-security.com%2Ftop_10_firewall_software.html
Waxer, C. (April 12, 2007). The Top 5 Internal Security Threats. In ITSECURITY. Retrieved
from http://www.itsecurity.com/features/the-top-5-internal-security-threats-041207/
Whitman, M. E., & Mattord, H. J. (2003). Principles of Information Security. Boston, MA:
Course Technology.
Whitman, M. E., & Mattord, H. J. (2004). Management of Information Security. Boston, MA:
Course Technology.
Further Readings
Ciampa, M. (2009). Security+ Guide to Network Security Fundamentals (3rd ed.). Boston, MA:
Course Technology.
Whitman, M. E., Mattord, H. J., Austin, R., & Holden, G. (2008). Guide to Firewalls and
Network Security. Boston, MA: Course Technology.
Key Terms and Definitions
Demilitarized Zone (DMZ): A network, separate from the enterprise internal network, that hosts
servers providing resources to the general Internet community, typically a web server and a
DNS server.
Firewall: A software application or dedicated hardware device that filters network traffic.
Network Address Translation: A technique that rewrites outgoing IP packets from internal
private IP addresses to external public IP addresses.
Packet Filtering: Also called stateless packet filtering; a filtering technique that inspects
each incoming packet individually.
Proxy Server: A server that forwards requests from clients to another host on behalf of the
clients.
Server Farm: A network area inside a corporate network where enterprise servers are
centrally located.
Stateful Packet Inspection (SPI): A packet inspection technology that keeps the state of
network connections using transport-layer information; incoming packets are examined to see
whether they belong to an existing connection.
Virtual Private Network (VPN): A secure network between two private networks, established
as an encrypted tunnel through the public Internet.