Firewall: The Realization of a Company’s Internet and Network Access Policy
The original definition of a firewall is: “a partition made of fireproof material to prevent the spread of a fire from one part of a building or ship to another or to isolate an engine compartment, as on a plane, automobile, etc.” [1] Today, in the computer world, the term refers to any piece of hardware/software used to protect a private network from network attacks coming from external networks. It acts as a gatekeeper to keep hackers from reaching the internal network, protecting your crucial network resources from being compromised.
Many people know what a firewall does, but few understand that a firewall needs careful configuration before it can start protecting your network.
I still remember more than 10 years ago, as I visited clients to talk about the security configuration of their network, many were proud to tell me that they had gotten firewalls installed to protect their network. (At that time, a firewall was considered advanced networking equipment!) But when I logged into their administration menu to check their firewall policies, there were none there! They didn’t know that they needed to “configure” their firewall before it would function properly.
A firewall is actually the deployment tool used to carry out your network access policy. The network access policy refers to the organizational management’s intention regarding the various network access rules for both internal employees and external visitors. Without properly configured firewall rules, a firewall’s existence is meaningless.
Take a packet-filtering firewall as an example. It works at the Network and Transport Layers (IP and TCP/UDP). It applies its filtering rules by examining the source and destination ports (Transport Layer) and the source and destination IP addresses (Network Layer) to decide whether to let a particular packet into or out of your network.
For example, if your company does not allow internal employees to access FTP servers during work time, then you need to set up a firewall rule to block any access to ports 20 and 21 of remote servers during office hours. The following table illustrates a typical set of firewall access rules to achieve this:
The meanings of the columns in the above table are explained here:
- Direction: The direction of the packet going through the firewall, either IN or OUT, or EITHER
- Source Addr: The source address, either internal (INT) or external (EXT)
- Dest. Addr: The destination address, either internal (INT) or external (EXT)
- Protocol: Transport Layer Packet Type, either TCP or UDP
- Source Port: The source port at the Transport Layer of the sender
- Dest. Port: The destination port at the Transport Layer of the receiver
- ACK set: The acknowledge flag at the Transport Layer of the Packet, either SET (Y) or DOES-NOT-MATTER (Any)
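The rule columns above map directly onto a first-match rule evaluator. The following is an added example (not the article’s own table, whose rows are not reproduced here, and not code from any firewall product): it models the columns as fields of a rule, evaluates a packet against a constructed rule table with a default of DENY, and extends the rule with an assumed `office_hours_only` flag so the FTP block only applies during a constructed 09:00–18:00 window. The ACK column is what lets the table admit replies to connections opened from inside while refusing new connections opened from outside.

```python
"""Stateless packet-filter rule evaluation (added example; constructed rules, not the article's table)."""
import datetime as dt
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a port or for the ACK column ("does not matter")


@dataclass(frozen=True)
class Packet:
    direction: str   # "IN" or "OUT" relative to the protected network
    src: str         # "INT" or "EXT"
    dst: str         # "INT" or "EXT"
    protocol: str    # "TCP" or "UDP"
    src_port: int
    dst_port: int
    ack: bool        # TCP ACK flag; False on the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    direction: str            # "IN", "OUT" or "EITHER"
    src: str                  # "INT", "EXT" or "EITHER"
    dst: str                  # "INT", "EXT" or "EITHER"
    protocol: str             # "TCP", "UDP" or "EITHER"
    src_port: Optional[int]   # ANY (None) = any port
    dst_port: Optional[int]   # ANY (None) = any port
    ack_set: Optional[bool]   # True = ACK must be set, ANY = does not matter
    action: str               # "ALLOW" or "DENY"
    office_hours_only: bool = False  # assumed extension: rule is active only during office hours


# Constructed office-hours window used by the time-limited rules.
OFFICE_START, OFFICE_END = dt.time(9, 0), dt.time(18, 0)

# Constructed rule table: first match wins, anything unmatched is denied.
RULES = [
    Rule("OUT", "INT", "EXT", "TCP", ANY, 21, ANY, "DENY", office_hours_only=True),  # FTP control
    Rule("OUT", "INT", "EXT", "TCP", ANY, 20, ANY, "DENY", office_hours_only=True),  # FTP data
    Rule("OUT", "INT", "EXT", "EITHER", ANY, ANY, ANY, "ALLOW"),   # everything else outbound
    Rule("IN", "EXT", "INT", "TCP", ANY, ANY, True, "ALLOW"),      # only replies to inside-opened connections
]


def in_office_hours(now: dt.time) -> bool:
    return OFFICE_START <= now < OFFICE_END


def _field_matches(rule_value, packet_value) -> bool:
    """A rule field matches when it is a wildcard or equals the packet's value."""
    return rule_value in ("EITHER", ANY) or rule_value == packet_value


def rule_matches(rule: Rule, pkt: Packet, now: dt.time) -> bool:
    if rule.office_hours_only and not in_office_hours(now):
        return False
    return (_field_matches(rule.direction, pkt.direction)
            and _field_matches(rule.src, pkt.src)
            and _field_matches(rule.dst, pkt.dst)
            and _field_matches(rule.protocol, pkt.protocol)
            and _field_matches(rule.src_port, pkt.src_port)
            and _field_matches(rule.dst_port, pkt.dst_port)
            and (rule.ack_set is ANY or rule.ack_set == pkt.ack))


def decide(pkt: Packet, now: dt.time, rules=RULES) -> str:
    """Return the action of the first matching rule; an empty table denies everything."""
    for rule in rules:
        if rule_matches(rule, pkt, now):
            return rule.action
    return "DENY"


# Constructed sample packets and times for the demonstration below.
WORK_TIME, EVENING_TIME = dt.time(10, 30), dt.time(20, 0)
FTP_CONTROL = Packet("OUT", "INT", "EXT", "TCP", 51000, 21, False)
HTTPS_OUT = Packet("OUT", "INT", "EXT", "TCP", 51001, 443, False)
HTTPS_REPLY = Packet("IN", "EXT", "INT", "TCP", 443, 51001, True)
SSH_PROBE = Packet("IN", "EXT", "INT", "TCP", 40000, 22, False)


def demo() -> dict:
    """Decisions for the constructed samples, keyed by scenario."""
    return {
        "ftp_control_office_hours": decide(FTP_CONTROL, WORK_TIME),   # DENY
        "ftp_control_evening": decide(FTP_CONTROL, EVENING_TIME),     # ALLOW
        "https_out": decide(HTTPS_OUT, WORK_TIME),                    # ALLOW
        "https_reply_in": decide(HTTPS_REPLY, WORK_TIME),             # ALLOW (ACK set)
        "ssh_probe_in": decide(SSH_PROBE, WORK_TIME),                 # DENY (no ACK, no match)
        "empty_table": decide(HTTPS_OUT, WORK_TIME, rules=[]),        # DENY (nothing configured)
    }


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario:26} -> {action}")
```

The `empty_table` case is the situation described at the start of the article: with no rules configured, the evaluator has nothing to match and every packet falls through to the default, so the device protects nothing it was not told to protect.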
There are many cases in which packet-filtering rules do not work. For example, if you want to block users’ access to a particular remote web-based email service, chances are that you will not be able to control this by blocking certain designated IP addresses (filled in as the Destination Address in the packet-filtering table above), since some web-based services are served from more than one server with varying IP addresses and thus cannot be shut down by a fixed set of IP addresses. In this case, you need the firewall to work at a higher layer.
A firewall working at a higher layer provides more refined control over network access. For the previous example, an application-level firewall can screen the URLs of web-based email access, such as www.hotmail.com for Microsoft’s email service, and refuse to let them pass through.
An application-level firewall can even zoom into the details of the application data passing through, such as the authentication information, application types, and other types of information, to decide whether to allow a particular network connection to continue. It can even carry out a detailed inspection of the users’ data going through.
A proxy server is one kind of application-level firewall. I’m sure you have heard of this type of server being used in your or some other company’s network. It’s a popular device because it provides more control over the network traffic passing through. However, it also requires more firewall computation power, so it is slower in performance. It also requires the network clients to be configured to go through the proxy before they can access external network resources.
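The difference between the two layers can be shown side by side. The following is an added example (not the article’s own code and not any product’s implementation): a Layer-3 decision that sees only the destination IP address, next to a Layer-7 decision that parses the HTTP request head and screens the hostname. The addresses, hostnames and requests are constructed; the point is that when the same service answers from an address that was not on the list, the IP-based rule lets it through while the hostname-based rule still blocks it. Because a proxy sees the full request, the parser also handles the absolute-URL request form that clients send to a proxy.

```python
"""Application-level (HTTP) screening versus IP-based packet filtering (added example)."""
from urllib.parse import urlsplit

# Constructed: the addresses a packet filter would block, taken from one lookup of the service.
BLOCKED_IPS = {"203.0.113.10", "203.0.113.11"}
# Constructed: the hostname an application-level firewall screens instead (subdomains included).
BLOCKED_HOSTS = {"webmail.example.com"}


def packet_filter_allows(dst_ip: str) -> bool:
    """Layer-3 decision: only the destination IP address is visible."""
    return dst_ip not in BLOCKED_IPS


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request-head parser: request line plus headers (body ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}


def requested_host(req: dict) -> str:
    """Hostname the client is really talking to, lowercased, without port or trailing dot.

    Proxy-style requests carry an absolute URL in the request line (that wins);
    origin-style requests carry the hostname in the Host header."""
    target = req["target"]
    if target.startswith(("http://", "https://")):
        host = urlsplit(target).hostname or ""
    else:
        host = urlsplit("//" + req["headers"].get("host", "")).hostname or ""
    return host.strip().lower().rstrip(".")


def app_firewall_allows(raw: bytes) -> bool:
    """Layer-7 decision: screen the hostname, whatever address it resolves to today.

    Fails closed: a request whose host cannot be determined is not forwarded."""
    try:
        host = requested_host(parse_http_request(raw))
    except ValueError:
        return False
    if not host:
        return False
    return not any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


# Constructed sample traffic: the same webmail service answers from a different
# address on a later day, so the IP list goes stale while the hostname does not.
WEBMAIL_TODAY_IP, WEBMAIL_TOMORROW_IP = "203.0.113.10", "203.0.113.42"
WEBMAIL_REQUEST = (b"GET /inbox HTTP/1.1\r\nHost: webmail.example.com\r\n"
                   b"Cookie: session=constructed\r\n\r\n")
PROXY_STYLE_REQUEST = (b"GET http://mail.webmail.example.com:8080/inbox HTTP/1.1\r\n"
                       b"Host: mail.webmail.example.com:8080\r\n\r\n")
OTHER_REQUEST = b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
NO_HOST_REQUEST = b"GET / HTTP/1.1\r\n\r\n"


def demo() -> dict:
    """Decisions for the constructed samples, keyed by scenario."""
    return {
        "ip_filter_today": packet_filter_allows(WEBMAIL_TODAY_IP),          # False: address listed
        "ip_filter_tomorrow": packet_filter_allows(WEBMAIL_TOMORROW_IP),    # True: new address slips through
        "app_filter_any_day": app_firewall_allows(WEBMAIL_REQUEST),         # False: hostname screened
        "app_filter_proxy_form": app_firewall_allows(PROXY_STYLE_REQUEST),  # False: subdomain, absolute URL
        "app_filter_other_site": app_firewall_allows(OTHER_REQUEST),        # True: not on the list
        "app_filter_no_host": app_firewall_allows(NO_HOST_REQUEST),         # False: fail closed
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:24} -> {'ALLOW' if allowed else 'DENY'}")
```

The cost the article mentions is visible here too: the Layer-3 check is a set lookup, while the Layer-7 check has to reassemble and parse the request before it can decide, which is why an application-level firewall or proxy needs more computation per connection.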
No matter which type of firewall you are deploying, you need to work out the network access policy with senior management. Otherwise, you will not know what rules you need to set up in your firewall rule table. Simply put, you’ll be installing a tool that has no idea how to protect your network.
[1] firewall. (n.d.). Dictionary.com Unabridged (v 1.1). Retrieved June 18, 2008, from Dictionary.com website: http://dictionary.reference.com/browse/firewall