Firewall Basics
-------- ------

Most of us have heard of firewalls.  The idea of a machine whose purpose
is to act as a sentry, blocking certain kinds of network traffic and
allowing others, is one most people involved in security and hacking can
understand.  But what exactly does a firewall -do-?  How does it work, and
what are its weaknesses?

There are two basic types of firewall, or two ways in which a firewall can
function -- it can either packet filter or proxy.  Each function has its
merits and flaws, and each function is best used for different reasons.
The majority of what we know as firewalls use a combination of both
functions.


Packet Filtering
------ ---------

A packet filtering firewall is the simplest type of firewall.  In its most
basic setup, it is a machine with two network interfaces.  The firewall
software operates strictly on the network layer and uses rules to
determine which packets are forwarded from one interface to another by
looking at the headers of each packet and determining whether or not they
match the rule set.  For this reason it's easy to understand that a packet
filtering firewall's rule set consists of the information that can be
found in a packet's headers -- in other words, a packet filtering firewall
can sort packets based on the source address of the packet, the
destination address of the packet, the protocol type of the packet (TCP,
UDP, ICMP, etc.), the source port of the packet, the destination port of
the packet, flags set on the packet (SYN, ACK, FIN, RST, etc.), or other
such basic header information.  The most common implementation of a packet
filtering firewall is in the form of access lists on a router, or rules on
a secured host with two network interface cards which can be used as a
router.

One step above standard packet filtering firewalls, but still considered
part of the same architecture, are stateful packet inspection firewalls.
The stateful inspection model was built on standard packet filtering,
but it adds more security checks -- it intercepts incoming packets from
one interface until it has enough information from the packets it's
received (using information such as TCP sequence numbers) to determine the
'state' of the connection; then, if the intercepted packets pass the rule
set, they're forwarded on to the other interface.  Using this information,
the firewall builds dynamic state tables.  It uses these tables to keep
track of the connections that go through the firewall -- rather than
allowing all packets that meet the rule set's requirements to pass, it
allows only those packets which are part of a valid, established
connection.
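To make the difference concrete, here is an added Python model (not code from the original article) of the two designs: a stateless rule set that judges each packet by its headers alone, and a stateful filter that keeps a connection table.  The addresses, ports, the mail-only policy and the "ACK means established" stateless rule are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed packet model holding only the header fields a packet filter sees.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

def stateless_allow(pkt):
    """Plain packet filter: each packet is judged on its own headers.  Rule 2 is
    the usual stateless stand-in for 'established' (anything carrying ACK)."""
    if pkt.proto == "tcp" and pkt.dport == 25 and pkt.flags == {"SYN"}:
        return True                                    # rule 1: new inbound mail
    return pkt.proto == "tcp" and "ACK" in pkt.flags   # rule 2

class StatefulFilter:
    """Stateful inspection: a SYN is checked against the rule set and, if
    admitted, recorded in a state table; later packets must belong to a
    recorded connection whatever flags they carry (teardown not modelled)."""
    def __init__(self):
        self.table = {}  # (src, dst, sport, dport) -> connection state

    def allow(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.proto == "tcp" and pkt.flags == {"SYN"}:   # new connection
            if pkt.dport == 25:
                self.table[fwd] = "SYN_SENT"
                return True
            return False
        if rev in self.table and pkt.flags == {"SYN", "ACK"}:
            self.table[rev] = "ESTABLISHED"     # reply completes the handshake
            return True
        return fwd in self.table or rev in self.table  # unknown flow: dropped

def run_scenario():
    ext, mail = "203.0.113.5", "192.0.2.10"     # constructed addresses
    handshake = [Packet(ext, mail, "tcp", 40000, 25, frozenset({"SYN"})),
                 Packet(mail, ext, "tcp", 25, 40000, frozenset({"SYN", "ACK"})),
                 Packet(ext, mail, "tcp", 40000, 25, frozenset({"ACK"}))]
    # ACK-only packet at an internal port that never saw a SYN through the filter.
    rogue = Packet(ext, mail, "tcp", 40000, 1234, frozenset({"ACK"}))
    sf = StatefulFilter()
    return {"handshake_stateful": [sf.allow(p) for p in handshake],
            "rogue_stateless": stateless_allow(rogue),   # True: headers pass
            "rogue_stateful": sf.allow(rogue)}           # False: no connection
```

The rogue packet is the point: its headers satisfy the stateless rule, but no connection in the state table matches it, so the stateful filter drops it.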

Packet filtering firewalls are popular because they tend to be
inexpensive, fast, and relatively easy to configure and maintain.  Most
companies already have a router on which they can set up a rule set, or
can easily get a host with two network cards.  Even stateful packet
inspection firewalls are faster than the proxying alternative, because the
examination of the packet is done on the network layer.

The drawback to packet filtering firewalls lies in reduced security.
Because only the packet's headers are considered, a packet filtering
firewall does not protect against attacks directed at an application.  For
instance, if a packet filtering firewall was set to allow incoming email
from the internet in general, then an attack on the SMTP service itself
would pass through the firewall without problem.  In other words, as long
as the rule set is passed, a connection is made directly from outside the
firewall to inside the firewall.  To address that issue, there are
proxying firewalls.


Proxying
--------

The fundamental difference between packet filtering and proxying lies in
the fact that proxy firewalls do not route.  A proxy firewall operates on
the application layer and cares about the application itself -- it
receives data from one interface, inspects it according to its defined
rule set, and then passes the data to the other interface.  A connection
is never made from the outside to the inside; as far as the machines
inside the firewall know, all their information is coming from the
firewall.  Unlike the packet filtering model, a proxy firewall truly keeps
the internal and external systems separate.

This is not, however, the primary reason why proxy firewalls are so
attractive to organizations.  Because the proxy firewall has full
visibility at the application layer, it can look for far more specific
pieces of information than a packet filter can; it can, for instance, tell
the difference between a piece of email containing text and a piece of
email containing a Microsoft Word document, or the difference between a
web page using Java and a web page without.  Rules can be made
significantly more specific, as they can be designed around anything the
firewall can see at the application level.

As could be imagined, the greatest drawback to using this model is the
sacrifice in speed.  Since all traffic has to be inspected on the
application level, a proxying firewall is significantly slower than the
packet filtering alternatives.  For the greatly improved security,
performance suffers.  This problem can be addressed by adaptive proxy
firewalls.

Just as stateful inspection firewalls are an enhanced version of packet
filtering firewalls, the adaptive proxy (also known as dynamic proxy) 
architecture was developed from the standard proxy implementation.
Combining the merits of both proxy and packet filtering firewalls, an
adaptive proxy firewall works by analyzing the first part of a connection
at the application layer, as a standard proxy firewall does; however, once
the firewall has enough information to clear the traffic through the rule
set, subsequent packets are passed -- filtered -- through the network
layer.  Similar to the case of the stateful inspection model, the firewall
builds a dynamic table.  Packets are inspected according to the table.
Those that are considered to be a part of a valid, established session are
allowed to pass with simple packet filtering; those that are considered
part of a new connection are inspected on the application layer and
proxied.  In this way, it's always the proxy that's doing the real
analysis for any connection; only after a session has been approved by the
strong security of the application proxy does it pass to the weaker but
faster packet filtering on the network layer.
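An added Python model (not the article's code, nor any product's) of the adaptive proxy just described, with a standard proxy beside it for contrast.  The HTTP request check, the GET/HEAD-only policy and the flows are constructed for the example; it also makes visible the trade-off the paragraph implies, namely that once a flow is in the session table, later data on that flow is passed by the packet filter without application-layer inspection.

```python
def inspect_http_request(payload):
    """Application-layer check: a well-formed HTTP request line that uses
    only the methods the (constructed) policy allows, GET and HEAD."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"HEAD"):
        return False
    return parts[1].startswith(b"/") and parts[2] in (b"HTTP/1.0", b"HTTP/1.1")

class StandardProxy:
    """Every piece of data on every connection is inspected at the
    application layer; nothing is ever routed."""
    def handle(self, key, payload):
        return ("proxied", inspect_http_request(payload))

class AdaptiveProxy:
    """The first data of a new connection is proxied and inspected; once the
    flow is approved it is entered in a session table and later data on that
    flow is passed by packet filtering on the 4-tuple alone."""
    def __init__(self):
        self.sessions = set()   # (src, dst, sport, dport) of approved flows

    def handle(self, key, payload):
        if key in self.sessions:
            return ("filtered", True)           # fast path: headers only
        ok = inspect_http_request(payload)      # slow path: application layer
        if ok:
            self.sessions.add(key)
        return ("proxied", ok)

def run_scenario():
    key = ("203.0.113.5", "192.0.2.80", 40001, 80)     # constructed flow
    good = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    bad = b"TRACE / HTTP/1.1\r\n\r\n"                   # method the policy rejects
    ap, sp = AdaptiveProxy(), StandardProxy()
    return {
        "adaptive_first": ap.handle(key, good),        # inspected, approved
        "adaptive_later": ap.handle(key, bad),         # same flow: not inspected
        "adaptive_new":   ap.handle(("203.0.113.9", "192.0.2.80", 40002, 80), bad),
        "standard_later": sp.handle(key, bad),         # standard proxy still looks
    }
```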

From a security standpoint, the most secure firewall is a standard
proxying firewall, where all traffic is inspected on an application layer.
However, that isn't always the most practical solution.  A strictly proxy
environment is slow and difficult to maintain.  Proxies have to be written
for new applications as they come out.  An adaptive proxy, using a
combination of proxying and packet filtering, is far more likely to be
encountered.


/dev/null
Professional Script Kiddie