Chapter 14

How Firewalls Work


All intranets are vulnerable to attack. Their underlying TCP/IP architecture is identical to that of the Internet. Since the Internet was built for maximum openness and communication, there are countless techniques that can be used to attack intranets. Attacks can involve the theft of vital company information and even cash. Attacks can destroy or deny a company's computing resources and services. Attackers can break in or pose as a company employee to use the company's intranet resources.

Firewalls are hardware and software combinations that block intruders from access to an intranet while still allowing people on the intranet to access the resources of the Internet. Depending on how secure a site needs to be, and on how much time, money, and resources can be spent on a firewall, there are many kinds that can be built. Most of them, though, are built using only a few elements. Servers and routers are the primary components of firewalls.

Most firewalls use some kind of packet filtering. In packet filtering, a screening router or filtering router looks at every packet of data traveling between an intranet and the Internet. See Chapter 13 for more information on filtering.

Proxy servers on an intranet are used when someone from the intranet wants to access a server on the Internet. A request from the user's computer is sent to the proxy server instead of directly to the Internet. The proxy server contacts the server on the Internet, receives the information from the Internet, and then sends the information to the requester on the intranet. By acting as a go-between like this, proxy servers can filter traffic and maintain security as well as log all traffic between the Internet and the network.

Bastion hosts are heavily fortified servers that handle all incoming requests from the Internet, such as FTP requests. A single bastion host handling incoming requests makes it easier to maintain security and track attacks. In the event of a break in, only that single host has been compromised, instead of the entire network. In some firewalls, multiple bastion hosts can be used, one for each different kind of intranet service request.

How Firewalls Work

Firewalls protect intranets from any attacks launched against them from the Internet. They are designed to protect an intranet from unauthorized access to corporate information, and damaging or denying computer resources and services. They are also designed to stop people on the intranet from accessing Internet services that can be dangerous, such as FTP.

  1. Intranet computers are allowed access to the Internet only after passing through a firewall. Requests have to pass through an internal screening router, also called an internal filtering routeror choke router. This router prevents packet traffic from being sniffed remotely. A choke router examines all pack-ets for information such as the source and destination of the packet.1
  2. The router compares the information it finds to rules in a filtering table, and passes or drops the packets based on those rules. For example, some services, such as rlogin, may not be allowed to run. The router also might not allow any packets to be sent to specific suspicious Internet locations. A router can also block every packet traveling between the Internet and the internal network, except for e-mail. System administrators set the rules for determining which packets to allow in and which to block.
  3. When an intranet is protected by a firewall, the usual internal intranet services are available-such as e-mail, access to corporate databases and Web services, and the use of groupware.
  4. Screened subnet firewalls have one more way to protect the intranet-an exterior screening router, also called an exterior filtering router or an access router. This router screens packets between the Internet and the perimeter network using the same kind of technology that the interior screening router uses. It can screen packets based on the same rules that apply to the internal screening router and can protect the network even if the internal router fails. It also, however, may have additional rules for screening packets specifically designed to protect the bastion host.
  5. As a way to further protect an intranet from attack, the bastion host is placed in a perimeter network-a subnet-inside the firewall. If the bastion host was on the intranet instead of a perimeter network and was broken into, the intruder could gain access to the intranet.
  6. A bastion host is the main point of contact for connections coming in from the Internet for all services such as e-mail, FTP access, and any other data and requests. The bastion host services all those requests-people on the intranet contact only this one server, and they don't directly contact any other intranet servers. In this way, intranet servers are protected from attack. Bastion hosts can also be set up as proxy servers. See Chapter 15 for more information about proxy servers and Chapter 16 for more information about bastion hosts.