Networking For Dummies
Book image
Explore Book Buy On Amazon
Firewalls employ four basic techniques to keep unwelcome visitors out of your network. The following article describes these basic firewall techniques.

Packet filtering

A packet-filtering firewall examines each packet that crosses the firewall and tests the packet according to a set of rules that you set up. If the packet passes the test, it’s allowed to pass. If the packet doesn’t pass, it’s rejected.

Packet filters are the least expensive type of firewall. As a result, packet-filtering firewalls are very common. However, packet filtering has a number of flaws that knowledgeable hackers can exploit. As a result, packet filtering by itself doesn’t make for a fully effective firewall.

Packet filters work by inspecting the source and destination IP and port addresses contained in each TCP/IP packet. TCP/IP ports are numbers that are assigned to specific services that help to identify for which service each packet is intended. For example, the port number for the HTTP protocol is 80. As a result, any incoming packets headed for an HTTP server will specify port 80 as the destination port.

Port numbers are often specified with a colon following an IP address. For example, the HTTP service on a server whose IP address is 192.168.10.133 would be 192.168.10.133:80.

Literally thousands of established ports are in use. Table 20-1 lists a few of the most popular ports.

Some Well-Known TCP/IP Ports
Port Description
20 File Transfer Protocol (FTP)
21 File Transfer Protocol (FTP)
22 Secure Shell Protocol (SSH)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name Server (DNS)
80 World Wide web (HTTP)
110 Post Office Protocol (POP3)
119 Network News Transfer Protocol (NNTP)
137 NetBIOS Name Service
138 NetBIOS Datagram Service
139 NetBIOS Session Service
143 Internet Message Access Protocol (IMAP)
161 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
389 Lightweight Directory Access Protocol (LDAP)
396 NetWare over IP
443 HTTP over TLS/SSL (HTTPS)
The rules that you set up for the packet filter either permit or deny packets that specify certain IP addresses or ports. For example, you may permit packets that are intended for your mail server or your web server and deny all other packets. Or, you may set up a rule that specifically denies packets that are heading for the ports used by NetBIOS. This rule keeps Internet hackers from trying to access NetBIOS server resources, such as files or printers.

One of the biggest weaknesses of packet filtering is that it pretty much trusts that the packets themselves are telling the truth when they say who they’re from and who they’re going to. Hackers exploit this weakness on a network by using a hacking technique called IP spoofing, in which they insert fake IP addresses in packets that they send to your network.

Another weakness of packet filtering is that it examines each packet in isolation, without considering what packets have gone through the firewall before and what packets may follow. In other words, packet filtering is stateless. Rest assured that hackers have figured out how to exploit the stateless nature of packet filtering to get through firewalls.

In spite of these weaknesses, packet filter firewalls have several advantages that explain why they’re commonly used:

  • Packet filters are very efficient. They hold up each inbound and outbound packet for only a few milliseconds while they look inside the packet to determine the destination and source ports and addresses. After these addresses and ports have been determined, the packet filter quickly applies its rules and either sends the packet along or rejects it. In contrast, other firewall techniques have a more noticeable performance overhead.
  • Packet filters are almost completely transparent to users. The only time a user will be aware that a packet filter firewall is being used is when the firewall rejects packets. Other firewall techniques require that clients and/or servers be specially configured to work with the firewall.
  • Packet filters are inexpensive. Most network routers include built-in packet filtering.

Stateful packet inspection (SPI)

Stateful packet inspection (SPI), is a step up in intelligence from simple packet filtering. A firewall with SPI looks at packets in groups rather than individually. It keeps track of which packets have passed through the firewall and can detect patterns that indicate unauthorized access.

In some cases, the firewall may hold on to packets as they arrive until the firewall has gathered enough information to make a decision about whether the packets should be authorized or rejected.

Stateful packet inspection was once found only on expensive, enterprise-level routers. Now, however, SPI firewalls are affordable enough for small- or medium-sized networks to use.

Circuit-level gateway

A circuit-level gateway manages connections between clients and servers based on TCP/IP addresses and port numbers. After the connection is established, the gateway doesn’t interfere with packets flowing between the systems.

For example, you could use a Telnet circuit-level gateway to allow Telnet connections (port 23) to a particular server and prohibit other types of connections to that server. After the connection is established, the circuit-level gateway allows packets to flow freely over the connection. As a result, the circuit-level gateway can’t prevent a Telnet user from running specific programs or using specific commands.

Application gateway

An application gateway is a firewall system that’s more intelligent than a packet-filtering, stateful packet inspection, or circuit-level gateway firewall. Packet filters treat all TCP/IP packets the same. In contrast, application gateways know the details about the applications that generate the packets that pass through the firewall.

For example, a web application gateway is aware of the details of HTTP packets. As a result, it can examine more than just the source and destination addresses and ports to determine whether the packets should be allowed to pass through the firewall.

In addition, application gateways work as proxy servers. Simply put, a proxy server is a server that sits between a client computer and a real server. The proxy server intercepts packets that are intended for the real server and processes them. The proxy server can examine the packet and decide to pass it on to the real server, or it can reject the packet. Or the proxy server may be able to respond to the packet itself, without involving the real server at all.

For example, web proxies often store copies of commonly used web pages in a local cache. When a user requests a web page from a remote web server, the proxy server intercepts the request and checks to see whether it already has a copy of the page in its cache. If so, the web proxy returns the page directly to the user. If not, the proxy passes the request on to the real server.

Application gateways are aware of the details of how various types of TCP/IP servers handle sequences of TCP/IP packets, so they can make more intelligent decisions about whether an incoming packet is legitimate or is part of an attack. As a result, application gateways are more secure than simple packet-filtering firewalls, which can deal with only one packet at a time.

The improved security of application gateways, however, comes at a price. Application gateways are more expensive than packet filters, both in terms of their purchase price and in the cost of configuring and maintaining them. In addition, application gateways slow down the network performance because they do more detailed checking of packets before allowing them to pass.

Next-generation firewall

Many modern firewalls use the term next generation to describe new types of advanced threat-protection intelligence that are designed to watch for types of packet behavior that indicates the likelihood of malicious attack. A firewall that includes these new protections is called a next-generation firewall, usually abbreviated NGFW.

A next generation firewall performs all the functions of a standard firewall and more. Using a technique called deep packet inspection, next-generation firewalls look beyond the surface of data packets as they enter your network to find threats that simpler types of firewalls would overlook. Next generation firewalls can often stop malware before it ever gets into your network.

Want more tips to optimize your network? Avoid these ten big network mistakes.

About This Article

This article is from the book:

About the book author:

Doug Lowe is the bestselling author of Networking For Dummies and Networking All-in-One Desk Reference For Dummies. His 50+ books include more than 30 in the For Dummies series. He has demystified everything from Microsoft Office and memory management to client/server computing and creating web pages.

This article can be found in the category: