How Firewalls Work
What is a firewall?
A firewall around a computer or network is like the wall around a castle or city. It protects the computer or network by limiting points of access and providing criteria that must be met before being allowed to enter.
In the physical world, a guard might make decisions based on where a person is trying to go, where they came from, or both before admitting them. A firewall functions analogously, looking at each packet of data to determine where it came from, where it is going, or both, and deciding whether the packet should be accepted and allowed to continue on its way or whether it should be denied or dropped. As in the real world, a denied packet is turned from the gate and sent back to where it came from. Unlike the real world, a dropped packet just ceases to exist.
A firewall may be implemented as a hardware device (such as a Linksys or Netgear firewall you can buy in an electronics store) or in software, such as the Windows Firewall or the MacOS Firewall. Unix and Linux users may be familiar with the iptables firewall.
What is a firewall policy or ruleset?
A firewall determines what packets should be accepted, denied, or dropped based on its policy. Most firewalls only accept or drop; denying a packet is possible but rare. Denying packets is often skipped because the denied packet will use up more bandwidth on its return trip, and because the originating system will assume, if it doesn’t hear back from the remote system, that the packet has been dropped and act appropriately (try again or give up).
When someone decides to implement a firewall they generally have a good idea what it should do. For example, the firewall should allow traffic to come to my web server but should deny all other traffic. This statement is an example of a firewall policy. The person implementing this policy in the firewall, sometimes known as a firewall administrator, will translate this policy into a series of technical statements called a ruleset that tells the hardware or software what to do.
Firewalls have a default setting, and that default setting is generally to deny all traffic. The Windows Firewall behaves in this way. Windows users who have activated the Windows firewall may be familiar with getting a dialogue box asking if it is okay to permit an application to accept a connection on the network. If permitted, the Windows Firewall software adds a rule to the ruleset indicating that traffic to that application is to be permitted. Through the Windows Firewall control panel you can add and remove rules from the firewall.
Writing a Firewall Rule
The Windows Firewall Control Panel and other graphical user interfaces like it attempt to hide the complexity of writing a firewall rule. At Boston University, the IS&T security staff can assist you with writing rules for Unix or Linux firewall software that tends to lack the more simple graphical interface, or where you need assistance in creating a policy that is more complex than the interface allows.
A very brief summary is that most traffic that will reach your firewall will be Internet Protocol (IP) traffic using one of the three major Transport Layer protocols: TCP, UDP, or ICMP. All three types have a source address and a destination address that uniquely designate the computer that sent the packet of data and the computer that is to receive it. Both TCP and UDP also have port numbers, a number between 0 and 65,535 that helps identify the application that initiated the connection. For example, most web servers use TCP port 80, so a packet headed for a web server should have the destination address of the web server and a destination port number of 80. ICMP does not use port numbers, but instead has a type code that identifies the purpose of the packet. ICMP is generally used for debugging network problems or informing systems of a problem. If you’ve ever used the ping command, you’ve generated ICMP packets.
You may also wish to know that TCP packets have flags that indicate the state of a connection between two hosts. These flags have names like SYN, FIN, ACK, and RST. A packet that is meant to initiate a connection will have only the SYN flag. All subsequent communication between two systems would have the ACK flag. Firewalls can be configured to look for packets that have only the SYN flag set and treat them as new connections, whereas packets with an ACK flag are presumed to be part of an existing connection. There are security implications to this because the sender of a packet can control what flags are present, but it can be an effective first pass at identifying new versus existing connections.
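To make the policy-to-ruleset translation and the SYN/ACK distinction concrete, here is an added example (not code from the original article or from BU IS&T) of a toy stateless packet filter: the policy "allow traffic to my web server but deny all other traffic" is written as a short ruleset evaluated top to bottom with a deny-all default. The addresses, ports, and packets are constructed for illustration, and the last sample shows the caveat from the paragraph above: because the sender chooses the flags, a SYN-ACK that answers no SYN still passes the "existing connection" rule of a stateless filter.

```python
# Added example (not part of the original article): a toy stateless packet
# filter that evaluates a default-deny ruleset, first matching rule wins.
# Addresses, ports and packets below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None             # TCP/UDP only
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()     # TCP flags present, e.g. {"SYN"}
    icmp_type: Optional[int] = None         # ICMP only


@dataclass(frozen=True)
class Rule:
    action: str                             # "accept" or "drop"
    proto: Optional[str] = None             # None means "any"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    syn_only: bool = False                  # match only if SYN is the sole flag (new connection)
    ack_set: bool = False                   # match only if ACK is present (presumed existing)

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.proto, p.proto), (self.src, p.src),
                           (self.dst, p.dst), (self.dport, p.dport),
                           (self.icmp_type, p.icmp_type)):
            if want is not None and want != have:
                return False
        if self.syn_only and p.flags != frozenset({"SYN"}):
            return False
        if self.ack_set and "ACK" not in p.flags:
            return False
        return True


def evaluate(ruleset: List[Rule], p: Packet, default: str = "drop") -> str:
    """Walk the ruleset top to bottom; the first match decides, else the default applies."""
    for rule in ruleset:
        if rule.matches(p):
            return rule.action
    return default


WEB_SERVER = "192.0.2.10"   # constructed address standing in for "my web server"

# The policy "allow traffic to my web server but deny all other traffic",
# translated into a ruleset. The default action is the deny-all fallback.
RULESET = [
    Rule("accept", proto="tcp", dst=WEB_SERVER, dport=80, syn_only=True),   # new web connections
    Rule("accept", proto="tcp", dst=WEB_SERVER, dport=80, ack_set=True),    # packets of existing ones
    Rule("accept", proto="icmp", dst=WEB_SERVER, icmp_type=8),              # echo request, so ping works
]


if __name__ == "__main__":
    client = "203.0.113.5"   # constructed remote address
    samples = {
        "new web connection":      Packet("tcp", client, WEB_SERVER, 51000, 80, frozenset({"SYN"})),
        "existing web connection": Packet("tcp", client, WEB_SERVER, 51000, 80, frozenset({"ACK"})),
        "ssh attempt":             Packet("tcp", client, WEB_SERVER, 51001, 22, frozenset({"SYN"})),
        "dns query":               Packet("udp", client, WEB_SERVER, 51002, 53),
        "ping":                    Packet("icmp", client, WEB_SERVER, icmp_type=8),
        # The sender controls the flags: a SYN-ACK answering no SYN still matches rule 2.
        "unsolicited syn-ack":     Packet("tcp", client, WEB_SERVER, 51003, 80, frozenset({"SYN", "ACK"})),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {evaluate(RULESET, pkt)}")
```

Rule order matters here exactly as it does in a real ruleset: the first rule that matches wins, and anything that matches nothing falls through to the default. Real firewalls such as iptables work on the same principle, only with far more match criteria available.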
There is a lot to know about network communications and writing complicated firewall rules may require learning something about it. We have provided some references for people who wish to learn more.
- An overview of how firewalls work from howstuffworks.com
- Some additional information about firewalls from Princeton University
- Microsoft’s explanation of the TCP three-way handshake
- The OSI 7-layer model according to Wikipedia
- A discussion of abnormal IP traffic types on SecurityFocus.com
What is the difference between a host-based firewall and a network-based firewall?
A host-based firewall is installed on an individual computer to protect it from activity occurring on its network. The policy may affect what traffic the computer accepts from the Internet, from the local network, or even from itself.
A network-based firewall is implemented at a specified point in the network path and protects all computers on the “internal” side of the firewall from all computers on the “external” side of the firewall. Network-based firewalls may be installed at the perimeter, or edge, of a network to protect a corporation from hosts on the Internet, or internally to protect one segment of the community from another, such as separating corporate and residential systems, or research systems from marketing systems. A network-based firewall cannot protect one computer from another on the same network, or any computer from itself.
What is a stateful firewall?
A stateful firewall is more than a sentry at the border that inspects each packet as it passes. To be stateful, a firewall also keeps a historical record of traffic and thus can make more complex decisions about whether or not a packet under scrutiny should be accepted.
For example, in the TCP Three Way Handshake, the first packet from a client to a server must have only the SYN flag set. The server’s first response will have the SYN and ACK flags set (also known as a SYN-ACK packet). The client’s third packet, and all subsequent packets, will not have the SYN flag set. Knowing how the protocol works, a stateful firewall can recognize a SYN-ACK packet for which it saw no preceding SYN and reject it. Stateful firewalls can also create internal state records for UDP sessions and handle other kinds of traffic. These firewalls tend not to be as lightweight as non-stateful firewalls, but can manage far more complex rules.
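The handshake tracking just described, as an added example that is not from the original article: a minimal stateful filter that records each connection's progress through SYN, SYN-ACK and ACK, accepts a SYN-ACK only when it answers a SYN it previously saw, and accepts plain ACK traffic only for a connection it tracked through the handshake. The flow-state names and the constructed client and server addresses are this example's own choices; a production firewall tracks considerably more (sequence numbers, timeouts, FIN teardown).

```python
# Added example (not from the original article): a minimal stateful tracker
# for the TCP three-way handshake. It accepts a SYN-ACK only if it answers a
# SYN it previously saw, and plain ACK traffic only for a connection it has
# tracked through the handshake. Addresses and packets below are constructed.
from typing import Dict, FrozenSet, Tuple

Flow = Tuple[str, int, str, int]   # (client addr, client port, server addr, server port)


class StatefulFilter:
    def __init__(self) -> None:
        self.state: Dict[Flow, str] = {}   # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED

    def inspect(self, src: str, sport: int, dst: str, dport: int,
                flags: FrozenSet[str]) -> str:
        fwd: Flow = (src, sport, dst, dport)   # key if the sender is the client
        rev: Flow = (dst, dport, src, sport)   # key if the sender is the server

        if "RST" in flags:
            # A reset tears the connection down; forget whichever direction we tracked.
            known = self.state.pop(fwd, None) or self.state.pop(rev, None)
            return "accept" if known else "drop"

        if flags == frozenset({"SYN"}):
            self.state[fwd] = "SYN_SENT"             # first packet: client opens a connection
            return "accept"

        if flags == frozenset({"SYN", "ACK"}):
            if self.state.get(rev) == "SYN_SENT":    # server answers a SYN we saw
                self.state[rev] = "SYN_RECEIVED"
                return "accept"
            return "drop"                            # SYN-ACK with no matching SYN

        if "ACK" in flags and "SYN" not in flags:
            if self.state.get(fwd) == "SYN_RECEIVED":   # client's third packet
                self.state[fwd] = "ESTABLISHED"
                return "accept"
            if "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev)):
                return "accept"                      # data in either direction
            return "drop"                            # ACK for a connection never set up

        return "drop"   # any other flag combination is not part of a normal handshake


if __name__ == "__main__":
    CLIENT, SERVER = "198.51.100.7", "192.0.2.10"   # constructed addresses
    fw = StatefulFilter()
    handshake = [
        ("client SYN",     CLIENT, 40000, SERVER, 80, {"SYN"}),
        ("server SYN-ACK", SERVER, 80, CLIENT, 40000, {"SYN", "ACK"}),
        ("client ACK",     CLIENT, 40000, SERVER, 80, {"ACK"}),
        ("server data",    SERVER, 80, CLIENT, 40000, {"ACK"}),
    ]
    for label, src, sp, dst, dp, fl in handshake:
        print(f"{label:16s} -> {fw.inspect(src, sp, dst, dp, frozenset(fl))}")
    # A SYN-ACK with no prior SYN is rejected, unlike in a stateless filter.
    fresh = StatefulFilter()
    print("stray SYN-ACK    ->", fresh.inspect(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})))
```

The state table is what costs memory and CPU compared with a stateless filter: every tracked connection occupies an entry until it is reset (or, in a real implementation, times out), which is the trade-off the paragraph above refers to.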
What is an application firewall?
An application firewall is a special firewall that is specifically coded for the type of traffic it is inspecting. The most widely developed application firewall is the web application firewall. A web application firewall is less concerned with source and destination addresses, and focuses on the actual data in the packet to see if the requests being sent to a web server, and the replies issued from the web server, meet its rules. For example, a web application firewall may have a rule that says a requested URL may not be more than 256 characters long. When a packet is found that has a longer URL in the request field it can be dropped without giving it to the web server.
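The URL-length rule used as the example above, as an added example that is not code from the original article: a function a web application firewall might apply to the first line of an HTTP request, forwarding it to the web server only if the request line is well formed and the requested URL is at most 256 characters. The 256-character limit is the article's; the sample requests are constructed, and the function name is this example's own.

```python
# Added example (not from the original article): the request-line check a web
# application firewall might apply, using the article's example rule that a
# requested URL may not exceed 256 characters. The requests are constructed.
MAX_URL_LENGTH = 256


def inspect_request(raw: bytes, max_url: int = MAX_URL_LENGTH) -> str:
    """Return "forward" if the HTTP request line passes the rule, "drop" otherwise.

    Only the request line (METHOD SP REQUEST-TARGET SP VERSION) is examined;
    headers and body are not part of this rule.
    """
    request_line = raw.split(b"\r\n", 1)[0]
    try:
        text = request_line.decode("ascii")
    except UnicodeDecodeError:
        return "drop"            # not even ASCII: malformed, do not hand it to the server
    parts = text.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "drop"            # malformed request line
    _method, url, _version = parts
    if len(url) > max_url:
        return "drop"            # rule: URL too long, never reaches the web server
    return "forward"


if __name__ == "__main__":
    ok = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    too_long = b"GET /search?q=" + b"a" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    garbage = b"\xff\xfe not http\r\n"
    for label, req in (("normal", ok), ("oversized url", too_long), ("garbage", garbage)):
        print(f"{label:14s} -> {inspect_request(req)}")
```

Note that the check looks at the data the packet carries, not at addresses or ports: that is the distinguishing trait of an application firewall, and it is also why one must be written specifically for the protocol it inspects.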