Becta | Technical paper | Firewalls

Firewalls

With the explosive growth of the Internet and the move to broadband connectivity, security has become a concern for network administrators and private individuals. Even organisations without specific secrets or secure information to hide can find themselves the target of attacks, which can result in loss of data or services. There are many hacking tools available on the Internet that require little skill or knowledge to use.

This technical paper is designed to expose some of the most common network security problems and suggest possible solutions. It offers both a basic introduction to firewalls and a more detailed look at the underlying technology. As such, it will be of interest to diverse audiences with a wide range of technical knowledge. Those looking to protect single or non-networked computers should utilise a small, dedicated firewall/router, or run specialist software to control access. The network solutions detailed below are not appropriate for scaling down to protect individual machines.

What is a firewall?

A firewall is a means of controlling and analysing data passing between two networks. It can be thought of, by analogy, as a border checkpoint or roadblock where the credentials of traffic wishing to enter are examined and 'undesirables' are turned away. For greatest leverage, therefore, firewalls are usually placed at the point of connection between the two networks.

A firewall can help to:

  • prevent malicious users on the Internet from accessing data or services on a private network
  • defend the private network against 'attack'
  • control access from the Internet to ensure that only certain services on the private network (for example, web servers) are available to external users
  • hide the private network from the Internet
  • control access between two parts of a private network (for example to prevent classroom users from having access to office/administrative facilities)
  • allow some forms of internet access and deny others (for instance, to allow web browsing but deny the use of streaming audio or internet relay chat).

In addition, although this is not their primary function, firewalls can:

  • protect your network from attempts to exploit well-known insecurities in web browsers and other client software (by denying access to that software)
  • provide some measure of protection against certain forms of computer virus such as 'worms' and 'trojans' (see section on 'Viruses' for more information); although this is the role of a dedicated virus checker, it may run on the same hardware as the firewall.

How does a firewall work?

Firewalls protect the local network in a number of ways.

Masquerading and network address translation

With masquerading, data is broken down into packets, or 'chunks', which each have a header containing their intended destination. All the headers are rewritten by the border router or firewall so that they appear to have originated at that point. The router/firewall also records the details of the outgoing request so that the incoming reply can be 'de-masqueraded' – re-addressed to the correct computer on the internal network. In this scenario, only the router or firewall requires one of the increasingly limited numbers of public IP addresses.

Since all data traffic to and from the internal network appears to have come from only one computer, it is extremely difficult for an attacker to enumerate the contents of the internal network or to address any machine but the firewall/router directly. All internet connection sharing software and devices compatible with a private subnet have this function. However, behind the masquerading machine the network is open.
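The translation table that makes masquerading work, as an added illustration (not code from the Becta paper): outgoing headers are rewritten to the router's single public address, the original addressing is recorded, and only replies matching a recorded request are re-addressed to an internal host. The addresses, ports and subnet are constructed sample values.

```python
"""Tiny model of a masquerading border router's translation table."""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"                               # constructed: the router's only public address
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed: the private subnet behind it


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerader:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = 40000          # first public port handed out
        self.table = {}                 # (proto, public port) -> original 5-tuple
        self.by_flow = {}               # original 5-tuple -> public port

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network so it appears to come from the router."""
        if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
            raise ValueError("outbound packet did not originate on the internal network")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.by_flow:     # first packet of this flow: record it
            public_port = self.next_port
            self.next_port += 1
            self.by_flow[key] = public_port
            self.table[(pkt.proto, public_port)] = key
        return replace(pkt, src=self.public_ip, sport=self.by_flow[key])

    def inbound(self, pkt):
        """De-masquerade a reply, or return None to drop a packet no internal host asked for."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:               # unsolicited: nothing inside ever requested this
            return None
        _proto, int_src, int_sport, out_dst, out_dport = entry
        if (pkt.src, pkt.sport) != (out_dst, out_dport):   # reply must come from the host contacted
            return None
        return replace(pkt, dst=int_src, dport=int_sport)
```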

Packet filtering

Packet filtering firewalls are fast and inexpensive devices with two network connections through which all packets are made to pass: one to the internal network which they protect and one to the external network (most likely the Internet). The packet filter examines every packet header and checks it against a set of rules that enable restrictions based on source, destination, direction and service (HTTP, FTP, POP3, SMTP, etc). A well-configured packet filter can be used to prevent external access to the protected network and to block the use of services to internal users (such as IRC – internet relay chat).

The most recent generation of packet filters (known as 'stateful') intercept a stream of packets, determine the 'state' of the connection and enter details in a dynamic state table. Using these tables, the firewall keeps track of all the connections passing through it and ensures that all packets are part of a valid, established connection, rather than simply allowing all single packets according to its basic ruleset.

Most networks contain routers, many of which can be configured to act as packet filters with varying degrees of sophistication. Failing this, packet filters can be constructed from inexpensive hardware – for example, otherwise obsolete PCs with two network cards.

However, since only a packet's header (and not the data it carries) is analysed, packet filters do not protect against attacks directed at an application. A packet filter configured to allow incoming data from external web servers in response to requests from the internal network would allow traffic through the firewall whatever its contents. This issue is addressed by application proxies.
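A stateful packet filter in miniature, added here as an illustration rather than taken from the paper: a default-deny ruleset on direction and service (web browsing out, IRC blocked, mail in and out), plus a state table that admits mid-connection packets only when they belong to a connection already seen. The subnet, addresses and rules are constructed assumptions.

```python
"""Stateful packet filter with a default-deny ruleset."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # constructed private subnet

SERVICES = {"http": 80, "smtp": 25, "irc": 6667}

# Rules are matched in order against the FIRST packet of a connection:
# (direction, service, verdict). Anything that matches no rule is denied.
RULES = [
    ("out", "irc", "deny"),     # block internet relay chat for internal users
    ("out", "http", "allow"),   # allow web browsing
    ("out", "smtp", "allow"),   # allow outgoing mail
    ("in", "smtp", "allow"),    # allow mail to reach the mail server
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # "SYN" marks the opening packet of a TCP connection


class StatefulFilter:
    def __init__(self):
        self.state = set()  # established connections as (src, sport, dst, dport)

    @staticmethod
    def direction(pkt):
        return "out" if ipaddress.ip_address(pkt.src) in INTERNAL else "in"

    def verdict(self, pkt):
        # 1. A reply belonging to a connection in the state table is allowed.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        # 2. A mid-connection packet with no state entry is unsolicited: drop it.
        if pkt.flags != "SYN":
            return "deny"
        # 3. A new connection is checked against the ruleset; default deny.
        d = self.direction(pkt)
        for rule_dir, service, action in RULES:
            if rule_dir == d and SERVICES[service] == pkt.dport:
                if action == "allow":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return action
        return "deny"
```

Note that the filter never looks at the payload: the reply on port 80 is allowed whatever it carries, which is exactly the gap the paper says application proxies close.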

Application proxy firewalls

Proxy firewalls operate on the application layer rather than the network (packet) layer. Computers on the internal network pass their requests to the proxy which receives the data. A connection is never made from outside to inside the firewall – the proxy appears to be the source of all external data.

By being aware of the application layer, proxies can, for instance, tell the difference between a web page containing Java and a web page without. Access to external resources can be controlled, and dangerous or 'undesirable' data can be rejected even if it is part of an authorised connection.

However, since the proxy must inspect all traffic at the application level, performance is much reduced compared with a packet filter, even on comparatively powerful computing platforms. Proxy firewall rulesets can be complex and hard to manage. In addition, since not all proxy software is aware of all applications, it may be necessary to provide a number of different proxies or plug-in modules.

To address the performance issues associated with proxy firewalls, a hybrid of the proxy and the packet filter has been developed. These 'adaptive' or 'dynamic' proxy firewalls analyse the first part of a connection at the application layer. However, once the firewall has enough information to verify that the connection passes its ruleset, it hands it down to a packet filtering component operating at the network layer which builds a dynamic table. Packets that are found to be part of a valid, established session are allowed to pass through the much faster packet filtering component, while new connections first undergo much more rigorous analysis by the proxy.

Where are firewalls used in educational establishments?

Below are some examples of how firewalls are used in educational situations.

A small primary school with shared modem/ISDN

Situation: A small network of six computers sharing a modem or ISDN connection.

Possible solution: Assuming that no remote access is needed and that the administrative network is separate, a good solution here would be to purchase a firewall appliance which would act as router and packet filter. Some appliances provide proxy/cache capabilities and might be used to increase cost-effectiveness.

Secondary school with 2Mb leased line

Situation: A secondary school with a significant number of PCs connected to a new Windows 2000 server.

Possible solution: Effective packet filtering rules should be added to the existing router. If the existing hardware does not allow this, then a purpose-built packet filtering router or separate firewall appliance should be purchased. Seek advice from the ISP as it may provide these services.

Large college with broadband or permanent internet connection

Situation: An FE college with many computers and a fast link (perhaps 34Mbps) to a WAN such as JANET.

Possible solution: A dedicated packet filter should be installed, reinforced by a powerful proxy firewall running on a good specification server. While these could be constructed and configured in the institution, the college may have needs that are complex enough to justify the expense of a commercial firewall suite from a reputable and trusted vendor. When dealing with a very large network it would be advisable to consult a network security specialist.

Do I need a firewall?

The risks to which a network is exposed vary enormously depending on such factors as:

  • type of internet connection employed
  • duration of on-line sessions (if the connection is intermittent)
  • type of operating systems used
  • type, vendor and version of server and client programs installed
  • level of security awareness on the part of the network's users
  • type of network infrastructure employed.

You should definitely consider utilising a firewall if:

  • your network is connected in any way to the Internet or to another wide area network. If data within your network is valuable, confidential or subject to the Data Protection Act (1998), then it may be legally negligent not to have such protection in place
  • you use Windows SMB file sharing on your network – shared files are vulnerable to examination, alteration and deletion by unauthorised outsiders
  • you run intranet web and FTP servers on your network. Without firewall protection those servers are vulnerable to abuse or defacement by outsiders. (Common abuses include the defacement of web pages (see [ for examples) and the use of unsecured FTP servers for the storage of pirate software and/or obscene materials.)

It is a widespread misconception that internet service providers maintain firewalls that remove the need for additional security on the part of their users. ISPs need to provide a very wide range of services to their customers – a requirement which is not compatible with a high degree of security. Where an ISP does maintain a firewall, it is more likely to be configured to protect its own web sites and administrative areas from abuse.

Even when an ISP does deploy a firewall for the benefit of its customers, it can only achieve so much. In one example, users of a cable modem network, who were otherwise shielded from Windows SMB file-sharing vulnerabilities by the ISP's firewall, discovered that the 4,000 or so other users on their portion of the cable network were still able to treat their files as common property.

The positioning of firewalls is a vital component of their effectiveness – the best place for them is at the borders of your network.

What restrictions will having a firewall place on me?

When configuring firewalls, best practice dictates that a 'default deny' policy is followed. This means that any connection of whatever type will be rejected unless it is explicitly allowed for in the firewall's ruleset. When users attempt to connect to external resources using 'new' protocols, the chances are that they will fail to function. These new protocols need to be vetted, approved and added to the firewall ruleset.

If proxy firewalls are used, browsers and other client software will normally need to be reconfigured to access them. Since most applications are now 'proxy aware', this is a reasonably trivial task. In addition, high security settings regarding Java and ActiveX controls may prevent users from browsing certain web sites. It is usually possible, however, to make exceptions within the rules in the case of web sites which carry such code but are considered both necessary and trustworthy. Firewalls also complicate remote access to your network.

How do I allow access to my network?

Connections originating from the outside onto your network are likely to fall into one of two categories: authenticated or anonymous. If, for example, you wish to allow access to a public web server, the chances are that you will wish anyone to be able to view the pages held on it. If, on the other hand, you wish some users to be able to access files on the internal network, or for system administrators to be able to use remote administration tools, their access will need to be carefully authenticated and their connections guarded against various forms of hijack or interception.

De-militarised zone: A de-militarised zone (DMZ) is an area of a network situated in a lower security zone and separated from the rest of the network by at least one layer of protection. It is kept apart from the rest of the network so that an attacker cannot exploit its necessary weakness and compromise other machines in the private network. Servers kept in a DMZ should be secured as strongly as possible, and connections to them from the internal network should be undertaken as if they were going to any other host on the Internet.

Virtual private networking: Virtual private networking (VPN) is currently the best technique for providing secure remote access to private networks. VPNs rely on very strong encryption to authenticate connections to a private network and to guard the data in transit. More secure and cost-effective than other forms of remote access such as dial-in modems, VPNs are often used to provide access for technicians and home workers, but have also been used to create low-cost, semi-permanent network connections between geographically separate locations. VPNs are low cost because they use the internet infrastructure to communicate between local user and remote network, thus incurring charges only for local dial-up access to the Internet.

When a VPN is created, the connection is first authenticated by an exchange of digital certificates. Subsequent data is encrypted before passing across the Internet to create, in effect, a virtual private cable. However, when the network to be accessed does not have a permanent internet connection, it is extremely difficult for the client to determine which network address it should be connecting to.

What risks won't be covered by firewall protection?

A firewall is a vital component of any secure network, but in order to be fully effective it should be part of a documented and regularly reviewed security policy. Further resources dealing with the issue of security policies and their creation can be found at [

Malicious insiders: Technical experts believe that malicious users on the internal network cause the vast majority of network security incidents. Since they already have access to the network, a border firewall can, at best, limit their activities regarding connections to the outside. It is often the restrictions imposed by the firewall which provoke the malicious user and the firewall itself is frequently the first system to come under attack. For this reason, it is vital that the firewall's internal interface and the method by which it is administered be properly secured.

The installation of 'password sniffers' (tools which attempt to monitor network traffic for password sequences) or 'keystroke recorders' are common opening gambits for malicious internal users. Consequently, the use of applications such as telnet, which send passwords unencrypted, should be strongly discouraged and the institution should enforce a 'strong password' policy. A good starting point to investigate strong password techniques and effective documentation is [

A strong password policy will place restrictions on format. Sensible restrictions might include:

  • a minimum length of eight characters
  • forcing the inclusion of upper and lower case characters, numerals and other symbols
  • ensuring the absence of human language and regular changing of passwords.

Network administrators can run security tools such as L0phtCrack against their password databases in order to identify users whose passwords are weak, and users should be regularly reminded that they should not write down or disclose their passwords.

E-mail abuses: Most misuses of e-mail, such as 'spoofed' (misleading) addresses and illegitimate relaying (using someone else's mail server to send out large volumes of spam) are either inherent in the e-mail system or the result of liberally configured mail server software. A packet filter configured to allow mail to be transported in both directions across the network border and a mail server configured to allow messages to be forwarded from and to anywhere can enable the system to be used to distribute unwanted mail.
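The relay decision a mail server should make once the packet filter has let mail through in both directions, added as an illustration (not code from the paper or from any mail server): relay only for clients on the internal network or for mail addressed to a domain the server hosts, and treat an external client claiming a local sender address as spoofed. The domains, subnet and `open_relay` switch are constructed assumptions.

```python
"""Relay control for a mail server behind a border packet filter."""
import ipaddress

LOCAL_DOMAINS = {"example-school.sch.uk"}                   # constructed: domains this server hosts
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]    # constructed: the school's own subnet


def domain_of(address):
    return address.rpartition("@")[2].lower()


def relay_decision(client_ip, sender, recipients, open_relay=False):
    """Decide whether to accept a message for delivery.

    Returns "accept" or a string beginning "reject:" giving the reason.
    """
    if open_relay:
        # The liberally configured server the paper warns about: it forwards
        # anything from anywhere, and will be found and used to distribute spam.
        return "accept"
    addr = ipaddress.ip_address(client_ip)
    internal = any(addr in net for net in INTERNAL_NETS)
    if internal:
        return "accept"                         # our own users may send anywhere
    if domain_of(sender) in LOCAL_DOMAINS:
        # An outside host claiming one of our addresses is a spoofed sender.
        return "reject: spoofed local sender address"
    for rcpt in recipients:
        if domain_of(rcpt) not in LOCAL_DOMAINS:
            return "reject: relaying denied"    # outside-to-outside is third-party relaying
    return "accept"                             # inbound mail for a domain we host
```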

Viruses: While most firewalls (except those that act as application proxies for e-mail servers) will not prevent the infection of machines on the internal network via e-mail attachments, they can greatly reduce the impact of some forms of infection. 'Trojan' viruses, for example, are programs which an attacker causes to be installed through deception. They provide the attacker with a 'back door' into the infected system. Firewalls may not be able to prevent the initial infection, but can stop the attacker gaining access to the compromised system. Well-configured packet filters have also been shown to be effective in restricting the propagation of internet worms such as 'Code Red'. The presence of a firewall should not be considered as a replacement or an alternative to good, regularly updated anti-virus software.

Denial of service: Denial of service (DoS) attacks are targeted at a network to prevent legitimate users from accessing services. Firewalls may help by catching some of the subtler varieties of DoS attack, but there is little they can do against unsophisticated brute force attacks which simply attempt to use up all of the available bandwidth on the network's connection to the Internet.

Unsecured modem access: Firewalls can only monitor the network connections that they are positioned to protect. Alternative means of connection are found with remarkable frequency in the form of unsecured modems. These modems can be legitimate (allowing contracted support technicians to maintain a server for instance) but their existence constitutes a security flaw.