Professional Shiksha Banner

Firewall, Types & importance

Introduction
An organization's network is set up so that there is a single point of entry and exit to the Internet. A firewall, which is essentially a set of hardware devices and software, is then placed at the entry point of the organization's private network and screens off all unwanted access in both directions. All communication data packets from any computer inside the private network to the outside world are routed through the firewall, and all data packets from any computer in the outside world to any computer within the private network are likewise routed through the firewall. The organization enforces a strict policy that no one may connect by any other means that bypasses this arrangement, such as a direct dial-up or wireless modem. Thus the organization need focus only on fortifying the firewall, which alone controls access between the two networks.

The firewall in this configuration has two components:
i. two routers that do packet filtering, and
ii. an application gateway.

1. Packet Filters

Packet filters are typically driven by tables configured by the system administrator. These tables list sources and destinations that are acceptable, sources and destinations that are blocked, and default rules about what to do with packets coming from or going to other machines.
The dominant network protocols in use on the Internet, viz. TCP, IP, and UDP, carry certain control information which can be used to restrict access to hosts within the organizational network. The IP packet header contains the network addresses of both the sender and recipient of the packet. Further, the TCP and UDP protocols provide the notion of a port, which identifies the endpoint of a communications path. In the common case, a source or destination consists of an IP address and a port number. Port numbers indicate which service is desired. For example, port no. 23 is for Telnet, port no. 79 is for Finger, port no. 119 is for USENET news, and port no. 80 is for normal web service.
2. Application Gateway
The second part of the firewall mechanism is the application gateway. Rather than just looking at raw packets, the gateway operates at the application level. A mail gateway, for example, can be set up to examine each message going in or coming out. For each message it decides whether to forward or discard it based on the message header fields, message size, or even the content (e.g., at a military installation, the presence of words like nuclear or bomb might require some special action to be taken). Firewall installations normally have more than one application gateway, one for each specific type of service.
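As an added illustration (not code from the original post), the following Python mail-gateway filter applies the three kinds of check the paragraph describes, in that order: required header fields, a size ceiling, and a content screen for sensitive words. The policy values, the sample messages, and the "hold" outcome for content hits (standing in for the "special action" the text mentions) are constructed assumptions for this example.

```python
import email
import re
from email.message import Message
from typing import Tuple

# Constructed policy for this example; a real gateway would load these from configuration.
MAX_MESSAGE_BYTES = 512
REQUIRED_HEADERS = ("From", "To", "Subject")
SENSITIVE_WORDS = {"nuclear", "bomb"}


def _body_text(msg: Message) -> str:
    """Collect the text/plain body of a message, flattening multipart messages."""
    if msg.is_multipart():
        return "\n".join(
            part.get_payload()
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def inspect_message(raw: str) -> Tuple[str, str]:
    """Return (decision, reason) for one raw RFC 822 message.

    decision is "forward", "discard", or "hold" (set aside for a human to review).
    The checks run in the order the text lists them: headers, size, content.
    """
    msg = email.message_from_string(raw)

    # 1. Header fields: a message lacking the basic envelope headers is discarded.
    for header in REQUIRED_HEADERS:
        if msg.get(header) is None:
            return "discard", f"missing {header} header"

    # 2. Size: enforce the configured ceiling on the whole message.
    size = len(raw.encode("utf-8"))
    if size > MAX_MESSAGE_BYTES:
        return "discard", f"{size} bytes exceeds limit of {MAX_MESSAGE_BYTES}"

    # 3. Content: whole-word match, so "bombastic" does not trigger on "bomb".
    words = set(re.findall(r"[a-z]+", _body_text(msg).lower()))
    hits = sorted(words & SENSITIVE_WORDS)
    if hits:
        return "hold", "sensitive words: " + ", ".join(hits)

    return "forward", "ok"


# Constructed sample messages exercising each branch.
NORMAL = (
    "From: alice@example.com\r\n"
    "To: bob@example.org\r\n"
    "Subject: Lunch\r\n"
    "\r\n"
    "Shall we meet at noon?\r\n"
)
NO_RECIPIENT = "From: alice@example.com\r\nSubject: Lunch\r\n\r\nHello?\r\n"
OVERSIZED = NORMAL + ("x" * 600) + "\r\n"
SENSITIVE = NORMAL.replace(
    "Shall we meet at noon?",
    "The bombastic speech mentioned the nuclear plant.",
)

if __name__ == "__main__":
    for name, raw in [("normal", NORMAL), ("no recipient", NO_RECIPIENT),
                      ("oversized", OVERSIZED), ("sensitive", SENSITIVE)]:
        decision, reason = inspect_message(raw)
        print(f"{name:13} -> {decision:8} ({reason})")
```

Because the gateway parses the message rather than the packets carrying it, it can also flatten multipart bodies before screening them, something a packet filter cannot do.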

Types of Firewalls and their uses
Several types of firewall configuration exist, each with its own advantages and disadvantages. Below is a list of some commonly used configurations:
1. Firewall using Screening Routers
2. Firewall using Dual Homed Gateway
3. Firewall using Screened Host Gateways
4. Firewall using Screened Subnets
5. Firewall using Hybrid Gateways


Essentially, which configuration is adopted by an organization would depend upon the relative importance of the following factors:
1. Damage control: If the firewall is compromised, to what kinds of threats does it leave the private network exposed? If destroyed, to what kinds of threats does it leave the private network exposed?
2. Zones of risk: How large is the zone of risk during normal operation? A measure of this is the number of hosts or routers that can be probed from the outside network.
3. Failure mode: If the firewall is broken into, how easy is this to detect? If the firewall is destroyed, how easy is this to detect? In a post mortem, how much information is retained that can be used to diagnose the attack?
4. Ease of use: How much of an inconvenience is the firewall?
5. Stance: What is the underlying design philosophy of the firewall? There are principally two fundamental philosophies, one of which can be adopted – (a) Whatever is not expressly permitted is forbidden, and (b) Whatever is not expressly forbidden is permitted.
Other factors such as cost, corporate policy, existing network technology, staffing, and organizational politics may also come into play and may influence the technical considerations.
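The following Python example, added here and not part of the original post, ties together the packet-filter section above and the "stance" factor just listed. It models the administrator's rule table (acceptable and blocked source/destination addresses and ports) as a first-match list and runs the same five sample packets through it twice: once under the "not expressly permitted is forbidden" default and once under the "not expressly forbidden is permitted" default. The private address range, the rule table, and the sample packets are constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port, i.e. the service being requested
    direction: str  # "in" = arriving from the Internet, "out" = leaving for it


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    direction: str        # "in", "out" or "any"
    src: str              # CIDR prefix; "0.0.0.0/0" matches any address
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


class PacketFilter:
    """First-match rule table with a default action for traffic no rule mentions."""

    def __init__(self, rules: List[Rule], default: str):
        if default not in ("permit", "deny"):
            raise ValueError("default stance must be 'permit' or 'deny'")
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed: the organization's private address space and its rule table.
PRIVATE_NET = "10.0.0.0/8"
ANY = "0.0.0.0/0"

RULE_TABLE = [
    Rule("deny",   "in",  ANY,         PRIVATE_NET,   "tcp", 23),  # no Telnet from outside
    Rule("permit", "in",  ANY,         "10.0.1.5/32", "tcp", 80),  # only the public web server
    Rule("permit", "out", PRIVATE_NET, ANY,           "tcp", 80),  # staff may browse the web
    Rule("permit", "out", PRIVATE_NET, ANY,           "udp", 53),  # and resolve names
]

# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.1.5", "tcp", 80, "in"),     # request to the web server
    Packet("203.0.113.7", "10.0.1.5", "tcp", 23, "in"),     # Telnet attempt on the same host
    Packet("203.0.113.7", "10.0.2.9", "tcp", 79, "in"),     # Finger probe of a workstation
    Packet("10.0.2.9", "198.51.100.4", "tcp", 80, "out"),   # workstation browsing the web
    Packet("10.0.2.9", "198.51.100.4", "tcp", 119, "out"),  # workstation fetching USENET news
]


def filter_packets(packets: List[Packet], rules: List[Rule], default: str) -> List[str]:
    """Apply the rule table under the given default stance; one decision per packet."""
    pf = PacketFilter(rules, default)
    return [pf.decide(p) for p in packets]


def compare_stances(packets=SAMPLE_PACKETS, rules=RULE_TABLE) -> Dict[str, List[str]]:
    """Run the same traffic under both stances so the difference is visible side by side."""
    return {stance: filter_packets(packets, rules, stance) for stance in ("deny", "permit")}


if __name__ == "__main__":
    for stance, decisions in compare_stances().items():
        print(f"default-{stance}:")
        for pkt, decision in zip(SAMPLE_PACKETS, decisions):
            print(f"  {pkt.direction:3} {pkt.proto}/{pkt.dport:<4} "
                  f"{pkt.src} -> {pkt.dst}: {decision}")
```

The Telnet attempt is dropped under both stances because a rule names it explicitly; the Finger probe and the USENET fetch, which no rule mentions, are the packets whose fate the stance decides. That gap is the practical argument for stance (a): every service the table forgets is closed rather than open.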

