02-06-2012, 05:37 PM
Internet Firewall Tutorial
firewall-wp.pdf (Size: 137.19 KB / Downloads: 40)
What a firewall does

Computer networks are generally designed to do one thing above all others: allow any computer connected to the network to freely exchange information with any other computer connected to the same network.

In an ideal world this is a perfect way for a network to operate, facilitating universal communication between connected systems. Individual computers are then free to decide who they want to communicate with, what information they want to allow access to and which services they will make available. This way of operating is called "host based security", because the individual computers, or hosts, implement the security mechanisms. The Internet is designed in this way, as is the network in your office.
How it Works

A Firewall disrupts free communication between trusted and untrusted networks, attempting to manage the information flow and restrict dangerous free access.

There are numerous mechanisms employed to do this, each one sitting somewhere between completely preventing packets from flowing, which would be equivalent to completely disconnected networks, and allowing free exchange of data, which would be equivalent to having no Firewall.
Simpler Requests: UDP

TCP is a bit cumbersome for simple requests, so a streamlined protocol called User Datagram Protocol (UDP) also exists. It does not have the same connection setup overhead and tends to be used for simpler conversations that involve only a brief information exchange, which can simply be repeated if packets are lost and things go wrong.
Determining Conversation Details

If asked to write down, in English, a security policy that we would like our Firewall to implement, it would probably look something like:

"Allow internal users to access external www servers, but do not allow external users to access our Intranet server".

In order to implement this policy, our Firewall needs to be able to examine packets and determine whether they belong to a conversation that should be allowed or to one that should be blocked.
Stateful Inspection

Stateful inspection takes the basic principles of packet filtering and adds the concept of history, so that the Firewall considers each packet in the context of the packets that came before it.

For example, when it sees a TCP SYN packet it records it in an internal table, and many implementations will then only forward TCP packets that match a conversation already present in that table.

This has a number of advantages over simpler packet filtering:
• It is possible to build up Firewall rules for protocols which cannot be properly controlled by plain packet filtering (e.g. UDP based protocols), because a reply can be matched to the request that preceded it.
• More complete control of traffic is possible.
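As an added example (not from the white paper or the forum post), here is a small Python model of the stateful inspection described above applied to the policy from "Determining Conversation Details": a conversation table keyed on the 5-tuple, new TCP conversations admitted only on a bare SYN, and UDP replies let back in because the outgoing query was recorded. The addresses, ports and the udp/53 rule are constructed assumptions, not part of the tutorial.

```python
from dataclasses import dataclass

# Constructed example network: 10.0.0.0/24 is internal, everything else external.
INTERNAL_PREFIX = "10.0.0."
# The tutorial's policy: internal users may reach external www servers. The udp/53
# entry is an added assumption so the UDP-reply case can be shown as well.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

class StatefulFirewall:
    """Judges each packet in the context of conversations already seen."""
    def __init__(self):
        self.table = set()  # 5-tuples of conversations the policy admitted

    def filter(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. History first: either direction of a recorded conversation passes.
        if key in self.table or reply in self.table:
            return "ALLOW"
        # 2. A new TCP conversation must open with a bare SYN; stray ACKs are dropped.
        if p.proto == "tcp" and p.flags != "S":
            return "DROP"
        # 3. Static policy for new conversations: internal -> external, allowed service.
        outbound = p.src.startswith(INTERNAL_PREFIX) and not p.dst.startswith(INTERNAL_PREFIX)
        if outbound and (p.proto, p.dport) in ALLOWED_OUTBOUND:
            self.table.add(key)  # remember it so the replies can come back
            return "ALLOW"
        return "DROP"

def demo():
    """Constructed traffic mix; returns the verdict for each packet in order."""
    fw = StatefulFirewall()
    traffic = [
        Packet("tcp", "10.0.0.7", 40000, "203.0.113.10", 80, "S"),   # internal -> www
        Packet("tcp", "203.0.113.10", 80, "10.0.0.7", 40000, "SA"),  # its SYN-ACK reply
        Packet("tcp", "203.0.113.99", 5555, "10.0.0.5", 80, "S"),    # external -> intranet
        Packet("tcp", "203.0.113.99", 5555, "10.0.0.5", 80, "A"),    # stray ACK, no state
        Packet("udp", "10.0.0.7", 5353, "203.0.113.53", 53),         # DNS query out
        Packet("udp", "203.0.113.53", 53, "10.0.0.7", 5353),         # DNS reply back
        Packet("udp", "203.0.113.53", 53, "10.0.0.7", 6000),         # unsolicited UDP
    ]
    return [fw.filter(p) for p in traffic]
```

The stray ACK and the unsolicited UDP datagram are exactly the cases a stateless filter cannot distinguish from legitimate replies; the conversation table is what lets the Firewall drop them.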