Learn how firewalls have progressed from simple packet filtering to more sophisticated application-level filtering.
Webopedia.com defines a firewall as “a system designed to prevent unauthorized access to or from a private network.” Although technically accurate, this definition tells us only what a firewall does and doesn’t address the more important question of how it does it. For administrators who are continually focused on keeping their networks secure, it is helpful to take a closer look at the way firewalls function and how they have evolved in recent years to better protect our corporate networks.
First-generation firewalls: Packet filtering
Static packet filters
One of the simplest and least expensive forms of firewall protection is known as static packet filtering. With static packet filtering, each packet entering or leaving the network is checked and either passed or rejected depending on a set of user-defined rules. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. You can compare this type of security to the bouncer at a club who allows people over 21 to enter and turns back those who do not meet the age rule requirements. The static packet filtering firewall examines each packet based on the following criteria:
- Source IP address
- Destination IP address
- TCP/UDP source port
- TCP/UDP destination port
For example, to allow e-mail to and from an SMTP server, a rule would be inserted into the firewall that allowed all network traffic with a TCP source and destination port of 25 (SMTP) and the IP address of the mail server as either the source or destination IP address. If this were the only filter applied, all non-SMTP network traffic originating outside of the firewall with a destination IP address of the mail server would be blocked by the firewall.
Many people have asked the question, “Is a router with an access list a firewall?” The answer is yes, a packet filter firewall can essentially be a router with packet filtering capabilities. (Almost all routers can do this.) Packet filters are an attractive option where your budget is limited and where security requirements are deemed rather low.
But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing, where an intruder tries to gain unauthorized access to computers by sending messages to a computer with an IP address indicating that the message is coming from a trusted host. Information security experts believe that packet filtering firewalls offer the least security because they allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited. Another shortcoming is that this form of firewall rarely provides sufficient logging or reporting capabilities.
Stateful packet inspection
Within the same generation of static packet filtering firewalls are firewalls known as stateful packet inspection firewalls. This approach examines the contents of packets rather than just filtering them; that is, it considers their contents as well as their addresses. You can compare this to the security screener at an airport. A ticket validates that you must be traveling from your source to your destination; however, your carry-on contents must be checked to get to your final destination.
These firewalls are called stateful because they can permit outgoing sessions while denying incoming sessions. They take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. By using something known as session or intelligent filtering, most stateful inspection firewalls can effectively track information about the beginning and end of network sessions to dynamically control filtering decisions. The filter uses smart rules, thus enhancing the filtering process and controlling the network session rather than controlling the individual packets.
Basic routers typically do not perform stateful packet inspections unless they have a special module like the firewall IOS feature in Cisco routers. A dedicated firewall device or server (with software) is usually required when the level of security demands stateful inspection of data in and out of a network. Although stateful packet inspection offers improved security and better logging of activities over static packet filters, it has its drawbacks as well. Setting up stateful packet examination rules is more complicated and, like static packet filtering, the approach allows a direct connection between endpoints through the firewall.
Second-generation firewalls: Proxy services
The next generation of firewalls attempted to increase the level of security between trusted and untrusted networks. Known as application proxy or gateway firewalls, this approach to protection is significantly different from packet filters and stateful packet inspection. An application gateway firewall uses software to intercept connections for each Internet protocol and to perform security inspection. It involves what is commonly known as proxy services. The proxy acts as an interface between the user on the internal trusted network and the Internet. Each computer communicates with the other by passing all network traffic through the proxy program. The proxy program evaluates data sent from the client and decides which to pass on and which to drop. Communications between the client and server occur as though the proxy weren't there, with the proxy acting like the client when talking with the server, and like the server when talking with the client. This is analogous to a language translator who is the one actually directing and sending the communication on behalf of the individuals.
Many information security experts believe proxy firewalls offer the highest degree of security because the firewall does not let endpoints communicate directly with one another. Thus, a vulnerability in a protocol that could slip by a packet filter or stateful packet inspection firewall could be caught by the proxy program. In addition, the proxy firewall can offer the best logging and reporting of activities.
Of course, this security solution is far from perfect. For one thing, to utilize the proxy firewall, a protocol must have a proxy associated with it. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall and potentially dropped. Also, there is usually a performance penalty for using such a firewall due to the additional processing for application-level protocols.
Firewalls evolved: The third generation
The newest generation of firewalls may be defined as state-of-the-art perimeter security integrated within major network components. These systems alert administrators in real time about suspicious activity that may be occurring on their systems. Although it's a lot to swallow, this new generation of firewall has evolved to meet the major requirements demanded by corporate networks of increased security while minimizing the impact on network performance. The requirements of the third generation of firewalls will be even more demanding due to the growing support for VPNs, wireless communication, and enhanced virus protection. The most difficult element of this evolution is maintaining the firewall's simplicity (and hence its maintainability and security) without compromising flexibility.
The most recent category of firewalls attempting to meet this demand performs what has been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to known bit patterns of friendly packets before deciding whether to pass the traffic. Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first glimpse of this new definition of a firewall. Among the products that use this new technology are Check Point’s FireWall-1, Elron Software’s Internet Manager, and SonicWall’s line of access security products.
Whatever generation of firewall you currently use or are considering, the most important thing is to match the product with the specific security requirements of your organization. You don’t want to pay for more than you need or end up with less protection than your organization demands. You may find it helpful to take a look at the list of ICSA-certified firewalls in your evaluation process.