A packet-filtering router usually depends on access rules, that is, rules you set up within the router software itself. A packet filter usually has a rule set that starts with least common and works its way up to most common. What's a rule set? Typically, a rule set looks something like a routing table but includes sockets as well as addresses. Any packet that comes in is compared against rule 1, then rule 2, all the way to the end. If at any time it matches up against a rule, processing stops. For example, for my 192.168.1.0 network, the rules might be as follows:
This means that anybody within my 192.168.1.0 network (provided they come in on router interface 0) can connect to anything they darn well please. If condition 1 was not true, then condition 2 would apply, which denies everything. This is probably the most common firewall configuration: Allow certain sockets (or all sockets) from the inside to go to the outside and disallow all other connections (for example, connections from the outside).
The most effective packet-filtering routers will have a filter on which interface the packet comes in on, in addition to what IP address the packet is from. This helps eliminate packet spoofing, where a packet claims to be from a certain network, but actually is not.
A complex rule set results in confusion and possible misconfiguration. If you're configuring a rule set, you should keep it simple.
You should know that certain applications (such as active FTP) will ask the destination station to initiate a connection back to the requesting workstation, even though it's a TCP application. It's sort of like "Hey Fred, find out when the movie is, then call me back." Under many firewall configurations, this is prohibited, because it means the firewall has to be configured so that a random workstation from the outside can initiate a connection to a random workstation on the inside. Might as well use a colander rather than a firewall!
You can usually get around this type of application problem by using a different mode of the application, for instance, passive FTP, where only the requesting workstation makes connections. Most browsers default to passive FTP, but not all standalone FTP clients do.
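The first-match evaluation described above, worked through in code as an added example (not from the book): the two-rule 192.168.1.0 set is applied to an ordinary outbound request, a packet that claims an inside source address but arrives on the outside interface, and the data connection an active-FTP server tries to open back to the client. Interface names (if0 inside, if1 outside), rule fields and the sample packets are constructed for illustration and are not any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a first-match packet filter modelled on the text's 192.168.1.0
# rule set. Interface names, rule fields and sample packets are constructed for
# illustration and are not any router vendor's syntax.

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    in_iface: Optional[str] = None  # interface the packet arrived on; None = any
    src: Optional[str] = None       # source network (CIDR); None = any
    dport: Optional[int] = None     # destination port (the socket); None = any

    def matches(self, pkt: dict) -> bool:
        if self.in_iface is not None and pkt["in_iface"] != self.in_iface:
            return False
        if self.src is not None and \
                ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

def evaluate(rules, pkt):
    """Compare the packet against rule 1, rule 2, ... and stop at the first match.
    Returns (action, rule number); the trailing catch-all means nothing falls through."""
    for n, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, n
    return "deny", None  # implicit default only if the list has no catch-all

# Rule 1: inside hosts arriving on interface 0 may connect to anything.
# Rule 2: everything else, including all outside-initiated connections, is denied.
RULES = [Rule("allow", in_iface="if0", src="192.168.1.0/24"), Rule("deny")]

# Constructed packets (203.0.113.0/24 stands in for the outside world):
OUTBOUND_WEB = {"in_iface": "if0", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80}
PASSIVE_FTP_CTL = {"in_iface": "if0", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 21}
# Claims an inside source but arrived on the outside interface: spoofed.
SPOOFED = {"in_iface": "if1", "src": "192.168.1.10", "dst": "192.168.1.20", "dport": 23}
# Active FTP: the outside server opens the data connection back to the client.
ACTIVE_FTP_DATA = {"in_iface": "if1", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 5001}

if __name__ == "__main__":
    for name, pkt in [("outbound web", OUTBOUND_WEB), ("passive ftp ctl", PASSIVE_FTP_CTL),
                      ("spoofed", SPOOFED), ("active ftp data", ACTIVE_FTP_DATA)]:
        print(f"{name:16s} -> {evaluate(RULES, pkt)}")
```

The passive-FTP data connection is also opened from the inside, so it matches rule 1 the same way the control connection does; only the active-FTP callback falls through to the deny rule.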
There's usually no logging or accounting on a packet-filtering firewall, although most firewalls will record errors. Here, troubleshooting is very similar to router troubleshooting, with ping, traceroute, and lists of the routing tables and rule sets being your best friends. As with routing problems, symptoms of packet-filtering firewall problems include the inability to reach a host on the other side; unlike a router, though, the symptom of a packet-filtering firewall problem might be the inability to reach a service on the other side.
Newer firewalls that don't care whether they're good routers, and are more interested in being bang-up firewalls, will do all sorts of new tricks. Some of them will perform network address translations (NATs), which enable you to tell the outside world that you're a different address than you really are. This means that if you change Internet Service Providers, you don't have to change your IP numbers, which is nifty. (It used to be that only proxy servers were good for this, because they use two different routing domains anyway, but the firewall vendors have caught up.)
Stateful Multi-Level Inspection is a really neat technology, too. It allows UDP sockets in on a contextual basis, that is, it reads your note to Jenny and then accepts a note back from Jenny only if it seems as though the contents of that note are relevant to what you sent. This requires a very specialized firewall and is very application specific. If the firewall doesn't know Jenny, it can't determine whether the note she sent back to you is real. These firewalls typically come preconfigured with rules for common applications such as Telnet, email, FTP, and so on. If you're having problems using an unusual application through an SMLI firewall, check with the firewall vendor to see how to get support.
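The "note to Jenny" behaviour, as an added example not from the book: a minimal UDP state table that records each outbound request and admits an inbound datagram only if it reverses a request still within its timeout. The tuple layout, the 30-second timeout, the fake clock and the DNS-style sample traffic are constructed for illustration, not any vendor's implementation.

```python
import time

# Added example: a minimal state table of the kind an SMLI firewall keeps for UDP.
# An inbound datagram is accepted only if it answers an outbound request the
# firewall saw recently. Timeout, tuple layout and traffic are constructed.

class UdpStateTable:
    def __init__(self, timeout_s=30.0, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock          # injectable so the demo is deterministic
        self.pending = {}           # (in_ip, in_port, out_ip, out_port) -> expiry time

    def outbound(self, src, sport, dst, dport):
        """An inside host sends a request: remember the flow so a reply may return."""
        self.pending[(src, sport, dst, dport)] = self.clock() + self.timeout_s

    def inbound(self, src, sport, dst, dport):
        """An outside host sends a datagram in: allow only if it reverses a live flow."""
        key = (dst, dport, src, sport)      # a reply swaps the two endpoints
        expiry = self.pending.get(key)
        if expiry is None:
            return "deny"                   # the firewall "doesn't know Jenny"
        if self.clock() > expiry:
            del self.pending[key]
            return "deny"                   # context is stale; the request is long gone
        return "allow"

def demo():
    """Runs the three cases from the text and returns the verdicts."""
    now = [1000.0]                          # constructed fake clock
    table = UdpStateTable(timeout_s=30.0, clock=lambda: now[0])
    # Inside workstation queries an outside DNS server (203.0.113.53 is constructed).
    table.outbound("192.168.1.10", 40000, "203.0.113.53", 53)
    results = {}
    # Reply from that server to the same inside socket: matches the pending request.
    results["reply"] = table.inbound("203.0.113.53", 53, "192.168.1.10", 40000)
    # Unsolicited datagram from some other host to the same inside port: no context.
    results["unsolicited"] = table.inbound("198.51.100.7", 53, "192.168.1.10", 40000)
    # The same legitimate reply, but 60 s later: the context has expired.
    now[0] += 60.0
    results["late_reply"] = table.inbound("203.0.113.53", 53, "192.168.1.10", 40000)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```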
Let's dig a little deeper into the theory behind a proxy server. Think of the proxy server as a receptionist for a spy organization that has two sets of phones: the internal organization telephone (the red phone) and the outside world's phone system. The outside phone system is not directly usable by any of the other agents in the spy agency; they must give a message to the receptionist, who will order out for pizza, arrange for third-party hit men, and so on. The spy organization has it this way so that its circuits are not directly connected to the public telephone network, and a good thing, too! It doesn't mean the receptionist is incorruptible, but at least he's within the organization, fairly trustable, very accountable for his actions, and, of course, easily monitored, because he's the only point of communication between the organization and the outside world.
The important thing to remember is that there are two different types of phone calls, because the receptionist hangs up one line (the red phone) and picks up the outside phone to relay the information on a different call. As such, there are two different routing domains (the two phone systems) involved. Though this sounds mysterious, it really isn't; all it means is that two sets of networks (the red phone and the outside world's phone system) are prevented from talking to each other because the router doesn't share a common network between the two networks (see Figure 15.1).
Figure 15.1 A typical proxy server setup.
Are there still rules involved as to who may call in or out? Definitely. Similar to a packet-filtering firewall, proxy servers typically have a default policy of "deny everything but the following," and you define what is allowed. For example, let's say the company executives all reside on network 4 in Figure 15.1. They have ruled that only they may have Internet access, so the only explicit rule that you would set would be this:
All other traffic, say from network 3, would be denied.