This article is going to make certain assumptions about your degree of
technical literacy. If you don't know what a router is, or subnets or
services, don't worry, I intend to get around to writing about all of it sooner
or later. For now, read on anyway if it's not too frustrating, or come back
when I've explained more.
Firewalls are important today both because the Internet is no longer the
friendly place it once was, and because companies that are paying for resources
don't like to see their employees squander them on non-essential tasks.
Firewalls address these issues in multiple ways, most basically by denying
services to the outside world, and limiting access and even possibly requiring
authentication and/or authorization for local users.
A firewall is, most simply, a router. It ties IP networks together. I have implemented firewalls that were nothing more than a little Cisco with a NAT'ing feature set and ACLs. NAT'ing is Network Address Translation. It allows IP addresses to be changed as they pass through the routing device. It is functionally impenetrable. Unless the device itself is compromised, it is impossible to attack NAT'ed addresses. ACLs are Access Control Lists. They are very effective as far as they go. They simply allow or deny specific services from one side of the device to the other.
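
A simplified model of the NAT and ACL behavior described above, as an added example that is not part of the original article: the ACL is evaluated first-match with an implicit deny, and an inbound packet is delivered only if an earlier outbound connection created a translation entry for it. The names `Rule`, `acl_decide`, `NatRouter` and `DEMO_ACL`, the web-only policy, and the addresses (private and documentation ranges) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dport: Optional[int]   # destination port, i.e. the service; None = any

def acl_decide(rules, proto, src, dst, dport):
    """First matching rule wins; a packet matching no rule is denied."""
    for r in rules:
        if (r.proto == proto
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

class NatRouter:
    """Simplified port-translating NAT: one public address, ACL on outbound traffic."""
    def __init__(self, public_ip, acl):
        self.public_ip, self.acl = public_ip, acl
        self.by_public = {}    # (proto, public port) -> (inside ip, inside port)
        self.by_inside = {}    # (proto, inside ip, inside port) -> public port
        self.next_port = 40000

    def outbound(self, proto, src, sport, dst, dport):
        """Translate an inside packet, or return None if the ACL denies the service."""
        if acl_decide(self.acl, proto, src, dst, dport) != "permit":
            return None
        key = (proto, src, sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[(proto, self.next_port)] = (src, sport)
            self.next_port += 1
        return (self.public_ip, self.by_inside[key], dst, dport)

    def inbound(self, proto, dst, dport):
        """Return the inside (ip, port) a packet is delivered to, or None if dropped."""
        return self.by_public.get((proto, dport)) if dst == self.public_ip else None

# Constructed sample policy: inside hosts may reach web services only.
DEMO_ACL = [
    Rule("permit", "tcp", "192.168.1.0/24", "0.0.0.0/0", 80),
    Rule("permit", "tcp", "192.168.1.0/24", "0.0.0.0/0", 443),
]
```

Calling `outbound()` for an HTTPS connection creates a mapping that `inbound()` will honor for the reply, while a packet to any other public port finds no entry and is dropped.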
Some of the more involved and powerful features of many firewalls are encrypted tunnels and stateful inspection. Encrypted tunnels are often referred to as Virtual Private Networks and are involved enough that I will devote another article to them. Stateful inspection is completely open-ended as far as complexity is concerned, but it is very easy to describe. Some vendors call it application intelligence, and that's a simple way to think about it: the firewall understands what's going on at the application layer. It usually has heuristics for what normal behavior should look like, HTTP transactions for example, and can make the standard sort of drop/log decisions or possibly much more complicated behavior. Operating at the application layer allows it to participate in that higher level conversation, after all.
So, I hope your remaining questions about firewalls are pretty subjective
at this point. Why do you want one, what will you do with it, do you need VPNs,
stateful inspection, redundancy or layer two intelligence? Oh, there's another
article or two I need to write...