Firewalls in Theory and Practice

This article is going to make certain assumptions about your degree of technical literacy. If you don't know what a router is, or subnets or services, don't worry, I intend to get around to writing about all of it sooner or later. For now, read on anyway if it's not too frustrating, or come back when I've explained more.

Firewalls are important today both because the Intrenet is no longer the friendly place it once was, and because companies that are paying for resources don't like to see their employees squander them on non-essential tasks. Firewalls address these issues in multiple ways, most basically by denying services to the outside world, and limiting access and even possibly requiring authentication and/or authorization for local users.

A firewall is, most simply, a router. It ties IP networks together. I have implemented firewalls that were nothing more than a little Cisco router with a NAT'ing feature set and ACL's. NAT'ing is Network Address Translation. It allows IP addresses to be modified as they pass through the routing device. It is functionally almost impenetrable. Unless the device itself is compromised, it is next to impossible to attack NAT'ed addresses. ACL's are Access Control Lists. They are very effective as far as they go. They simply allow or deny specific services from one side of the device to the other (and may log attempts too).

Some of the more complex and powerful features of many firewalls are encrypted tunnels and stateful inspection. Encrypted tunnels are often referred to as Virtual Private Networks and are involved enough that I will devote another article (or two) to them. Stateful inspection is completely open-ended as far as complexity is concerned but it is very easy to describe. Some vendors call it application intelligence and that's a simple way to think about it; the firewall understands what's going on at the application layer. It usually has heuristics for what normal behavior should look like, http transactions for example, and can make the standard sort of drop/log decisions or possibly much more complicated behavior. Operating at the application layer allows it to participate in that higher level conversation, after all.

And then there's the concept of "host-based" firewalls. Personally, I don't much believe in them. That is to say, I absolutely believe in using iptables, ZoneAlarm or whatever TCP/IP ACL manager you deem appropriate for your hosts. But I'd also seriously consider whether you need to be running all those services you're "firewalling". And I call them TCP/IP ACL managers, because I'm picky about semantics. If you're not forwarding packets, then what exactly is that ACL firewalling?

So, I hope your remaining questions about firewalls are pretty subjective at this point. Why do you want one, what will you do with it, do you need VPNs, stateful inspection, redundancy or layer two intelligence? Or just 'host-based'? O, there's another article or two I need to write...

Here's a few.