Firewall is a physical or a logical device, which isolates the traffic between it's interfaces, inspects it and controls the flow of traffic. A simple firewall has two interfaces Inside and Outside.
The following figure shows a simple firewall.
Each interface is assigned a logical security level 0 to 100, by default inside interface having value 100 and outside interface value will be 0. Traffic flow without any restriction from High value interface to low value interface until explicitly denies. If multiple interfaces are each assigned an arbitrary security level, as shown in picture
A firewall is usually presented as a symbol of diode, an electronic component that allows current to pass in one only one direction. Other symbols also are commonly used to represent firewalls. Most of those involve a brick wall with or without flames.
A firewall is having following default behavior:
- In general, outbound connections from a higher security interface to a lower one are allowed, provided that they are permitted by any access lists that are applied to the firewall interfaces.
- All inbound connections from lower security interface to a higher one are blocked.
The default behavior can be changed using so that some inbound connections can be allowed. Also, firewall interfaces can be assigned identical security levels so that traffic is allowed to pass between them.
All traffic is inspected according to a suite of stateful firewall inspection process and algorithms. These are commonly called inspection engines or application layer protocol inspection.
Inbound and outbound connections refer to the direction in which a connection is initiated. For example, if a host on the outside tries to initiate a connection with an inside host, that is an inbound connection.
Keep in mind that an inbound connection is entirely different from traffic that returns in the inbound direction. Return traffic is allowed inbound through the firewall only if it is in response to a previously established outbound connection. The same is true for connections and return traffic in the opposite direction.
A Cisco firewall inspect traffic through a progression of functions, Picture shows the order these functions as a packet arrives at interface X and exits at interface Y. The following sections describe each firewall function.
Types of Firewall
Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls.
Packet Filtering Firewall
Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router. A router is a device that receives packets from one network and forwards them to another network. In a packet filtering firewall each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer. This type of firewall only works at the network layer however and does not support sophisticated rule based models. Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.
Circuit level Gateway
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.
Application level Gateway
Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through. Because they examine packets at application layer, they can filter application specific commands such as http:post and get, etc. This cannot be accomplished with either packet filtering firewalls or circuit level neither of which know anything about the application level information. Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance. This is because of context switches that slow down network access dramatically. They are not transparent to end users and require manual configuration of each client computer.
Stateful Multilayer Inspection Firewall
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer. They allow direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application specific proxies. Stateful multilayer inspection firewalls offer a high level of security, good performance and transparency to end users. They are expensive however, and due to their complexity are potentially less secure than simpler types of firewalls if not administered by highly competent personnel. (See Figure 8)
In this article, I talked about the basics of firewalls used in computer networking. If you have any suggestions and ideas, please feel free to post them at the bottom of this article.