Wednesday, 07 January 2009
Definition: Firewalls
Sunday, 30 October 2005
What Is a Firewall?

A firewall is any device used to prevent outsiders from gaining access to your network. This device is usually a combination of software and hardware. Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses.

To understand how firewalls work, consider some of the subjects discussed earlier in this book. First, most simple authentication procedures use the IP address as an index. The IP address is the most universal identification index on the Internet. This address can be either a static or dynamic address:

* A static IP address is permanent; it is the address of a machine that is always connected to the Internet. There are many classes of static IP addresses. One class can be discovered by issuing a whois query; this class consists primarily of top-level machines in a network, such as domain name servers, Web servers, and root-level machines. These actually have registered hostnames within the whois database at InterNIC. Other classes of static IP addresses are addresses assigned to second- and third-level machines within networks dominated by domain name servers, root servers, Web servers, and so on. These also have permanent physical addresses. However, these machines might or might not possess a registered hostname. In any event, their addresses are registered as well.

* A dynamic IP address is one that is arbitrarily assigned to a different node each time it connects to a network. Dynamic IP is often used by ISPs for dial-up access--each time a node dials up, it is assigned a different IP address.

Whether your address is static or dynamic, it is used in all network traffic that you conduct. For example, as discussed in Chapter 13, "Techniques to Hide One's Identity," a Web server records your IP address when you request a Web page. This is not to intrude on your privacy; it is done so that the server knows how to send you the requested data. In a similar fashion, all network services capture your IP (either temporarily or permanently) so they can return data to your address. In essence, it works much like the postal service: Imagine if every letter mailed had a return address. On the Internet, things are just so. The IP is the return address.

When a connection is made between your machine and a remote machine, various dialogs may ensue. I discussed some of those dialogs in Chapter 6, "A Brief Primer on TCP/IP." A common one--which you are apt to remember--is the TCP/IP three-way handshake. At any rate, such dialogs occur, during which time your IP is known by the target machine.

Under normal circumstances, where no firewall or other superseding utility (such as TCP_Wrapper) has been installed, the dialog between your machine and the remote machine occurs directly (see Figure 27.1).

When I say that information travels directly, that is a very qualified term. As you can see, the process (even without security measures) is complex:

1. The data originates somewhere within Your Network (which, by the way, could refer to a machine in your home). In this case, you are connected to your provider's network. For our purposes, your provider's network is Your Network.

2. Information travels from your machine to a machine on the provider's network. From there, the information travels through an Ethernet cable (or other means of transport) to the main server of Your Network.

3. The server of Your Network passes this information to Router 1, which promptly pours the information through the telephone line (or other high-speed connection) to the Internet at large.

4. The information travels across the Internet (passing through many routers and gateways along the way), ultimately reaching Router 2. Router 2 pipes the information into Their Server; the information is then served via Ethernet (or other transport) to Their Network.

If neither side has installed security measures, the path is deemed (for all purposes) direct. Router 2, for example, allows packets from any source (IP) address to travel directly to Their Server and ultimately, to Their Network. At no point during that travel do the packets meet an obstacle. This is a completely insecure situation. However, for many years, this was the standard. Today, the type of situation illustrated in Figure 27.1 is too dangerous. Over the years, network engineers considered a wide range of solutions, including the firewall.

What Are the Components of a Firewall?

The most fundamental components of a firewall exist neither in software nor hardware, but inside the mind of the person constructing it. A firewall, at its inception, is a concept rather than a product; it is an idea in the architect's mind of who and what will be allowed to access the network. Who and what dramatically influence how network traffic (both incoming and outgoing) is routed. For this reason, constructing a firewall is part art, part common sense, part ingenuity, and part logic.

Suppose the architect knows a Web server must exist on the host network. This Web server will obviously accept connections from almost any IP address. A restricted area, therefore, must be created for that server. In other words, in providing Web services from the host network, the architect must ensure that the Web server does not endanger the remaining portions of the network. Likewise, incoming mail is also an issue.

Specific Components and Characteristics

Firewalls can be composed of software, hardware, or, most commonly, both. The software components can be proprietary, shareware, or freeware. The hardware can be any hardware that supports the software being used.

If hardware, a firewall can (and often does) consist of no more than a router. As you will learn in Chapter 28, "Spoofing Attacks," routers have advanced security features, including the capability to screen IP addresses. This screening process allows you to define which IP addresses are allowed to connect and which are not.

Other implementations consist of both hardware and software. (These can get pretty eclectic. I have seen people using 386 boxes with shareware firewall/bridge products on them.)

In any event, all firewalls share a common attribute: the capability to discriminate, that is, to deny access, generally on the basis of source address.

Types of Firewalls

There are different kinds of firewalls, and each type has its advantages and disadvantages. The most common type is referred to as a network-level firewall. Network-level firewalls are usually router based. That is, the rules of who and what can access your network are applied at the router level. This scheme is applied through a technique called packet filtering, which is the process of examining the packets that come to the router from the outside world.

In a router-based firewall implementation, the source address of each incoming connection (that is, the address from which the packets originated) is examined. After each IP source address has been identified, whatever rules the architect has instituted will be enforced. For example, perhaps the architect decides that no network traffic will be accepted from any address within Microsoft Corporation. Thus, the router rejects any packets forwarded from microsoft.com. These packets never reach the internal server or the network beneath it.

Router-based firewalls are fast. Because they only perform cursory checks on the source address, there is no real demand on the router. It takes no time at all to identify a bad or restricted address. Nevertheless, the speed comes with a price: Router-based firewalls use the source address as an index. That means (barring controls against such access) packets sent from forged source addresses can gain at least some level of access to your server.

In fairness, many packet-filtering techniques can be employed with router-based firewalls that shore up this weakness. The IP address header is not the only field of a packet that can be trapped by a router. As packet-filtering technology becomes more sophisticated, so do the schemes or rules employed by an administrator. One can now even apply rules related to state information within packets, using indexes such as time, protocol, ports, and so forth.
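The following is an added example, not code from the original chapter, that models the router-based packet filter described above as a first-match rule list with a default deny. It shows the three kinds of rule the text mentions: a blanket refusal of one source network, a permit for the exposed Web server, and a "state"-style rule built from header bits (the TCP ACK flag), plus the control the text alludes to against forged source addresses: a packet arriving on the external interface that claims an internal source is dropped. All addresses (192.168.10.0/24 as Their Network, 203.0.113.0/24 as the refused organization, 198.51.100.7 as an outside visitor) are constructed stand-ins from documentation ranges, and the `Packet` and `Rule` types are assumptions made for the example.

```python
"""Toy router-style packet filter: first matching rule wins, default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed addresses (documentation ranges), standing in for Their Network
INTERNAL_NET = ip_network("192.168.10.0/24")
WEB_SERVER = ip_address("192.168.10.5")
# Constructed stand-in for an organisation the architect decides to refuse entirely
BLOCKED_NETS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address (the "return address")
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (TCP/UDP only)
    ack: bool = False   # TCP ACK set: packet belongs to an already-open connection
    iface: str = "ext"  # router interface it arrived on: "ext" (Internet) or "int"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    match: Callable[[Packet], bool]  # predicate over the packet headers


def _src_in(pkt: Packet, nets) -> bool:
    """True if the packet's source address falls inside any of the given networks."""
    return any(ip_address(pkt.src) in net for net in nets)


RULES = [
    # Ingress filter: a packet arriving from the Internet that claims an internal
    # source address is forged by definition. This is the control needed because
    # the router otherwise trusts the source address as its index.
    Rule("anti-spoof", "deny",
         lambda p: p.iface == "ext" and _src_in(p, [INTERNAL_NET])),
    # Blanket refusal of a whole source network (the "no traffic from X" rule)
    Rule("blocked-source", "deny", lambda p: _src_in(p, BLOCKED_NETS)),
    # The restricted service the architect chose to expose: the Web server on TCP/80
    Rule("web", "allow",
         lambda p: p.proto == "tcp" and p.dport == 80
         and ip_address(p.dst) == WEB_SERVER),
    # "State" rule built from header bits: only reply segments of connections the
    # inside opened (ACK set) are let back in; a bare SYN to any other port falls
    # through to the default deny.
    Rule("established", "allow", lambda p: p.proto == "tcp" and p.ack),
]


def filter_packet(pkt: Packet, rules=RULES) -> tuple[str, str]:
    """Return (action, rule name) for the first rule that matches, else default deny."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return "deny", "default"


def filter_all(packets):
    """Apply the rule set to a sequence of packets."""
    return [filter_packet(p) for p in packets]


# Constructed sample traffic arriving at Router 2's external interface
SAMPLE = [
    Packet("198.51.100.7", "192.168.10.5", "tcp", 80),               # visitor -> web server
    Packet("203.0.113.9", "192.168.10.5", "tcp", 80),                # from the refused network
    Packet("192.168.10.3", "192.168.10.5", "tcp", 22),               # forged internal source
    Packet("198.51.100.7", "192.168.10.5", "tcp", 22),               # new connection to SSH
    Packet("198.51.100.7", "192.168.10.8", "tcp", 40000, ack=True),  # reply to outbound connection
]

if __name__ == "__main__":
    for pkt, (action, name) in zip(SAMPLE, filter_all(SAMPLE)):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport:<5} {pkt.proto}  {action:5} ({name})")
```

Rule order matters: the anti-spoof rule sits first so that a forged internal source can never be rescued by a later permit, and the "established" rule illustrates why an ACK-flag check is only a crude approximation of state, since the router is still deciding from header bits alone rather than from a table of connections it has actually seen open.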

However, these are not the only deficiencies of packet-filtering, router-based firewalls. For example:




 
© 2004-2007 Daita.org