Using Firewalls

It is popular these days to connect a corporate network to the Internet. By connecting your private network (only authorized users have access to the data) to a public network (everyone connected has access to the data), you introduce the possibility for security break-ins. For this reason, firewalls are implemented. A firewall protects a private network from unauthorized users on a public network.

Firewalls are usually a combination of hardware and software. The hardware is typically a computer or a dedicated piece of hardware (often called a black box) that contains two network cards. One connects to the public side; the other, to the private side. The software controls how the firewall operates and protects your network. It examines each incoming and outgoing packet and rejects any suspicious packets. In general, firewalls work by allowing only packets that pass security restrictions to be forwarded through the firewall. The Network+ certified system administrator usually does not have the resources to design, install, and manage a firewall. These sections are to help you work in an environment where a firewall is already installed. You might also work as part of a team to install or upgrade your company’s firewall solution. These sections will give you the tools you need to understand the basic operation of a firewall.

Firewalls can be placed on top of an existing operating system or be self-contained. Black box systems are proprietary systems that have external controls and are not controlled by the operating system. If you want to use a general-purpose operating system, you have two options: UNIX and Windows. Both can support third-party firewall products. Novell makes its own firewall product, BorderManager, which is excellent and runs on NetWare. But at the time of this writing, there are few third-party firewall products for NetWare. All Windows NT firewalls should be installed on Windows Server computers rather than on Windows Workstation computers.

Firewall Technologies

There are many firewall technologies, and they differ in the method they use to restrict information flow. Some, such as access control lists and dynamic packet filtering, are themselves used as firewalls. Others, such as proxies and demilitarized zones, are implemented with other firewall technologies to make a more robust, complete implementation.

Two networks with an ACL-enabled router

Access Control Lists (ACL)

The first form of defense for every network connected to the Internet is access control lists (ACLs). These lists reside on your routers and determine which machines (that is, which IP addresses) can use the routers and in what direction. ACLs have been around for decades and have other uses apart from a firewall. Figure 8.1 shows how these lists prevent users on Network B from accessing Network A.

Note that data from users in Network A can pass through the router into Network B. IP spoofing attacks (in which someone, presumably a hacker, pretends to have a network address on the inside of a firewall to gain access to a network) can still occur if a user in Network B pretends to be located in Network A.

The Demilitarized Zone (DMZ)

Most firewalls in use today implement a feature called a DMZ, which is a network segment that is neither public nor local, but halfway between. People outside your network primarily access your web servers, FTP servers, and mail-relay servers. Because hackers tend to go after these servers first, you should place them in the DMZ. A standard DMZ setup has three network cards in the firewall computer. The first goes to the Internet. The second goes to the network segment where the aforementioned servers are located, the DMZ. The third connects to your intranet.

When hackers break into the DMZ, they can see only public information. If they break into a server, they are breaking into a server that holds only public information. Thus, the entire corporate network is not compromised. Finally, no e-mail messages are exposed; only the relay server can be accessed. All actual messages are stored and viewed on e-mail servers inside the network. As you can see in the figure, the e-mail router, the FTP server, and the web server are all in the DMZ, and all critical servers are inside the firewall.

A firewall with a DMZ
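
The three-zone layout just described, expressed as a small stateless rule table plus the ingress (anti-spoofing) check that a plain ACL lacks. This is an added illustration, not code from the page; the networks, server addresses and rule set are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (hypothetical, not from the page): the firewall has
# three cards, one per zone, exactly as the DMZ section describes.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")        # intranet
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")          # DMZ segment
WEB_SERVER = "192.0.2.80"
FTP_SERVER = "192.0.2.21"
MAIL_RELAY = "192.0.2.25"                               # e-mail router in the DMZ
MAIL_SERVER = "10.0.5.25"                               # real mailboxes, inside


@dataclass(frozen=True)
class Packet:
    in_iface: str   # "public", "dmz" or "private": the card the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    proto: Optional[str] = None   # None matches any value
    dport: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in PRIVATE_NET:
        return "private"
    if ip in DMZ_NET:
        return "dmz"
    return "public"


def anti_spoof_ok(pkt: Packet) -> bool:
    """Ingress filter: the source address must belong to the zone of the card
    it arrived on. A packet from the public card claiming a 10.x source is the
    spoof the ACL section warns about, and is dropped before any rule runs."""
    return zone_of(pkt.src) == pkt.in_iface


# Order matters: first match wins, and the implicit last rule is deny.
RULES = [
    Rule("public", "dmz", "tcp", 80, dst=WEB_SERVER),
    Rule("public", "dmz", "tcp", 21, dst=FTP_SERVER),
    Rule("public", "dmz", "tcp", 25, dst=MAIL_RELAY),
    Rule("dmz", "private", "tcp", 25, src=MAIL_RELAY, dst=MAIL_SERVER),
    Rule("private", "dmz"),
    Rule("private", "public"),
]


def decide(pkt: Packet) -> str:
    """Return 'ALLOW' or 'DROP' for one packet (stateless, ACL-style)."""
    if not anti_spoof_ok(pkt):
        return "DROP"
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in RULES:
        if (r.from_zone, r.to_zone) != (src_zone, dst_zone):
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.src is not None and r.src != pkt.src:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        return "ALLOW"
    return "DROP"   # implicit deny: nothing else crosses a zone boundary
```

Because the table is stateless, replies to a private workstation's own outbound request would also be dropped by these rules; that is the gap the dynamic packet filtering section below addresses.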

Protocol Switching

Protocol switching protects data on the inside of a firewall. Because TCP/IP is the protocol used on the Internet, many external types of attacks, including the Ping of Death and SYN floods (discussed later in this chapter), are based on this protocol stack. You can choose between two common approaches:

_ Use a different protocol (not TCP/IP) on the internal network inside the firewall. For example, IP-based attacks aimed at your development server will never have any effect if you are using IPX on the internal network side of a router. This approach makes a router a natural firewall.
_ Use TCP/IP on both the internal network and the Internet, and use a different protocol in a dead zone between them. For example, switch from IP to IPX in a dead zone, and then switch back to IP again once inside your network.

You can see both approaches in Figure 8.3. Notice the position of the dead zone between two of the routers, and also notice that the only protocol on the inside of either router is IPX. Any TCP/IP packet from the Internet is unable to pass into the local network because of the difference in protocols. In both approaches, only the internal network is protected. You still need a firewall to handle any attacks on your network’s access point and protocol switching device.


Protocol switching with and without a dead zone

Dynamic Packet Filtering

Packet filtering is the ability of a router or a firewall to discard packets that don’t meet certain criteria. Firewalls use dynamic packet filtering to ensure that the packets they forward match sessions initiated on their private side. A dynamic state list (also known as a state table), held on a firewall, keeps track of all communications sessions between stations inside the firewall and stations outside the firewall. This list changes as communications sessions are added and deleted. Dynamic state lists allow a firewall to filter packets dynamically.

In dynamic packet filtering, only packets for current (and valid) communications sessions are allowed to pass. Someone trying to play back a communications session (such as a login) to gain access will be unsuccessful if the firewall is using dynamic packet filtering with a dynamic state list because the data sent would not be recognized as part of a currently valid session. The firewall will filter out (or “drop”) all packets that don’t correspond to a current session using information found in the dynamic state list. For example, a computer in Network A requests a Telnet session with a server in Network B. The firewall in between the two keeps a log of the communication packets that are sent each way. Only packets that are part of this current communication session are allowed back into Network A through the firewall.

A failed attempt to infiltrate a network that is protected with a dynamic state list. Notice that the hacker attempts to insert a packet into the communication stream but fails because they did not have the correct packet number. The firewall was waiting for a specific order of packets, and the hacker’s packet was out of sequence.
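
The Telnet example above as a constructed simulation (added here, not part of the original text): a toy state table keyed on the session's addresses and ports that tracks the next sequence number it expects from the outside, so the injected and replayed segments are dropped. TCP handling is deliberately simplified (in-order only, no window or retransmission).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # simplified: "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int            # sender's sequence number
    length: int = 0     # payload bytes carried


class StatefulFilter:
    """A toy dynamic state list. Sessions are created only by SYNs leaving the
    private side; inbound segments pass only if a matching entry exists and the
    sequence number is the one the entry expects next."""

    def __init__(self, private_net: str):
        self.private_net = ipaddress.ip_network(private_net)
        # key: (inside ip, inside port, outside ip, outside port)
        self.table: Dict[Tuple[str, int, str, int], dict] = {}

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.private_net

    def handle(self, seg: Segment) -> str:
        if self._inside(seg.src) and not self._inside(seg.dst):
            return self._outbound(seg)
        if self._inside(seg.dst) and not self._inside(seg.src):
            return self._inbound(seg)
        return "DROP"       # does not cross the firewall at all

    def _outbound(self, seg: Segment) -> str:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "SYN":
            self.table[key] = {"state": "SYN_SENT", "expect_in": None}
            return "ALLOW"
        # anything else must belong to a session the inside station opened
        return "ALLOW" if key in self.table else "DROP"

    def _inbound(self, seg: Segment) -> str:
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        entry = self.table.get(key)
        if entry is None:
            return "DROP"   # nobody inside asked for this
        if entry["state"] == "SYN_SENT" and seg.flags == "SYN-ACK":
            entry["state"] = "ESTABLISHED"
            entry["expect_in"] = seg.seq + 1      # the SYN consumes one number
            return "ALLOW"
        if entry["state"] == "ESTABLISHED" and seg.seq == entry["expect_in"]:
            entry["expect_in"] += seg.length
            return "ALLOW"
        return "DROP"       # out of sequence: a replayed or injected segment


def telnet_scenario() -> List[str]:
    """Constructed trace of the Telnet session from the text, with one segment
    injected by a third host and one segment replayed by the server's peer."""
    fw = StatefulFilter("10.0.0.0/8")
    client, server, intruder = "10.0.0.5", "203.0.113.23", "198.51.100.9"
    trace = [
        Segment(client, 40000, server, 23, "SYN", seq=100),
        Segment(server, 23, client, 40000, "SYN-ACK", seq=5000),
        Segment(client, 40000, server, 23, "ACK", seq=101),
        Segment(server, 23, client, 40000, "DATA", seq=5001, length=12),
        Segment(intruder, 23, client, 40000, "DATA", seq=7777, length=5),  # no entry
        Segment(server, 23, client, 40000, "DATA", seq=5001, length=12),   # replay
        Segment(server, 23, client, 40000, "DATA", seq=5013, length=4),    # next valid
    ]
    return [fw.handle(s) for s in trace]
```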

Proxy Servers

Proxy servers (also called proxies, for short) act on behalf of a network entity (either client or server) to completely separate packets from internal hosts and from external hosts. Let’s say an internal client sends a request to an external host on the Internet. The request is first sent to a proxy server, where it is examined, broken down, and handled by an application. That application then creates a new packet requesting information from the external server. Figure 8.5 shows the process. Note that this exchange is between applications at the Application layer of the OSI model.

A hacker denied by a dynamic state list

A packet going to a proxy

Proxies are good firewalls because the entire packet is dissected and each section can be examined for invalid data at each layer of the OSI model. For example, a proxy can examine a packet for information contained in everything from the packet header to the contents of the message. Attachments can also be checked for viruses. Messages can be searched for keywords that might indicate the source of a packet.

You can use this type of searching to prevent sensitive information from exiting your organization with the outbound data stream. If your sensitive documents contain a header or footer that includes the words MyCompanyName Confidential, you can set up your proxy server software to search for those keywords. This level of detailed searching degrades performance, however, because it is more time-intensive than checking state lists.

There are many types of proxy servers:

IP Proxy An IP proxy hides the IP addresses of all stations on the internal network by exchanging its IP address for the address of any requesting station. You do not want a hacker to know IP addresses specific to your internal network. Web servers on the Internet will also be unable to determine the specific IP address from which a request is being sent. All communications look as if they originate from the proxy server. This type of proxy is also known as a Network Address Translation (NAT) proxy.

Web (HTTP) Proxy Web proxies (also called HTTP [Hypertext Transfer Protocol] proxies) handle HTTP requests on behalf of the sending workstation. When a web proxy is implemented correctly, a client’s web browser asks a web server on the Internet for a web page using an HTTP request. Because the browser is configured to make HTTP requests using an HTTP proxy, the browser sends the request to the proxy server. The proxy server changes the From address of the HTTP request to its own network address and sends it to the Internet web server. The response to the HTTP request goes directly to the proxy (because it replaced the sender’s address with its own). The proxy server then replaces its address with the address of the original sender, and the response is delivered to the original sender.

The most popular implementation of a web proxy is a proxy cache server. This server receives an HTTP request from a web browser and then makes the request on behalf of the sending workstation. When the requested page is returned, the proxy server caches a copy of the page locally. The next time someone requests the same web page or Internet information, the page can be delivered from the local cache instead of the proxy server having to formulate a new request to the web server on the Internet. This speeds up web surfing for commonly accessed pages. Web proxies can also increase network security by filtering out content that is considered insecure, such as executables, scripts, or viruses.

FTP Proxy FTP proxies handle the uploading and downloading of files from a server on behalf of a workstation. An FTP proxy operates in a fashion similar to that of a web proxy. As with web proxies, FTP proxies can filter out undesirable content (viruses and the like).

SMTP Proxy SMTP proxies handle Internet e-mail. Here, the actual contents of the packet and mail can be automatically searched. Any packets or messages that contain material that is not considered secure can be blocked. Many SMTP proxies allow network virus protection software to scan inbound mail.
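
The IP (NAT) proxy described above, as an added Python example that is not from the page: a constructed translation table that rewrites each outbound packet to the proxy's own address and a proxy-chosen port, maps the reply back to the station that asked for it, and discards inbound packets that no inside station requested. All addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class IpProxy:
    """Toy NAT-style IP proxy: every outbound packet leaves with the proxy's
    own address; the mapping is remembered so the reply can be handed back
    to the internal station, which the outside server never sees."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self._next_port = first_port
        # proxy port -> (inside ip, inside port, outside ip, outside port)
        self._by_port: Dict[int, Tuple[str, int, str, int]] = {}
        # (inside ip, inside port, outside ip, outside port) -> proxy port
        self._by_flow: Dict[Tuple[str, int, str, int], int] = {}

    def send_out(self, pkt: Packet) -> Packet:
        """Rewrite an internal station's packet for the Internet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._by_flow.get(key)
        if port is None:
            port = self._next_port          # a distinct port per internal flow
            self._next_port += 1
            self._by_flow[key] = port
            self._by_port[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the Internet: the packet rewritten for the inside
        station, or None (dropped) when nothing inside asked for it."""
        if pkt.dst != self.public_ip:
            return None
        key = self._by_port.get(pkt.dport)
        if key is None:
            return None                     # unsolicited: no mapping exists
        inside_ip, inside_port, outside_ip, outside_port = key
        if (pkt.src, pkt.sport) != (outside_ip, outside_port):
            return None                     # reply from the wrong peer
        return replace(pkt, dst=inside_ip, dport=inside_port)
```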

Not every firewall falls into a category. Traditional firewall vendors are adding features to their firewalls to make them difficult to classify. Vendors who traditionally offered packet-filtering solutions are now also offering proxy solutions, and vendors who traditionally offered proxy solutions are now also offering packet-filtering solutions. The network administrator can now get a packet-filtering firewall and a proxy firewall combined into one product. Dual-style firewalls are considered hybrids.

Security Protocols

The security of data that is traversing the Internet is of prime concern to many people, including business owners. For the most part, data is sent across the Internet without any encryption or security. Sensitive data, however, is usually sent using one of several different security protocols. Security protocols are those sets of conditions or rules that define how a secure connection is maintained when transmitting data via an insecure medium (like the Internet or a wireless connection).

The Network+ exam tests your knowledge of several:

_ Layer 2 Tunneling Protocol (L2TP)
_ Internet Protocol Security (IPSec)
_ Secure Sockets Layer (SSL)
_ Kerberos
_ Wired Equivalent Privacy (WEP)
_ Wi-Fi Protected Access (WPA)
_ 802.1x
_ Password Authentication Protocol (PAP)
_ Challenge Handshake Authentication Protocol (CHAP)
_ Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
_ Remote Authentication Dial-In User Service (RADIUS)

1. L2TP

The Layer 2 Tunneling Protocol (L2TP) is a protocol that was designed by the Internet Engineering Task Force (IETF) and supports non-TCP/IP protocols in virtual private networks (VPNs) over the Internet. It’s a combination of the Microsoft Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technology. Because it operates at the Data Link layer (layer 2) of the OSI model, it supports many different protocols, such as IPX and AppleTalk. It’s a good protocol to implement when you have two non-TCP/IP networks that need to be connected via the Internet.

2. IPSec

IP Security, or IPSec, is a security protocol designed by the IETF to provide authentication and encryption over the Internet. IPSec works at the Network layer of the OSI model (layer 3) and secures all applications that operate above it (layer 4 and above). Additionally, because it was designed by the IETF and designed to work with IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the Internet. However, if you need to run IPX versions of NetWare through VPN tunnels across the Internet, PPTP would be your best bet because PPTP is based on PPP, which supports IPX through its IPX Control Protocol (IPXCP).

3. SSL

The Secure Sockets Layer (SSL) security protocol was developed by Netscape for integration into its Navigator browser. SSL is based on RSA public key encryption and is used to provide secure Session layer connections over the Internet between a web browser and web server. It is service independent, so many different network applications can be secured using SSL. The HTTP Secure (HTTPS) protocol is based on SSL. Eventually, SSL was merged with other Transport layer security protocols by the IETF to form a new protocol called Transport Layer Security (TLS).

4. Kerberos

Kerberos is not just a protocol, but an entire security system. Created at MIT, it establishes a user’s identity when they first log on to a system that uses Kerberos. That identity and its security credentials are then used throughout an entire logon session. It uses strong encryption to encrypt all transactions and communication. This encryption is freely available, and the source code for it can be freely downloaded from many different sites on the Internet.

5. WEP

Wired Equivalent Privacy (WEP) is used to provide basic security for a wireless 802.11b local area network. The WEP protocol is used to encrypt data being transmitted over a wireless 802.11b network. It is a lower-layer security protocol, and it encrypts the data before transmission using an algorithm known as RC4. To encrypt the data, a string of characters known as a key is used. The key is made up of a random number known as the Initialization Vector (IV) plus a string of text chosen by the administrator or user who sets up WEP on a device. The keys used to encrypt the data stream are usually 40, 64, or 128 bits long.

6. WPA

Wi-Fi Protected Access (WPA) is a standard that improves upon the original design of WEP. It was designed to be compatible with WEP-enabled hardware and software and can usually be implemented with a simple software upgrade. In order to provide this enhanced security, WPA adds two main components: TKIP and user authentication. Temporal Key Integrity Protocol (TKIP) encrypts the keys so they are more difficult for an eavesdropper to intercept. WPA’s user authentication uses the Extensible Authentication Protocol (EAP), which is a form of public key encryption, to ensure that the user using the wireless network is a valid user.

7. EAP

Extensible Authentication Protocol (EAP) is an extension to PPP that provides a host of additional authentication methods for remote access clients. Examples include smart cards, certificates, Kerberos, and biometric schemes, such as retinal scans and fingerprint and voice recognition. While EAP itself does not provide mutual authentication, enhanced forms of the protocol do; examples are EAP-TLS and EAP-TTLS. EAP-TTLS, a tunneled version of EAP-TLS, creates a secure tunnel through which to run password-based versions of EAP, such as EAP-MD5.

8. 802.1x

Even the IEEE recognizes the potential security holes in wireless networking. To that end, it has designed the IEEE 802.1x standard as a method for authenticating wireless users. 802.1x is an open framework designed to support multiple authentication schemes. Before a client (known as a supplicant in 802.1x parlance) can communicate on a wireless network, it asks the access point (known as an authenticator) for permission to enter and provides its credentials. The access point passes those credentials to a centralized authentication server (such as a RADIUS server). The server sends back an accept message to the access point if the authentication method is successful, and the access point will then allow the user to connect to the wireless network. It is important to note that 802.1x will allow no access to any wireless ports of any kind (except for 802.1x/EAP traffic during authentication) until the user is authenticated. Also, encryption is not required for use with 802.1x. It is an authentication method only, but it can provide significant security measures, even without WEP keys.

9. PAP

Of all the authentication schemes in use today, the Password Authentication Protocol (PAP) is arguably the simplest. In PAP, pairs of usernames and passwords are used. When a client wants to authenticate to a server, for example, the client sends the username and password to the server over the network. The username and password are sent in clear text, that is to say, unencrypted. The server receives the username and password and compares them to an encrypted, locally stored table of username-password pairs. If the username and password are a match, the client is authenticated. Although it is simple, PAP is easily cracked because the username and password are sent in easily readable text form over the network. Anyone with a simple “sniffing” program can intercept a username and password.

10. CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a significant improvement over PAP. In CHAP, the username and password never cross the wire. Instead, both the client and server are configured with the same text phrase (known as a shared secret). When a client requests to be authenticated, the server sends out a random value (known as a nonce) plus an ID value to the client. The client takes these two strings, concatenates them with the shared secret, and then generates a one-way hash value using the MD5 hash algorithm. This hash value is transmitted back to the server (which has performed the same computation using the same values and the same shared secret). The server compares the hash received from the client with the hash value it has calculated. If they match, the client is authenticated.
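
PAP and CHAP side by side, as an added Python example that is not from the page: the PAP message carries the password itself, while the CHAP server hands out a fresh random challenge that can be answered exactly once, so a captured response is useless against the next challenge. The hash input order follows RFC 1994 (identifier, then secret, then challenge); the user database is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed user database (hypothetical). PAP compares the received
# password; CHAP needs the shared secret itself on the server side.
USERS: Dict[str, str] = {"alice": "correct-horse-battery"}


# ---- PAP: the credentials themselves cross the wire ----------------------
def pap_request(username: str, password: str) -> bytes:
    """What the client puts on the link: username and password, unencrypted."""
    return b"PAP " + username.encode() + b" " + password.encode()


def pap_verify(wire: bytes) -> bool:
    """Server side: anyone who saw `wire` in transit can replay it."""
    _, username, password = wire.decode().split(" ", 2)
    stored = USERS.get(username, "")
    return hmac.compare_digest(stored.encode(), password.encode())


# ---- CHAP (RFC 1994): only a challenge and a hash cross the wire ---------
def chap_response(identifier: int, challenge: bytes, secret: str) -> bytes:
    """Client side: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    def __init__(self) -> None:
        self._next_id = 0
        self._pending: Dict[int, bytes] = {}   # outstanding challenges, used once

    def challenge(self) -> Tuple[int, bytes]:
        """Issue an ID and a fresh random nonce for one authentication attempt."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # CHAP identifier is one octet
        nonce = os.urandom(16)
        self._pending[ident] = nonce
        return ident, nonce

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(ident, None)   # a challenge answers once
        secret = USERS.get(username)
        if nonce is None or secret is None:
            return False
        expected = chap_response(ident, nonce, secret)
        return hmac.compare_digest(expected, response)


def chap_session(username: str, secret_guess: str) -> bool:
    """One complete challenge/response round trip between client and server."""
    server = ChapServer()
    ident, nonce = server.challenge()
    response = chap_response(ident, nonce, secret_guess)
    return server.verify(ident, username, response)
```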

11. MS-CHAP

Microsoft has its own variation of CHAP known as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). It works basically the same way as CHAP, except for a couple of items. First of all, CHAP requires that the shared secret be stored locally in clear text. Microsoft decided to take out that requirement and encrypt the secret locally. While CHAP provides authentication of the client by the server only, MS-CHAP version 2 is capable of mutual authentication, so that the client can be sure the server is legitimate as well. Version 1 of the protocol, however, was not capable of mutual authentication. Also, the encryption method used to generate the one-way hash in MS-CHAP is DES. Finally, as you may have already guessed, MS-CHAP doesn’t work on Linux or other platforms; it’s a Windows-only protocol.

12. RADIUS

Despite what its name suggests, the Remote Authentication Dial-In User Service (RADIUS) is not a dial-up server. Although that may have been its origin (dial-up authentication at ISPs), it has blossomed into more of a verification service. RADIUS is an authentication and accounting service. It is used for authenticating users over various types of links, including dial-up. Many ISPs use a RADIUS server to provide a central location for all of the usernames and passwords of their clients. All of the dial-up modem banks are then configured to pass authentication requests to the RADIUS server. It is also used in firewalls. If a user wants to access a particular TCP/IP port, they must provide a username and password. The firewall then contacts the RADIUS server to verify the credentials given. If successful, the user is granted access to that port.

Comparing Firewall Operating System Platforms

Most firewalls are implemented as a combination of hardware and software. The hardware is typically a server-class machine. The software is usually specially written and sits on top of a network operating system. Firewalls are typically dedicated computers (that is, they don’t do file/print serving or perform any other network function). Let’s briefly look at the major network operating systems and how each implements a firewall.

The UNIX Operating System

UNIX is the network operating system on which the Internet is based and, as such, is also the network operating system on which firewalls are based. In UNIX, you can unload and lock down individual services. This means that you can configure a UNIX server so that only the firewall service is up and running. Proponents of UNIX argue that it is more secure than other operating systems because nonessential services can be removed, though knowledgeable Microsoft or Novell administrators can do the same with Windows and NetWare.

To support multiple segments, the firewall needs a number of network interface cards. An advantage of using UNIX-based firewalls is that they allow the most network cards (more than 32). NetWare has a practical limit of 16, and Windows is currently limited to 4.

As you learned in Chapter 5, UNIX is a command-line-based operating system and thus doesn’t lend itself to being the most user-friendly firewall platform in the world. However, since the introduction of the X Window interface (and firewall software’s adoption of it), UNIX-based firewalls have become easier to use.

Finally, because firewalls must examine hundreds, even thousands, of packets per second, speed is a major factor in all firewall platforms. Many companies make security products for both UNIX and Windows NT/2000. UNIX implementations tend to be significantly faster than Windows NT/2000 implementations. If you’re communicating over a T1 line, however, platform speed won’t create a bottleneck. This only becomes a problem when your corporation gets into the higher connection speeds that T3, OC3, and other connections provide (and therefore your firewall must be examining more packets per second). In these cases, you should consider UNIX-based firewall implementations.

The NetWare Operating System

NetWare, through the leverage of NDS, provides for easy network administration through NetWare Administrator, the graphical utility that runs on Windows 95/98 and Windows NT/2000. The primary firewall is Novell’s own product, BorderManager. BorderManager installs onto NetWare servers and has a NetWare Administrator snap-in. With this feature, you can continue to use familiar NetWare tools to manage the many aspects of your network, including the firewall.

As a firewall platform NetWare offers two major benefits: speed (which is discussed shortly) and client compatibility. NetWare is compatible with just about every client platform, including Mac OS, Windows 95/98, Windows NT/2000, DOS, and OS/2. NetWare (with BorderManager) can offer firewall protection for all of these client platforms.

BorderManager integrates with NDS and thus can be managed with NetWare’s single administration utility, NetWare Administrator. This makes BorderManager an easy-to-use firewall product, especially for experienced NetWare network administrators.

NetWare’s core operating system has been optimized for the Intel platform, which is cheap and widely available. Apart from UNIX running on a RISC processor, NetWare is considered by the IT industry to be the fastest and most efficient network operating system. BorderManager running on NetWare is one of the fastest firewall software packages available.

The Windows Operating System

As Windows becomes more and more popular, firewall developers are porting their software from UNIX to Windows. However, because of security problems associated with Windows, it doesn’t rival UNIX or NetWare for firewall installations. As these problems are solved (through patches and other fixes, and likely in future editions of Windows), Windows NT and 2000 will gain ground in the firewall market.

Most third-party, Windows-based firewalls can integrate with Windows Domain/Active Directory security. This allows proxies to use Windows usernames and passwords.

The primary advantage of a Windows firewall is that it can be managed through a graphical user interface, as can Windows itself. Windows servers (and thus firewalls based on them) are more intuitive to the general user than a UNIX operating system, with almost the same level of features. If your network support staff is well versed in Windows, the learning curve for a new firewall will not be as steep as that for another operating system.

Windows, however, isn’t the fastest network operating system platform, mainly because of the overhead required to maintain the graphical interface; thus, firewalls running on it aren’t the fastest. To address this issue, some firewall vendors are adding hardware accelerator cards to increase firewall throughput. Microsoft is advancing the line of Windows servers to utilize more than a dozen CPUs and gigabytes of memory in one box so that performance can be increased to much higher levels. These new features will make Windows NT much faster and thus more effective as a firewall platform. With the advent of Windows 2000 servers, high-end throughput speeds are possible.

The Black Box

A black box firewall implementation is your fourth choice. You do not know what operating system is inside the box, but it is definitely not Windows. It might be a special implementation of UNIX or a completely proprietary system. These implementations tend to have the fastest throughput because they are designed specifically as firewalls rather than as file and print network operating systems that run firewall software. Cisco’s PIX Firewall is an example of a proprietary black box system.

The major feature of a black box firewall is simplicity. You don’t have to worry about extraneous features such as file or print services. The box is only a firewall, not a server and a firewall.

Ease of use is not, however, a feature of a black box, which often lacks a screen or an input device. The administrator must rely on connecting to the black box using an external keyboard or terminal to change firewall configuration data. This is not typically a problem with firewalls that don’t require significant configuration (as in simpler network implementations). In this case, once the firewall is configured, you can pretty much leave it alone.

Given the dedicated nature of black box firewalls (they aren’t used to provide other network services) and that they are designed from the ground up as firewalls, they are often very efficient and fast. They use RISC processors and operating systems designed specifically for a firewall. Unfortunately, black boxes cannot be upgraded easily and often must be replaced as new technology is released.
