Firewalls are responsible for either "blocking" or "allowing" data traffic to an internal network. By default, firewalls use what is called "implicit deny": until a network administrator explicitly allows a certain type of traffic, it is blocked. The data traffic that a network administrator blocks or allows is defined in the Access Control List. Firewalls and routers have access control lists to control what data traffic they accept or forward.
In order to determine which ports are open on the firewall, the Network Administrator will commonly run what is referred to as a port scanner. Knowing where the openings or holes are in the firewall leads to increased port security. Well-known port scanners include Network Mapper (NMAP) and SuperScan.
Firewalls can be implemented in software or in a physical piece of hardware such as a network appliance. Software-based firewalls are typically Host-based Firewalls, while Network-based Firewalls are typically found on network appliances (e.g. Barracuda).
Figure 1 Screenshot of Windows Firewall with Advanced Security
There are two classes of firewalls: stateful and stateless.
Stateless: A stateless firewall is one that just does packet filtering. The stateless firewall only checks the source and destination IP address, the port number and the inbound/outbound status of the packet. Stateless firewalls operate at the Network Layer of the OSI Model.
Stateful: A stateful firewall checks the data packets for information to ensure the packet has not been spoofed (i.e. faked or forged). A stateful firewall can analyze the data stream made between two hosts before it allows traffic to pass through the firewall. Stateless firewalls are faster than stateful firewalls because they have less data/information to process.
It should also be noted that stateful firewalls operate at the Application Layer of the OSI model. Stateful Packet Inspection (SPI) further describes stateful firewalls: SPI monitors incoming data packets and ensures they correspond to a previous outgoing request. Data packets are blocked if they were not requested.
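The difference between the two classes is easiest to see on a concrete packet sequence. The following is an added example, not code from the original text: a toy stateless filter that decides on header fields alone, beside a toy stateful (SPI) filter that records outbound flows and admits only their replies. The addresses, port numbers and rule set are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out": leaving the protected network; "in": arriving from outside


class StatelessFilter:
    """Stateless packet filter: decides on header fields alone, one packet at a time."""

    def __init__(self, rules):
        # Each rule: (direction, lowest dst port, highest dst port, action); first match wins.
        self.rules = rules

    def decide(self, pkt):
        for direction, low, high, action in self.rules:
            if pkt.direction == direction and low <= pkt.dst_port <= high:
                return action
        return "deny"  # implicit deny: nothing matched, so the packet is blocked


class StatefulFilter:
    """Stateful packet inspection: records outbound flows and admits only their replies."""

    def __init__(self, outbound_ports):
        self.outbound_ports = outbound_ports  # destination ports hosts may open connections to
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port) of allowed outbound flows

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port in self.outbound_ports:
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "deny"
        # Inbound: a genuine reply has the mirror image of a recorded outbound flow.
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reply_of in self.flows else "deny"


def compare_filters():
    """Run a constructed three-packet sequence through both filters; return their decisions."""
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "out")      # host opens HTTPS to a web server
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in")         # the server's answer
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 51000, "in")   # nobody inside asked this peer

    # To let any reply in, the stateless filter has to open the whole ephemeral port range.
    stateless = StatelessFilter([("out", 443, 443, "allow"), ("in", 49152, 65535, "allow")])
    stateful = StatefulFilter(outbound_ports={80, 443})

    results = {}
    for name, fw in (("stateless", stateless), ("stateful", stateful)):
        results[name] = [fw.decide(p) for p in (request, reply, unsolicited)]
    return results


if __name__ == "__main__":
    for name, decisions in compare_filters().items():
        print(name, decisions)
```

The stateless filter returns allow for all three packets, because the only way it can admit the legitimate reply is a standing rule that also admits the unsolicited packet to the same port. The stateful filter allows the request and its reply but denies the unsolicited packet, which is exactly the "blocked if not requested" behaviour SPI describes.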
Data Traffic Controls
Firewalls are not the only tools used to control data traffic. Review the following types of data traffic controls: demilitarized zone (DMZ), network address translation (NAT) and port address translation (PAT).
DMZ: A network administrator will often place servers or other network equipment in the demilitarized zone (DMZ). This prevents users who need access to company information from compromising the internal network.
For instance, a hotel chain needs to provide customers with a web server to browse and book hotel rooms; these web servers can be placed in the DMZ so external users can access them while the internal network is not exposed. The DMZ can also be used to specify what types of data traffic are allowed within it. The DMZ is where the protected network segments of an organization intersect with the public network or internet.
NAT/PAT: Network address translation (NAT) and port address translation (PAT) were explained in the installation and configuration chapter; however, NAT also plays an important role in network security. NAT prevents unwanted users from identifying the internal (private) IP addressing scheme. Web and email servers can be located inside the protected network by configuring firewalls to forward HTTP and SMTP traffic to specific ports; port forwarding is one example.
Port forwarding and PAT are two different techniques and should not be confused. Port forwarding is something that a Network Admin configures on a firewall, router, or gateway, whereas PAT is used to forward data packets back to the specific host that sent them from a network address translated (NAT) environment.
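The two techniques are easier to keep apart when the gateway's tables are written out. Below is an added example, not code from the original text: a toy NAT gateway with one public IP whose PAT table is learned from outbound traffic, and a separate, statically configured port-forwarding table. All addresses and ports are constructed, and the PAT table is simplified to key on the public port alone (a real gateway also records the remote endpoint).

```python
from itertools import count


class NatGateway:
    """One public IP in front of a private network.

    PAT rewrites the source of outbound packets to (public_ip, unique public port) and
    remembers the mapping so replies find their way back. Port forwarding is a static
    rule the administrator configures for inbound traffic to a chosen server.
    """

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_public_port)
        self.pat_table = {}   # public_port -> (private_ip, private_port); learned dynamically
        self.forwards = {}    # public_port -> (private_ip, private_port); configured by the admin

    def add_port_forward(self, public_port, private_ip, private_port):
        """Static rule: traffic arriving on public_port goes to one internal server."""
        self.forwards[public_port] = (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """PAT: hide the private source behind the public IP and a unique public port."""
        for pub_port, inside in self.pat_table.items():
            if inside == (src_ip, src_port):          # flow already known: reuse its mapping
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = next(self._ports)
        self.pat_table[pub_port] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def translate_inbound(self, dst_port):
        """Where an inbound packet addressed to (public_ip, dst_port) is delivered, or None."""
        if dst_port in self.pat_table:               # reply to a translated outbound flow
            return self.pat_table[dst_port]
        return self.forwards.get(dst_port)           # static port forward, else drop: scheme stays hidden


def demo():
    """Constructed scenario: two internal hosts using the same source port, plus a web forward."""
    gw = NatGateway("198.51.100.1")
    gw.add_port_forward(80, "10.0.2.10", 8080)   # public :80 -> internal web server
    gw.add_port_forward(25, "10.0.2.11", 25)     # public :25 -> internal mail server
    host_a = gw.translate_outbound("10.0.0.5", 51000, "203.0.113.10", 443)
    host_b = gw.translate_outbound("10.0.0.6", 51000, "203.0.113.10", 443)
    return {
        "host_a": host_a,                                 # ('198.51.100.1', 40000, '203.0.113.10', 443)
        "host_b": host_b,                                 # same private port, distinct public port 40001
        "reply_to_b": gw.translate_inbound(40001),        # ('10.0.0.6', 51000): PAT returns it to the sender
        "web_request": gw.translate_inbound(80),          # ('10.0.2.10', 8080): port forwarding
        "probe": gw.translate_inbound(22),                # None: no mapping, nothing inside is revealed
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:12} {result}")
```

Both hosts chose source port 51000, yet the PAT table gives each its own public port, so the reply to port 40001 is delivered to 10.0.0.6 and nobody else. The port forward on 80 is a fixed administrative decision that exists before any packet arrives; the PAT entries exist only because an internal host sent something first.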
Access Control
An Access Control List (ACL) in networking determines what data traffic is allowed through a router or firewall. Access control lists are also used in software to determine who or what systems have access to a resource. A good way to think of an access control list is as a filter. A filter allows some things through while blocking others. For example, a water filter blocks or traps impurities, and the water that does pass is purified.
An access control list on a router or firewall can be configured with one or all of the following filtering types: MAC filtering, IP filtering, and port filtering.
1. MAC filtering passes or blocks data traffic based on the host's MAC address. This is commonly seen in wireless networks, when you only want to allow certain hosts to connect to a WAP. MAC filtering is also implemented on wired networks. For additional information about filtering, view F5 Data Center Firewall Implementation Part 3: Access Control (4:35).
2. IP filtering passes or blocks data traffic based on a data packet's source and destination IP address. A network administrator may notice that an unfamiliar external IP address is constantly trying to gain access to the network and block all data packets that contain this unfamiliar address.
3. Port filtering passes or blocks data traffic based on the port a data packet is destined for. Remember that different protocols communicate over different ports. Many Network Administrators who do not want hackers to identify what hosts are on their network will block ICMP traffic. Ping data packets will not pass through the router or firewall because port 7 is blocked from sending or responding to echo requests.
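The three filtering types, the implicit deny from the start of this section, and the DMZ idea all come together in a single ordered rule list. The following is an added example, not code from the original text: a small ACL evaluator in which each rule may match on source MAC, source or destination network, protocol and destination port, the first matching rule wins, and anything that matches no rule is dropped. The network layout (10.0.1.0/24 internal, 10.0.2.0/24 DMZ, 10.0.3.0/24 guest wireless), the MAC address and the blocked external range are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp", "udp" or "icmp"
    dst_port: int   # 0 for protocols that have no port (ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src_mac: Optional[str] = None     # None means any
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        return ((self.src_mac is None or self.src_mac.lower() == f.src_mac.lower())
                and ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and (self.protocol is None or self.protocol == f.protocol)
                and (self.dst_port is None or self.dst_port == f.dst_port))


def evaluate(acl, frame):
    """First matching rule decides; a frame that matches nothing is dropped (implicit deny)."""
    for rule in acl:
        if rule.matches(frame):
            return rule.action
    return "deny"


# Constructed sample ACL. Order matters: the first rule that matches wins.
SAMPLE_ACL = [
    Rule("allow", src_net="10.0.1.0/24"),                                   # internal hosts may go anywhere
    Rule("deny", protocol="icmp"),                                          # block external pings (hide hosts)
    Rule("deny", src_net="192.0.2.0/24"),                                   # IP filtering: a range seen probing us
    Rule("allow", src_mac="00:11:22:33:44:55",
         src_net="10.0.3.0/24", dst_net="10.0.1.0/24"),                     # MAC filtering: one approved guest device
    Rule("allow", dst_net="10.0.2.0/24", protocol="tcp", dst_port=443),     # port filtering: public web server in DMZ
]


def demo_decisions(acl=SAMPLE_ACL):
    """Evaluate a constructed set of frames and return the decision for each, in order."""
    frames = [
        Frame("aa:aa:aa:aa:aa:01", "203.0.113.9", "10.0.2.10", "tcp", 443),  # internet -> DMZ web: allow
        Frame("aa:aa:aa:aa:aa:01", "203.0.113.9", "10.0.2.10", "tcp", 22),   # internet -> DMZ ssh: implicit deny
        Frame("aa:aa:aa:aa:aa:01", "203.0.113.9", "10.0.1.20", "icmp", 0),   # external ping of internal host: deny
        Frame("aa:aa:aa:aa:aa:02", "192.0.2.5", "10.0.2.10", "tcp", 443),    # blocked range, even to the web server
        Frame("00:11:22:33:44:55", "10.0.3.7", "10.0.1.20", "tcp", 445),     # approved guest MAC -> internal: allow
        Frame("aa:aa:aa:aa:aa:03", "10.0.3.8", "10.0.1.20", "tcp", 445),     # other guest device -> internal: deny
        Frame("aa:aa:aa:aa:aa:04", "10.0.1.20", "203.0.113.9", "icmp", 0),   # internal host pinging out: allow
    ]
    return [evaluate(acl, f) for f in frames]


if __name__ == "__main__":
    print(demo_decisions())
```

Note that the deny for 192.0.2.0/24 sits above the allow for the DMZ web server; swapping those two rules would let the blocked range reach port 443, which is the usual way an ACL silently stops doing what its author intended. The SSH frame shows implicit deny at work: no rule mentions port 22, so it never passes.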
Summary
Network security is a vital component of computer networks.
- Firewalls and Access Control Lists control data traffic entering and exiting the network.
- The software and hardware tools designed to improve security can be combined for increased security.