<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security &#187; Firewall</title>
	<atom:link href="http://www.netsecure724.com/category/firewall/feed" rel="self" type="application/rss+xml" />
	<link>http://www.netsecure724.com</link>
	<description>Design Implementation and Monitoring</description>
	<lastBuildDate>Tue, 08 Dec 2009 13:15:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What to Block in a Personal Firewall?</title>
		<link>http://www.netsecure724.com/what-to-block-in-personal-firewall</link>
		<comments>http://www.netsecure724.com/what-to-block-in-personal-firewall#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/what-to-block-in-personal-firewall</guid>
		<description><![CDATA[The most difficult part of implementing a personal firewall is knowing what to block. The simplest answer is that you should block all unsolicited incoming traffic. This means that unless you are browsing a Web site or making a purchase over an SSL-enabled Web site, you should block incoming traffic you have not initiated. In [...]]]></description>
			<content:encoded><![CDATA[<p>The most difficult part of implementing a personal firewall is knowing what to block. The simplest answer is that you should block all unsolicited incoming traffic. This means that unless you are browsing a Web site or making a purchase over an SSL-enabled Web site, you should block incoming traffic you have not initiated. In both Windows- and Linux-based systems, a number of ports are open by default that can be dangerous to your system. In addition, several ports exist that are really of no consequence, and it does not really matter whether you block them.</p>
<p>For the typical home setup, in which you have perhaps one or two machines and are not running server software such as your own Web site or mail server, blocking incoming traffic using firewall software is easy. If you&#8217;re running applications that can open ports on your system, such as PCAnywhere or Winroute Web Administration, you must be aware of what these third-party applications open on your system. Several of the ports that you really need to be concerned about (whether you run Windows or Linux), and that your firewall software should block if you are not running server software, include:</p>
<ul>
<li>FTP (21)</li>
<li>Telnet (23)</li>
<li>Mail (25)</li>
<li>DNS (53)</li>
<li>Finger (79)</li>
<li>Web (80)</li>
<li>Sunrpc (111)</li>
<li>Auth (113)</li>
<li>SNMP (161)</li>
<li>EPMAP (135)</li>
<li>NetBIOS-NS (137)</li>
<li>NetBIOS-SSN (139)</li>
<li>Microsoft DS (445) TCP, (445) UDP</li>
<li>R-Services (511-515)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/what-to-block-in-personal-firewall/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall Appliances</title>
		<link>http://www.netsecure724.com/firewall-appliances</link>
		<comments>http://www.netsecure724.com/firewall-appliances#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/firewall-appliances</guid>
		<description><![CDATA[We have already discussed firewalls at length; now let's discuss firewall appliances. Small hardware appliances (devices that are separate from your computer) that you can connect and configure are available on the market, although they&#8217;re not as popular with home users as software products are. Appliances enable remote management of small remote [...]]]></description>
			<content:encoded><![CDATA[<p>We have already discussed firewalls at length; now let's discuss firewall appliances. Small hardware appliances (devices that are separate from your computer) that you can connect and configure are available on the market, although they&#8217;re not as popular with home users as software products are. Appliances enable remote management of small remote offices or home offices and are used to protect several computers. Setting up hardware appliances is easier than setting up software products, but hardware appliances tend to be more costly. As for feature sets, these generally tend to be similar to software firewalls. Although we will not go into any great detail about these more expensive hardware appliances, you should keep them in mind after you have learned a bit more about the capabilities of firewalls. Several hardware firewalls include the following:</p>
<p><strong>Watchguard SOHO</strong>— The small office/home office (SOHO) uses stateful inspection and NAT. One feature, LiveSecurity, is a subscription that provides software updates, technical support, and some training. This makes for a painless process in updating the features of the firewall. The SOHO also has a remote management feature and is frequently used in corporate environments to connect small home offices to the central corporate office, forming a virtual private network (VPN).</p>
<p><strong>D-Link Systems DI-704</strong>— The DI-704 comes with a built-in hub or switch. This cuts down on the cost of buying a hub or switch to set up your internal network. It is not a robust appliance like the SOHO and has no VPN capability, Remote Authentication Dial-In User Service (RADIUS) capability, or encrypted remote management.</p>
<p><strong>SonicWall SOHO2</strong>— The SOHO2 is on the expensive side of small appliances, retailing for about $495 for a 10-user model. It includes NAT, Web proxy, antivirus protection, multiple user IDs, RADIUS, DHCP server and client services, Web-content filtering, VPN, an intrusion detection mechanism, digital certificate authentication, centralized policy management, and customizable firewall protection.</p>
<p><strong>Linksys BEFSR11</strong>— This model, similar to the DI-704, is cheaper than a SOHO2, but it does not have VPN capability, support for centralized policy management, built-in antivirus or Web-content filtering support, or Java and cookie filtering capabilities. It uses packet filtering to protect the system, and it has an easy-to-understand user interface.</p>
<p><strong>SNAPgear PRO</strong>— SNAPgear focuses on providing PPTP and IPsec VPN capabilities. Its price competes with the SOHO2 and the Watchguard SOHO. It has a second serial port that can be used to simultaneously support a dial-up/ISDN WAN and dial-in RAS connection and supports RADIUS/TACACS+ authentication and encryption. This is a robust Linux-based firewall.</p>
<p>Appliances do not really fit the needs of consumers in many cases. Remote management, VPN, and authentication to RADIUS servers are not really high on the priority list for home users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/firewall-appliances/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall Tools Available on the Internet</title>
		<link>http://www.netsecure724.com/firewall-tools-available-on-the-internet-2</link>
		<comments>http://www.netsecure724.com/firewall-tools-available-on-the-internet-2#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/firewall-tools-available-on-the-internet-2</guid>
		<description><![CDATA[
Previously we discussed the way firewalls work. Now let's discuss the firewall tools that are available on the Internet. There are many tools available, each having its own set of features. You can choose whatever is appropriate for your network.

•  Using Freeware and Shareware Products
•  TCP Wrappers
•  The TIS Firewall Toolkit
•  SOCKS
• [...]]]></description>
			<content:encoded><![CDATA[
<p>Previously we discussed the way <a href="http://www.hackingpro.net/blog/how-firewall-works">firewalls work</a>. Now let's discuss the firewall tools that are available on the Internet. There are many tools available, each having its own set of features. You can choose whatever is appropriate for your network.<br />
•  Using Freeware and Shareware Products<br />
•  TCP Wrappers<br />
•  The TIS Firewall Toolkit<br />
•  SOCKS<br />
•  SQUID<br />
•  Drawbridge<br />
•  SATAN<br />
•  Other Handy Security Software<br />
<strong>Using Freeware and Shareware Products</strong></p>
<p>There are new firewall vendors springing up almost daily. When you begin to think about how you want to implement a firewall, one of the things you have to do is to evaluate the available products and determine how they can fit into the architecture you design for the firewall. Some vendors offer a one-stop service and can provide you with everything, including packet filtering, application proxies, other security software, and even training and full-time support around the clock. If you do not have the skilled in-house resources to maintain a firewall, you might want to choose this route.</p>
<p>Before you decide on any specific solutions, though, you should read through this post to learn about some of the firewall-related products available for download from the Internet. Most of these are either free or available for a small charge. Some, such as the TIS Firewall Toolkit, can be downloaded for free, yet have a &#8220;cousin&#8221;—a commercial version containing more features than the free version—that you can purchase.</p>
<p>Even though you might not decide to use any of these products in your firewall, simply understanding how they work can make you a better purchaser when it comes to evaluating the products you do have to pay for. In this post, you will examine a few of the more popular products. In the posts that follow, you will look at some of them in more detail.<br />
<strong>TCP Wrappers</strong></p>
<p>This set of programs was created by Wietse Venema to help protect the network at the Eindhoven University of Technology, where he was employed at the time. The purpose of the wrapper program is to insert a layer of access control and logging into the client/server-based TCP/IP network services model.<br />
TCP Wrappers uses a daemon process named tcpd that is started in place of the actual network services defined in the inetd.conf file. In the usual configuration, the Internet Daemon (inetd) listens for incoming network service requests. It determines which service is needed by matching the request&#8217;s port number with the service as defined in the file /etc/services. Using the service name, inetd then uses the configuration information found in inetd.conf to determine which protocol to use and how to start the needed daemon process.<br />
The TCP Wrapper daemon uses the syslogd daemon for logging purposes and sends its log data to the same place as the sendmail daemon. You can configure how syslogd operates by editing the syslogd.conf file.<br />
<strong>The TIS Firewall Toolkit</strong></p>
<p>The Trusted Information Systems Internet Firewall Toolkit—usually just called FWTK or The Toolkit—has been around for quite some time. When Trusted Information Systems (TIS) merged with Network Associates, this new company was also the vendor responsible for the Gauntlet firewall. Although Gauntlet was originally developed as a commercial version of The Toolkit, it has since been developed and enhanced and for the most part does not share the same code as The Toolkit.</p>
<p>Since FWTK was developed for the Defense Advanced Research Projects Agency (DARPA), the code was placed into the public domain. You can download it from the Internet, but you must first agree to the license. This is done by sending an email request to TIS. In response, you receive an automated email message, usually a few minutes later, that tells you the name of a temporary directory (available for only 12 hours) from which you can FTP the software.<br />
Major components of The Toolkit are proxies that are used for the most popular TCP/IP utilities. The software tools that are included are the following:</p>
<p>•	<em>netacl</em> To provide for Telnet, Finger, and network access control lists.<br />
•	<em>smap and smapd</em> To provide for a secure SMTP service.<br />
•	<em>ftp-gw</em> To provide a proxy server for FTP.<br />
•	<em>tn-gw</em> To provide a proxy server for Telnet.<br />
•	<em>rlogin-gw</em> To provide a proxy server for Rlogin.<br />
•	<em>plug-gw</em> To provide a general-purpose proxy service.<br />
•	<em>authd</em> To provide an authentication service to enhance &#8220;strong authentication&#8221; practices.<br />
•	<em>telnetd</em> A Telnet server that can be used to manage the firewall.<br />
•	<em>login-sh</em> An enhanced login program that provides support for secure logins using token authenticators, such as a smart card.<br />
•	<em>syslogd</em> A replacement of the traditional UNIX logging daemon.</p>
<p>The <em>netacl</em> component is usually configured to provide service access to the firewall itself, whereas the other proxies—such as tn-gw and ftp-gw—are used to provide pass-through proxies. They enable external users to access services that reside on hosts in the internal LAN, and vice versa.<br />
<strong>SOCKS</strong></p>
<p>SOCKS is a protocol designed to work in a client/server environment. A SOCKS server runs on the firewall host and provides a proxy service. When a client outside the protected LAN wants to connect to a particular service, it does so directly if a direct connection is available. If not, it then tries to contact the SOCKS proxy server and, by exchanging messages defined by the SOCKS protocol, negotiates a proxy connection. When a connection is established, the client communicates with the SOCKS server using the SOCKS protocol. The application server communicates with the SOCKS server as if it were the actual client.</p>
<p>There are two versions of the SOCKS protocol at this time. Version 4 is in wide distribution and supports TCP-based applications. Version 5, which is described in several Request For Comments documents, adds support for UDP applications and authentication.<br />
Unlike the proxy services provided by the TIS Firewall Toolkit, clients that use the SOCKS proxy protocol must first be &#8220;SOCKSified.&#8221; This means that they usually need to be recompiled to add the SOCKS client functions to the code. There are some exceptions to this. Vendors have developed libraries for Windows clients that can SOCKS-enable existing client software. The SOCKS protocol has also been adopted by a large number of software manufacturers who have enabled their clients with SOCKS functions. In addition, the SOCKS Version 4 implementation, available from NEC, includes clients for Telnet, FTP, Finger, and WHOIS. Their SOCKS Version 5 package adds clients for Archie, PING, and traceroute.<br />
<strong>SQUID</strong></p>
<p>SQUID, as the FAQ for this application states, is usually available at sushi bars. It is also the name of a proxy caching server available on the Internet. Like the TIS Firewall toolkit and several other products I have discussed in this chapter, SQUID comes in source-code format and compiles on many of the popular UNIX variants.<br />
A proxy server, as I have discussed, works by intercepting the flow of IP traffic between a client and server. The proxy server communicates with each of these systems and acts as a man-in-the-middle so that no actual IP packets are ever exchanged between the client and server. Proxy servers can hide the identity of clients sitting behind the firewall. A caching server, however, performs a different function. Caching is the process of holding copies of &#8220;hot objects&#8221;—those that are frequently requested—so that when another object request is received, it can be retrieved quickly from the cache. By servicing requests from the cache, the response to the client is usually faster than actually querying the source of the object directly.<br />
Objects that the caching server buffers in memory (or in disk files) include data that comes in response to requests by FTP, HTTP, and other network clients. In addition to caching these objects, SQUID also supports caching DNS lookups. SQUID is composed of several programs, including the proxy caching server (called squid), a DNS lookup program called dnsserver, and other optional applications.<br />
<strong>Drawbridge</strong></p>
<p>So far in this post, I have covered products that work basically as proxy servers. Remember, however, that for a proxy server to work optimally, you should place it behind a packet filter instead of connecting the proxy server host directly to the Internet. You can use a screening router as a packet filter, or you can use a software solution that also runs on a host computer.</p>
<p>Drawbridge is a free, high-speed packet filter that, although it originally ran on a DOS platform, now runs on the FreeBSD UNIX platform. Like Drawbridge, FreeBSD is also available at no charge—hence its name! This packet-filtering application was developed at Texas A&amp;M and was designed specifically with the academic environment in mind.<br />
<strong>SATAN</strong></p>
<p>With such an infamous name, you might think that the SATAN utility is a hacker&#8217;s tool designed to destroy your network. Actually, the term is an acronym, standing for System Administrator&#8217;s Tool for Analyzing Networks. If the name offends you, there is an option in the utility you can use to change its display name to SANTA. Regardless, this tool uses passive probing techniques to search out possible security problems in your network. SATAN is not really a proxy server or a packet filter or a firewall component at all. It is mentioned in this chapter because it is one of the more important tools that, if used correctly, can be valuable in helping you determine whether your firewall will do what you expect.<br />
<strong>Other Handy Security Software</strong></p>
<p>This post briefly covered some of the tools you can download from the Internet and use to construct a firewall. You also took a quick look at the SATAN security reporting tool. Although the main topic of this post is firewalls, it is important for you to also be able to monitor your network so that you can be sure that the firewall is really protecting you against known methods of attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/firewall-tools-available-on-the-internet-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How a Firewall Works</title>
		<link>http://www.netsecure724.com/how-a-firewall-works</link>
		<comments>http://www.netsecure724.com/how-a-firewall-works#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/how-a-firewall-works</guid>
		<description><![CDATA[Computers communicate by sending electronic messages to each other. On the Internet, millions of computers send messages back and forth, so each computer on the Internet has a unique address, called an IP address, that&#8217;s used to distinguish that computer from all the others. When a message is sent from one computer to another, it&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>Computers communicate by sending electronic messages to each other. On the Internet, millions of computers send messages back and forth, so each computer on the Internet has a unique address, called an IP address, that&#8217;s used to distinguish that computer from all the others. When a message is sent from one computer to another, it&#8217;s divided into small pieces, called packets. Each packet contains the IP address of both the sending computer and the destination computer. These packets travel separately through the Internet until they reach the destination computer. Once all the packets arrive, they&#8217;re reassembled into the original message.</p>
<p>When a computer is connected to the Internet, it constantly sends and receives packets of information. Typically, this information is something useful. For instance, Web browsers receive packets that contain Web pages, and e-mail programs send packets that contain e-mail messages.</p>
<p>Sometimes your computer might receive packets of harmful data. For example, someone might send packets containing a program that scans your computer for weaknesses and then exploits those weaknesses. Other packets might contain malicious programs that can harm your data or steal personal information. To protect your computer from these threats, you should use a firewall to prevent harmful packets from entering your computer and gaining access to your data.</p>
<p>The Internet Connection Firewall included with Windows XP monitors and filters packets that are received by your computer. It prevents outsiders from making unauthorized connections to your computer, and it hides information about your computer from other computers on the Internet. Only the packets of information that your computer has specifically requested are allowed to pass; all others are silently discarded. In addition, the firewall can keep track of attempts to scan or compromise your computer, and it can store that information in log files.</p>
<p>While using the Internet Connection Firewall greatly increases your online security, keep in mind that it is limited to monitoring the Internet connection. It does not scan Internet content, such as Web sites, downloaded files, or e-mail messages, for viruses, nor does it protect your computer from intruders that have physical access to your computer or network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/how-a-firewall-works/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Types of Firewalls</title>
		<link>http://www.netsecure724.com/types-of-firewalls</link>
		<comments>http://www.netsecure724.com/types-of-firewalls#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/types-of-firewalls</guid>
		<description><![CDATA[A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
Software Firewalls
A software [...]]]></description>
			<content:encoded><![CDATA[<p>A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.</p>
<p><strong>Software Firewalls</strong></p>
<p>A software firewall is an application that provides firewall services and is installed on a (typically dedicated) computer. Software firewalls are the oldest type of firewall available and generally work very well. The downside of a software firewall is that you need a separate computer to run the firewall software, which in turn requires additional cost and administration to keep it running and secure. In addition, software firewalls are prone to the pitfalls of any other software package, namely memory leaks and operating system instability and vulnerabilities. Popular firewall packages vary in price and capability—anywhere from free (usually included in many Linux distributions) to several thousand dollars for well-optioned versions.</p>
<p><strong>Hardware Firewalls</strong></p>
<p>Hardware firewalls perform the same functions as software firewalls, but, instead of requiring separate computer hardware, they are typically dedicated units. Typical candidates for hardware firewalls are routers and small network appliances, which are basically small computers with no other use but to run a basic operating system (often Linux) and the firewall application. These units can be easier to maintain because they are purpose-built for the task, but can cost more because you have to purchase the hardware at the same time (instead of perhaps using a spare system for a software firewall). Sometimes, depending on the unit, upgrading or changing your firewall can come at an even greater cost because you are usually locked in to that particular brand of firewall, instead of being able to change just the firewall application as you would with a software firewall. In addition, dedicated servers can handle more data being passed through the firewall; so, if your site generates a lot of Internet traffic, you may want to take this into consideration when planning your firewall implementation.</p>
<p><strong>Packet Filters</strong></p>
<p>Packet filters are the most basic kind of firewall package you can use. A packet filter takes packets and routes them between trusted networks (your internal network) and untrusted networks (the Internet). The benefits of a packet filter include being typically inexpensive to purchase and implement, and featuring fast scanning of data passing by. You can also purchase basic packet filters for individual workstations.</p>
<p>On the downside, they are the least secure because they cannot be used to lock down individual application data passing through to the outside world. This is because they typically operate only on the Network layer and not the Application layer. Packet filters can be used to help block data to specific ports, which can be helpful in limiting data for a particular service, such as dropping packets destined for port 21 (FTP). Packet filters can be useful tools, but should be used in concert with other firewall solutions for good security, such as a first-line firewall in front of a stateful packet inspection firewall.</p>
<p><strong>Stateful Packet Inspections</strong></p>
<p>This type of firewall encompasses packet filtering with a slight twist. When a packet goes through the firewall, any rules that pertain to that packet may be altered for the duration of that packet to allow the return packet through without any hassle. This is different from a typical firewall in that if you have UDP blocked, for instance, it&#8217;s blocked all the time unless you specify specific systems that can pass the information. These types of firewalls also tend to function well at the Network layer of the TCP/IP model, allowing for better overall security for your network.</p>
<p><em>Stateful packet inspection firewall</em> solutions also improve upon the packet filter design by allowing administrators to require user authentication before a user can connect to and pass information through the firewall. In addition, most of these types of firewalls can be configured to pass data based on application type, something that is not an option with many other types of firewall solutions. On the downside, they can be costly, and although this is constantly changing, many of these solutions are software only. Ultimately, stateful packet inspection is the next big thing in firewall technology, something that will likely take over in the coming years due to its performance and flexibility.</p>
<p><strong>Proxy Servers</strong></p>
<p>Proxy servers are a type of firewall that not only can help limit what data flows in and out of your network, but can also help provide additional network performance. Most proxy servers provide caching of Web pages to help cut down on the amount of data being transferred from the Web site to the client and thus improve performance.</p>
<p>As far as security is concerned, proxy servers have a few useful features in that they can require authentication to allow data to pass through to that client. In addition, they can be used to limit access to a given URL from users on your inside network and can also perform filtering of requests. By filtering requests, proxy servers can scan for inappropriate words or data that should be blocked and then stop access to that data.</p>
<p>Proxy servers are relatively easy to set up initially, but it can be difficult to achieve top performance when it comes to caching, and to block specific URLs and filter content in a way that doesn&#8217;t disrupt regular use by end users. In addition, proxy servers also require additional configuration on each client using the proxy server. Although most, if not all, operating systems and Web browsers have the client or capability to be configured for a proxy server, it entails additional time to configure and maintain each system, certainly something to keep in mind.</p>
<p>As you can see, many of the different types of firewall technologies share similar features. Do keep in mind, though, that each firewall type provides its own benefits and drawbacks as you select the type or types you need.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/types-of-firewalls/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Concept of Web Traffic Filtering</title>
		<link>http://www.netsecure724.com/concept-of-web-traffic-filtering</link>
		<comments>http://www.netsecure724.com/concept-of-web-traffic-filtering#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/concept-of-web-traffic-filtering</guid>
		<description><![CDATA[
Although the firewall&#8217;s main purpose is to protect inside users from outside threats, the PIX firewall can also help control which Web sites internal users can access. The PIX firewall can be linked to a URL filtering server such as WebSense or N2H2, which provide Internet monitoring and URL Web site blocking if necessary.

1.The client [...]]]></description>
			<content:encoded><![CDATA[
<p>Although the firewall&#8217;s main purpose is to protect inside users from outside threats, the PIX firewall can also help control which Web sites internal users can access. The PIX firewall can be linked to a URL filtering server such as WebSense or N2H2, which provide Internet monitoring and URL Web site blocking if necessary.<br />
1. The client opens a connection to a Web server and sends an HTTP GET message to access a Web page.</p>
<p>2. The PIX intercepts the call and forwards the request to the URL filtering server and the Web site at the same time.</p>
<p>3. The filtering server searches its database of Web sites to see whether the user has permission to access the Web site. In the meantime, the Web site is attempting to respond to the user&#8217;s request.</p>
<p>4. If the URL server&#8217;s response is yes, the PIX allows the Web site response to be forwarded to the requesting client. Otherwise, the Web site&#8217;s response is dropped.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/concept-of-web-traffic-filtering/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall Theory</title>
		<link>http://www.netsecure724.com/firewall-theory</link>
		<comments>http://www.netsecure724.com/firewall-theory#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/firewall-theory</guid>
		<description><![CDATA[
In networking, a firewall is a device that prevents certain types of traffic from entering or leaving your network. Usually, the danger comes from attackers attempting to gain access to your network from the Internet, but not always. Firewalls are often deployed when connecting networks to other entities that are not trusted, such as partner [...]]]></description>
			<content:encoded><![CDATA[
<p>In networking, a firewall is a device that prevents certain types of traffic from entering or leaving your network. Usually, the danger comes from attackers attempting to gain access to your network from the Internet, but not always. Firewalls are often deployed when connecting networks to other entities that are not trusted, such as partner companies.<br />
A firewall can be a standalone appliance, software running on a server or router, or a module integrated into a larger device, like a Cisco 6500 switch. These days, the functionality of a firewall is often included in other devices, such as the ubiquitous cable-modem/router/firewall/wireless-access-point devices in many homes.</p>
<p>Modern firewalls can serve multiple functions, even when they&#8217;re not part of combination devices. VPN services are often supported on firewalls. A firewall running as an application on a server may share the server with other functions such as DNS or mail, though generally, a firewall should restrict its activities to security-related tasks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/firewall-theory/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
