Recent attacks, such as the Nimda and Code Red worms, have made it look as if firewalls don't offer enough protection. In fact, these attacks simply highlight the differences between garden-variety firewalls and more sophisticated ones.
Serving as a high-speed inspector, a firewall accepts or rejects traffic based on predefined rules. A more detailed inspection provides a higher level of security.
In general, firewalls work like Internet routers. Routers examine the header of each packet they receive and route the packet from one network interface to another based on the packet's destination IP address. Firewalls also look at each packet they receive and make their access-control decisions according to the packet's contents.
Most routers include a simple firewalling mechanism called packet filtering. In packet filtering, a firewall looks at each packet and uses the packet's header information to decide if the packet should be delivered or discarded. The decision most often relies on the packet's port number, which generally indicates what type of application traffic the packet carries.
File transfers via FTP generally use ports 21 and 22; e-mail via Simple Mail Transfer Protocol generally uses port 25; and Web pages via HTTP generally use port 80. Some sites simply configure their firewalls to allow all traffic related to acceptable protocols and reject all other traffic.
Packet filtering is simple and fast, but its simplicity means it is unable to detect attacks that are embedded in the application protocols themselves. For example, Code Red and Nimda used HTTP messages to infect servers running Microsoft Corp.'s Internet Information Server.
The worm software, running on an infected computer, sends an HTTP GET request to the server under attack. The request is crafted to trigger a buffer-overrun error in the server, which tricks the server into executing a program that installs a "back door" giving the worm access to the server computer.
In this example, the back door lets the worm execute DOS commands embedded in subsequent HTTP commands. Once the back door is in place, the worm uses it to invoke a variant of FTP to install the rest of the worm's software onto the newly infected computer.
Packet filtering can't stop these worms because it looks in the wrong places to detect attacks. Not even a "stateful" packet filter keeps track of enough information to distinguish between legitimate HTTP traffic and that which carries a worm infection.
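To make the limitation concrete, here is a small model of the two filter types described above, written as an added example for this article rather than code from the author or from any firewall product. The packet, port table, address prefix and sample payloads are all constructed for the illustration; the stateless filter decides from header fields only, and the stateful filter additionally remembers connections opened to an allowed port. Both accept a port-80 packet whose payload is an unusually long HTTP request, because neither ever looks at the payload.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Header fields a packet filter can see.
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag
    # Application payload: present on the wire, never consulted by a packet filter.
    payload: bytes = b""


# Hypothetical rule table: one server port per acceptable application protocol.
ALLOWED_PORTS = {21: "ftp-control", 25: "smtp", 80: "http"}


def stateless_filter(pkt: Packet) -> str:
    """Plain packet filtering: 'accept' or 'drop' from header fields alone.
    Replies from a server must be let through by their source port, so a
    stateless rule set has to open both directions for each allowed port."""
    if pkt.proto != "tcp":
        return "drop"
    if pkt.dport in ALLOWED_PORTS or pkt.sport in ALLOWED_PORTS:
        return "accept"
    return "drop"


class StatefulFilter:
    """Stateful packet filtering: remember connections that were opened to an
    allowed port and accept later packets only if they belong to one of them."""

    def __init__(self):
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return "drop"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:                 # new connection attempt
            if pkt.dport in ALLOWED_PORTS:
                self.table.add(key)
                return "accept"
            return "drop"
        if key in self.table or reverse in self.table:
            return "accept"                         # belongs to an allowed connection
        return "drop"


def demo():
    """Run both filters over a constructed HTTP exchange in which the client's
    request is an unnecessarily long URL. Returns the decisions for comparison."""
    client, server = "198.51.100.7", "10.0.0.80"    # constructed addresses
    long_request = b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"  # constructed
    syn = Packet("tcp", client, 40000, server, 80, syn=True)
    data = Packet("tcp", client, 40000, server, 80, ack=True, payload=long_request)
    reply = Packet("tcp", server, 80, client, 40000, ack=True, payload=b"HTTP/1.0 200 OK\r\n\r\n")
    stray = Packet("tcp", client, 40001, server, 80, ack=True, payload=long_request)

    sf = StatefulFilter()
    return {
        "stateless_data": stateless_filter(data),
        "stateful_syn": sf.decide(syn),
        "stateful_data": sf.decide(data),
        "stateful_reply": sf.decide(reply),
        "stateful_stray": sf.decide(stray),     # no SYN seen: dropped
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The stateful filter is stricter about which packets belong together, but the decision for the long request is the same as the stateless one: the payload never enters either decision, which is the gap the proxy described next is meant to close.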
Instead, the firewall must provide an application layer gateway or proxy, which goes beyond the inspection of packet headers. A Web proxy handles HTTP traffic. The proxy actually reconstructs HTTP messages that may span two or more packets and makes its access-control decision based on the contents of the entire message, not just one packet. While many sites use Web proxies to cache Web pages, a proxy in a firewall may also enforce access restrictions on Web pages or examine messages for signs of attempted infections.
A proxy can ensure that messages conform to RFC standards and also provide advanced filtering controls such as Unicode-character enforcement, URL-length checks and host-header validation. These controls provide a number of ways to detect and block an attack: The proxy could reject messages that were unnecessarily long or those trying to execute the script root.exe.
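The following is an added example of the kind of inspection a Web proxy in a firewall performs; it is not code from the author or from any product. It reassembles an HTTP request header block that arrives in several TCP segments, then applies the controls named above: request-line and header syntax checks, a URL-length limit, rejection of raw or percent-encoded non-ASCII characters, Host-header validation against the hostnames the proxy serves, and rejection of requests referring to root.exe. The length limit, served hostname list and blocked-path pattern are policy assumptions chosen for the illustration, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Policy constants: assumptions for this example, not values from the article.
MAX_URL_LENGTH = 1024
SERVED_HOSTS = {"www.example.com"}
BLOCKED_PATH_PATTERNS = [re.compile(rb"root\.exe", re.IGNORECASE)]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
BAD_PERCENT = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def reassemble(segments):
    """Join the TCP segments of one request. Returns the header block once its
    terminating blank line has arrived, or None if more data is still needed."""
    data = b"".join(segments)
    end = data.find(b"\r\n\r\n")
    return None if end < 0 else data[:end]


def inspect_request(raw: bytes):
    """Decide on a reassembled header block: ('accept', None) or ('reject', reason)."""
    lines = raw.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "reject", "malformed request line"
    target = m.group(2)

    # URL-length check.
    if len(target) > MAX_URL_LENGTH:
        return "reject", "URL too long"

    # Unicode-character enforcement: no raw non-ASCII bytes, well-formed
    # percent-encoding, and nothing outside printable ASCII once decoded.
    if any(b > 0x7F for b in target):
        return "reject", "non-ASCII byte in URL"
    if BAD_PERCENT.search(target):
        return "reject", "malformed percent-encoding in URL"
    decoded = unquote_to_bytes(target)
    if any(b > 0x7F or b < 0x20 for b in decoded):
        return "reject", "encoded non-ASCII or control character in URL"

    # Content check on the decoded path, e.g. the root.exe reference named in the text.
    for pat in BLOCKED_PATH_PATTERNS:
        if pat.search(decoded):
            return "reject", "blocked path: " + pat.pattern.decode()

    # Header syntax check.
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return "reject", "malformed header line"
        headers[h.group(1).lower()] = h.group(2)

    # Host-header validation (policy here: required for every request).
    host = headers.get(b"host")
    if host is None:
        return "reject", "missing Host header"
    hostname = host.decode("ascii", "replace").split(":")[0].lower()
    if hostname not in SERVED_HOSTS:
        return "reject", "Host header is not a served hostname"
    return "accept", None


if __name__ == "__main__":
    # Constructed request split across two segments, as a proxy would see it.
    segments = [b"GET /index.html HTTP/1.1\r\nHost: www.exa",
                b"mple.com\r\nUser-Agent: example\r\n\r\n"]
    print(inspect_request(reassemble(segments)))
```

Because the decision is made on the whole reassembled message, a request that spreads its URL or headers across several packets is judged the same way as one that arrives in a single packet, which is precisely what a per-packet filter cannot do.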
Often, the best choice is a firewall that offers a hybrid architecture combining packet filtering and application layer proxies. This lets organizations tailor their firewall protection to optimize performance while maintaining the appropriate level of security for the corresponding risk. Hybrid firewalls use simple packet filtering to provide high throughput for lowest-risk traffic, stateful inspection for slightly riskier traffic, and the application layer gateway where the risk of data-driven attacks is highest.
Smith is senior principal engineer at Secure Computing. He can be reached at email@example.com.