What kind of firewall do you need?, Part 1

Most of us have heard of firewalls. For those who haven't, a firewall is a machine that acts as a sentry, blocking certain kinds of network traffic and allowing others. Several kinds of firewalls are available and each has its merits and drawbacks. The key to successfully implementing a firewall is finding the kind of firewall that best suits a particular network's needs.

There are two basic types of firewall, or two ways a firewall can function: Packet filter or proxy. Within each type, though, are different implementations. In part one, I'll discuss the benefits, drawbacks, and functions of packet filtering firewalls.

Packet Filtering Firewalls

A packet filtering firewall is the simplest type of firewall. In its most basic setup, it is a machine with two network interfaces. The firewall software operates strictly on the network layer and uses rules to determine the packets that are forwarded from one interface to another.

By examining the packets' headers, the packet filtering firewall determines whether or not they match the rule set, which consists of the information that can be found in a packet's headers. Such information includes the packet's source and destination addresses, its protocol type (TCP, UDP, ICMP, etc...), the source and destination ports of the packet, flags set on the packet (SYN, ACK, FIN, RST, etc...), or other such basic header information.

Packet filtering firewalls commonly are found in the form of a router's access lists, or a secured host's rules with two network interface cards that can be used as a router. Standard packet filters are a popular choice, because most companies already have a router on which they can configure a rule set, or they can easily get a host with two network cards. They are convenient, fast, and, in most cases, inexpensive.

Stateful Packet Inspection Firewalls

A step above standard packet filtering firewalls, but still considered part of the same architecture, are stateful packet inspection firewalls. The stateful inspection model was built off of standard packet filtering, but it adds more security checks.

Stateful packet inspection firewalls intercept incoming packets from one interface until enough information has been gathered from the packets it's received (using information such as TCP sequence numbers) to determine the connection's 'state'; then, if the intercepted packets pass the rule set, they're forwarded on to the other interface. Using this information, the firewall builds dynamic state tables and uses these tables to track the connections through the firewall. Rather than allowing all packets meeting the rule set's requirements to pass, it allows only those packets that are part of a valid, established connection.

Stateful packet inspection firewalls are not as easy to whip up as standard packet filtering firewalls, but they add an additional level of security. They are also very fast and can handle large amounts of network traffic. Generally, special software must be bought (there *are* free stateful firewalls available, but commercial firewalls usually have graphical user tools for configuration and management). Routers can be used as stateful packet inspection firewalls just as they can be used as packet filtering firewalls, but again, often a company must purchase the software that will allow them to do so.

The drawback to packet filtering and stateful packet inspection firewalls lies, primarily, in comparatively reduced security. Because packet filtering firewalls only consider a packet's headers, the firewall does not protect against attacks directed at an application. For instance, if a packet filtering firewall was set to allow incoming Web connections from the Internet in general, then an attack on the Web service itself (such as the many attacks against vulnerabilities in Microsoft's IIS Web server software) would pass through the firewall without problem.

Proxy firewalls address this issue, which I'll discuss next week in part two.