
2. Understanding Firewalls

"Firewall" is originally a term for a part of a car. In cars, firewalls are physical objects that separate the engine from the passengers. They are meant to protect the passengers in case the car's engine catches fire, while still giving the driver access to the engine's controls.

A firewall in computers is a device that protects a private network from the public part (the internet as a whole).

The firewall computer, from now on called "firewall", can reach both the protected network and the internet. The protected network cannot reach the internet, and the internet cannot reach the protected network.

For someone to reach the internet from inside the protected network, they must telnet to the firewall and use the internet from there.

The simplest form of a firewall is a dual homed system (a system with two network connections). If you can TRUST ALL your users, you can simply set up a Linux box (compile the kernel with IP forwarding/gatewaying turned OFF!) and give everyone accounts on it. They can then log in to this system and telnet, FTP, read mail, and use any other service you provide. With this setup, the only computer on your private network that knows anything about the outside world is the firewall. The other systems on your protected network don't even need a default route.

This needs re-stating. For the above firewall to work YOU MUST TRUST ALL YOUR USERS! I don't recommend it.

2.1 Drawbacks with Firewalls

The problem with filtering firewalls is that they inhibit access to your network from the internet. Only services on systems that have pass filters can be accessed. With a proxy server, users can log in to the firewall and then access any system within the private network they have access to.

Also, new types of network clients and servers are coming out almost daily. When they do, you must find a new way to allow controlled access before these services can be used.

2.2 Types of Firewalls

There are two types of firewalls.

  1. IP or Filtering Firewalls - that block all but selected network traffic.
  2. Proxy Servers - that make the network connections for you.

IP Filtering Firewalls

An IP filtering firewall works at the packet level. It is designed to control the flow of packets based on the source, destination, port and packet type information contained in each packet.

This type of firewall is very secure but lacks any sort of useful logging. It can block people from accessing private systems, but it will not tell you who accessed your public systems or who accessed the internet from the inside.

Filtering firewalls are absolute filters. Even if you want to give someone on the outside access to your private servers, you cannot do so without giving everyone access to those servers.

Linux has included packet filtering software in the kernel starting with version 1.3.x.
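The packet-level decision described above, as an added example that is not part of the original HOWTO: each packet is compared against an ordered rule list on source, destination, protocol and port; the first matching rule wins and anything unmatched is denied. The private network, addresses and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "deny"
    src: str = "0.0.0.0/0"         # any source unless narrowed
    dst: str = "0.0.0.0/0"         # any destination unless narrowed
    proto: Optional[str] = None    # None matches every protocol
    dport: Optional[int] = None    # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means deny (default-deny policy)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample policy: private net 192.168.1.0/24 sits behind the firewall.
RULES = [
    Rule("accept", dst="192.168.1.10/32", proto="tcp", dport=25),  # mail server reachable from anywhere
    Rule("accept", src="192.168.1.0/24"),                          # inside hosts may go out
    Rule("deny"),                                                  # everything else is dropped
]


def example_decisions() -> List[str]:
    """Constructed packets: outside->mail, outside->telnet, inside->web, outside->ping."""
    return [
        decide(RULES, Packet("203.0.113.5", "192.168.1.10", "tcp", 25)),
        decide(RULES, Packet("203.0.113.5", "192.168.1.10", "tcp", 23)),
        decide(RULES, Packet("192.168.1.20", "198.51.100.7", "tcp", 80)),
        decide(RULES, Packet("203.0.113.5", "192.168.1.20", "icmp", None)),
    ]
```

Note that the first rule opens port 25 on the mail server to every source; narrowing `src` is the only way a filter can limit who may use a pass rule, and it records nothing about who actually did.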

Proxy Servers

Proxy servers allow indirect internet access through the firewall. The best example of how this works is a person telnetting to a system and then telnetting from there to another; with a proxy server, however, the process is automatic. When you connect to a proxy server with your client software, the proxy server starts its own client (proxy) software and passes the data to you.

Because proxy servers duplicate all the communications, they can log everything they do.

The great thing about proxy servers is that they are completely secure, when configured correctly. They will not allow someone in through them. There are no direct IP routes.
