Firewalls

Some Types of firewalls

There are a number of different characteristics by which you can categorize firewalls.

The following characteristics may be mixed. Many real world firewalls may be some combination of the following types.

Packet Filter

This type of firewall requires considerable skill to administer correctly. It offers the highest performance. It preserves all information about the source and destination, which is important to security conscious servers which use this information to aid in logging and authentication. It does not filter the data streams based on content. All other things being equal, packet filters are the least vulnerable to attaks against the firewall itself. Packet filters normally only perform modifications which do not affect the data stream itself and which normally occur on the internet anyway (such as breaking packets into fragments or reassembly of fragments). A basic packet filter based firewall allows all IP packets permitted by the firewall rules to pass (although it may reassemble fragments and/or refragment before doing so).

Proxy Based

Proxies usually require proxy aware applications or proxy aware users. Proxy based firewalls can filter based on content of the data stream and can modify the data stream. This allows them to protect weak server applications inside the firewall against certain types of known attacks but at the expense of a more complicated firewall which is therefore more vulnerable to attacks against the firewall itself; whether this risk is warranted depends on how poorly written the application being protected is. A basic proxy based firewall does not forward any IP packets and only forwards the data streams for which specific application proxies have been installed. A proxy may hide the identities of hosts inside the firewall from hosts outside a firewall and vice versa. Attempting to put software developers and other technically savvy users behind a proxy based firewall could result in death threats.

Transparent Proxy

A transparent proxy combines some of the features of the packet filter and the proxy based firewall. A transparent proxy can inspect and/or modify the contents of the application data stream while optionally preserving and acting on the source and destination information in the IP header. Since the original source and destination information in the packets is availible to the transparent proxy, neither client applications nor users need to be firewall aware to use the services protected by the proxy.

IP Masquerading

In some cases, a firewall is used to allow a large number of internal hosts to use a small number of global addresses. IP Masquerading was primarily developed to handle these situations although it has certain uses for handling certain problematic protocols.

Bastion host

The term "bastion host" may refer to a host which is connected to your internal and external networks with no forwarding path for IP packets either through or around the bastion host, in which case it can be considered a type of firewall, or it may refer to a host located in a "de-militarized zone (DMZ)" between the inside nework and the outside network, typically with one or more firewalls separating the demilatarized zone from either or both the internal and external networks.

Black Box

Crystal Box

Single-homed A single homed firewall is only useful if it used in conjuction with another firewall, typically a packet filtering router.

Dual-homed Most firewalls are dual homed; they have two network interfaces, one for the inside network and one for the outside network.

Multi-homed Technically, multi-homed refers to two or more network interfaces; therefore, dual-homed can be considered a subset of multi-homed. A firewall may have more than two interfaces for a number of reasons. There may be more than one connection to the outside world. You may want to protect various departments within your organization from each other. You may want to implement two logical firewalls on either side of your demilatirized zone with a single firewall. You may want to more throughly isolate certain older, less carefully maintained hosts inside your organization. You may want to offer IP connectivity to another organization within your building while protecting your network from them and offering them some protection as well. You may want to prevent hosts from masquerading as or evesdropping on other hosts within your network; a firewalls ability to effectively protect hosts and traffic within your network is limited to its direct control over the traffic between hosts.

Assorted Links

Filter Language Compiler

linux IP Masquerade mini-HOWTO

Linux IP Masquerading Web Site

Digital by Design (DBD) and

Linux IP masquerade resource Free Electron Labs offer security consulting services including linux based firewalls.

A paper by X/OS is one of the best descriptions of ipfwadm and the kernel firewalling features. In particular, it contains some of the only documentation availible for the transparent proxy features.

X/OS also brings us the A HREF="http://www.xos.nl/linux/ipfwadm/">ipfwadm home page.

X/OS sells configured firewalls based on linux and security consulting.

Firewalls mailing list archive at greate circle.com.

Searchable Firewalls mailing list archive at www.nexial.nl.

There is a poor quality archive of the firewalls mailing list at www.netsys.com

The Linux Router Project

sample cisco firewall rules

The ftp client supplied by microsoft with windows 95 and windows NT cannot support PASV. A couple windows ftp clients which do are WS_FTP Pro and CuteFTP. These are about $35 each. There is an LE version of WS_FTP which is availible free for academic and non-profit use.

Here is a report from Creative Networks based on 66 phone interviews which discusses how standards based SMTP/MIME based systems are much more reliable and cheaper to maintain than proprietary systems like microsoft exchange and Lotus Notes.

Linux Firewalling and Proxy Server HOWTO
This document, unfortunately, is heavily biased towards proxy based systems and supports this bias with a number of absurd statements rather than making any of the legitimate arguments which could be made.

Linux Bridge and Firewall Mini-HOWTO.

socks

RFC1918 gives the address blocks for private internets.

gnatbox

linux net search results.

test

Netscape Automatic Proxy configuration
Netscape 3.0 and higher allow a javascript function to be called to see if it should comminicate via a proxy for each url. SOCKS is permitted.

Microsoft does not appear to publish real information on their autoconfiguration mechanism.

SOCKShome page.

Performance

reported the following performance numbers for linux routers on the linux-tulip mailing list:


Pentium 120 with tulip cards:
  Packet Size (bytes)    64    128    256    512    1024   1280   1518
  Throughput (Mbit/s)  9.560  19.00  34.71  64.81  97.95  98.36  98.56
  Est Packets/sec      18700  18600  16900  15800  12000   9600   8100     

Pentium II/266 with DEC DE500 cards:
   Packet Size (bytes)    64    128    256    512    1024   1280   1518
   Throughput (Mbit/s)  15.25  32.82  59.36  95.87  97.98  98.38  98.56
   Est Packets/sec      29800  32000  29000  23400  12000   9600   8100

He particularly noted that the linux kernel timeslicing limits throughput to 30K packets per second. Robert Olsson reported performance increased from similar values to 100KPPS on a 233Mhz AMD with 32MB RAM with the FASTROUTE patch from Alexey Kuznetsov. The tulip chips themselves are capable of filling fast ethernet at full duplex wire speed even with small 64 byte packets.

Note that these numbers apply to a basic router with no firewall rules or large dynamic router tables. These tables are also for two interfaces. It is not clear how those numbers will scale for more interfaces.

Relevenet RFCs

Most of these are the result of an RFC search on "firewall or proxy".

rfc1919.txt Classical versus Transparent IP Proxies
rfc1351.txt SNMP Administrative Model
rfc1908.txt Coexistence between Version 1 and Version 2 of the Internet-standard Network Management Framework
rfc2145.txt Use and Interpretation of HTTP Version Numbers
rfc1906.txt Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)
rfc1579.txt Firewall-Friendly FTP
rfc2186.txt Internet Cache Protocol (ICP), version 2
rfc1909.txt An Administrative Infrastructure for SNMPv2
rfc1801.txt X.400-MHS use of the X.500 Directory to support X.400-MHS Routing
rfc1636.txt Report of IAB Workshop on
rfc1620.txt Internet Architecture Extensions for Shared Media
rfc2037.txt Entity MIB using SMIv2
rfc2187.txt Application of Internet Cache Protocol (ICP), version 2
rfc1510.txt The Kerberos Network Authentication Service (V5)
rfc2069.txt An Extension to HTTP : Digest Access Authentication
rfc1910.txt User-based Security Model for SNMPv2
---------------------------------
rfc1459 Internet Relay Chat Protocol

This file is maintained by Mark Whitis (whitis@freelabs.com).

Senior Engineer for hire
Software Development - Electronic Design - Embedded Systems - Device Drivers - System/Network Administration and Security - Motor Control, RobotCNC - Linux/Un*x - 25+ years experience
The author of these pages is looking for a new gig.
[RESUME]

Engineers and electronic hobbyists: The new Open Symbol Project is creating open schematic symbols and PCB footprints for a variety of different CAD packages.

Mark Whitis's Website

Home Page

Linux

Book: Linux Programming Unleashed

My Resume

Genealogical Data

Contact Info

Security

About

All email messages received must pass the turing test or they will be considered SPAM. If it could have been written by a machine, it was.

Under no circumstances are you to email me with questions regarding windoze, any other microsoft operating system or application, or any software which runs under any form of windoze.

Firewalls

Reasons for firewalls

Some Types of firewalls

IPsec

Assorted Links

Performance

Relevenet RFCs