External firewall

from Wikipedia, the free encyclopedia

An external firewall (also known as a network or hardware firewall) controls the connection between two networks and is used to restrict network access based on the sender or destination address and the services used. It monitors the data traffic flowing through the firewall and uses defined rules to decide whether certain network packets are allowed through or not. In this way it tries to prevent unauthorized network access.

The networks could be, for example, a private network (LAN) and the Internet (WAN); however, it is also possible to connect different network segments of one and the same network.

In contrast to the personal firewall, the software of an external firewall does not run on the systems to be protected but on a separate device that connects networks or network segments with one another and, thanks to the firewall software running on it, simultaneously restricts access between the networks. Such a specialized device primarily offers a security-optimized system that is stable on the network side and which, thanks to its physical separation from the computer systems to be protected, cannot be manipulated so easily.

An external firewall thus consists of software and hardware components. Hardware components are devices with network interfaces that connect the networks with one another, such as bridges, routers or proxies; software components are their operating system and the firewall software installed on these devices (including its packet or proxy filters).

The external firewall is located between different computer networks and restricts access between these networks, in this example between the Local Area Network (LAN) and the Wide Area Network (WAN).

Basics

Firewall types

In addition to the option of installing firewall software (for example Check Point Firewall-1 or IPFire) on a suitable machine and hardening the operating system yourself, there is the option of using a firewall appliance: these offer a coordinated combination of hardware, hardened operating system and firewall software (e.g. Cisco ASA or Astaro Security Gateway).

A distinction is made between the following types:

Bridging firewall

Here the network interfaces are coupled like a bridge (now mostly replaced by a switch). A bridge is intended to connect two physically separate network segments with each other on OSI layer 2. It is characterized by the fact that it only passes data (frames) through to the other segment if the addressed station is located in that segment. The OSI layer 2 addresses (MAC addresses) of the data frames form the basis for this filtering.

In order to do its work, a bridge does not need any higher-level (IP) address of its own (unlike a router, it is not addressed directly by any communication partner at this level) and is therefore practically invisible in the network and also not attackable at this level ("bump in the wire"). However, the bridging firewall can usually be assigned a higher-level (IP) address with the appropriate configuration so that it can be administered not only locally but also over the network. This is usually done on a management interface dedicated to firewall administration.

So that its filtering is not limited to low-level addresses, the bridging firewall differs from a typical bridge in that it also internally inspects higher protocol layers and is therefore able to filter on IP addresses and ports, sometimes including stateful packet inspection. It can also redirect addresses (IP and port forwarding) as long as the bridging firewall is part of the communication path. Such a firewall can be implemented, for example, with the Netfilter framework.

Routing firewall

Here the network interfaces are coupled like a router. This is the most common type; it is used in practically all SoHo devices (for private use and smaller companies), but sometimes also in larger installations. Compared to the bridge, a router works on a higher level of abstraction by mediating between different IP domains (subnets) (the classic router manages all routes that a network packet should take in meshed networks based on the IP address). A disadvantage is that a firewall placed on it is therefore visible in the network and can be attacked directly (either it appears as a link between the subnets - router without NAT - or it is even addressed as a supposed communication partner - router in NAT mode).

NAT mode is a possible feature of the router. It influences the behavior of a firewall set up on such a device: in NAT mode, known in the private sector mainly from DSL routers, the firewall maps its own external address onto the respective internal client that is making the connection to the external network (Internet). Figuratively speaking, it then works like an automated mailbox that provides all outgoing packets passing the firewall with its own sender address. This ensures that the target system sends the response packets back to the "mailbox". Thanks to a special NAT management (PAT), it recognizes which internal device an incoming response packet from the Internet belongs to. It forwards the packet there without the sender on the Internet learning the real (internal) address of its communication partner. This behavior is not possible on a bridging firewall. In this mode the routing firewall - just like a proxy firewall - hides the structure of the internal network, but in contrast to the proxy firewall it is not able to influence the communication.

Proxy firewall

Here the firewall works as a proxy between the source and target system.

As a transparent proxy, the proxy firewall behaves in a similar way to that described under the routing firewall in NAT mode. With an appropriately configured network infrastructure, the client's request is automatically routed through the proxy firewall without the sender noticing or even being able to influence it. In contrast to NAT, a proxy firewall does not simply forward communication. Rather, it establishes its own connection to the target system. It therefore conducts the communication itself, on behalf of the requesting client. A proxy firewall can therefore analyze the content of the network packets coherently, filter requests and, if necessary, make adjustments, but also decide whether and in what form the target's response is passed on to the actual client.

There is also the conventional proxy, which likewise conducts the communication itself but acts as a direct communication partner on both sides. It is therefore deliberately addressed by them. Here the client asks the proxy to take over communication with the target system on its behalf. For example, the web browser is configured so that it does not send Internet requests directly to the target address, but sends them as a request to the proxy firewall.

With reference to the OSI layer model, a proxy firewall is also called an application level firewall. Each of its proxy filters establishes the connection to the target system on behalf of the clients. For each higher-level communication protocol (such as HTTP, FTP, DNS, SMTP, POP3, MS-RPC etc.) there is a separate filter, called a dedicated proxy. Several dedicated proxies can run simultaneously on a single device in order to serve different protocols. Among other things, they can prohibit unwanted protocol options, for example disallowing BDAT, VRFY or similar commands in an SMTP transaction.

Hardware firewall

In practice, there are no firewalls that are based exclusively on hardware. A firewall can run on its own operating system and access different network layers, but it does not thereby become part of the hardware. A firewall always contains software as an essential component.

Rather, the term hardware firewall is used as a synonym for external firewalls. It is intended to express that this is a separate piece of hardware on which the firewall software runs. However, there is hardware that has been optimized for running firewall software, for example in that a corresponding hardware design helps to accelerate parts of the encryption and decryption of certain protocols.

Network zones (interfaces)

The hardware component of an external firewall has several network interfaces (usually between 2 and 20), to which the network areas to be separated are connected. Depending on the product, these can be divided into the following network and trust zones:

The external network (usually labeled as a WAN port)

Mostly the Internet, but also another customer network. These are considered unsafe (no trust).

The internal network (usually titled as a LAN port)

From the firewall's point of view, this is its own network, which it is to protect and which it considers trustworthy (high level of trust).

The management network

This network connection is optional. All access to the configuration of the firewall system, the loading of rules and other administrative functions takes place from here (absolute trust). This network ensures that the firewall cannot simply be reconfigured from the internal network.

The demilitarized zone (DMZ)

This (also optional) network connection accommodates the servers that can be reached from the external network (little trust). These servers can establish no, or only limited, connections to the internal network on their own, whereas the internal clients can generally access these servers in the same way as they access servers on the Internet. This has the advantage that, should such a server be compromised from the external network, the intruder has no direct access to the internal network from there.

Larger companies often have several firewalls and DMZs, each with different rights, e.g. to separate the more exposed web and mail servers from the servers holding the data for the field staff.

The exposed DMZ (also DMZ for short) and the exposed host

The term 'exposed DMZ' (“exposed demilitarized zone”) suggests that this could be a separate network, although its virtual network connection can only be assigned to a single internal computer. Depending on the manufacturer, this “zone” is sometimes even called “DMZ” for short (without “exposed”), but it has nothing in common with a real DMZ or a separate network zone. Rather, some manufacturers use the designation “DMZ” for another functionality that is known in specialist circles as an exposed host. Although many devices do not meet the technical requirements for a real DMZ for cost reasons, the product is advertised with the wrong technical term.

All packets from the external network that cannot be assigned to another recipient are forwarded to this exposed host. This means that it can be reached from the Internet on all of its ports via the external address of the firewall, so that participants from the Internet can access all of its network services with practically no restrictions. But as soon as this (exposed) computer is taken over by an intruder, the firewall protection for all other internal participants is lost, since unhindered access to the internal network is possible from there. This places an element with a low level of trust (the exposed host), which actually belongs in a real DMZ, in the middle of a zone with a high level of trust (the internal network).

Filter process

Packet filter
The simple filtering of data packets based on port, source IP address and destination IP address is the basic function of all network firewalls.
Stateful inspection
This state-controlled filtering is an extended form of packet filtering that evaluates further connection data and thus ensures that only the communication partners involved can access the connection. Once a connection has been established, the firewall can also use it to detect whether and when the internal client is communicating with the external target system, and it only allows replies to this. If the target system sends data that was not requested by the internal client, the firewall blocks the transfer even after the connection between the client and the target system has been established. In addition, it blocks network packets that do not fit into the flow of communication, i.e. that have obviously been manipulated or are simply faulty.
Proxy filter
A proxy filter establishes the connection with the target system on behalf of the requesting client and forwards the response from the target system to the actual client. Since it conducts the communication itself, it can not only see it but also influence it at will. Specialized in a particular communication protocol, such as HTTP or FTP, it can analyze the data coherently, filter requests and make adjustments if necessary, but also decide whether and in what form the target's response is passed on to the actual client. Sometimes it is also used to cache certain responses so that they can be delivered more quickly for recurring requests without having to request them again from the target. Several proxies are often used in parallel on a single device in order to serve different protocols.
Content filter
A content filter is a form of proxy filter that evaluates the user data of a connection and is intended, for example, to filter ActiveX or JavaScript out of requested websites or to block generally known malware when downloading. Blocking unwanted websites using keywords and the like is also included.

Adaptation of the network address in the transition between the internal and external network

Depending on the type, the firewall can change the network address (within an IP network this is specifically the IP address) as soon as the packets pass the firewall device on their way to the destination. There are two different methods for this: proxy and NAT.

A simple analogy should clarify the proxy principle: friends come to visit. They want something to eat, and the host first draws up a list of the orders. Then he calls the pizza delivery service, places the order, takes the packages at the door and then passes them on to his friends.

The host acted in the same way as a proxy firewall: he contacted the pizza service on behalf of his friends, and he took the parcels at the door on their behalf in order to later distribute the pizzas to his friends based on the list. He is able to check the goods beforehand for correct delivery and, if he wants, can also garnish the pizzas (change the packages) before passing them on.

The pizza delivery man may suspect that the host will not eat all the pizzas alone, but he has never seen the people for whom the pizzas were actually intended. For him, the host was the only addressee and contact person (a representative).

Thanks to the adaptation of the address, not only can the real IP address of the actual communication partner be hidden, but also individual participants in a network or even entire networks can be connected to one another even if they are incompatible in terms of addressing and a direct connection would therefore not be possible.

The NAT procedure also makes such an adjustment. In relation to the previous example, the NAT device can better be compared with a sophisticated rail system behind the door slot, which lets the pizzas pushed through by the delivery man slide directly to the actual recipient. Although NAT also hides the identity of the real recipient, manipulation and analysis of the packet contents is not possible there.

Strictly speaking, it is the port management that enables the firewall device to connect a complete private (self-contained) network to the Internet via a single official Internet IP address. Comparable to the "list of orders" used above, each connection to the Internet has its own return port in the firewall device. The connections can be assigned to different internal clients - the PCs of the private network. Several computers in the private network that cannot communicate directly with the Internet using their private IP addresses (such as 192.168.0.0/16) are thus mapped onto a single official IP address (i.e. one that is valid on the external network). Since the target system does not see the actual client but only the firewall device, possible attacks from there are directed at the firewall, which is designed for this, and do not hit the client directly.

With a NAT device, this behavior is called address translation, as it adapts the address of one and the same network connection. In contrast, strictly speaking, the proxy firewall does not implement an address translation of a network connection, but is itself a communication partner that intervenes in the traffic. A proxy is the end point and starting point of separate connections to the other network. Viewed from the outside, however, the behavior of both devices is similar (on the surface): the sender address changes as soon as the request sent to the Internet passes the firewall device.

In contrast, the bridging firewall and a firewall router (in the mode without NAT) allow direct communication with the client without changing the address at the gateway.

Controversy about the term firewall in DSL routers

DSL routers are designed to make DSL Internet connections accessible to computers on a private network. In the private network they work as routers (often even in the form of a layer 3 switch that includes the router). This makes it possible to configure the DSL router on the internal devices as the “default gateway”, which means that it can mediate between the subnets of the internal (private) network as well as between the private network and the Internet.

The address translation is implemented in these devices using a special NAT process, dynamic Network Address Port Translation (NAPT, also PAT; see Port Address Translation). In the early days, DSL routers were sometimes referred to as DSL firewalls even when they relied on pure address translation using NAPT as their only security technology.

The security function of the address translation is based on the fact that these devices dynamically forward their ports only to those communication partners with whom communication has been requested from the internal network. The ports of the device are blocked as long as they do not belong to an internal connection. However, with a pure NAPT implementation, the use of the ports that belong to such a connection is not restricted to the original communication partner. Only a firewall with stateful packet inspection ensures that even the dynamically opened ports can only be addressed by the respective communication partner.

Pure address conversion by NAPT can therefore only be regarded as a limited security technology, which usually offers the contacted Internet servers more access options to the internal computers than is usual with a conventional firewall. The level of protection of a conventional firewall cannot be achieved by NAPT alone.
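To make that distinction concrete, here is a small simulation of a NAPT device, added as an illustration and not code from the article or from any router manufacturer. The addresses and ports are constructed, and the `stateful` switch stands for the additional stateful-inspection check the text describes: with it off, any Internet host may send to a dynamically opened return port; with it on, only the original communication partner may.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"  # the router's single official address (constructed sample)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Dynamic NAPT: each internal connection gets its own external return port."""

    def __init__(self, stateful: bool, first_port: int = 40000) -> None:
        self.stateful = stateful      # True: also check the remote endpoint (stateful inspection)
        self.next_port = first_port
        # external return port -> (internal ip, internal port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN->Internet packet to the public address and its return port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for ext_port, entry in self.table.items():
            if entry == key:
                break                  # existing connection: reuse its return port
        else:
            ext_port = self.next_port  # new connection: open a fresh return port
            self.next_port += 1
            self.table[ext_port] = key
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet->router packet back to the internal client, or drop it (None)."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                # port was never opened from inside: blocked
        int_ip, int_port, remote_ip, remote_port = entry
        if self.stateful and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                # only the original communication partner may use the port
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo(stateful: bool) -> Dict[str, bool]:
    """Run one client request through the device, then probe the opened return port."""
    nat = Napt(stateful)
    req = nat.outbound(Packet("192.168.0.10", 51000, "198.51.100.5", 80))
    # the contacted web server replies to the return port
    reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, req.src_port))
    # an unrelated Internet host sends to the same return port
    stranger = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, req.src_port))
    # anybody sends to a port that was never opened from inside
    closed = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return {
        "reply_reaches_client": reply is not None and reply.dst_ip == "192.168.0.10",
        "stranger_reaches_client": stranger is not None,
        "closed_port_reaches_client": closed is not None,
    }


if __name__ == "__main__":
    print("pure NAPT:            ", demo(stateful=False))
    print("NAPT + stateful check:", demo(stateful=True))
```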

Today, however, devices are mostly used that have at least a packet filter installed in addition to NAPT, which increases their security function. As an example, Netfilter forms the heart of numerous modern DSL routers. This is software that runs within a Linux kernel and takes care of port and address translation. It can evaluate and filter packets (including stateful packet inspection) and forward ports (port forwarding). Its configuration is usually implemented using iptables and a user interface provided by the manufacturer.

Fundamental security limits

Since DSL routers are intended to connect networks with one another and not to separate them, manufacturers of devices for private households try to avoid connection problems as automatically as possible, even if this means weakening or even breaking the security function. A blocked connection sometimes leads to problems with applications that offer their own services, for example. External access to such a service would normally be blocked by the DSL router as soon as the port of the service differs from the return port of the requested connection. However, this would mean that this part of the application would not work without special configuration settings on the DSL router, which is why the manufacturers adapt the NAT implementation accordingly.

If the Internet connection of one's own private computer works straight away without any restrictions, the device is particularly popular with customers. Security only plays a minor role here - if at all. For professional devices, the requirement is usually exactly the other way around. DSL routers intended for private use therefore often look bad in terms of security, and it is therefore controversial to call these devices a firewall. On the other hand, Elizabeth D. Zwicky writes in her book “Setting up Internet Firewalls”: “The world is full of people who are anxious to make you believe that something is not a firewall. [...] If it's meant to keep the bad guys off your network, it's a firewall. If it succeeds in keeping the bad guys out, it's a good firewall; if not, it's a bad firewall. That's all there is to say about it.”

As an example of DSL routers weakening security functions, depending on the product purchased, the home DSL router may by default treat the first computer it manages via DHCP as an exposed host, a setting that the user interface of the DSL router sometimes titles "Standard Server". The protection against uninvited Internet access is thus practically switched off for this computer, since all network services of the private computer become visible and accessible from the Internet. At least in households that connect only a single computer to the DSL router, the manufacturer thereby avoids numerous possible functional problems. The fact that this is questionable in terms of security does not play a role with these devices. After all, they do this on the grounds that otherwise some applications would not run error-free without manual configuration effort.

In order to ensure smooth operation without manual configuration effort even with less drastic means, the DSL router can, depending on the implementation of its connection concept, react as openly as possible to communication requests from the contacted Internet server. If an internal computer establishes a network connection to an Internet server, it is sometimes possible for this Internet server to then establish its own connections to the internal computer at will. To do this, a network request arriving on any external port of the DSL router is forwarded to the internal computer as soon as the sender address matches the Internet server to which the internal computer has previously established a connection. A reaction that is open only to a limited extent is possible in that the DSL router only reacts in this way if the client's network request previously indicated a protocol that is otherwise problematic for the connection (for example when FTP is active). If several internal computers have established a connection to this server, the DSL router tries to guess the right recipient using a heuristic. Depending on the product, DSL routers react with varying degrees of restriction to such requests, which is why it can be somewhat more time-consuming for the contacted Internet server to access any port of the communication partner.

In and of itself there is nothing wrong with the automated opening of communication as long as the DSL router has a solid command of the protocols of the services and allows controlled access to them. But that is precisely the problem: they usually lack intimate knowledge of the protocols used. This applies in particular to encrypted connections and connectionless protocols, for example also to active FTP and SIP. Since the inexpensive hardware of these devices already rules out a parallel analysis of the protocols, or at least restricts it to a minimum, some devices simply try to allow all external requests as far as possible in the hope that the corresponding application will work properly. If the DSL router has no packet filter function, certain ports cannot even be excluded.

How little security plays a role in DSL firewall routers is shown by the designation “DMZ” on some devices for a functionality that has nothing in common with a real DMZ. The customer's increased security risk is knowingly accepted.

For general security-related deficiencies of NAT-based devices, see RFC 2663 (“IP Network Address Translator (NAT) Terminology and Considerations”, Section 9 and, in this context, Section 7; in English).

Example of a simple firewall environment

Example of a firewall between the local network and the Internet

A simple firewall setup should clarify the matter: a company wants to connect its workstation computers to the Internet. To prevent malware from being downloaded from the Internet, for example, a firewall can ensure that the workstation PCs are only allowed to access permitted websites (whitelist).

To keep the example simple, the workstation PCs 10.0.0.2 and 10.0.0.3 are only allowed to establish connections to the company's mail server. So that research on the Internet is possible, there can also be a dedicated surfing computer that can access websites via a proxy. The surfing computer is additionally protected in that ActiveX is filtered out of the requested HTML pages for security reasons (other objects would also have to be filtered out for safe surfing, and there are also sandboxes - and kiosk modes - for the PC, but the example is kept simple).

Other external access to the company network is blocked. It is important that in this constellation the workstation computers themselves cannot establish any direct connection to the Internet that is not permitted. This means that malicious programs smuggled in via other channels cannot transmit any information over the Internet and can only spread further or download further malware from the Internet if they find a way via the proxy or the mail server.

The firewall rules of a system with stateful inspection would look like this in this example:

  1. Sources 10.0.0.2 and 10.0.0.3 (workstation) are allowed to access the destination "Mail provider" via IMAP (fetch mail) and SMTP (send mail)
  2. Source 10.0.0.1 (surfing computer) is allowed to use the proxy to access any target with the services HTTP (download websites) and HTTPS (ActiveX is filtered)
  3. All other communication attempts are rejected

More examples can be found in the article Demilitarized Zone.
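The three rules above, implemented as a toy stateful inspection filter; this is an added illustration rather than code from the article. The mail provider's address 198.51.100.25 and the probe packets are constructed, and the ActiveX filtering of rule 2 is left to the proxy filter and not modelled. The scenario shows what the text describes: a reply to a tracked connection passes, unsolicited data from the same server does not, and a workstation cannot open a direct web connection.

```python
from typing import List, Optional, Set, Tuple

MAIL_PROVIDER = "198.51.100.25"   # constructed stand-in for the "Mail provider" address
IMAP, SMTP, HTTP, HTTPS = 143, 25, 80, 443

# (allowed sources, allowed destinations or None for "any", allowed destination ports)
Rule = Tuple[Set[str], Optional[Set[str]], Set[int]]
RULES: List[Rule] = [
    # 1. workstations -> mail provider via IMAP (fetch mail) and SMTP (send mail)
    ({"10.0.0.2", "10.0.0.3"}, {MAIL_PROVIDER}, {IMAP, SMTP}),
    # 2. surfing computer -> any target via HTTP and HTTPS
    ({"10.0.0.1"}, None, {HTTP, HTTPS}),
]
# 3. everything else is rejected: implicit, because no rule matches

Conn = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class StatefulFirewall:
    def __init__(self) -> None:
        self.connections: Set[Conn] = set()   # the dynamic connection table

    @staticmethod
    def _rule_allows(src: str, dst: str, dport: int) -> bool:
        return any(src in srcs and (dsts is None or dst in dsts) and dport in ports
                   for srcs, dsts, ports in RULES)

    def filter(self, direction: str, src: str, sport: int, dst: str, dport: int) -> str:
        """direction is 'out' for LAN->WAN packets and 'in' for WAN->LAN packets."""
        if direction == "out":
            if (src, sport, dst, dport) in self.connections:
                return "ACCEPT (established)"
            if self._rule_allows(src, dst, dport):
                self.connections.add((src, sport, dst, dport))   # remember the new connection
                return "ACCEPT (new)"
            return "REJECT"
        # inbound: only a reply that fits a tracked connection (reversed tuple) passes
        if (dst, dport, src, sport) in self.connections:
            return "ACCEPT (reply)"
        return "REJECT"


def scenario() -> List[str]:
    """Six constructed packets, returned as the firewall's verdicts in order."""
    fw = StatefulFirewall()
    return [
        fw.filter("out", "10.0.0.2", 50001, MAIL_PROVIDER, IMAP),    # rule 1: fetch mail
        fw.filter("in", MAIL_PROVIDER, IMAP, "10.0.0.2", 50001),     # reply to that request
        fw.filter("in", MAIL_PROVIDER, IMAP, "10.0.0.2", 50002),     # unsolicited data, same server
        fw.filter("out", "10.0.0.2", 50003, "198.51.100.80", HTTP),  # workstation tries the web directly
        fw.filter("out", "10.0.0.1", 50004, "198.51.100.80", HTTPS), # rule 2: surfing computer
        fw.filter("in", "192.0.2.7", 4444, "10.0.0.1", 22),          # external access attempt
    ]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```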

Other functions and aspects

Anti-spoofing (ingress filtering)

An important function of firewalls is to prevent IP spoofing. Since the filtering is essentially based on IP addresses, it must be ensured as far as possible that these are not forged. Firewalls with anti-spoofing functionality therefore offer the option of assigning specific IP addresses and networks to specific network interfaces. All IP addresses except those used for other purposes are then automatically assigned to the Internet interface. IP packets arriving at the wrong interface are logged and discarded. Firewalls with an Internet connection can discard all packets from and to private IP addresses (RFC 1918) on the Internet interface, as these are not routed on the Internet anyway. This rules out IP spoofing with these addresses from the Internet. Although the assignment of IP networks to certain network interfaces should actually be unambiguous, problems sometimes arise in practice with dual-homed hosts and routing loops (packets that take different routes on the way there and back).
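Interface-based anti-spoofing as just described, written out as an added example (not from the article). The interface names and address ranges are a constructed layout: a private LAN, a DMZ with public addresses, and an Internet interface that receives everything else. Packets arriving on the wrong interface, and RFC 1918 addresses on the Internet interface, are logged and dropped before the rule set is consulted.

```python
import ipaddress
from typing import Dict, List

IPNet = ipaddress.IPv4Network

# Internal interfaces and the source networks that legitimately belong to them.
IFACE_NETS: Dict[str, List[IPNet]] = {
    "lan0": [ipaddress.ip_network("10.0.0.0/24")],
    "dmz0": [ipaddress.ip_network("203.0.113.0/28")],
}
INTERNET_IFACE = "wan0"   # every address not assigned above is expected to arrive here
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918


def _belongs_to(ip: ipaddress.IPv4Address, nets: List[IPNet]) -> bool:
    return any(ip in net for net in nets)


def ingress_check(iface: str, src: str, dst: str, log: List[str]) -> bool:
    """Return True if the packet may continue to the rule set; False means logged and dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == INTERNET_IFACE:
        # private addresses are not routed on the Internet, so they cannot be genuine here
        if _belongs_to(s, PRIVATE_NETS) or _belongs_to(d, PRIVATE_NETS):
            log.append(f"DROP {iface}: RFC 1918 address in {src} -> {dst}")
            return False
        # a source that belongs to one of our own interfaces cannot arrive from outside
        for internal_iface, nets in IFACE_NETS.items():
            if _belongs_to(s, nets):
                log.append(f"DROP {iface}: source {src} belongs to {internal_iface}")
                return False
        return True
    # internal interface: the source must lie in the networks assigned to it
    if not _belongs_to(s, IFACE_NETS.get(iface, [])):
        log.append(f"DROP {iface}: source {src} is not assigned to this interface")
        return False
    return True


def run_samples() -> List[bool]:
    """Constructed packets as (arrival interface, source, destination); returns the verdicts."""
    samples = [
        ("wan0", "198.51.100.7", "203.0.113.2"),   # genuine Internet client to the DMZ
        ("wan0", "10.0.0.2", "203.0.113.2"),       # private source from the Internet: spoofed
        ("wan0", "203.0.113.5", "203.0.113.2"),    # our own DMZ address arriving from outside: spoofed
        ("lan0", "10.0.0.2", "198.51.100.7"),      # LAN client going out
        ("lan0", "192.0.2.9", "198.51.100.7"),     # foreign source on the LAN interface: spoofed
    ]
    log: List[str] = []
    verdicts = [ingress_check(iface, src, dst, log) for iface, src, dst in samples]
    for line in log:
        print(line)
    return verdicts


if __name__ == "__main__":
    print(run_samples())
```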

Authentication

Since filtering on the basis of IP addresses cannot be fully trusted due to potential IP spoofing, some firewalls offer the option of authenticating a user and only then activating certain rules for a limited period of time. For strong authentication, for example, the Check Point Firewall-1 and the Juniper Networks firewalls offer compatibility with the SecurID tokens from RSA Security.

Intrusion detection and intrusion prevention systems

"Intrusion Detection Systems" (IDS) and "Intrusion Prevention Systems" (IPS) are sometimes installed on a firewall device, but do not belong to the firewall module. While the firewall module does not recognize attacks, but is only intended to allow certain communication relationships - based on the sender or destination address and the services used - these additional modules add the ability to recognize an intrusion attempt based on communication patterns. In contrast to the IPS, an IDS can only recognize the intrusion (detection), while an IPS (prevention) also tries to block the unwanted access.

Such a system can sometimes open up the possibility of a denial of service attack. Some systems create a temporary firewall rule that blocks all further connection attempts from the supposedly attacking IP address. If, however, an attacker sends packets to the system with a forged sender address, he can use this to block access to the forged address. In this way, he can cut off all the addresses that the attacked system needs for its work (DNS server, etc.).

High availability

Due to the importance of the Internet, firewalls have become critical network components in many companies and in some cases even represent a single point of failure for important business processes. Therefore, high-availability techniques such as failover or cluster operation are used to reduce the risk of failure.

Another advantage of these techniques is that individual firewalls can be switched off for maintenance purposes or for software updates without interrupting the connection.

The same solutions are often used for implementation as with high-availability routers (for example HSRP, VRRP or CARP) or special products such as Rainwall from EMC2.

In the event of a failover, there are two options for how the stateful inspection firewall takes over the existing connections. One method is for all firewalls to permanently synchronize their dynamic connection tables with one another, so that each firewall is able to assign all connections correctly. The other method works without synchronization, but all existing connections are checked again against the rules by the firewall taking over after the change. This solution is simpler, but causes problems with complex protocols such as active FTP. Since the ports negotiated there for the data connections are random, the firewall taking over cannot assign these packets to any rule and will discard them.

The firewalls from Check Point, OpenBSD (via pfsync) and Linux (via ct_sync) provide synchronization of the connection tables.

High security environments

Only when it is known against which scenarios a certain level of security is to be achieved can one start thinking about how this will be implemented. The creation of a security concept helps. In larger organizations, a separate security policy is usually used for this.

The firewall is part of the security concept. Just as “fire protection” is a bundle of measures (and not just the smoke detector in the stairwell), this partial aspect can be a bundle of several measures, depending on the security concept. The firewall can consist of several components, some of which serve, for example, a DMZ.

Different installations have different security requirements. For example, banks, stock exchanges, the military, etc. have a high need for security. If, for example, tunneling represents a risk that should be minimized, this can possibly be implemented explicitly by regulating the traffic using whitelists. In a high security environment, it is advisable to prevent any traffic that is not absolutely required.

However, there can be no absolute security; even a well-configured firewall is not a security mechanism that cannot be overcome sooner or later. At best, the barrier can be made such a great challenge for an intruder that the attack is not worth the effort.

In the case of software products, free access to their source code is one aspect of computer security. Among other things, it is important to minimize the risk that a product contains functionality that the user is not supposed to know about. Open-source software can be examined by the public for this purpose and, moreover, audited for weaknesses using legally unobjectionable means, so that such weaknesses can be closed more quickly. In addition, users can compile the source code themselves and thus ensure that only this source code is actually running on their device.

In extreme cases, multi-level solutions can also help to limit the exploitation of security gaps within the firewall. For example, a network packet can pass through several firewall systems from different manufacturers connected in series, so that system-specific errors or back doors possibly installed by a manufacturer lose a large part of their effectiveness, depending on how the systems are coordinated.

Virtual Local Area Networks

Modern firewalls support Virtual Local Area Networks (VLANs), i.e. several logical networks can be reached via one physical network interface. This means that more networks can be connected to the firewall than its number of physical network interfaces would allow.

Using VLANs may be cheaper than buying additional network interfaces for the firewall. Another advantage is that a software configuration of the firewall and the other network components is sufficient to connect new networks; no new cables have to be pulled.

The disadvantage is that all VLANs share the capacity of the one LAN connection. From a security standpoint, it is questionable that the separation of the various networks is no longer under the firewall's control; the system is therefore easier to compromise. In such a setup, the firewall depends on the cooperation of the network components used. These components are not necessarily hardened systems, sometimes offer additional attack surfaces (WWW, SNMP, Telnet, etc.) and are therefore not, or only partially, suitable for security solutions.

Security problems can arise for various reasons: a malfunctioning network component, an incorrect configuration of the component (e.g. SNMP), an incorrect implementation or configuration of the VLAN separation, or a compromise of the network device's administration. A configuration reset of a component may go unnoticed for some time, because many switches, for example, forward VLAN packets (those with VLAN tags) even without a corresponding VLAN configuration. Furthermore, by inserting a hub, several LAN segments of the VLAN can be monitored simultaneously and unnoticed.

On the WAN side, VLANs can provide valuable services. In the area of the DMZ, the disadvantages may still be acceptable depending on the environment; in a security-critical environment, however, the disadvantages will outweigh the advantages.
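One check a defender can run on a VLAN segment is to look for tags that should not be there. The following added example (not from the article or any product; the frames are constructed inline) parses 802.1Q/802.1ad tags from Ethernet frames and flags frames that carry unexpected or stacked VLAN IDs:

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (outer) tag of a stacked VLAN


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype) for an Ethernet II frame: the VLAN IDs from
    outermost to innermost (empty if untagged) and the payload EtherType that
    follows the last tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # EtherType / TPID follows the two 6-byte MAC addresses
    vlan_ids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlan_ids, ethertype


def unexpected_frames(frames, allowed_vids):
    """Flag frames whose tags do not fit the VLANs expected on this segment:
    a VID outside `allowed_vids`, or stacked tags, which an access segment
    should never carry. Untagged frames are left alone (native VLAN).
    Returns (index, vlan_ids) pairs for review."""
    findings = []
    for index, frame in enumerate(frames):
        vlan_ids, _ = parse_vlan_tags(frame)
        if len(vlan_ids) > 1 or any(v not in allowed_vids for v in vlan_ids):
            findings.append((index, vlan_ids))
    return findings


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 20):
    """Build a test frame with the given tag stack (constructed data)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if len(vids) > 1 and i == 0 else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed capture from a segment where only VLANs 10 and 20 are expected.
SAMPLE = [build_frame([]), build_frame([10]), build_frame([99]), build_frame([10, 20])]
```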

Routing and Multicast

Most firewalls are designed as routers. This is particularly useful in the SOHO area, because a router with combined NAT and PPPoE functionality is usually required to connect several computers. In company networks, routing functionality is often desired as well, because there the routing firewall replaces the default gateway that was used previously.

Just like routing, the IP multicasting capability of a firewall depends on the operating system of the device on which the firewall software runs. Rules are entered with the multicast addresses (224.0.0.0–239.255.255.255). Further aspects are described in RFC 2588.

Administration

Performance measurement and optimization

Since the speed depends on many dynamic factors, evaluating the performance of a firewall is not trivial. These factors include the size and order of the rule set, the type of network traffic and the configuration of the firewall (e.g. stateful inspection, logging). Uniform benchmarking of firewalls is described in RFC 2647.

The following measures are possible for optimization:

  • More main memory and/or a faster CPU.
  • Switch off logging for individual rules.
  • Remove unused rules and routing entries.
  • Move frequently used rules up in the rule set. Note that, because rules are evaluated in order, this can change the meaning of the rule set.
  • In fault-tolerant systems, switch off synchronization of the connection table for individual rules. This is particularly feasible for short-lived HTTP connections.
  • Use product-specific features, such as Nokia IPSO Flows or Check Point SecureXL.
  • Check that all network interfaces operate in full duplex.
  • Tune the network parameters of the operating system.
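The ordering caveat in the list above can be checked mechanically. The following added example (not from the article or any firewall product; rules, hit counters and packets are constructed) implements a first-match filter and hoists frequently hit rules only past rules they cannot overlap with, so the policy keeps its meaning:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str    # "accept" or "drop"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source network, CIDR notation
    dst: str       # destination network, CIDR notation
    dports: tuple  # inclusive destination port range (low, high)
    hits: int = 0  # match counter taken from the firewall's statistics

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dports[0] <= dport <= self.dports[1])

def decide(rules, proto, src, dst, dport, default="drop"):
    """First matching rule wins, as in most packet filters."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return default

def overlap(a, b):
    """True if some packet could match both rules. Swapping such a pair may
    change the policy; swapping a non-overlapping pair never does."""
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    if not (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))):
        return False
    return a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1]

def hoist_hot_rules(rules):
    """Insertion sort by descending hit count, but a rule only moves up past
    rules it does not overlap with, so order-dependent semantics stay intact."""
    out = []
    for rule in rules:
        pos = len(out)
        while pos > 0 and out[pos - 1].hits < rule.hits and not overlap(out[pos - 1], rule):
            pos -= 1
        out.insert(pos, rule)
    return out

# Constructed rule set: a specific telnet block precedes a broad accept rule.
RULES = [
    Rule("drop", "tcp", "0.0.0.0/0", "10.0.0.0/8", (23, 23), hits=5),
    Rule("accept", "tcp", "192.168.1.0/24", "10.0.0.0/8", (1, 65535), hits=1000),
    Rule("accept", "udp", "0.0.0.0/0", "10.0.0.53/32", (53, 53), hits=2000),
]
NAIVE = sorted(RULES, key=lambda r: -r.hits)  # reordered by hit count alone
SAFE = hoist_hot_rules(RULES)                 # reordered with the overlap check
```

With NAIVE, a telnet packet from 192.168.1.5 to 10.0.0.7 is accepted because the broad rule now precedes the block; SAFE keeps the block in front of it.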

Troubleshooting

Troubleshooting a large network can become very complex.

A common mistake is, for example, a firewall rule that contains IP addresses which have been rewritten by NAT or a VPN. The options for troubleshooting differ depending on the firewall software and operating system used.

Incorrect firewall rules or IP spoofing can be detected from the log files. With tools such as tcpdump, or snoop under Solaris, the current network traffic on the incoming and outgoing network interfaces can be observed and compared. Furthermore, some systems offer insight into the internal processing of the firewall software (e.g. "fw monitor" on Check Point FW1).

With a firewall system in cluster operation, log files are useful for determining which machine is actually processing the faulty connection. Log files are unsuitable for detailed troubleshooting if they contain an entry only per connection rather than per individual packet.

In addition to the firewall's own facilities, tools such as ping, nmap or traceroute help to determine whether the error lies outside the system, e.g. in the routing, or whether the destination port is simply not open.

Problematic protocols

Voice over IP and video conferencing

Voice over IP (VoIP) and video conferencing are not trivial for stateful firewalls, as several different protocols (e.g. for call signaling, audio, video, application sharing) and participants (callers, called parties, telephone systems, conference calls) are usually involved. Some commercial firewalls understand the VoIP protocols (SIP or Skinny) and are therefore able to open ports dynamically.

See also: Session Initiation Protocol (SIP)

File Transfer Protocol (FTP)

FTP is a fairly old protocol, but it is difficult for firewalls to handle. In particular, active FTP mode, in which, in addition to the control connection on port 21, a further data connection is established in the reverse direction from the server to the client, causes problems for some firewalls.

The connection established in the reverse direction can, in theory, also be misused by the operator of the FTP server for attacks. Some firewall systems therefore prohibit establishing the data connection on port numbers known to belong to other services. This reduces the susceptibility of the data connection to misuse for attacks.

Typical symptoms of a firewall that has problems with FTP are that navigation through the directories works, but data transfers are cut off without an error message. The problems mentioned above do not occur with passive FTP (configurable in the FTP client, or by entering “PASV” in command-line clients) or when using the encrypted SCP, which is based on the SSH protocol.
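As an added illustration of how a stateful firewall can track FTP's negotiated data connections (example code, not from the article or any product; the reserved port list and the control-channel lines are constructed), the helper below parses PORT commands and 227 replies and refuses a dynamic opening when the announced address is not the announcing peer's own or the port belongs to another service:

```python
import re
from ipaddress import ip_address

# Ports above 1023 used by other services that are refused for FTP data
# connections here (constructed subset); ports below 1024 are always refused.
RESERVED_DATA_PORTS = {3389, 5900, 8080}

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the 'h1,h2,h3,h4,p1,p2' encoding of RFC 959 into (ip, port),
    or return None if the text carries no well-formed endpoint."""
    match = _HOSTPORT.search(text)
    if not match:
        return None
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def pinhole_for(line, client_ip, server_ip):
    """Return (src_ip, dst_ip, dst_port) for the data connection the firewall
    should expect next, or None when no pinhole must be opened.
    `line` is one control-channel line prefixed 'C:' (client) or 'S:' (server)."""
    direction, _, payload = line.partition(":")
    payload = payload.strip()
    if direction == "C" and payload.upper().startswith("PORT "):
        # Active mode: the server connects back to the client.
        endpoint, owner, src = parse_hostport(payload), client_ip, server_ip
    elif direction == "S" and payload.startswith("227"):
        # Passive mode: the client connects to the endpoint the server announced.
        endpoint, owner, src = parse_hostport(payload), server_ip, client_ip
    else:
        return None  # no data-connection announcement on this line
    if endpoint is None:
        return None
    ip, port = endpoint
    # The announced address must be the announcing peer's own address;
    # otherwise the data connection would be redirected to a third host.
    if ip_address(ip) != ip_address(owner):
        return None
    # Refuse well-known and other reserved service ports for the data channel.
    if port < 1024 or port in RESERVED_DATA_PORTS:
        return None
    return src, ip, port
```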

Origin of the firewall

The first packet filters were built into routers by Cisco in 1985. The first study of network traffic filtering was published in 1988 by Jeff Mogul.

In the early days of the Internet, administrators were mostly unaware of possible attacks from within the network. That only changed in 1988, when Robert Morris wrote and released the first computer worm. It paralyzed about 6000 computers, which at that time corresponded to about 10% of the global network. After that, the use of firewalls became widespread.

Products

Firewall software

  • "Astaro Security Linux" is a commercial Linux distribution for firewall systems.
  • Check Point Firewall 1 is a commercial firewall application that runs on Unix, Windows and Nokia appliances.
  • Endian Firewall is an open source Linux distribution for gateway/router/firewall systems that offers comprehensive gateway protection (antivirus, antispam, DMZ, intrusion detection, etc.) and, as a headless server, is very easy to configure via a web frontend.
  • The single-disk router fli4l is, alongside the Gibraltar CD variant, a project that allows old PCs to be reused as firewalls in the interests of sustainability.
  • IPFire is a free Linux distribution that primarily functions as a router and firewall, which can easily be expanded with many additional functions using a package manager.
  • IPCop is an easy-to-use Linux distribution, a balanced compromise between a secure firewall and a wide range of functions (antivirus, antispam, DMZ, proxy).
  • ipfw is a packet filter of the FreeBSD operating system, also available as wipfw for Windows systems.
  • Netfilter/iptables is the packet filter within the Linux kernel.
  • M0n0wall is a security-optimized BSD-based firewall whose functions come close to those of professional firewalls while remaining very easy to configure.
  • OPNsense is a free firewall based on FreeBSD that includes Address Space Layout Randomization (ASLR) from HardenedBSD and allows the free crypto library LibreSSL to be used as an alternative to the standard OpenSSL (selectable in the GUI).
  • pfSense is an easy-to-use BSD-based firewall and offshoot of M0n0wall, a compromise between a secure firewall and a wide range of functions (antivirus, antispam, DMZ, proxy).
  • phion netfence is a European enterprise firewall product that is available as a software and as a hardware appliance.
  • Microsoft Internet Security and Acceleration Server is a commercial firewall from Microsoft based on Windows Server 2000/2003. Its integration into the Active Directory directory structure is an advantage.
  • pf is an open source firewall originally developed for OpenBSD and later ported to other BSD operating systems.
  • "Securepoint Linux" is a commercial UTM Linux distribution.
  • Shorewall
  • SME Server is a firewall based on open source software that also contains server functions for use in the SoHo area.

Firewall devices

Firewall devices offer a coordinated combination of hardware, hardened operating system and firewall software:


Literature

  • Jacek Artymiak: Building Firewalls with OpenBSD and PF. 2nd edition. devGuide.net, Lublin 2003, ISBN 83-916651-1-9.
  • Wolfgang Barth: The Firewall Book. Basics, structure and operation of secure networks with Linux. 3rd updated and expanded edition. Millin-Verlag, Poing 2004, ISBN 3-89990-128-2.
  • Federal Office for Information Security: Design of security gateways. The right structure and the right modules for a secure network. Bundesanzeiger, Cologne 2005, ISBN 3-89817-525-1.
  • William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin: Firewalls and Internet Security. Repelling the Wily Hacker. 2nd edition, 3rd printing. Addison-Wesley, Boston MA et al. 2007, ISBN 978-0-201-63466-2 (Addison-Wesley Professional Computing Series).
  • Andreas Lessig: Linux Firewalls. A practical introduction. 2nd edition. O'Reilly, Beijing et al. 2006, ISBN 3-89721-446-6 (download of the LaTeX sources).
  • RFC 2979: Behavior of and Requirements for Internet Firewalls.
  • Stefan Strobel: Firewalls and IT security. Basics and practice of secure networks: IP filters, content security, PKI, intrusion detection, application security. 3rd updated and expanded edition. dpunkt-Verlag, Heidelberg 2003, ISBN 3-89864-152-X (iX edition).
