Exploring Firewall Technology

Securing all aspects of your network can be a daunting task. For an organization with ecommerce, intranet, and extranet sites, as well as e-mail, this only adds to the complexity of the task. Of course, there are costs to providing a high level of security, in terms of both staff and equipment needed to implement a network security policy. These costs must be weighed against the possibility of network security breaches.

For many organizations, the Cisco IOS Firewall meets their need to provide security if they choose not to use a firewall appliance because of financial constraints or technical complexity. For these organizations, the Cisco IOS Firewall provides a full-featured firewall implemented on Cisco routers using Cisco IOS software. This section explores the Cisco IOS Firewall and discusses various firewall technologies.

The Role of Firewalls in Defending Networks

Have you ever wondered where we get the term "firewall"? It originally described the segment that separated the engine compartment from the interior of an automobile. In the network world, this term has been used as a metaphor for how we separate our internal network from the dangers of the outside world. Firewalls allow us to segment our networks into different physical subnetworks, thereby helping limit the potential damage that could spread from one subnet to another. This is much like how original firewalls worked to limit the spread of a fire.

In our world of network security, a firewall may be a piece of software or hardware that acts as a barrier between our internal (trusted) network and the external (untrusted) network, such as the Internet. In practical terms, a firewall is a set of related programs that enforce an access control policy between two or more networks.

Firewalls consist of a pair of mechanisms that perform two separate functions, as shown in Figure 10-1:

■ One mechanism blocks traffic.

■ The second mechanism permits traffic.

A firewall is a set of related programs located at a network gateway server that protects the resources of a private network from users on other networks. As shown in Figure 10-1, basic firewall services may be provided through several means:

■ Static packet filtering

■ Circuit-level firewalls

■ Application server

Figure 10-1 Basic Firewall

Basic Firewall Services:

By placing greater emphasis on either blocking traffic or permitting it, based on the specifications you determine, modern firewall designs attempt to balance these two functions. Before implementing a given firewall solution, you must define an access control policy. Once deployed, the firewall enforces that policy on traffic entering and leaving your network. Firewall designs can range from a single firewall in a small network to multiple firewalls protecting multiple network segments in large network implementations.

If you are hosting an application for use over the network, firewalls can be used to manage public access to private network resources such as this. Firewalls can log all attempts to enter the private network, and some can trigger alarms when unauthorized or hostile entry is attempted.

Firewalls filter packets based on a variety of parameters, such as their source or destination address and port number. Network traffic can also be filtered based on the protocol used (HTTP, FTP, or Telnet). The result is that the traffic is either forwarded or rejected. Firewalls can also use other packet attributes, or the state of the connection a packet belongs to, to filter traffic.

(Figure 10-1 labels: Application Server; Bad Traffic; Good Traffic)

The Advance of Firewall Technology

Firewall technology has been available to defend networks for quite some time. This section describes four generations of firewall technologies developed between 1983 and 1995. As shown in Figure 10-2, these four generations include static packet-filtering firewalls, circuit-level firewalls, application layer firewalls, and dynamic packet-filtering firewalls. Taken together, these form the foundation of the current technology employed in Cisco firewalls. Figure 10-2 also notes when Cisco acquired PIX technology.

Figure 10-2 Firewall Technologies Through the Years

(Figure 10-2 timeline labels: Static Packet Filtering Firewalls; Circuit Level Firewalls; Application Layer Firewalls; Dynamic Packet Filtering Firewalls; Cisco Acquires PIX Technology)

Initial firewalls inspected network traffic using one of four architectural models defined by the information they examine. They used this information to make security-related decisions, determining what to block and what to allow. Today's firewalls have more-advanced capabilities, as we can see in the Cisco PIX Security Appliance and Cisco IOS Firewall.

Table 10-2 lists additional details of the four initial firewall technologies.

Table 10-2 Initial Firewall Technologies

Firewall Technology | Description

Static packet-filtering firewall

This first-generation firewall technology is a Layer 3 device that analyzes network traffic. IP packets are examined to see if they match one of a set of rules defining which data flows are allowed. These rules specify whether communication is allowed based on information contained in the network and transport layer headers, as well as the direction of the packet flow.

Circuit-level firewall

This second-generation firewall technology validates the fact that a packet is either a connection request or a data packet belonging to a connection, or virtual circuit, between two peer transport layers.

Application layer firewall

This third-generation firewall technology evaluates network packets for valid data at the application layer before allowing a connection. The firewall examines the data in all network packets at the application layer and maintains complete connection state and sequencing information. Application layer firewalls can also validate other security items that appear only within the application layer data, such as user passwords and service requests.

Dynamic packet-filtering firewall

This fourth-generation firewall technology, sometimes called a stateful firewall, keeps track of the actual communication process through the use of a state table. These firewalls operate at Layers 3, 4, and 5.

These various firewall technologies each have advantages and disadvantages, and each has a role to play, depending on the needs of your organization.

The Cisco advances in firewall technologies include the acquisition of the original Private Internet Exchange (PIX) technology in 1995. Today Cisco continues to develop PIX capabilities. The Cisco PIX appliances represent network layer firewalls that employ stateful inspection. These firewalls allow internal connections out (outbound traffic) and only allow inbound traffic that is a response to a valid request or that is explicitly allowed by an access control list (ACL). Cisco PIX technology may be configured to perform a variety of critical network functions, including Network Address Translation (NAT) and Port Address Translation (PAT).
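The following added example (not from the book or Cisco's own code) models the difference Table 10-2 and the PIX description draw between a static packet filter, which judges each packet alone, and a stateful filter, which admits inbound packets only when they answer a flow recorded in its state table or an explicit ACL opens the service. Addresses, ports and rules are constructed.

```python
# Added example, not from the book: toy model of a static packet filter (first
# generation) versus a stateful filter (fourth generation) as described above.
# Addresses, ports and rules are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside to outside, "in" = outside to inside
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def static_filter(pkt, rules):
    """Judge each packet alone on its L3/L4 header fields and direction.
    A rule is (direction, proto, sport, dport, action); None is a wildcard."""
    for direction, proto, sport, dport, action in rules:
        if (direction == pkt.direction and proto == pkt.proto
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"                      # implicit deny at the end of the list

class StatefulFilter:
    """Record outbound flows; admit inbound only for a recorded flow or an ACL entry."""
    def __init__(self, inbound_acl=()):
        self.state = set()                   # (proto, in_ip, in_port, out_ip, out_port)
        self.inbound_acl = set(inbound_acl)  # (proto, dport) explicitly opened
    def check(self, pkt):
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "permit"                  # reply to a flow that left earlier
        if (pkt.proto, pkt.dport) in self.inbound_acl:
            return "permit"                  # service explicitly published
        return "deny"

# A static filter needs a rule keyed on source port 80 to let web replies back
# in, which also admits any inbound packet that merely claims source port 80.
STATIC_RULES = [("out", "tcp", None, 80, "permit"), ("in", "tcp", 80, None, "permit")]
REQUEST = Packet("out", "tcp", "10.1.1.5", 51000, "203.0.113.9", 80)
REPLY = Packet("in", "tcp", "203.0.113.9", 80, "10.1.1.5", 51000)
UNSOLICITED = Packet("in", "tcp", "198.51.100.7", 80, "10.1.1.5", 3389)

def compare():
    """Return each filter's verdicts on request, reply and unsolicited packet."""
    fw = StatefulFilter()
    pkts = (REQUEST, REPLY, UNSOLICITED)
    return {"static": [static_filter(p, STATIC_RULES) for p in pkts],
            "stateful": [fw.check(p) for p in pkts]}
```

The third packet is the point: the static filter forwards it because its source port looks like a web reply, while the stateful filter denies it because no inside host ever opened that flow.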

In addition to working with Cisco PIX appliances, you may choose to use the features of the Cisco IOS Firewall embedded in Cisco IOS software. This allows you to turn your router into an effective, robust firewall with many of the capabilities of the Cisco PIX Security Appliance. In addition, Cisco offers the Adaptive Security Appliance (ASA), which provides an easy-to-deploy solution that integrates firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion prevention system (IPS), and content security services.

Transparent Firewalls

In traditional network configurations, a firewall acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall is a Layer 2 firewall and behaves like a "stealth firewall." In other words, it is not seen as a router hop to connected devices. In this implementation, the security appliance connects the same network on its inside and outside ports. However, each interface resides on a separate VLAN.

The characteristics of transparent firewall mode are as follows:

■ Transparent firewall mode supports two interfaces, usually an inside interface and an outside interface.

■ Transparent firewall mode can run in single as well as multiple context mode.

■ Packets are bridged by the security appliance from one VLAN to the other instead of being routed.

■ MAC lookups are performed rather than routing table lookups.

A transparent firewall can be easily introduced into an existing network. Because it is not a routed hop, IP readdressing is unnecessary. Maintenance is also easy, because there are no routing patterns that might require troubleshooting and no NAT configuration to be done.

Even though transparent mode acts as a bridge, Layer 3 (IP) traffic does not simply pass through the security appliance from a lower security level interface to a higher security level interface; the ACL rules described next still apply.

You can configure transparent firewalls to allow any traffic through using either an extended ACL (for IP traffic) or an EtherType ACL (for non-IP traffic) if you want. Without a specific ACL, the only traffic allowed to pass through the transparent firewall is Address Resolution Protocol (ARP) traffic; this can be controlled by ARP inspection. Note also that transparent firewalls do not pass CDP packets or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, it is not possible to pass IS-IS packets. One exception is BPDUs, which are supported.
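The following added example (not from the book or Cisco's own code) models the default forwarding rules just described for a transparent firewall: ARP passes by default, IP needs a permitting extended ACL, other EtherTypes need an EtherType ACL, and frames without a valid EtherType of 0x600 or above are dropped except for BPDUs. Frame contents are constructed, and ARP inspection and the real ACL syntax are not modelled.

```python
# Added example, not from the book: a toy model of the default forwarding rules of a
# transparent (Layer 2) firewall as described above. Frame fields are constructed;
# ARP inspection and the ACL syntax itself are not modelled.
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
LLC_DSAP_STP = 0x42                      # BPDUs ride in LLC frames with DSAP 0x42

def bridge_decision(frame, ip_acl=lambda f: False, ethertype_acl=frozenset()):
    """Return (action, reason) for one frame.
    frame: dict with 'ethertype' (the 16-bit type/length field) and, for
           length-encoded 802.3 frames, 'dsap'; IP frames also carry 'ip'.
    ip_acl: callable standing in for an extended ACL applied to IP traffic.
    ethertype_acl: set of EtherTypes an EtherType ACL explicitly permits."""
    et = frame["ethertype"]
    if et < 0x600:                        # 802.3 length field, not a valid EtherType
        if frame.get("dsap") == LLC_DSAP_STP:
            return "forward", "BPDU (spanning-tree exception)"
        return "drop", "no valid EtherType >= 0x600 (for example CDP, IS-IS)"
    if et == ETHERTYPE_ARP:
        return "forward", "ARP allowed by default"
    if et == ETHERTYPE_IPV4:
        if ip_acl(frame["ip"]):
            return "forward", "permitted by extended ACL"
        return "drop", "IP traffic with no permitting extended ACL"
    if et in ethertype_acl:
        return "forward", "permitted by EtherType ACL"
    return "drop", "non-IP EtherType not permitted by an EtherType ACL"

# Constructed frames
ARP_FRAME = {"ethertype": ETHERTYPE_ARP}
HTTP_FRAME = {"ethertype": ETHERTYPE_IPV4, "ip": {"proto": "tcp", "dport": 80}}
SSH_FRAME = {"ethertype": ETHERTYPE_IPV4, "ip": {"proto": "tcp", "dport": 22}}
BPDU_FRAME = {"ethertype": 0x0026, "dsap": LLC_DSAP_STP}   # length field + LLC
CDP_FRAME = {"ethertype": 0x0100, "dsap": 0xAA}             # SNAP-encapsulated CDP
MPLS_FRAME = {"ethertype": 0x8847}

def permit_web_only(ip):
    """Stand-in for an extended ACL that permits only TCP port 80."""
    return ip["proto"] == "tcp" and ip["dport"] == 80

def evaluate(frames, ip_acl=lambda f: False, ethertype_acl=frozenset()):
    return {name: bridge_decision(f, ip_acl, ethertype_acl)[0] for name, f in frames.items()}

FRAMES = {"arp": ARP_FRAME, "http": HTTP_FRAME, "ssh": SSH_FRAME,
          "bpdu": BPDU_FRAME, "cdp": CDP_FRAME, "mpls": MPLS_FRAME}
```

With no ACLs configured only ARP and BPDUs cross the bridge; adding the extended ACL opens HTTP but not SSH, and an EtherType ACL is needed before the MPLS frame is forwarded.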

Because the security appliance acts as a bridge device in this configuration, IP addressing should be configured as if the security appliance is not in the network. Note, however, that a management IP address is required for connectivity to and from the security appliance itself and that this address must be on the same subnet as the connected network. A further consideration is that as a Layer 2 device, the security appliance interfaces must be on different VLANs to differentiate the traffic flow.

Application Layer Firewalls

If you are looking to provide a higher level of security than what is offered via circuit-level firewalls, application layer firewalls may be the right choice. Application layer firewalls, sometimes called proxy firewalls or application gateways, allow the greatest level of control and work across all seven layers of the OSI model, as shown in Figure 10-3. These firewalls filter traffic at Layers 3, 4, 5, and 7 of the OSI model.

Figure 10-3 Mapping the Application Layer Firewall to the OSI Model

(Figure 10-3 labels: Application Layer Firewall; OSI Model; Data Link)

Many application layer firewalls include specialized application software and proxy servers. Proxy services manage traffic through a firewall for a specific service, such as HTTP or FTP. The proxy services provided are specific to the protocols that they are designed to forward. These can also provide increased access control along with detailed checks for valid data and can even be used to generate audit records of the traffic that they transfer.

Proxy firewalls serve as an intermediary between networks, often your internal network and the Internet at large, determining whether to allow communication to proceed. In a configuration that employs proxy firewalls, there is no direct connection between an outside user and internal network resources. The proxy server provides the only visible IP address on the Internet. Clients connect to the proxy server to submit their application layer requests. These requests include the actual destination as well as the data request itself. Based on the proxy server settings, the proxy server analyzes the request and may even filter or change the packet contents before proceeding. The proxy server also makes a copy of all the incoming packets and then changes the source address. It does this to hide the internal address from the outside world before it sends the packet to the destination address.

The proxy server receives a reply from the destination server, and then the proxy server is responsible for passing the response to the client.

Benefits of Using Application Layer Firewalls

The proxy server monitors and controls outbound traffic. Doing so helps protect the private network servers inside the network. Access to the network is provided by the proxy server. The proxy server establishes the session state, user authentication, and authorized policy. In this way, users connect to services through application programs or "proxies" running on the gateway that connects to the outside or unprotected zone. Figure 10-4 shows the application layer proxy firewall and the layers at which it may be used to filter traffic based on the OSI model.

Figure 10-4 Application Layer Proxy Firewall and the OSI Model

(Figure 10-4 labels: OSI Layer 7 down to Layer 1, with Layer 2 labelled Data Link. Caption note: Application layer firewalls operate at OSI Layers 3, 4, 5, and 7.)

Application layer firewalls are responsible for filtering at Layers 3, 4, 5, and 7 of the OSI reference model. Because they process information at the application layer, most firewall control and filtering is performed in software. By locating the firewall at the application layer, you gain greater control over traffic compared to packet-filtering, stateful, or application inspection firewalls.

Application support can vary based on the application layer firewall. Some support only a limited number of applications, and others are designed to support only a single application. Typically, application layer firewalls might support such applications as e-mail, web services, DNS, Telnet, FTP, Usenet news, Lightweight Directory Access Protocol (LDAP), and finger.

Table 10-3 describes some of the advantages of application layer firewalls.

Table 10-3 Advantages of Application Layer Firewalls

Advantage | Description
Authenticate individuals, not devices

Typically, connection requests can be authenticated before traffic is allowed to pass to an internal or external resource. This allows you to authenticate the user requesting the connection instead of authenticating the device.

It's more difficult to spoof and implement DoS attacks

Application layer firewalls can help prevent most spoofing attacks, and DoS attacks are limited to the application firewall itself. Application firewalls can detect DoS attacks, thereby reducing the burden on your internal resources.

Can monitor and filter application data

Application attacks such as malformed URLs, buffer overflow attempts, unauthorized access, and others can be quickly detected, because you can monitor all data on a connection. Application layer firewalls also allow you to control what commands or functions you allow an individual to perform based on the authentication and authorization information.

Can provide detailed logging

Detailed logs may be generated, and you can monitor the actual data that the individual is sending across a connection. This capacity is useful in tracking new types of attacks, because you can monitor what the attacker does and how it is done, allowing you to address the attack. Logging may also be used for management purposes, helping you track who is accessing what resources, how much bandwidth is used, and how often a user accesses the resources.

Working with Application Layer Firewalls

Application level proxy firewalls control how internal users access the outside world of the Internet and how Internet users access the internal network. They do this by running at the application level of the network protocol stack for each type of service that they want to provide (such as FTP or HTTP). In some configurations, proxy servers are used to block all incoming traffic and only allow internal users to access the Internet. In these implementations, the only packets allowed back through the proxy server are return responses to requests from inside the firewall. Other implementations allow closely controlled traffic to pass onto the internal network, as well as allow for outbound traffic to the Internet.

Figure 10-5 shows the operation of an application level proxy server as it sits between the internal network and the Internet.

Figure 10-5 Application Level Proxy Server

The topology shown in Figure 10-6 represents a typical proxy server deployment. In this configuration, the application layer firewall usually has two network interfaces. One is used for the client connections, and the other is used to access the website from the Internet.

Figure 10-6 Typical Proxy Server Deployment

(Figure 10-6 labels: 2. Repackaged Request; 3. Response; Web Server; Proxy Server: Dedicated Application Layer Filter (Proxy) for HTTP)