Firewalls and Proxies


Status

Complete.

Note

We recommend Computer System Security--an Overview as prerequisite reading for this technology description.

Purpose and Origin

Firewalls were developed in the early 1990s as the use of the Internet rapidly expanded. Intruders external to an organization often try to break into computers on a network to gain unauthorized access, obtain information illegally, or cause damage. Malicious users can also reside internal to an organization on Intranets and Local Area Networks (LANs). The purpose of a firewall or firewall system (which comprises one or more computers performing specific functions) is to serve as one element of an organization's perimeter defense. The perimeter can be defined as what separates the external world from the internal network or what separates internal sub-networks with differing access requirements. Ultimately, a firewall implements policy that specifies constraints on what network traffic is allowed to move between two or more networks.

A proxy is a software program that runs on a firewall system. It handles service requests between two networks by managing two connections: one between the requestor and the proxy server and one between the proxy server and the destination service. It evaluates all incoming and outgoing messages for a given service to determine if the message should be permitted to continue through to its destination network or blocked. Proxies are often provided for services such as email, FTP, Telnet, and World Wide Web (WWW) access.

Technical Detail

Firewall Architectures. A firewall can play several roles. It can be the primary line of defense against external threats from public networks such as the Internet. It can implement internal network partitioning to enforce access restrictions and protect against insider attacks. It can provide protection when interacting with partner networks and when merging with new organizational units (particularly those operating less securely). And it can serve as a central point where security policies can be implemented and logging/monitoring can occur. As shown in the figure below, there are typically three basic firewall architectures:

Figure: Three Firewall Architectures

The simplest approach is the Basic Border Firewall. The firewall includes a screening router and performs certain packet filtering functions. The firewall host can be configured as a "Bastion Host," that is, a host that is minimally configured (containing only necessary software/services) and carefully managed to be as secure as possible. This architecture is sometimes referred to as a Screened Host.

The Basic with DMZ Network is a more secure architecture for protecting hosts that offer public services such as WWW, and for protecting the internal network from the external users who access those services. The firewall examines all incoming traffic to determine whether it should be passed to the DMZ network (where one or more hosts providing public services reside) or to the protected network. It examines all outgoing traffic to determine whether it should be passed from the protected network to the DMZ network (requesting public services), from the DMZ network to the protected network (responding to public service requests), or to the external world. A compromised DMZ host therefore still has to get its traffic past the firewall to reach the protected network. This architecture is also sometimes called a Dual-Homed Gateway, although the firewall host in this configuration has three network connections: one to the external network, one to the DMZ network, and one to the protected network.

One of the most secure firewall architectures is the Dual Firewalls with DMZ Network, sometimes referred to as a Sub-Network Firewall. In this architecture, the protected network is further isolated from the hosts offering public services and the external world by adding a second firewall host. By protecting the public services network with one firewall host and the protected network with a second firewall host (creating an additional DMZ between the two firewalls), traffic between the protected network and the Internet must traverse two firewalls.

Each firewall architecture can support one or more of the functions described below.

Firewall Functions. Static packet filters are "rules" that permit or deny Internet Protocol (IP) packets based on the contents of fields in the packet header (such as source/destination address, source/destination port, and protocol type). Each packet is processed individually, with no reference to the packets that precede or follow it, so a static filter that must let replies back in typically has to leave that return path open permanently. Dynamic packet filtering takes static packet filtering one step further by maintaining a connection table that records the state or context of a communication session, matching incoming packets against the outgoing packets that solicited them. The information retained in the table usually includes the source and destination addresses and source and destination ports. Dynamic packet filtering is particularly useful in handling "connectionless" protocols such as UDP and ICMP, which carry no session information of their own, and is sometimes referred to as stateful filtering or stateful inspection.
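The difference between the two filtering functions is easiest to see on concrete traffic. The following is an added example, not code from the original page: a static rule set and a stateful filter built on top of it, run against constructed DNS and ping exchanges. The rule format, the Packet record, the idle timeouts and the addresses are all assumptions made for illustration.

```python
"""Static versus dynamic (stateful) packet filtering, simulated in pure Python.

Added example, not part of the original SEI page. The rule format, the
Packet record, the idle timeouts and the sample traffic are all constructed
for illustration; real filters key on the same header fields and age table
entries with timers, as done crudely here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp: ICMP type (8 = echo request, 0 = echo reply)
    dst: str
    dport: int      # for icmp: echo identifier
    direction: str  # "out" = protected -> external, "in" = external -> protected


# Static rules: (direction, proto, destination port, action); None matches anything;
# first match wins; the last rule is the default deny.
STATIC_RULES = [
    ("out", "tcp", 80, "permit"),     # web browsing from the protected network
    ("out", "udp", 53, "permit"),     # DNS queries to outside resolvers
    ("out", "icmp", None, "permit"),  # outbound ping
    ("in", "tcp", 25, "permit"),      # inbound mail to the relay
    (None, None, None, "deny"),
]

# Constructed idle timeouts in seconds; a reply arriving later is treated as unsolicited.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30, "icmp": 10}

Key = Tuple[str, str, int, str, int]


def static_filter(pkt: Packet, rules=STATIC_RULES) -> str:
    """Decide on the header alone. Note that the DNS and ICMP *replies* fall
    through to the default deny: with static rules only, letting them back in
    means permanently permitting inbound UDP from port 53 and inbound ICMP."""
    for direction, proto, dport, action in rules:
        if direction not in (None, pkt.direction):
            continue
        if proto not in (None, pkt.proto):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


class StatefulFilter:
    """Static rules plus a connection table. A permitted outbound packet records
    the 5-tuple of the reply it expects; an inbound packet matching a live entry
    is permitted without needing an inbound rule of its own."""

    def __init__(self, rules=STATIC_RULES):
        self.rules = rules
        self.table: Dict[Key, float] = {}  # expected reply 5-tuple -> expiry time

    @staticmethod
    def _expected_reply(pkt: Packet) -> Key:
        if pkt.proto == "icmp":
            # echo request (type 8) is answered by echo reply (type 0) with the same id
            return ("icmp", pkt.dst, 0, pkt.src, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet, now: float = 0.0) -> str:
        self.table = {k: t for k, t in self.table.items() if t > now}  # age out
        if pkt.direction == "out":
            action = static_filter(pkt, self.rules)
            if action == "permit":
                self.table[self._expected_reply(pkt)] = now + IDLE_TIMEOUT[pkt.proto]
            return action
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            self.table[key] = now + IDLE_TIMEOUT[pkt.proto]  # refresh on traffic
            return "permit"
        return static_filter(pkt, self.rules)  # e.g. inbound SMTP to the relay


def demo() -> List[Tuple[str, str, str]]:
    """Run constructed traffic through both filters; returns (label, static, stateful)."""
    query = Packet("udp", "10.0.0.5", 40000, "198.51.100.53", 53, "out")
    reply = Packet("udp", "198.51.100.53", 53, "10.0.0.5", 40000, "in")
    forged = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 40000, "in")  # unsolicited
    ping = Packet("icmp", "10.0.0.5", 8, "198.51.100.1", 1234, "out")
    pong = Packet("icmp", "198.51.100.1", 0, "10.0.0.5", 1234, "in")
    sf = StatefulFilter()
    traffic = [("dns query", query, 0), ("dns reply", reply, 1), ("forged reply", forged, 2),
               ("ping", ping, 3), ("echo reply", pong, 4), ("late echo reply", pong, 20)]
    return [(label, static_filter(pkt), sf.process(pkt, now=t)) for label, pkt, t in traffic]


if __name__ == "__main__":
    for label, static, stateful in demo():
        print(f"{label:16s} static={static:6s} stateful={stateful}")
```

The static filter denies the legitimate DNS and echo replies because nothing in their headers distinguishes them from a forged reply; the stateful filter permits exactly the replies that an inside host solicited, rejects the forged one, and drops the echo reply that arrives after the entry has aged out.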

A proxy is a software program that runs on a firewall. It understands the service protocol it is responsible for processing, implements protocol/service-specific security such as access control and levels of authentication, and makes all packet-forwarding decisions. Proxy servers evaluate the request and decide to permit or deny it based on a set of rules that apply to the individual network service (e.g., SMTP for email, HTTP for WWW, FTP, Telnet, etc.) as well as host/user permissions. Proxy servers mirror the service as if it were running on the destination host [Smith 01]. Proxies provide a greater level of security by ensuring that two connecting hosts never exchange packets directly; a malformed request that a packet filter would pass on the strength of its port number is rejected by a proxy that cannot parse it. Because they operate at the application layer of the OSI seven-layer model, proxies can filter based on message content and provide a central point for more sophisticated and relevant alerts and logging information. Proxies can be transparent (totally invisible to the end user) or non-transparent (requiring some level of client knowledge and software configuration).
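What an application proxy can decide that a packet filter cannot is shown by the following added example (not code from the original page): an HTTP proxy's policy stage that parses the client request, checks method, destination host and authenticated proxy user, and inspects the upstream reply before relaying it. The policy table, user names, hosts and sample messages are constructed, and password verification against a user store is omitted.

```python
"""Application-layer (proxy) filtering of HTTP, simulated in pure Python.

Added example, not part of the original SEI page. The proxy parses the client's
request as HTTP rather than passing bytes through, checks method, destination
host and the authenticated proxy user against a per-service policy, and scans
the upstream reply before relaying it. The policy table, user names, hosts and
sample messages are constructed; password verification against a user store is
omitted (the Basic credential is only decoded to obtain the user name).
"""
import base64
import re
from typing import Dict, Optional, Tuple

ALLOWED_USERS = {"alice", "bob"}          # who may browse through the proxy
ALLOWED_METHODS = {"GET", "HEAD"}         # per-service rule: no POST, CONNECT, ...
DENIED_HOSTS = {"www.example.invalid"}    # destination policy
# Content the proxy refuses to relay; compare the Java applet case under Dependencies.
BLOCKED_CONTENT = re.compile(rb"<(applet|object|embed)\b", re.IGNORECASE)
ABSOLUTE_HTTP_URL = re.compile(r"^http://([^/:]+)(?::\d+)?/")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request into (method, url, lower-cased headers).
    Anything malformed raises ValueError, which the proxy turns into a deny:
    a packet filter would pass the same bytes on the strength of port 80 alone."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, url, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def proxy_user(headers: Dict[str, str]) -> Optional[str]:
    """User name from a Proxy-Authorization: Basic header (non-transparent proxy)."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not cred:
        return None
    try:
        decoded = base64.b64decode(cred, validate=True).decode("latin-1")
    except ValueError:       # binascii.Error is a ValueError subclass
        return None
    user, _, _password = decoded.partition(":")
    return user or None


def decide_request(raw: bytes) -> Tuple[str, str]:
    """Permit or deny a client request; returns (action, reason) for the log."""
    try:
        method, url, headers = parse_request(raw)
    except ValueError as exc:
        return "deny", f"unparseable request: {exc}"
    user = proxy_user(headers)
    if user not in ALLOWED_USERS:
        return "deny", "proxy authentication required"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    m = ABSOLUTE_HTTP_URL.match(url)
    if not m:
        return "deny", "only absolute http:// URLs are proxied"
    host = m.group(1).lower()
    if host in DENIED_HOSTS:
        return "deny", f"destination {host} blocked by policy"
    return "permit", f"{user} {method} {host}"


def decide_response(body: bytes) -> Tuple[str, str]:
    """Inspect the upstream reply before relaying it to the client."""
    m = BLOCKED_CONTENT.search(body)
    if m:
        return "deny", f"active content <{m.group(1).decode().lower()}> blocked"
    return "permit", "relayed"


def demo() -> Dict[str, str]:
    """Decisions for constructed requests and replies."""
    cred = base64.b64encode(b"alice:secret").decode()
    good = ("GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            f"Proxy-Authorization: Basic {cred}\r\n\r\n").encode()
    anon = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    post = good.replace(b"GET ", b"POST ", 1)
    bad_host = good.replace(b"www.example.com", b"www.example.invalid")
    garbage = b"GET /index.html\r\n\r\n"  # not HTTP/1.x; a port-80 filter would let it through
    return {
        "authenticated GET": decide_request(good)[0],
        "anonymous GET": decide_request(anon)[0],
        "POST": decide_request(post)[0],
        "blocked host": decide_request(bad_host)[0],
        "malformed": decide_request(garbage)[0],
        "plain html": decide_response(b"<html><body>hello</body></html>")[0],
        "applet page": decide_response(b"<HTML><APPLET code=Evil.class></APPLET></HTML>")[0],
    }
```

Every one of these decisions depends on information that is invisible to a packet filter: the method, the URL, the user's credential, and the body of the reply. The price is that the proxy must be kept current with the protocol it relays (the Dependencies section below gives the Java applet case), and each new service needs a proxy of its own.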

Network Address Translation (NAT) allows protected network users to gain access to the external network without allowing outsiders to get in. When a request is sent through the firewall, the NAT application substitutes its own address for the source address field (and, with port address translation, a translated source port, so that many internal hosts can share one address). When a reply comes back to the NAT application, it replaces its own address in the destination field with that of the original client making the request. With NAT, external hosts cannot find the internal host addresses because they are aware of only one IP address, the firewall's. The ability to attack internal hosts is greatly reduced by employing NAT [Ogletree 00], [Smith 01]. Three NAT variations are static, dynamic, and overloading or port address translation [Tyson/Cisco]. Note that this protection applies to translations created by outbound traffic: a static translation deliberately makes the mapped internal host reachable from outside, and NAT of any kind hides addresses rather than enforcing policy, so it complements rather than replaces the packet filters and proxies described above.
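The three NAT variations and the reason outsiders cannot reach hosts behind an overloaded address are illustrated by the following added example (not code from the original page). It builds a translation table for a static mapping (a DMZ web server), a one-address dynamic pool, and port address translation for the remaining inside hosts. Addresses, the pool and the sample flows are constructed, and ports are allocated sequentially for readability where a real NAT would randomize them.

```python
"""Network Address Translation at a firewall, simulated in pure Python.

Added example, not part of the original SEI page. It implements the three
variations the text names: static NAT (a fixed one-to-one mapping, here for a
DMZ web server that must be reachable from outside), dynamic NAT (one-to-one
from a pool, assigned on first use) and overloading / port address translation
(inside hosts share the firewall's one address and are told apart by the
translated source port). Addresses, pool and flows are constructed; port
allocation is sequential for readability, where a real NAT would randomize it.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


Flow = Tuple[str, str, int, str, int]  # (proto, inside ip, inside port, dst, dport)


class NAT:
    def __init__(self, outside_ip: str, pool: Iterable[str] = (), static: Optional[Dict[str, str]] = None):
        self.outside_ip = outside_ip
        self.pool = list(pool)                 # unused outside addresses for dynamic NAT
        self.static = dict(static or {})       # inside -> outside, fixed by the administrator
        self.dynamic: Dict[str, str] = {}      # inside -> outside, taken from the pool
        self.pat_out: Dict[Flow, int] = {}     # flow -> translated source port
        self.pat_in: Dict[Tuple[str, int], Flow] = {}  # (proto, translated port) -> flow
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the protected network."""
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        if pkt.src not in self.dynamic and self.pool:
            self.dynamic[pkt.src] = self.pool.pop(0)
        if pkt.src in self.dynamic:
            return replace(pkt, src=self.dynamic[pkt.src])
        # Overloading: everyone else appears as outside_ip, one translated port per flow.
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.pat_out.get(flow)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.pat_out[flow] = port
            self.pat_in[(pkt.proto, port)] = flow
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from outside, or return
        None to drop it. Only static and dynamic mappings accept packets the
        inside host did not solicit; the overloaded address accepts nothing but
        replies to recorded flows, which is why outside hosts cannot reach the
        hosts behind it."""
        for inside, outside in list(self.static.items()) + list(self.dynamic.items()):
            if pkt.dst == outside:
                return replace(pkt, dst=inside)
        flow = self.pat_in.get((pkt.proto, pkt.dport))
        if flow is None:
            return None                       # no inside host opened this port
        _proto, in_ip, in_port, peer_ip, peer_port = flow
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None                       # port is in use, but not by this peer
        return replace(pkt, dst=in_ip, dport=in_port)


def demo() -> dict:
    """Constructed traffic: a DMZ server with a static mapping, one host that
    gets the single pool address, two hosts that share outside_ip via PAT."""
    nat = NAT(outside_ip="198.51.100.1", pool=["198.51.100.20"],
              static={"192.168.1.10": "198.51.100.10"})

    def view(p: Optional[Packet]):
        return None if p is None else (p.src, p.sport, p.dst, p.dport)

    def out(host: str) -> Packet:             # every inside host happens to use sport 40000
        return Packet("tcp", host, 40000, "203.0.113.7", 80)

    web_to_server = Packet("tcp", "203.0.113.7", 50000, "198.51.100.10", 80)
    return {
        "static inbound to DMZ server": view(nat.inbound(web_to_server)),
        "dynamic h1": view(nat.outbound(out("10.0.0.5"))),
        "pat h2": view(nat.outbound(out("10.0.0.6"))),
        "pat h3": view(nat.outbound(out("10.0.0.7"))),
        "pat h2 again": view(nat.outbound(out("10.0.0.6"))),
        "reply to h2": view(nat.inbound(Packet("tcp", "203.0.113.7", 80, "198.51.100.1", 1024))),
        "spoofed reply": view(nat.inbound(Packet("tcp", "203.0.113.9", 80, "198.51.100.1", 1024))),
        "inbound scan": view(nat.inbound(Packet("tcp", "203.0.113.9", 55555, "198.51.100.1", 22))),
    }
```

Two inside hosts that both picked source port 40000 leave the firewall as 198.51.100.1:1024 and 198.51.100.1:1025, a reply to port 1024 is delivered only to the host that opened it and only from the peer it contacted, and a scan of the firewall's own address finds nothing to translate. The static mapping behaves the other way round by design: unsolicited connections to 198.51.100.10 are delivered to the DMZ server, which is exactly why that server belongs on a DMZ network and not on the protected one.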

Usage Considerations

In a single-layer architecture (Basic Border Firewall, Basic with DMZ Network), one network host is allocated all firewall functions and is connected to each network for which it is to control access. This approach is usually chosen when cost is a primary factor or when there are only two networks to interconnect. It has the advantage that everything there is to know about the firewall resides on the firewall host. In cases where the policy to be implemented is simple and there are few networks being interconnected, this approach can also be very cost-effective to operate and maintain over time. The greatest disadvantage of the single-layer approach is its susceptibility to implementation flaws or configuration errors: depending on the type, a single flaw or error might allow firewall penetration.

In a multiple-layer architecture (Dual Firewalls with DMZ Network), the firewall functions are distributed among a small number of hosts, typically connected in series, with DMZ networks between them. This approach is more difficult to design and operate, but can provide substantially greater security by diversifying the defenses being implemented. Although more costly, it is advisable to use different technology in each of these firewall hosts. This reduces the risk that the same implementation flaws or configuration errors will exist in every layer.

With respect to firewall functions, start with implementing static packet filters. Add dynamic filtering for more accurate policy implementation, greater control, a higher level of security, and lower risk. Use application proxies for additional policy implementation, for packet content management, and for controlling application-program-specific/service access. Most firewalls implement some form of NAT as a default feature.

Maturity

There are a large number of commercial and open source/freeware products available that implement some or all of the firewall architectures and functions described above. This is a very mature product market and continues to evolve based on changing threats to network security. Recent developments include some function merging between the capabilities of firewalls and intrusion detection systems. One source of firewall evaluation information is the 2001 ICSA Labs Firewall Buyers Guide available at http://www.icsalabs.com/html/communities/firewalls/buyers_guide2001/index.shtml. TruSecure's/ICSA's list of certified firewall products is available at http://www.trusecure.com/corporate/press/2003/labs012703.shtml.

Costs and Limitations

The major tradeoffs to weigh when selecting firewall architectures and functions are availability, performance, security, and cost. Availability is achieved by a combination of reliability and redundancy. Start by choosing hardware and software components that are reliable. If the level of reliability achieved is insufficient, consider using redundant components to meet availability requirements. Performance analysis is predominantly based on the anticipated traffic through the firewall system. An organization may need multiple firewall hosts to distribute the load and handle traffic at an acceptable rate. With respect to security, weigh the use of single versus dual firewall systems at the network perimeter. The factors to consider include:

  • having outside traffic passing through two firewall systems instead of one (benefits vs. cost)
  • ability to monitor traffic and the monitoring locations
  • ability to recover from compromises including disconnecting one firewall system while keeping the other operational
  • number of network ports needed
  • performance
  • failure characteristics
  • expense

The Basic Border firewall is the least expensive to operate and maintain but also the least secure. Using only one firewall is a point of organizational and network vulnerability that needs to be managed from a risk perspective. The Basic with DMZ Network provides an additional level of protection for servers hosting public services but requires additional effort for ongoing operation and maintenance. The Dual Firewalls with DMZ Network is the most secure but also the most expensive to maintain and operate.

Dependencies

Firewall technology is driven by the capabilities of rapidly changing networking technologies and the growing sophistication of intruder attack approaches. For instance, when Java applets became available on the WWW, it was possible to import malicious code hidden in the applets. To prevent this, it was desirable to block any Java applet at the firewall. If a proxy was being used in the firewall to filter WWW traffic, the proxy had to be enhanced to recognize Java applets in HTTP traffic (for example, by the applet tag in returned HTML). In addition, there is a growing number of products that perform email content and attachment examination and filtering. These products need to be integrated with firewall technologies so that both can work together effectively to protect organizational networks and hosts.

Alternatives

The security alternative to using firewalls to prevent theft of data or damage from malicious users is physical isolation of the networks. Doing so may conflict with mission performance needs if manual transfer of data from network to network is not acceptable. Data theft may be prevented through encryption, but that will not stop malicious damage.

Complementary Technologies

Complementary technologies include intrusion detection systems and content filtering applications. In a trusted computing environment, network security guards are a complementary technology as they provide similar functionality.

Index Categories

This technology is classified under the following categories.

Name of technology

Firewalls and Proxies

Application category

System Security (AP.2.4.3)

Quality measures category

Vulnerability (QM.2.1.4.1)
Security (QM.2.1.5)

Computing reviews category

Security & Protection (K.6.5)
Computer-Communications Network Security and Protection (C.2.0)

References and Information Sources

[Allen 01]

Allen, Julia. The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley, 2001.

[Fithen 99]

Fithen, William, et al. Deploying Firewalls. (CMU/SEI-SIM-008). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999. Online: http://www.cert.org/security-improvement/modules/m08.html.

[Cheswick 94]

Cheswick, William R.; & Bellovin, Steven M. Firewalls and Internet Security. Reading, MA: Addison-Wesley, 1994.

[Comer 95]

Comer, Douglas E. Internetworking with TCP/IP, Vol. 1: Principles, Protocols, and Architecture. 3rd edition. New York: Prentice-Hall, 1995.

[Ogletree 00]

Ogletree, Terry William. Practical Firewalls. Que, June 2000.

[Ranum 98, Curtin 00]

Ranum, Marcus J.; & Curtin, Matt. "Internet Firewalls: Frequently Asked Questions," 1998, 2000. Available at http://www.interhack.net/pubs/fwfaq

[Smith 01]

Smith, Gary. "A Brief Taxonomy of Firewalls - Great Walls of Fire." May 18, 2001. Available at http://www.sans.org/infosecFAQ/firewall/taxonomy.htm

[Stevens 94]

Stevens, W. Richard. TCP/IP Illustrated, Vol. 1: The Protocols. Reading, MA: Addison-Wesley, 1994.

[Tyson/Cisco]

Tyson, Jeff. "How Network Address Translation Works." Online: http://www.howstuffworks/nat.htm; and Cisco Systems Inc. "How NAT Works." Online: http://www.cisco.com/warp/public/556/nat-cisco.shtml

[Zwicky 00]

Zwicky, Elizabeth; Cooper, Simon; & Chapman, D. Brent. Building Internet Firewalls, 2nd edition. Sebastopol, CA: O'Reilly & Associates, June 2000.

Current Author/Maintainer

Julia Allen, Software Engineering Institute

External Reviewers

Numerous through review of [Fithen 99] and [Allen 01]

Modifications

10 Jan 1997: Original
12 Mar 2002: Update



The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

Copyright 2007 by Carnegie Mellon University
Terms of Use
URL: http://www.sei.cmu.edu/str/descriptions/firewalls_body.html
Last Modified: 11 January 2007