Working with firewalls
A firewall is a network security tool used to monitor and guard traffic passing through a network. It usually resides on its own computer. A true firewall does not scan your system for viruses and trojan horses, nor scan incoming packets for a virus. However, some firewall products are bundled with virus software providing varying levels of virus protection.
There are different types of firewalls, all of which combine hardware and software to achieve maximum protection.
Considerations for choosing a firewall
To configure a firewall that is right for you, consider the following:
What is the security risk to your network?
Do you wish to reject specific users? Specific protocols?
Which requests will you allow (for example, HTTP, Telnet)? Which will you disallow (for example, FTP)?
Firewall architecture
The basic firewall architecture is always the same, with minor variations depending upon the type of firewall you use. Every packet sent from the Internet is first examined on the firewall server, and packets sent from your network are examined on the firewall server as well. Think of this as the main gate for all traffic, also called the "choke point". It is the computer between the Internet and your network that maintains the security of your system:
Encryption
When two networks are configured to communicate with each other, their individual firewalls can use encryption as another means of keeping your network safe. Therefore, every packet sent from the firewall will be encrypted. The most popular encryption type is RSA (Rivest-Shamir-Adleman). The following is an example of a network communication where the message is encrypted on the firewall server at the local network, then decrypted on the firewall server at the remote network:
Types of firewalls
There are three main types of firewalls:
• network-level (first-generation firewall technology)
• circuit-level (second generation)
• application-level (third generation).
Each type of firewall uses a different technique to protect your network. A network-level (or packet filter) firewall analyzes network traffic at the transport protocol layer and compares it to a predefined set of rules that indicates which protocols are allowed.
A circuit-level firewall takes this one step further and validates that a packet is either a connection request or a data packet belonging to a connection between two peer transport layers. This is done by examining each connection setup, and then comparing the connection to a table of valid connections that includes complete session state and sequencing information.
An application-level firewall provides more detail than the other types. It evaluates individual network packets for data at the application layer before allowing a connection. It examines the data in all network packets and maintains complete connection state and sequencing information.
Network-level firewalls
A network-level firewall is commonly known as a screening router. This may also be called a screening filter or a packet filter firewall. This is a lower-level firewall that screens packets. Basically, it examines packet addresses to determine whether to pass the packet to the local network or to block the packet from entering.
Because the packet includes both the sender and recipient’s IP address, you can block all incoming or outgoing packets to that specific computer. To do this, you would create a file, sometimes called a black list or an accept and deny list, and populate it with IP addresses (most common filter). The router will check this file each time a connection is requested and block the connection if the incoming IP address matches a listing.
Usually the check will only be performed if the specified user is trying to connect to a service that is disabled by the firewall. In most cases, a screening router filters based upon these rules:
• source address from which the data is coming
• destination address to which the data is going
• data protocol (for example, TCP, UDP or ICMP)
• source and destination application port for the desired service
• whether the packet is the start of a connection request.
The network-level firewall, if installed properly, will be almost transparent to users, unless they try to perform a blocked action.
FirstClass Internet Services has a built-in security feature that performs filtering, thereby acting as a network-level firewall for Internet protocols. For more information, see FirstClass Internet Services Administrator’s Guide.
A network-level firewall resembles the following:
In this example, the router rejects specific users based upon an IP address and host, as well as requests for FTP (File Transfer Protocol) services, which would include uploading and downloading files.
The router performs packet-filtering (based upon rules that you specify) independent of the application layer. This means that screening routers let you control your network and its traffic without making changes to your client/server applications.
Stateful Inspection
Another type of network-level firewall is Stateful Inspection, an architecture that is an extension of the basic packet filtering architecture employed by most routers. Stateful Inspection occurs at the Network Layer, making it fast and preventing suspect packets from travelling up the protocol stack. Unlike static packet filtering, however, Stateful Inspection makes its decisions based on all the data in the packet (corresponding to all the levels of the OSI stack). The state of the connection is monitored at all times, allowing the actions of the firewall to vary based on administrator-defined rules and the state of previous sessions. In effect, the firewall is capable of remembering the state of each ongoing session across it, allowing it to effectively screen all packets for unauthorized access while maintaining high security, even with connectionless protocols such as UDP.
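The following is an added example, not part of this guide, showing the two screening models described above in working code: a static packet filter that judges each packet on the five fields listed for a screening router (source, destination, protocol, port, connection start), and a stateful wrapper that remembers accepted sessions so that reply packets, including UDP replies, are admitted without needing a rule of their own. The rule table, addresses (192.0.2.0/24 as the local network, 192.0.2.10 as the FirstClass server) and port choices are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed accept/deny list in the order a screening router checks it:
# (source net, destination net, protocol, destination port or None, action).
# First match wins; the final rule is the default deny.
RULES = [
    ("0.0.0.0/0",    "192.0.2.0/24",  "tcp", 21,   "deny"),    # no FTP into the LAN
    ("0.0.0.0/0",    "192.0.2.10/32", "tcp", 510,  "accept"),  # FCP to the FirstClass server
    ("192.0.2.0/24", "0.0.0.0/0",     "tcp", None, "accept"),  # LAN may open outbound TCP
    ("192.0.2.0/24", "0.0.0.0/0",     "udp", 53,   "accept"),  # LAN may query DNS
    ("0.0.0.0/0",    "0.0.0.0/0",     "any", None, "deny"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN without ACK: the start of a connection request

def screen(pkt: Packet) -> str:
    """Static packet filter: judge the header fields alone against RULES."""
    for src_net, dst_net, proto, dport, action in RULES:
        if ip_address(pkt.src) not in ip_network(src_net):
            continue
        if ip_address(pkt.dst) not in ip_network(dst_net):
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

class StatefulFilter:
    """Stateful inspection: only session starts are judged by RULES; every other
    packet must belong to a session already recorded, so replies are admitted
    without a rule of their own, even for connectionless UDP."""
    def __init__(self):
        self.sessions = set()  # (proto, src, sport, dst, dport), both directions

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fwd in self.sessions:
            return "accept"  # belongs to an established session
        if not (pkt.syn or pkt.proto == "udp"):  # UDP has no handshake: unknown datagram = start
            return "deny"  # mid-stream TCP packet with no session: stray or forged
        verdict = screen(pkt)
        if verdict == "accept":
            self.sessions.add(fwd)
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return verdict
```

Note that the stateful filter rejects a non-SYN TCP packet for which it holds no session, which is exactly the check a static filter cannot make from the header fields alone.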
A disadvantage of network-level firewalls is the lack of alerting and auditing applications. Therefore, when the screening router filters out a packet, it will not notify the administrator. Higher-level firewalls, such as the application level firewall, are designed to filter protocols and report rejected requests.
On many systems, the network-level firewall is only the first line of defense. Because it does not handle many protocols, an additional filter is required.
Circuit-level firewall
A circuit-level firewall usually consists of a host computer running proxy-server software. This computer is called a proxy server. Proxy servers communicate with servers outside the network, thereby controlling traffic between two networks.
A circuit-level firewall is similar to an application-level firewall, in that both are proxy servers. The difference is that a circuit-level firewall does not require special proxy-client software applications. A circuit-level firewall creates a circuit between a client and a server without requiring that either application know anything about the application that is used.
Basically, this means that a client and server can communicate across the firewall without communicating with the firewall. This ensures the firewall protects the transaction’s commencement without interfering with the ongoing transaction.
The advantages of a circuit-level firewall are:
• it provides service for a wider variety of protocols
• it is faster because it performs fewer evaluations
• you can use it in conjunction with network address translation to shield internal IP addresses from external users.
The disadvantages of a circuit-level firewall are:
• it cannot restrict access to protocol subsets other than TCP
• it cannot perform strict security checks on a higher-level protocol
• it has limited audit event generation abilities.
Similar to the network-level firewall, a circuit-level firewall uses a blacklist, or an accept and deny list that contains valid connections (including complete session state and sequencing information). Incoming sessions are first examined to ensure they use a legitimate transport layer protocol (TCP). After the handshake is complete, the network packet information is examined against the accept and deny list. If a match is found in the accept list, the packet is permitted. The virtual circuit that is opened upon connection remains open for the duration of the connection.
A circuit-level firewall resembles the following:
Application-level firewall
As previously stated, an application-level firewall consists of a proxy server communicating with servers outside the network to control traffic between two networks.
When you use an application-level firewall, your local network does not directly connect to the Internet. Instead, the proxy server transfers an isolated copy of each approved packet from one network to another, whether the packet contains incoming or outgoing data. The result is that the firewall effectively masks the original address of the initiating connection and protects your network from intruders who may attempt to obtain network information.
In other words, proxy servers are used to hide your IP address, making you anonymous on the Internet. The drawback is that hackers can also use this "service" to hide their IP addresses when attacking a specific server.
Because proxy servers recognize network protocols, you can configure your proxy server to control which IP services you want on your network. There are many types of proxy servers available. Each protocol that you screen for requires a new proxy server entry (unlike a screening router).
An ideal scenario is one in which the screening router and the firewall run simultaneously to filter out packets and protocols. A system that uses both a screening router and a firewall resembles the following:
Although positioning the firewall between an external (closest to the Internet) router and an internal router provides little additional protection from attacks, it greatly reduces the amount of traffic that the firewall server must evaluate, which may increase the firewall’s performance. Without a filtering router behind the firewall server, the firewall server would have to process every packet distributed on that subnet, even if the packet is destined for another internal host.
Proxy servers are a good choice for environments that require high security. Because the auditing and filtering is performed by an actual application, the proxy is slower than a network-level firewall. Therefore, the application-level firewall should be placed on the fastest computer host in your network (after the FirstClass server and FirstClass Internet Services computers are selected).
The FirstClass client supports only the SOCKS4 proxy interface directly. Client use through a firewall should be in one of two configurations: NAT (Network Address Translation), or SOCKS4.
Network Address Translation (NAT)
Network Address Translation (NAT) is a facility included in most recent proxy servers (also called software routers) that translates an IP address used within one network to a different IP address known within another network. It is often part of a corporate firewall; it ensures security, because each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request.
NAT is much more transparent than other proxy mechanisms, allowing virtually all applications (including proxy-unaware applications) to connect to other services through the NAT-based proxy server. It supports both TCP/IP and UDP/IP (connectionless protocol) communications.
To configure the FirstClass client to use NAT, simply set the client machine's network gateway to the NAT router machine. This is an operating system setting; therefore, no FirstClass configuration is required.
NAT is used mostly for outbound client machines on a private network that will connect to the Internet. From a client perspective, NAT is the preferred approach. However, it would not be appropriate for a server on a private network.
SOCKS4
A SOCKS (also "socks") server handles requests from clients inside a company's firewall and either allows or rejects connection requests based on the requested Internet destination or user identification. Once a connection and a subsequent "bind" request have been set up, the flow of information exchange follows the usual protocol (for example, HTTP).
SOCKS4 is a proxy server interface for client programs that supports TCP/IP only. Under this scenario, the proxy server is configured to relay SOCKS4 connection requests to a server machine.
FirstClass does not support SOCKS5.
To configure FirstClass under SOCKS4:
1 Click Setup on the Login form.
2 Specify the server machine as usual.
3 Choose TCP/IP.
4 Click Configure.
5 On the Settings tab, choose:
• TCP Default 510 at Port number.
• Default (1080) at Proxy port.
• 0.0.0.0 at Proxy IP address.
Anything other than 0.0.0.0 in the proxy server field tells the client/outbound connections to be diverted to that address, informing the proxy server of the desired address using the SOCKS4 interface.
• Default at Buffer size.
6 Save the settings.
The proxy server then relays the connection request to the desired IP address on the client's behalf. In addition to knowing the proxy server's IP address, the client software also has to know what port the proxy server is listening on, much like the client must specify port 510 to talk to our servers (see Ports requirements).
In order to configure the FirstClass server to work behind a firewall, it is necessary to open the appropriate connections on the firewall (see Ports requirements).
Any ports specified in the NETINFO file, or by the defaults for the NETINFO port configuration, must be supported by the SOCKS4 proxy server. This typically means port 510 must be accepted for relaying by the proxy server (referred to as "open"). To use additional ports (such as both TCPGUIPORT and TCPRGUIPORT) listed in the NETINFO, the proxy server would have to be configured to open these ports.
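The SOCKS4 exchange described in this section, as an added example that is not FirstClass code: the client sends the proxy a CONNECT request naming the destination IP and port (510 for FCP), and the proxy answers with an 8-byte reply whose result code says whether the relay was granted. The proxy-side policy shown here, relaying only to ports it has been configured to open, is a constructed stand-in for whatever accept/deny policy a real proxy applies; the destination address and user id are constructed sample values.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED, REPLY_REJECTED = 90, 91  # SOCKS4 result codes for a CONNECT request

def build_connect_request(dst_ip: str, dst_port: int, user_id: str = "") -> bytes:
    """Client side: the SOCKS4 CONNECT request sent to the proxy's port (1080 by default).
    Layout: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID(null-terminated)."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port)
            + socket.inet_aton(dst_ip)
            + user_id.encode("ascii") + b"\x00")

def parse_connect_request(data: bytes):
    """Proxy side: decode version, command, destination port/IP and the user id."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    dst_port = struct.unpack("!H", data[2:4])[0]
    dst_ip = socket.inet_ntoa(data[4:8])
    user_id, sep, _ = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("user id not terminated")
    return dst_ip, dst_port, user_id.decode("ascii")

# Constructed proxy policy: the ports this proxy has been configured to relay ("open").
OPEN_PORTS = {25, 80, 110, 119, 510}

def proxy_decide(data: bytes) -> bytes:
    """Proxy side: grant the relay only for an open destination port. The reply is
    VN=0, result code, then the requested port and IP echoed back (8 bytes)."""
    dst_ip, dst_port, _user = parse_connect_request(data)
    code = REPLY_GRANTED if dst_port in OPEN_PORTS else REPLY_REJECTED
    return struct.pack("!BBH", 0, code, dst_port) + socket.inet_aton(dst_ip)

def connect_granted(reply: bytes) -> bool:
    """Client side: check the proxy's reply before sending any FCP traffic."""
    return len(reply) == 8 and reply[0] == 0 and reply[1] == REPLY_GRANTED
```

A request for a port the proxy has not opened (port 3000, for example) is answered with result code 91 and the client must not proceed, which is why every NETINFO port must be open on the proxy.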
Port 23 is the Internet "telnet" program's port, which is used for the CLUI interface. To use the CLUI through a proxy server, you need a telnet program or terminal emulation program (for example, Procomm Plus or HyperTerminal) that supports proxy connections to a TCP telnet host. If you use CLUI, the FirstClass client software and FCP protocol are not involved. Communication occurs between the terminal program and the proxy server. For example, the terminal program and proxy server may support SOCKS5, and they could use that to connect over the CLUI.
If FirstClass Internet Services is on the outside of a firewall, the proxy server will need to include the Internet ports it supports in the list of ports opened for external access. This is usually set already, as it was for telnet, because most proxy servers have default configurations that open port 25 (SMTP), port 80 (HTTP), port 110 (POP3), port 119 (NNTP) and other common Internet ports.
Because FirstClass Internet Services and the server can run on two different machines, it is possible to place Internet Services on the public/Internet side of the proxy server, leaving the core server on the private side.
Some sites choose to isolate their server from the Internet, requiring a SOCKS4 proxy for FirstClass client connections, including possibly a SOCKS4 connection to the server from Internet Services over port 510 or another port. This scenario does not add security; the server is secure in either case.
Performance versus security
A common dilemma when deciding upon a firewall is determining the trade-offs between performance and security. You must consider the path a packet travels, and the level of security checks that are being performed on each packet. Network-level firewalls generally provide the highest performance, followed by circuit-level firewalls, and then application-level firewalls.
The level of security checks generally follows the reverse pattern because, as network packets pass through more protocol layers, they are inspected in more detail. As a result, application-level firewalls are considered more secure than network-level firewalls, which are considered more secure than circuit-level firewalls. However, because a circuit-level firewall does not perform extensive security checks, it often performs faster than a network-level firewall that contains a large set of accept and deny rules.
In general, application-level firewalls are the slowest architecture because each packet is treated as two separate network sessions and they implement the broadest set of security data checks, increasing the required processing time. Throughout the industry, however, application-level firewalls are generally considered to provide the best security.
Ports requirements
The following lists the port numbers that must be open for each connection type when setting up your firewall:
Port 21 FTP
Ensure this port is accepted for relaying (referred to as "open").
Port 23 CLUI/Telnet
Ensure this port is open. This is the Internet "telnet" program’s port, which is used for the CLUI interface.
Port 25 SMTP
Ensure this port is open on the firewall for two-way communication. It is usually the default configuration on the proxy server.
Port 53 DNS
Ensure this port is open. Although we do not support DNS, we need to connect to DNS servers on this port.
Port 79 Finger
Port 80 HTTP
Ensure this port is open on the firewall for two-way communication. It is usually the default configuration on the proxy server.
Port 110 POP3
Ensure this port is open on the firewall for two-way communication. It is usually the default configuration on the proxy server.
Port 119 NNTP
Ensure this port is open on the firewall for two-way communication. It is usually the default configuration on the proxy server.
Port 143 IMAP
Port 389 LDAP
Port 443 HTTPS
Port 510 TCP FCP
Ensure this port is open on the proxy server or firewall for two-way communication. To use additional ports (such as both TCPGUIPORT and TCPRGUIPORT) listed in the NETINFO, the proxy server would have to be configured to open these ports.
Port 810 UDP FCP
This port is used for IP Network Notifier.
Port 3000 FCP
FirstClass client Legacy TCP port (not required with newer client versions)