firewalls were strictly a do-it-yourself affair. A big innovation
was the introduction of several firewall toolkits - ready-made
proxies and client programs designed to build a simple, straightforward
firewall system. Lately, a number of companies have started offering
complete firewall "solutions."
there are four basic types of firewalls in use:
These firewalls are typically built from routers
that are programmed to pass some types of packets and to block others.
Traditional proxy-based firewalls
These firewalls require that users follow special
procedures or use special network clients that are aware of the
These firewalls rewrite the contents of the IP packets
as they pass between the internal network and the Internet. From
the outside, all communications appear to be mediated through a
proxy on the firewall. From the inside network, the firewall is
These firewalls bisect a single Ethernet with a
pair of Ethernet interfaces. The screen doesn't have an
IP address. Instead, each Ethernet interface listens to all packets
that are transmitted on its segment and forwards the appropriate
packets, based on a complex set of rules, to the other interfaces.
Because the screen does not have an IP address, it is highly resistant
to attack over the network. For optimal security, the screen should
be programmed through a serial interface or removable media (e.g.,
floppy disk), although you can design a screen that would be addressed
through its Ethernet interface directly (speaking a network protocol
other than IP). Some manufacturers of screens provide several network
interfaces, so that you can set up a
or a news server on a separate screened subnet using the same screen.
In this section, we will discuss the construction of a firewall
built from a choke and a gate that uses proxies to move information
between the internal network and the external network. We describe
how to build this kind of firewall because the tools are readily
available, and because this type seems to provide adequate security
for many applications.
For additional useful and practical
information on constructing your own firewall, we recommend that
Building Internet Firewalls
by D. Brent Chapman and Elizabeth
D. Zwicky (O'Reilly & Associates, 1995).
start purchasing equipment or downloading software from the Internet
for your firewall, you might first want to answer some basic questions:
What am I trying to protect?
are simply trying to protect two or three computers, you might find
that using host-based security is easier and more effective than
going to the expense and difficulty of building a full-fledged firewall.
Do I want to build my own firewall, or buy a ready-made
Although you could build a very effective firewall, the
task is very difficult and one in which a single mistake can lead
Should I buy a monitored firewall service?
If your organization lacks the expertise to build its
own firewall, or it does not wish to commit the resources to monitor
a firewall 24 hours a day, 7 days a week, you may find that paying
for a monitored firewall service is an economical alternative. Several
now offer such services as a value-added
option to their standard Internet offerings.
How much money do I want to spend?
You can spend
a great deal of money on your own systems, or on a commercial product.
Often (but not always) the extra expense may result in a more capable
Is simple packet filtering enough?
If so, you can
probably set up your "firewall" simply by adding
a few rules to your existing router's configuration files.
If simple packet filtering is not enough, do I want
a gate and one choke, or two?
Will I allow inbound Telnet connections? If so,
how will I authenticate them? How will I prevent passwords from
How will I get my users to adhere to the organization's
After you have decided
on your configuration, you must then assemble the parts. This assembly
Most organizations use a router. You can use an
existing router or purchase a special router for the purpose.
Usually, the gate is a spare computer running the
operating system. Gates do not need to be
top-of-the-line workstations, because the speed at which they function
is limited by the speed of your Internet connection, not the speed
of your computer's
. In many cases,
a high-end PC can provide sufficient capacity for your gate.
You'll want to get a variety of software
to run on the gate. Start with a firewall toolkit, such as the one
from Trusted Information Systems. You should also have a consistency-checking
package, such as Tripwire, to help you detect intrusion. Finally,
consider using a package such as Tiger to help find security weaknesses
in the firewall's
The choke is the bridge between the inside
network and the outside network. It should not forward packets between
the two networks unless the packets have the gate computer as either
their destination or their origination address. You can optionally
further restrict the choke so that it forwards only packets for
particular protocols - for example, packets used for mail
transfer but not for telnet or rlogin.
There are three
main choices for your choke:
an "intelligent router." Many of these routers
can be set up to forward only certain kinds of packets and only
between certain addresses.
You can use a standard
with two network interfaces. If you do so, do not run the program
/usr/etc/routed (the network routing
daemon) on this computer. Set up the program so that it does not
forward packets from one network interface to the other (usually
by setting the kernel ip forwarding variable to 0).
A computer set up in this fashion is both the choke and the gate.
You can alter your operating system's network
driver so that it only accepts packets from the internal network
and the choke. If you are running Linux, you can use the operating
system's kernel-based IP filtering, accessible through
command, to prevent the system from
receiving packets from non-approved networks or hosts. In the not
too distant future, other vendors may offer similar features.
The details of how you set up your choke will vary greatly,
depending on the hardware you use and that hardware's software.
Therefore, the following sections are only general guidelines.
choke is an intelligent filter: it is usually set up so that only
the gate machine can talk to the outside world. All messages from
the outside (whether they're mail,
or attempts to break in) that are directed to internal machines
other than the gate are rejected. Attempts by local machines to
contact sites outside the
are similarly denied.
The gate determines destinations, then handles requests
or forwards them as appropriate. For instance,
(mail) requests can be sent to the gate, which resolves local aliases
and then sends the mail to the appropriate internal machine.
Furthermore, you can set up your choke so that only specific
kinds of messages are sent through. You should configure the choke
to reject messages using unknown protocols. You can also configure
the choke to specifically reject known protocols that are too dangerous
for people in the outside world to use on your internal computers.
The choke software should carefully examine the option
bits that might be set in the header of each IP packet. Option bits,
such as those for IP forwarding, fragmentation, and route recording,
may be valid on some packets. However, they are sometimes set by
attackers in an attempt to probe the state of your firewall or to
get packets past a simple choke. Other options, such as source routing,
are never acceptable; packets that specify them should be blocked.
You also want to configure the choke to examine the return
addresses (source addresses) on packets. Packets from outside your
network should not state source addresses from inside your network,
nor should they be broadcast or multicast addresses. Otherwise,
an attacker might be able to craft packets that look normal to your
choke and clients; in such cases, the responses to these packets
are what actually do the damage.
The choke can also
be configured to prevent local users from connecting to outside
machines through unrestricted channels. This type of configuration
prevents Trojan-horse programs from installing network back doors
on your local machines. Imagine a public domain data-analysis program
that surreptitiously listens on port 49372 for connections and then
forks off a /bin/csh. The configuration also discourages
someone who does manage to penetrate one of your local machines
from sending information back to the outside world.
there should be no way to change your choke's configuration
from the network. An attacker trying to tap into your network will
be stuck if your choke is a PC-based router that can be reprogrammed
only from its keyboard.
The way you configure your choke will depend on the
particular router that you are using for a choke; consult your router's
documentation for detail.