SE 4C03 Winter 2005

An Introduction to Firewall Architectures and Functions

Kevin Law, 26th March 2005
1). Introduction

Anyone who has used the Internet has heard the term firewall. A firewall is a program or hardware device that controls the flow of traffic between the Internet and a private network. It is usually placed between the Internet connection and the private network. When a packet reaches the firewall, the firewall examines it (its headers and, for some types of firewall, its contents) and lets it through only if it does not violate the rules configured by the firewall administrator. A firewall is an effective tool for protecting a private network, because it can stop intruders from reaching the hosts and the information inside it. In this project we therefore discuss the design of a firewall step by step: choosing the architecture layers and then selecting the firewall functions. For each step we compare the advantages and disadvantages of the technologies that can be used.

When establishing an Internet firewall, the first thing to do is to establish its requirements. The requirements phase plays an important role in the whole development: it determines what the firewall will do and what kinds of packets are allowed to pass through. Because the firewall architecture is costly to change once it has been deployed, developers should carefully capture all the requirements in this phase. The next phase is choosing the architecture layers. Generally there are two classes of architecture, which we refer to as the single layer and the multiple layer architecture. Architecture means the set-up of the hardware and software, their connectivity, and the functions used in the development. We discuss the two classes of architecture in Section 2, which is divided into Section 2.1 for the single layer architecture and Section 2.2 for the multiple layer architecture. After the architecture has been chosen, the next step is the selection of firewall functions, which we discuss in Section 3. There are many types of function to select from; this paper is restricted to the three most popular ones: packet filtering in Section 3.1, application proxies in Section 3.2, and stateful inspection (also called dynamic packet filtering) in Section 3.3. Finally, we present our conclusions in Section 4.

2). Choosing the architecture layers

In this section we discuss each architecture class together with its advantages and disadvantages.

2.1) Single layer architecture

In the single layer architecture, shown in Figure 1-1, all firewall functions are placed on one network host that is connected to the private network on one side and to the Internet on the other. The purpose of this host is to control the flow of traffic between the two networks. This approach has a low cost and is suitable when there are only two networks to interconnect. Its advantage is that everything about the firewall resides on that one host. Its disadvantage is that a single flaw in that host may allow penetration through the firewall.

2.2) Multiple layer architecture

In the multiple layer architecture, shown in Figure 1-2, the firewall functions are distributed among a small number of hosts connected in series, with DMZ networks between them. This approach is more difficult to implement and operate. Using a different technology on each firewall host is recommended: although this is costly, it reduces the risk that every host shares the same implementation flaw, so that a single flaw no longer defeats the whole firewall. The advantage of this approach is that it provides better security than the single layer architecture.
3). Select firewall functions

There are many firewall functions available, but the three most popular are packet filtering, application proxies and stateful inspection filtering. They are discussed in detail in the following three subsections.

3.1) Packet filtering

Packets are analysed against a set of filter rules based on the contents of the packet headers, such as the source address, destination address, protocol and port. Packets that make it through the filters are forwarded to their destination; the others are discarded. The advantage of packet filtering is that it is a high-performance mechanism. The downside is that filters are harder to configure correctly, because every rule is expressed at the low level of addresses, ports and protocols rather than in terms of the applications the traffic belongs to, and a filter that looks at each header in isolation cannot distinguish a legitimate reply from an unsolicited packet that merely uses the same addresses and ports.

3.2) Application proxies

An application proxy, shown in Figure 1-3, is an application program that runs on the firewall system. When a client wants to reach a destination through the proxy, it first establishes a connection to the proxy and asks the proxy to connect to the destination on its behalf. If the request is permitted, the proxy opens a second connection to the destination. The client is now connected to the proxy and the proxy to the destination, and the proxy acts as a bridge between the two, forwarding traffic in both directions. Because the proxy understands the application protocol it is relaying, it can enforce rules about the request itself rather than only about addresses and ports; this makes an application proxy more secure than packet filtering, but also slower.
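The two-connection structure described in Section 3.2, as an added example in Python that is not part of the original paper or its references: the proxy reads a CONNECT-style request line from the client, parses it, checks the requested destination against an allowlist, and only then opens its own connection to the destination and relays bytes both ways. The request format, the ALLOWED_DESTINATIONS allowlist and the upper-casing echo "destination" are assumptions made for the demonstration; the whole session runs over socket pairs, so it needs no network.

```python
"""Application proxy skeleton: client -> proxy -> destination, with policy enforced between.
Added example. Allowlist, request format and echo destination are constructed for the demo."""
import socket
import threading

ALLOWED_DESTINATIONS = {("intranet-web", 80), ("mail", 25)}  # hypothetical policy
MAX_REQUEST_LINE = 256  # cap so a client cannot make the proxy buffer forever


def parse_connect_request(line: bytes):
    """Parse b'CONNECT host:port\\r\\n' into (host, port); raise ValueError if malformed."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] != b"CONNECT":
        raise ValueError("malformed request line")
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        raise ValueError("malformed destination")
    return host.decode("ascii"), int(port)


def is_allowed(host: str, port: int) -> bool:
    """Default deny: only destinations on the allowlist may be proxied."""
    return (host, port) in ALLOWED_DESTINATIONS


def read_line(sock: socket.socket) -> bytes:
    """Read one line byte by byte so anything after the newline stays in the socket for relaying."""
    buf = bytearray()
    while len(buf) < MAX_REQUEST_LINE:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            return bytes(buf)
    raise ValueError("request line too long or connection closed")


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until src closes, then half-close dst so the peer sees end of stream."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def proxy_session(client: socket.socket, connect) -> str:
    """Serve one client; connect(host, port) returns a socket to the destination.
    Returns "malformed", "denied" or "relayed"."""
    try:
        host, port = parse_connect_request(read_line(client))
    except ValueError:
        client.sendall(b"400 Bad Request\r\n")
        client.close()
        return "malformed"
    if not is_allowed(host, port):
        client.sendall(b"403 Forbidden\r\n")  # destination is never contacted
        client.close()
        return "denied"
    upstream = connect(host, port)  # second connection: proxy -> destination
    client.sendall(b"200 Connection established\r\n")
    workers = [threading.Thread(target=pump, args=(client, upstream)),
               threading.Thread(target=pump, args=(upstream, client))]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    client.close()
    upstream.close()
    return "relayed"


def echo_upper(sock: socket.socket) -> None:
    """Constructed stand-in for the destination: echoes each chunk upper-cased."""
    with sock:
        while data := sock.recv(4096):
            sock.sendall(data.upper())


def demo(request: bytes, payload: bytes = b"hello") -> tuple:
    """Run one proxied session over socket pairs; return (outcome, status line, reply)."""
    client_end, proxy_client_end = socket.socketpair()

    def connect(host, port):  # the proxy's own connection to the (simulated) destination
        proxy_dest_end, dest_end = socket.socketpair()
        threading.Thread(target=echo_upper, args=(dest_end,), daemon=True).start()
        return proxy_dest_end

    outcome = []
    server = threading.Thread(target=lambda: outcome.append(proxy_session(proxy_client_end, connect)))
    server.start()
    client_end.sendall(request)
    status = read_line(client_end).strip()
    reply = b""
    if status.startswith(b"200"):
        client_end.sendall(payload)
        client_end.shutdown(socket.SHUT_WR)  # nothing more to send; lets the relay wind down
        while chunk := client_end.recv(4096):
            reply += chunk
    server.join()
    client_end.close()
    return outcome[0], status, reply
```

Calling demo(b"CONNECT intranet-web:80\r\n") exercises the permitted path, while a request for a host not on the allowlist is refused before any upstream connection exists, which is the property that makes the proxy more than a packet relay: the policy decision is taken on the parsed request, not on addresses and ports alone.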
3.3) Stateful inspection filtering

Stateful inspection filtering is a compromise between performance and security. It is an extension of packet filtering: instead of deciding on the packet header alone, the filter also considers the prior packets of the same connection. An inbound packet is admitted only if it belongs to a connection that an earlier, permitted packet opened. Because the effective rule set changes as connections are opened and closed, this technique is also called dynamic packet filtering.

4). Conclusion

When designing a firewall system, the very first step is always to capture all the requirements. Once the requirements meet the client's needs, we can go on to the selection of the architecture and the firewall functions. In real-world applications we also have to consider properties such as performance, reliability, security, cost and functionality, and there are always trade-offs between them. There is no single architecture or firewall function that is the best; the choice depends on the client's needs. For example, if the client wants a high-performance firewall and the target network is small, we can choose packet filtering for the firewall function and the single layer architecture. If the client wants the firewall to be as secure as possible and speed does not matter, then an application proxy is the way to go.
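To make the difference between Section 3.1 and Section 3.3 concrete, the following Python program is added here as an example (it is not taken from the paper or its references). It runs one constructed packet trace through a stateless filter that decides on headers alone and through a stateful filter that keeps a connection table. The private network 10.0.0.0/24, the rule set, the addresses and the packets are all assumptions made for the demonstration.

```python
"""Stateless packet filter (Section 3.1) versus stateful inspection (Section 3.3).
Added example; network, rules and packet trace are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import List

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/24")  # hypothetical network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"SYN", "ACK"}

    def outbound(self) -> bool:
        """True if the packet leaves the private network for the Internet."""
        return ipaddress.ip_address(self.src) in PRIVATE_NET


# ---- Section 3.1: stateless packet filtering ----
# Rule = (outbound?, proto, (dport lo, hi), (sport lo, hi)). First match wins; default deny.
# To let inside hosts browse the web the filter must also admit the replies, and with
# headers alone that means: any inbound tcp packet from source port 80 to any high port.
STATELESS_RULES = [
    (True,  "tcp", (80, 80),      (1024, 65535)),  # outbound HTTP request
    (False, "tcp", (1024, 65535), (80, 80)),       # inbound HTTP reply: unavoidably broad
]


def _in_range(value: int, rng) -> bool:
    return rng[0] <= value <= rng[1]


def stateless_decide(pkt: Packet) -> str:
    for outbound, proto, dports, sports in STATELESS_RULES:
        if (pkt.outbound() == outbound and pkt.proto == proto
                and _in_range(pkt.dport, dports) and _in_range(pkt.sport, sports)):
            return "ALLOW"
    return "DROP"


# ---- Section 3.3: stateful inspection ----
class StatefulFilter:
    """Allows outbound connection openings, then only packets that belong to a tracked connection."""

    def __init__(self) -> None:
        # connection table keyed by (inside ip, inside port, outside ip, outside port)
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.outbound():
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                if "RST" in pkt.flags:
                    self.table.discard(key)  # connection torn down
                return "ALLOW"
            # Only a fresh SYN to a permitted service may create state (the static part of the policy).
            if pkt.proto == "tcp" and pkt.flags == {"SYN"} and pkt.dport == 80:
                self.table.add(key)
                return "ALLOW"
            return "DROP"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse tuple for inbound packets
        if key in self.table:
            if "RST" in pkt.flags:
                self.table.discard(key)
            return "ALLOW"
        return "DROP"  # unsolicited: no inside host opened this connection


# Constructed trace: a normal web connection, then an unsolicited probe that spoofs
# source port 80 so that it looks like a reply, then an inbound SSH connection attempt.
TRACE = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, flags=frozenset({"SYN"})),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, flags=frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, flags=frozenset({"ACK"})),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, flags=frozenset({"ACK"})),
    Packet("198.51.100.7", 33333, "10.0.0.5", 22, flags=frozenset({"SYN"})),
]


def run_stateless(trace: List[Packet]) -> List[str]:
    return [stateless_decide(p) for p in trace]


def run_stateful(trace: List[Packet]) -> List[str]:
    fw = StatefulFilter()
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    print("stateless", run_stateless(TRACE))
    print("stateful ", run_stateful(TRACE))
```

The fourth packet is the point of the comparison: the stateless filter has to accept it, because its headers are indistinguishable from a genuine web reply, while the stateful filter drops it because no inside host ever opened a connection to that address and port. A production stateful firewall tracks the full TCP state machine (including the FIN exchange) and times out idle entries; this example tracks only the opening SYN and RST so that the mechanism stays visible.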
5). References

Jeff Tyson. How Firewalls Work. Retrieved 26th March 2005 from http://computer.howstuffworks.com/firewall.htm/printable.

Carnegie Mellon University (1999). Design the Firewall System. Last updated 1st July 1999. Retrieved 25th March 2005 from http://www.cert.org/security-improvement/practices/p053.html.