
Computer Security 101 - Part 3 - Firewalls

When it comes to computer and network security, I believe in an outside-in approach. Start as far away from your computer as possible and work your way back, putting up as many roadblocks in the way as you can. This approach has served me well in the past, and will likely continue to do so in the future. And so we will continue delving into computer security at the network perimeter with the firewall.

Before we begin I should point out that passwords were covered first and foremost due to their very nature. That is to say, everything has passwords of one sort or another. Firewalls included. So it would have been negligent of me to not cover passwords first. Now we can move on. Thank you for your patience.

There are a lot of people out there who do not know what a firewall really is, let alone understand what it does. This group of people includes many IT professionals, even very seasoned professionals. I often get a look of disbelief during technical interviews when I am asked about experience with a particular firewall or another, because I always respond with something along the lines of "a firewall is a firewall."

Usually my resume is directly in front of them and lists my Check Point Certified Security Administrator NG, Cisco Certified Network Associate, and Certified Information Security Manager certificates; as well as a plethora of various hardware that I have worked on (such as PIX or Watchguard firewalls). So when the person across the desk asks me if I have experience with a Sonic firewall, well, "a firewall is a firewall" is about as polite an answer as I can give. Sometimes I just blow the interview right there and go into sassy mode. But I digress.

A firewall is a firewall is a firewall. Period. Some are better than others, but they all do the same basic thing and are configured the same way. The interface might be different, but just because one car has a digital speedometer does not make it any more difficult to drive than one with a standard needle (analog) speedometer. Let's dive into what that same basic thing is.

In the beginning we had routers. Routers route network traffic. Then someone said, hey, let's make a specialized router that does the same thing, only less of it, call it a firewall and charge additional money for it. Thus the firewall was born.

If you were to think of your network as a company, with the computers as departments and the software running on the computers as people, firewalls would be the mailroom. Any type of parcel has three things that are readily available to be seen: 1) The address the parcel was sent to, 2) The address the parcel came from, and 3) How the parcel was delivered (FedEx, UPS, USPS, etc). A good mailroom looks at these three things and determines what to do with the parcel. Simple and easy.

A mailroom example of what is taking place with that parcel: A letter arrives addressed to the CEO of the company, there is no return address, and the letter arrived with a bulk mail (USPS) stamp on it. What do you think the mailroom is going to do with that letter? Were I a CEO, I would fire a few people for delivering junk mail to me; thus the mailroom might trash the letter outright or they might decide to deliver it someplace else, say the CEO's secretary (sorry, administrative assistant). It really would depend on the instructions given to the mailroom, right?

Next a big brown box arrives that is addressed only to the company itself. The box arrived via UPS ground. A good mailroom is going to look at the packing slip to find a little more information. They immediately notice the parcel arrived from Dell Computer Corp, and move the box on down to the IT department without a second thought.

The mailroom gets a letter for Jane Smith; well, there is no Jane Smith here: RETURN TO SENDER. And the mailroom never accepts C.O.D. parcels.

This is exactly what a firewall does. It behaves like a good mailroom staff with instructions on what to do with each parcel that arrives; only it deals with data as its parcel. There are three things that are readily available to a firewall: 1) The address the data is sent to, 2) The address the data came from, and 3) What port the data is being delivered on. Simple and easy.

Configuring a firewall is about the same as giving instructions to the mailroom. "Only allow marketing to send out bulk mailers." "Anything that comes in from Dell goes to IT." "Only John can send out packages using the freight company." Etc, etc. The only differences are in what the address looks like (hint, it's an IP address instead of a postal address) and instead of saying "UPS Next Day Delivery," we use port numbers.

The bulk of setting up a firewall comes before you even touch it. Before you can set it up, you need to know what the instructions are going to be. The best instruction is always: return everything that comes in to sender, and don't let anyone use the stamp machine to send anything out. In firewall terms, this is "deny any any". It should always be your starting point; everything else gets built on top of that and creates a pecking order for what happens with the data parcels. This works for a firewall just like a mailroom: John can use the stamp machine. You are not John; therefore you get denied the use of the stamp machine.

Coming up with the instructions to give the firewall is relatively easy, but it usually takes a few minutes to do. It involves a little research to see what software applications are used to do what on your network. This includes sending and receiving email, browsing the web, running a SageTV placeshifter server or playing online games. If something needs to talk to the Internet, it needs a rule for the firewall. You just need to figure out (look up) what those rules need to be.

A few simple guidelines for setting up rules:

1) Permitting all outgoing traffic is a very bad thing. So don't do it. Spend the 15 minutes to find out what traffic needs to go out and to where.

2) If you have a dedicated email server, it should be the only thing on your network that can send or receive email. That is to say that POP3 (port 110) and SMTP (port 25) should only be permitted to and from that server.

3) If you do not have a dedicated email server (meaning you get your email from your ISP) you should block incoming SMTP & POP3, and allow outgoing SMTP & POP3 **ONLY** to your email provider (these are the server addresses you put into Outlook when you set up your email account).

4) If you have a dedicated DNS server, it should be the only thing on your network that can send out DNS lookup packets (port 53).

5) If you do not have a dedicated DNS server you should only allow outgoing DNS traffic to go to your ISP's DNS server (your ISP gave you this address someplace).

6) Unless you handle your own DNS services for an Internet server, you should block incoming DNS requests.

7) Explicitly stating where any outgoing traffic is going to is a very good thing. If your game requires port 9110 to be open, then only allow port 9110 to be open with an outbound address of the game server.

You can't surf porn without allowing web traffic, so odds are you will want to allow outgoing HTTP (port 80) and HTTPS (port 443). Not much you can do there, but it does provide a big loophole. Other programs use these ports to bypass firewalls, and that is a bad thing. The fix is an Application Layer Firewall. If you are setting up your firewall for home use, don't worry about it. If you are doing it for a company and you have not yet purchased your firewall, or have the budget to "upgrade" your firewall, get an Application Layer Firewall.
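To make the "deny any any plus a pecking order" idea concrete, here is a small first-match rule evaluator I have added for illustration (it is not from the original post and is not any vendor's syntax). It encodes guidelines 2, 5 and 7 above using only the three things a firewall sees: source address, destination address and port. All addresses are constructed example values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example addresses (private LAN plus documentation ranges).
LAN = "192.168.1.0/24"
MAIL_SERVER = "192.168.1.25"      # guideline 2: the only box that talks email
ISP_DNS = "198.51.100.53"         # guideline 5: the ISP's resolver
GAME_SERVER = "203.0.113.90"      # guideline 7: the one host port 9110 may reach
SMTP, POP3, DNS, HTTP, HTTPS, GAME = 25, 110, 53, 80, 443, 9110


def _in(addr: str, net: str) -> bool:
    """True if addr falls inside net; "any" matches every address."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, single address, or "any"
    dst: str
    port: Optional[int]    # destination port; None means any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (_in(src, self.src) and _in(dst, self.dst)
                and (self.port is None or self.port == port))


# Evaluated top to bottom; the first matching rule wins.  The trailing
# "deny any any" is the starting point everything else is built on.
RULES = [
    Rule("allow", LAN, MAIL_SERVER, SMTP),     # workstations hand mail to the mail server
    Rule("allow", LAN, MAIL_SERVER, POP3),     # and fetch it from there
    Rule("allow", MAIL_SERVER, "any", SMTP),   # only the mail server sends mail out
    Rule("allow", "any", MAIL_SERVER, SMTP),   # inbound mail goes only to the mail server
    Rule("allow", LAN, ISP_DNS, DNS),          # DNS lookups only to the ISP resolver
    Rule("allow", LAN, GAME_SERVER, GAME),     # port 9110 only to the game server
    Rule("allow", LAN, "any", HTTP),           # the port 80/443 loophole: any
    Rule("allow", LAN, "any", HTTPS),          # payload passes, hence the ALF advice
    Rule("deny", "any", "any", None),          # deny any any
]


def decide(src: str, dst: str, port: int, rules=RULES) -> str:
    """Return "allow" or "deny" for one packet's (src, dst, port) triple."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"  # only reached if someone drops the trailing deny rule
```

Note that the port 80 and 443 rules allow anything a workstation labels as web traffic, which is precisely the gap an Application Layer Firewall closes by looking inside the parcel.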

Continuing the mailroom analogy... A fruit basket arrives addressed to Gertrude in Accounting delivered by the flower delivery guy. Every company accepts deliveries from the flower delivery guy. The flower delivery guy is HTTP on Port 80. So the mailroom rushes that fruit basket over to Gertrude, only instead of pineapples, the fruit basket contained pineapple grenades. Boom. Poor Gertrude. And poor everyone in Accounting.

An Application Layer Firewall is like if the mailroom X-rayed every piece of mail that came through there. More so, they were allowed and required to open every parcel that comes and goes to take a quick peek to make sure the package is what it says it is. That is exactly what an Application Layer Firewall does, because the Internet is chock full of people trying to send pineapple grenades to Gertrude; and Gertrude (bless her little heart) is trying to send socks to her nephew in Utah using the company's UPS account.

A last note on firewalls, primarily for corporate IT people: Two firewalls are better than one. The best setup for a firewall is to have an external firewall that handles incoming traffic, such as allowing traffic to your web server, and a second internal firewall that handles outgoing traffic. The external firewall can be in drop-in mode (meaning it knows all the external IP addresses that your company uses, but is not performing NAT translations, just filtering). The internal firewall connects to the external firewall, gets one of those external IP addresses, provides NAT translations (using that external IP) and should be an Application Layer Firewall. More internal firewalls are even better, but two should suffice. Between the two firewalls are your outside only services (web servers, email forwarders, porn, etc). You can even get creative and place honey pots between them, but that is a bit beyond the scope here.

Firewalls are as complicated as you want to make them, but really you should be making them very simple. Keep in mind that a firewall performs the same tasks as a good mailroom. If you do your homework to determine what traffic you need to allow (port numbers), where the traffic should be coming from, and where it should be going to, then you have 99% of what it takes to set up a secure firewall. The other 1% is just punching in that information.

