Introduction to Firewalls

Everybody's heard the word firewalls.

The problem is, firewalls are one of those terms that get mixed up all over the
place.

How many people have heard the phrase "oh, my firewall is in my router"?

Or you're talking about your individual computer and you've got Windows Firewall, so
we talk about firewalls all the time.

But what I want to do is talk about what firewalls are and the best place to start
is understanding where firewalls live.

So what I want to begin with is my little network here. It's a home network, and
I've got some computers here that are hooked to a switch, and this is a router.

Now a firewall, by definition, is something that filters traffic based on criteria.

Now we usually think about filtering in terms of filtering by IP address and ports
but it can do more than that.

I don't want to concentrate so much on what it's filtering right now I just want to
go OK my good filters.

But let's talk about where firewalls live.

So here in this little network what I want to do is prevent naughties from coming
into my network or naughties from going out of the network.

So one of the traditional places we're going to put a firewall is on the edge of my
network and these types of firewalls tend to be actual little boxes.

Now in this case I said this was a router.

So it's very common to have routers with built-in firewall features, but we're
not limited to that. If I wanted to (and there are people who would be glad to sell
it to you), I can do something like this, where I've got a firewall and a separate
router. So don't get the idea that all routers are firewalls.

It's a common way to do it.

And it's a convenient place to put it but in no way is that exactly always true.

Let's go and stick with our original idea here.

Don't you think off the router mark.

So this may or may not be a router for this description but what it is for right
now is that it's a firewall.

It is a box that does the actual firewall work.

This is protecting the entire network, so we call this a network firewall. Since it's
usually a dedicated box, we tend to call this also a hardware firewall.

So this little box, which is designed to protect the entire network, is a network
firewall, and because it's close to being a dedicated box, we also call it a
hardware firewall.

So he is going to be protecting the network for anything that's coming in or out.

Now that's not the only firewall in this game.

If we go over to our individual computers each one of these computers can also have
a firewall feature.

Now, if we wanted to (people would sell them to you), we could put little boxes in
front of all of our individual hosts, but that could be ridiculously expensive.

And since our hosts usually only have one network connection, it's trivial for us to
install software onto these hosts that can act as a firewall at this point.

So since we're just installing software we would call that a software firewall and
because it's only protecting this one computer we call this a host firewall because
his job is only to protect this host from naughties that are coming in and out of
that device.

So if you take a look at this set up this is fairly common for most networks where
you have some box on the edge that is providing firewall features and because it's
on the edge we tend to do a lot with these individual boxes.

Not that long ago in fact you probably still could buy a dedicated box that is just
a firewall.

And people like Barracuda for example would sell you one.

But what we start to see more and more today is that we have one box that can do a
lot.

We have this box that's a firewall, but it could also be a VPN endpoint.

It can also run anti-malware.

It can do all kinds of stuff.

It could be a proxy it can do all kinds of things in this one little box.

And we tend to call these unified threat management or UTM boxes.

So a UTM box can be a firewall but it's going to be a firewall and much much more.

Make sure you know the difference between network and host based and software and
hardware based firewalls.

Firewalls filter traffic based on specific criteria

Firewalls can be network-based or host-based

Firewalls come in hardware and software varieties

Firewalls
Now that we know where firewalls are located,

let's talk about what firewalls actually do.

A firewall by definition is something that filters traffic based on criteria.

All right, now what I want to do is use this diagram here, and I want to talk about
our firewall; in this case that's going to be an external hardware firewall.

This is my network out here.

This is the bad, evil world out here. I'm going to just unplug this so we can
just look at this part. Now, when we take a look at a firewall, it's going to do one
of two big things.

It's either going to be what we call a stateless firewall or a stateful firewall.

Let's talk about both of these. Stateless firewalling is the original type of
firewall; this goes way back.

With a stateless firewall, all the firewall is looking at is data that's coming in
or going out of the network, and it's filtering that traffic based primarily on IP
address and port number. So I can go into this firewall right here and I could
create an Access Control List, and in that Access Control List I can say "allow
outgoing port 80" and everything going out, so people can get to google.com or
whatever they want to do.

And it works great.

But there's a problem here.

The problem that we have is that when we look at all of the things that can go in
and out of this particular firewall the job can get messy.

So what I want you to do is let's take a moment and take a look at an access
control list.

When you start up a router and you configure it the first thing you're going to
have to do is create an Access Control List.

Let's take a look at one.

There's a lot of different ways to show you an access control list.

But one of my favorite ways to do it is by using an old home router.

This is an old WRT54G router.

The Router of your forefathers.

I love it, though, because its simplistic interface really makes it easy to explain
stuff.

Now, those of you who are familiar with Linksys routers will recognize that this is
not the standard interface. What's happened here is this is a popular third-party
firmware called DD-WRT, and I love it. I do this all the time with my routers.

So what we're going to do is go over to let's go to access restrictions.

OK.

And what we're going to do here is create an access control list. Right now I have
no access controls at all. This guy calls each individual control a policy, so a
stack of policies is collectively an access control list.

So really all I want to do is I want to stop the guys from playing Battlefield 1942
on my computers.

So I'm going to enable this and I'm going to call it No 42.

That's 43.

So, No 42. I'm just giving it a name so I can remember what it is.

I can edit a list of PCs, and I know that those guys are using these IP addresses, so
let me just go ahead and type these in. You can see I've set up a range of IP
addresses; I could have done this by MAC address or by individual IPs just as
easily.

Let me save this and close it.

OK.

So I've specified which PCs I want to apply this to.

Now I want to allow them Internet access.

That's not a problem.

They can access it anytime they want.

But if I wanted to, I could actually limit it.

Now this is a scope of this particular guy.

What I can do is if I wanted to I could deny and I could say when do I want to deny
him and what times I want to deny them.

But that's complete internet access on this particular guy.

If I hit deny, that doesn't do anything for me; I certainly want them to do their work.

I just don't want them playing Battlefield 1942, so we scroll down here, and see, there it is.

That's Battlefield 1942.

Notice that this is already in here.

So like most good routers they'll have presets for different port numbers and
things like that.

But if I wanted to I could go ahead and easily type in my own but I'm just going to
use this because it's handy and convenient.
Now you'll see it's zeros here, but it actually has a lot of information in here
that says exactly what it's blocking so that they can't play Battlefield 1942. I
don't even remember the port numbers off the top of my head.

Now if I wanted to I could add more stuff to this specific policy.

I could also say download Do they not play Battlefield 1942.

I could also block by URL; I could block by keyword, anything like that.

But I'm just going to save settings and what I've done is I have created one
policy.

So I now have an access control list that consists of exactly one policy and I can
make on this particular router I can make nine more as you can see right there.

The bottom line is that all different devices have all different ways to manifest
that access control list.

But I pretty much guarantee you it's always there.

The Access Control List in a stateless firewall really is nothing more than a bunch
of rules that allows a dumb packet filter like our stateless firewall to do what it
does.

The stateless firewall is really just going to be looking at the IP address and the
port numbers and filtering traffic based on that.

Well that's great.

And we use stateless firewalls all the time.

Any good firewall, most modern firewalls today, has a stateless firewall feature built into it.

But there are some weaknesses to a stateless firewall.

Let me give you one great example.

So here's my firewall This is out in the Internet and this is my internal network.

Let's say I have a packet coming in on port 8080, I don't know.

Nobody started this.

You understand, it just kind of came in on port 8080.

Based on my Access Control List, in order to stop unsolicited incoming port 8080
traffic, I'm going to have to make a rule in my Access Control List.

OK, well, you could do that, but now the problem is, what if this bad guy, once
that's blocked, does 8081 immediately, and then 8082? You get the idea.

It becomes a problem.

So we need something that doesn't just look at the dumb packets.

We need something that's actually inspecting the connection that's going on between
two devices we need something that looks at the State of the connection that's
going on.

Keep in mind, if you remember a few episodes back when we were talking about TCP/IP,
we would say we had a client on one side and the server on the other, and then the
client would initiate the conversation.

And then the server would respond and they would acknowledge each other and they
would then have a communication going on between the two.

I can make a firewall that is aware of communications he's aware of the state of
the conversation going on through it at all times and we call that a stateful
firewall.

Let me give you a great example.

A stateful firewall.

And this is one simplistic example.

Let's say we have an internal network with a little box in here, and he wants to get
on Google, so he'll go out.

Out on port 80, to a particular IP address for Google; he sends it out.

And it heads out towards the Google server.

This stateful firewall creates what's known as a state table and in that state
table it writes down OK so this computer here is going out on port 80 to this
particular IP address.

He writes all this down into the state table and is now ready and expecting an
incoming packet from that server.

And then he goes OK this is a good conversation.

I'm going to go ahead and allow that through that is the most simplistic version of
a stateful firewall.

Now, stateful firewalls are great, and you don't have to choose between a stateless
and a stateful firewall; in fact, most good firewalls are both stateless and stateful
at the same time.

We do that; that's common.

Both are critical, OK.

So these two guys do a great job of doing a lot of firewalling, but that's still
not enough.

Let me give you another example of something that can happen.

There are certain applications out there, and these applications can actually change
their port number on the fly. BitTorrent, for one.

There are some chat programs that do this; there are a lot of programs out there that
can actually change their port number. So this guy on the inside here,

if he suddenly wants to talk on his BitTorrent, he can go ahead and start his
BitTorrent client up, and I don't care what's happening here, what kind of filtering
we have, he'll keep spinning around until he hits a port number that lets him out,
and then he can go out and get to the BitTorrent server. That BitTorrent server is
going to go ahead and spin port numbers until he can get back in.

So this is a big problem.

So what we do is we take the idea of a stateful firewall and we take it a little
bit deeper: we create appliances, firewalls that are context- and application-aware,
where they can actually look not at the IP address, not at the port number, not even
the header; it actually looks in the data payload itself.

And it's smart enough to go, hey, in that data, I don't care what the port number
is, that's BitTorrent, and it can filter it either way.

So it's absolutely incredible.

This feature has been known as deep packet inspection, but for the exam just
concentrate on the words application- or context-aware, running at Layer 7 of the
OSI model.
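An added example (not from the lecture) of what an application-aware filter looks at: the first bytes of the payload rather than the port number. The BitTorrent handshake prefix is the protocol's real one; the sample packets, the HTTP method list and the blocked-application set are constructed for the example.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")
# A BitTorrent peer handshake starts with the byte 19 followed by this string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def classify_payload(payload: bytes) -> str:
    """Name the application from the leading payload bytes, whatever port it used."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


BLOCKED_APPS = {"bittorrent"}  # constructed policy: no torrents on this network


def app_aware_filter(dst_port: int, payload: bytes) -> str:
    # The port is deliberately ignored: a client that spins through port numbers
    # still carries the same handshake bytes, so the payload is what gets matched.
    app = classify_payload(payload)
    return "deny" if app in BLOCKED_APPS else "allow"


def demo_app():
    web = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # reserved bytes, info_hash and peer_id are filler here (constructed)
    torrent = BT_HANDSHAKE + b"\x00" * 8 + b"H" * 20 + b"P" * 20
    return {
        "http_on_80": app_aware_filter(80, web),
        "torrent_on_80": app_aware_filter(80, torrent),
        "torrent_on_6881": app_aware_filter(6881, torrent),
    }
```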

So when it comes to firewalling we have two big groups. We have stateless, which
are the ones that just kind of look at individual packets.

We have stateful, which looks at the actual state of the conversation between any
two computers.

And then, as an extension to that, we have firewalls that are capable of looking
inside the data payload, and that are application- and context-aware.

Stateless firewalls filter based on ports and IP addresses

Stateful firewalls track the state of the conversations

Context- and application-aware firewalls filter based on the content of the packets
