Flanagan Consulting

Archive    19 Feb 2008      #66

Reliable, but not Secure?

By Vladimir Kaminsky, Sr. Associate

This ViewsLetter addresses an important part of network functionality for availability--the ability to survive constant security threats. The network hardware, software, and links can be fully redundant, but that does not prevent disabling attacks unless certain security measures are implemented.


The most common method to defend a network from attacks is to insert a firewall (or firewalls) between the user's LAN and the Internet. There's not much controversy over what is required from network firewalls, but no single standard defines this device. We can say broadly that a Network Firewall is a system or group of systems used to control access between two networks--a trusted network and an untrusted network. A firewall can operate only on communications traffic that physically passes through it--it has no impact on traffic between two devices when both are on the same "side" of the firewall. That is, if both are connected to the same firewall network card or port (usually the "inside" or local LAN), then the firewall may not see the messages at all. Networks may have internal firewalls to control such traffic.

Primarily, firewalls allow or block network traffic between devices based upon rules set up by the firewall administrator. Each rule defines a specific traffic pattern one wants the firewall to detect and the action the firewall should take when that pattern is detected. Firewalls can look inside packets to examine application content, referred to as "deep inspection."

Technically, firewalls are classified as packet filtering, proxy, or stateful firewalls. There are other types of these devices, but those mentioned are the primary ones. Also, firewall terminology is not standardized, and one can find other terms for these firewall types.

Packet filtering firewalls are like packet filtering routers but with some differences in implementation. A firewall can be relatively simple, using Access Control Lists (ACLs) at the network (IP) layer to:
  • Block traffic to/from particular hosts, internal or external--the existence of internal hosts can be hidden from people on the other side of the firewall.
  • Block certain identifiable protocol classes.
  • Block traffic to certain identifiable ports (TCP and UDP addresses), thereby blocking certain types of traffic.

A proxy firewall acts as a middleman between the two parties and decides whether or not the communication should be allowed. There is no direct connection between the two parties: the firewall terminates layer 3 and 4 protocol sessions with both parties. This setup shields internal network information like host names and topology from outside eyes. The proxy is the only machine with a visible IP address on the Internet. The proxy makes a copy of each incoming packet, changes the source address, and puts it on the other wire to the destination address.

The stateful firewall is the most advanced type. It looks inside packets to examine application content and may anticipate how a packet will behave on a server. It keeps track of the actual communication process by use of a state table, and allows or disallows packets based on the access policy. It also follows connectionless protocols like UDP, storing the state and context of the data in the packets in the state table, updated continuously, to detect attacks such as packet replay and message injection that can't replicate the proper state of the connection. The stateful firewall works at the five upper layers of the OSI model.
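To make the difference between the packet filtering ACLs above and the state table concrete, here is an added example (not code from the ViewsLetter or from any firewall product). It runs a toy stateless ACL and a toy stateful firewall over the same constructed packets: an HTTP connection opened from inside, its replies, an unsolicited inbound packet that merely uses source port 80, a mid-stream packet with no prior handshake, and a DNS exchange. Addresses, ports, the rule layout, and the `StatefulFirewall` class are assumptions made for illustration; a real stateful firewall also checks sequence numbers, timeouts, and application content.

```python
# Added example, not from the ViewsLetter: a toy stateless packet filter
# next to a toy stateful firewall, run over constructed packets. Addresses,
# ports and the rule layout are assumptions made for illustration only.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK

@dataclass(frozen=True)
class Rule:
    """One ACL entry; a None field matches anything."""
    action: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))

def packet_filter(rules, p: Packet) -> str:
    """Stateless ACL: first matching rule wins, otherwise deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFirewall:
    """State table keyed by the 5-tuple of the initiating direction. Only
    flows opened from the inside and permitted by the ACL get an entry;
    later packets pass only if they fit that entry's state."""

    def __init__(self, rules, inside_prefix: str):
        self.rules = rules
        self.inside = inside_prefix
        self.state = {}   # 5-tuple -> "SYN_SENT" | "ESTABLISHED" | "UDP"

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        fwd, rev = self._fwd(p), self._rev(p)
        if fwd in self.state:                      # initiator -> responder
            if p.proto == "tcp" and self.state[fwd] == "SYN_SENT" and p.flags != "S":
                return "deny"                      # data before the handshake completed
            return "allow"
        if rev in self.state:                      # responder -> initiator
            if p.proto == "tcp" and self.state[rev] == "SYN_SENT":
                if p.flags != "SA":
                    return "deny"                  # reply that does not fit the state
                self.state[rev] = "ESTABLISHED"
            return "allow"
        # Unknown flow: must originate inside, open with a SYN (or be UDP),
        # and be permitted by the ACL before it earns a state entry.
        if not p.src.startswith(self.inside):
            return "deny"                          # unsolicited inbound packet
        if p.proto == "tcp" and p.flags != "S":
            return "deny"                          # mid-stream packet, no connection
        if packet_filter(self.rules, p) != "allow":
            return "deny"
        self.state[fwd] = "SYN_SENT" if p.proto == "tcp" else "UDP"
        return "allow"

# Policy: inside hosts may open HTTP and DNS to the outside.
ACL_OUT = [Rule("allow", proto="tcp", dport=80), Rule("allow", proto="udp", dport=53)]
# A stateless filter needs extra rules so replies can come back in, and those
# rules admit any packet that merely uses source port 80 or 53.
ACL_STATELESS = ACL_OUT + [Rule("allow", proto="tcp", sport=80),
                           Rule("allow", proto="udp", sport=53)]

def run_scenario():
    """Returns [(label, stateless decision, stateful decision), ...]."""
    fw = StatefulFirewall(ACL_OUT, inside_prefix="10.0.0.")
    flow = [  # constructed packets, in arrival order
        ("syn out",           Packet("10.0.0.5", 40000, "203.0.113.7", 80, "tcp", "S")),
        ("syn/ack in",        Packet("203.0.113.7", 80, "10.0.0.5", 40000, "tcp", "SA")),
        ("ack out",           Packet("10.0.0.5", 40000, "203.0.113.7", 80, "tcp", "A")),
        ("unsolicited in",    Packet("198.51.100.9", 80, "10.0.0.5", 40000, "tcp", "A")),
        ("ack, no handshake", Packet("10.0.0.5", 40001, "203.0.113.7", 80, "tcp", "A")),
        ("dns query out",     Packet("10.0.0.5", 5353, "203.0.113.53", 53, "udp")),
        ("dns reply in",      Packet("203.0.113.53", 53, "10.0.0.5", 5353, "udp")),
        ("stray udp in",      Packet("203.0.113.53", 53, "10.0.0.5", 5354, "udp")),
        ("ssh out",           Packet("10.0.0.5", 40002, "203.0.113.7", 22, "tcp", "S")),
    ]
    return [(label, packet_filter(ACL_STATELESS, p), fw.process(p)) for label, p in flow]

if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:18} stateless={stateless:5} stateful={stateful}")
```

The stateless ACL passes the unsolicited inbound packet, the mid-stream packet with no handshake, and the stray UDP datagram, because each matches a port-based rule; the stateful firewall denies all three because no state-table entry fits them, while still passing the legitimate replies.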

And More

While doing this filtering, a firewall can perform many additional functions, but the major ones are:

User authentication. Firewalls can be configured to authenticate users by asking a database server to confirm the submitted ID, password, and other credentials (like a token or certificate) before allowing packets to pass. This function can be quite sophisticated, allowing network administrators to control access by each user to specific services and resources after a single sign on. Authentication also allows network administrators to track specific user activity and flag unauthorized attempts to gain access to protected networks or services.

Auditing and logging. Firewalls can log every event to provide auditing capabilities. Firewalls can generate statistics based on the information they collect, often useful in making policy decisions that relate to network access and utilization.
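As an added example of the statistics a firewall log supports (this is not code from the ViewsLetter or from any firewall product), the script below parses a handful of constructed log lines, counts denied packets by source and by destination port, and flags sources that were refused on several different ports, the kind of summary a policy review would start from. The log line format, the addresses, and the `scan_threshold` parameter are all assumptions made for the example and match no particular vendor.

```python
# Added example, not from the ViewsLetter: turning constructed firewall log
# lines into the statistics a policy review would use. The log format is
# invented for the example and matches no particular vendor.
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2008-02-19T10:00:01 ALLOW tcp 10.0.0.5:40000 -> 203.0.113.7:80
2008-02-19T10:00:02 DENY tcp 198.51.100.9:4444 -> 10.0.0.5:22
2008-02-19T10:00:02 DENY tcp 198.51.100.9:4445 -> 10.0.0.5:23
2008-02-19T10:00:03 DENY tcp 198.51.100.9:4446 -> 10.0.0.5:25
2008-02-19T10:00:03 DENY tcp 198.51.100.9:4447 -> 10.0.0.5:80
2008-02-19T10:00:04 ALLOW udp 10.0.0.5:5353 -> 203.0.113.53:53
2008-02-19T10:00:05 DENY udp 203.0.113.53:53 -> 10.0.0.5:5354
2008-02-19T10:00:06 DENY tcp 192.0.2.33:50000 -> 10.0.0.5:22
this line is not a firewall record
"""

def parse_log(text):
    """Return (records, malformed_count); bad lines are counted, not raised."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            malformed += 1
    return records, malformed

def summarize(records, scan_threshold=3):
    """Aggregate denied traffic by source and destination port, and list
    sources refused on at least scan_threshold distinct ports."""
    denies_by_src = Counter()
    denies_by_dport = Counter()
    ports_per_src = defaultdict(set)
    allow_count = deny_count = 0
    for r in records:
        if r["action"] == "ALLOW":
            allow_count += 1
            continue
        deny_count += 1
        denies_by_src[r["src"]] += 1
        denies_by_dport[(r["proto"], int(r["dport"]))] += 1
        ports_per_src[r["src"]].add(int(r["dport"]))
    probable_scans = sorted(src for src, ports in ports_per_src.items()
                            if len(ports) >= scan_threshold)
    return {
        "allow_count": allow_count,
        "deny_count": deny_count,
        "denies_by_src": denies_by_src,
        "denies_by_dport": denies_by_dport,
        "probable_scans": probable_scans,
    }

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    stats = summarize(recs)
    print(f"{len(recs)} records parsed, {bad} malformed line(s)")
    print("denies by source:", dict(stats["denies_by_src"]))
    print("denies by port:  ", dict(stats["denies_by_dport"]))
    print("sources refused on several ports:", stats["probable_scans"])
```

Malformed lines are counted rather than discarded silently, since a sudden rise in unparseable records is itself worth noticing in an audit trail.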

Separation. Firewalls can hide internal or trusted networks from external or untrusted networks by changing addresses. Network Address Translation (NAT) offers an additional layer of security by shielding services from unwanted scans.

Central Management. Firewalls can provide a central point for security management over multiple locations. This can be very beneficial when an organization's human resources and financial resources are limited.

Firewalls are based on both software and hardware. Next time we'll look at some best practices for allocating these protective functions to either, and on what platforms (one multifunction box or several specialized devices).


New Books
FC Associate Ray Horak recently authored two books on networking. William Flanagan was the technical editor for both. They offer extensive coverage of many technologies, and are as accurate as two old pros can make them.

The new titles are:
Telecommunications and Data Communications Handbook, 791 pages.
Webster's New World Telecom Dictionary, 568 pages.

Wiley is the publisher. Available in bookstores and on the web from multiple merchants--do a web search for "Ray Horak" or start with Ray's profile page at http://www.amazon.com/gp/pdp/profile/AL7TPWAFURLDA.
How Can Flanagan Consulting Help You?

We understand not only the technology of networks, but also the surrounding business processes: procurement, bid preparation/analysis, statements of work, financial analysis, consensus building, and more.

We have current experience in litigation support for attorneys involved with patents or contracts related to networking or voice and data communications.

Find out now:  call +1.703.242.8381

Subscriptions to ViewsLetter

Mailman, the Linux application, keeps the mailing list and posts messages. It is set up as a "read only" list. Because of the number of 'out of office' autoreplies, replies to this message are discarded. You can unsubscribe or subscribe at:
You will need a password to unsubscribe, but Mailman will send you one on demand. If you have a problem with the list, send an email to Publisher@ViewsLetter.com.
Special thanks for supporting ViewsLetter to www.webtorials.com,
your best source for communications tutorials and white papers.
"Flanagan Consulting" and "ViewsLetter" are Service Marks of W. A. Flanagan, Inc.

Flanagan Consulting
W. A. Flanagan, Inc.
45472 Holiday Drive, #3
Sterling, VA 20166
Ph:  +1.703.242.8381
Fx:  +1.703.242.8391
In Converged Networking,
We have the Experience