Re: What does a firewall do?
From: Nick Roberts (nick.roberts_at_acm.org)
Date: 01/19/05
- Next message: Nick Roberts: "Re: What does a firewall do?"
- Previous message: Philippe Torgue: "Re: opensource firewall"
- In reply to: IPGrunt: "Re: What does a firewall do?"
- Next in thread: IPGrunt: "Re: What does a firewall do?"
- Reply: IPGrunt: "Re: What does a firewall do?"
Date: Wed, 19 Jan 2005 22:44:38 +0000
IPGrunt <me@privacy.net> wrote:
> Hard to get a straight answer here, isn't it? I have no problem with your
> question and will answer briefly.
Hehe. I think I'm partly to blame, in the way I asked it.
> Basically, a firewall does what a good protocol stack *should* do:
> controls when ports are opened and closed, according to a rule set.
I understand the opening and closing of ports, but I don't entirely
understand the rule set.
My idea of the incoming packet functions for the IP router for host
(address) H is:
1. Forward packets not for H, if forwarding is activated. I would expect
that forwarding would usually be deactivated altogether in AdaOS (because it
uses a non-IP protocol to communicate within a cluster). If activated, I
think there should be an automatic adaptive filtering system, based on
reject packets coming back the other way: if H forwards a packet from node X
to node Y (from port P to port Q?) and a reject comes back to H, drop all
further packets from node X to node Y (from port P to port Q) for the next
15 minutes.
2. Direct packets that are for H to port P, provided port P is open for
receipt of packets. If the port is not open for receipt, send a reject
packet back. A port will be opened for receipt either by the TCP component
or by some other UDP-based server program. Again, I think there should be an
automatic filtering system: if more than 5 packets are sent to closed port P
within a 30 second window, drop all further packets to that port for the
next 15 minutes (unless the port is opened for receipt within that time).
In other words, if I want packets sent to port 111 to be rejected (and, if
they keep coming, dropped), I just don't open a service on port 111. Right?
> As an adjunct, firewalls these days are also part router, in that they
> provide a port proxy service by implementing network address translation,
> and part filter, in that they can provide arbitrary port blocking (never
> accept connections on port 111, for instance).
Am I right that NAT tends to create problems for a variety of internet
applications (that were programmed to assume that if a packet's send address
is A, the computer that sent it was computer A)? I intend AdaOS to support
IPv6 (as well as IPv4 and IPSec). Roll on IPv6.
> But one of the most important features that firewalls provide is so-called
> "statewise" or "stateful" port access control, in that the firewall
> software maintains an open connection table that records the source of an
> open port, and acts accordingly, allowing packets from only that source to
> enter that particular port, blocking packets from any other address.
Isn't that something that the TCP component could and should do (very
easily)? Or is it more complicated than that?
> Firewalls also provide very good logging capabilities these days, so add
> that to your list.
Yes, but I think (and I have read in the literature) that it is generally
better for applications to do their own auditing, because they can do it at a
higher level (more intelligent filtering, more useful data).
> Finally, firewalls are now managing private channels through public
> transports, like VPN, using both standard and proprietary protocols. Some
> of these involve data packet encryption/decryption using symmetric and
> asymmetric key mechanisms, for example, IPSec.
Is that a good argument for hardware firewalls? I'm thinking about the speed
of packet encryption.
> As we move toward universal use of IP6, some of these functions will
> migrate naturally to the network stack, however, I say it's high time to
> move firewalling, or at [least] perhaps the hooks and stubs for
> firewalling appliances inside the network stack.
That is what I feel.
> In this century, networking without security is a fool's undertaking.
I couldn't agree more.
Thank you hugely for your helpful answer!
-- Nick Roberts
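The two filtering ideas discussed in this exchange, Nick's adaptive rule for closed ports (reject probes, but drop a port outright once more than 5 packets hit it within 30 seconds, for 15 minutes or until a service opens it) and IPGrunt's stateful connection table (an open port accepts packets only from the peer recorded for it), can be sketched as a small host filter. The following Python is an added illustration written for this page, not code from either poster or from AdaOS; the thresholds, the `HostFilter` class, its `record_peer` step and the sample addresses are all assumptions chosen to show the decision logic, and connections are simplified to an (address, port) pair rather than full TCP state.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds taken from the thread's proposal (assumed constants here).
PROBE_LIMIT = 5            # packets to a closed port tolerated ...
PROBE_WINDOW = 30.0        # ... within this many seconds
DROP_DURATION = 15 * 60.0  # seconds to silently drop the port afterwards

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str        # source address (constructed sample values in the tests)
    src_port: int
    dst_port: int
    ts: float       # arrival time in seconds


@dataclass
class HostFilter:
    """Per-host inbound filter combining an open-port set, a stateful
    peer table and an auto-drop list for probed closed ports."""
    open_ports: set = field(default_factory=set)
    peers: dict = field(default_factory=dict)       # dst_port -> (src, src_port)
    probes: dict = field(default_factory=dict)      # closed port -> deque of arrival times
    drop_until: dict = field(default_factory=dict)  # closed port -> time the drop expires

    def open_port(self, port: int) -> None:
        """A service starts listening; any pending auto-drop is lifted."""
        self.open_ports.add(port)
        self.drop_until.pop(port, None)
        self.probes.pop(port, None)

    def close_port(self, port: int) -> None:
        self.open_ports.discard(port)
        self.peers.pop(port, None)

    def record_peer(self, port: int, src: str, src_port: int) -> None:
        """Stateful entry (hypothetical API): once a connection is established
        on an open port, only this peer may send to it."""
        self.peers[port] = (src, src_port)

    def decide(self, pkt: Packet) -> str:
        port = pkt.dst_port
        if port in self.open_ports:
            peer = self.peers.get(port)
            if peer is not None and peer != (pkt.src, pkt.src_port):
                return DROP   # stateful rule: wrong source for this connection
            return ACCEPT

        # Closed port: honour an active auto-drop before counting anything.
        expires = self.drop_until.get(port)
        if expires is not None:
            if pkt.ts < expires:
                return DROP
            del self.drop_until[port]   # drop period has elapsed

        # Sliding window of recent probes; old arrivals fall off the left end.
        window = self.probes.setdefault(port, deque())
        while window and window[0] <= pkt.ts - PROBE_WINDOW:
            window.popleft()
        window.append(pkt.ts)
        if len(window) > PROBE_LIMIT:
            self.drop_until[port] = pkt.ts + DROP_DURATION
            window.clear()
            return DROP
        return REJECT   # closed port, below the threshold: send a reject back


if __name__ == "__main__":
    f = HostFilter()
    f.open_port(22)
    f.record_peer(22, "10.0.0.5", 40000)
    print(f.decide(Packet("10.0.0.5", 40000, 22, 0.0)))   # ACCEPT
    print(f.decide(Packet("10.0.0.9", 40000, 22, 1.0)))   # DROP (not the recorded peer)
    for i in range(6):
        print(f.decide(Packet("10.0.0.9", 5000, 111, 10.0 + i)))  # 5x REJECT, then DROP
```

The distinction between REJECT (a reply goes back) and DROP (nothing goes back) matters operationally: the reject tells a legitimate client quickly that nothing is listening, while the escalation to silent drops stops a repeated probe from consuming reply bandwidth. The stateful check here only compares an address and port pair; a real stack would also track TCP sequence state before trusting that pair.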