This article addresses the use of a separate physical
firewall box placed in your network between the external Internet
connection and your network. Software firewalls on individual
systems are useful, but not sufficient. Apart from the
problem that most software firewalls are inadequately configured, the
single most important factor is that if there is a flaw in the
underlying operating system, the firewall software may be bypassed by
an appropriate attack. A separate physical box limits the
possibilities of a successful attack.
Firewalls generally perform three major tasks: network address
translation (NAT), regulating incoming traffic, and regulating
outgoing traffic. All three of these tasks are important aspects
of maintaining the security of your systems. Firewalls may
perform routing functions as well.
NAT was originally developed as a way of expanding the limited address
space of IPv4, the basis of today's Internet. The device
performing NAT translates the internal address from a private, usually
non-routable, address space into a public address. The NATting
device can map multiple internal devices to a single external
address. It keeps track of which internal device sent which
Internet traffic so that answering traffic can be matched to the
As a side effect of NAT, systems on the Internet cannot directly see an
internal system, i.e. it is not directly addressable, unless it is
answering traffic that originated from the internal device, or there is
some fiddling with the gateway device. While this has some
unfortunate effects on some applications (such as VOIP) that make them
difficult or impossible to use with NAT, it has the positive security
aspect of screening your internal systems from casual probes, much like
living in a gated community where casual observers can't tell if you're
home or not. When IPv6 is fully deployed, it appears likely that
NAT will not be supported and we will lose the screening
functionality. Until then, use of NAT will decrease the
likelihood of an attacker finding your system.
Many routers also perform NAT; however, they will not handle the
other two, more important, functions of a firewall.
Firewalls may NAT all, some or none of the internal systems. It all depends on how the internal network is structured.
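The mapping described above (one public address shared by several internal hosts, replies matched back to the right host, unsolicited packets discarded) is easiest to see in a small simulation. The following is an added example, not code from the original article; it models a port-overloading NAT box with its connection table. All addresses (RFC 5737 test ranges and an RFC 1918 private range) and all port numbers are constructed sample values.

```python
"""Constructed simulation of a NAT gateway with its connection table.

Added example, not from the original article: it models how a NAT box
rewrites outbound packets to its single public address, records the
mapping, uses that record to deliver replies to the right internal host,
and drops unsolicited inbound packets that match no record. All
addresses and ports are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # constructed public address of the NAT box


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Port-overloading NAT: many internal hosts share one public address."""

    def __init__(self, first_port: int = 40000):
        # outbound flow (int_ip, int_port, dst_ip, dst_port, proto) -> public port
        self.forward: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public_port, remote_ip, remote_port, proto) -> (int_ip, int_port)
        self.reverse: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        self.next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network; create or reuse a mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.forward:
            public_port = self.next_port
            self.next_port += 1
            self.forward[key] = public_port
            self.reverse[(public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=PUBLIC_IP, src_port=self.forward[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means it is dropped."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        internal = self.reverse.get(key)
        if internal is None:
            # No internal host ever talked to this peer on this port: unsolicited, discarded.
            return None
        int_ip, int_port = internal
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo() -> Dict[str, object]:
    """Two internal hosts reach the same web server; one reply is delivered, one probe is dropped."""
    gw = NatGateway()
    web = "198.51.100.20"   # constructed external web server
    a = gw.outbound(Packet("192.168.1.10", 51000, web, 443))
    # Host B happens to use the same source port as host A; the NAT must still tell them apart.
    b = gw.outbound(Packet("192.168.1.11", 51000, web, 443))
    reply_b = gw.inbound(Packet(web, 443, PUBLIC_IP, b.src_port))
    # A scanner probing the public address on port 22 matches no mapping.
    probe = gw.inbound(Packet("198.51.100.99", 34567, PUBLIC_IP, 22))
    return {
        "a_public_port": a.src_port,
        "b_public_port": b.src_port,
        "reply_b_delivered_to": (reply_b.dst_ip, reply_b.dst_port) if reply_b else None,
        "probe_delivered": probe is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the two public ports handed out, the internal host the reply was delivered to, and that the probe was not delivered. The point of the example is the last line of `inbound`: screening is not a rule somebody wrote, it is a consequence of the translation table having no entry for a flow that no internal host started.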
If your system is visible from the public Internet, it is important to
limit the ports visible to any potential attacker. There are a
number of ways to do this; the two most important are, first, to limit
the services available on the system. If you do not need to run a
web server, make sure it is not running. If the system is not
used for relaying mail, make sure the mail programs are disabled.
Many systems come preloaded with many unnecessary applications that
offer potential doors for an attacker. Removing unnecessary
applications is a key to limiting access for an intruder.
However, this is often easier said than done. The second way to
limit access is to use a firewall to limit incoming traffic to only the
required ports. A web server would be limited to ports 80 and
443, for example. This does not prevent an attack, but it does
limit the possibilities for an attacker. A malicious person might
still attempt a compromise on a web server using an HTTP exploit, but
they would not be able to use a DNS or SSH exploit if they cannot even
see the ports.
Many people feel that if they are using NAT or have blocked most
incoming ports, but have left all outgoing traffic unregulated, they
are relatively safe. In fact, many small commercial firewalls are
set up in this way. This configuration, however, leaves your
systems open to abuse if they are compromised. A typical
situation might involve visiting a web site and getting compromised by
a drive-by exploit (such as was recently used in the Google
attacks). Even if incoming traffic is firewalled, since
this is over an allowed port such as HTTP, and is in response to
traffic initiated on the system, the exploit is delivered to
the target system. The user's system will be compromised and,
since all outgoing traffic is allowed, it can 'call home' and make a
connection to the hacker's command and control network. Since the
traffic originated on your system, the firewall and router will allow
it and the attacker can do what they will with your system. This
could involve becoming part of a botnet to attack other computers,
distributing spam, installing key-logging software, becoming a
repository for illegal sharing of copyrighted material, or worse.
Most official services run on ports below 1000. Many exploits
will use a high-numbered port to communicate in an attempt to avoid
notice, since most attention will be directed to the 'official'
ports. If a compromised system is unable to communicate, it cannot be
used as a member of a botnet to attack or spam other systems. The
exploit might still corrupt the data on your system, but at least the
damage will be localized. The way to manage this is to block all
unnecessary outgoing traffic. On simple firewalls, the easiest way
to do this is to block all outgoing traffic for ports 1000 and
above. On more sophisticated firewalls, you should block all
outgoing traffic and only allow the ports that are necessary (HTTP,
HTTPS, DNS, mail, etc.). This does not remove the possibility of a
successful attack completely, since the compromise may attempt to
piggyback on one of the known ports, trying to disguise the traffic as
HTTP for example, but it does limit the scope of a potential compromise.
The most secure manner to configure a firewall is to close all incoming
and outgoing ports, and then only open the ports necessary to allow
your desired applications to work correctly.
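To make the difference between the three outbound policies concrete, here is an added example (not code from the original article) that runs one constructed sequence of traffic events through each of them: allow all outbound traffic (the common small-firewall default), block outbound ports 1000 and above, and default-deny with an allowlist. The firewall is modelled as stateful, so packets belonging to a flow it has already accepted pass regardless of policy, which is exactly why the drive-by reply gets through in every case while the later 'call home' connection does not. The inbound and outbound allowlists, the port numbers and the event sequence are all constructed sample values.

```python
"""Constructed simulation of the inbound and outbound firewall policies.

Added example, not from the original article. Evaluates one constructed
event sequence under three outbound policies and reports ACCEPT or DROP
for each event. Port numbers, allowlists and events are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    label: str
    direction: str      # "in" from the Internet, "out" from the internal network
    dst_port: int
    established: bool   # part of a flow the firewall already accepted (reply traffic)


INBOUND_ALLOW = {80, 443}           # constructed: this site exposes only a web server
OUTBOUND_ALLOW = {53, 80, 443, 25}  # constructed: DNS, HTTP, HTTPS, mail


def egress_allow_all(port: int) -> bool:
    return True                     # the permissive small-firewall default


def egress_block_high(port: int) -> bool:
    return port < 1000              # simple-firewall rule: block outgoing 1000 and above


def egress_allowlist(port: int) -> bool:
    return port in OUTBOUND_ALLOW   # block everything, then open only what is needed


EGRESS_POLICIES: Dict[str, Callable[[int], bool]] = {
    "allow_all": egress_allow_all,
    "block_high_ports": egress_block_high,
    "allowlist": egress_allowlist,
}


def decide(ev: Event, egress: Callable[[int], bool]) -> str:
    """Return ACCEPT or DROP for one event under the given outbound policy."""
    if ev.established:
        # Reply traffic of an accepted flow is passed. The firewall does not judge
        # what the reply carries, so a drive-by exploit rides in on an allowed port.
        return "ACCEPT"
    if ev.direction == "in":
        return "ACCEPT" if ev.dst_port in INBOUND_ALLOW else "DROP"
    return "ACCEPT" if egress(ev.dst_port) else "DROP"


# Constructed event sequence following the scenario in the article.
EVENTS: List[Event] = [
    Event("probe_ssh", "in", 22, False),          # scanner looking for SSH
    Event("web_request", "in", 80, False),        # legitimate visitor to the web server
    Event("user_browses", "out", 80, False),      # internal user opens a web site
    Event("drive_by_reply", "in", 51000, True),   # the reply that carries the exploit
    Event("call_home_4444", "out", 4444, False),  # compromised host contacts command and control
    Event("call_home_https", "out", 443, False),  # the same, disguised as HTTPS
]


def evaluate(events: List[Event] = EVENTS) -> Dict[str, Dict[str, str]]:
    """Decision per policy and per event: {policy: {event label: ACCEPT or DROP}}."""
    return {name: {ev.label: decide(ev, fn) for ev in events}
            for name, fn in EGRESS_POLICIES.items()}


if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(name)
        for label, verdict in decisions.items():
            print(f"  {label:16} {verdict}")
```

Reading the output side by side shows the article's two caveats directly: no outbound policy stops the initial compromise (the drive-by reply is accepted everywhere), and the high-port and allowlist policies both drop the call home on port 4444, while a call home disguised as HTTPS on port 443 is accepted by all three. The egress rule limits what a compromised host can do; it does not prevent the compromise.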
Firewalls should be looked at like deadbolts on a door. They do
not eliminate the possibility of a break-in, but they do make it
harder. Properly configured, they will encourage an attacker
to look for a softer target.