
Security Blog

Why you really need a firewall

Copyright © 2010 Aurora Group, Inc. All Rights Reserved

This article addresses the use of a separate physical firewall box placed between the external Internet connection and your network. Software firewalls on individual systems are useful, but not sufficient. Apart from the problem that most software firewalls are inadequately configured, the single most important factor is that if there is a flaw in the underlying operating system, an appropriate attack may bypass the firewall software. A separate physical box limits the possibilities of a successful attack.

Firewall diagram

Firewalls generally perform three major tasks: network address translation (NAT), regulating incoming traffic, and regulating outgoing traffic. All three of these tasks are important aspects of maintaining the security of your systems. Firewalls may perform routing functions as well.

NAT was originally developed as a way of expanding the limited address space of IPv4, the basis of today's Internet. The device performing NAT translates the internal address from a private, usually non-routable, address space into a public address. The NAT device can map multiple internal devices to a single external address. It keeps track of which internal device sent which Internet traffic so that answering traffic can be matched to the correct device.

As a side effect of NAT, systems on the Internet cannot directly see an internal system, i.e. it is not directly addressable, unless the traffic is answering a connection that originated from the internal device, or there is some fiddling with the gateway device. While this has unfortunate effects on some applications (such as VoIP), making them difficult or impossible to use with NAT, it has the positive security aspect of screening your internal systems from casual probes, much like living in a gated community where casual observers can't tell if you're home or not. When IPv6 is fully deployed, it appears likely that NAT will not be supported and we will lose the screening functionality. Until then, use of NAT will decrease the likelihood of an attacker finding your system.

Many routers will also perform NAT; however, they will not handle the other two, more important, functions of a firewall.

Firewalls may NAT all, some or none of the internal systems.  It all depends on how the internal network is structured.

If your system is visible from the public Internet, it is important to limit the ports visible to any potential attacker. There are a number of ways to do this. The first of the two most important is to limit the services available on the system. If you do not need to run a web server, make sure it is not running. If the system is not used for relaying mail, make sure the mail programs are disabled. Many systems come preloaded with many unnecessary applications that offer potential doors for an attacker. Removing unnecessary applications is a key to limiting an intruder's access. However, this is often easier said than done. The second way to limit access is to use a firewall to limit incoming traffic to only the required ports. A web server would be limited to ports 80 and 443, for example. This does not prevent an attack, but it does limit the possibilities for an attacker. A malicious person might still attempt a compromise on a web server using an HTTP exploit, but they would not be able to use a DNS or SSH exploit if they cannot even see the ports.

Many people feel that if they are using NAT or have blocked most incoming ports, but have left outgoing traffic unregulated, they are relatively safe. In fact, many small commercial firewalls are set up in this way. This configuration, however, leaves your systems open to abuse if they are compromised. A typical situation might involve visiting a web site and getting compromised by a drive-by exploit (such as was recently used in the Google attacks). Even if incoming traffic is firewalled, the exploit is delivered to the target system, because it arrives over an allowed port such as HTTP and in response to traffic initiated on the system. The user's system will be compromised and, since all outgoing traffic is allowed, it can 'call home' and make a connection to the hacker's command and control network. Since the traffic originated on your system, the firewall and router will allow it and the attacker can do what they will with your system. This could involve becoming part of a botnet to attack other computers, distributing spam, installing key logging software, becoming a repository for illegal sharing of copyrighted material, or worse.

Most official services run on ports below 1000. Many exploits will use a high-numbered port to communicate in an attempt to avoid discovery, since most attention will be directed to the 'official' ports. If a compromised system is unable to communicate, it cannot be used as a member of a botnet to attack or spam other systems. The exploit might still corrupt the data on your system, but at least the damage will be localized. The way to manage this is to block all unnecessary outgoing traffic. On simple firewalls, the easiest way to do this is to block all outgoing traffic for ports 1000 and above. On more sophisticated firewalls, you should block all outgoing traffic and only allow the ports that are necessary (HTTP, HTTPS, DNS, mail, etc.). This does not remove the possibility of a successful attack completely, since the compromise may attempt to piggyback on one of the known ports, trying to disguise the traffic as HTTP for example, but it does limit the scope of a potential compromise.

The most secure way to configure a firewall is to close all incoming and outgoing ports, and then open only the ports necessary to allow your desired applications to work correctly.
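The three outbound policies discussed above can be compared with a small model. This is an added example, not code from the original article: the `Firewall` class, the policy names, the addresses, and the ports 4444 and 445 are constructed for illustration, and the default-deny allow list assumes a network that only needs mail, DNS, HTTP and HTTPS.

```python
# Added example: a toy stateful filter, not a real firewall configuration.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    allow_in: frozenset          # inbound ports opened to the Internet
    allow_out: object            # predicate: may this outbound port leave?
    established: set = field(default_factory=set)

    def new_connection(self, direction, host, port):
        """Decide on the first packet; remember the connection if accepted."""
        ok = port in self.allow_in if direction == "in" else self.allow_out(port)
        if ok:
            self.established.add((host, port))
        return ok

    def reply(self, host, port):
        """Return traffic passes only when it answers an accepted connection."""
        return (host, port) in self.established

# Outbound rules for the three configurations in the article (names are assumed).
EGRESS = {
    "egress-open": lambda p: True,                     # outbound unregulated
    "block-high": lambda p: p < 1000,                  # block ports 1000 and above
    "default-deny": lambda p: p in {25, 53, 80, 443},  # mail, dns, http, https
}

# Constructed flows (documentation addresses, illustrative ports).
FLOWS = [
    ("in",  "203.0.113.9",  22,   "unsolicited ssh probe"),
    ("out", "198.51.100.7", 80,   "user visits a web site"),
    ("out", "203.0.113.50", 4444, "call-home on a high port"),
    ("out", "203.0.113.50", 445,  "unneeded low-port service"),
    ("out", "203.0.113.50", 80,   "call-home disguised as http"),
]

def evaluate(policy):
    """Map each constructed flow to True (passed) or False (dropped)."""
    fw = Firewall(frozenset(), EGRESS[policy])
    return {label: fw.new_connection(d, h, p) for d, h, p, label in FLOWS}

def exploit_delivered(policy):
    """Drive-by case: the reply to the user's own web request is let back in."""
    fw = Firewall(frozenset(), EGRESS[policy])
    fw.new_connection("out", "198.51.100.7", 80)
    return fw.reply("198.51.100.7", 80)

if __name__ == "__main__":
    for name in EGRESS:
        print(name, evaluate(name), exploit_delivered(name))
```

In every policy the inbound probe is dropped and the reply to the user's own request is delivered; the policies differ only in which call-home attempts get out, and the one disguised as HTTP passes all three.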

Firewalls should be looked at like deadbolts on a door. They do not eliminate the possibility of a break-in, but they do make it harder. Properly configured, they will encourage an attacker to look for a softer target.