Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

A Rookie's Guide to Defensive Blocks

Baby, Let Me In

Rule No. 1: Firewalls are all about access control. You create a set of rules defining which ports to keep open, which to disallow, and any IP addresses or entire networks to block. A firewall on the edge of your network is effective only if it is configured correctly. And don't forget in-house traffic--firewalls are not just for Internet connections; they should be used to control access from one part of your internal network to another. You never know: That innocent intern at the front desk could be trying to attack your payroll system.

There are three types of firewalls, each with advantages and disadvantages in terms of security and performance:

• Packet-filter firewalls. The simplest firewall is a packet filter. Packet-filter firewalls often are embedded in routers, broadband modems, NAT boxes, advanced switches, traffic shapers and other gear. That's because packet-filter firewalls are simple for vendors to develop, devour few CPUs and have a modest memory overhead. Packet filters inspect traffic one packet at a time with no knowledge of previous packets; each packet is matched against your rule set. Most commonly, rules are based on source address and port or destination address and port. Some packet-filter firewalls allow for looking at TCP flags, such as SYN packets, but this can get ugly fast, especially if you have to do it by hand. Packet-filter firewalls are useful for filtering out specific traffic types. For example, if you never want SNMP or NetBIOS packets to traverse your border router, use a packet filter.

Packet filters have some major security weaknesses, however. They're susceptible to IP spoofing. They can't see TCP sequencing numbers. And perhaps worst of all, they can't determine if a connection was made from inside or outside. Someone on the outside could send packets with a common source port of 53 (DNS) or 80 (HTTP) and effectively scan the entire internal network.

  • 1