Firewalls

If you are connecting yourself to the Internet at all, then you need to consider protecting your internal network. If you set up an Internet server that has only one network interface, that being to the Internet, then your internal network is safe from intruders. This solution provides the ultimate in security (short of not connecting at all), but requires more work on your part to transfer data to and from that machine.

The alternative is to implement a system by which someone from the outside has the least chance of getting into your network, but you have the ability to get to and through that gateway machine. This is the concept of a firewall.

Like a firewall in a building, a network firewall functions more or less as “damage control”. Should a fire break out, the firewall prevents it from spreading further. With a network firewall, should an intruder break into the gateway machine, the potential for further damage is limited.

In the following section, we will talk about the basic issues involved in implementing a firewall on your machine. Keep in mind that these are the basics; there is more to it if you want to make your system as safe as possible. In terms of car security, this is analogous to telling you about locking your door or installing an anti-theft device like “The Club”, but we won’t go into details like electronic devices that cut the gas flow if the car is “hot-wired”.

First, let’s briefly talk about the firewall itself. Your firewall is a machine that has routing capabilities. Technically, it does not need to be a computer, but can be something as simple as a router. As its name implies, a router is a machine that routes packets. Most routers allow you to configure not only where packets are allowed to go, but also where they are allowed to come from. In addition, many can be tuned even more finely, such as limiting the type of packets and the ports they may go to or come from.

If you use a computer as your router, it needs to have routing capabilities, as a Linux machine does. Because of features such as FTP and HTTP services, a Linux machine is well suited to the task. This explains why approximately 10% of all Internet servers are running Linux.

A good way of making the firewall safe is to prevent all external packets from going through it. This means that packets are not forwarded. Certain routers will allow you to configure them in such a way that incoming packets are blocked, but outgoing packets are let through.

Note that this does not mean that you can only send packets to the outside but never hear the answer. Instead, it means that packets that originate on the outside are blocked. When you send a request from an internal machine, the packet that you receive back is a response or acknowledgment. Such packets are allowed through, but packets that initiate a request from outside are not.

This has a slight danger in that acknowledgment packets can be intercepted and manipulated. This requires detailed knowledge of both the TCP/IP protocols and the application involved, so it is not something that the casual hacker is going to try. However, it is possible.
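To make the policy from the last few paragraphs concrete, here is an added example (not code from the original article) of a toy stateful packet filter: connections opened from the inside are remembered, replies to them are let back in, and anything that originates outside is dropped. The internal prefix, packet layout and addresses are constructed assumptions for the demonstration.

```python
# Added example, not part of the original article: a minimal model of the
# "block packets that originate outside, let the answers back in" policy.
# All addresses, ports and packets below are constructed sample data.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # assumption: internal addresses share this prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True when the packet opens a new TCP connection
    ack: bool = False  # True when the packet acknowledges earlier data


class StatefulFilter:
    """Forward only traffic belonging to connections opened from inside."""

    def __init__(self):
        # Known connections: (internal addr, internal port, external addr, external port)
        self.connections = set()

    def is_internal(self, addr):
        return addr.startswith(INTERNAL_NET)

    def decide(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet crossing the firewall."""
        if self.is_internal(pkt.src) and not self.is_internal(pkt.dst):
            # Outbound: remember the connection so its reply can come back.
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if not self.is_internal(pkt.src) and self.is_internal(pkt.dst):
            if pkt.syn and not pkt.ack:
                return "DROP"  # a fresh connection attempt from outside
            # Only addresses and ports are checked here; the filter cannot tell a
            # genuine reply from a forged one, which is the residual risk noted above.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ALLOW" if key in self.connections else "DROP"
        return "DROP"  # nothing else is forwarded under this simple policy


def run_sample():
    """Feed a constructed packet sequence through the filter; returns the decisions."""
    fw = StatefulFilter()
    return [
        fw.decide(Packet("10.0.0.5", 40001, "192.0.2.10", 80, syn=True)),        # inside opens HTTP
        fw.decide(Packet("192.0.2.10", 80, "10.0.0.5", 40001, syn=True, ack=True)),  # server's SYN/ACK
        fw.decide(Packet("198.51.100.7", 51000, "10.0.0.5", 22, syn=True)),      # outside opens SSH
        fw.decide(Packet("198.51.100.7", 51000, "10.0.0.5", 22, syn=False, ack=True)),  # no such connection
    ]
```

Running `run_sample()` yields `['ALLOW', 'ALLOW', 'DROP', 'DROP']`: the internal request and its reply pass, the two externally originated packets do not.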

To increase the security of your system, you can turn off packet routing altogether. This means that no packet is let through. In such a system, you need to connect first to the firewall machine and from there to the Internet. At this point, you have two distinct networks. Although the firewall can see both of them, neither can see the other. Since nothing gets through, not even email, your internal network is (fairly) safe.

This means that an intruder cannot reach your internal network directly; he must first reach the firewall and use it as a “springboard” to get inside. Unfortunately, this also means that people on the inside cannot reach the Internet without first logging on to the gateway machine. If this is your choice, then security is more important to you than the slight inconvenience that the users encounter.

The alternative is what is called a proxy server. In essence, this functions like a translator. When packets reach the proxy server, they are redirected to another connection on the other side of the firewall. For example, httpd (your web server daemon) normally listens on port 80. However, on the firewall this has been disabled. Instead, I connect to port 1080 (or some other port greater than 1024). The service that is listening on that port makes a connection to port 80 on the destination machine to complete the HTTP connection. This middleman, or proxy, does the translation for my application. Other than knowing that I need to connect to the proxy server first, the functionality is the same as if there were no firewall.

There are a couple of ways of implementing the proxy under Linux, which we will get to later.