
Internet Security Professional Reference: How to Buy a Firewall


FireWall IRX’s packet filtering rule set also enables a security manager to construct rules that are more powerful than those available in simpler routers. For example, IP spoofing (in which an untrusted system on the outside sends packets carrying a trusted inside system’s IP address) could not be detected by many Cisco routers running older software, because catching it requires filtering on the interface a packet arrives on and rejecting inside source addresses that show up on the outside interface. If you want to buy a used Cisco for use as a router-based firewall, make sure that it includes version 10 or, preferably, version 11 of the IOS software.

If a multi-protocol firewall is important, Network Systems Corporation’s (NSC) The Security Router is an important product to evaluate. The Security Router does everything that the FireWall IRX can do, and more. It adds AppleTalk, DECnet, XNS, and VINES protocols to the firewall rule set, and provides a facility for secure IP tunnels.

All the other products in this chapter offer greater power, security, and flexibility than these routers, but at far greater cost. A packet filtering router is not the state-of-the-art in Internet firewall technology; it might be all you need, however, when coupled with good host security.

Advanced Firewall Architectures

While a router-as-firewall may work for many organizations, a more sophisticated firewall is often called for: either a stateful packet filter or an application gateway (or a hybrid of the two).

Stateful Packet Filters

The next region along the firewall spectrum is occupied by a dedicated workstation-based packet filter. This type of firewall is probably the least expensive one that can satisfy the needs of a larger organization. Stateful packet filters are a logical outgrowth of filtering routers. To understand why, you have to understand a little bit about what routers cannot do.

Because a packet filtering router decides each packet against its filters without any state information, it cannot support a wide variety of security policies. IP is a connectionless datagram protocol. TCP, which sits on top of IP, is connection-oriented, and a stateless filter can at least approximate “inbound replies only” for TCP by passing only segments with the ACK bit set (the “established” keyword in Cisco extended access lists). UDP, however, has no connection establishment phase and no flag that distinguishes a reply from a fresh request.

To implement a security policy for protocols that run over UDP, such as DNS, more information is required. The router would have to keep “state information” (the term comes from the finite state machine model often used to describe protocols) about which packets have recently passed through it, so that it can decide whether to drop or pass a packet arriving from the Internet. UDP is not the only case. Some TCP-based protocols, such as FTP, use a second connection for data transfer whose port is negotiated inside the control connection (and which, in FTP’s traditional mode, the server opens back toward the client); a filter can only admit that connection if it has watched the negotiation.

Without state, a router examines each packet in isolation, with no knowledge of the packets that came before it. It therefore cannot, for example, pass DNS responses (which use connectionless UDP) only when they answer a DNS query that an inside host actually sent; its only choices are to block UDP port 53 replies entirely or to let in every datagram that claims to come from port 53.

If you add state information to a packet filtering router, you have a much more powerful and intelligent box, one that makes security decisions with far more context available to it. Vendors call this technology a “stateful packet filter.”
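To make the DNS case concrete, here is a toy stateful filter in Python. It is an added example, not code from the book or from any vendor’s product: packets are plain records constructed inline, and the internal prefix 10.1.0., the resolver and attacker addresses, the ports, the transaction ID and the five-second state lifetime are all assumptions. It puts the rule a stateless router is forced into beside the stateful version, which admits an inbound UDP port 53 datagram only if it matches a recorded outbound query (client address and port, resolver address and DNS transaction ID), consumes the entry on the first answer and expires it if no answer arrives. The FTP case would additionally require the filter to parse the PORT command on the control connection; that is not shown here.

```python
"""Toy stateful filter for UDP DNS (added example; not from the book or any product).

Packets are plain records built inline. The internal prefix, addresses, ports,
transaction IDs and the state lifetime are all constructed values.
"""
import time
from dataclasses import dataclass

INSIDE_PREFIX = "10.1.0."   # assumed: the corporate network (constructed)
STATE_TTL = 5.0             # assumed: seconds an unanswered query stays pending


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"
    txid: int = 0           # DNS transaction ID; a genuine answer echoes it


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def stateless_decision(pkt: Packet) -> bool:
    """What a router without state has to do: to let any DNS answer reach an
    inside host it must pass every inbound datagram whose source port is 53,
    whether or not anyone asked for it."""
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 53:
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.sport == 53:
        return True
    return False


class StatefulFilter:
    """Remembers outbound queries; admits only the replies they solicited."""

    def __init__(self, ttl: float = STATE_TTL, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self.pending = {}       # (client, client port, resolver, txid) -> expiry time

    def _expire(self, now: float) -> None:
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def decide(self, pkt: Packet) -> bool:
        now = self.clock()
        self._expire(now)
        if pkt.proto != "udp":
            return False
        # Outbound query: pass it and record who asked whom, from which port, with which ID.
        if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 53:
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.txid)] = now + self.ttl
            return True
        # Inbound datagram from port 53: pass only if it answers a recorded query.
        if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.sport == 53:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.txid)
            if key in self.pending:
                del self.pending[key]   # one answer per query; a replay is unsolicited
                return True
        return False


def demo() -> dict:
    """Run the scenario from the text against both filters with a controlled clock."""
    clock = [0.0]
    fw = StatefulFilter(clock=lambda: clock[0])
    client, resolver, attacker = "10.1.0.7", "192.0.2.53", "198.51.100.9"
    query = Packet(client, 40000, resolver, 53, txid=0x1234)
    reply = Packet(resolver, 53, client, 40000, txid=0x1234)
    forged = Packet(attacker, 53, client, 40000, txid=0x1234)   # spoofed answer, wrong source

    results = {}
    results["query_out"] = fw.decide(query)            # passes, state recorded
    results["forged_reply"] = fw.decide(forged)        # dropped: no query went to that host
    results["real_reply"] = fw.decide(reply)           # passes: matches the pending entry
    results["replayed_reply"] = fw.decide(reply)       # dropped: entry already consumed
    fw.decide(query)                                   # ask again ...
    clock[0] += STATE_TTL + 1                          # ... but the answer arrives too late
    results["late_reply"] = fw.decide(reply)           # dropped: entry expired
    results["stateless_forged"] = stateless_decision(forged)  # passes: the hole a router leaves
    return results


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:18} {'PASS' if passed else 'DROP'}")
```

The state key deliberately includes the client’s source port and the transaction ID, so a forger who knows only that a client is resolving names still has to guess both before a bogus answer is admitted; the stateless rule, by contrast, admits the forged datagram outright.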

Application Gateways

When you move away from firewalls that are really enhanced routers, you make an enormous jump into complex security protection systems. In each case, the firewall acts as an application gateway between two networks that are joined at no other point. These types of products offer the ultimate in fine-grained control over security, but at a substantial cost; they are expensive to install, difficult to manage, and can be irritating to corporate users who want to access Internet services.

Although the vendors are quick to point out small differences in their products, you will find few important ones. Fundamentally, the technologies used by the firewalls in our application gateway group are identical; a firewall must take an active part in each connection between the Internet and the corporate network. The firewall maintains state information and builds either transport-level or application-level gateways between the internal and external networks.

Firewalls of this type enable network managers to require authentication information for any user wishing to use Internet services. Based on this authentication and other factors, such as time of day, access may be granted or denied. These firewalls are considered intrusive because they require either application-level changes on internal users’ systems or procedural changes (such as logging onto the firewall before any external access is allowed).

Strict control also limits flexibility. Application gateway firewalls cannot protect all Internet services because each application has to have special code written to support the firewall. Any new services that do not fit into the mold cast by the firewall designer cannot pass through the firewall without a software upgrade.


Note: Although this limitation sounds significant, it really isn’t—73 percent of Internet traffic is composed of just 10 different applications, all of which are handled well by most firewalls.

The complete break between the Internet and the corporate network may extend far into the application layer. For example, many of the firewalls in this chapter reach into electronic mail messages passing through them and strip from header lines (such as the Received: trace lines) any reference to internal hosts. The very existence of a corporate network can be hidden.
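As an illustration of the header rewriting just described, here is a small sanitizer of the kind an SMTP application gateway applies to outbound mail. It is an added example, not code from the book or from any of the products in this chapter. The internal domain corp.example, the 10.0.0.0/8 range, the public domain example.com, the gateway name gw.example.com and the sample message are all constructed. It drops Received: trace lines that name an internal host or address, re-homes the Message-ID on the gateway, collapses internal subdomains in address headers to the public domain and removes client-identifying X- headers; the gateway’s own mail transfer agent would prepend a fresh Received: line of its own when relaying.

```python
"""Mail header sanitizer of the kind an SMTP application gateway applies (added example).

Not code from the book or any product. Domain names, address ranges and the
sample message are constructed for illustration.
"""
import email
import re

INTERNAL_DOMAIN = "corp.example"     # assumed: internal DNS domain (constructed)
PUBLIC_DOMAIN = "example.com"        # assumed: the only domain the Internet should see
GATEWAY_HOST = "gw.example.com"      # assumed: the gateway's own name

# Hostnames under the internal domain, and addresses in 10/8 (assumed to be internal).
INTERNAL_HOST_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(INTERNAL_DOMAIN) + r"(?![\w-])", re.I)
INTERNAL_ADDR_RE = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def mentions_internal(value: str) -> bool:
    """True if a header value names an internal host or an internal address."""
    return bool(INTERNAL_HOST_RE.search(value) or INTERNAL_ADDR_RE.search(value))


def rewrite_address(addr: str) -> str:
    """alice@pc17.corp.example -> alice@example.com; outside addresses are untouched."""
    local, sep, domain = addr.partition("@")
    d = domain.lower()
    if sep and (d == INTERNAL_DOMAIN or d.endswith("." + INTERNAL_DOMAIN)):
        return f"{local}@{PUBLIC_DOMAIN}"
    return addr


def sanitize(raw: str) -> str:
    """Return the message with internal host references removed from its headers."""
    msg = email.message_from_string(raw)

    # Received: trace lines are the main leak; keep only those with no internal reference.
    kept = [h for h in msg.get_all("Received", []) if not mentions_internal(h)]
    del msg["Received"]
    for h in kept:
        msg["Received"] = h

    # Message-ID carries the originating host's name; re-home it on the gateway.
    mid = msg.get("Message-ID")
    if mid and mentions_internal(mid):
        left = mid.strip().lstrip("<").split("@", 1)[0]
        msg.replace_header("Message-ID", f"<{left}@{GATEWAY_HOST}>")

    # Address headers: collapse internal subdomains to the single public domain.
    for name in ("From", "Sender", "Reply-To", "To", "Cc"):
        val = msg.get(name)
        if val and mentions_internal(val):
            msg.replace_header(name, ADDR_RE.sub(lambda m: rewrite_address(m.group(0)), val))

    # Client-identifying diagnostics have no business leaving the corporate network.
    for name in ("X-Mailer", "X-Originating-IP"):
        del msg[name]

    return msg.as_string()


# Constructed sample: an outbound message as it arrives at the gateway from inside.
SAMPLE = """Received: from pc17.corp.example (pc17.corp.example [10.4.2.17])
        by mailhub.corp.example with SMTP id AA123; Tue, 3 Oct 1995 09:12:44 -0400
Received: from mailhub.corp.example by gw.example.com with SMTP id AB456
From: Alice Example <alice@pc17.corp.example>
To: bob@partner.example.net
Message-ID: <199510031312.AA123@pc17.corp.example>
X-Mailer: CorpMail 2.1
Subject: quarterly numbers

The figures are attached.
"""

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

After sanitizing, the recipient sees only example.com and gw.example.com; the workstation name, the internal mail hub, the 10.4.2.17 address and the mail client version are gone, while the recipient address, subject and body are untouched.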

Application firewalls also solve the problem of a corporate network that uses IP addresses it was never assigned. Because every connection terminates on the gateway and is re-originated from the gateway’s own registered address, no internal network number ever appears in a packet on the Internet, and all corporate network addresses are completely hidden. This is a valuable benefit to network managers who would otherwise need to renumber each network workstation before joining the Internet.

