By Fred Mallet
Nearly all sites have some form of firewall installed. Not all administrators have to deal with those firewalls. This tip will cover some basic firewall terminology for those that have heard the acronyms, but are unsure of the meanings.
Some firewalls are in the form of hardware, others are 'normal computers' with hardened operating systems running special software. The methods used to protect you from attack are similar, yet not all firewall types perform all methods of protection. Here are some of the methods:
Packet filtering: This is the most basic form, handled by nearly all firewalls, even those little $100 jobs stating to only be a 'router with protection', commonly called a screening router. The methodology here is the units ability to look at the IP level, and reject or accept packets. This decision is based on the intended address, protocol type (UDP, TCP, ICMP), the source address, and possibly the intended and source port. This allows you to pass certain types of messages (http requests?) and not others. If this is the only line of defense, it is fairly weak. You cannot allow any requests for service from the outside without strongly weakening your defences. Packet filtering is vulnerable to fragmented packet attacks.
Stateful packet inspection: This bumps the level of protection up a bit, in addition to the above, this method also looks at some level 4 data, such as acknowledgement number and sequence number. This makes it harder for an attacker to spoof a packet, pretending it is a reply to an earlier request, and have it get past the firewall. Stateful Packet filtering is also vulnerable to fragmented packet attacks.
Circuit Proxy: A circuit proxy breaks communication at the firewall. For example, if you wanted to telnet to an outside host, your telnet session would be captured by the firewall, and it would start another session with the outside host, translating between the two sessions, often transparently. In this situation, host hiding is performed. The outside host thinks it was telnet'ed to from the firewall, and knows nothing about the host inside the firewall.
Application Proxy: This is the next level up, as the firewall proxy software understands which application it is doing the proxy for, and actually inspects the data passing through. This allows for much finer control (ftp gets, but no puts for example). It also provides much finer protection, as you can filter for viruses in incoming data, be it email, ftp, or http. There must be proxy software for each application type you want to proxy.
Network address translation is the last of the terms to cover, but we'll save that for the next tip, as there are some details there to explore.
Fred Mallet is founder of FAME Computer Education, which provides standup delivery of educational classes on a variety of UNIX and Win32 related subjects.