Monday, August 16, 2004
Choosing a Personal Firewall
Personal firewalls make use of all the same methods as more robust, and expensive, enterprise firewalls. However, they simplify the operation of the product to meet the needs of a less technically savvy consumer. Where an enterprise firewall may require full-time supervision, a personal firewall is often installed and forgotten.
In order to better understand how personal firewalls work, we're going to examine each of the current standard firewall methods individually: network address translation, static packet filtering, stateful inspection, and application proxy. Personal firewalls often combine these standard methods to provide a more complete product, and even include additional features such as blocking on attack signature and intrusion detection.
We also briefly touch on a new effort to certify personal firewalls. It is believed that consumers will benefit from certified products, knowing that they have been compared against a set standard.
Network Address Translation
I would like to start off by saying that network address translation, or NAT, is not a firewall. NAT was never meant to protect computers. Network address translation is a method used to allow many computers to connect to the Internet with one (or few) public IP addresses. In essence, NAT is used when the number of hosts that need Internet access exceeds the number of public IP addresses that an organization has been assigned. The internal IP addresses come from a private pool as designated by RFC 1918, and a NAT device translates those private IP addresses to a public IP address that is routable on the Internet. The NAT device keeps track of the translations in an address translation table.
Dynamic NAT provides some protection for users behind the NAT device. When the translation tables are dynamic, there is no easy way for an external user (on the Internet) to initiate contact with a host behind the NAT device, since the table entry is created when the internal host initiates an outgoing session and is deleted at the end of that session. Static NAT is also possible and is used to allow contact to a specific host behind the NAT device; it would be used in the case of a Web server that has a private IP address but needs to be contacted by Internet users. The NAT device would have a specific translation defined for the Web server. Static NAT provides no real protection for the hosts behind it: direct communication can be initiated with any host that has static translation information.
How NAT Is Implemented in Personal Firewalls
In order to perform network address translation, you must begin with a device that is able to route traffic from one network to another. This device will be "multi-homed," having one network connection on the private network and one on the public network. In addition to routing, this device will translate addresses from private to public. It uses a table to keep track of the translations.
Personal firewall software itself doesn't usually perform these functions. Some early hardware devices marketed as firewalls really only performed NAT, though. You still can find hardware devices that rely primarily on NAT as their method of protection. The consumer must be aware of how NAT works in order to judge whether this technology provides adequate protection.
Typically you find NAT functionality in a hardware router. Many companies have products for the home market. Using a hardware device is simple since devices targeting home users generally come preconfigured for dynamic NAT. The device can serve out private IP addresses to the hosts connected to its internal network ports and it gets its public IP address from your Internet service provider. So, simply plug everything in and you're up and running in a dynamic NAT state. Dynamic NAT, as stated earlier, does provide a measure of security. It is difficult to establish a connection where the NAT mappings change regularly.
Static NAT requires more configuration. If you do wish to allow external hosts to connect to something on your private network, you will need a static mapping to provide the pathway. You would do this if you have a Web, mail, or FTP server that you want others to be able to connect to. A static mapping is required to allow anyone to connect back in to one of your hosts.
If you can control the static mapping by port—only mapping traffic on port 80 back to the Web server, for example—it is better than having to map all traffic back to the Web server and hoping your host won't respond to requests on other ports. You are still at risk from non-HTTP applications tunneled over port 80.
If you cannot control the static mapping by port (eek), any type of traffic can be directed at your host. Hosts listen on the dandiest of ports—ports you wouldn't expect. You can use `netstat -an` to see which ports your host is listening on.