Introduction to Firewalls

As you may have noticed in the static routing lab, a plain router accepts any packet it receives and forwards it according to its routing table, with no opinion about whether that traffic should be allowed at all. This creates a security problem: an intruder who can reach the router only needs a static route pointing at your network to reach every host on it. A firewall is the device that adds policy to forwarding, so that only the traffic you permit gets through.

 

Functions of a Firewall

At a minimum a firewall does packet filtering, but firewall appliances commonly bundle other functions as well, such as:
  • Network address translation
  • Traffic monitoring
  • Basic routing
  • DHCP server
  • DNS resolver
  • VPN server
For the firewalling lab, we will be discussing NAT, DHCP, DNS, and packet filtering.

 

Packet Filtering

A packet filter is the component of a firewall that inspects every packet it receives and runs it through an ordered list of rules. The rules state which packets may go where and whether they are allowed through the wall. If no rule matches, the packet gets the firewall's default policy. On pfSense-style appliances that default is to drop (block) the packet, so nothing passes unless a rule says so. Be aware that raw pf (the packet filter whose rule syntax is used below) behaves the other way round and passes a packet that matches no rule, which is why hand-written pf rulesets conventionally begin with a "block all" line to turn that into an explicit default deny.
There are two main types of rules: pass and block. A pass rule names traffic that is allowed through, and a block rule names traffic to drop. Rules are evaluated in the order they are listed, and the last matching rule wins. So if a packet matches a block rule near the top of the list but also matches a pass rule further down, the packet goes through.
Some rules are marked quick. A quick rule is final: if it matches, the packet is blocked or passed right there and no later rule is considered. Even if a rule further down would pass a packet, a quick block rule that matches it first wins.
Remember that on a default-deny firewall with no rules, every packet is dropped, including the traffic you would use to reach the firewall itself. Locking yourself out while editing rules remotely is a classic mistake, so put the pass rule for your own management traffic in place before anything else.
Packet filtering adds security by keeping unwanted traffic off the network. For instance, you can block all traffic to and from a specific IP address once you know it is malicious.
Suppose you did not want hosts inside your network to reach 8.8.8.8 (Google's public DNS resolver). You could add a rule that blocks that traffic as it leaves through the external interface:

 

ext_if = "em0"   # macro naming the external (WAN) interface; em0 is only an example
block out quick on $ext_if from any to 8.8.8.8
This blocks any packet leaving through the external interface ($ext_if), from any source, whose destination is 8.8.8.8. Note that it is an out rule, not an in rule: it stops traffic from your network going to 8.8.8.8, rather than traffic coming in. Because it is quick, no pass rule further down the list can override it, and inside hosts simply get no answer from that resolver, which is usually the first symptom you see when a block rule is too broad.
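To make the evaluation order concrete, here is a small Python model of pf-style rule evaluation. It is an example added to this lab, not pf's own code and not anything shipped with the firewall. It parses the subset of rule syntax used above, assumes the macro ext_if expands to an interface called em0 and uses constructed addresses, and evaluates a few packets against a three-rule set so you can see last-match-wins, quick, and the default policy at work in one run.

```python
"""Toy model of pf-style packet filtering (added example, not pf itself).

Rules are evaluated top to bottom; the LAST matching rule wins unless a
matching rule is marked quick, which ends evaluation immediately. Packets
matching no rule get the default policy: block on pfSense-style appliances,
pass in raw pf without a 'block all' line. The interface name em0 and all
addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    direction: str  # "in" or "out", relative to the interface
    iface: str
    src: str
    dst: str


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: Optional[str]    # None matches both directions
    iface: Optional[str]        # None matches any interface
    src: str                    # "any" or one IPv4 address
    dst: str
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst))


def parse_rule(line: str, macros: Dict[str, str]) -> Rule:
    """Parse the subset: <pass|block> [in|out] [quick] [on <if>] (all | from <src> to <dst>)."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action {action!r}")
    direction = iface = None
    quick = False
    src = dst = "any"
    while tokens:
        tok = tokens.pop(0)
        if tok in ("in", "out"):
            direction = tok
        elif tok == "quick":
            quick = True
        elif tok == "on":
            iface = tokens.pop(0)
            if iface.startswith("$"):          # expand a macro such as $ext_if
                iface = macros[iface[1:]]
        elif tok == "from":
            src = tokens.pop(0)
        elif tok == "to":
            dst = tokens.pop(0)
        elif tok == "all":
            src = dst = "any"
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return Rule(action, direction, iface, src, dst, quick)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """Return the verdict ("pass" or "block") for pkt under pf semantics."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:      # quick: decide now and ignore everything below
                break
    return verdict


MACROS = {"ext_if": "em0"}   # assumed interface name behind the lab's $ext_if macro
RULESET = [parse_rule(line, MACROS) for line in """
block out quick on $ext_if from any to 8.8.8.8
block out on $ext_if from 192.168.1.50 to any
pass out on $ext_if from any to any
""".strip().splitlines()]


def decide(direction: str, iface: str, src: str, dst: str, default: str = "block") -> str:
    """Evaluate one constructed packet against RULESET."""
    return evaluate(RULESET, Packet(direction, iface, src, dst), default)


if __name__ == "__main__":
    # The quick block wins even though the final pass rule also matches.
    print(decide("out", "em0", "192.168.1.10", "8.8.8.8"))             # block
    # The block for .50 matches first, but the later pass also matches: last match wins.
    print(decide("out", "em0", "192.168.1.50", "1.1.1.1"))             # pass
    # Unsolicited inbound packet matches no rule, so the default policy decides.
    print(decide("in", "em0", "203.0.113.5", "192.168.1.10"))          # block
    print(decide("in", "em0", "203.0.113.5", "192.168.1.10", "pass"))  # pass (raw pf, no block all)
```

The second rule is deliberately useless as written: because the pass rule below it also matches and is not quick, the block for 192.168.1.50 never takes effect. Adding quick to it, or moving it below the pass rule, is what makes it bite, which is exactly the ordering behaviour described above.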

 

Network Address Translation (NAT)

As you know, your computer does not have a public IP; it has a private IP. NAT is what takes your private IP, maps it to your firewall's public IP, and lets it communicate with the rest of the internet. You normally have many private IPs sharing one public IP. When a website you visit looks at the connection, it sees your public IP, not your private one. For example, go to ipchicken.com; it will show your public IP.
Outside hosts seeing only your public IP is good for security, because they cannot distinguish individual PCs inside the network, and cannot reach them directly unless the firewall forwards the traffic. It can be a problem when isolating trouble, however: if an outside party reports abuse coming from your public IP, you cannot tell which internal machine is infected without the firewall's NAT state table or logs, because every host came out of the same public IP.
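The following Python model of a source-NAT table shows both halves of that story: how two private hosts share one public IP, and how the firewall's state table is the only thing that can answer "which inside host was behind this public port?". It is an example added to this lab, not pfSense's NAT implementation; the firewall public IP 203.0.113.7, the port range starting at 40000, and every other address are constructed for illustration.

```python
"""Toy source NAT (port address translation) table (added example, not pfSense's NAT).

Every private host shares the firewall's one public IP. The firewall rewrites
the source of each outgoing packet and records the mapping, so replies can be
sent back to the right private host and so an investigator can later map a
public port back to an inside machine. All addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class SourceNat:
    public_ip: str                              # assumed public IP of the firewall
    next_port: int = 40000                      # first translated port (assumed range)
    outbound: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # private -> public
    inbound: Dict[int, Endpoint] = field(default_factory=dict)        # public port -> private

    def translate_out(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of a packet leaving the network, allocating state on first use.

        Two inside hosts may use the same source port, so the public port, not the
        private one, is what keeps their flows apart on the outside.
        """
        if src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[src] = (self.public_ip, port)
            self.inbound[port] = src
        return self.outbound[src], dst

    def translate_in(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Undo the rewrite for a reply.

        A packet whose destination port has no state entry is unsolicited; there is
        no inside host to deliver it to, so the caller drops it (None). This is why
        NAT alone already hides inside hosts from the internet.
        """
        if dst[0] != self.public_ip or dst[1] not in self.inbound:
            return None
        return src, self.inbound[dst[1]]

    def who_used(self, public_port: int) -> Optional[Endpoint]:
        """Incident-response lookup: which private host was behind this public port?"""
        return self.inbound.get(public_port)


if __name__ == "__main__":
    nat = SourceNat("203.0.113.7")
    website = ("198.51.100.80", 443)
    # Two inside hosts, both using local port 51000, reach the same website.
    print(nat.translate_out(("192.168.1.10", 51000), website))   # public port 40000
    print(nat.translate_out(("192.168.1.20", 51000), website))   # public port 40001
    # The website's reply to port 40001 goes back to 192.168.1.20, nobody else.
    print(nat.translate_in(website, ("203.0.113.7", 40001)))
    # An unsolicited probe from the internet has no state: dropped.
    print(nat.translate_in(("192.0.2.9", 12345), ("203.0.113.7", 5555)))  # None
    # Abuse report names 203.0.113.7:40000; only the state table knows who that was.
    print(nat.who_used(40000))   # ('192.168.1.10', 51000)
```

The practical lesson for the isolation problem mentioned above is that the firewall's NAT state (and, for anything older than the current connections, its NAT logs) must be retained if you ever want to turn an external abuse report into the name of an inside host.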

 

DHCP

You already know a little about DHCP from the intro to KVM lab. As a refresher, DHCP hands a machine a private IP address (along with its gateway and DNS server) whenever it joins your network. DHCP works the same way on a firewall; the firewall simply hosts the service itself instead of relying on a separate DHCP server.

 

DNS Resolver

A DNS resolver takes DNS (Domain Name System) queries and checks whether it already knows, from its cache or its own zones, which IP address the queried name should resolve to. In other words, it turns domain names (google.com) into IP addresses. If the answer is not available locally, it forwards the query to another DNS server (an upstream resolver such as 8.8.8.8, or the authoritative servers for the name when it resolves recursively), and returns the address that comes back.

 

VPN Server

A VPN (Virtual Private Network) server lets someone join a private network without being physically connected to it. The client builds an encrypted tunnel to the server, and traffic sent through that tunnel appears to come from inside the network. Routing all of the client's internet traffic through the tunnel means the outside world sees the VPN server's public IP rather than the user's own, no matter where the user is located, which is why VPNs are also used to "spoof" one's location by exiting through a public IP in a different part of the world.