74
Networking: A Beginner's Guide
Protecting a Network with Firewalls
Firewalls are hardware devices that enforce your network security policies. They are
often installed alongside routers, for instance where routers are used to create
internetwork connections. In most routers designed for small office/home office use,
a firewall is part of the router itself. Equipment for larger networks still keeps these
duties in separate pieces of equipment, however.
A firewall is a hardware device (which can be a computer set up for the task that
runs firewall software or a dedicated firewall device that contains a computer within
it) that sits between two networks and enforces network security policies. Generally,
firewalls sit between a company LAN and the Internet, but they can also be used
between LANs or WANs.
There are basically two different types of firewalls:

• A network-based firewall operates at the network level (layer 3) and usually
implements a technique called packet filtering, where packets between networks
are compared against a set of rules programmed into the firewall before the
packets are allowed to cross the boundary between the two networks. Packet-
filtering rules can allow or deny packets based on source or destination address,
or based on TCP/IP port.

• An application-based firewall usually acts in a proxy role between the two
networks, such that no network traffic passes directly between the two
networks. Instead, the firewall (usually called a proxy firewall) acts as a proxy
for the users of one network to interact with services on the other network.
This proxy interaction is usually done using a technique called network
address translation (NAT), where the network addresses on the internal
network are not directly exposed to the external network. In the application-
based model, the proxy firewall takes care of translating the addresses so that
the connections can take place.
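A small working model of the packet-filtering rules just described, added here as an illustration and not code from the book: an ordered rule list is checked first-match against each packet's source and destination address and TCP/IP port, and anything no rule names is dropped (default deny). The LAN range 192.168.1.0/24, the mail host 192.168.1.10 and the packets themselves are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Each rule matches on source/destination network (CIDR), transport protocol
# and destination port. The first rule that matches decides; if none matches,
# the packet is denied. That default-deny posture is what you want on the
# boundary between a company LAN and the Internet.
@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source network, CIDR ("0.0.0.0/0" = any)
    dst: str = "0.0.0.0/0"         # destination network, CIDR
    proto: Optional[str] = None    # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None    # destination port or None for any port

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

# Hypothetical policy for a LAN at 192.168.1.0/24 behind the firewall.
# Order matters: the telnet deny sits first so no later allow can override it.
RULES = [
    Rule("deny", dst="192.168.1.0/24", proto="tcp", dport=23),    # no telnet into the LAN
    Rule("allow", dst="192.168.1.10/32", proto="tcp", dport=25),  # outside may reach the mail host
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=80),   # LAN hosts may browse the web
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=443),
]

def filter_packet(pkt: dict, rules=RULES) -> str:
    """Return "allow" or "deny" for one packet under a first-match rule set."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: no rule matched

if __name__ == "__main__":
    pkt = {"src": "192.168.1.20", "dst": "203.0.113.5", "proto": "tcp", "dport": 443}
    print(filter_packet(pkt))  # allow
```

Note that a filter like this is stateless: it judges each packet on its own, so it cannot tell a legitimate reply to an inside-initiated connection from an unsolicited inbound packet, which is one reason real firewalls add connection tracking or the proxying approach described next.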
NOTE
Firewalls do not provide a network security panacea. The best firewall in the world won't
protect your network from other security threats, such as some discussed in Chapter 11. However,
they are an important part of network security, particularly for LANs connected to the Internet.
Firewalls come in all shapes and sizes, and range in cost from as little as a few
hundred dollars to thousands of dollars. In fact, these days, you can even find small
personal firewalls for home use that cost less than $200 for hardware-based devices, or
around $40 for firewall software that can be installed on a home computer.
Different firewall devices have various features, and might encompass both
network-based and application-based techniques to protect the network. Firewalls also
usually serve as an audit point for the traffic between the two networks, using logging
and reporting tools to help the administrator detect and deal with inappropriate
network traffic.
Firewalls are discussed in the context of network security in Chapter 11.