Firewall Internet Security - The Basics of a Firewall
Enterprise companies today employ firewalls that do stateful inspection of sessions
between external and internal hosts and devices. Cisco employs a patented ASA algorithm
that utilizes source IP address, destination IP address, TCP sequence numbers, port
numbers and TCP flags to examine and prevent unauthorized sessions. The firewall is
configured with conduit statements to filter traffic by examining source/destination IP
addresses, application port and protocol port before making a decision whether to permit
or deny a session or specific traffic.
Firewalls are implemented at the company demilitarized zone (DMZ) which is located
between the external network and the company internal network. Static routing is typically
configured at the DMZ between firewalls and internal/external routers for improved
security. This is to have greater control over route propagation than would be available
with dynamic routing protocols such as RIP and EIGRP. Internal and DMZ (Public) servers
would be configured to use the firewall as their default route to forward Internet
traffic. If an internal router were available, servers would use that as their default
gateway to forward Internet traffic.
The external router broadcasts a default route to the firewall that is used to forward
traffic destined for the Internet. A conduit must be configured at the firewall for each
protocol type that should be allowed through your firewall. For instance, if your company
manages routers and servers across a firewall, you must configure a conduit for SNMP
traffic to allow traps through the firewall. The conduit would specify the source address
of the router which is sending SNMP traps, the destination address of the network
management station that is receiving SNMP traps, and UDP 161 which is the UDP port number
for sending SNMP traffic from managed devices to a network management station.
The firewall examines the end to end session connection and does a lookup of its
conduit table to determine if a particular source address, destination address, protocol
port or application port is allowed through. The packet is discarded or allowed through on
to the company network (inside) or Internet depending upon the conduit statements configured.
This is a TCP service running on a designated Unix server that authenticates employees
attempting to access a router. The routers must be configured to send a request to the
TACACS server when someone attempts to logon to a router. The router prompts the user for
a username/password pair and sends that to the TACACS server for authentication. TACACS
servers are implemented with VPN services as well to authenticate remote users before
allowing that session to continue with network authentication to Windows Server, Unix or
Mainframe authentication and authorization.
This is a UDP service running on a designated network server that authenticates
employees attempting to access a router. The routers must be configured to send a request
to the RADIUS server when someone attempts to logon to a router. The router prompts the
user for a username/password pair and sends that to the RADIUS server for authentication.
RADIUS servers are implemented with VPN services as well to authenticate remote users
before allowing that session to continue with network authentication to Windows Server,
Unix or Mainframe authentication and authorization.
Shaun Hummel is the author of
Cisco Wireless Network Design Guide
and has a web site focused on information technology solutions, online technical interviews and certifications.
More Network Security Articles:
• Firewall Perimeter Network (DMZ)
• Methods to Combat Distributed Denial of Service (DDoS) Attacks
• The Basics of Network Security
• Implementing a Secure Password Policy
• Understanding the Different Classes of Firewalls
• Wireless Network Security
• Data Encryption
• Domain Name System (DNS) Vulnerabilities
• What is Penetration Testing?
• Nessus Network Vulnerability Scanner