Firewalls

Where and How To ?


A Firewall is a system that monitors and controls the data communication between 2 networks, or, in a lot of cases, between your network and the outside world, the internet. They come in all shapes and sizes, both as hardware and as software that can be run on your PC, or on a PC that acts as a gateway between your local network and the internet. In principle, there is no real difference between a hardware router/firewall and a PC that runs routing / firewall software.

Network Address Translation and Packet Filtering Firewall

The following examples assume the firewall to be a NAT router + packet filtering system. The firewall is placed between the internal, private LAN and the internet. The router connects the LAN to the internet (or connects 2 subnets); the packet filtering imposes limits on the communication that can pass through the interfaces. The use of private IP addresses on the internal network makes them unroutable and therefore inaccessible from outside this subnet. The network address translation allows hosts with private addresses to connect to systems outside the subnet (using the router's public WAN interface IP address).

firewall schematic

The firewall itself is just an implementation of a set of rules about what kind of communication is allowed between your network and the internet. Setting these rules extremely strict may be more secure, but might also block legitimate communication, eg with the network of the overseas section of your company. Setting the rules a bit loose will allow the normal activity to continue unhindered, but may leave room for outsiders to sneak in. Packet filtering can - on some firewalls - be specified per interface. That's usually only necessary when dealing with multiple subnets.

See also :

Demilitarized Zone

Port Mapping / Port Export is a technique to make services (eg mail server, TCP ports 25 and 110) publicly accessible while they are running on a machine with an unroutable address. It's like punching a hole through the firewall. Therefore, it is common practice to have machines that need public access together on a separate subnet. This subnet is often called the 'Demilitarized Zone' or DMZ.

demilitarized zone

In this example the gateway is set up on a machine with 3 network cards (network interface cards, NIC), ie one to connect to the internet, one to connect to the DMZ, and one to connect to the private LAN. If the firewall configuration allows different rules on each interface, you can specify which communication to allow or deny for all 3 combinations (between internal network and internet, between internal network and DMZ, between internet and DMZ).

Obviously, port mapping is, in this case, only necessary if the IP addresses in the DMZ are private. That would be the case if you have a cheap internet account with 1 dynamically assigned IP address. If your Internet provider gives you multiple, static IP addresses, you can use those for the web server, mail server etc in the DMZ so that you don't need Network address translation and port mapping. You may, however, still choose to apply NAT ('IP masquerading') and port mapping to direct traffic to the IP address / port of your choice, without the sender knowing.
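The 3-NIC gateway above, with private addresses in the DMZ, written out as iptables rules (an added example, not part of the original article; whether your gateway runs iptables at all is an assumption, as are the interface names, the subnets and the mail server address). It combines the NAT described earlier with the port mapping of TCP 25 and 110 into the DMZ, and leaves internet-to-LAN and DMZ-to-LAN traffic on the default DROP policy. By default the script only prints the rules; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example: packet filter + NAT for a gateway with 3 NICs.
# Assumed layout (not from the article):
#   eth0 = internet (WAN), eth1 = DMZ (192.168.2.0/24), eth2 = LAN (192.168.1.0/24)
#   mail server in the DMZ at 192.168.2.10, listening on TCP 25 and 110
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.2.0/24; LAN_NET=192.168.1.0/24; MAIL=192.168.2.10

# Dry run unless APPLY=1: print each rule instead of loading it into the kernel
ipt() { if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi; }

dmz_rules() {
    # Deny everything that is not explicitly allowed, on every interface pair
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -F; ipt -t nat -F
    # Replies to connections that were allowed to start may pass on any path
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> internet and LAN -> DMZ: allowed to originate connections
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    # DMZ -> internet: the mail server must be able to deliver outgoing mail
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    # NAT ('IP masquerading'): private LAN and DMZ addresses leave via the WAN address
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # internet -> DMZ: only the port-mapped services, the 'hole' in the firewall.
    # PREROUTING rewrites the destination; FORWARD then sees the private address.
    for port in 25 110; do
        ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$MAIL"
        ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$MAIL" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # internet -> LAN and DMZ -> LAN: no rule, so the default DROP policy applies;
    # a compromised DMZ host therefore cannot open connections into the LAN
}

dmz_rules
```

Adding a second DMZ service means one more PREROUTING/FORWARD pair; nothing else changes, which is the point of keeping the default policy at DROP.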

DMZ between 2 routers

Instead of a 3 NIC host, you can also use 2 routers, with a subnet in between : internet -- (router) - DMZ - (router) -- internal LAN

A firewall should be placed between the DMZ and the internet (on the router or between the DMZ and its router to the internet). Additionally, a firewall can be placed on the gateway from internal network to DMZ.

demilitarized zone

Again, the DMZ can have public or private addresses.

public addresses in Demilitarized Zone

If the DMZ has routable IP addresses, the router between internal network and DMZ will have to do network address translation. Communication from / to the internal LAN will be routed to the DMZ by the first router, and passed on to the second router to travel from the DMZ to the internet.

demilitarized zone

The DMZ is only protected by the packet filtering rules on the firewall between the DMZ and the internet; the internal LAN is subjected to packet filtering rules both between internet and DMZ, and between DMZ and internal network. The internal network is also protected by its unroutable IP addresses. Between internal network and DMZ, Network Address Translation ensures that the internet gateway is able to route to the internal network, via the NAT router.

private addresses in the Demilitarized Zone

If the DMZ subnet does not have public IP addresses, Network address translation is necessary from the addresses of the DMZ to the internet, to make the servers visible. Port mapping is needed to make the servers addressable from the internet.

demilitarized zone

The internal network obviously also has private IP addresses. A router is able to route from the internal LAN to the DMZ, where another router (with NAT) will route to the internet. Incoming packets will come through the NAT router to the DMZ, where they will need to be routed to the internal network. I'm not sure if that requires NAT on the DMZ-to-internal network router. It might be just a matter of getting the routing tables right, I don't know ...
That's something that remains to be figured out.

firewall with Proxy servers and Demilitarized Zone

The combination of a DMZ between routers and proxy servers can be used to create a very secure firewall : the internal network only communicates with (proxy) servers in the DMZ, the internet only has access to the DMZ, there is no direct connection between the internal network and the internet, while all relevant functionality can be preserved.

demilitarized zone with proxy servers

Koen Noens
July 2003