Firewalls

Introduction

Background info:

A firewall is a system that monitors and controls the data communication between two networks, or, in many cases, between your network and the outside world, the internet. Firewalls come in many shapes and sizes, as dedicated hardware or as software that runs on your PC, or on a PC that acts as a gateway between your local network and the internet. Just installing a firewall will not fully protect you: users can, knowingly or not, perform actions that bypass the firewall and grant access to outsiders.

The firewall itself is just an implementation of a set of rules about what kind of communication is allowed between your network and the internet. Setting these rules extremely strict may be more secure, but might also block legitimate communication, e.g. with the network of the overseas branch of your company. Setting the rules a bit looser will allow normal activity to continue unhindered, but may leave room for outsiders to sneak in.

Firewall Techniques

There are several approaches to safely connecting a LAN to the internet.

Application Level Gateway / Proxy Server

An application level gateway (usually called a proxy server) works at the application layer (in terms of the TCP/IP and OSI reference models). It sits between a client application (e.g. a web browser) and the corresponding service (e.g. a web server): it intercepts requests from the client application, re-issues the request to the server itself, receives the reply, and then forwards the reply to the client that originally made the request.

As a result, all communication beyond the proxy server carries the proxy server's IP address as return address, thus hiding the address where the request originated. This makes the computers 'behind' the proxy practically invisible. The connection with the internet is made by the proxy server 'on behalf of' the computers in the network you want to protect.

Application level gateways act as a proxy between the client and the server. Authentication, access control lists and other types of rules and filtering can be applied to control which client can talk to which server, and what sort of content will be allowed to pass back to the client. A typical example is an HTTP proxy, but a mail relay or any other intermediary application can be set up as an application-level firewall. Because the proxy understands the protocol it relays, it can filter on things a packet filter never sees, such as URLs, protocol commands or attachments. The actual implementation will depend on the application you want to filter.

Proxy servers are often used for Web access, and can be configured to deny access to certain web pages or web sites. A proxy server can also help to speed up Web access by caching web pages so that they do not need to be retrieved from the actual web server.

The main disadvantage of application level gateways is that you need a proxy server for every application protocol you want to use. If no proxy server exists for a given application, you cannot use this technique. As a workaround to this problem there is a sort of universal proxy, SOCKS, that allows you to 'socksify' certain applications so that they can be used with proxy servers. Application-level firewalls are usually used to complement other types of filtering (see below).

Router with Network Address Translation

A router is a machine (or software) that routes (IP) packets to their destination. A NAT (Network Address Translation) router replaces the sender's private address with its own public address on packets leaving the LAN, remembers which inside host each translation belongs to, and reverses the substitution on the replies. This creates a separation between the internet and the LAN or computer the packet originated from, and can be used to connect a LAN with private addresses to the internet using only one internet account with one (public, routable) IP address. The Network Address Translation makes the LAN practically invisible to the internet: the only IP address known to the internet is that of the router. This is also called 'IP masquerading'.

Network Address Translation / IP masquerading sounds similar to the way a proxy server works, and both are often used to connect a LAN to the internet (e.g. Freesco, a free software router). The main difference is in the level they work on: proxy servers work on the application level, routers on the network level. Therefore, application level gateways will often allow only one or a few applications to pass through (web proxy, FTP proxy), while NAT routers will transport data packets no matter what application they belong to.

Application level gateways and NAT routers make your PC or local network invisible to the internet, and thus form a simple but effective 'firewall' against attacks from the outside. Most 'firewall' software includes an implementation of Network Address Translation and a proxy. When using NAT with private, unroutable IP addresses (see: private network addresses) on your local area network, the LAN cannot be reached directly from the internet, because nobody outside can route a packet to an address such as 10.0.0.3. You'll only have to worry about connections originating from your own network, about the ports you deliberately forward to inside machines (see below), and about attacks aimed at the router / firewall / gateway itself.

Packet filtering

Every packet passing through the firewall, on its way into or out of the local network, is inspected for source and destination address and port. Filtering rules can be applied to block access from or to certain addresses, e.g. to allow only certain machines to access the internet, to disallow access to sites that are known to contain malicious code, or to refuse connection attempts from addresses outside the local network.

Packet filtering can be fooled by 'IP address spoofing'. This is a technique by which the intruder changes the source address of his packets into an address that will be trusted by the firewall. The standard countermeasure is to filter on the interface as well as on the address: a packet arriving on the external interface that claims a source address belonging to your own LAN can only be a forgery and should be dropped (and, in the other direction, packets leaving your LAN with a foreign source address should be dropped too).

Additional filtering rules can check packets for source and destination port, the protocol used (TCP, UDP, ICMP), TCP flags, etc.

Stateful Inspection

Also referred to as dynamic packet filtering. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A stateful firewall may, for example, examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall. As an added security measure against port scanning, stateful inspection firewalls close off ports until a connection to the specific port is requested.

(Definition of "stateful inspection" according to Webopedia. I couldn't have said it better myself.)

Most firewall software and hardware uses a combination of the above techniques (e.g. Network Address Translation + packet filtering) to control communications between the internet and the local network. Note that just installing the firewall software is not enough. You'll need to decide what you should allow and what not, keeping in mind the consequences for security as well as the needs of your users. And you have to implement those decisions correctly, and verify that the rules actually do what you intended.

VPN: Virtual Private Networks

Virtual Private Networking addresses the situation where remote users, or another network that is physically remote from your network, should be able to function as part of it. Consider for instance the networks of a corporate headquarters and the networks in regional offices.

Virtual Private Networks consist of virtual tunnels between two gateways. For the connected networks it looks as if there is a direct connection between the gateways, even if the actual route passes through other, possibly public and insecure, networks. This is accomplished by wrapping the 'private' IP packets into other IP packets, as payload (encapsulation). On its way to the other gateway, the data travels over the internet or another untrusted network. To protect the information from being intercepted, the data is encrypted; any serious VPN protocol also authenticates it, so that it cannot be altered or injected in transit without being noticed.

VPNs can be used to manage remote access to a network behind a firewall: instead of having to configure all sorts of rules to allow several services through the firewall, you just need to allow and enable the VPN, and be done with it. This does mean you need to trust every host on the remote network, because they'll have unlimited access (unless, of course, you apply firewalling to the traffic that comes through the tunnel as well). A compromised machine on the far end is, from the firewall's point of view, a trusted inside machine.

More about secure tunnels and VPN

Linux

Linux users are lucky. As a superior network operating system, Linux has built-in router and firewall functionality (ipchains in the 2.2 kernels, netfilter/iptables since 2.4) that can be set up to match almost any requirement. (Linux is, after all, said to be the network admin's dream.)
Linux is therefore often used on a gateway machine to handle the routing and firewalling. When stripped down to the bare necessities, such a system can fit on a floppy and turn an obsolete personal computer into a fully functional router/firewall combination (LOAF - Linux On A Floppy, or router projects such as Freesco).

Connections: Who started first?

When configuring a firewall, you'll have to take decisions about which 'incoming' and 'outgoing' connections to allow. This can be confusing at first.
For example: you want to allow the people on your local area network to browse the web, so you cannot completely seal off your local network from the internet, but you don't want this opening to be used by outsiders to 'browse' your local network. So if you block 'incoming' traffic, will the responses from the web server, i.e. the web pages you want to see, still arrive on your PC?

The question to ask to distinguish what is incoming and what is outgoing is: "who took the initiative for this connection?", "who started first?".
When you want to view a web page, your browser sends a 'GET' request to the web server; the web server, in reply, returns an HTML file to your browser so that it can put the web page on your screen. In this case the initiative comes from your PC (or a PC on your LAN) and a request is sent outwards. This is outgoing traffic. The reply comes from outside towards your local network, but it is a reply to a request you sent, so it is considered part of the same 'outgoing' connection.

The other way around :
If someone from outside your network wants to connect to your web server, he'll need to send a 'GET' request to your web server. The connection is initiated from the outside, so this is an 'incoming' connection.

The 3-way handshake

Maybe it becomes clearer when we look at how a TCP connection is set up.

TCP uses a 3-way handshake to initiate a connection. The 3-way handshake proceeds as follows (Tanenbaum, quoted here).

In plain English:

  1. A sends B a packet to indicate it wants to connect (SYN flag set)
  2. B replies to A that it acknowledges receipt of the SYN, and in the same packet says it is OK to connect (SYN and ACK flags set, a 'SYN-ACK')
  3. A acknowledges receipt of B's reply (ACK)

Now there is a connection.
If the connection originates from your local LAN, it's an outgoing connection; if the connection is initiated from outside your LAN, it's an incoming connection. Note that every TCP connection, whichever way it was initiated, carries packets in both directions; the direction of the connection is determined by the first SYN alone.

You may notice in the log files of your firewall entries such as 'attempt to connect from ...' or 'suspicious SYN packet': these are incoming connection attempts. If you have configured your firewall to refuse them, it can reject the packet, i.e. send back a TCP RST or an ICMP error ('port unreachable' or 'administratively prohibited'), thus breaking the 3-way handshake so that no connection can be made. It can also just drop the packet and ignore it, so that the attempted connection fails and, as an added bonus, the sender gets no confirmation that his attempt to connect actually reached the gateway to your network ('stealth mode'). Dropping is quieter; rejecting is friendlier to legitimate clients that mis-address you, since they fail immediately instead of waiting for a timeout.

You can tell the firewall from which addresses, ranges of addresses or domains it should accept incoming connections, and block all others. Or just block every incoming connection, and allow only outgoing. That means you can surf the web (the connection is initiated from the local network), but no surfers can browse your network (that would be an incoming connection, the initiative would come from outside). People on your network would still be able to browse the intranet web server, because that connection does not have to pass the firewall.

Still, a small problem remains: when people can surf the web, they can download pages or files, which may be a way for trojans to sneak through the firewall. And once inside, a connection from the backdoor program to its creator (or, more likely, the script kiddie that is using it) would be, for the firewall, a legitimate outgoing connection, thus giving that script kiddie access to your LAN.

Virus scanners may detect most trojans, and educating your users may help (and should thus be part of the 'firewall policy'), but still, you may want more control over what exactly leaves your network. Time for packet filtering, applied to outgoing traffic as well.

Incoming and Outgoing Packets

When applying packet filtering, all packets are checked, not just the connection. To distinguish between incoming and outgoing packets, the firewall can check the SYN and ACK bits in the TCP header. This poses a problem for UDP, a connectionless transport protocol. Contrary to TCP, UDP sends its packets to the destination address without setting up a connection first (no handshake, no SYN and ACK to check). It is often used to deliver large amounts of data in situations where speed is more important than accuracy. Without acknowledgements there is no guarantee that a packet has been delivered, and it cannot be resent in case of error. Applications such as video and audio streaming usually don't suffer from a lost packet here and there, so UDP is often used for this type of data communication. Likewise for on-line games, and for DNS lookups.

In addition, some applications don't always use the same ports but negotiate port numbers. Netmeeting, for instance, uses TCP to set up the initial connection and for the main part of the communication, but then uses UDP for additional video and audio communication. The UDP port(s) to be used are negotiated between the participating hosts.

All of this makes UDP a difficult protocol to handle with respect to packet filtering. A stateful firewall gets around the absence of a handshake by remembering each outgoing UDP datagram and admitting, for a short time, replies that come back from the same remote address and port; unsolicited UDP packets from outside are dropped. Negotiated ports still require either a protocol-aware helper that reads the negotiation, or a rule that opens the relevant port range permanently.
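To make the 'who started first' rule and the UDP problem concrete, here is a small stateful filter in Python, written for this page as an added example; it is not code from the original article or from any firewall product. It decides the direction of a TCP connection from the lone SYN, keeps a state table so that replies to connections opened from the LAN are accepted, drops stray ACKs and unsolicited SYNs, refuses spoofed source addresses on both interfaces, and treats UDP the way stateful firewalls do in practice: an outgoing datagram opens a pseudo-connection that admits replies from the same remote address and port until a timeout. The LAN range 10.0.0.0/8, the 30-second UDP timeout and every address, port and timestamp in the packet trace are assumptions made up for the example.

```python
"""Toy stateful packet filter: a connection's direction is decided by who sent
its first packet (the lone SYN for TCP), not by the direction of the packet
being inspected. UDP has no handshake, so an outgoing datagram opens a short
pseudo-connection that only admits replies from the same remote address:port.
All addresses, ports and timestamps are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")   # assumed private range behind the firewall
UDP_TIMEOUT = 30.0               # assumed: seconds a UDP pseudo-connection stays open


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface it arrived on: "lan" or "wan"
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"SYN", "ACK"}
    time: float = 0.0               # arrival time in seconds, used for UDP expiry


class StatefulFilter:
    def __init__(self):
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> state
        # TCP state: "SYN_SENT" or "ESTABLISHED"; UDP state: expiry timestamp.
        self.table = {}

    @staticmethod
    def _key(p):
        # Normalise the 5-tuple so both directions of one flow share an entry.
        if p.iface == "lan":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        """Return (verdict, reason); verdict is "ACCEPT" or "DROP"."""
        # Anti-spoofing: a WAN packet with a LAN source address, or a LAN packet
        # with a foreign source address, lies about where it came from.
        src_is_lan = ip_address(p.src) in LAN
        if (p.iface == "wan" and src_is_lan) or (p.iface == "lan" and not src_is_lan):
            return "DROP", "spoofed source address"
        key = self._key(p)
        state = self.table.get(key)
        if p.proto == "tcp":
            if p.flags == {"SYN"}:
                if p.iface == "lan":
                    self.table[key] = "SYN_SENT"    # our side took the initiative
                    return "ACCEPT", "new outgoing connection"
                return "DROP", "unsolicited incoming SYN"  # dropped silently: 'stealth mode'
            if state is None:
                # ACK, FIN or RST with no known connection: stray packet or a scan.
                return "DROP", "no matching connection"
            if p.flags == {"SYN", "ACK"} and p.iface == "wan" and state == "SYN_SENT":
                self.table[key] = "ESTABLISHED"     # step 2 of the 3-way handshake
                return "ACCEPT", "reply to our SYN"
            if "RST" in p.flags:
                del self.table[key]                 # connection aborted; forget it
                return "ACCEPT", "connection reset"
            # Data, FIN and the final ACK of a tracked connection pass. A real
            # implementation would also age out flows that were closed with FIN.
            return "ACCEPT", "part of tracked connection"
        if p.proto == "udp":
            if p.iface == "lan":
                self.table[key] = p.time + UDP_TIMEOUT  # open or refresh pseudo-connection
                return "ACCEPT", "outgoing datagram"
            if state is None:
                return "DROP", "unsolicited incoming datagram"
            if p.time > state:
                del self.table[key]
                return "DROP", "reply arrived after timeout"
            return "ACCEPT", "reply to recent outgoing datagram"
        return "DROP", "unsupported protocol"


def run_sample():
    """Feed a constructed packet trace through the filter; return the verdicts."""
    fw = StatefulFilter()
    S, SA, A, NONE = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"}), frozenset()
    trace = [
        Packet("lan", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, S, 1.0),      # browser opens connection
        Packet("wan", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, SA, 1.1),     # server's SYN-ACK
        Packet("lan", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, A, 1.2),      # handshake completes
        Packet("wan", "tcp", "203.0.113.77", 4444, "10.0.0.5", 139, S, 2.0),      # outsider knocks on port 139
        Packet("wan", "tcp", "203.0.113.77", 4444, "10.0.0.5", 12345, A, 2.1),    # 'ACK scan', no handshake behind it
        Packet("wan", "tcp", "10.0.0.9", 1234, "10.0.0.5", 80, S, 2.2),           # LAN source address from outside
        Packet("lan", "udp", "10.0.0.5", 5353, "198.51.100.53", 53, NONE, 10.0),  # DNS query goes out
        Packet("wan", "udp", "198.51.100.53", 53, "10.0.0.5", 5353, NONE, 10.2),  # answer comes back in time
        Packet("wan", "udp", "198.51.100.77", 53, "10.0.0.5", 5353, NONE, 10.3),  # answer from the wrong host
        Packet("wan", "udp", "198.51.100.53", 53, "10.0.0.5", 5353, NONE, 50.0),  # answer far too late
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(f"{verdict:6} {reason}")
```

Running it prints ten verdicts: the three handshake packets and the DNS query with its timely answer are accepted, the unsolicited SYN, the ACK scan, the spoofed packet, the answer from the wrong host and the late answer are dropped. The same trace fed to a stateless filter that simply permits 'port 53 in, port 53 out' would have let the last two through.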

Exporting Ports (Port mapping, port forwarding)

If certain services on your local network need to be accessible from the outside ( a web server, a mail server, a database server that is part of a distributed system, ...), you have a problem.
The only address of your LAN that is actually known, visible and reachable from the outside is the IP address of your gateway's WAN interface. It is not likely that your database server is running on the gateway machine, and it would not be a good idea anyway.

Say this database server is running on a machine with IP 10.0.0.3 in your LAN, and listens (waits for incoming connections) on TCP port 3024. Other servers will have to connect to this port, but they can't, because there is no way they can reach the machine 10.0.0.3. They can only see public addresses such as 240.166.1.125 (let's assume that's your gateway's WAN address).
The thing to do then is to tell the firewall to

This is called 'exporting a port': you virtually put port 10.0.0.3:3024 outside the LAN, on the WAN side of the firewall; you make it accessible as if it were 240.166.1.125:3024.
It is sometimes also called port mapping:
you map 240.166.1.125:3024 to 10.0.0.3:3024; you tell your system that 240.166.1.125:3024 points to 10.0.0.3:3024.

You can also map to a different port. If the clients on the far side of the firewall connect to 240.166.1.125:3024, but the service they need is running on 198.162.0.45:123, you can map 240.166.1.125:3024 to 198.162.0.45:123. Keep in mind that every exported port is a deliberate hole in the otherwise invisible LAN: the service behind it is now reachable by anyone on the internet, so it has to be kept patched and, where possible, restricted to the client addresses that actually need it.
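The two address translations described on this page, masquerading for outgoing traffic and port forwarding for exported services, are two lookups in the same gateway. The following Python model was written for this page as an added example (it is not the article's code, nor that of Freesco or any other router). It keeps the gateway's WAN address 240.166.1.125 and the database server 10.0.0.3:3024 from the text; the second forwarding rule (public port 8080 to an inside web server 10.0.0.4:80) and all remote addresses and ports are made up for the example.

```python
"""Toy NAT gateway: IP masquerading for packets leaving the LAN plus port
forwarding ('exported ports') for inside services that must be reachable from
the internet. The gateway's WAN address (240.166.1.125) and the database
server (10.0.0.3, TCP 3024) follow the text; the second forwarding rule and
all remote addresses and ports are constructed for the example."""
from dataclasses import dataclass, replace

WAN_IP = "240.166.1.125"


@dataclass(frozen=True)
class Packet:
    iface: str   # before translation: interface it arrived on; after: interface it leaves by
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, wan_ip, port_forwards):
        self.wan_ip = wan_ip
        self.forwards = dict(port_forwards)                       # public port -> (inside ip, inside port)
        self.exported = {v: k for k, v in self.forwards.items()}  # (inside ip, inside port) -> public port
        self.masq = {}      # (wan port, remote ip, remote port) -> (lan ip, lan port)
        self.masq_rev = {}  # (lan ip, lan port, remote ip, remote port) -> wan port
        self.next_port = 1024

    def _alloc_port(self):
        # A real NAT draws from a pool and recycles ports as entries age out.
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate(self, p):
        """Return the rewritten packet, or None when nothing is delivered."""
        if p.iface == "lan":
            public_port = self.exported.get((p.src, p.sport))
            if public_port is not None:
                # Reply from an exported service: restore the public address and port.
                return replace(p, iface="wan", src=self.wan_ip, sport=public_port)
            # Ordinary outgoing packet: hide the LAN host behind the WAN address and
            # remember the mapping so the reply can be handed back to the right host.
            flow = (p.src, p.sport, p.dst, p.dport)
            wan_port = self.masq_rev.get(flow)
            if wan_port is None:
                wan_port = self._alloc_port()
                self.masq_rev[flow] = wan_port
                self.masq[(wan_port, p.dst, p.dport)] = (p.src, p.sport)
            return replace(p, iface="wan", src=self.wan_ip, sport=wan_port)

        # Packet arriving from the internet.
        if p.dst != self.wan_ip:
            return None   # private addresses are not routable; nothing for 10.x ever arrives here
        inside = self.masq.get((p.dport, p.src, p.sport))
        if inside is not None:
            # Reply to something a LAN host sent earlier: undo the masquerading.
            return replace(p, iface="lan", dst=inside[0], dport=inside[1])
        if p.dport in self.forwards:
            # Exported port: pass the connection to the inside server, possibly on another port.
            ip, port = self.forwards[p.dport]
            return replace(p, iface="lan", dst=ip, dport=port)
        return None   # unsolicited and not exported: the LAN stays invisible


def run_sample():
    """Run a constructed set of packets through the gateway; return the results by name."""
    gw = NatGateway(WAN_IP, {3024: ("10.0.0.3", 3024),   # database server, exported as-is (from the text)
                             8080: ("10.0.0.4", 80)})    # assumed: inside web server exported on another port
    r = {}
    r["out"] = gw.translate(Packet("lan", "10.0.0.5", 40000, "203.0.113.10", 80))           # browse the web
    r["out_again"] = gw.translate(Packet("lan", "10.0.0.5", 40000, "203.0.113.10", 80))     # same flow, same mapping
    r["out_other"] = gw.translate(Packet("lan", "10.0.0.6", 40000, "203.0.113.10", 80))     # other host, same source port
    r["reply"] = gw.translate(Packet("wan", "203.0.113.10", 80, WAN_IP, r["out"].sport))    # web server answers
    r["unsolicited"] = gw.translate(Packet("wan", "203.0.113.77", 4444, WAN_IP, 139))       # nobody asked for this
    r["dnat"] = gw.translate(Packet("wan", "203.0.113.20", 50000, WAN_IP, 3024))            # remote server hits exported port
    r["dnat_reply"] = gw.translate(Packet("lan", "10.0.0.3", 3024, "203.0.113.20", 50000))  # database answers
    r["remap"] = gw.translate(Packet("wan", "203.0.113.20", 50001, WAN_IP, 8080))           # exported on a different port
    r["direct"] = gw.translate(Packet("wan", "203.0.113.77", 4444, "10.0.0.3", 3024))       # private address: unreachable
    return r


if __name__ == "__main__":
    for name, pkt in run_sample().items():
        print(f"{name:12} {pkt}")
```

Two details worth noticing in the output: the two LAN hosts that both use source port 40000 get different ports on the WAN side (1024 and 1025), which is why the gateway must rewrite ports and not just addresses; and the reply from the exported database server leaves with 240.166.1.125:3024 as its source, so the remote client never learns that 10.0.0.3 exists.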



Koen Noens
June 2002