Understanding Firewall Types
Firewalls primarily function using at least one of three methods: packet filtering, Network Address Translation (NAT), and proxy services. Crystal Enterprise works with each of these firewall types. Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. NAT translates the IP address of internal hosts to hide them from outside access; NAT is often referred to as "IP masquerading." Proxy services make high-level application connections on behalf of internal hosts to completely break the network layer connection between internal and external hosts. Let's look at these different types in more detail.
Packet Filtering
Packet filtering inspects and selectively deletes packets before they are delivered to the destination computer. Packet filtering can delete packets based on the following:
- The address from which the data is coming
- The address to which the data is going
- The session and application ports being used to transfer the data
- The data contained by the packet
Typically, there are two types of packet filtering: stateful and stateless. Stateful packet filters remember the state of connections at the network and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts. Stateless packet filters do not retain information about connections in use; they make determinations packet-by-packet based only on the information contained within the packet.
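The distinction matters in practice because a stateless filter has to decide whether an inbound packet is return traffic from the packet alone, while a stateful filter can ask whether an internal host actually opened the session. The following Python script is an added example, not code from the book or from Crystal Enterprise: it runs one constructed four-packet trace through both kinds of filter. The Packet type, the 10.0.0.0/24 internal range and the rule sets are assumptions made for the illustration.

```python
"""Stateless versus stateful packet filtering on a constructed packet trace.

Added illustration, not code from the book or from Crystal Enterprise. The
Packet type, the internal address range, the rule set and the sample traffic
are all constructed for this example. Both filters want the same policy: let
internal hosts open connections outward and admit only the replies. The
stateless filter must infer "this is a reply" from one packet's own fields
(here: the ACK flag is set); the stateful filter checks a table of sessions
it has actually seen leave the network.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed: the protected network, as a string prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Decide on each packet in isolation, with no memory of earlier packets.

    Outbound traffic from an internal host is allowed. Inbound traffic is
    allowed only when the ACK flag is set, the usual stateless approximation of
    "part of an established connection". The filter has no way to know whether
    any internal host ever started that connection.
    """
    if is_internal(pkt.src):
        return True
    return pkt.ack


class StatefulFilter:
    """Record sessions opened from inside; admit inbound packets only for those."""

    def __init__(self) -> None:
        # Session key: (internal host, internal port, external host, external port)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            # Outbound: remember the session so its return packets can be matched.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: mirror the tuple and require a session that really exists.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_traffic(packets):
    """Return (stateless decisions, stateful decisions) for a packet sequence."""
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in packets],
            [stateful.decide(p) for p in packets])


# Constructed trace: one legitimate web session, then two inbound packets from
# a host no internal client ever talked to. The third packet carries the ACK
# flag even though it belongs to no session; the fourth is a plain SYN.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),           # internal client opens
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),  # genuine SYN/ACK reply
    Packet("198.51.100.7", 1234, "10.0.0.9", 139, ack=True),           # unsolicited, ACK set
    Packet("198.51.100.7", 1234, "10.0.0.9", 139, syn=True),           # unsolicited, plain SYN
]

if __name__ == "__main__":
    for pkt, a, b in zip(SAMPLE_TRACE, *run_traffic(SAMPLE_TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a}  stateful={b}")
```

Both filters pass the client's outbound SYN and the server's SYN/ACK and both drop the bare inbound SYN; they differ only on the third packet, which the stateless filter admits because it cannot tell a forged ACK from a real reply.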
Understanding NAT
NAT converts private IP addresses in a private network to globally unique public IP addresses for use on the Internet. Its main purpose is hiding internal hosts. It makes it appear that all traffic from your site comes from a single IP address. NAT hides internal IP addresses by converting all internal host addresses to the address of the firewall as packets are routed through the firewall. The firewall then retransmits the data payload of the internal host from its own address using a translation table to keep track of which sockets (connections) on the exterior interface equate to which sockets on the interior interface. This is also a simple proxy.
There are several NAT types including the following:
- Static translation (port forwarding). This is when a specific internal network resource has a fixed translation that never changes. If you're running an e-mail server inside a firewall, a static route for port 25 of the external address can be established through the firewall that maps to the right machine internally.
- Dynamic translation (automatic, hide mode, or IP masquerade). This is where a large group of internal clients share a small group of external IP addresses for the purpose of expanding the internal network address space. Because a translation entry does not exist until an interior client establishes a connection out through a firewall, external computers have no method to address an internal host that is protected using a dynamically translated IP address.
- Load balance translation. In this configuration, a single IP address and port is translated to a pool of identically configured servers; that is, a single IP address serves a group of servers. This allows you to spread the load of one very popular Web site across several different servers by using the firewall to choose which internal server each external client should connect to on either a round-robin or balanced load basis. This is somewhat similar to dynamic translation in reverse: the firewall chooses which server each connection attempt should be directed to from among a pool of clones.
- Network redundancy translation. Multiple Internet connections are attached to a single NAT firewall. The firewall chooses and uses each Internet connection based on load and availability. The firewall is connected to multiple ISPs through multiple interfaces and has a public masquerade address for each ISP. Each time an internal host makes a connection through the firewall, that firewall decides, on a least-loaded basis, on which network to establish the translated connection. In this way, the firewall is able to spread the internal client load across multiple networks.
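To make the translation-table mechanics concrete, here is an added Python model of a NAT firewall with one static (port-forwarding) entry for SMTP on port 25, as in the e-mail server case above, and dynamic (hide-mode) translation for outbound clients. It is example code, not from the book or from Crystal Enterprise; the NatFirewall class, the public address 198.51.100.1, the internal hosts and the port range are constructed for the illustration.

```python
"""Static and dynamic NAT modelled as a translation table.

Added illustration, not code from the book or from Crystal Enterprise. The
Packet type, the NatFirewall class, the public address, the internal hosts and
the port numbers are constructed for the example. A real NAT device also
rewrites checksums and ages entries out; both are left out here.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, public_ip: str, first_dynamic_port: int = 50000) -> None:
        self.public_ip = public_ip
        self.next_port = first_dynamic_port  # dynamic range kept above any static ports
        # Static table: public port -> (internal host, internal port). Fixed, never expires.
        self.static: dict[int, tuple[str, int]] = {}
        # Dynamic table: public port -> interior socket plus the remote socket it talks to.
        self.dynamic: dict[int, tuple[str, int, str, int]] = {}
        # Reverse index so repeated outbound packets of one connection reuse their port.
        self.reverse: dict[tuple[str, int, str, int], int] = {}

    def add_static(self, public_port: int, internal_host: str, internal_port: int) -> None:
        """Static translation (port forwarding): one fixed mapping, e.g. SMTP to a mail server."""
        self.static[public_port] = (internal_host, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Dynamic translation: rewrite the source to the firewall's own socket."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.reverse.get(key)
        if port is None:
            # First packet of this connection: allocate an exterior port and record it.
            port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[key] = port
            self.dynamic[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet):
        """Map a packet arriving at the public address back inside, or drop it (None)."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.static:
            host, port = self.static[pkt.dport]
            return replace(pkt, dst=host, dport=port)
        entry = self.dynamic.get(pkt.dport)
        if entry is None:
            # No interior client created this entry, so the external host has no
            # way to address anything inside: this is what hides the network.
            return None
        in_host, in_port, remote_host, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_host, remote_port):
            return None  # right port, wrong peer: not a reply to our connection
        return replace(pkt, dst=in_host, dport=in_port)


def demo() -> dict:
    """Run a constructed scenario and return every translation decision."""
    nat = NatFirewall("198.51.100.1")
    nat.add_static(25, "10.0.0.20", 25)  # e-mail server behind the firewall
    out = nat.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 80))
    return {
        "outbound_rewritten": out,
        # the web server replies to the firewall's socket; it is mapped back inside
        "reply_mapped_back": nat.inbound(Packet("203.0.113.10", 80, "198.51.100.1", 50000)),
        # same public port, but a different remote host: dropped
        "reply_wrong_peer": nat.inbound(Packet("192.0.2.99", 80, "198.51.100.1", 50000)),
        # a port no one opened from inside: dropped
        "unsolicited": nat.inbound(Packet("192.0.2.99", 4444, "198.51.100.1", 50001)),
        # static entry: any external mail server reaches the internal SMTP host
        "static_smtp": nat.inbound(Packet("192.0.2.33", 5555, "198.51.100.1", 25)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The scenario shows the two properties the text describes: an external host can reach the mail server only because an administrator created the static entry, and it can reach a dynamically translated client only on the exact exterior socket that client's own outbound packet created.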
Understanding Proxy Servers
Proxy servers were originally developed to cache Web pages that were frequently accessed. As the Web went supernova, the proxies became less effective as caching mechanisms, but another asset of proxy servers became evident: proxy servers can hide all the real users of a network behind a single machine, and they can filter URLs and drop suspicious or illegal content, or hide the identity of a user. The primary purpose of the majority of proxy servers is now serving as a sort of firewall rather than Web caching.
Proxy servers regenerate high-level service requests on an external network for their clients on a private network. This effectively hides the identity and number of clients on the internal network from examination by an external network user.
Proxies work by listening for service requests from internal clients and then sending those requests on the external network as if the proxy server itself were the originating client. When the proxy server receives a response from the public server, it returns that response to the original client as if it were the originating public server. You can even use the proxy server to load balance, similarly to NAT load balancing. As far as the user is concerned, talking to the proxy server is just like talking directly to the real server. As far as the real server is concerned, it's talking to a user on the host that is running the proxy server; it doesn't know that the user is really somewhere else.
The use of proxies does not require any special hardware, but something somewhere has to be certain that the proxy server gets the connection. This might be done on the client end by telling it to connect to the proxy server (Socks), or it might be done by intercepting the connection without the client's knowledge and redirecting it to the proxy server.
Socks is a protocol that a proxy server can use to accept requests from client users in a company's network so that it can forward them across the Internet. Socks uses sockets, a method for communication between a client program and a server program in a network. A socket is an endpoint in a connection. Sockets are created and used with a set of programming requests or function calls to represent and keep track of individual connections. A proxy must exist for each service. Protocols for which no proxy service is available cannot be connected through a proxy except by a generic TCP proxy service that works similarly to a NAT.
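The Socks exchange described above, as an added Python example that is not code from the book or from Crystal Enterprise: the client side builds its greeting and CONNECT request in the SOCKS version 5 message format (RFC 1928), and the proxy side parses the request, applies a destination allow-list (the filtering role the text gives proxies) and builds the reply a server would send. The ALLOWED set, the bind address 198.51.100.1 and the sample destinations are constructed; no network connection is opened, so the messages can be studied offline.

```python
"""SOCKS5 greeting and CONNECT request handling with a destination policy.

Added illustration, not code from the book or from Crystal Enterprise. Message
layouts follow RFC 1928; the ALLOWED policy, the bind address and the sample
destinations are constructed. The proxy here only parses the client's request
and builds the reply; a real server would then open the outbound connection
from its own address and relay bytes, so the origin server sees only the proxy.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08

# Constructed policy: the only destinations this proxy will open for clients.
ALLOWED = {("www.example.com", 443), ("203.0.113.10", 80)}
# Constructed: the proxy's own external socket, reported as BND.ADDR / BND.PORT.
BIND_ADDR, BIND_PORT = "198.51.100.1", 51000


def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client side: VER NMETHODS METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def negotiate_method(greeting: bytes) -> bytes:
    """Server side: choose an authentication method and reply VER METHOD."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def build_connect(host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT request."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:  # not an IP literal: send it as a domain name
        name = host.encode("ascii")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def build_reply(rep: int) -> bytes:
    """Server side: VER REP RSV ATYP BND.ADDR BND.PORT (IPv4 bind address)."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(BIND_ADDR).packed + struct.pack("!H", BIND_PORT))


def handle_request(req: bytes, allowed=ALLOWED):
    """Parse a CONNECT request, apply the policy, return (reply, destination or None)."""
    if len(req) < 5 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        name_len = req[4]
        host, end = req[5:5 + name_len].decode("ascii"), 5 + name_len
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        return build_reply(REP_ATYP_UNSUPPORTED), None
    if len(req) != end + 2:
        raise ValueError("truncated or trailing bytes in SOCKS5 request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_UNSUPPORTED), None
    if (host, port) not in allowed:
        # Policy decision: this is the point where a proxy filters destinations.
        return build_reply(REP_NOT_ALLOWED), None
    return build_reply(REP_SUCCESS), (host, port)


if __name__ == "__main__":
    print("server method reply:", negotiate_method(build_greeting()).hex())
    for host, port in [("www.example.com", 443), ("198.51.100.7", 23)]:
        reply, dest = handle_request(build_connect(host, port))
        print(f"{host}:{port} -> REP=0x{reply[1]:02x} dest={dest}")
```

Because the client names its destination explicitly in the request, the proxy can enforce policy per destination before any connection exists, and every permitted connection the origin server sees comes from BIND_ADDR, which is the hiding effect the text describes.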