
firewalls and routers



Y'all,

Firewalls and routers are essentially different tools designed to do
rather different things. Some manufacturers are blurring the issue,
however, by offering 'package deals' or routers with firewall
functionality.

What a router does is parse headers, which in our case is usually
TCP/IP, though in corporate LANs there may be protocols other than
TCP/IP running. Routers can filter any combination of bits in any number of
headers, including source and destination IP addresses and (TCP or
UDP) port numbers. A port number identifies an application.

Applications are assigned port numbers by IANA (Internet Assigned
Numbers Authority, which is a beer club that meets once a year in
southern Cal and decides which applications get which port numbers). By
means of ACLs (access control lists), routers can be configured to allow
only certain combinations of IP addresses and port numbers to transit
the router.

ACLs do not parse payloads or attachments.

Most malicious code is not part of the TCP/IP header structure, but is
rather in payloads (e.g., email attachments). To stop malicious code
from getting into the LAN you have two options: either stop the source
IP address and port numbers (if these are known) at the router port of
entry, or scan the payloads for suspicious attachments/payloads. Some
routers have extra modules (either software or hardware) which do the
latter, or you can perform the latter on a separate device such as a
firewall or on the receiving station (e.g., a pc).

Professional (industrial strength) protection systems not only scan
payloads, they also perform intrusion detection, and monitor such things
as port scan attacks and denial of service attacks. These are usually
separate devices from routers, but some router manufacturers offer
high-end routers with this functionality. Configuring such devices
requires detailed knowledge of the TCP/IP stack and of the applications
and addresses to be expected in the LAN environment. They are not
plug-and-play devices.

Small-scale firewalls are marketed for private use; they attempt to
automate these functions as much as possible by making assumptions about
which applications most private users are likely to need and allowing
the corresponding port numbers through. Windows nowadays ships with
such functionality. I consider these automated firewalls to be of
limited value, as the people who hack for fun and profit know very well
which port numbers these 'toy' firewalls routinely leave open.

Router firewalls are not inherently inadequate; what is usually
inadequate is the user's knowledge of how to configure the router. In a
world of ever-changing threats, you cannot expect to configure a router
firewall once and forget it. If you are serious about firewalling, you
have to keep current, and that means checking the following web site (or
a similar one) regularly:

http://securityresponse.symantec.com/avcenter/vinfodb.html#threat_list

There you will find up-to-date information about which port numbers the
current wave of viruses and worms are using to attempt to gain access to
LANs, and the IP addresses of servers with which malicious code will
attempt to communicate if it installs itself within the LAN. I check
weekly. That stops bugs from getting into the LAN.

If you don't know what you're doing, don't. My advice for the TCP/IP
semi-literate is, just install Norton AV or McAfee or whatever and get
rid of the bugs after they get past the router. If your router has
firewall functionality, fine, but don't assume it is current and that
you are protected forever.

Once malicious code gets onto a pc, it is not generally possible to
prevent it from communicating with other machines in the LAN. If you are
logged on to your pc in administrator mode, then the malicious code is,
too. Once you are infected, a firewall won't help, short of blocking all
outbound ports--but in that case, you might as well pull the Ethernet
cable out of its socket.

In my private LAN, I use a combination of ZoneAlarm and MailWasherPro,
and have not needed my Norton AV.

In general, Linux, Mac OS, and OS/2 are seldom targeted by malicious
code.

If anyone wishes more detailed information about routing or firewalling,
I am at your service.

Flash
CCSI (that's Cisco Certified Systems Instructor)
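As an added example that is not part of the original post: a small Python model of the distinction the post draws. A router's extended ACL is evaluated over header fields only (protocol, source and destination address, destination port), first match wins, with an implicit deny at the end; a payload scanner is the separate step that looks at the bytes the ACL never sees. The addresses, rules, packets and the "known bad host" below are constructed for illustration (documentation ranges, not real indicators); the signature is the standard EICAR anti-virus test string. Nothing here is Cisco's code or the post author's configuration.

```python
"""Added example (not from the original post): a router-style ACL that
sees only packet headers, beside a payload scanner that sees the bytes
the ACL cannot. All addresses, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port: identifies the application
    payload: bytes = b""   # what an ACL never looks at


@dataclass
class Rule:
    """One extended-ACL entry in Cisco style: action proto src dst [eq port]."""
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip" (any protocol)
    src: str            # CIDR; "0.0.0.0/0" means any
    dst: str            # CIDR; "/32" means a single host
    dports: tuple = ()  # empty tuple means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.dports or pkt.dport in self.dports


def acl_decision(acl: list, pkt: Packet) -> str:
    """First matching rule wins; an ACL ends in an implicit 'deny ip any any'."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def scan_payload(pkt: Packet, signatures: dict) -> list:
    """The step the router's ACL does not do: inspect the payload itself."""
    return [name for name, sig in signatures.items() if sig in pkt.payload]


# Inbound ACL on the Internet-facing interface: allow only mail (25) and
# web (80) to the public server 203.0.113.10, and block one known bad
# source outright (the kind of address the post says to take from a
# threat list). The host is a constructed, documentation-range address.
KNOWN_BAD_HOST = "198.51.100.7"
INBOUND_ACL = [
    Rule("deny",   "ip",  KNOWN_BAD_HOST + "/32", "0.0.0.0/0"),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", (25, 80)),
]

# Signature table for the payload scanner (EICAR is the standard test string).
SIGNATURES = {"eicar-test-file": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}

# Constructed traffic samples.
MAIL_FROM_BAD_HOST = Packet(KNOWN_BAD_HOST, "203.0.113.10", "tcp", 25)
TELNET_TO_SERVER = Packet("192.0.2.33", "203.0.113.10", "tcp", 23)
MAIL_WITH_ATTACHMENT = Packet(
    "192.0.2.33", "203.0.113.10", "tcp", 25,
    payload=b"Subject: invoice\r\n\r\n...EICAR-STANDARD-ANTIVIRUS-TEST-FILE...",
)


def classify(pkt: Packet) -> tuple:
    """Return (router verdict, payload hits). A permitted packet on an
    allowed port still carries whatever payload it carries; only the
    scanner, not the ACL, flags it."""
    verdict = acl_decision(INBOUND_ACL, pkt)
    hits = scan_payload(pkt, SIGNATURES) if verdict == "permit" else []
    return verdict, hits


if __name__ == "__main__":
    for name, pkt in [("mail from known bad host", MAIL_FROM_BAD_HOST),
                      ("telnet to server", TELNET_TO_SERVER),
                      ("mail with bad attachment", MAIL_WITH_ATTACHMENT)]:
        print(f"{name:26s} -> {classify(pkt)}")
```

The third sample is the post's point in miniature: the router permits it because port 25 to the mail server is an allowed header combination, and only the payload scan (on a firewall module or the receiving station) catches the attachment. Blocking the known bad host works only as long as the address in the ACL is still the one the current malware uses, which is why the post insists on refreshing the list.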