3.5 Summary
As explained in earlier chapters, a firewall on a computer network is
a device that protects a private local network from the rest of the
world (public parts of the same network or the Internet at large). The
role of a firewall is typically filled by a computer (or computers) that
can reach both the private network and the Internet, thereby allowing
it to restrict the flow of data between the two. The protected network,
therefore, cannot reach the Internet, and the Internet cannot reach
the protected network unless the firewall computer allows it. For
someone to reach the Internet from inside the protected network,
they must log in to the firewall (via Telnet, rlogin, etc.) and use the
Internet from there.
With the preceding in mind, a dual-homed system (i.e., a system
with two network connections) is the simplest form of a firewall.
A firewall can be set up with IP forwarding or “gatewaying” turned off,
and accounts can be given to everyone on the network—that is, if
system users can be trusted. The users can then log in to the firewall and
run their network services (FTP, Telnet, mail, etc.) from there. Thus,
the only computer on the private network that knows anything about
the outside world is the firewall with this setup. Therefore, a default
route is not needed by the other systems on the protected network.
Such a system relies entirely on all users being trusted, and that’s its
greatest weakness. It is, therefore, not recommended.
Nevertheless, firewalls are indispensable assets in most organizations
today. However, like all technologies, firewalls can create
problems of their own. Imagine the case where your organization’s
Web server publishes a Java applet that makes calls to a Java
Database Connectivity (JDBC) client. It then sends messages to a
JDBC server (a Transmission Control Protocol [TCP] service) running
on a particular port of a host at your site. As the administrator of
your site, you configure your firewall (see Chapter 7 for detailed
information) to allow this traffic in either direction. But you may
have neither knowledge nor control of the remote site whose browser
downloaded your applet. If a firewall at that site is configured to deny
traffic destined for this same port, you have a problem. This is an
instance where an intranet over which you have control can provide
a more certain solution than the Internet, over which you have
relatively little control.