Chapter 13. Proactive Defense: Firewalls

Most people have at best a fuzzy idea of just what a firewall is and how it really works. Thanks to Hollywood and the many Mission Impossible-like movies, quite a few think it has something to do with disassembling a fax machine and hooking it to an iPod.

In its purest form, a firewall is actually a straightforward and simple thing. A firewall inspects each packet as it arrives on an interface, searches a table of rules from the top until it finds one that matches the packet, and then takes the action that rule specifies.

If the packet matches no rule, a default action decides the packet’s fate; this case is generally known as falling through the bottom of the rule set. For firewalls, the generally accepted good default action is Deny. That is, unless we explicitly permit a particular access, the packet is dropped. This allows us to permit what we know and block what we do not.
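The first-match walk and default-deny fall-through described above, as an added example in Python that is not from the book or any particular firewall product. The rule table, addresses and ports are constructed for illustration; the `shadowed_rules` check is an extra the text does not mention, showing why rule order matters in a first-match table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 matches any destination
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# The fall-through action: anything not explicitly permitted is dropped.
DEFAULT_ACTION = "deny"


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the table top to bottom; the first matching rule decides.

    Returns (action, index). index is None when the packet matched nothing
    and fell through the bottom of the table to DEFAULT_ACTION.
    """
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return DEFAULT_ACTION, None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Find rules that can never fire because an earlier rule covers
    everything they would match (a common misconfiguration in first-match
    tables). Returns (shadowed_index, shadowing_index) pairs."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            covers = (
                ip_network(later.src).subnet_of(ip_network(earlier.src))
                and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                and (earlier.proto is None or earlier.proto == later.proto)
                and (earlier.dport is None or earlier.dport == later.dport)
            )
            if covers:
                found.append((j, i))
                break
    return found


# Constructed rule table for an edge router; addresses are documentation
# ranges (RFC 5737) chosen only for the example.
RULES = [
    Rule("deny", src="10.0.0.0/8",
         comment="private source address arriving from outside: drop"),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=443,
         comment="public HTTPS server"),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=80,
         comment="public HTTP server"),
    Rule("permit", src="198.51.100.0/24", dst="192.0.2.20/32", proto="tcp",
         dport=22, comment="SSH to the bastion from the admin network only"),
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # permit, rule 1
        Packet("10.9.9.9", "192.0.2.10", "tcp", 443),      # deny, rule 0 fires first
        Packet("203.0.113.5", "192.0.2.20", "tcp", 22),    # falls through: deny
        Packet("198.51.100.7", "192.0.2.20", "tcp", 22),   # permit, rule 3
    ]
    for p in samples:
        print(p, "->", filter_packet(RULES, p))
    print("shadowed:", shadowed_rules(RULES))
```

Note that the spoofed-source packet to port 443 is dropped even though a later rule would permit it: the first match wins, so a deny placed above a permit is a restriction, and a broad permit placed above a deny silently makes the deny dead, which is what `shadowed_rules` reports.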

Firewall Basics

Generally there are three ways to deploy a firewall: as a Router/NAT Gateway, on an endpoint as a Host-based Firewall, or as a Transparent/Bridging firewall. I will cover the first two in this chapter—the Router and the Host.

Router/Network Address Translation Router

This kind of firewall sits between different LAN subnets at Layer 3 and filters traffic sent to it for forwarding. It cannot prevent attacks between individual nodes on the same subnet (see the section "Transparent/Bridge Firewall" later in this chapter). It may perform Network ...
