
Feleke Firewall Note 2023

The document discusses firewall basics and provides definitions, explanations, and examples of key concepts. Specifically, it defines what a firewall is, explains how firewalls work by filtering network traffic based on predefined rules, and outlines common firewall types and their functions, such as blocking certain incoming/outgoing traffic, screening content, and reporting activities. The objectives are to explain the role of firewalls, list their benefits and limitations, describe firewall types, and discuss common bypass methods.


Unity University

College of Engineering, Technology, and Computational Sciences

Department of Computer Science

Course Title: Computer System Security

Topic: Firewall Basics (Part 1)

Objectives
After reading this chapter and completing the exercises, you will be able to do the following:
• Explain the role of firewalls in computer networks,
• List the benefits and limitations of firewalls,
• Describe the various firewall types, and
• Discuss the methods used to bypass firewalls.

1. Introduction to Network Firewalls


1.1 Understanding Firewall Basics

Nations without controlled borders cannot ensure the security and safety of their citizens, nor can
they prevent piracy and theft. Networks without controlled access cannot ensure the security or
privacy of stored data, nor can they keep network resources from being exploited by hackers.
When you connect your private network to the Internet, you are in fact connecting your network
directly to every other network that is attached to the Internet.

In order to protect private networks and individual machines from the dangers of the greater
Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined
set of rules that are called firewall policies.

Firewalls may be used both as a protective measure, to shield internal network users from
malicious attackers on the Internet, or as a means of censorship. For example, many companies
prevent internal users from using certain protocols or visiting certain web sites by employing
firewall technology. On a much larger scale, some countries, such as China, impose censorship of
their citizens by subjecting them to restrictive national firewall policies that prevent users from
visiting certain types of web sites.

Source: Feleke Merin HaileMariam (Dr. Engr.) Page 1



Network firewall defined

• A network firewall is a piece of software or hardware that filters all network traffic between
your computer, home network, or company network and the Internet. Everyone who uses
the Internet needs some kind of firewall protection.
• A network firewall protects a computer network from unauthorized access.
• Network firewalls may be hardware devices, software programs, or a combination of the two.
• Network firewalls guard an internal computer network (home, school, business intranet)
against malicious access from the outside.
• Network firewalls may also be configured to limit access to the outside from internal users.
• Firewalls are used to create security checkpoints at the boundaries of private networks.
• At these checkpoints, firewalls inspect all packets passing between the private network and
the Internet and determine whether to pass or drop the packets depending on how they
match the policy rules programmed into the firewall.
• If your firewall is properly configured, is capable of inspecting every protocol you allow to
pass, and contains no serious exploitable bugs, your network will be as free from risk as
possible.


Firewall implementation
Firewalls can be implemented in either hardware or software, and are typically deployed at the
perimeter of an internal network, at the point where that network connects to the Internet (see
Figure 1 below). In this model of network topology, the Internet is considered an untrusted
zone, the internal network is considered a zone of higher trust, and any machines, like a firewall,
situated between the Internet and the internal trusted network are in what is known as a
demilitarized zone, or DMZ (borrowing terminology from the military). Incidentally, firewalls are
also commonly implemented in software on personal computers.

Although larger organizations may also place firewalls between different parts of their own
network that require different levels of security, most firewalls screen traffic passing between an
internal network and the Internet. This internal network may be a single computer or it may
contain thousands of computers.

There are literally hundreds of firewall products available, and there are different theories from
different security experts on how firewalls should be used to secure your network. This chapter
will explore the operation of a generic firewall in detail, outline the important features you need
in a firewall, and discuss how firewalls should be deployed in networks of any size.


What firewalls do


What exactly does a firewall do? As network traffic passes through the firewall, the firewall
decides which traffic to forward and which traffic not to forward, based on rules that you have
defined. All firewalls screen traffic that comes into your network, but a good firewall should also
screen outgoing traffic.

Most firewalls examine the packet header to determine whether the packet should be allowed to
enter or leave a network behind a firewall. The header contains valuable information about:

a) where a packet comes from (source IP address),
b) what computer is the intended recipient of the packet (destination IP address and destination port),
c) what program on the destination computer should process the information in the packet.

This program could be a Web server or a mail server application. Some firewalls can also examine
the inside of a packet or the insides of multiple packets, such as all packets that comprise an e-mail
message or a Web page, and then decide how to handle this traffic.

Linux and Windows ship with a simple firewall. For Windows, the firewall handles filtering both
inbound and outbound traffic. You should turn on and configure your individual computer firewalls
in addition to perimeter firewalls.

The following list includes the most common features of firewalls:


a) Block incoming network traffic based on source or destination: Blocking unwanted incoming
traffic is the most common feature of a firewall.

b) Block outgoing network traffic based on source or destination: Many firewalls can also
screen network traffic from your internal network to the Internet. For example, you may
want to prevent employees from accessing inappropriate Web sites.

c) Block network traffic based on content: More advanced firewalls can screen network traffic
for unacceptable content. For example, a firewall that is integrated with a virus scanner
can prevent files that contain viruses from entering your network. Other firewalls integrate
with e-mail services to screen out unacceptable e-mail.


d) Make internal resources available: Although the primary purpose of a firewall is to prevent
unwanted network traffic from passing through it, you can also configure many firewalls
to allow selective access to internal resources, such as a public Web server, while still
preventing other access from the Internet to your internal network.

e) Allow connections to internal network: A common method for employees to connect to a
network is using virtual private networks (VPNs). VPNs allow secure connections from the
Internet to a corporate network. For example, telecommuters and traveling salespeople can
use a VPN to connect to the corporate network. VPNs are also used to connect branch
offices to each other. Some firewalls include VPN functionality and make it easy to establish
such connections.

f) Report on network traffic and firewall activities: When screening network traffic to and from
the Internet, it’s also important to know what your firewall is doing, who tried to break
into your network, and who tried to access inappropriate material on the Internet. Most
firewalls include a reporting mechanism of some kind or another.

Firewall security policies

When a packet arrives at a firewall, a security policy is applied to determine the appropriate action.
Actions include accepting the packet, which means the packet is allowed to travel to the intended
destination. A packet can be denied, which means the packet is not permitted to travel to the
intended destination (it is dropped, or possibly bounced back). The firewall may also log
information about the packet, which is important for maintaining certain services.

It is convenient to view a firewall policy as an ordered list of rules, as shown in Table 1. Each
firewall rule consists of a set of tuples (or fields) and an action. Each tuple corresponds to a field
in the packet header, and there are five such fields for an Internet packet (in this order; see Table 1):
• Protocol,
• Source Address,
• Source Port,
• Destination Address, and
• Destination Port.
A firewall rule may also contain wildcards (*), and addresses may be written in standard prefix
format.


Table 1: A security policy consisting of six rules (from 1 to 6), each of which has five parts

As packets pass through a firewall, their header information is sequentially compared to the fields
of a rule. If a packet’s header information is a subset of a rule, it is said to be a match, and the
associated action, to accept or reject (deny), is performed. Otherwise, the packet is compared to
the next sequential rule. This is considered a first-match policy since the action associated with the
first rule that is matched is performed.

For example, assume that a packet has the following values in the header: the protocol is TCP, source
IP is 210.1.1.1, source port is 3080, destination IP is 220.2.33.8, and destination port is 80.

When the packet arrives it is compared to the first rule, which results in no match since the rule is
for UDP packets. The firewall then compares the packet to the second rule, which results in no match
since the source IP is different. The packet does not match the third rule, but it does match the
fourth rule. The rule action is performed and so the packet is allowed to pass the firewall.

A default rule, or catch-all, is often placed at the end of a policy with action reject. The addition of
a default rule makes a policy comprehensive, indicating that every packet will match at least one
rule. In the event that a packet matches multiple rules, the action of the first matching rule is
taken. Therefore the order of rules is very important.
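The first-match evaluation walked through above, as an added example that is not part of the note (Table 1 itself is an image that did not survive extraction). The six-rule policy below is constructed so that the sample packet misses rules 1 to 3 and matches rule 4; addresses may be written as CIDR prefixes and * is a wildcard, and reversing the list shows why rule order matters.

```python
import ipaddress

# Constructed six-rule policy (not the note's Table 1). Fields are in the order
# the text gives: protocol, source address, source port, destination address,
# destination port, then the action. "*" is a wildcard; addresses may be a
# single host or a CIDR prefix. Rule 6 is the catch-all default.
POLICY = [
    ("UDP", "*",            "*", "*",           "53", "accept"),  # rule 1
    ("TCP", "192.168.1.1",  "*", "*",           "80", "accept"),  # rule 2
    ("TCP", "*",            "*", "10.0.0.0/8",  "*",  "accept"),  # rule 3
    ("TCP", "210.1.1.0/24", "*", "220.2.33.8",  "80", "accept"),  # rule 4
    ("TCP", "*",            "*", "*",           "22", "deny"),    # rule 5
    ("*",   "*",            "*", "*",           "*",  "deny"),    # rule 6: default
]


def addr_match(pattern, addr):
    """Match an address against "*", a single host, or a CIDR prefix."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def field_match(pattern, value):
    """Match a protocol or port field against "*" or an exact value."""
    return pattern == "*" or str(pattern) == str(value)


def rule_matches(rule, pkt):
    """A packet matches when every one of the five header fields matches."""
    proto, src, sport, dst, dport, _action = rule
    return (field_match(proto, pkt["proto"])
            and addr_match(src, pkt["src"])
            and field_match(sport, pkt["sport"])
            and addr_match(dst, pkt["dst"])
            and field_match(dport, pkt["dport"]))


def first_match(policy, pkt):
    """Return (rule number, action) of the first matching rule, numbered from 1.

    Later rules are never consulted once a match is found, which is why the
    order of rules matters and why the catch-all must come last.
    """
    for number, rule in enumerate(policy, start=1):
        if rule_matches(rule, pkt):
            return number, rule[5]
    return None, "deny"   # no catch-all in the policy: fall back to deny


if __name__ == "__main__":
    # The packet from the text: TCP 210.1.1.1:3080 -> 220.2.33.8:80
    pkt = {"proto": "TCP", "src": "210.1.1.1", "sport": 3080,
           "dst": "220.2.33.8", "dport": 80}
    print(first_match(POLICY, pkt))                  # (4, 'accept')
    print(first_match(list(reversed(POLICY)), pkt))  # (1, 'deny'): catch-all now first
```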


Methods used by firewalls to enforce security policy


There are four general techniques that firewalls use to control access and enforce the site’s security
policy.
a) Service control: Determines the types of Internet services that can be accessed, inbound or
outbound. The firewall may filter traffic on the basis of IP address, protocol, or port
number; may provide proxy software that receives and interprets each service request
before passing it on; or may host the server software itself, such as a Web or mail service.

b) Behavior control: Controls how particular services are used. For example, the firewall may
filter e-mail to eliminate spam, or it may enable external access to only a portion of the
information on a local Web server.
c) Direction control: Determines the direction in which particular service requests may be
initiated and allowed to flow through the firewall.

d) User control: Controls access to a service according to which user is attempting to access it.
This feature is typically applied to users inside the firewall perimeter (local users). It may
also be applied to incoming traffic from external users; the latter requires some form of
secure authentication technology, such as is provided in IPsec.


1.2 Firewall Types


Firewalls can be categorized into three general classes:
a) Packet filter (or stateless packet filtering) firewalls,
b) Stateful packet firewalls, and
c) Application layer firewalls (or application-proxy gateway firewalls).
Each type provides a certain type of security and is best described within the context of a layered
model for computer networks —for example, the Open Systems Interconnect (OSI) or TCP/IP
model, as shown in Figure 2.

Figure 2: Layered model for computer networks and example implementations for each layer.

The following sections discuss each type of firewall and list the advantages and
disadvantages of each.
i) Packet filtering (or stateless packet filtering) firewall
• The capability to implement packet filtering is built into routers. A network router that
uses access control lists is a good example of a packet filtering device. Packet filtering is
configured through access control lists (ACLs). ACLs enable rule sets (or policies) to be built
that will allow or block traffic based on header information. The figure below shows a firewall
with a packet filtering router.


• Firewalls with packet filters operate at the network and transport layers based on the
information available in a packet.
• As traffic (or a packet) passes through the router, each packet is compared to the rule set and a
decision is made whether the packet will be permitted or denied.
• This decision is based on the information from the network and transport layers. ACLs work
with header information to make a permit or deny decision. ACLs can make permit or deny
decisions on the following categories:

a) Source IP address --- Is it from a valid or allowed address?
b) Destination IP address --- Is this address allowed to receive packets from this device?
c) Source port --- Includes TCP, UDP, and ICMP.
d) Destination port --- Includes TCP, UDP, and ICMP.
e) TCP flags --- Includes SYN, FIN, ACK, and PSH.
f) Protocols --- Includes protocols such as FTP, Telnet, SMTP, HTTP, DNS, and POP3.
g) Direction --- Can allow or deny inbound or outbound traffic.
h) Interface --- Can be used to restrict only certain traffic on certain interfaces.

Summary on packet-filtering firewall

PROS:
- Transparency and high performance (very fast)
- Easy to implement and maintain
- Application independence

CONS:
- Low security
- No screening above the network layer (no 'state' or application-context information)
- Data content passes unchecked
- Reliant on the destination port (DESTPORT)


Detailed discussion on packet filter firewall

• The packet filter has no memory (or state) regarding the packets that have arrived and departed.
That is, since a stateless filter keeps no record, the filter does not remember any
packet that has passed through it. This is a weakness that can be exploited by hackers to do
IP spoofing.
• Because packet filters keep no state, they can’t tell whether a connection
started inside or outside the organization.
• Each packet is treated as a singular event without reference to the preceding conversation.
That makes packet filtering firewalls quite susceptible to some DoS attacks, such as SYN
floods and other types of host flooding.

ii) Stateful Packet Inspection (SPI) firewall

• Stateful firewalls maintain state tables containing information on each active connection,
including the IP addresses, ports, and sequence numbers of packets.
• Each new packet is compared with the existing values in the state table to identify any deviation
from its expected state.
• Using these tables, stateful firewalls can solve the problem of allowing only those inbound TCP
packets that are in response to a connection initiated from within the internal network.
• Stateful packet inspection tracks the state of connections and blocks the packets that
deviate from the expected state; this improves on plain packet filters by using
transport layer features.
• TCP traffic has three states, namely, connection establishment, usage, and termination.
• Once the initial handshake is complete and allowed through the firewall, all subsequent
communication via that connection will be allowed, until the connection is finally
terminated.
• For example, to pass through a firewall, an attacker may generate a packet whose header
represents it as part of an established connection. Stateful inspection in a firewall must first
confirm whether the received packet is part of an established connection by consulting the
entries already in the state table.


• Table 2 (depicted below) shows an example of a state table. From the internal network, if a
device (e.g. 192.168.1.147) tries to connect to a device (192.0.9.40) outside the firewall, then
the connection is first verified against the firewall ruleset (or firewall policy) to identify whether
it is allowable.

Table 2: State table example

• If the connection is allowed, then an entry is added to the state table indicating that a new
session has been initiated.
• If a connection completes the three-way TCP handshake, then the connection state is changed
and all subsequent traffic that matches the row entry is permitted to pass through the
firewall.

Note:
• A stateful packet firewall is aware of the context in which a specific packet was
sent. This makes these firewalls far less susceptible to ping floods and SYN floods, as well as
less susceptible to IP spoofing.
• For example, if the firewall detects that the current packet is an ICMP packet and a stream
of several thousand packets has been continuously coming from the same source IP, it is
clearly a DoS attack and the packets will be blocked.
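The Table 2 walk-through, the forged "established" packet, and the ICMP flood note, as an added example that is not part of the note: a minimal stateful engine that keys a state table by connection, advances each entry through the TCP handshake, admits only packets that fit an existing entry's expected state, and counts ICMP per source so a flood from one address is blocked. The internal prefix 192.168.1.0/24, the allowed destination ports, the port numbers and the ICMP threshold are constructed assumptions.

```python
from collections import Counter, namedtuple

# Constructed assumptions (not from the note): internal network 192.168.1.0/24,
# ruleset allows only sessions initiated from inside to TCP ports 80 and 443.
Packet = namedtuple("Packet", "proto src sport dst dport flags")   # flags is a set
INTERNAL_PREFIX = "192.168.1."
ICMP_LIMIT = 100   # ICMP packets accepted per source before it is treated as a flood


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


def ruleset_allows_new_session(pkt):
    """Stand-in for the policy check done before a state-table entry is created."""
    return pkt.proto == "TCP" and is_internal(pkt.src) and pkt.dport in (80, 443)


class StatefulFirewall:
    def __init__(self):
        self.state = {}              # (src, sport, dst, dport) of initiator -> TCP state
        self.icmp_seen = Counter()   # ICMP packets counted per source address

    def _lookup(self, pkt):
        """Find the session this packet belongs to and the direction it flows in."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state:
            return fwd, "forward"
        if rev in self.state:
            return rev, "reply"
        return fwd, None

    def handle(self, pkt):
        if pkt.proto == "ICMP":
            self.icmp_seen[pkt.src] += 1
            return "drop" if self.icmp_seen[pkt.src] > ICMP_LIMIT else "accept"
        if pkt.proto != "TCP":
            return "drop"
        key, direction = self._lookup(pkt)
        current = self.state.get(key)
        if current is None:
            # No session yet: only a policy-approved SYN may open one. A packet
            # merely claiming to belong to an established connection is dropped.
            if pkt.flags == {"SYN"} and ruleset_allows_new_session(pkt):
                self.state[key] = "SYN_SENT"
                return "accept"
            return "drop"
        if current == "SYN_SENT" and direction == "reply" and pkt.flags == {"SYN", "ACK"}:
            self.state[key] = "SYN_RECEIVED"
            return "accept"
        if current == "SYN_RECEIVED" and direction == "forward" and pkt.flags == {"ACK"}:
            self.state[key] = "ESTABLISHED"
            return "accept"
        if current == "ESTABLISHED":
            if pkt.flags & {"FIN", "RST"}:
                del self.state[key]     # termination, simplified to a single packet
            return "accept"
        return "drop"                   # packet deviates from the expected state


def walkthrough():
    """Replays the Table 2 scenario plus two packets a stateless filter might pass."""
    fw = StatefulFirewall()
    inside, outside = "192.168.1.147", "192.0.9.40"
    verdicts = [
        fw.handle(Packet("TCP", inside, 42000, outside, 80, {"SYN"})),
        fw.handle(Packet("TCP", outside, 80, inside, 42000, {"SYN", "ACK"})),
        fw.handle(Packet("TCP", inside, 42000, outside, 80, {"ACK"})),
        fw.handle(Packet("TCP", outside, 80, inside, 42000, {"ACK", "PSH"})),  # data reply
        # Forged packet that looks "established" but has no session in the table.
        fw.handle(Packet("TCP", "203.0.113.9", 5555, inside, 445, {"ACK"})),
        # Inbound SYN to an internal host: not allowed by the ruleset.
        fw.handle(Packet("TCP", outside, 6000, inside, 22, {"SYN"})),
    ]
    return verdicts, fw.state.get((inside, 42000, outside, 80))


if __name__ == "__main__":
    print(walkthrough())   # (['accept', 'accept', 'accept', 'accept', 'drop', 'drop'], 'ESTABLISHED')
```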


iii) Application-proxy gateway firewall

• An application-proxy gateway firewall has a proxy agent (or proxy server) between two
communicating hosts and does not allow a direct connection between them. The proxy server
sits between a client and a web server and communicates with the server on behalf of the
client. For every successful connection, two separate connections are created: one
between the client and the proxy server and another between the proxy server and the true
destination. The proxy remains transparent to both hosts, giving the illusion of a direct
connection.

• Proxy servers have the following advantages:

1) They can be used to cache frequently accessed pages.
2) They provide a higher level of security by preventing direct connections between the hosts and
inspecting traffic content to identify policy violations.
3) They have the ability to decrypt packets, examine them and re-encrypt them before
sending them to the destination host.

• Firewalls with application-proxy gateways also have a disadvantage: the firewall spends
more time reading and interpreting every packet.

• An application proxy or application-level proxy is a program that runs on a firewall. When a
client program, such as a web browser, establishes a connection to a destination service,
such as a web server, it connects to an application gateway, or proxy. The client then
negotiates with the proxy server in order to gain access to the destination service (web server).


• In effect, the proxy establishes the connection with the destination behind the firewall and acts
on behalf of the client, hiding and protecting individual computers on the network behind the
firewall. This process actually creates two connections. There is one connection between the
client and the proxy server and another connection between the proxy server and the
destination.

That means it does not allow direct connections between an internal host and an external
server under any circumstances.

• Once a connection is established, the application gateway makes all decisions about which
packets to forward. Since all communication is conducted through the proxy server,
computers behind the firewall are protected.

Summary on application-proxy gateway firewall

• Maintains complete TCP connection state and sequencing through 2 connections
- User to proxy session
- Proxy to destination server session
• A process table keeps the connections straight
• The most secure form of firewall
• Slower performance

Note
• Application firewalls are available for various common protocols, including HTTP (Hyper Text
Transfer Protocol), FTP, DB (such as SQL [Structured Query Language]), e-mail (SMTP [Simple
Mail Transfer Protocol], Post Office Protocol [POP], and Internet Message Access Protocol
[IMAP]), Voice over IP (VoIP) and Extensible Markup Language (XML).

• An example of a proxy server is a Web application firewall server. Popular Web applications
are filtered based on their port numbers as below:

- HTTP (port 80)
- FTP (port 20 and 21)
- SSL (port 443)
- Gopher (port 70)
- Telnet (port 23)
- Mail (port 25)

• An application-proxy gateway operates at the application layer and inspects the actual
traffic content. An application-proxy gateway has the following advantages:


Summary on application-proxy gateway firewall

PROS:
- Good security
- Full application-layer awareness
CONS:
- Poor performance
- Limited application support
- Poor scalability (breaks client/server model)

The following list summarizes the different technologies that can be used to protect a network:

Name                                Category              Attributes
Network address translation (NAT)   Address translation   Hides internal addresses
Packet filter                       Firewalls             Performs stateless packet inspection;
                                                          filters based on packet header options
Stateful packet                     Firewalls             Tracks connection state;
                                                          filters based on packet data/state
Proxy servers                                             Performs caching/stateful inspection;
                                                          application-level, inspects the entire packet

NAT (network address translation):

• NAT can be used to translate between private and public IP addresses.
• Private IP addresses are those that are considered unroutable—being unroutable means
that public Internet routers will not route traffic to or from addresses in these ranges. RFC
1918 defines the three ranges of private addresses as

192.168.0.0 --- 192.168.255.255

172.16.0.0 --- 172.31.255.255

10.0.0.0 --- 10.255.255.255

• NAT enables a firewall or router to act as an agent between the Internet and the local network.
• NAT provides a somewhat limited amount of security because it hides internal IP addresses
from external systems.
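NAT as the text describes it, as an added example that is not from the note: a translation table that replaces RFC 1918 source addresses with a single public address and a per-connection public port, maps replies back to the originating internal host, and returns no mapping for unsolicited inbound packets, which is the sense in which NAT hides internal addresses. The public address 198.51.100.1 and the port pool starting at 40000 are constructed.

```python
import ipaddress

# The three RFC 1918 ranges listed in the text, as prefixes.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class NatTable:
    """Port-based NAT: many private hosts share one constructed public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.back = {}   # (public_port, remote_ip, remote_port) -> (private_ip, private_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite a packet leaving the private network; returns the new (src, sport)."""
        if not is_private(src):
            return src, sport            # nothing to hide, pass through unchanged
        key = (src, sport, dst, dport)
        if key not in self.out:
            pub_port = self.next_port    # each new connection gets its own public port,
            self.next_port += 1          # so two hosts using the same source port never collide
            self.out[key] = pub_port
            self.back[(pub_port, dst, dport)] = (src, sport)
        return self.public_ip, self.out[key]

    def inbound(self, src, sport, dst, dport):
        """Map a packet arriving from the Internet back to the internal host.

        Returns (private_ip, private_port), or None when no mapping exists: an
        unsolicited inbound packet has no way to reach an internal address.
        """
        if dst != self.public_ip:
            return None
        return self.back.get((dport, src, sport))


if __name__ == "__main__":
    nat = NatTable("198.51.100.1")
    print(nat.outbound("192.168.1.147", 51000, "192.0.9.40", 80))   # ('198.51.100.1', 40000)
    print(nat.inbound("192.0.9.40", 80, "198.51.100.1", 40000))     # ('192.168.1.147', 51000)
    print(nat.inbound("203.0.113.5", 443, "198.51.100.1", 40000))   # None
```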


1.3 What a firewall can’t do, or how to bypass firewalls

Firewalls can be defeated because of misconfiguration or liberal Access Control Lists (ACLs). You
must also consider the following firewall weaknesses when designing network security:

a) Insider misuse or internal hacking: Firewalls cannot prevent attacks that originate inside
the network perimeter. Users on the internal network have already passed the firewall. The
firewall can do nothing to stop internal network snooping or intrusion attempts from
within. That is, firewalls do not protect against internal threats. Other security
measures, such as configuring restricted permissions on workstations and servers, and
enabling the auditing of network access, should be implemented to protect against these
kinds of attacks. (Although you can deploy firewalls between your corporate servers and
your internal users as well.)

• Firewalls are useless against attacks from the inside
- An evildoer exists on the inside
- Malicious code is executed on an internal machine
- Organizations with greater insider threat include banks and the military

b) Social engineering attack: A firewall cannot protect against social engineering attacks. This
is the term used to describe attacks in which hackers obtain information by calling
employees and pretending to be a colleague at the front desk, a member of the security staff,
or just somebody from the firm doing routine checks. This person asks for privileged
information, such as server names, IP addresses, or passwords. Employees should be aware
of these tactics and know that certain information should never be given.

That is, firewalls cannot stop social engineering attacks or an authorized user
intentionally using their access for malicious purposes.


c) Viruses and Trojan horse programs: Firewalls attempt to scan for viruses in all network
traffic, but these wicked programs change constantly. Distinguishing between acceptable
e-mail attachments and malicious content continues to be a problem for computer users.
Good precautions should be taken to prevent the spread of viruses and to minimize the
damage that a virus can do.
Trojan horse programs are perhaps even harder to spot, because they don’t attempt to
spread to other files or computers like their virus sisters. A very small Trojan horse
program that is run once by an unsuspecting user can open up a back door to his computer.
A good example of the kind of damage that these programs can do is a Trojan horse
program that sends out all collected keystrokes at password prompts once a week.
In short, a firewall won’t stop you from downloading a Trojan horse program. In other words:

• A firewall cannot protect against the transfer of virus-infected programs or files.

d) Poor firewall policy or misconfiguration: The firewall doesn’t know what is acceptable and
what is not unless an administrator tells it. Competent firewall administrators should
correctly specify which network traffic should be blocked. Most firewalls, however, can
easily be confused by fragmented IP packets and should be explicitly configured to handle
such fragments.
That is, firewalls cannot enforce security policies that are absent or undefined.

1.4 Comparing Software and hardware firewall


As described in the previous sections, a firewall applies a policy to an arriving packet to
determine the appropriate action. The policy is an ordered list of rules, and typically the
action of the first rule that matches the packet is performed. This operation can be performed primarily
in either software or hardware. Performance is the principal reason to choose one
implementation over the other.

 Software firewalls are application software that can execute on commercial hardware. Most
operating systems provide a firewall to protect the host computer (often called a host
firewall). For example, iptables is the firewall application provided as a part of the Linux
operating system. Several major firewall companies offer a software version of their
network firewall. It is possible to buy off-the-shelf hardware (for example, a server) and
run the firewall software.


• The advantage of software firewalls is their ability to upgrade without replacing the hardware.
In addition, it is easier to add new features—for example, iptables can easily perform
stateful filtering, NATing, and quality-of-service (QoS) operations. It is as simple as
updating and configuring the firewall software.

• Hardware firewalls rely on hardware to perform packet filtering. The policy and matching
operation is performed in dedicated hardware—for example, using a field-programmable
gate array (FPGA).
• Hardware firewalls are simpler to use than software firewalls, and they don't have any [performance]
impact on the computer.
• A hardware firewall doesn’t cause problems when installing new software on the system, and the
firewall cannot be taken out.
• The major advantages of a hardware firewall are increased bandwidth and reduced latency.
- Bandwidth is the number of packets a firewall can process per unit of time, and
- Latency is the amount of time required to process a packet.

• Hardware firewalls can operate at higher bandwidths, which translates to more packets per
second (10 Gbps is easily achieved).
• In addition, hardware firewalls can operate faster since processing is performed in dedicated
hardware. The firewall operates almost at wireline speeds; therefore, very little delay is
added to accepted packets. This is important since more applications, such as multimedia,
need QoS for their operation.

• The disadvantage is that upgrading the firewall may require replacement of hardware,
which can be more expensive.

Review questions

1. What is the most basic type of a firewall since it only filters at the network and transport layers
(layers two and three)?
a) Proxy firewall
b) Virus
c) Worm
d) Packet filter firewall


2. What performs the same operations as packet filters, but also maintains state about the packets
that have arrived?
a) Stateful firewalls
b) Virus
c) Worm
d) Packet filter firewall

3. What can filter traffic at the network, transport, and application layer?
a) Application layer firewalls
b) Virus
c) Packet filter firewall
d) User-level Rootkit

4. Which of the following is a disadvantage to using an application gateway firewall?


a) It is not very secure.
b) It uses a great deal of resources.
c) It can be difficult to configure.
d) It can only work on router-based firewalls.

5. What is SPI?
a) Stateful packet inspection
b) System packet inspection
c) Stateful packet interception
d) System packet interception

6. What is the term for a firewall that is simply software installed on an existing server?
a) Network host based
b) Dual-homed
c) Router based
d) Screened host

7. What is a major weakness with a network host–based firewall?


a) Its security is dependent on the underlying operating system.
b) It is difficult to configure.
c) It can be easily hacked.
d) It is very expensive.


Part II : Descriptive questions


1. List the different types of firewalls.
2. List four characteristics used by firewalls to control access and enforce a security policy.
3. Which type of attacks is possible on a packet filtering firewall?
4. How does a traditional packet filter make filtering decision?
5. What is the difference between a packet filtering firewall and a stateful inspection firewall?
6. Describe, in detail, “Application-Level Gateway”.

Answers for question number 6:


• An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.
• The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the
gateway
- asks the user for the name of the remote host to be accessed.

• When the user responds and provides a valid user ID and authentication information, the gateway
- contacts the application on the remote host and relays TCP segments containing the
application data between the two endpoints.

• If the gateway does not implement the proxy code for a specific application, the service is
not supported and cannot be forwarded across the firewall.
• Further, the gateway can be configured to support only specific features of an application
that the network administrator considers acceptable while denying all other features.

Advantages
• Application-level gateways tend to be more secure than packet filters.
• Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications.
• In addition, it is easy to log and audit all incoming traffic at the application level.

A prime disadvantage
• Additional processing overhead on each connection.
• In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.
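The two phases of the answer above (the user authenticates to the gateway and names the remote host; the gateway then opens the second connection and sits at the splice point) can be seen in a small program. What follows is an added example, not code from the lecture notes or from any firewall product: a gateway for a constructed request/response line protocol called CMD, with a constructed user table, permitted-host list and permitted-feature list, plus a stand-in CMD server so the whole thing runs on loopback. It also shows a request for an application with no proxy code being refused, a feature the administrator has not permitted being stopped at the gateway, and every command being logged at the application level.

```python
"""Added example (not from the lecture notes): a minimal application-level
gateway for a constructed line protocol called CMD. The user table, permitted
hosts, permitted features and the CMD server are all made up for the example."""
import socket
import threading

USERS = {"alice": "s3cret"}              # user ID -> authentication information
ALLOWED_HOSTS = {"127.0.0.1"}            # remote hosts the gateway may relay to
PROXIED_APPS = {"CMD": {"GET", "LIST"}}  # proxy code exists only for CMD, and only these features
AUDIT_LOG = []                           # application-level audit trail kept at the gateway


def _readline(sock):
    # Read one newline-terminated line; '' means the peer closed the connection.
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()


def _refuse(client, reason):
    client.sendall(f"ERR {reason}\n".encode())  # tell the user why; the session then ends


def negotiate(client):
    """Phase 1: the user authenticates to the gateway and names the remote host
    ('USER <id> <password>' then 'CONNECT <app> <host> <port>'); returns (user, app, host, port) or None."""
    p = _readline(client).split()
    if len(p) != 3 or p[0] != "USER" or USERS.get(p[1]) != p[2]:
        return _refuse(client, "authentication failed")
    user = p[1]
    client.sendall(b"OK user accepted\n")
    p = _readline(client).split()
    if len(p) != 4 or p[0] != "CONNECT" or not p[3].isdigit():
        return _refuse(client, "expected CONNECT <app> <host> <port>")
    app, host, port = p[1].upper(), p[2], int(p[3])
    if app not in PROXIED_APPS:   # no proxy code: the service cannot cross the firewall
        return _refuse(client, "application not supported")
    if host not in ALLOWED_HOSTS:
        return _refuse(client, "host not permitted")
    AUDIT_LOG.append(f"{user} CONNECT {app} {host}:{port}")
    return user, app, host, port


def relay(client, remote, user, app):
    """Phase 2: two spliced connections with the gateway at the splice point. Each client
    command is logged and checked against the permitted features before being forwarded."""
    for line in iter(lambda: _readline(client), ""):
        verb = line.split()[0].upper()
        AUDIT_LOG.append(f"{user} {app} {verb}")
        if verb not in PROXIED_APPS[app]:
            _refuse(client, "feature denied by gateway")
            continue
        remote.sendall((line + "\n").encode())
        reply = _readline(remote)
        if not reply:
            break
        client.sendall((reply + "\n").encode())


def serve_client(client):
    with client:
        session = negotiate(client)
        if session is None:
            return
        user, app, host, port = session
        with socket.create_connection((host, port)) as remote:  # the second connection
            client.sendall(b"OK relaying\n")
            relay(client, remote, user, app)


def serve_forever(handler, port=0):
    """Loopback TCP listener in a background thread; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def toy_cmd_server(conn):
    """Stand-in for the CMD application on the remote host (constructed)."""
    with conn:
        for line in iter(lambda: _readline(conn), ""):
            verb, *args = line.split()
            if verb == "GET":
                conn.sendall(f"DATA contents-of-{args[0] if args else '?'}\n".encode())
            elif verb == "LIST":
                conn.sendall(b"FILES report.txt notes.txt\n")
            else:
                conn.sendall(b"UNKNOWN\n")   # a PUT would land here if the gateway let it through


def run_session(gateway_port, lines):
    """Client helper: send each line to the gateway and collect the replies."""
    replies = []
    with socket.create_connection(("127.0.0.1", gateway_port)) as c:
        for line in lines:
            c.sendall((line + "\n").encode())
            reply = _readline(c)
            if not reply:
                break
            replies.append(reply)
    return replies
```

Start the stand-in server with `serve_forever(toy_cmd_server)` and the gateway with `serve_forever(serve_client)`, then drive a session with `run_session`. The gateway never passes a client byte to the remote host until the user has authenticated and named an allowed host, and a PUT sent through it is answered by the gateway itself while the remote host never sees it, which is the "specific features only" configuration the answer describes.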


7. Consider the Firewall Locations depicted in the figure below.

Required:
In this type of configuration, discuss the purposes of the following firewalls:
a) Internal firewall
b) External firewall


Answer for question number 7:

As the figure above indicates, a firewall is positioned to provide a protective barrier between an external (potentially untrusted) source of traffic and an internal network.

DMZ Networks

• An external firewall is placed at the edge of a local or enterprise network, just inside the boundary router that connects to the Internet or some wide area network (WAN).
• Between the external firewall and the internal firewall are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network. Systems that are externally accessible but need some protection are usually located on DMZ networks.
• Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server.
• The external firewall provides a measure of access control and protection for the DMZ systems consistent with their need for external connectivity.
• The external firewall also provides a basic level of protection for the remainder of the enterprise network.

In this type of configuration, the internal firewall serves three purposes:

1. The internal firewall adds more stringent (or strict) filtering capability, compared to the external firewall, in order to protect enterprise servers and workstations from external attack.
2. The internal firewall provides two-way protection with respect to the DMZ.
   • First, the internal firewall protects the remainder of the network from attacks launched from DMZ systems. Such attacks might originate from worms, rootkits, bots, or other malware lodged in a DMZ system.
   • Second, an internal firewall can protect the DMZ systems from attack from the internal protected network.
3. Multiple internal firewalls can be used to protect portions of the internal network from each other.
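As an added example that is not part of the lecture notes, the following Python models both firewall types distinguished in Part I (question 1, the packet filter, and question 2, the stateful firewall) and the two-firewall DMZ layout discussed in this answer. Addresses, zones and rules are constructed for the example: the Internet is anything else (198.51.100.7 in the checks), the DMZ is 203.0.113.0/24 holding the web server 203.0.113.10, and the internal network is 10.0.0.0/8 with workstation 10.0.0.5. The stateful filter's connection table is what lets it admit the replies to an outbound connection without a permissive inbound rule; swapping in the stateless class with the same rules shows that it drops those replies and, conversely, lets a spoofed mid-stream segment reach the DMZ web server.

```python
"""Added example (not from the lecture notes): a traditional packet filter and a
stateful inspection filter that share one rule language, deployed as the external
and internal firewalls of the two-firewall DMZ layout. Addresses are constructed:
Internet = anything else (198.51.100.7 in the checks), DMZ = 203.0.113.0/24 holding
the web server 203.0.113.10, internal network = 10.0.0.0/8 with workstation 10.0.0.5."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ_NET, INTERNAL_NET, ANY = "203.0.113.0/24", "10.0.0.0/8", "0.0.0.0/0"
WEB = "203.0.113.10/32"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the connection-opening segment (TCP SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """Traditional packet filter: each packet is judged alone on its header fields,
    first matching rule wins, default deny. With no memory it cannot tell the reply
    to a connection it let out from an unsolicited packet arriving from outside."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Same rules plus a connection table: only connection-opening packets are
    checked against the rules; every later segment passes only if it belongs to a
    connection this filter admitted earlier."""

    def __init__(self, rules):
        super().__init__(rules)
        self.connections = set()  # (client_ip, client_port, server_ip, server_port)

    def decide(self, p: Packet) -> str:
        if (p.src, p.sport, p.dst, p.dport) in self.connections:
            return "allow"  # further client->server data of a known connection
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow"  # server->client reply of a known connection
        if not p.syn:
            return "deny"   # mid-stream segment of a connection never seen opening
        action = super().decide(p)
        if action == "allow":
            self.connections.add((p.src, p.sport, p.dst, p.dport))
        return action


def zone(ip: str) -> str:
    a = ip_address(ip)
    if a in ip_network(INTERNAL_NET):
        return "internal"
    return "dmz" if a in ip_network(DMZ_NET) else "internet"


# External firewall: the Internet may open connections only to the published web
# service (HTTPS); internal hosts may open connections outward.
EXTERNAL_RULES = [Rule("allow", ANY, WEB, 443), Rule("allow", INTERNAL_NET, ANY)]
# Internal firewall, stricter: nothing in the DMZ may open a connection inward (so
# malware lodged on the web server cannot pivot); internal hosts may still go out.
INTERNAL_RULES = [Rule("deny", DMZ_NET, INTERNAL_NET), Rule("allow", INTERNAL_NET, ANY)]


class DmzTopology:
    """Runs each packet through the firewall(s) on its path: outside-in for inbound
    traffic, inside-out for outbound. A drop at the first hop means the second
    firewall never sees the packet, as in the real layout."""

    def __init__(self, filter_cls=StatefulFilter):
        self.external = filter_cls(EXTERNAL_RULES)
        self.internal = filter_cls(INTERNAL_RULES)

    def admit(self, p: Packet) -> bool:
        zones = {zone(p.src), zone(p.dst)}
        hops = ([self.external] if "internet" in zones else []) + \
               ([self.internal] if "internal" in zones else [])
        if zone(p.src) == "internal":
            hops.reverse()
        return all(fw.decide(p) == "allow" for fw in hops)
```

`DmzTopology()` builds the layout with stateful firewalls and `DmzTopology(PacketFilter)` with traditional packet filters; feeding the same sequence of packets to both makes the difference between the two types concrete. Note that the deny rule for DMZ-to-internal traffic on the internal firewall is what blocks a compromised web server from pivoting, while its connection table is what still lets an internal user's session with that web server get its replies.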

================ The End ! ================
