Network Firewalls Or Hardware Firewalls | Part 5


Virtual Local Area Networks

Modern firewalls support Virtual Local Area Networks (VLANs), i.e., with an appropriately configured switch, several logical networks can be carried over a single physical network interface. This allows more networks to be connected to the firewall than the physical number of network interfaces would permit.

Using VLANs can also be cheaper than buying additional network interfaces for the firewall. Another advantage is that connecting a new network only requires a firewall and switch configuration change; no new cables need to be pulled. A disadvantage is that all VLANs share the capacity of the one LAN connection. There is also a significant security drawback: the separation of the different networks is no longer under the firewall's control, so the overall system is easier to compromise.

In such a setup the firewall depends on the cooperation of the switch in use. Switches, however, are usually not hardened systems and often expose additional attack surfaces (web, SNMP, telnet), so they are unsuitable, or at best partly suitable, as security components. Security problems can arise for several reasons: a flawed switch (default password, backdoor), an incorrect switch configuration (e.g., SNMP), a faulty implementation or configuration of the VLAN separation, or an intrusion into the switch's administration.

A reset of the switch configuration is generally not immediately noticeable, because many switches forward VLAN packets (those carrying VLAN tags) even without any VLAN configuration. Furthermore, by inserting a hub, all LAN segments of the VLAN can conveniently be monitored at once and unnoticed. On the WAN side VLANs can provide a valuable service, and in the DMZ area they may still be acceptable, but in a security environment their use should be avoided.
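The two failure modes above (a switch that silently forwards tagged frames, and VLAN separation that is no longer under the firewall's control) can be checked from captured traffic. The following added example, written for this article and not taken from any product or from the original text, builds a few constructed Ethernet frames, parses their 802.1Q/802.1ad tags, and audits them against the tagging a port is expected to carry: an access port should see no tags at all, a trunk only single tags from its permitted VLAN set.

```python
import struct

# EtherType values: the 802.1Q tag protocol identifier, the 802.1ad (QinQ)
# outer-tag identifier, and plain IPv4 for the sample payload.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
ETH_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vids=()):
    """Build an Ethernet II frame; vids lists VLAN IDs outermost first.
    Two entries produce an 802.1ad outer tag plus an 802.1Q inner tag."""
    hdr = dst + src
    for n, vid in enumerate(vids):
        tpid = TPID_8021AD if (n == 0 and len(vids) > 1) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP and DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags is a list of
    (tpid, pcp, vid) tuples from the outermost tag inward."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID field")
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, tags, etype, frame[offset:]
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag control information")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append((etype, tci >> 13, tci & 0x0FFF))


def audit_port(frames, allowed_vids, access_port):
    """Report frames that do not match the tagging expected on a switch port.
    Returns a list of (frame_index, finding) tuples."""
    findings = []
    for i, frame in enumerate(frames):
        _, _, tags, _, _ = parse_frame(frame)
        if access_port:
            if tags:
                findings.append((i, "tagged frame on access port (VLAN %d)" % tags[0][2]))
            continue
        if not tags:
            findings.append((i, "untagged frame on trunk port"))
        elif tags[0][2] not in allowed_vids:
            findings.append((i, "VLAN %d not permitted on this trunk" % tags[0][2]))
        if len(tags) > 1:
            findings.append((i, "double-tagged frame (outer %d, inner %d)"
                             % (tags[0][2], tags[1][2])))
    return findings


# Constructed sample frames (not captured traffic): MAC addresses and the
# IPv4 payload bytes are placeholders.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19

SAMPLE_FRAMES = [
    build_frame(DST, SRC, ETH_IPV4, PAYLOAD),                 # untagged
    build_frame(DST, SRC, ETH_IPV4, PAYLOAD, vids=(10,)),     # VLAN 10
    build_frame(DST, SRC, ETH_IPV4, PAYLOAD, vids=(200,)),    # VLAN 200
    build_frame(DST, SRC, ETH_IPV4, PAYLOAD, vids=(10, 20)),  # QinQ 10/20
]

if __name__ == "__main__":
    print("trunk (VLANs 10, 20 allowed):")
    for idx, finding in audit_port(SAMPLE_FRAMES, {10, 20}, access_port=False):
        print("  frame %d: %s" % (idx, finding))
    print("access port:")
    for idx, finding in audit_port(SAMPLE_FRAMES, set(), access_port=True):
        print("  frame %d: %s" % (idx, finding))
```

Run against real traffic, the frames would come from a raw socket or a pcap file on the firewall's interface; any finding on an access port means the switch is delivering tags the firewall never configured, which is exactly the case the paragraph warns about.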

Routing and multicast

Most firewalls are set up as routers. This is useful especially in the SoHo area, because connecting several computers there usually requires NAT and PPPoE functionality, which is typically combined with a router. In corporate networks the routing functionality is often desired as well, because there the firewall replaces the (gateway) routers that were formerly common.

Although it has advantages to build a firewall as a bridge, i.e., to operate it as a transparent firewall, most are still run as routers. A transparently operated firewall cannot be traced with traceroute and similar tools. It is itself also hard to attack, since an attacker has no IP address with which to reach or address it; it must consequently be reached from a directly adjacent IP network.

The routing functionality depends on the operating system, as do the routing protocols (e.g., RIP or OSPF) that can be used. These should only be used when absolutely necessary, since, compared with a static routing table, they make the system considerably more vulnerable.

Like routing, a firewall's IP multicast capability depends on the operating system. The rules are written as usual, using the multicast addresses. Other aspects are described in RFC 2588.

Complex protocols: Voice over IP and video conferencing

Voice over IP (VoIP) and videoconferencing are not trivial for stateful firewalls, since often several different protocols (e.g., for call signaling, audio transmission, video transmission, application sharing) and several participants (callers, called parties, telephone systems) are involved in a conference. Some commercial firewalls understand the VoIP protocols (SIP or Skinny) and are therefore able to open ports dynamically.

File Transfer Protocol (FTP)

Although FTP is a fairly old protocol, it is a difficult one for firewalls. In particular the “active mode”, in which, in addition to the control connection on port 21, a data connection is established in the reverse direction from the server back to the client, causes some firewalls problems. This reverse connection could in theory also be exploited by the operator of the FTP server for attacks.

Therefore, some firewall systems refuse to build the data connection on port numbers that are used for other services. This has the advantage that the susceptibility of the data connection to being misused for attacks is reduced.

Typical symptoms of a firewall that has problems with FTP are that navigation through the directories works, but data transfers break off without an error message. The problems described above do not occur with FTP in “passive mode” (configurable in the FTP client, or by entering “PASV” in a command-line client) or when using SCP, which is based on the encrypted SSH protocol.
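What a stateful firewall has to do for FTP is read the control channel and open exactly one data connection per announcement. The following added example, written for this article and not taken from any firewall product or from the original text, shows that inspection for both modes: it decodes the `h1,h2,h3,h4,p1,p2` form of the client's `PORT` command (active mode) and of the server's `227` reply (passive mode), then applies the two checks the paragraphs above motivate: the announced address must belong to the peer that announced it, and the announced port must not belong to another service. The reserved-port set and the sample addresses are assumptions; the extended `EPRT`/`EPSV` forms of RFC 2428 are not handled.

```python
import ipaddress
import re

# Ports this (hypothetical) firewall refuses as FTP data endpoints: the
# well-known range below 1024 plus a few higher ports of other services.
RESERVED_DATA_PORTS = set(range(1024)) | {1080, 3128, 3306, 5432, 8080}

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 sequence used by PORT and by the 227 reply.
    Returns (IPv4Address, port); port is p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 sequence in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in %r" % text)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def data_channel_verdict(control_line, client_ip, server_ip):
    """Inspect one FTP control-channel line and decide whether a data
    connection may be opened.  Returns a dict whose 'verdict' is 'allow',
    'reject' or 'ignore'; an allow carries the flow to be permitted."""
    client_ip = ipaddress.IPv4Address(client_ip)
    server_ip = ipaddress.IPv4Address(server_ip)
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the client announces where the server should connect.
        mode, announced_by, connector = "active", client_ip, server_ip
    elif line.startswith("227 "):
        # Passive mode: the server announces where the client should connect.
        mode, announced_by, connector = "passive", server_ip, client_ip
    else:
        return {"verdict": "ignore"}
    try:
        host, port = decode_hostport(line)
    except ValueError as exc:
        return {"verdict": "reject", "reason": str(exc)}
    if host != announced_by:
        # The firewall would otherwise open a hole towards a third host.
        return {"verdict": "reject",
                "reason": "announced address %s is not the peer %s" % (host, announced_by)}
    if port in RESERVED_DATA_PORTS:
        return {"verdict": "reject",
                "reason": "port %d belongs to another service" % port}
    return {"verdict": "allow", "mode": mode,
            "src": str(connector), "dst": str(host), "dport": port}


# Constructed control-channel lines between a client at 192.168.1.20 and a
# server at 203.0.113.5 (both addresses are placeholders).
SAMPLE_LINES = [
    "PORT 192,168,1,20,4,1",                           # active, port 1025
    "PORT 192,168,1,20,0,25",                          # active, port 25
    "PORT 10,0,0,9,4,1",                               # active, foreign host
    "227 Entering Passive Mode (203,0,113,5,195,80)",  # passive, port 50000
    "RETR file.txt",                                   # no data-channel info
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", data_channel_verdict(sample, "192.168.1.20", "203.0.113.5"))
```

The second sample is the case the text describes: an active-mode data connection to port 25 is refused because that port is SMTP's, not a transfer endpoint. The third sample is why the peer check matters as much as the port check.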

Troubleshooting Firewall Problem

Troubleshooting in a large network can be very complex. Common errors include, for example, a firewall rule containing IP addresses that have been changed by NAT or a VPN connection. Depending on the firewall software and operating system used, different debugging options are available.

On the basis of the firewall logs, incorrect rules or IP spoofing can be detected. Tools such as tcpdump (or snoop on Solaris) allow the current network traffic at the inbound and outbound network interfaces to be monitored and compared. Furthermore, some systems offer a glimpse into the internal processing of the firewall software (such as Check Point FW-1 with “fw monitor”).

For a firewall system in cluster operation, the logs are useful to determine which machine processed the problematic connection at all. Log files are not suitable for detailed troubleshooting if they write an entry only per connection rather than per packet. In addition to the firewall's own tools, utilities like ping, traceroute or nmap help to determine whether the fault lies outside the system, for example in the routing, or whether the destination port is simply not open.
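The cluster question above (which node handled the connection, and did it drop anything) is answered quickly with per-packet logs. The following added example, written for this article and not from any product or from the original text, parses a handful of constructed lines in an iptables-LOG-like format from two cluster nodes (`fw1`, `fw2`), groups both directions of one connection by node, and flags the pattern where a second node drops packets in the middle of a flow it never saw the start of. The log format, host names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs) in an iptables-LOG-like format.
# The first connection starts on fw1 and is then dropped on fw2.
SAMPLE_LOG = """\
May  1 10:00:01 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.10.7 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=143 SYN
May  1 10:00:01 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.25 DST=192.168.10.7 PROTO=TCP SPT=143 DPT=51000 ACK
May  1 10:00:02 fw2 kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.10.7 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=143 ACK
May  1 10:00:03 fw2 kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.10.7 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=143 ACK
May  1 10:00:05 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.10.9 DST=198.51.100.1 PROTO=TCP SPT=40000 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w+\s+\d+ [\d:]+) (?P<host>\S+) kernel: (?P<prefix>FW-\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")


def parse_log(text):
    """Parse log lines into dicts; the log prefix after 'FW-' is the verdict."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["action"] = d.pop("prefix").split("-", 1)[1]
            records.append(d)
    return records


def trace_connection(records, src, dst, dport):
    """Per-node packet counts and verdicts for one connection, matching both
    directions of the flow.  Returns {node: {'packets', 'verdicts', 'first'}}."""
    summary = defaultdict(lambda: {"packets": 0, "verdicts": set(), "first": None})
    for r in records:
        forward = r["src"] == src and r["dst"] == dst and r["dpt"] == str(dport)
        reverse = r["src"] == dst and r["dst"] == src and r["spt"] == str(dport)
        if not (forward or reverse):
            continue
        s = summary[r["host"]]
        s["packets"] += 1
        s["verdicts"].add(r["action"])
        s["first"] = s["first"] or r["ts"]
    return dict(summary)


def diagnose(summary):
    """Turn a per-node summary into findings a troubleshooter can act on."""
    findings = []
    if not summary:
        return ["no packets logged for this connection on any node"]
    for node, s in sorted(summary.items()):
        findings.append("%s: %d packet(s), verdicts %s, first seen %s"
                        % (node, s["packets"], sorted(s["verdicts"]), s["first"]))
    droppers = [n for n, s in summary.items() if "DROP" in s["verdicts"]]
    if len(summary) > 1 and droppers:
        findings.append("connection split across nodes; %s dropped mid-stream "
                        "packets of a flow it did not see start" % ", ".join(sorted(droppers)))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line in diagnose(trace_connection(recs, "192.168.10.7", "203.0.113.25", 143)):
        print(line)
```

With only per-connection logging, the `packets` counters collapse to one entry per node and the mid-stream drops on the second node would not be visible at all, which is the limitation the paragraph points out.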

Additional features of firewalls

  • Protection against SYN flooding, e.g., by SYN cookies
  • Discarding of malformed packets (e.g., with conflicting TCP flags)
  • Protection from Ping of Death, Smurf attack, teardrop attack or LAND attack
  • Endpoint for VPN connections
  • Consideration of Quality of Service in the processing priority
  • Channel bonding / link aggregation to combine several physical interfaces into one faster logical interface, for example two 100 Mbps interfaces into one 200 Mbps interface.

In this example, the rule set of a firewall with inspection would look as follows:

  1. Allowed – source “workstation” to destination “email provider” via IMAP (mail retrieval) and SMTP (mail sending)
  2. Allowed – source “proxy” (workstations surf through the proxy) to any destination with the services HTTP (web download) and HTTPS (ActiveX is filtered here)
  3. All other communication attempts are discarded
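The three rules above are a first-match list with a default deny, which is easiest to reason about when it can be evaluated against concrete connections. The following added example, written for this article and not from any firewall product or from the original text, encodes the rule set with constructed addresses (the workstation subnet, proxy and mail-provider addresses are assumptions), evaluates sample flows against it, and renders it as one possible nftables forward chain. ActiveX filtering happens inside the proxy and is not expressible in these packet rules, so it is left out.

```python
from dataclasses import dataclass
import ipaddress

# Constructed addresses for the example network (assumptions, not from the page).
WORKSTATIONS = ipaddress.ip_network("192.168.10.0/24")
PROXY = ipaddress.ip_network("192.168.20.5/32")
MAIL_PROVIDER = ipaddress.ip_network("203.0.113.25/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Service names used in the rules, mapped to (protocol, destination port).
SERVICES = {"imap": ("tcp", 143), "smtp": ("tcp", 25),
            "http": ("tcp", 80), "https": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    services: tuple   # service names; an empty tuple matches any service
    action: str       # "accept" or "drop"


# The page's three rules, in order.
RULESET = [
    Rule("workstation-to-mail", WORKSTATIONS, MAIL_PROVIDER, ("imap", "smtp"), "accept"),
    Rule("proxy-to-web", PROXY, ANY, ("http", "https"), "accept"),
    Rule("default-deny", ANY, ANY, (), "drop"),
]


def evaluate(ruleset, src_ip, dst_ip, proto, dport):
    """First-match evaluation; returns (action, rule_name).  With no matching
    rule the verdict is still drop, so the policy fails closed."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in ruleset:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.services and (proto, dport) not in {SERVICES[s] for s in rule.services}:
            continue
        return rule.action, rule.name
    return "drop", "implicit-deny"


def to_nft(ruleset):
    """Render the ruleset as an nftables forward chain (one possible rendering;
    the page names no product).  Established traffic is let back in first so
    the rules above stay stateful as described."""
    out = ["table inet filter {", "    chain forward {",
           "        type filter hook forward priority 0; policy drop;",
           "        ct state established,related accept"]
    for r in ruleset:
        parts = []
        if r.src != ANY:
            parts.append("ip saddr %s" % r.src.with_prefixlen)
        if r.dst != ANY:
            parts.append("ip daddr %s" % r.dst.with_prefixlen)
        if r.services:
            ports = sorted(SERVICES[s][1] for s in r.services)
            parts.append("tcp dport { %s }" % ", ".join(str(p) for p in ports))
        parts.append("counter " + r.action)
        out.append("        " + " ".join(parts) + "  # " + r.name)
    out += ["    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample flows: the second one is a workstation bypassing the proxy.
    for flow in [("192.168.10.7", "203.0.113.25", "tcp", 143),
                 ("192.168.10.7", "198.51.100.1", "tcp", 80),
                 ("192.168.20.5", "198.51.100.1", "tcp", 443)]:
        print(flow, "->", evaluate(RULESET, *flow))
    print(to_nft(RULESET))
```

The second sample flow is the one worth checking whenever such a rule set is changed: a workstation talking to the web directly must still hit the default deny, otherwise the proxy (and its ActiveX filtering) can be bypassed.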
