Firewall
8.2 What is a Firewall?
BAT54-Rail/F.. Release 7.54 06/08
- Port numbers of source and destination
- MAC address
The rules defined in a packet-filter-oriented firewall determine, for example, whether packets from a particular IP address range may pass into the local network, or whether packets for particular services (i.e. with particular port numbers) should be filtered. With these measures, communication with certain workstations, with entire networks, or via particular services can be restricted or prevented entirely. The rules can also be combined, so that, for example, only workstations with particular IP addresses get access to the Internet via TCP port 80, while this service remains blocked for all other workstations.
The configuration of packet-filtering firewalls is quite simple, and the list of permitted or forbidden packets can be extended very easily. Because the performance requirements of a packet filter can also be met with quite modest means, packet filters are often implemented directly in routers, which operate as the interface between the networks anyway.
A drawback of packet filters is that the list of rules becomes unwieldy after a while. In addition, for some services the connection ports are negotiated dynamically. To enable such communication, the administrator then has to leave open all ports that might possibly be used, which runs contrary to the basic orientation of most security concepts.
One example of a process that is quite problematic for simple packet filters is the establishment of an FTP connection from a workstation in the local LAN to an FTP server in the Internet. With the generally used active FTP, the client (in the protected LAN) sends a request from a port in the upper range (>1023) to port 21 of the server. The client informs the server on which port it expects the connection. As a result, the server establishes a connection from its port 20 to the requested port of the client.
To enable this process, the administrator of the packet filter must open all ports for incoming connections, because he does not know in advance which port the client will request for the FTP data connection. An alternative is to use passive FTP. Here the client itself establishes the connection to the server over a particular port that was communicated beforehand. This process is, however, not supported by all clients and servers.
Figure: active FTP connection setup between client and server. Client to server: source port 4321, destination port 21 (control connection). Server to client: source port 20, destination port 4322 (data connection).
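To make the rule semantics and the active-FTP problem concrete, here is an added example of a minimal stateless packet filter in Python; it is not code from the BAT54 manual, and the addresses (documentation ranges), the rule set and the port numbers 4321/4322 from the figure are constructed for illustration. It shows the "port 80 only for particular workstations" rule from the text, and that the server's data connection from port 20 is dropped unless every high port is opened for incoming traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source network (any by default)
    dst: str = "0.0.0.0/0"           # destination network (any by default)
    proto: str = "any"
    sport: range = range(0, 65536)   # permitted source ports
    dport: range = range(0, 65536)   # permitted destination ports

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and p.sport in self.sport and p.dport in self.dport)


def filter_packet(rules, p: Packet, default: str = "deny") -> str:
    """Stateless evaluation: the first matching rule wins, otherwise the default applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed policy (assumed addresses): only 192.0.2.10 may use TCP port 80,
# and any LAN host may open an FTP control connection (port >1023 to server port 21).
LAN = "192.0.2.0/24"
RULES = [
    Rule("allow", src="192.0.2.10/32", proto="tcp", dport=range(80, 81)),
    Rule("allow", src=LAN, proto="tcp", sport=range(1024, 65536), dport=range(21, 22)),
]


def active_ftp_demo(rules=RULES):
    """Return (control, data) verdicts for the active-FTP exchange shown in the figure."""
    control = Packet("192.0.2.10", "203.0.113.5", "tcp", 4321, 21)  # client -> server:21
    data = Packet("203.0.113.5", "192.0.2.10", "tcp", 20, 4322)     # server:20 -> client
    return filter_packet(rules, control), filter_packet(rules, data)


def rules_with_open_high_ports():
    """The workaround the text describes: admit server-port-20 connections to every high port."""
    return RULES + [Rule("allow", dst=LAN, proto="tcp", sport=range(20, 21), dport=range(1024, 65536))]
```

With the base rules the control connection is allowed but the server's data connection is denied; only the wide-open third rule lets it through, which is exactly the exposure the text warns about.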