A firewall system contains a set of predefined rules allowing:
to authorize the connection ( allow ).
to block the connection ( deny ).
reject the connection request without notifying the sender ( drop ).
These rules make it possible to implement a filtering method based on the security policy adopted by the IT team. There are usually two types of security policies allowing:
or to only authorize communications that have been explicitly authorized, therefore " Anything that is not explicitly authorized is prohibited ".
or to prevent exchanges which have been explicitly prohibited.
The first method is undoubtedly the safest, but it nevertheless imposes a precise and restrictive definition of communication needs.
Simple packet filtering
A firewall works on the principle of simple packet filtering ( stateless packet filtering ). It analyzes the headers of each data packet exchanged between a machine on the internal network and an external machine.
These data packets which are exchanged between the machine of the external network and that of the internal network (pass through the firewall) are systematically analyzed by the latter. Each packet has the following headers:
IP address of the sending machine;
IP address of the receiving machine;
packet type (TCP, UDP, etc.);
port number (reminder: a port is a number associated with a network service or application).
The IP addresses contained in the packets identify the sending machine and the target machine, while the type of packet and the port number give an indication of the type of service used.

The table below gives examples of rules

Rule Action Source IP IP dest Protocol Source port Port dest
1 Accept 199.202.10.20 123.145.192.3 tcp any 25
2 Accept any 148.127.10.3 tcp any 80
3 Accept 199.202.10.0/24 any tcp any 80
4 Deny any any any any any
Ports, numbered between 0 and 1023, are associated with common services; for example, ports 25 and 110 are associated with email, port 80 is dedicated to the web.

At a minimum, most firewalls are configured to filter communications according to the port used. It is generally advisable to block all ports that are not essential (according to the agreed security policy).

Port 23 is for example often blocked by default by firewall devices because it corresponds to the Telnet protocol, making it possible to emulate terminal access to a remote machine so as to be able to execute commands remotely. The data exchanged by Telnet is not encrypted, therefore likely to be intercepted by a malicious person who would like to "listen to the network" in order to steal any passwords circulating in the clear. Network administrators generally prefer to use the SSH protocol, which is known to be secure and provides the same functionality as Telnet.

Personal firewall concept
If the protected area is limited to the computer on which the firewall is installed, this is referred to as a personal firewall.

A personal firewall makes it possible to control the access to the network of the applications installed on the machine in order to prevent harmful programs (attacks of the Trojan horse type for example), which could open a breach in the system and thus have a remote control on the machine by this hacker. The personal firewall therefore makes it possible to identify and prevent unsolicited opening by unauthorized applications to connect to the network.

The limits of the firewall
Needless to say, a firewall system does not provide complete security. These only offer reliable protection insofar as all communications to the outside world systematically pass through them and that they are correctly configured. It is therefore important to understand that access to the external network bypassing the firewall is automatically security breaches. This is particularly the case for connections made from the internal network using a telephone modem or any connection means beyond the control of the firewall.

Likewise, the introduction into your system of any storage media from outside can seriously damage the overall security policy of your network.

Finally, in order to guarantee a maximum level of protection, it is necessary to administer the firewall and in particular to monitor its activity log in order to be able to detect intrusion attempts and anomalies.

In an institutional environment, the installation of a firewall must therefore be done in accordance with a comprehensive security policy.

For more information about: network firewall security