FtBP: Firewalls

Part 5/8


Last time we talked about how a router will direct a network packet, today we will discuss how a packet gets assessed by a network firewall in determining whether to forward the traffic, or squash it. Here is where we left off last time with our network packet:

L2-[Source MAC: 04-04-04-04-04-04 | Destination MAC: 05-05-05-05-05-05]
L3-[Source IP: 10.1.1.100 | Destination IP: 11.1.1.100]
L4-[Source Port: TCP 1025 | Destination Port: TCP 445]

One key to remember as we go through this series is the role each network device holds and where it sits in the OSI model. This tells us which fields each device can use when deciding what to do with the traffic. In this article we are going to stick with firewalls, which are Layer 4 devices. Because of this we will be able to look at the data contained in layers 2, 3 and 4 of the network packet (the Source and Destination MAC addresses, the Source and Destination IP addresses, and the Source and Destination ports). Here is our picture for this scenario:

[Figure: firewalls]

Firewall Basics

With client-side firewalls now included in most modern operating systems, you are very likely familiar with some kind of network filtering. Host-based firewalls can only protect against traffic the host itself receives (or sends). Network firewalls are intended to secure entire networks from unwanted traffic. They do this by setting rules about who can talk to whom, and over what protocols and ports. A traditional firewall really just looks at IP address and port, though some modern firewalls can even inspect the data being transferred and make decisions based on it. For our purposes, though, we will stick with traditional IP and port filtering.

Traversing Firewall A

So let’s look at this in our scenario. Here again is the packet as the firewall will receive it (Firewall A has the IP address 12.1.1.2 and the MAC 05-05-05-05-05-05, which we talked about last time).

L2-[Source MAC: 04-04-04-04-04-04 | Destination MAC: 05-05-05-05-05-05]
L3-[Source IP: 10.1.1.100 | Destination IP: 11.1.1.100]
L4-[Source Port: TCP 1025 | Destination Port: TCP 445]

When Firewall A receives this packet on its internal interface it will start by making sure the packet is addressed to it, so it checks whether the DestMAC matches its own. It does, so it then checks whether the DestIP matches as well. It does not, so the packet is handed over to the filter engine. On Firewall A our network admins have previously allowed CIFS traffic through a rule much like this one:

(1a)SourceIP   (1b)NetMask   (2)SourcePort   (3a)DestIP   (3b)NetMask   (4)DestPort
10.1.1.x       /24           Any             11.1.1.x     /24           TCP 445

This rule says that traffic from a host on the 10.1.1.x network, from ANY source port, will be allowed to the 11.1.1.x network if it is destined for TCP port 445. Let’s look at how this rule is matched against the traffic. The columns above are numbered; here is a sample of the logic performed with each:

1a+1b – The SourceIP in the network packet is compared against these values to see if it falls within the given IP range. (i.e. “Does 10.1.1.100 fall between 10.1.1.0 and 10.1.1.255?”)

2 – The SourcePort in the network packet is compared against this value to see if it falls within the given port range. (i.e. “Does TCP 1025 match ANY?” [meaning any port is allowed])

3a+3b – The DestIP in the network packet is compared against these values to see if it falls within the given IP range. (i.e. “Does 11.1.1.100 fall between 11.1.1.0 and 11.1.1.255?”)

4 – The DestPort in the network packet is compared against this value to see if it falls within the given port range. (i.e. “Does TCP 445 in the network packet match TCP 445 in the rule set?”)

Traffic has to match EVERY field in the firewall rule or it will not be allowed. This means that if the SourceIP, SourcePort, and DestIP match but the DestPort does not (or any one or more values do not match), the traffic is blocked. Basically, it is all or nothing; the firewall says: “play by my rules, or I will POP your ball”. Because our packet matches the rule, it will be allowed to traverse the firewall.

Next time we will discuss how this packet is transferred from Firewall A through a Site-to-Site VPN tunnel.
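To make the two steps above concrete (the "is this frame for me?" check on the firewall's MAC and IP, and then the all-or-nothing column-by-column rule match), here is a small stateless packet filter written for this article. It is an added example, not code from the original post or from any firewall product. The packet and rule values are the ones from the scenario above; the extra test packets, the Packet/Rule field names, the protocol column, and the "first matching rule decides" ordering are assumptions made for illustration.

```python
# Added example: a minimal stateless packet filter mirroring the steps the post
# describes for Firewall A. Field names, rule ordering and the variant packets
# are assumptions for illustration, not a real firewall's implementation.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "TCP" or "UDP"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_net: str              # columns 1a+1b, e.g. "10.1.1.0/24"
    src_port: Optional[int]   # column 2; None means ANY
    dst_net: str              # columns 3a+3b
    proto: str                # protocol half of column 4 ("TCP 445")
    dst_port: Optional[int]   # port half of column 4; None means ANY
    action: str = "allow"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All-or-nothing: every column must match or the rule does not apply."""
    return (
        ip_address(pkt.src_ip) in ip_network(rule.src_net)              # 1a+1b
        and (rule.src_port is None or pkt.src_port == rule.src_port)    # 2
        and ip_address(pkt.dst_ip) in ip_network(rule.dst_net)          # 3a+3b
        and pkt.proto == rule.proto                                     # 4 (protocol)
        and (rule.dst_port is None or pkt.dst_port == rule.dst_port)    # 4 (port)
    )


def firewall_decision(pkt: Packet, fw_mac: str, fw_ip: str, rules: List[Rule]) -> str:
    """Walk the steps the post describes for Firewall A's internal interface."""
    # Step 1: the frame must carry this interface's MAC as its destination.
    if pkt.dst_mac.lower() != fw_mac.lower():
        return "drop (frame not addressed to this interface)"
    # Step 2: if the DestIP is the firewall's own address the packet is for
    # the firewall itself; otherwise it goes on to the filter engine.
    if ip_address(pkt.dst_ip) == ip_address(fw_ip):
        return "deliver locally"
    # Step 3: filter engine. First matching rule decides (an assumption about
    # rule ordering); with no match at all the traffic is not allowed.
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny (no matching rule)"


# Values taken from the post's scenario.
FIREWALL_A_MAC = "05-05-05-05-05-05"
FIREWALL_A_IP = "12.1.1.2"
CIFS_RULE = Rule("10.1.1.0/24", None, "11.1.1.0/24", "TCP", 445)
SAMPLE_PACKET = Packet("04-04-04-04-04-04", FIREWALL_A_MAC,
                       "10.1.1.100", "11.1.1.100", "TCP", 1025, 445)


def demo() -> dict:
    """Evaluate the post's packet plus constructed variants that change one field."""
    rules = [CIFS_RULE]
    cases = {
        "cifs_from_post": SAMPLE_PACKET,
        "wrong_dest_port": replace(SAMPLE_PACKET, dst_port=80),          # only column 4 fails
        "source_outside_subnet": replace(SAMPLE_PACKET, src_ip="10.1.2.100"),
        "udp_instead_of_tcp": replace(SAMPLE_PACKET, proto="UDP"),
        "addressed_to_firewall": replace(SAMPLE_PACKET, dst_ip=FIREWALL_A_IP),
        "wrong_dest_mac": replace(SAMPLE_PACKET, dst_mac="06-06-06-06-06-06"),  # constructed MAC
    }
    return {name: firewall_decision(p, FIREWALL_A_MAC, FIREWALL_A_IP, rules)
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} -> {verdict}")
```

Running it shows the post's packet getting "allow" and every one-field variation getting "deny (no matching rule)", which is the all-or-nothing behaviour described above; the packet addressed to 12.1.1.2 never reaches the filter engine, and the frame with a foreign destination MAC is dropped before the IP check.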

Follow the Bouncing Packet – Series Navigation

Part 1: Prerequisites

Part 2: Packet Formation

Part 3: Switching

Part 4: Routing

Part 5: Firewalls

Part 6: VPN Tunnel

Part 7: NAT and PAT

Part 8: End-to-End, B-to-A