Stephen Martin | stephenmartin.io

How do I control what computers can and can’t talk to each other?

Too long, didn’t read

The short simple answer is we have devices called firewalls that can sit in places we wish to control the flow of traffic, and those devices allow the traffic they are told to allow and deny anything else. The firewall is also generally where NAT happens. If you are content with this simple explanation, the rest of this section can be skipped. A lot of the history in this section was sourced from Juniper Networks’ “Learn About Firewall Evolution from Packet Filter to Next Generation.”

In the beginning, there were Access Control Lists

By default, routers and switches will pass all traffic presented to them. So how do we prevent unwanted traffic from passing through our network? The simplest and earliest way is something called an access control list or ACL. An ACL is made up of access control entries or ACEs which define source IP, destination IP, protocol, and port, as well as whether the traffic matching that entry is allowed or blocked. In Cisco land, a simple1 ACE entry may be something like:

access-list my_list permit tcp   host 10.1.1.2 host 172.16.1.1 eq 80
             name  action proto    source         dest         port 

This example ACE is an entry on an ACL called my_list. It specifies traffic from 10.1.1.2 to 172.16.1.1 using the TCP protocol and a destination port equal to 80 will be permitted. The source and destination can be a single IP, a single network, or all IPs. Protocols are typically TCP, UDP, ICMP, or you can specify IP to cover all protocols. The destination port can be a single port or a range of ports. If the port is not specified, all ports are assumed. An ACL will be made up of multiple ACEs and can be applied to an interface as either an inbound ACL applying to traffic coming into that port, or an outbound ACL applying to traffic being sent out of that port. An ACL also has something called an implicit deny at the end of it, which means if the traffic doesn’t directly, or explicitly, match an ACE in the list, it is assumed that it should be denied.

Originally, these ACLs would be applied to interfaces routers and that would be the extent of traffic control. However, routers are not built for this purpose. Routing is generally what is known as a stateless operation. That is, every single packet is acted upon individually, and the goal is to process every packet as fast as possible, ideally as fast as, or faster than, they arrive. If a router is simply routing a packet, it merely needs to look at the source and destination IP to decide on what to do with the packet. However, if an ACL is involved, the router now needs to also look at the protocol and port, as well as compare the packet to every entry in the list. If the router could simply do this once per conversation between two servers, this wouldn’t be so bad. But being stateless, a router needs to do this inspection on every single packet. This is a much slower operation. 

Enter the Packet Filter Firewall

Eventually, resolving this inefficiency resulted in the first instance of a new type of network device we know and love today as a firewall2 and the ACLs, at least for traffic from the internet, were able to be moved to these new devices. These first devices, called packet filter firewalls, while still stateless, improved efficiency by bringing the permit/deny operation out of the router and into a discrete device. The firewall filtered packets, the router routed packets, and things moved a little bit better. However, specially crafted packets could still slip through the firewall due to their stateless nature, and in the old days, a single carefully crafted packet could crash an entire server, and a stateless firewall could not necessarily detect these sorts of attacks.

Stateful Inspection

To fix this problem, and improve efficiency along the way, the idea of stateful inspection was created. In a stateful firewall, individual conversations are tracked3. Every TCP conversation begins and ends with a series of packets called a three-way-handshake, which is a series of three packets known as SYN-SYNACK-ACK. This handshake allows the two endpoints to negotiate details of the conversation. When the firewall sees the first step of this three-way handshake, known as a SYN (for synchronize) packet, it checks to see if the proposed conversation is allowed by the ACL. If it is allowed, it lets the SYN packet pass, watches for the SYNACK (for synchronization acknowledgement) packet to be sent back, and a final ACK (for acknowledgement) packet to complete the handshake. It then starts tracking the conversation and assumes that all further packets in the conversation are allowed. A second three-way handshake closes the connection, and the firewall uses that as a cue to stop tracking the conversation. When a packet arrives that does not match a conversation, it is immediately discarded as invalid. 

Modern Firewalling

Over time, firewall manufacturers got better and better at designing hardware and software purpose-built for rapidly processing and filtering packets. They became more than simple in-out devices, and firewalls with multiple interfaces and routing capabilities emerged, allowing for segmenting internal networks into what is commonly called a zone. NAT also generally became the responsibility of the firewall. Other security-adjacent tasks such as VPN tunnels, previously also requiring purpose-built devices, also moved to the firewall. Eventually, they added capabilities that extend beyond source/destination/port/protocol. Layer-7 firewalls, now most commonly referred to as next-generation firewalls (NGFWs), were created that could even inspect the contents of packets to perform tasks like anti-virus, web filtering, and data-loss prevention, or even be tuned to inspect traffic to ensure it is valid for a specific piece of software receiving the traffic. 

  1. Ok TECHNICALLY this is an extended ACE. There exists a simpler form called a Standard ACE/ACL which only specifies the destination IP address and doesn’t care about port/protocol. We’re gonna talk about extended ACEs though. Deal with it. ↩︎
  2. While the word firewall has existed for centuries to describe an actual wall intended to stop the spread of fires, the first use of the word as a computer security term originated in the 1983 sci-fi movie WarGames. It is assumed, but not confirmed, that this is the direct inspiration for the adoption of the term in computer security. While you consider this, how about a nice game of chess? ↩︎
  3. TCP is a stateful protocol, UDP and ICMP are not. TCP firewalling is the most important to understand and is what we will focus on here. ↩︎