Firewalls vs. Packet Filters

As is often the case with technical terms, "firewall" has come to be used vaguely and inaccurately to cover a number of things which are not truly firewalls. This problem has been exacerbated by vendors such as Cisco and Ascend, who have tried (successfully) to market turn-key network security solutions under the term "firewall", as well as by a plethora of packet filtering programs almost universally known as "ip firewall" or "ipfw".

Firewalls

A firewall is a computer connected to both a private (protected) network and a public (unprotected) network, which receives and resubmits specific kinds of network requests on behalf of network clients on either the private or public network.

Firewalls involve proxies. A proxy acts as a middle-man in a network transaction. Rather than allowing a client to speak directly to a server, the proxy server receives the request from the client, and then resubmits the request, on behalf of the client, to the target server. Each protocol or type of network transaction typically requires its own proxy program, and an administrator enables or installs specific proxies to determine what kinds of services will be allowed between the two networks.

Firewalls are not routers or address translators. A firewall never copies or forwards a packet from the internal network to the external network, or vice versa. The internal network uses private address space. Neither side of the firewall knows about the address space on the other side, nor how to route data to it.

Packet Filters

A packet filter is a set of rules, applied to a stream of data packets, which is used to decide whether to permit or deny the forwarding of each packet. These rules are usually on a router or in the routing layer of a computer's network protocol stack. Using a packet filter, an administrator can dictate what types of packets are allowed into or out of a network or computer.

Some devices, such as the Cisco PIX, combine address translation with packet filtering. Like a firewall, this prevents the outside network from having knowledge of the address space on the protected network. However, aside from translating the addresses of the internal network, packets are forwarded as received through the unit, and no proxies are involved. This certainly improves security, but, strictly speaking, this is not a firewall.
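To make the two preceding paragraphs concrete, here is an added example (not part of the original article) of a border packet filter in Python: an ordered rule list with first-match-wins and implicit deny, applied to constructed packets for a private 10.0.0.0/8 network. The Packet, Rule, filter_packet and forward names are assumptions, and the "new connection" test is approximated with a SYN-only flag rather than real connection tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a border packet filter for the private network 10.0.0.0/8.
INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # CIDR the source address must fall in
    dst: str                # CIDR the destination address must fall in
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_conn: Optional[bool] = None  # None = don't care; True = only new connections

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.new_conn in (None, p.syn_only))

# Rules are evaluated top to bottom; the first match decides.
RULES: List[Rule] = [
    Rule("permit", INTERNAL, ANY),                              # anything outbound
    Rule("deny", ANY, INTERNAL, proto="tcp", new_conn=True),    # no inbound connection attempts
    Rule("permit", ANY, INTERNAL, proto="tcp", new_conn=False), # replies to outbound connections
]

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; no match means deny,
    the implicit default on most router access lists."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

def forward(rules: List[Rule], p: Packet) -> Optional[Packet]:
    """A packet filter forwards a permitted packet exactly as received;
    it never rewrites it or opens its own connection the way a proxy does."""
    return p if filter_packet(rules, p) == "permit" else None
```

Inbound UDP is denied here only because no rule permits it, which is why the order and completeness of the rule list matter as much as any single rule.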

It is worth noting that any good firewall will also employ packet filtering. This is done to protect the firewall itself from intrusion and to isolate intruders from the internal network should an attacker gain control of the firewall.

Making a Choice

None of this is intended to imply that packet filters are a poor solution to your network security issues. Packet filters are an effective mechanism for blocking unwanted and mischievous data from entering (or leaving) your network. As nearly all routers possess packet filtering capability, they are also a cost-effective solution.

However, I believe it is important for network administrators to understand the difference between firewalls and packet filtering, so that they can properly evaluate different security options.


© Copyright 1999 by Coreth Consulting, Inc.