This is a new blog post in my series called Interviewing for an IT Job. If you have not read the series announcement and my previous posts, please do so.


Index of Related Posts:
1. Interviewing for an IT Job
2. What You Need to Know When Interviewing For a Job in IT
3. What to Expect When Going Through the Technical Interview
4. What You Should Know about Headhunters and Recruiters
5. Tips for Networking Success
6. 5 Tips for Successful Webcam Interviews
7. The Basics of Troubleshooting – Part 1 – Ping
8. The Basics of Troubleshooting – Part 2 – Traceroute
9. The Basics of Troubleshooting – Part 3 – Firewalls
10. The Basics of Troubleshooting – Part 4 – NAT
11. The Basics of Troubleshooting – Part 5 – PAT
12. The Basics of Troubleshooting – Part 6 – 1:1 NAT
13. The Basics of Troubleshooting – Part 7 – Port Forwarding

Last week I showed you how to use Traceroute and Ping as a part of the troubleshooting routine and also how these two networking utilities complement each other.

Today I am going to write about firewalls and give you a basic understanding of how they work and what they are used for. In this article we are going to focus on how firewalls are deployed and what that means to you when it is time to troubleshoot a problem.

What is a Firewall?

Think of a firewall as a security guard at the front desk of a high-rise building. The guard’s main purpose is to control access to and from the building and to make sure that the flow of people follows a pre-determined set of rules. For example, people may not enter the premises if they are not on the list of authorized visitors, and people may not leave the building carrying the soda machine.

There are many flavors of firewalls: hardware and software, network layer or packet filters, application-layer filters, and proxy servers.

Firewalls are systems that may combine both hardware and software.

I am not going to explore all these types of firewalls, as they can be very complex and require advanced knowledge of networking. I am going to focus on the basic concept: a firewall lets only authorized traffic through.

Let’s assume that a server is behind a firewall and it should only be reached using HTTP (Hypertext Transfer Protocol) on TCP (Transmission Control Protocol) port 80 (typical for web servers).

[Figure: a server behind a firewall that allows only HTTP (TCP port 80) from the Internet]

There are many reasons why it is desirable to let only specific traffic through a firewall, but as you probably know, the main reason is security. Even though a server may have one specific function (e.g. web server), it may be running many other services in the background.

For example, web developers may use an FTP service running on a web server to upload files that later will be available via a web portal. That means the web server is listening for HTTP traffic (TCP 80) and also FTP traffic (TCP 21). We want the developers who work in the LAN to be able to access the FTP service to do their job, however, we don’t want people on the Internet accessing that FTP service from the outside.

To protect our server, we need to create a few rules for our firewall:

  • Any TCP network traffic coming from the Internet to port 80 (HTTP) is allowed.
  • Any other traffic coming from the Internet is explicitly disallowed.

The rules above are very simplistic but effective. The firewall will only let through the traffic that meets them. So, if someone on the Internet tries to connect to the FTP server behind the firewall on TCP port 21, the firewall will just drop the packets and pretend that nothing happened. The software that initiated the request from the Internet will eventually time out, because no response ever comes back from the firewall.

It is important to clarify that the picture above is a very simplistic representation of what companies do to protect their servers and services. In reality, companies use complex firewall designs and security layers to keep hackers and attackers away from their servers. Furthermore, the firewall rules listed above are related to outside traffic only. Firewalls also have a set of rules for traffic on the LAN and between LAN and WAN.

What you need to take from this example is that whether you are troubleshooting a problem inside or outside your company’s network, you need to be aware that the reason why you can’t ping or traceroute a server may be due to a firewall rule.

Let me explain.

Let’s look at the rules we previously created for our firewall.

  • Any TCP network traffic coming from the Internet to port 80 (HTTP) is allowed.
  • Any other traffic coming from the Internet is explicitly disallowed.

So if I am a user on the Internet, I should be able to point my browser to the website hosted on the web server behind the firewall and browse their web pages.

However, if I try to ping or traceroute the server, I am going to receive a “Request Timed Out” message. That happens because we explicitly told the firewall to disregard any traffic other than TCP on port 80. This is very common, so don’t be surprised if you can connect to a server or service but can’t ping it.

The main reason why companies do not let you ping their servers is that in 1996 a wave of Denial of Service (DoS) attacks was launched against computers all over the world. These attacks took advantage of a flaw in the IP protocol and were called the “ping of death”. Operating system vendors made patches available to users by the end of 1997 and, since then, many companies have decided to block ICMP to prevent further attacks.

Now, if I add another rule to the firewall that explicitly allows pings (ICMP Echo Requests), we can ping or traceroute the same server from the Internet.

Here is our new set of rules:

  • Any TCP network traffic coming from the Internet to port 80 (HTTP) is allowed.
  • Any ICMP Echo Request traffic coming from the Internet is allowed.
  • Any other traffic coming from the Internet is explicitly disallowed.

After these rules are applied to the firewall, users on the Internet will be able to ping the server.
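To make the two rule sets above concrete, here is a small packet-filter simulator. It is an added example written for this post, not code from the original article or from any firewall product. It models both rule sets (HTTP only, and HTTP plus ICMP Echo Request), evaluates packets top to bottom with first match wins, and reports what the client on the other end would see. The zone labels ("internet", "lan"), the LAN-side rule that lets the developers in the article reach FTP, and the deliberately mis-ordered rule set are all my own constructions, included to show why the rules behave the way the text describes.

```python
"""Toy stateless packet filter modelled on the rule sets in this article.

Added example, not the article's own code. Rules are evaluated top to
bottom and the first match wins. A packet that matches no rule falls
through to an implicit default deny. A dropped packet gets no reply at
all (no TCP RST, no ICMP unreachable), which is why the client sees a
timeout rather than a "connection refused" error.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str                    # "internet" or "lan" (constructed labels)
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # TCP/UDP destination port
    icmp_type: Optional[int] = None  # 8 = Echo Request, 0 = Echo Reply


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "drop"
    src_zone: Optional[str] = None   # None means "any" for every field below
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A field that is None on the rule is a wildcard.
        return all(
            want is None or want == have
            for want, have in (
                (self.src_zone, p.src_zone),
                (self.proto, p.proto),
                (self.dst_port, p.dst_port),
                (self.icmp_type, p.icmp_type),
            )
        )


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """Return the action of the first matching rule, or 'drop' if none match."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "drop"  # implicit default deny


# Constructed LAN-side rule standing in for the separate LAN rule set the
# article mentions: developers on the LAN may use FTP (TCP 21).
LAN_FTP_RULE = Rule("allow", src_zone="lan", proto="tcp", dst_port=21)

# Rule set 1 from the article: only HTTP from the Internet.
RULES_HTTP_ONLY = [
    Rule("allow", src_zone="internet", proto="tcp", dst_port=80),
    Rule("drop", src_zone="internet"),       # explicit "anything else" deny
    LAN_FTP_RULE,
]

# Rule set 2 from the article: HTTP plus ICMP Echo Request from the Internet.
RULES_HTTP_AND_PING = [
    Rule("allow", src_zone="internet", proto="tcp", dst_port=80),
    Rule("allow", src_zone="internet", proto="icmp", icmp_type=8),
    Rule("drop", src_zone="internet"),
    LAN_FTP_RULE,
]

# Constructed mistake: the catch-all deny placed above the HTTP allow.
# With first-match semantics the allow rule can never be reached.
RULES_MISORDERED = [
    Rule("drop", src_zone="internet"),
    Rule("allow", src_zone="internet", proto="tcp", dst_port=80),
]


def client_experience(rules: List[Rule], packet: Packet) -> str:
    """What the program that sent `packet` observes."""
    if evaluate(rules, packet) != "allow":
        return "Request timed out"
    return "reply received" if packet.proto == "icmp" else "connected"


if __name__ == "__main__":
    probes = [
        ("HTTP from Internet", Packet("internet", "tcp", dst_port=80)),
        ("FTP from Internet", Packet("internet", "tcp", dst_port=21)),
        ("ping from Internet", Packet("internet", "icmp", icmp_type=8)),
        ("FTP from LAN", Packet("lan", "tcp", dst_port=21)),
    ]
    for name, rules in (("HTTP only", RULES_HTTP_ONLY),
                        ("HTTP + ping", RULES_HTTP_AND_PING)):
        print(f"--- rule set: {name} ---")
        for label, pkt in probes:
            print(f"{label:20s} -> {client_experience(rules, pkt)}")
```

Two things the simulator makes visible that the prose only implies: rule order matters on a first-match firewall (the mis-ordered set silently blocks the web server too), and this filter is stateless, so under the second rule set an inbound ICMP Echo Reply (type 0) answering a ping sent from the LAN is still dropped because only type 8 was allowed; a real deployment would use a stateful rule or also permit the reply type.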

Wrapping Up

Whether you are going through a technical interview or troubleshooting connectivity problems, you should always understand where firewalls may be deployed and what that means for your troubleshooting process.

Resource List

Below is a list of links to important concepts and information that you should be familiar with.

Local Area Network (LAN) – http://en.wikipedia.org/wiki/LAN
Wide Area Network (WAN) – http://en.wikipedia.org/wiki/Wide_area_network
Fully Qualified Domain Name (FQDN) – http://en.wikipedia.org/wiki/FQDN
Domain Name System (DNS) – http://en.wikipedia.org/wiki/DNS
Uniform Resource Locator (URL) – http://en.wikipedia.org/wiki/URL
Router – http://en.wikipedia.org/wiki/Router_(computing)
Network Switch – http://en.wikipedia.org/wiki/Network_switch
Firewall – http://en.wikipedia.org/wiki/Firewall_(computing)
Ping – http://en.wikipedia.org/wiki/Ping_(networking_utility)
Nslookup – http://en.wikipedia.org/wiki/Nslookup
Traceroute – http://en.wikipedia.org/wiki/Traceroute
Ping-of-Death – http://www.cert.org/advisories/CA-1996-26.html
Denial-of-Service (DoS) Attack – http://en.wikipedia.org/wiki/Denial-of-service_attack
Network Address Translation (NAT) – http://www.cisco.com

What’s Next?

In my next article, we are going to talk about Network Address Translation (NAT).

Cheers!

Fabio.