Routers and Firewalls

Part of 22C:169, Computer Security Notes
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science


When a network is constructed of multiple network segments, network hosts must be prepared to accept messages from one network segment and forward them onto another network segment. This applies to any network host that is connected to multiple network segments -- the term internet, with a lower case i, implies connection of multiple subnetworks and therefore an internet can only be constructed using routers.

When a machine links two networks with incompatable network protocols, the machine is called a gateway. All gateways perform some routing functions, but in addition, they convert between the incompatible protocols.

This function is called network routing. Network routing typically involves some kind of routing algorithm. Typically, these use local routing tables to figure out, from the destination network address, which of many outgoing network links should be used to send messages addressed to that destination.

A machine dedicated to network routing is called a router. Such a machine has a fully developed link-layer and network-layer software, but the only software running at any higher layer is there to support a single application, the user interface used for configuring the routing tables.

A router could, in theory, auto-configure itself, searching the networks to which it is attached for machines willing to export routing table information, but usually, it needs some hints, for example, the network addresses of name servers that it can get additional information from.

Routers can serve security functions by hiding the existance of some network addresses on one of the networks attached to the router from users of some other network attached to the router. When used in this way, a router begins to serve as a firewall.

Routers can also perform network address translation, so that the apparent from-address on packets sent through the router is changed. This can be used maliciously in order to hide the identity of an attacking machine, but it is also a legitimate way to deal with a limited supply of real addresses in a large network, and a legitimate way to protect hosts on.

Attacks on the network routing tables of routers can be very dangerous, because such an attack can send messages that were intended to go to one machine to another machine instead -- typically the attacker's machine.


Firewalls, as opposed to routers, lift messages up to a higher level in the protocol stack. For example, messages are lifted to the transport layer, so that the firewall can selectively block, translate addresses or redirect messages addressed to specific ports (or transport-level destinations) on specific machines instead of lumping all traffic to the same machine together.

With a firewall in place, stmp messages (e-mail) can be directed to a mail server, while http messages (web-service) can be directed to a web server, even though the network addresses on the two classes of messaage are the same.

The term firewall can also be used generically to refer to any technology that selectively blocks access to resources, motivated by a desire to prevent the spread of damage or attack.

Firewalls are usually thought of as blocking access to a specific set of network ports from the outside world. Thus, you might use a firewall to block internet chat while permitting e-mail to flow.

Higher level firewalls can lift messages up to the applications layer, for example, extracting all E-mail flowing through the firewall in order to filter for prohibited content or block E-mail with from-lines that are associated with known spammers.

The most famous firewall is the Great Firewall of China, officially known as the Golden Shield Project. Saudi Arabia and several other nations attempt a similar degree of network filtering in order to prevent access to forbidden or offensive material.

Demilitarized Zones

A demilitarized zone is a zone between two firewalls where resources are located that are accessible from both inside the protected world and from the outside world. All access to the zone is through firewalls, and no resources in the protected world are directly accessible from the outside world. Web servers, for example, go in the DMZ to export data to the public, while the official copies of all data are maintained in the protected world.


As usual, the Wikipedia is a good source. See: