Corporate networks today rely on a router and/or firewall to protect their computers or LAN from unauthorized external access. Firewalls provide security by filtering or redirecting inbound traffic.
A firewall can be implemented as software or hardware and works by examining packets of information passing into a network through ports.
We explored packets a bit in the previous blog post. Data sent between a client and a server is broken down into chunks small enough to be sent easily over the network. These chunks, or payload, are wrapped in several layers of contextual information which tell the server what needs to be done with the packet information. The firewall examines these layers for authenticity. If the packet doesn’t meet the firewall’s requirements for security, it gets silently “dropped”—it doesn’t get through the firewall, and any security risks it harbors are nullified.
IP Addresses and Ports
In order to start a connection between a client and an FTP server, you need the IP address of the server and a port to latch onto. The world of IPs is huge and constantly shifting. Most routers have a public-facing IP address that connections can target, while harboring a range of different IPs behind it, one for each different device on that network. Of course, each device can use a different IP number in that range anytime it reconnects to the network; the router keeps track of which device is using which IP, so that incoming traffic is directed to the correct device. The router in this case is working as a firewall by presenting a public face, screening traffic, and passing it along without allowing the incoming traffic to interact directly with the networked device.
Corporate networks usually purchase large ranges of IPs. Keeping an outward-facing IP that is very different from the range of internal IPs provides an extra layer of defense to the network. To add to this, firewalls can be configured to forward information that comes in on the default port to that port on the internal network.
Configure Port Forwarding
To ensure users have access to a server on the internal LAN without endangering the computers linked through the LAN, companies regularly use port forwarding through the firewall to direct the TCP/IP traffic to the proper computer. Port forwarding is used by most routers/firewalls. Port forwarding literally forwards data incoming on a specific port to the same port on a different computer.
During port forwarding, the firewall will redirect traffic to the server based on IP address. Therefore, the networked computers must use a static IP address that the firewall can always refer to. If the server’s IP address is DHCP (Dynamic Host Configuration Protocol) based, the firewall could forward the data to the wrong computer.
Both your router/firewall and server will need to be configured to use port forwarding, however.
To set up a static IP on a Cornerstone installed on an internal LAN-based computer:
- Retrieve the external public IP address of the firewall, the internal IP address of the router, and the internal LAN IP address of the Cornerstone server.
- Have the Network/LAN Administrator reconfigure the firewall to forward server traffic to the Cornerstone Server according to the following table:
We recommend opening a range of 10 to 50 ports for information from the firewall—this is known as a passive port range. These ports will be used for transferring data and directory listings to the client. Do not use a single port, as this may result in data transfer failures for clients.
Firewalls are fairly standard with current computing and networking systems, and in combination with port forwarding they provide a robust form of protection. However, by putting your data behind a firewall, you’ve hidden it from other computers and thrown roadblocks in the way of communication. Thankfully, your security team can initiate automated workarounds in the form of Active and Passive Modes. Our next post will cover Active and Passive Modes, which allow networks to exchange data through the firewall securely.