Firewalls: Because your computer should use protection with strangers on the internet.
Introduction
We have all heard of firewalls in network security at some point or another, but the market has grown considerably and it's worth taking the time to understand our options. What distinguishes firewalls from other forms of security controls? In which situations is a firewall required, and in which scenarios is a firewall the best security option? Welcome to this hitchhiker's guide to firewalls.
What is a Firewall?
Firewalls are network security devices that filter the traffic passing between a trusted computer or network and everything outside it. They inspect incoming and outgoing traffic and decide whether to allow or block it based on a set of security rules. Firewalls are an essential component of network security because they help prevent unauthorized access and other cyber threats.
This layman's description of a firewall is much like a border control process: passage is restricted to a chokepoint, and who may pass is decided by immigration and emigration rules. The rules for entering are often different from the rules for leaving, and certain people (or certain traffic) face more scrutiny than others.
Some sources indicate that the term "firewall" is borrowed from the construction practice of building walls in between or through the middle of buildings designed to contain a fire. This practice is aimed at preventing the spread of fire to other parts of the building and is similar to the way a firewall in computer systems prevents the spread of malware or unauthorized access to other parts of the network.
Types of Firewalls
Every border has its own "immigration" rules and processes, which vary with the country and the situation. Similarly, firewalls and their exact security rules differ from product to product and even device to device, but they can be roughly divided into two broad categories depending on where they are implemented, each with its own set of features: hardware and software.
Hardware vs Software Firewall
A software firewall is installed on a computer and regulates traffic through port numbers and applications, while a hardware firewall is a piece of equipment installed between the local network and the gateway.
Hardware firewalls tend to be network-based and for large enterprises, while software firewalls tend to be host-based and generally targeted for individual home users' needs. Hardware firewalls are typically implemented as standalone devices, while software firewalls are installed on individual computers or servers. It is recommended to have a combination of both types simultaneously, even multiples of the same type, because they have complementary advantages and disadvantages. Having a combination of both types of firewalls enhances overall network security and provides a layered defense against potential threats.
| What | Hardware | Software |
|---|---|---|
| Scope | Network-based (filters traffic to and from the internal LAN) | Host-based (filters traffic to and from the computer it is installed on, not the whole network) |
| Typical Users | Large corporations | Individual home users |
| Packaging | Packet filter firewalls (a subset of hardware firewalls) usually operate at OSI Layer 3, the network layer, and are often part of a router | Often comes as part of the operating system (OS) |
| Packet Inspection Capabilities | No (generally) | Potentially |
Furthermore, we can divide firewalls on the basis of their implementation use cases as external and internal.
External vs Internal Firewall
External firewalls filter traffic between public and private networks; internal firewalls filter traffic between network segments within the same organization or between two (or more) organizations that share the same network. Internal firewalls are useful for situations with different levels of access. They help protect sensitive information and prevent unauthorized access to specific network segments. This can lead to the segmenting of the network into various sub-sections, such as
external public networks, such as the global internet and extranets.
internal private networks, such as home networks and corporate intranets.
perimeter networks, which are border networks made of bastion hosts, computers with hardened security that act like "tanks" in a battle. These are not as secure as internal networks but are more secure than external networks.
1988: The First Generation: Packet Filter Firewalls
The earliest and most basic firewalls were packet filter firewalls (a.k.a. static packet-filtering firewalls or stateless inspection firewalls). These devices catch all data packets at Layer 3 of the OSI model, the network layer. They then check each one against a set of security rules based on the source and destination IP addresses, port numbers, and packet type before forwarding it to its destination if the rules allow it. These rules (the access control list, or ACL) are created manually and require continual revision.
First released in 1988 by Digital Equipment Corporation (DEC), packet filters are stateless firewalls that have no memory. Every packet received is independently checked against the ACL.
Since Layer 3 routers are responsible for identifying the destination IP address of each packet, packet filter firewalls are often built into routers, like guards at a post office who check that no package looks suspicious and that no source or destination is blacklisted before letting the postman deliver it.
However, stateless packet filter firewalls lack context, which leaves them exposed to common attack strategies: for example, they cannot block a request to delete protected or sensitive data if it arrives from a trusted source address, because the address is all they check.
Packet filter firewalls emerged in 1988 as the first generation of network firewalls, developed in response to the growing need for security in computer networks, particularly the nascent internet. The first-generation firewall can be summarized as follows:
Basic Packet Filtering: Packet filter firewalls operate at the network layer (Layer 3) of the OSI model. They inspect data packets as they come through a network interface and decide whether to accept or reject them based on specified rules or filters.
Rule-Based Filtering: These firewalls use a set of rules that specify which packets are permitted and which are denied. Rules are typically based on criteria such as source and destination IP addresses, source and destination ports, and protocols (e.g., TCP, UDP, etc.).
Stateless Inspection: Packet filter firewalls are stateless, which means they do not maintain information about the state of connections. Each packet is evaluated independently based on the rules, without considering the context of previous packets in the same session.
Efficiency: One advantage of packet filter firewalls is their efficiency. They can process a large number of packets quickly because they focus on basic header information rather than inspecting the content of the data payload.
Limitations: While packet filter firewalls are efficient, they have limitations. They are not capable of deep inspection of packet content, which makes them vulnerable to certain types of attacks. For example, they cannot detect and block malicious content carried in a packet's payload, encrypted or not.
Evolution: Over time, packet filter firewalls evolved to include more advanced features. Stateful inspection firewalls, which maintain state information about connections and can make more informed decisions, became a later development in firewall technology.
Security Context: The emergence of packet filter firewalls marked the beginning of a more formalized approach to network security. It introduced the idea that network security should be context-aware and that rules should be defined to control traffic based on specific criteria.
Historical Significance: The development of packet filter firewalls in 1988 was a pivotal moment in the history of network security. It laid the foundation for subsequent generations of firewalls and security technologies as the internet continued to grow and evolve.
1989: Second Generation: Circuit Level Gateways, aka Stateful Firewall
Developed in 1989–1990 by AT&T Bell Labs, only about a year after first-generation firewalls, circuit-level gateways belonged to the second generation of firewalls, a category also known as stateful firewalls.
Circuit-level gateways filter packets at the session layer, Layer 5 of the OSI model, to determine whether a requested session is legitimate or not, i.e., whether it comes from an authorized device, at a legitimate time, etc.
These firewalls do more than filter: they keep a record of all connections passing through (the trusted sessions) in a dynamic state table. If a packet does not belong to an active connection, it is evaluated against the ACL that governs the creation of new connections, so there is more flexibility than in first-generation firewalls. Note that in circuit-level gateways, once a session is accepted, no further checks on the individual packets of that session are done.
Key features and characteristics of circuit-level gateways or stateful firewalls include:
Stateful Inspection: These firewalls maintain a state table that keeps track of the state of active network connections. They can distinguish between established, related, and new connections. This enables them to make context-aware decisions about whether to permit or deny traffic.
Connection Tracking: Circuit Level Gateways analyze the state of a connection, tracking important information such as source and destination IP addresses, port numbers, and the sequence of packets. This information helps in identifying legitimate connections and flagging suspicious or unauthorized activity.
Improved Security: The ability to understand the context of network connections allows these firewalls to provide better security than first-generation firewalls. They can prevent common attacks, such as IP spoofing and port scanning, by analyzing the behavior and state of network traffic.
Application Layer Awareness: While circuit-level gateways focus primarily on session-level inspection, they can also perform limited application-layer filtering by examining the data payload of packets. However, this is not as reliable as the application-layer inspection that Next-Generation Firewalls and other firewalls from later generations offer.
Performance: Circuit-level gateways are generally more resource-intensive than packet-filtering firewalls due to the need to maintain state information for each connection. However, advancements in hardware and software have improved their performance over time.
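The two generations above, side by side: a stateless ACL that judges each packet alone and a stateful filter that consults a state table first. This is an added example, not code from the original article; the addresses, ports and rules are constructed for illustration and only TCP flows keyed on the 4-tuple are modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the packet that opens a TCP connection

@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "any"           # exact address or "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def stateless_filter(acl: list, p: Packet) -> str:
    """First-generation behaviour: every packet is judged on its own header,
    first matching rule wins, implicit deny at the end of the ACL."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFilter:
    """Second-generation behaviour: a connection admitted by the ACL is recorded
    in a state table, and later packets are allowed only if they belong to it."""
    def __init__(self, acl: list):
        self.acl = acl
        self.state = set()     # established flows as (src, sport, dst, dport)

    def decide(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reverse in self.state:
            return "allow"                         # packet of an established session
        verdict = stateless_filter(self.acl, p)    # new connection: consult the ACL
        if verdict == "allow" and p.syn:
            self.state.add(flow)
        return verdict

INTERNAL = "10.0.0.5"   # constructed internal host
# A stateless ACL has to admit reply traffic with a static rule, and the only
# thing it can key on is the header, so "anything from source port 443" gets in.
STATELESS_ACL = [Rule("allow", src=INTERNAL, dport=443),
                 Rule("allow", dst=INTERNAL, sport=443)]
# A stateful filter only needs the outbound rule; replies ride on the state table.
STATEFUL_ACL = [Rule("allow", src=INTERNAL, dport=443)]

OUTBOUND = Packet(INTERNAL, 50000, "203.0.113.9", 443, syn=True)   # client opens HTTPS
REPLY = Packet("203.0.113.9", 443, INTERNAL, 50000)                 # server answers
UNSOLICITED = Packet("198.51.100.7", 443, INTERNAL, 3389)           # nobody asked for this

def compare() -> dict:
    """Return {packet name: (stateless verdict, stateful verdict)}."""
    sf = StatefulFilter(STATEFUL_ACL)
    return {name: (stateless_filter(STATELESS_ACL, p), sf.decide(p))
            for name, p in (("outbound", OUTBOUND), ("reply", REPLY),
                            ("unsolicited", UNSOLICITED))}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The unsolicited packet is admitted by the stateless ACL purely because its source port looks like a reply, while the stateful filter drops it because no session in the table matches.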
1991: Third Generation: Application Proxy Firewalls
An application proxy, also known as an application-level gateway / application-layer firewall or application-level proxy, acts like a proxy server and filters services and protocols. The security rules can be application-specific (e.g., confined to a particular browser) or protocol-specific (e.g., FTP, SSH). For example, an FTP proxy will only allow FTP traffic to pass through, while all others could be blocked.
As the name suggests, these firewalls filter Layer 7 (application layer) protocols of the OSI model, such as HTTP and FTP, although they can inspect and filter at any layer, and they use both stateful inspection and deep packet inspection. These firewalls are considered more advanced and sophisticated than previous generations. Application proxy firewalls represented a significant advancement in network security, particularly in terms of application-level control and security.
Here are some key characteristics and features of application proxy firewalls:
Application-Layer Inspection: Application Proxy Firewalls operate at the Application Layer (Layer 7) of the OSI model. They have a deep understanding of various application protocols, allowing them to inspect and filter traffic at the application level. This means they can make intelligent decisions based on the content and context of network packets.
Protocol Awareness: Application Proxy Firewalls are aware of the specific application protocols being used in network traffic. They can identify and control traffic for a wide range of applications, including HTTP, FTP, SMTP, and more. This enables granular control over which applications are allowed or denied.
Proxying and Authentication: These firewalls act as intermediaries (proxies) between the internal network and external resources. When a user or application requests access to an external service, the firewall establishes a separate connection to that service on behalf of the client. This allows for user authentication, content inspection, and data manipulation.
Content Filtering: Application Proxy Firewalls can inspect and filter the content of application-layer traffic. This means they can block or allow specific URLs, keywords, file types, or attachments within network traffic. Content filtering helps enforce security policies and prevent data leaks.
Stateful Inspection: Similar to circuit-level gateways, application proxy firewalls often incorporate stateful inspection capabilities. They maintain session state information to make context-aware decisions, ensuring that only legitimate connections are established.
Advanced Security: Application Proxy Firewalls are highly effective at preventing application-specific attacks, such as SQL injection, cross-site scripting (XSS), and application-layer DDoS attacks. Their ability to understand and analyze application protocols makes them suitable for protecting against these threats.
Granular Access Control: These firewalls provide granular control over user and application access. Network administrators can define access policies based on user roles, applications, and content types, allowing for fine-grained control over network traffic.
While application proxy firewalls offer enhanced security and application-level control, they can introduce additional latency due to the proxying process. However, advancements in hardware and software have mitigated some of these performance issues over time.
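An application proxy makes its decision from the protocol itself, not from addresses and ports. The HTTP proxy policy below is an added example, not code from the original article: it parses the request line and headers, refuses anything that is not well-formed HTTP (the way a protocol-specific proxy rejects traffic it does not understand), and then applies a constructed content policy on method, host and file type.

```python
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = {".exe", ".scr"}            # constructed file-type policy
BLOCKED_HOSTS = {"downloads.example.invalid"}    # constructed URL policy
MAX_URL_LEN = 2048

def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of an HTTP/1.x request.
    Raises ValueError for anything that is not well-formed HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="strict").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("missing Host header")
    return {"method": method, "target": target, "headers": headers, "body": body}

def proxy_decision(raw: bytes) -> tuple:
    """Return ("allow", summary) or ("deny", reason) for one client request."""
    try:
        req = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return "deny", f"protocol violation: {exc}"
    if req["method"] not in ALLOWED_METHODS:
        return "deny", f"method {req['method']} not permitted"
    if len(req["target"]) > MAX_URL_LEN:
        return "deny", "URL too long"
    url = urlsplit(req["target"])                  # origin-form or absolute-form target
    host = (url.hostname or req["headers"]["host"].split(":")[0]).lower()
    if host in BLOCKED_HOSTS:
        return "deny", f"host {host} blocked by policy"
    path = url.path.lower()
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "deny", "blocked file type"
    return "allow", f"{req['method']} {host}{path}"

if __name__ == "__main__":
    # constructed sample requests, including one that is not HTTP at all
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                   b"GET /setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                   b"SSH-2.0-OpenSSH_9.0\r\n"):
        print(proxy_decision(sample))
```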
A Unified Threat Management (UTM) Approach
A modern network security posture includes many components: security rules, access lists, gateway antivirus, sandboxing, network profiling, the Intrusion Prevention System (IPS), anti-spam, VPN, etc. The term for this is Unified Threat Management (UTM). UTM has become an indispensable tool for organizations to ensure comprehensive network security. It combines multiple security features into a single platform, making it easier for organizations to manage and protect their networks. Here are some other key words that might be relevant to our discussion:
The Next Generation Firewall (NGFW)
NGFWs, also referred to as third-generation firewalls, move beyond port/protocol inspection. In addition to traditional network filtering capabilities, they also filter based on packet content (deep packet inspection) and include Intrusion Prevention Systems (IPS), sandboxing (executing incoming code in isolation to confirm it is not malicious), application control, URL filtering based on geolocation and reputation, advanced malware protection, network profiling, identity policy, VPN, etc.
Application awareness (knowledge of which programs are running), identity awareness (which user is logged in and the associated user rights), and sandboxing are considered by Cloudflare to be NGFW-specific.
Stateful Multilayer Inspection Firewall (SMLI)
This kind of firewall combines features of circuit-level gateways, application-level gateways, and packet filter firewalls. It filters traffic at three levels of the OSI model: the network, session, and application layers. At the application layer, it checks the contents of each packet and ties them back to the session state to make sure the packet is legitimate. Like NGFWs, SMLI firewalls also have memory: they compare packets against known trusted packets and allow them to pass only if every layer of the packet matches the criteria. They are expensive and require competent personnel to administer them.
House Firewalls
Firewalls, also known as screening routers, are essential network security components that safeguard a network from unauthorized access and potential internet-based threats. They serve as a barrier between an internal network (like a residential network) and an external network (typically the internet). The screened host firewall model and the screened subnet firewall model are two prevalent types of home firewalls.
Screened Host Firewall Model
In this model, a single, highly protected host (computer) functions as a firewall. This host sits between the internal network and the internet. The screened host's primary function is to filter incoming and outgoing traffic, allowing only authorized traffic to travel and blocking or denying unauthorized traffic.
Key characteristics of the screened host firewall model:
Simple setup, as there is only one host to configure and manage.
Typically used in smaller networks or homes where there is a single point of entry/exit to the network.
Offers a high level of control over traffic filtering and security policies.
Vulnerabilities or misconfigurations in the host can be a single point of failure.
Screened Subnet Firewall Model
In this model, a DMZ, or demilitarized zone (also known as a screened subnet), is constructed between two firewalls. The internal network, the external network (internet), and the DMZ are all distinct segments. The first firewall, also known as the external firewall, safeguards the internal network from untrusted external traffic. The second firewall, the internal firewall, prevents unauthorized access to the internal network from the DMZ.
Key characteristics of the screened subnet firewall model:
Provides an additional layer of security by segregating the DMZ from the internal network.
Typically used in larger networks where there is a need to host public-facing services (e.g., web servers) that require internet access but should not have direct access to the internal network.
Offers enhanced security through a dual firewall setup, reducing the risk of a single point of failure.
In both models, the function of the firewall is to examine incoming and outgoing traffic against a set of predefined rules (firewall rules) to determine whether the traffic should be permitted or denied. These rules are intended to protect the network from a variety of threats, such as unauthorized access, malware, and other cyberattacks. To ensure the security and integrity of the network, it is crucial to routinely update and maintain the firewall rules, apply security patches, and adhere to best practices when configuring a home firewall.
Network Address Translation (NAT) firewalls
Network Address Translation (NAT) firewalls are firewalls that include NAT as part of their security features. NAT allows multiple machines with different local network addresses to connect to the internet through a single public IP address, concealing the individual internal addresses (much as the Tor browser or a VPN conceals a user's address) and improving the security posture against attackers. Like proxy firewalls, NAT firewalls serve as an intermediary between a group of computers and outside traffic. They are critical components of network security because they add a layer of protection between a local network and the internet, achieved by translating local network IP addresses to a single external IP address.
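Why NAT behaves like a firewall: the translation table that maps each internal flow to a public port is also the only way an inbound packet can find its way back in. The simulation below is an added example, not code from the original article; the public and private addresses, the port range and the traffic are all constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    """Source NAT with a translation table. Inbound packets that do not match an
    entry (or come from a different remote peer) have nowhere to go and are dropped."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}      # private (src, sport, dst, dport) -> public port
        self.by_port = {}      # public port -> private (src, sport, dst, dport)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source to the public address, allocating a port per flow."""
        flow = (p.src, p.sport, p.dst, p.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a reply back to the private host, or None if it is dropped."""
        if p.dst != self.public_ip:
            return None
        flow = self.by_port.get(p.dport)
        if flow is None or (flow[2], flow[3]) != (p.src, p.sport):
            return None                            # no session for this peer: dropped
        priv_ip, priv_port, _, _ = flow
        return replace(p, dst=priv_ip, dport=priv_port)

def demo() -> dict:
    """Run constructed traffic through a NAT with public address 203.0.113.1."""
    nat = NatFirewall("203.0.113.1")
    first = Packet("192.168.1.10", 51000, "198.51.100.20", 443)
    out1 = nat.outbound(first)
    out1_again = nat.outbound(first)                     # same flow keeps its port
    out2 = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.20", 443))
    reply = nat.inbound(Packet("198.51.100.20", 443, "203.0.113.1", out1.sport))
    unsolicited = nat.inbound(Packet("198.51.100.99", 22, "203.0.113.1", 40000))
    return {"out1": out1, "out1_again": out1_again, "out2": out2,
            "reply": reply, "unsolicited": unsolicited}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Two internal hosts using the same private port 51000 get distinct public ports, the server's reply is routed back to the right host, and an unsolicited packet aimed at a mapped port from a different peer is dropped.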
Cloud Firewalls
Cloud firewalls are security solutions that have been tailored for cloud computing workloads in which applications, data, and services are hosted on cloud infrastructure. These firewalls are an important component of cloud security, assisting in the protection of cloud-based resources from unauthorized access, data breaches, and other cyber threats. Here are some of the important qualities and features that distinguish cloud firewalls:
Cloud-Native Protection: Cloud firewalls are designed to provide security for cloud-native applications and services. They are typically offered as a service by cloud providers (such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform) or as third-party solutions specifically designed to integrate seamlessly with cloud environments.
Network Security: Cloud firewalls control incoming and outgoing network traffic to and from cloud resources. They enforce security policies and rules to allow or block traffic based on factors such as IP addresses, port numbers, protocols, and application-layer information.
Virtualized and Scalable: Cloud firewalls are highly virtualized and can dynamically scale to accommodate the changing demands of cloud workloads. They can adapt to handle increased traffic or additional cloud resources as needed without requiring physical hardware changes.
Integration with Cloud Services: Cloud firewalls often integrate closely with other cloud security services and features, such as identity and access management (IAM), virtual private clouds (VPCs), and security groups. This integration helps enforce security policies consistently throughout the cloud infrastructure.
Application Layer Filtering: Some advanced cloud firewalls offer deep packet inspection (DPI) and application layer filtering, allowing them to identify and block specific applications or services that may pose security risks.
Logging and Monitoring: Cloud firewalls typically provide logging and monitoring capabilities, enabling administrators to track and analyze network traffic, security events, and potential threats. These logs can be used for security incident response and compliance purposes.
Security Groups and Rules: In cloud environments like AWS and Azure, security groups and network security rules can be defined to control traffic at the instance or resource level. These security groups effectively function as cloud firewalls, allowing you to specify which traffic is allowed to reach specific resources.
Geo-Blocking and Threat Intelligence: Some cloud firewall solutions offer features like geo-blocking, which allows administrators to block traffic from specific geographic regions. Additionally, they may incorporate threat intelligence feeds to identify and block traffic from known malicious IP addresses and sources.
Automation and Orchestration: Cloud firewalls can be configured and managed programmatically through APIs, enabling automation and orchestration of security policies as part of the DevOps and infrastructure-as-code (IaC) processes.
High Availability and Redundancy: Cloud firewalls can be configured for high availability and redundancy to ensure continuous protection against network threats and minimize downtime.