Firewall

Why are firewalls important?

Firewalls are important because they have had a huge influence on modern security techniques and are still widely used. They first emerged in the early days of the internet, when networks needed new security methods that could handle increasing complexity. Firewalls have since become the foundation of network security in the client-server model — the central architecture of modern computing. Most devices use firewalls — or closely related tools — to inspect traffic and mitigate threats.

A firewall establishes a border between an external network and the network it guards. It is inserted inline across a network connection and inspects all packets entering and leaving the guarded network. As it inspects, it uses a set of pre-configured rules to distinguish between benign and malicious packets.

The term ‘packets’ refers to pieces of data that are formatted for internet transfer. Packets contain the data itself, as well as information about the data, such as where it came from. Firewalls can use this packet information to determine whether a given packet abides by the rule set. If it does not, the packet will be barred from entering the guarded network.

Rule sets can be based on several things indicated by packet data, including:

  • Their source.
  • Their destination.
  • Their content.

These characteristics may be represented differently at different levels of the network. As a packet travels through the network, it is reformatted several times to tell the protocol where to send it. Different types of firewalls exist to read packets at different network levels.

Advantages

  • A firewall is an intrusion detection mechanism. Firewalls are configured to an organization’s security policy, and their settings can be altered to make pertinent modifications to their functionality.
  • Firewalls can be configured to bar incoming traffic to POP and SNMP while still enabling email access.
  • Firewalls can also block email services to secure against spam.
  • Firewalls can be used to restrict access to specific services. For example, the firewall can grant public access to the web server but prevent access to Telnet and the other non-public daemons.
  • A firewall verifies incoming and outgoing traffic against its rules. It acts as a router, moving data between networks.
  • Firewalls are excellent auditors. Given plenty of disk space or remote logging capabilities, they can log any and all traffic that passes through them.

Disadvantages

  • A firewall can’t prevent revealing sensitive information through social engineering.
  • A firewall can’t protect against what has been authorized. Firewalls permit normal communications of approved applications, but if those applications themselves have flaws, a firewall will not stop the attack: to the firewall, the communication is authorized.
  • Firewalls are only as effective as the rules they are configured to enforce.
  • Firewalls can’t stop attacks if the traffic does not pass through them.
  • Firewalls also can’t secure against tunneling. Even secure applications can be attacked with Trojan horses, and tunneling malicious traffic over HTTP, SMTP and other permitted protocols is simple and easily demonstrated.

Firewall classification

How much protection a firewall provides depends on the firewall itself and on the policies configured on it. The main firewall technologies available today are:

  • Hardware firewall
  • Software firewall
  • Packet-filtering firewall
  • Proxy firewall
  • Application gateways
  • Circuit-level gateways
  • Stateful packet inspection (SPI)

Hardware firewall

A hardware firewall is preferred when a firewall is required on more than one machine. A hardware firewall provides an additional layer of security to the physical network. The disadvantage of this approach is that if one firewall is compromised, all the machines that it serves are vulnerable.

Software firewall

A software firewall is a second layer of security and secures the network from malware, worms, viruses and email attachments. It looks like any other program and can be customized based on network requirements. Software firewalls can be customized to include antivirus programs and to block sites and images.

Packet-filtering firewall

A packet-filtering firewall filters at the network or transport layer. It provides network security by filtering network communications based on the information contained in the TCP/IP header of each packet. The firewall examines these headers and uses the information to decide whether to accept the packets and route them along to their destinations, or to deny them by dropping them. This firewall type is essentially a router that uses a filtering table to decide which packets must be discarded.

Packet filtering makes decisions based on the following header information:

  • The source IP address
  • The destination IP address
  • The network protocol in use (TCP, ICMP or UDP)
  • The TCP or UDP source port
  • The TCP or UDP destination port
  • If the protocol is ICMP, then its message type
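The filtering table described above, as an added example that is not part of the original article: a stateless packet filter that decides on each packet from its header fields only (source and destination address, protocol, destination port, ICMP message type). The guarded network 192.0.2.0/24, the rules and the packets are constructed for the example; first match wins and an unmatched packet is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Only the header fields a packet filter looks at (constructed, not a real parser)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    src: str = "0.0.0.0/0"           # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        for name in ("proto", "dport", "icmp_type"):
            want = getattr(self, name)
            if want is not None and want != getattr(p, name):
                return False
        return True


# Constructed filtering table for a guarded 192.0.2.0/24 network.
# First matching rule wins; a packet matching no rule is dropped (default deny).
RULES = [
    Rule("drop", src="10.0.0.0/8"),                                 # anti-spoofing: private source seen from outside
    Rule("drop", dst="192.0.2.0/24", proto="tcp", dport=23),        # never expose Telnet
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=80),     # public web server only
    Rule("accept", dst="192.0.2.0/24", proto="icmp", icmp_type=8),  # ICMP echo request
]


def decide(p: Packet, rules=RULES) -> str:
    """Walk the table top to bottom and return the first matching action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"
```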

Proxy firewall

The packet-filtering firewall is based on information available in the network and transport layer headers. However, sometimes a message must be filtered based on information available only in the message itself (at the application layer).

For example, assume that an organization allows access only to users who have previously established a business relationship with the company; access by all other users must be blocked. A packet-filtering firewall cannot do this because it can’t distinguish between different packets arriving at TCP port 80.

Here, the proxy firewall comes in as the solution: a proxy computer is installed between the customer and the corporation’s computer. When the user’s client process sends a message, the proxy firewall runs a server process to receive the request. The server opens the packet at the application level and confirms whether the request is legitimate or not. If it is, the server acts as a client process and sends the message on to the real server. Otherwise, the message is dropped. In this way, the requests of external users are filtered based on their contents at the application layer.

Application gateways

These firewalls analyze application-level information to decide whether or not to transmit the packets. Application gateways act as an intermediary for applications such as email, FTP, Telnet, HTTP and so on. An application gateway verifies the communication by asking for authentication before passing the packets. It can also perform conversion functions on data if necessary.

For example, an application gateway can be configured to restrict FTP commands so that only get commands are allowed and put commands are denied.

Application gateways can be used to protect vulnerable services on protected systems. Direct communication between the end user and the destination service is not permitted. These are the common disadvantages of implementing an application gateway:

  • Slower performance
  • Lack of transparency
  • Need for proxies for each application
  • Limits to application awareness

Circuit-level gateways

Circuit-level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They forward data between networks without verifying it. A circuit-level gateway blocks incoming packets to the host but allows traffic to pass through itself; information passed to remote computers through it appears to have originated from the gateway.

Circuit-level gateways operate by relaying TCP connections from the trusted network to the untrusted network. This means that a direct connection between the client and server never occurs.

The main advantage of a circuit-level gateway is that it provides services for many different protocols and can be adapted to serve an even greater variety of communications. A SOCKS proxy is a typical implementation of a circuit-level gateway.

Stateful packet inspection

A stateful packet inspection (SPI) firewall permits and denies packets based on a set of rules very similar to that of a packet filter. However, when a firewall is state-aware, it makes access decisions not only on IP addresses and ports but also on the SYN, ACK, sequence numbers and other data contained in the TCP header. While packet filters can pass or deny individual packets and require permissive rules to permit two-way TCP communications, SPI firewalls track the state of each session and can dynamically open and close ports as specific sessions require.
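The contrast drawn above between a packet filter and a state-aware firewall, as an added example that is not part of the original article: a simplified TCP connection tracker that accepts inbound segments only when they belong to a session opened from the guarded network, and forgets the session on FIN or RST, beside the permissive stateless rule a plain packet filter would need to let reply traffic back in. The guarded network 192.0.2.0/24, the segments and the state machine are constructed for the example and are not any product’s implementation.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.0.2.0/24")   # constructed guarded network


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_return_rule(s: Seg) -> bool:
    """What a stateless filter must allow so that web replies get back in:
    anything from TCP source port 80 to an inside host. Any outside host can use it."""
    return s.sport == 80 and ipaddress.ip_address(s.dst) in INSIDE


class StatefulFirewall:
    """Inside hosts may open TCP sessions outward; inbound segments are accepted
    only if the state table already knows their session (simplified state machine)."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def key(s: Seg, outbound: bool):
        return (s.src, s.sport, s.dst, s.dport) if outbound else (s.dst, s.dport, s.src, s.sport)

    def decide(self, s: Seg) -> str:
        outbound = ipaddress.ip_address(s.src) in INSIDE
        k = self.key(s, outbound)
        state = self.table.get(k)
        if outbound and state is None and s.flags == {"SYN"}:
            self.table[k] = "SYN_SENT"           # new session opened from inside
            return "accept"
        if state is None:
            return "drop"                        # unsolicited inbound SYN or stray segment
        if state == "SYN_SENT" and not outbound and s.flags == {"SYN", "ACK"}:
            self.table[k] = "ESTABLISHED"        # handshake reply for a tracked session
            return "accept"
        if state == "ESTABLISHED" and ("FIN" in s.flags or "RST" in s.flags):
            del self.table[k]                    # session closed; its "port" closes with it
            return "accept"
        if state == "ESTABLISHED" and "ACK" in s.flags:
            return "accept"                      # data segment of a tracked session
        return "drop"
```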

Firewall identification

Firewalls can also be identified for offensive purposes. Firewalls are usually the first line of defense in the virtual perimeter; to breach the network, from a hacker’s perspective it is necessary to identify which firewall technology is used and how it’s configured. Some popular tactics are:

Port scanning

  • Hackers use it to investigate the ports used by the victim.
  • Nmap is probably the most famous port-scanning tool available.

Firewalking

  • The process of using traceroute-like IP packet analysis to verify whether a data packet will be passed through the firewall from the attacker’s source host to the victim’s destination host.

Banner grabbing

  • This is a technique that enables a hacker to identify the type of operating system or application running on a target server. It works through a firewall by using what looks like legitimate connections.