What is a Firewall and why it is important for network security?

What is a Firewall?



- A firewall is a logical object (hardware and/or software) within a network infrastructure which prevents communications forbidden by the security policy of an organization from taking place, analogous to the function of firewalls in building construction. Often a firewall is also referred to as a packet filter.





- The basic task of a firewall is to control traffic between different zones of trust and/or administrative authorities. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the least privilege principle.



- Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall configuration worthless as a security tool and, in extreme situations, produce a false sense of security where no security at all is left.






How Does a Firewall Work?




Firewalls carefully analyze incoming traffic based on pre-established rules and filter traffic coming from unsecured or suspicious sources to prevent attacks. Firewalls guard traffic at a computer’s entry points, called ports, which is where information is exchanged with external devices. For example, “Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”

Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house (destination address) at all; then it is further filtered so that people within the house are only allowed to access certain rooms (destination ports), depending on whether they are the owner, a child, or a guest. The owner is allowed into any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).




THE NEED FOR FIREWALLS

Information systems in corporations, government agencies, and other organizations have undergone a steady evolution in their use of networking and, with it, of firewalls. The following are notable developments:






• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.

• Local area networks (LANs) interconnecting PCs and terminals to each other and to the mainframe.

• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two.

• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN).

• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN.

Internet connectivity is no longer optional for organizations.





Further explanation:

The information and services available are essential to the organization. Moreover, individual users within the organization want and need Internet access, and if this is not provided via their LAN, they will use dial-up capability from their PC to an Internet service provider (ISP). However, while Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets. This creates a threat to the organization. While it is possible to equip each workstation and server on the premises network with strong security features, such as intrusion protection, this may not be sufficient and in some cases is not cost-effective.



Consider a network with hundreds or even thousands of systems, running various operating systems, such as different versions of UNIX and Windows. When a security flaw is discovered, each potentially affected system must be upgraded to fix that flaw. This requires scalable configuration management and aggressive patching to function effectively. While difficult, this is possible and is necessary if only host-based security is used. A widely accepted alternative, or at least complement, to host-based security services is the firewall.



The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.

The firewall, then, provides an additional layer of defense, insulating the internal systems from external networks. This follows the classic military doctrine of “defense-in-depth,” which is just as applicable to IT security.





FIREWALL CHARACTERISTICS

• Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.

• Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.

• User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPsec.

• Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.






TYPES OF FIREWALLS

Next-generation firewalls (NGFW)

- Combine traditional firewall technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, they include deep packet inspection (DPI). While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets with malicious data.







Proxy firewalls

- Filter network traffic at the application level. Unlike basic firewalls, the proxy acts as an intermediary between two end systems. The client must send a request to the firewall, where it is evaluated against a set of security rules and then permitted or blocked. Most notably, proxy firewalls monitor traffic for layer 7 protocols such as HTTP and FTP and use both stateful and deep packet inspection to detect malicious traffic.





              

Network address translation (NAT) firewalls

- Allow multiple devices with independent network addresses to connect to the Internet using a single IP address, keeping the individual IP addresses hidden. As a result, attackers scanning a network for IP addresses can’t capture specific details, providing greater security against attacks. NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic.




Stateful multilayer inspection (SMLI) firewalls

- Filter packets at the network, transport, and application layers, comparing them against known trusted packets. Like NGFW firewalls, SMLI firewalls also examine the entire packet and only allow it to pass if it passes each layer individually. These firewalls examine packets to determine the state of the communication (thus the name) to ensure all initiated communication is only taking place with trusted sources.
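The state tracking that the SMLI description above (and the direction-control characteristic earlier) relies on, as an added example written for this page rather than code from the page or any firewall product; the interface names, the packet objects and the simplified TCP state model are assumptions made for illustration.

```python
# Added example for this page (not code from the original page or any product):
# a toy stateful inspection engine. Packets are constructed Python objects; no
# real network traffic is involved, and the TCP state model is simplified.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "int" (trusted) or "ext"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A", "F", "R"

class StatefulFilter:
    """Direction control with state: only the trusted side may open
    connections, and the untrusted side may only send packets that belong
    to a connection the table already knows about."""

    def __init__(self):
        # connection table: (src, sport, dst, dport) of the initiator -> state
        self.table = {}

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # as seen from the initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # the reply direction
        verdict = "discard"
        if p.iface == "int" and p.flags == "S" and fwd not in self.table:
            self.table[fwd] = "SYN_SENT"         # new outbound connection
            verdict = "forward"
        elif p.iface == "int" and fwd in self.table:
            verdict = "forward"                  # more traffic on a known flow
        elif p.iface == "ext" and rev in self.table:
            if p.flags == "SA" and self.table[rev] == "SYN_SENT":
                self.table[rev] = "ESTABLISHED"  # handshake completed
            verdict = "forward"                  # reply to an inside-initiated flow
        # Unsolicited inbound packets (an external SYN, or an ACK for a flow
        # the table never saw) fall through and are discarded.
        if verdict == "forward" and ("F" in p.flags or "R" in p.flags):
            # Simplification: forget the flow on the first FIN or RST
            self.table.pop(fwd if fwd in self.table else rev, None)
        return verdict
```

A real implementation also times out idle entries and tracks sequence numbers; the point here is that the verdict for an inbound packet depends on history, not just on its own header fields.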








Packet Filtering Firewall (rule set):

A packet-filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet (Figure 22.1b). The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:

• Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)

• Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)

• Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET

• IP protocol field: Defines the transport protocol

• Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for

The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.



If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken. Two default policies are possible:

• Default = discard: That which is not expressly permitted is prohibited. The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. However, this is the policy likely to be preferred by businesses and government organizations.

• Default = forward: That which is not expressly prohibited is permitted. The default forward policy increases ease of use for end users but provides reduced security; the security administrator must, in essence, react to each new security threat as it becomes known. This policy may be used by generally more open organizations, such as universities.









Attacks on packet-filtering firewalls and their countermeasures:

• IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security, in which packets from specific trusted internal hosts are accepted. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.

• Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option.

• Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected.
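The rule matching, default policy and anti-spoofing check described in the packet-filtering section, as an added example written for this page (not the page's or any product's own code); the internal address range, the rule set, the interface names and the sample packets are constructed for illustration.

```python
# Added example for this page (not code from the original page or any product):
# a first-match packet filter with a configurable default policy and the
# anti-spoofing check described above. The address range, rules and packets
# are constructed for illustration only.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed inside range

# Each rule matches on the arrival interface, source, destination, protocol
# and destination port; "*" matches anything. Order matters: first match wins.
RULES = [
    {"in": "ext", "src": "*", "dst": "192.168.1.2", "proto": "tcp",
     "dport": 25, "action": "forward"},                 # inbound mail to the MTA
    {"in": "ext", "src": "*", "dst": "*", "proto": "tcp",
     "dport": 23, "action": "discard"},                 # no TELNET from outside
    {"in": "int", "src": "192.168.1.0/24", "dst": "*", "proto": "tcp",
     "dport": "*", "action": "forward"},                # inside hosts may go out
]

def _match(pattern, value):
    """Match one rule field: wildcard, CIDR prefix, or exact value."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == value

def filter_packet(pkt, rules=RULES, default="discard"):
    """Return 'forward' or 'discard' for a packet dict with the keys
    in, src, dst, proto and dport."""
    # Anti-spoofing countermeasure: a packet carrying an inside source
    # address can never legitimately arrive on the external interface.
    if pkt["in"] == "ext" and ipaddress.ip_address(pkt["src"]) in INTERNAL_NET:
        return "discard"
    for rule in rules:
        if all(_match(rule[k], pkt[k]) for k in ("in", "src", "dst", "proto", "dport")):
            return rule["action"]   # first matching rule decides
    return default                  # no rule matched: apply the default policy
```

Switching the `default` argument from "discard" to "forward" is exactly the difference between the two default policies above: the same unmatched packet is dropped under one and passed under the other.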









FIREWALL LOCATION AND TOPOLOGIES:

1.1 Location:

- A firewall is positioned to provide a protective barrier between an external, potentially untrusted source of traffic and an internal network.



DMZ Networks

- Systems that are externally accessible but need some protection are usually located on DMZ networks. Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server. The external firewall provides a measure of access control and protection for the DMZ systems consistent with their need for external connectivity.



The external firewall also provides a basic level of protection for the remainder of the enterprise network. In this type of configuration, internal firewalls serve three purposes:

1. The internal firewall adds more stringent filtering capability, compared to the external firewall, in order to protect enterprise servers and workstations from external attack.

2. The internal firewall provides two-way protection with respect to the DMZ. First, the internal firewall protects the remainder of the network from attacks launched from DMZ systems. Such attacks might originate from worms, rootkits, bots, or other malware lodged in a DMZ system. Second, an internal firewall can protect the DMZ systems from attack from the internal protected network.

3. Multiple internal firewalls can be used to protect portions of the internal network from each other. For example, firewalls can be configured so that internal servers are protected from internal workstations and vice versa.

A common practice is to place the DMZ on a different network interface on the external firewall from that used to access the internal networks.









Virtual Private Networks

- The virtual private network (VPN) offers an attractive solution to network managers. In essence, at each corporate site, workstations, servers, and databases are linked by one or more local area networks (LANs). The Internet or some other public network can be used to interconnect sites, providing cost savings over the use of a private network and offloading the wide-area network management task to the public network provider.

A VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.

The most common mechanism used for this purpose is at the IP level and is known as IPsec. An organization maintains LANs at dispersed locations. A logical means of implementing IPsec is in a firewall. If IPsec is implemented in a separate box behind (internal to) the firewall, then VPN traffic passing through the firewall in both directions is encrypted. In this case, the firewall is unable to perform its filtering function or other security functions, such as access control, logging, or scanning for viruses. IPsec could instead be implemented in the boundary router, outside the firewall. However, this device is likely to be less secure than the firewall and thus less desirable as an IPsec platform.





To note: IPsec is a framework of related protocols that secure communications at the network or packet processing layer. It can be used to protect one or more data flows between peers. IPsec enables data confidentiality, integrity, origin authentication, and anti-replay.











A VPN security scenario






Distributed Firewalls

- A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls working together under central administrative control. Administrators can configure host-resident firewalls on hundreds of servers and workstations as well as configure personal firewalls on local and remote user systems. These firewalls protect against internal attacks and provide protection tailored to specific machines and applications. Stand-alone firewalls provide global protection, including internal firewalls and an external firewall.





Summary of Firewall Locations and Topologies:

- A spectrum of firewall locations and topologies can be defined. The following alternatives can be identified:

• Host-resident firewall: This category includes personal firewall software and firewall software on servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.

• Screening router: A single router between internal and external networks with stateless or full packet filtering. This arrangement is typical for small office/home office (SOHO) applications.

• Single bastion T: Similar to single bastion inline but has a third network interface on the bastion to a DMZ where externally visible servers are placed. Again, this is a common appliance configuration for medium to large organizations.

• Double bastion inline: The DMZ is sandwiched between bastion firewalls. This configuration is common for large businesses and government organizations.

• Double bastion T: The DMZ is on a separate network interface on the bastion firewall. This configuration is also common for large businesses and government organizations and may be required.

• Distributed firewall configuration: This configuration is used by some large businesses and government organizations.






The need for firewalls
A firewall is a logical object (hardware and/or software) within a network infrastructure that prevents communications forbidden by the security policy