History of Firewall

  • The term firewall, originally a wall built to stop fire spreading between buildings, was applied to computer networking in the late 1980s.
  • Firewalls play a vital role in network security by acting as a first line of defense, preventing unauthorized access, and protecting against various cyber threats.

Introduction of Firewall

  • The firewall is the first line of defense for any computer system or a computer network.
  • A firewall typically establishes a barrier between a trusted network and an untrusted network(internet).
  • Most operating systems ship with a host firewall that is installed together with the operating system and comes with a predefined configuration (for example Windows Defender Firewall on Windows, or nftables/iptables on Linux); whether it is actually enabled, and what its default rules allow, should still be checked rather than assumed.
  • The primary aspects of a firewall are:-
    • Firewall policy
    • Packet filters
    • Application Gateway
    • Advanced authentication mechanism.

Definition of Firewall

  • A modern firewall is a system/combination/collection of software (applications) and hardware working together with a defined security policy.
  • A firewall is an intermediate system placed between the private LAN (trusted network) and the public network (untrusted network, i.e. the Internet).

Features/Characteristics of Firewall

  • All data packets entering or leaving a computer system or network pass through this single point, the firewall.
  • Firewalls are generally implemented for a network in two ways-
    • packet filtering and
    • proxy server (Application Gateway)
  • Because it sits on the only path between the two networks, all traffic in and out of the trusted network can be forced to pass through the intermediate system/firewall; a host with any other path to the outside (a modem, a second uplink) bypasses it.
  • A firewall is a good place to collect information about system and network use or misuse.
  • In an organization, it is created/configured according to the organization’s policy.
  • Firewall Policy :
    • The firewall policy directly influences the design, installation, and use of the firewall system.
    • Normally, the two types of firewall policies are defined for an organization according to their need/requirements –
    • The Higher/High-level policy :
      • The high-level policy states which services will be allowed or explicitly denied to and from the restricted network.
      • It is a subset of the organization’s overall policy on the security of its information assets.
      • It focuses on Internet-specific issues and outside network access (dial-in policy, PPP connections, etc.).
      • It should be drafted before the firewall is implemented, taking all the organization’s requirements into account.
      • It should keep a reasonable balance between protecting the network from known risks and still giving users Internet access.
      • Its implementation depends on the capabilities and limitations of the firewall system.
      • Typical high-level policy stances are:
        • no inbound access from the Internet, but outbound access from the network;
        • access from the Internet to selected systems only, such as the web server or e-mail server;
        • access from the Internet by some users to selected servers, but only after strong authentication.
    • The Lower/Low-level Policy :
      • The Low-level policy describes how the firewall goes about restricting access and filtering the services that are defined in the High-level policy.
      • The low-level policy is specific to the firewall and defines how the “Service Access Policy” approved in the high-level policy is implemented.
      • It generally implements one of two basic design stances:
        • Permit any service unless it is specifically denied.
        • Deny any service unless it is explicitly permitted. This option is stronger and safer, because a new or unanticipated service stays blocked until someone consciously allows it, but it is harder to implement and maintain.

Advantages/Functions of Firewall

  • The primary function of the firewall is to monitor and control incoming and outgoing network traffic based on predefined security rules or firewall policies.
  • A firewall safeguards a network by controlling the access of unauthorized users. It inspects the traffic crossing it for patterns that indicate intrusion attempts, malware, or denial-of-service attacks, and either blocks the offending packets before they enter the network or alerts administrators for further action.
  • A sophisticated firewall combines packet filtering with Network Address Translation (NAT) and proxy services:
    • NAT rewrites the private IP addresses of internal devices to a public address when they communicate with external networks, so that many internal devices share one public address and the internal addressing is not visible from outside.
    • A proxy service acts as an intermediary between the internal and external networks, receiving requests and forwarding them on behalf of clients, so that internal hosts never talk to the outside directly.
  • A firewall reduces a network’s exposure to attacks from the Internet, including attacks on weaknesses in the TCP/IP protocols and in the operating systems of internal hosts, by refusing to forward the traffic that would reach them. It does not fix those weaknesses: a host reachable through an allowed service remains as vulnerable as that service.
  • A stateful firewall provides a higher level of security by understanding the context of network traffic (which connection a packet belongs to) rather than judging each packet in isolation, so it can refuse packets that are unrelated to any legitimate connection.
  • Deep Packet Inspection: firewalls that support it (typically next-generation firewalls) analyze and filter traffic at the application layer, scrutinizing the content of packets to identify and block specific applications or protocols known for security vulnerabilities or malicious activity.
  • It protects against vulnerable services by filtering inherently insecure ones, such as NFS (Network File System) and NIS (Network Information Service), and by blocking routing-based attacks such as source-routed packets.
  • It provides access control for a site or system, i.e. it prevents outside access except to a few deliberately exposed services such as e-mail or HTTP.
  • It concentrates security measures in one place: one-time passwords, authentication software and similar controls can be enforced at the firewall rather than on every host.
  • It enhances user privacy: services like “finger”, which reveal information about users (last login, whether they have read their e-mail, etc.), can be blocked, and internal host names and addresses can be hidden by not exposing the internal DNS to the outside world.
  • A firewall also tracks the state of active connections and inspects packet headers (and, where supported, contents) to ensure that incoming packets belong to established, legitimate connections.
  • A firewall records its activity in a log file, including allowed and denied traffic, detected threats and security events, for analysis and audit. These log files are used to report to administrators on network activity, to identify security incidents, and to demonstrate compliance with security policies.
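The log analysis mentioned above is worth seeing concretely. The following is an added example written for this page, not code from the original article: it parses a handful of constructed log lines written in the style of the netfilter LOG target (the FW-DROP/FW-ACCEPT prefixes, the interface names and all addresses are assumptions made for the example) and runs three checks an administrator would actually want from firewall logs: which sources probed many ports, which source/port pairs were denied repeatedly, and which packets arrived on the external interface with a private source address that can only be spoofed.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed log lines in the style of the netfilter LOG target. The
# "FW-DROP"/"FW-ACCEPT" prefixes are an assumed configuration choice.
SAMPLE_LOG = """\
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=2049 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=4444
kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=443 SYN
"""

EXTERNAL_IF = "eth0"  # assumed: the Internet-facing interface
# Sources that must never arrive from the Internet (RFC 1918 and loopback).
NON_ROUTABLE = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"(FW-[A-Z]+): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Turn each log line into a dict of its KEY=VALUE fields plus the action."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without our prefix belong to something else
        event = {"action": m.group(1)}
        event.update(FIELD_RE.findall(m.group(2)))
        events.append(event)
    return events


def dropped_with_port(events):
    return [e for e in events if e["action"] == "FW-DROP" and "DPT" in e]


def port_scanners(events, min_ports=5):
    """Sources whose denied packets touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for e in dropped_with_port(events):
        ports[e["SRC"]].add(e["DPT"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


def repeated_drops(events, min_count=2):
    """(source, port) pairs denied repeatedly: retries or a brute-force attempt."""
    counts = Counter((e["SRC"], e["DPT"]) for e in dropped_with_port(events))
    return sorted(pair for pair, n in counts.items() if n >= min_count)


def spoofed_sources(events):
    """Private/loopback sources seen on the external interface: spoofed packets
    or a misconfigured upstream, and a sign the ingress filter should drop them."""
    return sorted({e["SRC"] for e in events
                   if e.get("IN") == EXTERNAL_IF
                   and any(ip_address(e["SRC"]) in net for net in NON_ROUTABLE)})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scanners:", port_scanners(evs))
    print("repeated drops:", repeated_drops(evs))
    print("spoofed sources:", spoofed_sources(evs))
```

The thresholds (five ports, two hits) are illustrative; in practice they are tuned per site and evaluated over a time window, which this example omits for brevity. The private-address check deliberately lists RFC 1918 and loopback ranges explicitly instead of relying on a library notion of "private", since the documentation ranges used in the sample are treated as private by some libraries and would otherwise be flagged.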

Disadvantages/Limitations of Firewall

  • An improperly configured firewall blocks access to resources that users legitimately need, making them unavailable.
  • It may also block useful services such as TELNET, FTP or NFS that users want to use, because those services are too risky to expose.
  • Some network topologies need major restructuring before a firewall can be placed at a real chokepoint, which is time-consuming and complex work.
  • If modem (dial-in) access is permitted behind the firewall, an attacker can effectively jump around the firewall; such a connection is a large potential back door into a system that is otherwise firewalled.
  • Firewalls are designed to stop an outsider’s attack and normally cannot prevent an insider attack, such as an authorized user copying data out; a firewall gives little protection against insiders.
  • A firewall does not protect users from downloading virus-infected programs from the Internet or from e-mail attachments.
  • A firewall reduces the potential throughput of a system because all traffic must pass through it, so it can become a bottleneck.
  • A firewall is a single chokepoint: if it is fully compromised, the attacker controls the boundary of the whole network, which is a disaster for that system. The firewall itself therefore needs hardening and monitoring.

Types of Firewall

(A.) Based on the location where they are installed, firewalls are broadly categorized into two major groups:

(i) Network-based firewalls

    • Network-based firewalls can be positioned anywhere within/in between a LAN or WAN or both to control network traffic or other computing resources.

(ii) Host-based firewalls

    • Host-based firewalls are deployed directly on the host itself to control network traffic or other computing resources.

(B.) On the basis of the components they are built from, firewalls are further categorized into three major groups:

    • Hardware/Appliance firewalls
    • Software firewalls
    • Hybrid firewalls

(C.) On the basis of the technology by which they work, the following basic types of network firewalls are used by companies and organizations to protect their data and devices and keep destructive elements out of the network:

(a.) Packet Filter Firewall

(b.) Circuit Level Gateways Firewall

(c.) Application Level Proxy Server Firewall

(d.) Application Level Gateways Firewall

(e.) Stateful Multi- Layer Inspection(SMLI) Firewall

(f.) Next Generation Firewalls(NGFW)

(a.) Packet Filter Firewall:

    • This firewall checks the header information of each data packet.
    • It was the first and simplest type of firewall, and many organizations used it to protect their networks.
    • The common way of implementing this firewall is through a router: screening routers permit or deny data packets based on simple configured rules.
    • It examines five characteristics of a packet as it enters the network: source IP address, source port, destination IP address, destination port, and IP protocol (TCP, UDP, etc.).
    • According to the configured rules a packet is allowed through, rejected, or dropped. If the firewall rejects a packet, it sends a message (a TCP reset or an ICMP unreachable) back to the sender saying that the packet was refused. If the packet is dropped, the firewall simply does not respond, and the sender must wait for the communication to time out. Dropping instead of rejecting therefore greatly increases the time an attacker needs to scan the network, at the cost of slower failures for legitimate users.
    • Packet filtering firewalls operate on Layer 3 (the Network Layer) of the OSI model, reading the IP header plus the port fields of the Layer 4 (TCP/UDP) header.
    • Routers are a very common form of packet filtering firewall.
    • A packet filter rule consists of two parts:
      • an action field (PERMIT/ALLOW or BLOCK/DENY), and
      • a selection-criteria field (the addresses, ports and protocol a packet must match for the action to apply).
    • Limitations :
      • Packet filter rules are complex to specify and also difficult to test thoroughly.
      • Exceptions to packet filter rules can become unmanageable.
      • Some packet filtering routers do not filter on the TCP/UDP source port, which makes the rules more complex and can open “holes” in the filtering scheme.
      • Some packet filters apply the rules only to the first fragment of a fragmented IP datagram. When an IP packet is fragmented in transit, only the first fragment carries the TCP/UDP header needed to make a filtering decision; later fragments carry only IP headers. For inbound traffic this is less serious, because without the first fragment the receiving host cannot reassemble the datagram, but for outbound traffic the later fragments of a blocked packet may still leave the network. A filter must therefore either reassemble datagrams before filtering or drop non-initial fragments.
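The rule structure just described (an action plus selection criteria), the choice between permit-by-default and deny-by-default from the Lower/Low-level Policy section above, the difference between rejecting and dropping, and the fragment problem can all be seen in a small rule engine. The following is an added example written for this page, not code from the original article; the addresses, the ruleset and the packet representation are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # None: no transport header in this packet
    dport: Optional[int] = None
    frag_offset: int = 0         # > 0 marks a non-initial IP fragment


@dataclass(frozen=True)
class Rule:
    """One rule = an action field plus selection-criteria fields.
    A criterion left as None matches anything."""
    action: str
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # Port criteria can never match a packet that carries no TCP/UDP header.
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = DROP,
                 drop_non_initial_fragments: bool = True):
        self.rules = list(rules)
        self.default = default  # DROP/REJECT = "deny unless explicitly permitted"
        self.drop_non_initial_fragments = drop_non_initial_fragments

    def verdict(self, p: Packet) -> str:
        # Only the first fragment carries the TCP/UDP header, so port rules
        # cannot be evaluated on later fragments; a safe filter drops them
        # (or reassembles the datagram before filtering).
        if p.frag_offset > 0 and self.drop_non_initial_fragments:
            return DROP
        for rule in self.rules:  # first matching rule wins
            if rule.matches(p):
                return rule.action
        return self.default

    def response(self, p: Packet) -> Optional[str]:
        """What the sender observes: REJECT answers, DROP stays silent."""
        if self.verdict(p) == REJECT:
            return "tcp rst" if p.proto == "tcp" else "icmp port-unreachable"
        return None


# Constructed ruleset for a site whose web/mail host is 192.0.2.10 inside an
# internal range of 192.0.2.0/24 (documentation addresses, not real ones).
INTERNAL = "192.0.2.0/24"
EXAMPLE_RULES = [
    Rule(ACCEPT, dst="192.0.2.10/32", proto="tcp", dport=80),   # public web server
    Rule(ACCEPT, dst="192.0.2.10/32", proto="tcp", dport=25),   # public mail server
    Rule(REJECT, dst=INTERNAL, proto="tcp", dport=23),          # telnet: refuse loudly
    Rule(DROP, dst=INTERNAL, proto="tcp", dport=2049),          # NFS: never from outside
    Rule(ACCEPT, src=INTERNAL),                                 # outbound from inside
]

if __name__ == "__main__":
    fw = PacketFilter(EXAMPLE_RULES, default=DROP)
    for p in (Packet("203.0.113.5", "192.0.2.10", "tcp", 44444, 80),
              Packet("203.0.113.5", "192.0.2.10", "tcp", 44444, 23),
              Packet("203.0.113.5", "192.0.2.10", "tcp", 44444, 22)):
        print(p.dport, fw.verdict(p), fw.response(p))
```

With `default=DROP` the ruleset is a deny-unless-permitted policy: SSH to the web host is not mentioned anywhere and is silently dropped. Switching the same rules to `default=ACCEPT` (permit-unless-denied) and passing non-initial fragments shows the fragment hole: the first fragment of a telnet connection is rejected by the explicit rule, but a later fragment has no port fields, matches nothing, and is admitted by the default.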

(b.) Circuit Level Gateways Firewall:

    • Circuit-level gateways are another relatively quick way to screen traffic: they monitor TCP handshakes and other session-initiation messages as sessions are established between local and remote hosts, to determine whether the session being initiated is legitimate, i.e. whether the remote system is considered trusted.
    • They do not inspect the packet payload itself, only the session set-up, so they cannot see what an allowed session carries.

(c.) Application Level Proxy Server Firewall:

    • Proxy servers use software to intercept network traffic destined for a given application.
    • The proxy recognizes the request and, on behalf of the client, makes the request to the server.
    • The internal client never makes a direct connection to the external server. Instead, the proxy acts as a man-in-the-middle that talks to both the client and the server and relays messages back and forth.
    • Adding proxy capabilities to firewalls produced a much more solid security product than a pure packet filter: proxy software can make decisions based on more than the header information of a packet.
    • In this firewall every packet is stopped at the firewall, examined, and compared with the pre-defined rules and configuration. If the packet is acceptable, the incoming packet is discarded and the request is re-created by the proxy as a fresh packet from its own protocol stack before being passed on. Because each packet is discarded and re-created, an application proxy can stop attacks hidden in malformed TCP/IP headers or options that a packet filtering firewall would pass, including ones that are not known in advance.
    • It operates on Layer 7 (Application Layer) of the OSI model.
    • Limitations/Drawback:
      • A separate application proxy must be written for each application type being proxied: an HTTP proxy for web traffic, an FTP proxy for file transfers, a Gopher proxy for Gopher traffic, and so on. A protocol for which no proxy exists cannot pass at all.

(d.) Application Level Gateways Firewall:

    • It also operates on Layer 7 of the OSI model.
    • Application gateway firewalls exist only for a few specific network applications.
    • A typical application gateway is a system where a user must telnet to the gateway first in order to telnet again from there to a system outside the network.
    • Here the gateway (an internetworking device) connects one network to another for a specific application; used in a firewall configuration, it is called an application level gateway or, equivalently, a proxy server.
    • The function of an application gateway is application specific: if a gateway contains proxies for FTP and TELNET only, then only that traffic is allowed and all other services are completely blocked.
    • Limitations/Drawback:
      • Imposing an application gateway breaks the conventional client/server model, because each communication requires two connections, one from the client to the firewall and another from the firewall to the server; client software or users typically have to be made aware of the gateway.

(e.) Stateful Multi- Layer Inspection(SMLI) Firewall:

    • It is an improved form of the packet filter firewall.
    • It is a packet filter with a stateful inspection engine: the firewall remembers the conversations between systems, so once a conversation has been admitted it is only necessary to fully examine the first packet; subsequent packets are matched against the recorded state.
    • Stateful inspection maintains state information about past IP packets. This stored state, derived from past communications and from the applications in use, is an essential factor in deciding whether a packet is allowed into the system.
    • The common state information stored by this firewall is:
      • communication information from all layers of the packets;
      • information derived from previous communications, for example the outgoing PORT command of an FTP session can be saved so that the incoming FTP data connection it announces can be verified against it;
      • application-derived state from other applications, for example a previously authenticated user is allowed through the firewall for authorized services only.
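The behaviour described in this section, a connection table that lets the trusted side open conversations and admits inbound packets only when they belong to one, plus the FTP case where an outgoing PORT command tells the firewall which single inbound data connection to expect, is shown below as a toy stateful engine. This is an added example written for this page, not code from the original article; the trusted range, the packet representation and the FTP dialogue are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

TRUSTED = ip_network("192.0.2.0/24")   # constructed internal range
ACCEPT, DROP = "ACCEPT", "DROP"
# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" announces host and port (p1*256+p2)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # a bare SYN, i.e. a new TCP connection attempt
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    # Connections already admitted, keyed by the direction that opened them.
    flows: Set[FlowKey] = field(default_factory=set)
    # Inbound connections announced in application data: (server, client, port).
    expected: Set[Tuple[str, str, int]] = field(default_factory=set)

    def _track_ftp(self, p: Packet) -> None:
        """FTP helper: learn the data connection announced by an outbound PORT
        command so that exactly that inbound connection can be admitted."""
        if p.dport != 21:
            return
        m = PORT_RE.search(p.payload)
        if not m:
            return
        host = ".".join(m.group(i).decode() for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Only honour a PORT that names the client itself; a third-party
        # address would turn the firewall into an FTP bounce relay.
        if host == p.src:
            self.expected.add((p.dst, host, port))

    def handle(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or reverse in self.flows:
            self._track_ftp(p)          # data on an established control channel
            return ACCEPT               # belongs to a known conversation
        if not p.syn:
            return DROP                 # mid-stream packet with no state
        if ip_address(p.src) in TRUSTED:
            self.flows.add(key)         # the trusted side may open connections
            self._track_ftp(p)
            return ACCEPT
        # Untrusted side: only a data connection the client announced, and
        # only from the FTP data port, is admitted, and only once.
        if p.sport == 20 and (p.src, p.dst, p.dport) in self.expected:
            self.expected.discard((p.src, p.dst, p.dport))
            self.flows.add(key)
            return ACCEPT
        return DROP


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.handle(Packet("203.0.113.5", 40000, "192.0.2.20", 22, syn=True)))   # DROP
    print(fw.handle(Packet("192.0.2.20", 51000, "198.51.100.7", 21, syn=True)))  # ACCEPT
    print(fw.handle(Packet("198.51.100.7", 21, "192.0.2.20", 51000)))            # ACCEPT
```

The example omits what a real engine must also do: track TCP state transitions, age entries out on FIN/RST or timeout, and bound the table so that a flood of SYNs from the trusted side cannot exhaust it. The FTP helper is the same idea as the connection-tracking helpers in production firewalls; without it the alternative is opening every high port inbound, which is exactly the hole stateful inspection exists to close.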

(f.) Next Generation Firewalls(NGFW):

    • A typical NGFW combines packet inspection with stateful inspection and adds some form of deep packet inspection (DPI), along with other network security functions such as intrusion detection/prevention, malware filtering and antivirus.
    • While packet inspection in traditional firewalls looks only at the protocol headers of a packet, deep packet inspection looks at the data the packet carries. A DPI firewall can, for example, track a web browsing session and notice whether a packet payload, reassembled with the other packets of an HTTP server reply, constitutes a legitimate HTML response, and so identify, categorize or stop packets carrying malicious data.
    • NGFWs also typically offer inspection of encrypted (TLS) traffic, which requires the firewall to terminate or intercept the TLS session, and application-aware policies on top of the traditional address/port rules.
