What is it that people call network firewalls?

So I have been reading about firewalls today. Put simply, a firewall is a tool, a piece of software or a dedicated device, that controls the flow of traffic between networks. It sits at the border between networks, acting as a gateway that decides which traffic should be allowed through and which should be denied. This decision is usually based on TCP/IP characteristics such as addresses, ports and protocol. Firewalls also log which connections were blocked; these blocked attempts are usually generated by malicious hackers running automated tools, by port scanning, or by malware.

Now that we know the basic idea of what a firewall does, let's look at the different functions a firewall carries out. Here we will look at the following five functions.

  1. Simple Packet filtering
  2. Stateful Packet filtering
  3. Network Address Translation
  4. Intrusion Prevention System
  5. Logging

Different types of Firewalls based on functionality

Packet Filters

This is the most basic function of a firewall device. These devices inspect ingress and egress transmissions to see whether their properties match the rule set; if a rule matches, the packet is allowed or denied based on the action specified in that rule. Simple packet filtering is stateless, meaning the filter has no capability to associate multiple requests with each other or to handle sessions.

Stateless packet filters are susceptible to most exploits that take advantage of the TCP/IP protocol stack. For example, many packet filters are unable to detect spoofed IP addresses. Moreover, some packet filters block packets that are fragmented, even though they are legitimate requests. (Firewalls blocking fragmented packets is a common VPN interoperability issue.)

The table below shows a simple rule-set for a packet filtering firewall. It is important to know that rules are applied from the top down: as soon as a matching rule is found, that rule is applied immediately and the remaining rules are not consulted.

Action   Source Address   Destination Address   Protocol   Source Port   Destination Port   Control Bit
Allow    Inside           Outside               TCP        Any           80                 Any
Allow    Outside          Inside                TCP        80            > 1023             ACK
Deny     All              All                   All        All           All                All

The above rule-set allows users on the inside to browse the internet: the first row lets outbound requests to TCP port 80 through, the second row lets the replies from port 80 back in to the clients' high-numbered ports (with the ACK bit set), and everything else falls through to the final deny row.

Stateful Firewalls

This type of device improves upon the packet filter by having an additional component, a state table. A stateful firewall intercepts packets at the network layer and inspects them to see if they are allowed by the existing firewall rules, while also keeping track of each connection in the state table. The state table properties vary by vendor, but most of them maintain the following: source address, source port, destination address, destination port, connection state and timeout period.

The three major connection states for TCP traffic are

  • Connection establishment
  • Usage
  • Termination

For stateless protocols such as UDP, which do not have a formal process of initialization, establishment and termination, the state cannot be monitored at the transport layer. For such protocols, stateful firewalls instead track the source and destination addresses and port numbers. A state entry is added with a state that allows the traffic, and a timeout field is added so the entry can be deleted when the timeout occurs.
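To make the difference between the two firewall types concrete, here is an added example (my own code, not taken from any firewall product or vendor) that models both the stateless rule table shown above and a stateful firewall with a state table and timeouts. It assumes a simplified packet in which addresses are reduced to the zones "inside" and "outside", and the idle timeouts, the second policy list and all of the packets are constructed for the demonstration. It shows the first-match evaluation of the three-row table, how the stateful version admits replies without a return-traffic row, why a lone ACK packet with no tracked connection is treated differently by the two designs, and how a UDP entry expires.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:  # header fields the rule table keys on; zones stand in for addresses
    src: str                        # 'inside' or 'outside' (constructed simplification)
    dst: str
    proto: str                      # 'tcp' or 'udp'
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP control bits, e.g. {'SYN'} or {'ACK'}

@dataclass(frozen=True)
class Rule:  # one row of a packet-filter rule table; None means 'any'
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive range; (1024, 65535) is '> 1023'
    flag: Optional[str] = None               # control bit that must be set

    def matches(self, p: Packet) -> bool:
        exact = all(getattr(self, f) in (None, getattr(p, f))
                    for f in ("src", "dst", "proto", "sport"))
        in_range = self.dport is None or self.dport[0] <= p.dport <= self.dport[1]
        return exact and in_range and (self.flag is None or self.flag in p.flags)

# The three-row table from the post, transcribed.
RULESET = [
    Rule("allow", "inside", "outside", "tcp", None, (80, 80), None),
    Rule("allow", "outside", "inside", "tcp", 80, (1024, 65535), "ACK"),
    Rule("deny"),  # every field 'any': the catch-all last row
]

def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Rows are tried from the top; the first one that matches decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit deny if no row matched

# Constructed policy for the stateful firewall: no row for return traffic is
# needed, because the state table admits replies; only flow starts are listed.
STATEFUL_POLICY = [
    Rule("allow", "inside", "outside", "tcp", None, (80, 80), None),
    Rule("allow", "inside", "outside", "udp", None, (53, 53), None),
    Rule("deny"),
]

class StatefulFirewall:
    """Rules judge only a flow's first packet; later packets in either direction
    are matched against the state table, whose entries expire when idle."""
    IDLE = {"tcp": 3600, "udp": 30}  # idle timeouts in seconds; constructed values

    def __init__(self, new_flow_rules: List[Rule]):
        self.rules = new_flow_rules
        self.table: Dict[tuple, Tuple[str, float]] = {}  # 5-tuple -> (state, expiry)

    def process(self, p: Packet, now: float) -> str:
        self.table = {k: v for k, v in self.table.items() if v[1] > now}  # drop expired
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.table:  # packet belongs to a tracked flow
                if p.proto == "udp":
                    state = "active"  # UDP: only addresses and ports are tracked
                elif p.flags & {"FIN", "RST"}:
                    state = "termination"
                else:
                    state = "usage"
                self.table[key] = (state, now + self.IDLE[p.proto])  # refresh timeout
                return "allow"
        # A new TCP flow must start with a bare SYN; a lone ACK with no entry has no
        # connection to belong to, a distinction the stateless table cannot make.
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "deny"
        if stateless_filter(self.rules, p) == "allow":
            state = "establishment" if p.proto == "tcp" else "active"
            self.table[fwd] = (state, now + self.IDLE[p.proto])
            return "allow"
        return "deny"

def demo() -> Dict[str, str]:  # constructed packets through both filters; returns verdicts
    lone_ack = Packet("outside", "inside", "tcp", 80, 4444, frozenset({"ACK"}))
    syn = Packet("inside", "outside", "tcp", 4444, 80, frozenset({"SYN"}))
    syn_ack = Packet("outside", "inside", "tcp", 80, 4444, frozenset({"SYN", "ACK"}))
    dns_query = Packet("inside", "outside", "udp", 5000, 53)
    dns_reply = Packet("outside", "inside", "udp", 53, 5000)
    fw = StatefulFirewall(STATEFUL_POLICY)
    return {
        "stateless_lone_ack": stateless_filter(RULESET, lone_ack),  # row 2 matches it
        "stateful_lone_ack": fw.process(lone_ack, now=0),           # no state entry
        "stateful_syn": fw.process(syn, now=1),
        "stateful_syn_ack_reply": fw.process(syn_ack, now=2),
        "udp_query": fw.process(dns_query, now=10),
        "udp_reply_in_time": fw.process(dns_reply, now=20),
        "udp_reply_after_timeout": fw.process(dns_reply, now=100),
    }
```

Calling demo() returns the verdict for each packet. The stateless table lets the lone ACK through because row two checks only header fields, while the stateful firewall denies it because no connection entry exists for it; the UDP reply is allowed while its entry is fresh and denied once the 30-second timeout has removed the entry.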

Application Layer Firewalls

These are third-generation firewalls that work at the application layer. The main component of this type of firewall is stateful protocol analysis. This improves on the basic stateful inspection described above by adding a basic intrusion detection technology, i.e. an inspection engine that analyses protocols at the application layer and compares the observed traffic against known benign behaviour for that protocol. This technology is also sometimes referred to as Deep Packet Inspection (DPI), as the device is now looking into the contents of the packet, not just the header as in the previous types of firewalls. Firewalls with both stateful inspection and stateful protocol analysis capabilities are still not fully-fledged IDPS, which usually have more capabilities.
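As an added illustration of what the protocol analysis engine does (my own example, not code from any product), here is a minimal inspection routine for traffic arriving on TCP port 80. Instead of trusting the port number, it checks whether the payload actually looks like a well-formed HTTP/1.x request and reports a reason when it does not; the accepted methods, the header-length limit and all of the sample payloads are constructed for the demonstration.

```python
import re

# Constructed sample payloads as they might be seen on TCP port 80. The engine
# compares each one against what benign HTTP looks like, not just the port.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # constructed non-HTTP bytes (shaped like a TLS record header) on port 80
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "bad_version": b"GET / HTTP/9.9\r\nHost: x\r\n\r\n",
    "oversized_header": b"GET / HTTP/1.1\r\nHost: " + b"a" * 9000 + b"\r\n\r\n",
}

# Request line of a benign HTTP/1.0 or HTTP/1.1 request: method, target, version.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")
MAX_HEADER_LEN = 8192  # constructed limit for a single header line

def analyse_http(payload: bytes) -> str:
    """Return 'benign' for a well-formed HTTP/1.x request, otherwise a short
    reason of the kind a protocol analysis engine would log."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "anomalous: no end of headers"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return "anomalous: request line is not HTTP/1.x"
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LEN:
            return "anomalous: header line exceeds limit"
        if b":" not in line:
            return "anomalous: malformed header"
    return "benign"

def verdicts() -> dict:
    """Run every constructed sample through the engine; returns name -> verdict."""
    return {name: analyse_http(payload) for name, payload in SAMPLES.items()}
```

A real engine tracks far more protocol state than this (request and response pairing, encoding rules, per-method constraints), but the principle is the same: the decision is made on the content of the packet, which a header-only filter never sees.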

Proxy Firewalls

An application-proxy gateway is a feature of modern firewalls that combines lower-layer access control with upper-layer functionality. These firewalls contain a proxy agent that acts as an intermediary between two hosts that wish to communicate. This prevents a direct connection between them: each connection results in two separate connections, one from the client to the proxy and one from the proxy to the server. The proxy is transparent to the hosts. The proxy agent interfaces directly with the firewall rule-set to determine whether a given instance of network traffic should be allowed to transit the firewall.

Application-proxy gateways differ from application firewalls in two ways. Firstly, they can offer a higher level of security for specific applications, because they prevent direct communication between the two hosts. Secondly, they can decrypt the packets, examine them and re-encrypt them before sending them on to the destination.

The main drawback of this type of firewall is that it takes time to read and interpret the packets.