What is it that people call network firewalls?

So I have been reading about firewalls today. A firewall can be described as a tool, a piece of software, that controls the flow of traffic between networks. It sits at the border between networks, acting as a gateway that decides what kind of traffic should be allowed or denied. This decision is usually made on the basis of TCP/IP characteristics. Firewalls also log which connections were blocked; these blocked attempts are usually generated by malicious hackers running automated tools, by port scanning or by malware.

Now that we know the basic idea of what a firewall does, let us look at the different functions a firewall carries out. Here we will look at the following five functions.

  1. Simple packet filtering
  2. Stateful packet filtering
  3. Network Address Translation
  4. Intrusion Prevention System
  5. Logging
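Item 5, logging, is what turns the blocked-connection record mentioned in the introduction into something a defender can act on. The following is an added example, not code from the original post: it parses constructed deny-log lines written in the style of the Linux netfilter LOG target (the field names and every address in the sample are assumptions of this example) and flags any source whose dropped packets touched many distinct destination ports, which is the pattern a port scan leaves behind.

```python
import re
from collections import defaultdict

# Constructed sample of blocked-connection log lines, written in the style of
# the Linux netfilter LOG target. Field names and addresses are assumptions of
# this example, not output captured from any real firewall.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=21
Mar  3 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44322 DPT=22
Mar  3 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44323 DPT=23
Mar  3 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44324 DPT=25
Mar  3 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44325 DPT=110
Mar  3 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44326 DPT=143
Mar  3 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP SPT=44327 DPT=3389
Mar  3 10:00:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=445
Mar  3 10:00:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=445
Mar  3 10:00:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=UDP SPT=5060 DPT=5060
"""

# SPT is optional because ICMP drops, for instance, carry no ports.
FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: SPT=(\d+))? DPT=(\d+)")

def parse_drops(text):
    """Turn log text into a list of dicts; lines without the expected fields are skipped."""
    events = []
    for line in text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue
        events.append({
            "src": m.group(1), "dst": m.group(2), "proto": m.group(3),
            "dport": int(m.group(5)),
        })
    return events

def scan_suspects(events, min_ports=5):
    """Sources whose dropped packets hit at least min_ports distinct destination ports.

    A couple of repeated drops (a stale client, a mistyped address) look very
    different from one source walking through many ports, so the number of
    distinct ports per source is the signal, not the raw count of drops.
    """
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, ports in scan_suspects(parse_drops(SAMPLE_LOG)).items():
        print(f"{src} probed {len(ports)} ports: {ports}")
```

The threshold is deliberately a parameter: on a busy perimeter a handful of distinct ports from one source is normal background noise, so the value that separates noise from a scan has to be tuned against what the firewall actually logs.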

Different types of firewalls based on functionality

Packet Filters

This is the most basic function of a firewall device. These devices inspect ingress and egress transmissions to see whether their properties match the rule set; if a rule matches, the packet is allowed or denied according to the action specified in that rule. Simple packet filters are stateless in their operation, meaning they have no capability to associate multiple requests with one another or to handle sessions.

Stateless packet filters are susceptible to most exploits that take advantage of the TCP/IP protocol stack. For example, many packet filters are unable to detect spoofed IP addresses. Moreover, some packet filters drop fragmented packets even when they are legitimate requests (firewalls blocking fragmented packets is a common VPN interoperability issue).

The table below shows a simple rule set for a packet-filtering firewall. It is important to know that rules are applied from the top down: as soon as a matching rule is found, that rule is applied immediately and the rules below it are not consulted.

Action  Source Address  Destination Address  Protocol  Source Port  Destination Port  Control Bit
Allow   Inside          Outside              TCP       Any          80                Any
Allow   Outside         Inside               TCP       80           > 1023            ACK
Deny    All             All                  All       All          All               All

The above rule set allows inside users to browse the web: the first rule permits outbound requests to port 80, the second permits the returning replies, and the final rule denies everything else.
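To make the top-down, first-match evaluation concrete, here is an added example (not code from the original post) that encodes the three rules above and runs packets through them. It assumes that "Inside" means the 10.0.0.0/8 network and everything else is "Outside"; the addresses in the test traffic are constructed. The last case shows the stateless weakness described earlier: a packet that merely sets the ACK bit and uses source port 80 satisfies rule 2, because the filter has no memory of whether any inside host ever opened that connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: "Inside" is 10.0.0.0/8, everything else is "Outside".
INSIDE_NET = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    sport: int
    dport: int
    flags: frozenset    # TCP control bits that are set, e.g. frozenset({"SYN"})

def zone(addr):
    return "inside" if ip_address(addr) in INSIDE_NET else "outside"

def port_matches(spec, port):
    """spec is "any", a port number, or a string such as ">1023"."""
    if spec == "any":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec

def rule_matches(rule, pkt):
    action, src, dst, proto, sport, dport, bit = rule
    return (src in ("all", zone(pkt.src))
            and dst in ("all", zone(pkt.dst))
            and proto in ("all", pkt.proto)
            and (sport == "all" or port_matches(sport, pkt.sport))
            and (dport == "all" or port_matches(dport, pkt.dport))
            and (bit in ("any", "all") or bit in pkt.flags))

# The rule table from the text, in the same order.
# (action, source, destination, protocol, source port, destination port, control bit)
RULES = [
    ("allow", "inside", "outside", "tcp", "any", 80, "any"),
    ("allow", "outside", "inside", "tcp", 80, ">1023", "ACK"),
    ("deny", "all", "all", "all", "all", "all", "all"),
]

def filter_packet(pkt, rules=RULES):
    """Top-down, first match wins: rules after the matching one are never consulted."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"   # sensible fallback for a table with no catch-all rule

if __name__ == "__main__":
    req = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, frozenset({"SYN"}))
    unsolicited = Packet("192.0.2.10", "10.0.0.5", "tcp", 80, 40001, frozenset({"ACK"}))
    print("outbound request:", filter_packet(req))
    print("unsolicited ACK from outside:", filter_packet(unsolicited))
```

Because rule order decides the outcome, the same table with the deny rule moved to the top blocks everything; keeping the most specific allow rules first and a single catch-all deny last is the convention the text's table follows.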

Stateful Firewalls

This type of device improves upon the packet filter by adding one more component, a state table. A stateful firewall intercepts packets at the network layer and inspects them to see whether they are allowed by the existing firewall rules, while also keeping track of each connection in the state table. The properties kept in the state table vary by vendor, but most maintain the following: source address, source port, destination address, destination port, connection state and timeout period.

The three major connection states for TCP traffic are:

  • Connection establishment
  • Usage
  • Termination

Stateless protocols such as UDP have no formal process of initialization, establishment and termination, so their state cannot be monitored at the transport layer. For such protocols, stateful firewalls instead track the source and destination addresses and port numbers: a state entry is added that allows the traffic, together with a timeout field so that the entry is deleted when the timeout expires.
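The description of the state table, the three TCP connection states and the timeout-based pseudo-state for UDP can be put together in one small simulation. This is an added example, not code from the original post: it keeps a state table keyed on the normalised 5-tuple, moves TCP flows through the establishment, usage and termination states named above, gives UDP flows a short-lived entry that each packet refreshes, and expires entries whose timeout has passed. The policy for the first packet of a flow ("only inside-initiated flows may create state"), the 10.0.0.0/8 inside network, the timeout values and the test addresses are all assumptions of this example. Unlike the stateless filter, an ACK arriving from outside with no entry behind it is denied, because it belongs to no connection the firewall has seen.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.0.0.0/8")   # constructed: the protected side
TCP_IDLE = 3600.0                        # constructed timeouts, in seconds
TCP_CLOSE = 60.0                         # grace period after FIN/RST
UDP_IDLE = 30.0                          # pseudo-state lifetime for UDP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()       # TCP control bits; empty for UDP

def flow_key(p):
    """5-tuple normalised so both directions of a flow share one table entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def inside_initiated(p):
    """Policy for the first packet of a flow: only inside -> outside may create state.
    This stands in for the rule table of the text (an assumption of this example)."""
    return ip_address(p.src) in INSIDE_NET and ip_address(p.dst) not in INSIDE_NET

class StatefulFirewall:
    def __init__(self):
        self.table = {}   # flow_key -> {"state": str, "expires": float}

    def expire(self, now):
        for k in [k for k, e in self.table.items() if e["expires"] <= now]:
            del self.table[k]

    def state_of(self, p):
        e = self.table.get(flow_key(p))
        return None if e is None else e["state"]

    def handle(self, p, now):
        """Return "allow" or "deny" for packet p seen at time now (seconds)."""
        self.expire(now)
        k = flow_key(p)
        entry = self.table.get(k)
        if p.proto == "tcp":
            if entry is None:
                # Only a bare SYN may open a connection, and only if policy allows it;
                # any other flag combination with no entry belongs to no known connection.
                if p.flags == frozenset({"SYN"}) and inside_initiated(p):
                    self.table[k] = {"state": "establishment", "expires": now + TCP_IDLE}
                    return "allow"
                return "deny"
            if "RST" in p.flags or "FIN" in p.flags:
                entry.update(state="termination", expires=now + TCP_CLOSE)
            elif entry["state"] == "termination":
                entry["expires"] = now + TCP_CLOSE      # final ACKs keep the short timer
            elif entry["state"] == "establishment" and "ACK" in p.flags and "SYN" not in p.flags:
                entry.update(state="usage", expires=now + TCP_IDLE)   # handshake completed
            else:
                entry["expires"] = now + TCP_IDLE       # traffic refreshes the idle timer
            return "allow"
        if p.proto == "udp":
            if entry is None:
                if not inside_initiated(p):
                    return "deny"
                self.table[k] = {"state": "pseudo", "expires": now + UDP_IDLE}
            else:
                entry["expires"] = now + UDP_IDLE       # each packet extends the entry
            return "allow"
        return "deny"
```

The UDP branch is where the timeout field earns its place: the reply to a query is allowed only while the entry created by that query is still alive, and once it has expired the same reply packet is treated as an unsolicited inbound datagram and dropped.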

Application Layer Firewalls

These are third-generation firewalls that work at the application layer. The main component of this type of firewall is stateful protocol analysis. This improves on the basic stateful inspection described above by adding a basic intrusion detection technology, i.e. an inspection engine that analyses protocols at the application layer and compares the observed traffic against known benign protocol behaviour. This technology is also sometimes referred to as Deep Packet Inspection (DPI), as the device now looks into the contents of the packet, not just the header as in the previous types of firewall. Firewalls with both stateful inspection and stateful protocol analysis capabilities are still not fully-fledged IDPS, which usually have more capabilities.
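As an added example of what "comparing traffic against benign protocol behaviour" means in practice (this is not code from the original post), the following check takes the first client message of a flow that the rule set allowed on TCP port 80 and asks whether it actually looks like an HTTP/1.x request: a well-formed request line, a permitted method, a bounded header block and headers of the expected shape. The permitted method set, the header size limit and the sample payloads are assumptions of this example. A real inspection engine also follows the server side and later messages of the flow; this shows the single-message check only.

```python
import re

# Constructed policy for this example: which methods a benign client is
# expected to send, and how large a header block may be before it is suspect.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_HEADER_BYTES = 8192

# Request line per HTTP/1.x: METHOD SP request-target SP HTTP/1.0|1.1
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def inspect_http_request(payload: bytes):
    """Return ("allow", reason) or ("deny", reason) for the first client message."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        # Raw binary, or a tunnelled protocol, on a port the policy reserved for HTTP.
        return "deny", "no end of headers within payload"
    if len(head) > MAX_HEADER_BYTES:
        return "deny", "header block exceeds limit"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "deny", "first line is not an HTTP/1.x request line"
    method = m.group(1).decode()
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    for header in lines[1:]:
        # Every header is "name: value"; a line starting with whitespace would be
        # obsolete line folding, which benign modern clients do not send.
        if b":" not in header or header[:1].isspace():
            return "deny", "malformed header"
    return "allow", "well-formed HTTP request"

if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n"
    print(inspect_http_request(sample))
    print(inspect_http_request(b"\x16\x03\x01" + b"\x00" * 40))   # not HTTP at all
```

The point of the deny reasons is that they feed the logging function: a flow denied because port 80 carried something that is not HTTP is exactly the kind of event a later investigation wants to see recorded, alongside the 5-tuple the lower layers already log.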

Proxy Firewalls

An application-proxy gateway is a feature of modern firewalls that combines lower-layer access control with upper-layer functionality. These firewalls contain a proxy agent that acts as an intermediary between two hosts that wish to communicate. This prevents a direct connection between them: each connection results in two separate connections, one from each host to the proxy. The proxy is transparent to the hosts. The proxy agent interfaces directly with the firewall rule set to determine whether a given instance of network traffic should be allowed to transit the firewall.

Application-proxy gateways differ from application firewalls in two ways. Firstly, they can offer a higher level of security for specific applications, because they prevent direct communication between the two hosts. Secondly, they can decrypt the packets, examine them and re-encrypt them before sending them on to the destination.

The main drawback of this type of firewall is that reading and interpreting the packets takes time.

Principles of a secure network design

Introduction

As the internet keeps growing and more people come online, the number of network security breaches is increasing as well. To guard against these breaches, a good secure network design needs to be in place. This article discusses some of the principles of a securely designed network. Below are the five principles that will be discussed.

  1. Defense in depth
  2. Compartmentalization
  3. Principle of Least Privilege
  4. Weakest Link in the chain
  5. Accountability and Traceability

Defense in depth

This is a term that encompasses several of the principles of network design. The large number of components that make up a network, and its complexity, leave the network vulnerable in many areas, and it is hard to identify which component has weak security features built in. Hence it is desirable to build a network with many layers of security, giving more depth of defence against the weaknesses of individual components.

The following three rules apply to a defense-in-depth strategy.

  1. Defend in multiple places: a network can be attacked from multiple points (by insiders and outsiders), so security devices should be deployed at different points in the network, to stop attacks that get past any one device.
  2. Build layered defenses: more than one security layer should be built, to stop attackers from reaching their target. For example, nested firewalls coupled with IDS/IPS could be deployed at the outer and inner boundaries.
  3. Use robust components: security devices should be chosen and deployed according to the value of what is being protected and the threat at the point of application.

Compartmentalization

IT system resources of different sensitivity levels (i.e., different risk tolerance values and threat susceptibility) should be located in different security zones, separated either physically or logically.

Proper placement and configuration of firewalls helps create secure architectures by dividing the network infrastructure into security zones and controlling communication between them.

Principle of Least Privilege

This rule states that access to systems should be restricted to the minimum set of users or administrators who require it. This covers physical access to the domain as well as access to systems, applications and web services. In addition, control of external user access is also covered. An extension of this rule is the "need-to-know" rule, which states that information should be given only to the people who absolutely need to know it.

Weakest Link in the chain

The security of an IT system depends on its least secure element. A layered approach to network design, with weaker and less protected assets residing in a separate domain, mitigates the effect of these weakest links (humans are considered to be the weakest link in information security architectures).

Accountability and Traceability

This principle accepts that security risks will always exist; we need to do our best to manage and mitigate each risk as soon as it appears.

Hence the network architecture should provide means of tracking the actions of users, attackers and administrators. This principle translates into functions such as auditing, event management, monitoring and forensics.