xisto Community

asadislam78
Members
Firewalls and types of Firewalls

A firewall is a network security device (hardware or software) that sits between a private network and a public network. A firewall is used as a barrier to keep destructive forces away from our property, i.e. the network and the resources available in that network. In fact, that's why it is called a firewall. The job of a firewall is similar to that of a physical firewall that keeps a fire from spreading from one area to the next.

• A firewall ensures that all communications attempting to cross from one network to the other meet an organization's security policy.
• Firewalls track and control communications, deciding whether to allow, reject or encrypt the communications.
• In addition to protecting trusted networks from the Internet, firewalls are increasingly being deployed to protect sensitive portions of local area networks and individual PCs.

The firewall machine is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused. In some large organizations, we may even find a firewall located inside the corporate network to segregate sensitive areas of the organization from other employees. Many cases of computer crime occur from within an organization, not just from outside.

Function of a Firewall

A firewall's basic task or function is to regulate the flow of traffic between computer networks of different trust levels. A typical example is the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

Four key functions of a firewall are:
• Packet filtering
• Network Address Translator (NAT)
• Circuit-level gateway
• Application proxies

Packet filtering firewalls

Packet filtering is one of the simplest and a primary means of achieving network firewalls. Filters are specialized components present in the firewall which examine data passing in and out of the firewall. The incoming and outgoing packets at the firewall are compared against a standard set of rules for allowing them to pass through or be dropped. In most cases, the rule base (commonly known as the ruleset) is predefined based on a variety of metrics. Rules can include source and destination IP addresses, source and destination port numbers, and the protocols used.

Packet filtering generally occurs at Layer 3 of the OSI model and employs some of the following metrics to allow or deny packets through the firewall:

• The source IP address of the incoming packets. Normally, IP packets indicate where a particular packet originated. Approval and denial of a packet could be based on the originating IP address. Many unauthorized sites can be blocked based on their IP addresses; in this way, irrelevant and unwanted packets can be prevented from reaching legitimate hosts inside the network. For example, a significant amount of spam and unwanted advertisements is aimed at third-party businesses, wasting bandwidth and computational resources. Packet filtering using source IP-based rulesets can be highly effective in eliminating many such unwanted messages.

• The destination IP address. Destination IP addresses are the intended location of the packet at the receiving end of a transmission. Unicast packets have a single destination IP address and are normally intended for a single machine. Multicast or broadcast packets have a range of destination IP addresses and are normally destined for multiple machines on the network. Rulesets can be devised to block traffic to a particular IP address on the network to lessen the load on the target machine. Such measures can also be used to block unauthorized access to highly confidential machines on internal networks.

The main advantage of packet-filtering firewalls is the speed at which the firewall operations are achieved. Because most of the work takes place at Layer 3 or below in the network stack, complex application-level knowledge of the processed packets is not required. Most often, packet-filtering firewalls are employed at the very periphery of an organization's secure internal networks, as they can be a very handy tool in offering a first line of defense. For example, using packet-filtering firewalls is highly effective in protecting against denial-of-service attacks that aim to bog down sensitive systems on internal networks. The normal practice is to employ additional safety measures inside the DMZ, with the packet-filtering firewall set up at the external periphery.

Though cost effectiveness, speed, and ease of use are appreciable qualities of packet filtering techniques, they have some significant flaws, too. Because packet-filtering techniques work at OSI Layer 3 or lower, it is impossible for them to experiment with application-level data directly. Thus, application-specific attacks can easily creep into internal networks. When an attacker spoofs network addresses such as IP addresses, packet filters are ineffective at filtering on this Layer 3 information. Network address spoofing is a primary tool employed by willful attackers on sensitive networks. Many packet-filtering firewalls cannot detect spoofed IP or ARP addresses. In essence, the main reason for deployment of packet-filtering firewalls is to defend against the most general denial-of-service attacks and not against willful attackers. Security inspections (such as cryptography and authentication) cannot be carried out with packet-filtering firewalls because they work at higher layers of the network stack.

Packet filtering is usually implemented on routers that filter traffic based on packet content, such as IP addresses.

Packet filtering types are:
i) Static packet filtering
ii) Dynamic packet filtering
iii) Stateful packet filtering

i) Static packet filtering

Static packet filtering is a firewall and routing capability that provides network packet filtering based only on the information in the current packet and administrator rules. Static packet filtering filters packets based on:
• Administrator-defined rules governing allowed ports and IP addresses at the network and transport layers of the OSI network model.
• Packet contents, including the network and transport layer contents.

ii) Dynamic packet filtering

Dynamic packet filtering is a firewall and routing capability that provides network packet filtering based not only on the information in the current packet, but also on previous packets that have been sent. For example, without dynamic packet filtering, a connection response may be allowed to go from the Internet to the secure part of the network. Dynamic packet filtering filters packets based on:
• Administrator-defined rules governing allowed ports and IP addresses at the network and transport layers of the OSI network model.
• Connection state, which considers prior packets that have gone through the firewall.
• Packet contents, including the application layer contents.

Dynamic packet filtering provides a better level of security than static packet filtering, since it takes a closer look at the contents of the packet and also considers previous connection states.

iii) Stateful packet filtering

Stateful packet-filtering techniques use a sophisticated approach, while still retaining the basic tenets of packet-filtering firewalls for their operation. In network communication, Layer 4 works with the concept of connections. A connection is defined as a legitimate single source transmitting to and receiving from a single destination. The connection pairs can usually be singled out with four parameters:
• The source address
• The source port
• The destination address
• The destination port

Stateful inspection techniques use TCP and higher-layer control data for the filtering process. The connection information is maintained in state tables that are normally controlled dynamically. Each connection is logged into the tables, and, after the connection is validated, packets are forwarded based on the ruleset defined for the particular connection. For example, firewalls may invalidate packets that contain port numbers higher than 1023 in transit from application servers, as most servers respond on standard ports that are numbered from 0 to 1023. Similarly, client requests emanating from inappropriate ports can be denied access to the server.

Even though stateful inspection firewalls do a good job of augmenting security features generally not present on filtering-based firewalls, they are not as flexible or as robust as packet filtering. Incorporation of the dynamic state table and other features into the firewall makes the architecture of such firewalls complex compared to that of the packet-filtering techniques. This directly influences the speed of operation of stateful inspection techniques. As the number of connections increases (as is often the case on large-scale internal networks), the state table contents could expand to a size that results in congestion and queuing problems at the firewalls. This appears to users as a decrease in performance. Most of the higher-level firewalls present in the market are stateful inspection firewalls. Other problems stateful inspection firewalls face include that they cannot completely access higher-layer protocol and application services for inspection. The more application oriented the firewall is, the narrower its range of operation and the more complex its architecture becomes.

Application Proxies or Proxy firewalls

Application proxy firewalls generally aim for the top-most layer, i.e. the application layer of the OSI model, for their operations. A proxy is a substitute for terminating connections in a connection-oriented service. For example, proxies can be deployed between a remote user (who may be on a public network such as the Internet) and the dedicated server on the Internet. All that the remote user sees is the proxy, so he doesn't know the identity of the server he is actually communicating with. Similarly, the server only sees the proxy and doesn't know the true user. The proxy can be an effective shielding and filtering mechanism between public networks and protected internal or private networks. Because applications are completely shielded by the proxy and because actions take place at the application level, these firewalls are very effective for sensitive applications. Authentication schemes, such as passwords and biometrics, can be set up for accessing the proxies, fortifying security implementations. In many cases, dedicated supplementary proxies can be set up to aid the work of the main firewalls and proxy servers. Proxy agents are application- and protocol-specific implementations that act on behalf of their intended application protocols.

Protocols for which application proxy agents can be set up include the following:
• HTTP
• FTP
• RTP
• SMTP

The main disadvantage in using application proxy firewalls is speed. Because these firewall activities take place at the application level and involve a large amount of data processing, application proxies are constrained by speed and cost. Yet application proxies offer the best security of all the firewall technologies. Dedicated proxies can be used to assist the main firewalls to improve the processing speed.

Network Address Translation (NAT)

Network Address Translation (NAT) is a scheme employed by organizations to handle the address deficiency of IPv4 networking. It basically translates private addresses that are normally internal to a particular organization into routable addresses on public networks such as the Internet. In particular, NAT is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. Though NAT's main goal is to increase the scope of IP addresses (this necessity is addressed to a great extent by IPv6 network architectures, where there is an abundance of network addresses), security is an essential attribute that can potentially be achieved by NAT.

NAT complements the use of firewalls in providing an extra measure of security for an organization's internal network. Usually, hosts from inside the protected networks (with private addresses) are able to communicate with the outside world, but systems that are located outside the protected network have to go through the NAT boxes to reach internal networks. Moreover, NAT allows an organization to use fewer IP addresses in making entire networks operational, which aids in confusing attackers as to which particular host they are targeting; in this way security dimensions are increased. Many denial-of-service attacks such as SYN flood and ping of death can be prevented using NAT technology.

The main feature in NAT is the translation table that the NAT box maintains. A NAT box might be implemented with a laptop computer and the appropriate network interface cards. The translation table maps external unique IP addresses to internal private IP addresses. Normally, this mapping is not one-to-one. To conserve address space, a single global IP address may be mapped to more than one private IP address. Typically, port associations (on the NAT boxes) are created to achieve multiple mapping of public and private addresses. Any packets from the outside attempting to reach a particular host on the private network get routed with the NAT-specified global address. It becomes the responsibility of the NAT software to look up the translation table to find out the particular private address to which the packet has to be routed. Normally, translation tables are built using three methods:

• Static: In this configuration, the relationships among the global and private IP addresses are fixed.
• Dynamic outbound packets: In this mode, the translation tables get updated automatically as outbound packets are processed from the private network.
• Domain name lookups: When packets from the external Internet make domain name lookups of hosts inside the private network, the domain name lookup software takes the responsibility of updating the NAT tables.

Circuit-Level Gateway

A circuit-level gateway is a type of firewall. Circuit-level gateways work at the session layer of the OSI model, or between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit-level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.

Types of Firewalls
• Server-Based Firewalls
• Appliance-Based or Network Appliance Firewalls

Server-Based Firewalls

Server-based firewalls run on a dedicated computer, using a standard operating system and commercially popular hardware.

Appliance-Based or Network Appliance Firewalls

Network appliance firewalls prevent unsolicited network entry to private networks by computer criminals. Only network responses that have been explicitly requested by authorized users will be permitted past the firewall (for example, when an authorized user requests a web page in their browser, only that web page response will be permitted to enter the corporate network from the Internet through the firewall; web pages not expressly requested by that user, which might have been transmitted by a computer criminal from the Internet, will not be able to enter that company's network through its firewall). Additionally, network appliance firewalls are frequently less expensive than server-based firewalls because:
• there are fewer 'moving parts' than in a server-based firewall;
• they are usually produced uniformly in large quantities; and
• most involve a simple setup.

Disadvantages of firewalls

There are some inherent disadvantages of installing firewalls. The main disadvantage is the cost involved in installation. A thorough analysis of the protected architecture and its vulnerabilities has to be done for an effective firewall installation. Moreover, attackers can compromise the firewall itself to get around security measures. When a clever attacker compromises firewalls, he or she might be able to compromise the information system and cause considerable damage before being detected. Attackers could also leave back doors that may be unseen by firewalls. These trapdoors become potential easy entry points for a frequently visiting attacker. When improperly configured, firewalls may block legitimate users from accessing network resources. Huge losses can result when potential users and customers are not able to access network resources or proceed with transactions.

Virtual Private Networks (VPN)

Virtual private networks (VPNs) have brought high promises on the security front for the Internet and large-scale wide area networks (WANs). Though, realistically, security breaches cannot be avoided, the VPN stands as one of the strongest security backbones where WANs are concerned. Many vendors, both in the commercial sector and in the defense sector, see VPNs as a reliable source of tunneling and security for their internal networks and the Internet. Setting up a VPN is relatively simple and highly secure and does not involve high operational costs. Many financial institutions have looked at VPNs as a better option than other techniques for their network security requirements. VPNs are most often used to connect the backbone Internet and ATM networks of an organization's central servers with its remote users and vice versa. If an organization's network is physically distributed across multiple locations (this range may include multiple countries), it can institute a VPN to interconnect the different network sections. An actual scenario is drawn in the figure below, where an organization utilizes VPNs to connect the various segments of its network. VPNs establish tunnels that allow sensitive data to be protected with encryption as it goes over public networks such as the Internet.

In recent times, organizations that make use of the Internet as a means of establishing VPNs have had concerns about data security. Such demands have made VPNs evolve from a basic data transportation network to a system that also includes security features.

VPN Design issues

VPNs are designed in accordance with an organization's application needs and network restrictions. More often than not, smaller organizations find it economical to deploy a low-end ISP-based solution, as opposed to other high-end, sophisticated alternatives. The fact that most VPN software lies on the client's machine and other remote location facilities (such as gateways and routers) makes it difficult to bring in standardization.

The basic VPN architecture falls along the following lines:

• Remote access VPNs: Address the mobile end users' connectivity with a corporate main office network. End users (who are normally exclusive and authenticated customers) can log on to the remote access servers through dial-up services provided by an ISP. The corporation usually leaves its virtual private dial-up network in the hands of the network access servers (NAS) operated by the ISP. Normally, a login name and password are exchanged with the NAS for a user at the remote site to log in. This provides low-end solutions and relatively insecure VPNs, as the data may be sent out in the clear in the ISP's network. Figure 16-6 shows a remote access VPN.

• LAN-to-LAN or site-to-site VPNs: Another mode of virtual private networking is establishing communication between two different local area networks. An organization's business ally can use their networks to connect to the corporate network directly, combining two different large-scale networks into a single virtual network. Site-to-site VPNs require high-end solutions, as the amount of data exchanged is very high compared with remote access VPNs. IPsec and SSL-based security and encryption solutions are used for building site-to-site VPNs. Figure 16-7 shows a site-to-site VPN.

--------------
Asad Islam
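The post's static-versus-stateful distinction (a static ruleset has to open a hole for "connection responses", a stateful one admits only replies to connections it has seen) in a toy simulation. This is an added example, not code from the post above: the internal network 10.0.0.0/24, the addresses, ports, rulesets and the three sample packets are all constructed for illustration.

```python
"""Static vs. stateful packet filtering, as a toy simulation.

Constructed example for illustration; not code from the original post.
The internal network, addresses, ports, rules and sample packets are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

INTERNAL = ip_network("10.0.0.0/24")   # assumed trusted LAN
ANY = "*"                              # wildcard in a rule field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset                   # TCP flags, e.g. frozenset({"SYN"})

    @property
    def direction(self) -> str:
        """'out' if the packet leaves the LAN, 'in' if it arrives from outside."""
        return "out" if ip_address(self.src_ip) in INTERNAL else "in"


# A rule is (direction, src_ip, src_port, dst_ip, dst_port, action); "*" matches anything.
Rule = Tuple[str, str, object, str, object, str]


def _match(rule: Rule, pkt: Packet) -> bool:
    fields = (pkt.direction, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return all(want == ANY or want == got for want, got in zip(rule[:5], fields))


class StaticFilter:
    """Judges each packet in isolation: first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if _match(rule, pkt):
                return rule[5] == "allow"
        return False


class StatefulFilter(StaticFilter):
    """Rules govern only *new* connections (a bare SYN). Anything else is admitted
    only when it matches a 4-tuple (or its reverse) recorded in the state table."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.state: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state or reverse in self.state:
            return True                  # belongs to an established connection
        if pkt.flags != frozenset({"SYN"}):
            return False                 # no state and not a connection attempt: drop
        if super().decide(pkt):
            self.state.add(key)          # remember the connection for its replies
            return True
        return False


# The static filter must open source port 80 inbound so that web replies get back in,
# which also admits any attacker packet that merely claims source port 80.
STATIC_RULES: List[Rule] = [
    ("out", ANY, ANY, ANY, 80, "allow"),
    ("in", ANY, 80, ANY, ANY, "allow"),
]
# The stateful filter needs no inbound rule: replies are matched from the state table.
STATEFUL_RULES: List[Rule] = [("out", ANY, ANY, ANY, 80, "allow")]

# Constructed traffic: a real web session, then a forged "reply" from port 80 to SSH.
TRAFFIC = {
    "client_syn":    Packet("10.0.0.5", 51000, "203.0.113.10", 80, frozenset({"SYN"})),
    "server_synack": Packet("203.0.113.10", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),
    "forged_to_ssh": Packet("198.51.100.7", 80, "10.0.0.9", 22, frozenset({"SYN"})),
}


def run(fw: StaticFilter) -> Dict[str, bool]:
    """Feed the sample packets through a filter in order and record each verdict."""
    return {name: fw.decide(pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    print("static  :", run(StaticFilter(STATIC_RULES)))
    print("stateful:", run(StatefulFilter(STATEFUL_RULES)))
```

The static filter passes all three packets, including the forged one, because "source port 80" is the only evidence it can check. The stateful filter passes the first two and drops the forgery: nothing in its state table matches, and inbound new connections have no allow rule. Real firewalls also age entries out of the table and track TCP state transitions, which this simulation omits.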
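The NAT translation table described in the post (one global address, port associations created dynamically from outbound packets, unsolicited inbound packets with no entry dropped) as an added example; it is not the poster's code. The public address 203.0.113.1, the port pool starting at 40000 and the sample packets are assumptions made for the demonstration.

```python
"""Port-based NAT: many private addresses behind one public address.

Constructed example for illustration; not code from the original post.
The public address, port pool and sample packets are assumed.
"""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"      # assumed single routable address of the NAT box


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Builds its translation table dynamically from outbound packets.

    table: public_port -> (private_ip, private_port, remote_ip, remote_port).
    Each outbound flow gets its own public port, so one global address serves
    many private addresses (the mapping is deliberately not one-to-one).
    """

    def __init__(self, first_port: int = 40000):
        self._ports = count(first_port)                      # assumed port pool
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self._by_flow: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the public address; add a table entry on first use."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            port = next(self._ports)
            self._by_flow[flow] = port
            self.table[port] = flow
        return replace(pkt, src_ip=PUBLIC_IP, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination back to the private host, or drop (None).

        The packet must match the whole entry (remote address and port too),
        not just the public port, so a third party cannot ride on someone
        else's mapping. That is a design choice of this example.
        """
        if pkt.dst_ip != PUBLIC_IP:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                                      # unsolicited: no mapping
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                                      # wrong peer for this port
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo() -> dict:
    """Run a constructed scenario and return what each packet became."""
    nat = NatBox()
    # Two private hosts that happen to pick the same ephemeral source port.
    a_out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.20", 443))
    b_out = nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.20", 443))
    # The server replies to the public address and ports it saw.
    a_reply = nat.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, a_out.src_port))
    b_reply = nat.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, b_out.src_port))
    # Unsolicited packets: one reusing a live port from another host, one to port 22.
    stray = nat.inbound(Packet("192.0.2.99", 443, PUBLIC_IP, a_out.src_port))
    cold = nat.inbound(Packet("192.0.2.99", 12345, PUBLIC_IP, 22))
    return {
        "a_public_port": a_out.src_port,
        "b_public_port": b_out.src_port,
        "a_reply_dst": (a_reply.dst_ip, a_reply.dst_port) if a_reply else None,
        "b_reply_dst": (b_reply.dst_ip, b_reply.dst_port) if b_reply else None,
        "stray_dropped": stray is None,
        "cold_dropped": cold is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two hosts collide on private port 51000, so the NAT box hands them public ports 40000 and 40001 and routes each reply back by that port alone. The outside only ever sees 203.0.113.1, which is the "hiding" effect the post attributes to NAT; note that this protection rests entirely on the table, so entries must expire or an idle mapping stays reachable indefinitely.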