January 08, 2012

1.1.1 Firewalls

A firewall is a device, or set of devices, designed to permit or deny network transmissions based on a set of rules. It is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass: it examines each network packet against its rules to determine whether to forward it toward its destination.

Firewalls are one of the first lines of defense in a network; they cannot, however, be considered the only such line. The basic purpose of a firewall is to isolate one network from another. There are different types of firewalls, and they can be either stand-alone systems or included in other devices such as routers or servers. A firewall can be implemented in hardware, in software, or as a combination of both.
Firewalls can be placed to monitor traffic between the internal and external networks, and they can also be placed between internal networks. In any position, a firewall controls and monitors access between networks by filtering inbound and outbound traffic.

To configure the firewall, an administrator sets up a number of rules that are applied to every incoming and outgoing network communication.

Firewalls function as one or more of the following:
  • Packet filter
  • Proxy firewall
  • Stateful inspection firewall

Packet Filter Firewalls

A packet filtering firewall passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn't analyze the data of a packet; it decides whether to pass it based on the packet's addressing information, e.g. source/destination IP address and port number. For instance, a packet filter may allow web traffic on port 80 and block Telnet traffic on port 23.

If a received packet request asks for a port that isn't authorized, the filter may reject the request or simply ignore it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall.
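The following Python simulation is an added example, not code from the original post. It models the packet filter described above: rules match only on addressing information (source network, protocol, destination port), are evaluated top to bottom with first match winning, and fall through to a default policy. It also separates the two ways of refusing a packet mentioned above, rejecting it (answering with an error) versus silently dropping it. The ruleset, the addresses and the sample traffic are constructed for the example; they use the reserved documentation ranges rather than real hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at; there is deliberately no payload."""
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept", "reject" (answer with an error) or "drop" (discard silently)
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # source network in CIDR notation; None matches any source
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


# Constructed ruleset (hypothetical policy): evaluated top to bottom, first match wins.
RULES: List[Rule] = [
    Rule("accept", proto="tcp", dport=80),                      # web traffic from anywhere
    Rule("reject", proto="tcp", dport=23),                      # Telnet: refuse with an error
    Rule("accept", proto="tcp", src="192.0.2.0/24", dport=22),  # SSH only from the admin subnet
    Rule("reject", proto="tcp", dport=22),                      # SSH from anywhere else: refuse
]
DEFAULT_POLICY = "drop"  # anything no rule mentions is silently discarded


def filter_packet(pkt: Packet, rules: List[Rule] = RULES, default: str = DEFAULT_POLICY) -> str:
    """Return the action for a packet: the first matching rule decides, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "198.51.100.10", "tcp", 80),  # accept: web traffic
    Packet("203.0.113.5", "198.51.100.10", "tcp", 23),  # reject: Telnet
    Packet("192.0.2.7",   "198.51.100.10", "tcp", 22),  # accept: SSH from the admin subnet
    Packet("203.0.113.5", "198.51.100.10", "tcp", 22),  # reject: SSH from elsewhere
    Packet("203.0.113.5", "198.51.100.10", "udp", 53),  # drop: no rule, default policy applies
]


def run_sample() -> List[str]:
    """Verdict for each constructed packet, in order."""
    return [filter_packet(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

Note that the Packet type carries no payload at all: a filter like this accepts anything addressed to port 80 whether or not it is actually HTTP, which is the blind spot the proxy and stateful designs in the following sections are meant to close. A default policy of drop rather than accept is the usual practice, so that a forgotten rule fails closed.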

Proxy Firewalls

Proxy firewalls operate at the application layer, where both ends of a connection are forced to conduct the session through the proxy.

Proxy firewalls are also known as application gateway firewalls because they can inspect application layer traffic. Proxy firewalls combine stateful inspection technology with the ability to perform deep application inspections. A proxy service must be run for each type of Internet application the firewall will support -- a Simple Mail Transfer Protocol (SMTP) proxy for e-mail, an HTTP proxy for Web services, and so on.

The proxy intercepts all packets and reprocesses them. In a proxy-based firewall, every packet is stopped at the proxy. The packet is then examined and compared to the rules configured in the firewall. If the packet passes the examination, it is recreated and sent out. Because each packet is recreated, an application-proxy firewall has greater potential to prevent unknown attacks than a packet filtering firewall. The drawback is that a separate application proxy must be written for each application type being examined.

A proxy firewall typically uses two network interface cards (NICs). One of the cards is connected to the outside network, and the other is connected to the internal network. The proxy software manages the connection between the two NICs. This setup segregates the two networks from each other and offers increased security.

The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. The proxy can also offer caching, should the same request be made again, and can increase the efficiency of data delivery.

The proxy function can occur at either the application level or the circuit level. Application-level proxy functions read the individual commands of the protocols being served. A circuit-level proxy creates a circuit between the client and the server and does not inspect the contents of the packets being processed.
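As an added example (not the post's code, and not any real proxy product), the Python below shows the core of an application-level HTTP proxy as described in this section: it reads the individual commands of the protocol, compares them to a policy, and, if they pass, recreates the request from the parsed fields instead of relaying the client's bytes. The method whitelist, the permitted host name, the forwarded-header list and the Via value are constructed policy for the example. The network sockets are left out so the inspection logic can run by itself on a captured request.

```python
from typing import Dict, Tuple

# Constructed policy for the example: which commands and destinations the proxy relays.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"intranet.example.com"}
# Only these headers are copied into the rebuilt request; everything else is discarded.
FORWARDED_HEADERS = {"host", "user-agent", "accept", "content-type", "content-length"}


class ProxyReject(Exception):
    """Raised when a request fails inspection; the proxy answers the client instead of relaying."""


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, target, headers, body), strictly."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("incomplete request head")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ProxyReject("non-ASCII bytes in request head") from None
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ProxyReject(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ProxyReject(f"malformed header: {line!r}")
        name = name.lower()
        if name in headers:
            # Two copies of one header (e.g. Content-Length) are ambiguous; refuse rather than guess.
            raise ProxyReject(f"duplicate header: {name}")
        headers[name] = value.strip()
    return method, target, headers, body


def inspect_and_rebuild(raw: bytes) -> bytes:
    """Apply the policy to the parsed command and return a freshly generated request."""
    method, target, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method {method} not permitted")
    if headers.get("host") not in ALLOWED_HOSTS:
        raise ProxyReject(f"host {headers.get('host')!r} not permitted")
    if not target.startswith("/"):
        raise ProxyReject("only origin-form targets are relayed")
    declared = headers.get("content-length", "0")
    if not declared.isdigit() or int(declared) != len(body):
        raise ProxyReject("Content-Length does not match body")
    # Recreate the request from parsed fields: the client's original bytes never reach the server.
    out = f"{method} {target} HTTP/1.1\r\n"
    for name in sorted(headers):
        if name in FORWARDED_HEADERS:
            out += f"{name.title()}: {headers[name]}\r\n"
    out += "Via: 1.1 example-proxy\r\n\r\n"   # constructed proxy name
    return out.encode("ascii") + body


def decision(raw: bytes) -> str:
    """Convenience wrapper: 'forward' or 'reject: <reason>' for a raw request."""
    try:
        inspect_and_rebuild(raw)
        return "forward"
    except ProxyReject as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed sample request with a header the policy does not forward.
    sample = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n"
              b"User-Agent: demo\r\nX-Debug: 1\r\n\r\n")
    print(inspect_and_rebuild(sample).decode())
    print(decision(b"TRACE / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"))
```

The contrast with a circuit-level proxy is in what happens after the connection is authorized: a circuit-level proxy would relay the bytes unchanged, whereas this application-level proxy only ever emits requests it has parsed and understood, so anything it cannot parse, and any header it does not know, never reaches the server. That is the "recreated packet" property the text credits with stopping attacks the proxy has no specific rule for.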

Stateful Inspection Firewalls

Stateful inspection is also referred to as stateful packet filtering. A stateful inspection firewall keeps track of the state of the network connections traveling across it.

Stateless firewalls treat each network frame (or packet) in isolation. After a packet is passed, the packet and its path are forgotten. The drawback is that they have no memory of previous packets, which makes them vulnerable to spoofing attacks.

In stateful inspection (or stateful packet filtering), records are kept in a state table that tracks every communications channel. A stateful firewall holds the significant attributes of each connection in memory, from start to finish. This adds complexity to the process, and denial-of-service attacks present a challenge because flooding techniques can overload the state table and effectively cause the firewall to shut down or reboot.

The stateful firewall depends on the three-way handshake of TCP when the protocol in use is TCP; when the protocol is UDP, which has no handshake, the stateful firewall has nothing related to TCP to rely on.
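The Python below is an added example, not code from the original post, that puts the three preceding paragraphs side by side: a state table keyed on the connection, a TCP entry that advances through the three-way handshake before data is admitted, a UDP pseudo-connection that lives only as long as its idle timeout (since UDP offers no handshake to track), a bounded table so the flooding problem is visible, and a stateless filter for comparison. Every address, port, timeout and table size is constructed for the example; the policy assumed is the common one of "inside may initiate, outside may only reply".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN"}
    t: float = 0.0                  # arrival time in seconds (constructed clock)


# State-table key, normalised so both directions of one connection share an entry:
# (inside host, inside port, outside host, outside port, protocol)
Key = Tuple[str, int, str, int, str]


class StatefulFirewall:
    def __init__(self, inside_net: str, max_entries: int = 1000,
                 syn_timeout: float = 5.0, udp_timeout: float = 30.0):
        self.inside = ip_network(inside_net)
        self.max_entries = max_entries      # bounded table: the resource a flood exhausts
        self.syn_timeout = syn_timeout      # half-open TCP entries expire quickly
        self.udp_timeout = udp_timeout      # UDP "connections" exist only while traffic flows
        self.table: Dict[Key, Tuple[str, float]] = {}   # key -> (state, last_seen)

    def _classify(self, pkt: Packet) -> Tuple[bool, Key]:
        outbound = ip_address(pkt.src) in self.inside
        if outbound:
            return True, (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return False, (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def _expire(self, now: float) -> None:
        """Age out idle UDP entries and half-open TCP entries (established TCP kept, for simplicity)."""
        for key, (state, seen) in list(self.table.items()):
            if key[4] == "udp":
                limit = self.udp_timeout
            else:
                limit = None if state == "ESTABLISHED" else self.syn_timeout
            if limit is not None and now - seen > limit:
                del self.table[key]

    def inspect(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        outbound, key = self._classify(pkt)
        entry = self.table.get(key)
        if pkt.proto == "udp":
            if entry is None:
                if not outbound:
                    return "drop: unsolicited inbound UDP"
                if len(self.table) >= self.max_entries:
                    return "drop: state table full"
            self.table[key] = ("UDP_OPEN", pkt.t)   # create or refresh the pseudo-connection
            return "accept"
        f = pkt.flags
        if entry is None:
            if outbound and f == {"SYN"}:
                if len(self.table) >= self.max_entries:
                    return "drop: state table full"
                self.table[key] = ("SYN_SENT", pkt.t)
                return "accept"
            return "drop: no matching connection"   # e.g. an inbound ACK that answers nothing we sent
        state, _ = entry
        if state == "SYN_SENT" and not outbound and f == {"SYN", "ACK"}:
            self.table[key] = ("SYN_RECV", pkt.t)
            return "accept"
        if state == "SYN_RECV" and outbound and f == {"ACK"}:
            self.table[key] = ("ESTABLISHED", pkt.t)   # handshake complete, data may flow both ways
            return "accept"
        if state == "ESTABLISHED":
            if f & {"FIN", "RST"}:
                del self.table[key]                     # connection closing: forget it
            else:
                self.table[key] = (state, pkt.t)
            return "accept"
        return f"drop: flags {sorted(f)} not valid in state {state}"


def stateless_filter(pkt: Packet, inside_net: str = "10.0.0.0/8") -> str:
    """A stateless ACL has no memory, so it can only guess that a packet with ACK set is a reply."""
    if ip_address(pkt.src) in ip_network(inside_net):
        return "accept"
    return "accept" if "ACK" in pkt.flags else "drop"


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/8", max_entries=2)
    # Constructed traffic: a legitimate handshake, then an inbound ACK that matches no connection.
    walk = [
        Packet("10.0.0.5", 40000, "198.51.100.1", 80, "tcp", frozenset({"SYN"}), 0.0),
        Packet("198.51.100.1", 80, "10.0.0.5", 40000, "tcp", frozenset({"SYN", "ACK"}), 0.1),
        Packet("10.0.0.5", 40000, "198.51.100.1", 80, "tcp", frozenset({"ACK"}), 0.2),
        Packet("203.0.113.9", 443, "10.0.0.5", 40001, "tcp", frozenset({"ACK"}), 0.3),
    ]
    for p in walk:
        print(f"stateful={fw.inspect(p):<30} stateless={stateless_filter(p)}")
```

The last packet in the walk-through is where the two designs part ways: the stateless filter admits it because the ACK bit is set, while the stateful firewall drops it because no entry in the table ever expected a reply from that host and port. The `max_entries` bound and the short `syn_timeout` together show the denial-of-service trade-off the text describes: once the table is full every new connection is refused, and aging out half-open entries quickly is the usual way to keep a flood of unanswered SYNs from holding those slots.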
