A firewall is a network device or a software application that monitors and, if necessary, filters traffic based on predefined settings.
A firewall protects network segments or hosts from intrusions performed by exploiting vulnerabilities in software applications or network protocols. It’s work is based on comparing traffic to the templates of known malicious code.
A firewall is usually installed at the edge of the LAN to protect internal hosts. It should be noted that some attacks may originate from within the local network. If a local server is attacked by another internal host, the edge firewall will ignore that attack. That’s why firewalls are now installed not only at the edge of the LAN, but also between its segments, which greatly improves network security.
The history of firewalls dates back to the late 1980s, when the Internet was not as ubiquitous as it is now. The predecessors of firewalls were routers that analyzed traffic based on the data at the network layer. Later, when network technologies have evolved, routers started using transport layer protocol data for traffic analysis. So routers were effectively the first hardware-based firewalls.
Software firewalls appeared much later. For example, Netfilter/iptables, a firewall for Linux, was created only in 1998. That’s because initially anti-virus software fulfilled the function of a firewall very successfully. But as viruses became more sophisticated in the late 1990s, the need for a firewall has arisen.
A firewall filters traffic based on a set of predefined rules (“ruleset”). In other words, it acts as a succession of filters that analyze and handle traffic according to the ruleset. Each filter has its own purpose. The order in which the rules are applied may have a huge impact on the firewall’s performance. For example, most firewalls analyze traffic by comparing it sequentially to known templates from the list. Obviously, the most popular templates should be placed at the top of the list.
A firewall can process incoming traffic based on one of the following two principles. Principle 1: Any data packets are allowed, except for the forbidden ones. So if a data packet has not been blocked based on a rule, it will be passed further. Principle 2: Only the data packets that are not forbidden are allowed. This approach provides the highest degree of security but makes life much harder for the network administrator.
A firewall can either “deny” traffic (drop the packet), or “allow” it (let the packet go further). Certain firewalls can also “reject” traffic (the packet will be dropped, and the sender will be informed that the host is unreachable), which further improves network security.
Firewalls are usually classed depending on the supported layer (based on the OSI seven-layer network model). There are several types of firewalls:
- Managed switches
- Packet filters
- Circuit-level gateways
- Application proxies
- Stateful firewalls
Though often reckoned among firewalls, managed switches work at the link layer of the network model, so they cannot handle external traffic.
Some vendors, such as Zyxel and Cisco, have enhanced their products by adding support for traffic handling based on MAC addresses in the frame headers. However, even this approach does not always work as well as expected because attackers can easily modify MAC addresses by using special software. That’s why nowadays switches mostly rely on other data, such as VLAN ID.
A virtual LAN (VLAN) allows network administrators to group hosts together and completely isolate their data from any external servers. Using managed switches can be a very effective and reasonably priced solution for a corporate network. Their major disadvantage is inability to handle higher-layer protocols.
Packet filters work at the network layer and control traffic based on the data in packet headers. Oftentimes, they can also process the headers of a higher-layer protocol (such as UDP or TCP, which work at the transport layer). Packet filters were the first firewalls in history, and they are still the most popular ones. They analyze the following data in the incoming traffic: the sender’s and the receiver’s IP addresses, protocol type, the sender’s and the receiver’s ports, and packet headers at the network and transport layers.
Their vulnerability lies in the fact that they can allow malicious code pass if it has been split into fragments (so that its packets pose as part of some other, legitimate content). This problem can be solved by blocking fragmented data. Some firewalls can also defragment data at their own gateway, before sending data to a major host. Nonetheless, the firewall can fall victim to a DDoS attack.
Packet filters can be built into operating systems or implemented as edge routers or personal firewalls. Packet filters analyze data packets very quickly. They work great at the LAN edge if it borders with untrusted networks. However, their inability to analyze higher-layer protocol data makes them easy targets for attacks with forged network addresses.
The network administrator can use a firewall to exclude any direct interactions between the host and any external servers. In this case, the firewall acts as a proxy that checks each incoming data packet and blocks any ones that do not belong to the existing connection. Any packets that pose as ones belonging to an already-closed connection are dropped.
A circuit-level gateway is the only thing that connects the LAN to the external network. It will be hard for the attacker to reconstruct the topology of the LAN protected by the circuit-level gateway, which means much better protection from DoS attacks.
But even this approach has a significant drawback: A firewall of this type cannot check the content of each data packet, so attackers can relatively easily pass trojans to the protected network.
Just like circuit-level gateways, application proxies act as go-betweens, but with a significant advantage – they can analyze the context of data transmitted. An application proxy can detect and block unwanted or nonexistent sequences of instructions (often a sign of a DoS attack), and completely forbid some of them.
Such firewalls can also detect the content type of the data transmitted. (For example, certain email services forbid sending executable files.) Moreover, they can authenticate users and check SSL certificates for the presence of a digital signature from a specific certificate authority.
The major disadvantage of using these firewalls is that in-depth packet analysis takes a long time. Besides, application proxies cannot automatically add support for new protocols and networked applications.
The designers of the stateful firewall have set a high goal of combining the advantages of each of the other firewalls (see above) to create one that can handle traffic both at the network layer and at the application layer.
Stateful firewalls can control the following:
- all sessions (using dynamic state tables),
- all transfered data packets (based on the filtering rules table),
- and all applications’ traffic (using application proxies).
Stateful firewalls filter traffic just like circuit-level gateways, so their performance is much higher than that of application proxies. Stateful firewalls have a user-friendly interface and are easy to configure. They are also highly extensible.
Firewalls can be either hardware based or software based. Hardware-based firewalls can be built into a router or a switch, or implemented as a separate device.
The most popular firewalls are software based, simply because the user only needs to install special software on the computer. However, it is often difficult for a company to find an unused computer (which oftentimes must meet pretty high technical criteria) to install a software firewall.
That’s why major companies prefer using dedicated security appliances. Such hardware-based firewalls mostly run Linux or FreeBSD, and have only very specific functionality.
This solution offers the following advantages:
- Easy to control: The network administrator can connect to the security appliance by using any standard network protocol (Telnet, SNMP), or a secure network protocol (SSL, SSH);
- High performance: The operating system is dedicated to performing a single function; any unnecessary services are disabled;
- Fail safety: The security appliance efficiently performs its work; the probability of failure is near zero.
A firewall does not filter any unidentified data. The user can configure actions to be performed on such data via the configuration file that defines how to handle unidentified traffic. For example, such protocols as SRTP, IPsec, SSH, and TLS encrypt traffic to conceal the content of transmitted data, and S/MIME and OpenPGP encrypt data at the application layer. A firewall also cannot filter tunneled traffic unless it knows the specific tunneling protocol.
Most of the drawbacks intrinsic to firewalls have been fixed in the solution known as Unified Threat Management (UTM), or as NextGen Firewall.
Internet access monitoring and reporting software