What is Firewall? Characteristics, Needs, Limitation and Types
A firewall forms a barrier through which the traffic going in each direction must pass. A firewall security policy dictates which traffic is authorized to pass in each direction. A firewall may be designed to operate as a filter at the level of IP packets, or it may operate at a higher protocol layer.
By the end of this article, you will be able to explain the concept of a firewall and understand why firewalls are important.
What is Firewall?
A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s security policies. At its most basic, a firewall is the barrier that sits between a private internal network and the public Internet. A firewall’s main purpose is to allow non-threatening traffic in and to keep dangerous traffic out.
Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet.
Characteristics of firewalls
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this article.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this article.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and are often required in government applications.
Need for a Firewall
Information systems in corporations, government agencies, and other organizations have undergone a steady evolution. The following are notable developments:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.
• Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe.
• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two.
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN).
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN.
Limitations of a Firewall
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.
Types of Firewalls
A firewall may act as a packet filter. It can operate as a positive filter, allowing only packets that meet specific criteria to pass, or as a negative filter, rejecting any packet that meets certain criteria. Depending on the type of firewall, it may examine one or more protocol headers in each packet, the payload of each packet, or the pattern generated by a sequence of packets. In this section, we look at the principal types of firewalls.
Packet Filtering Firewall
A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. The firewall is typically configured to filter packets going in both directions (from and to the internal network).
Filtering rules are based on information contained in a network packet:
• Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
• Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
• Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
• IP protocol field: Defines the transport protocol
• Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken.
Two default policies are possible:
• Default = discard: That which is not expressly permitted is prohibited.
• Default = forward: That which is not expressly prohibited is permitted.
Stateful Inspection Firewalls
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher-layer context. Because TCP clients use high-numbered (ephemeral) source ports, a simple packet filtering firewall must permit inbound network traffic on all of these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users.
A stateful inspection packet firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections.
Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking. Some even inspect limited amounts of application data for some well-known protocols like FTP, IM and SIPS commands, in order to identify and track related connections.
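As an added illustration (not code from the original article), the following Python models both the packet filter with its first-match rule list and default policy, and the stateful connection directory described above; the Packet, Rule and StatefulFilter names and the sample addresses are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (toward the internal network) or "out"
    proto: str              # IP protocol field: "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str             # "forward" or "discard"
    direction: str = "*"    # "*" matches anything
    proto: str = "*"
    dport_min: int = 0
    dport_max: int = 65535
    def matches(self, p):
        return (self.direction in ("*", p.direction) and self.proto in ("*", p.proto)
                and self.dport_min <= p.dport <= self.dport_max)

def stateless_filter(rules, default, p):
    """First matching rule decides; if nothing matches, the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

class StatefulFilter:
    """Keeps a directory of outbound TCP connections; inbound packets to
    high-numbered ports are forwarded only when they belong to one of them."""
    def __init__(self, rules, default="discard"):
        self.rules, self.default, self.connections = rules, default, set()
    def decide(self, p):
        if p.direction == "out" and p.proto == "tcp" and p.syn_only:
            self.connections.add((p.src, p.sport, p.dst, p.dport))
        if p.direction == "in" and p.proto == "tcp" and p.dport >= 1024:
            # a reply fits an entry when its 4-tuple is the mirror image of one
            return "forward" if (p.dst, p.dport, p.src, p.sport) in self.connections else "discard"
        return stateless_filter(self.rules, self.default, p)

# Stateless rule set (default = discard): replies to outbound client connections
# can only get back in if every high-numbered port is opened to everyone.
STATELESS_RULES = [Rule("forward", direction="out", proto="tcp"),
                   Rule("forward", direction="in", proto="tcp", dport_min=1024)]
STATEFUL_RULES = [Rule("forward", direction="out", proto="tcp")]  # directory does the rest
# Constructed sample packets: the reply to a web request, and an unsolicited probe
REPLY = Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.2", 40000)
UNSOLICITED = Packet("in", "tcp", "198.51.100.9", 4444, "192.168.1.2", 40001)
```

With the stateless rule set both packets are forwarded, while the stateful filter forwards the reply only after it has seen the matching outbound connection and keeps discarding the probe.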
Application-Level Gateway
An application-level gateway, also called an application proxy, acts as a relay of application level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features. Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.
A prime disadvantage of this type of gateway is the additional processing overhead on each connection.
In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.
Circuit-Level Gateway
A fourth type of firewall is the circuit-level gateway or circuit-level proxy. This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications.
As with an application gateway, a circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections.
In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.
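An added example, not from the original article, of the two spliced TCP connections that a circuit-level gateway sets up: the gateway decides which destinations an inner host may reach, then relays bytes in both directions without examining them (an application-level gateway would inspect the data at this same splice point). The one-line "host:port" request format, the function names and the loopback echo server standing in for the outside host are assumptions of this example.

```python
import socket
import threading
from contextlib import suppress

def _readline(sock):  # one-line "host:port" request, read byte by byte
    buf = b""
    while not buf.endswith(b"\n") and (c := sock.recv(1)):
        buf += c
    return buf.decode().strip()

def _pump(src, dst):
    """Relay bytes one way until src closes; the contents are never examined."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the end-of-stream on to the other side

def handle_client(inner, allowed):
    """The security function: only destinations in `allowed` get a circuit."""
    host, port = _readline(inner).rsplit(":", 1)
    if (host, int(port)) not in allowed:
        inner.sendall(b"DENIED\n")
        return inner.close()
    outer = socket.create_connection((host, int(port)))  # second TCP connection
    inner.sendall(b"OK\n")
    back = threading.Thread(target=_pump, args=(outer, inner))
    back.start()          # outer -> inner in that thread ...
    _pump(inner, outer)   # ... inner -> outer in this one
    back.join()
    outer.close()
    inner.close()

def listen(handler):  # accept loop on an ephemeral loopback port; returns the port
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def through_gateway(gw_port, host, port, payload):  # the inner host's client
    with socket.create_connection(("127.0.0.1", gw_port)) as s:
        s.sendall(f"{host}:{port}\n".encode())
        if _readline(s) != "OK":
            return None
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Start an echo server with `listen(lambda c: _pump(c, c))` and a gateway with `listen(lambda c: handle_client(c, {("127.0.0.1", echo_port)}))`; a request for the permitted destination comes back echoed, any other destination is refused before the outer connection is ever made.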
How firewalls work
A firewall is a necessary part of any security architecture: it takes the guesswork out of host-level protections and entrusts them to your network security device.
Firewalls, and especially Next Generation Firewalls, focus on blocking malware and application-layer attacks. Combined with an integrated intrusion prevention system (IPS), these Next Generation Firewalls can quickly and seamlessly detect and respond to outside attacks across the whole network.
They can enforce policies to better defend your network and carry out quick assessments to detect invasive or suspicious activity, such as malware, and shut it down.
Example
An example of a personal firewall is the capability built in to the Mac OS X operating system. When the user enables the personal firewall in Mac OS X, all inbound connections are denied except for those the user explicitly permits.
The list of inbound services that can be selectively re-enabled, with their port numbers, includes the following:
• Personal file sharing (548, 427)
• Windows sharing (139)
• Personal Web sharing (80, 427)
• Remote login – SSH (22)
• FTP access (20-21, 1024-64535 from 20-21)
• Remote Apple events (3031)
• Printer sharing (631, 515)
• iChat Rendezvous (5297, 5298)
• iTunes Music Sharing (3869)
• CVS (2401)
When FTP access is enabled, ports 20 and 21 on the local machine are opened for FTP; when another host connects to this computer from port 20 or 21, ports 1024 through 64535 are opened to it. For increased protection, advanced firewall features are available through easy-to-configure checkboxes.
Stealth mode hides the Mac on the Internet by dropping unsolicited communication packets, making it appear as though no Mac is present.
UDP packets can be blocked, restricting network traffic to TCP packets only for open ports. The firewall also supports logging, an important tool for checking on unwanted activity.
Conclusion
Internet connectivity is no longer optional for organizations. The information and services available are essential to the organization. Moreover, individual users within the organization want and need Internet access, and if this is not provided via their LAN, they will use dial-up capability from their PC to an Internet service provider (ISP). However, while Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets. This creates a threat to the organization.
Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet.
Frequently asked questions
What is Personal Firewall?
A personal firewall controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side. Personal firewall functionality can be used in the home environment and on corporate intranets.
Typically, the personal firewall is a software module on the personal computer. In a home environment with multiple computers connected to the Internet, firewall functionality can also be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface.
What are the benefits of a host-based firewall?
A host-based firewall is a software module used to secure an individual host. Such modules are available in many operating systems or can be provided as an add-on package. Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. A common location for such firewalls is a server.
There are several benefits to the use of a server-based or workstation-based firewall:
• Filtering rules can be tailored to the host environment. Specific corporate security policies for servers can be implemented, with different filters for servers used for different applications.
• Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.
• Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration.