A firewall in its simplest form is a boundary guard between two networks, usually an internal private network and the Internet. Its main purpose is to protect a trusted network from untrusted parties outside it that could access or tamper with internal information and resources. Firewalls can be implemented in hardware, in software, or as a combination of both. Firewalls are not just filters; they are also gateways and chokepoints through which all traffic between the two networks must pass.

A firewall should provide the following key features and characteristics.

  • Monitor all incoming and outgoing traffic:  All traffic from inside the network to the outside, and vice versa, should pass through the firewall. This is achieved by blocking every path into the local network except the one through the firewall; a host with a second, unfiltered connection to the outside bypasses the firewall entirely.
  • Source- or destination-based blocking: The firewall blocks unwanted traffic from a specific source or to a specific destination. An example is blocking all incoming port 80 requests to every server except the web server.
  • Outgoing network traffic blocking: A firewall should let the system administrator block outgoing requests to websites that the company’s security policy considers harmful. Blocking outbound connections to known phishing or malware domains limits the damage when a user follows a malicious link.
  • Content filtering: Analysis of the traffic content can detect virus signatures and other common threats. Content inspection only works on traffic the firewall can read; encrypted traffic must be terminated at the firewall or inspected on the endpoint.
  • Support for Virtual Private Network (VPN) connections:  VPNs allow secure connections from the Internet into a corporate network. Firewalls can terminate site-to-site and remote-access VPNs to securely connect an organization’s sites and remote users.
  • Immunity to penetration: The firewall itself must resist compromise and remain stable under attack. This implies a hardened, trusted operating system with no unnecessary services exposed, because a compromised firewall gives an attacker the best vantage point into the network.

Firewall classification

Firewalls can be broadly classified into different types based on factors such as:

  • The type of protection offered
    •  Host-based firewalls (personal firewalls)
    •  Network-based firewalls (enterprise firewalls)
  • Implementation
    •  Hardware firewalls
    •  Software firewalls
  • Protection methodology
    •  Packet filter
    •  Stateful packet inspection
    •  Connection filter
    •  Application proxy filter

Classification based on type of protection offered:

The kind of firewall installed for a large organization differs from one installed on a user’s desktop.

  • Host-based firewall: A personal firewall is usually a software application installed on a single host that protects only that computer. Host-based firewalls can also be separate hardware components or be built into other network devices. A host-based firewall typically does not provide extensive reporting and management features, and malware running with administrative rights on the same host can disable it.
  • Network firewall: Network firewalls screen traffic for many hosts at once. They provide extensive reporting and management features and allow multiple firewalls to be configured in a single step.

Classification based on implementation

  • Hardware firewalls: An integrated appliance with firewall software pre-installed on its own operating system is called a hardware firewall. Hardware firewalls can be built on dedicated general-purpose computers with hard disks or on solid-state application-specific integrated circuit (ASIC) devices. ASIC firewalls generally perform faster, while a hard disk is a potential single point of failure.
  • Software firewalls: Firewall applications installed on the user’s operating system are called software firewalls. A software firewall can be implemented either as a packet filter or as a process filter, which permits or denies network access per application. Process filters can be tricked: malicious code that injects into, or impersonates, a trusted process inherits that process’s permission to reach the network.

Classification based on technical methodology

  • Static packet filter: The static packet filter reads the source and destination IP addresses from the network header and the source and destination port numbers from the transport header, and determines the packet’s protocol. Using this information it decides, according to the firewall’s rules, whether to permit the packet into the network or to discard it at the point of entry. The filter denies packets that a rule explicitly denies, allows packets that a rule explicitly allows, and drops everything else (default deny). Static packet filters are traditionally stateless: they do not track connection sessions, so they cannot tell a reply belonging to an existing connection from an unsolicited packet, and to admit return traffic they must rely on weak signals such as the ACK flag, which an attacker can set on any packet. Protected networks also remain susceptible to ping floods and other Denial of Service (DoS) attacks.
  • Stateful packet inspection: The packet filter examines the same network and transport header fields as the static packet filter, and in addition tracks state by maintaining a table of connection streams. This table is called the “Connection Bypass table”.  All packets sharing the same monitored network and transport header values form one connection stream, and every arriving packet is matched to a stream. A packet belonging to a stream already in the table is allowed without further rule evaluation; a packet on an unknown stream is checked against the firewall rules and admitted only if it passes. The filter therefore distinguishes a new connection from an established one, and a reply to an internal client’s request is accepted without a rule that would also admit unsolicited inbound packets. Table entries must be expired (on FIN/RST or by timeout), or an attacker can fill the table with half-open connections.
  • Connection filter: The connection filter maintains a Connection Verification table that records the sequence of TCP flags seen on each connection. It verifies that the TCP handshake is valid by checking that the flags arrive in the expected order (SYN, then SYN-ACK, then ACK) and rejects packets whose flags do not fit the connection’s current state.
  • Application proxy filter: The application proxy examines the source and destination IP addresses in the network header, the source and destination port numbers in the transport header, and the header of the application protocol itself (HTTP, Telnet, etc.).  It terminates the client connection on the firewall and reconstructs the request before opening its own connection to the internal host, so malformed packets and fragmentation tricks never reach the target. This reconstruction at the application layer carries a performance penalty and increases the application’s latency, and a separate proxy is needed for each protocol the firewall must understand.
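The stateless, stateful and connection-filter behaviour described above, as an added example that is not the article’s own code and not taken from any firewall product: a Python simulation with a static rule matcher (first match wins, default deny), a connection table keyed on the ordered 5-tuple, and TCP handshake tracking that only lets a bare SYN open a flow. The rule set, addresses and packets are constructed for the demonstration; the rule set reproduces the earlier example of allowing port 80 only to the web server (10.0.0.80 here).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP header flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    flags: int = 0      # TCP flag bits; 0 for non-TCP

@dataclass
class Rule:
    """One static filter rule; a None field matches any value."""
    action: str         # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, field)
                   for field, want in (("proto", self.proto), ("src", self.src),
                                       ("dst", self.dst), ("dport", self.dport)))

def static_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless packet filter: first matching rule wins; unknown traffic is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFilter:
    """Static rules plus a connection table that tracks the TCP three-way handshake."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conns: Dict[Tuple, Tuple[str, str]] = {}   # flow key -> (state, initiator)

    @staticmethod
    def key(p: Packet) -> Tuple:
        # order the endpoints so both directions of a flow share one table entry
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def inspect(self, p: Packet) -> str:
        k = self.key(p)
        entry = self.conns.get(k)
        if p.proto != "tcp":
            # No handshake for UDP/ICMP: the first packet must pass the rules,
            # after which replies on the same 5-tuple count as established.
            if entry is None:
                if static_filter(self.rules, p) != "allow":
                    return "deny"
                self.conns[k] = ("ESTABLISHED", p.src)
            return "allow"
        if entry is None:
            # Only a bare SYN may open a TCP flow, and only if a rule permits it. A stray
            # ACK on an unknown flow is dropped instead of passing as "established".
            if p.flags != SYN or static_filter(self.rules, p) != "allow":
                return "deny"
            self.conns[k] = ("SYN_SENT", p.src)
            return "allow"
        state, initiator = entry
        if state == "SYN_SENT" and p.flags == (SYN | ACK) and p.src != initiator:
            self.conns[k] = ("SYN_RECV", initiator)
            return "allow"
        if state == "SYN_RECV" and p.flags == ACK and p.src == initiator:
            self.conns[k] = ("ESTABLISHED", initiator)
            return "allow"
        if state == "ESTABLISHED":
            if p.flags & (FIN | RST):
                del self.conns[k]       # teardown: forget the flow
            return "allow"
        return "deny"                   # flags do not fit the flow's current state

def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed packets (not captured traffic) run through both filters."""
    rules = [Rule("allow", proto="tcp", dst="10.0.0.80", dport=80)]   # port 80 only to the web server
    fw = StatefulFilter(rules)
    client, web, other = "203.0.113.9", "10.0.0.80", "10.0.0.5"
    steps = [
        ("syn-to-web", Packet(client, 40001, web, 80, "tcp", SYN)),
        ("syn-to-other-host", Packet(client, 40002, other, 80, "tcp", SYN)),
        ("spoofed-ack-probe", Packet("198.51.100.7", 5555, web, 80, "tcp", ACK)),
        ("syn-ack-from-web", Packet(web, 80, client, 40001, "tcp", SYN | ACK)),
        ("ack-from-client", Packet(client, 40001, web, 80, "tcp", ACK)),
        ("data-from-web", Packet(web, 80, client, 40001, "tcp", ACK)),
        ("rst-from-web", Packet(web, 80, client, 40001, "tcp", RST | ACK)),
        ("ack-after-close", Packet(client, 40001, web, 80, "tcp", ACK)),
    ]
    return [(name, fw.inspect(p), static_filter(rules, p)) for name, p in steps]
```

Running `run_demo()` shows the difference the text describes: the stateless filter admits the spoofed ACK probe and the ACK sent after the connection was reset, because a rule on header fields alone cannot see connection state, yet it rejects the web server’s own SYN-ACK and data replies, which a stateless deployment would have to fix with a blanket “allow inbound ACK” rule. The stateful filter accepts the replies because the flow is in its table and drops both stray ACKs. A production stateful firewall additionally checks sequence numbers and expires idle entries; this toy does neither.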

Key Functions of the Firewall Include:

  • Content Filtering and Scanning
  • Network Address Translation
  • Network Traffic Filtering
  • Acceptable Use Monitoring

Key Firewall Requirements Include:

Operations requirements

  • Blocks unwanted incoming/outgoing traffic between selected end points
  • Enables scanning for virus signatures and other common threats
  • Provides granular policy definitions to develop specific security policies by user, group, content, or bandwidth
  • Supports seamless and agentless integration with the approved standard directory services
  • Supports the common routing protocols: BGP, OSPF, EIGRP and IGRP
  • Provides an intuitive working user interface to ensure that staff can be trained in operating the system
  • Supports application level backups using the vendor provided tools that can be scheduled on a regular basis

Performance and capacity requirements

  • Supports the peak traffic/number of simultaneous connections/connection rate that is expected.
  • Supports any load from the variously defined user communities
  • Supports communications from multiple time zones
  • Synchronizes with the approved trusted time source

Availability requirements

  • Provides 99.999% availability
  • Utilizes local and global replication features to support performance, failover and high availability

Reliability requirements

  • Meets any applicable service continuity requirements
  • Detects and notifies when event data is corrupted
  • Fails elegantly without taking any other infrastructure component or node down with it
  • Provides disaster recovery and failover options

Monitoring and notifications requirements

  • Can be monitored using the approved system management capability
  • Aligns with the security and network management program

IPS (Purpose / Definition)

An Intrusion Prevention System (IPS) is a system with all the capabilities of an Intrusion Detection System (IDS) that can also attempt to stop incidents according to the actions configured. The IPS extends the IDS function by detecting potential threats and invoking actions to mitigate the risk. An IPS is designed to sit inline, so traffic passes through it and can be dropped; whether traffic is blocked or bypasses the device when the IPS itself fails depends on whether it is configured to fail closed or fail open. An IDS, by contrast, is a passive device that receives a copy of the traffic (from a SPAN port or network tap, with its interface in promiscuous mode) and lets the original traffic pass untouched.

There are many types of IPS technologies, differentiated primarily by the kinds of events they can identify and the methodologies they use to identify incidents. In addition to monitoring and analyzing events to recognize unwanted activity, all types of IPS technologies typically perform the following:

  • Tracking and recording information associated with observed events – Information is generally recorded locally, and may also be sent to separate systems such as a security information and event management (SIEM) system, centralized logging servers, and other enterprise management systems.
  • Alerting and notifying security administrators of significant observed events – These notifications, called alerts in most products, can be delivered through several methods, including but not restricted to SMS messages, syslog messages, e-mails, messages on the IDS user interface, SNMP (Simple Network Management Protocol) traps, and user-defined programs and scripts. A notification message typically includes only basic information about an event; administrators need to access the IDPS (intrusion detection and prevention system) for additional information.
  • Producing reports – Reports summarize the monitored events or provide details on particular events of interest.

Some IPSs are also able to change their security profile when a new threat is detected. For example, an IPS might collect more detailed information for a particular session after malicious activity is detected within that session, or alter the thresholds at which certain alerts are triggered and the priority assigned to subsequent alerts once a specific threat has been seen.

IPS technologies are differentiated from IDS technologies primarily by one characteristic: an IPS can respond to a detected threat by attempting to prevent it from succeeding. IPSs use numerous response techniques, which fall into the following groups:

  • The IPS stops the attack itself – Examples of how this can be done:
    • Terminate the network connection or user session being used for the attack in real time
    • Block access to the target (and possibly other likely targets) from the offending user account, IP address, or other attacker attribute
    • Block all access to the targeted host, service, application, or other resource
  • The IPS modifies the security environment – The IPS can alter the configuration of other security controls to disrupt an attack, for example reconfiguring a network device (firewall, router, switch) to block access, or changing a host-based firewall configuration on the target to block incoming attacks.
  • The IPS changes the attack’s content – Some IPS technologies can remove or replace malicious portions of an attack to make it benign, as when an IPS strips an infected file attachment from an e-mail and then lets the cleaned e-mail reach its recipient. Some IPSs act as a proxy and normalize incoming requests: the proxy repackages the request payload and discards the original header information, so attacks that depend on malformed or ambiguous headers are thrown out as part of the normalization.
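The response groups above (stopping the attack by dropping the request and shunning the source, and changing the content by proxy-style normalization), together with the alert logging the requirements list below asks for, as an added example that is not the article’s own code and not a vendor implementation: a toy inline IPS over HTTP request text. The two signatures, the allowed-header list, the sensor name, the addresses and the requests are all constructed for the demonstration; a real IPS would load a signature feed and act on packets rather than strings. The clock is injectable so the block expiry can be exercised without sleeping.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote

@dataclass
class Event:
    """Alert record carrying the fields an IPS is expected to log."""
    ts: float
    sensor: str
    signature: str
    src: str
    dst: str
    action: str
    detail: str

# Constructed signatures for this demo; a real IPS loads a maintained feed
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]
# Headers the proxy is willing to forward; everything else is discarded
SAFE_HEADERS = {"host", "user-agent", "accept", "content-type", "content-length"}

class InlineIPS:
    def __init__(self, sensor: str = "dmz-ips-1", block_seconds: int = 600,
                 now: Callable[[], float] = time.time) -> None:
        self.sensor = sensor
        self.block_seconds = block_seconds
        self.now = now                        # injectable clock for deterministic runs
        self.blocked: Dict[str, float] = {}   # shunned source -> block expiry
        self.events: List[Event] = []

    def _log(self, signature: str, src: str, dst: str, action: str, detail: str) -> None:
        self.events.append(Event(self.now(), self.sensor, signature, src, dst, action, detail))

    @staticmethod
    def _parse(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
        head = raw.split("\r\n\r\n", 1)[0]
        lines = head.split("\r\n")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        return lines[0], headers

    @staticmethod
    def _rebuild(request_line: str, headers: List[Tuple[str, str]]) -> str:
        # Proxy normalization: re-emit only the first copy of each allowed header,
        # so duplicate or unknown headers never reach the protected server.
        seen, kept = set(), []
        for name, value in headers:
            if name in SAFE_HEADERS and name not in seen:
                seen.add(name)
                kept.append(f"{name.title()}: {value}\r\n")
        return request_line + "\r\n" + "".join(kept) + "\r\n"

    def handle(self, src: str, dst: str, raw: str) -> Tuple[str, Optional[str]]:
        """Inspect one request; return ("forward", rebuilt_request) or ("drop", None)."""
        t = self.now()
        expiry = self.blocked.get(src)
        if expiry is not None:
            if t < expiry:
                self._log("blocked-source", src, dst, "drop", "source is shunned")
                return "drop", None
            del self.blocked[src]             # block has expired
        request_line, headers = self._parse(raw)
        # Decode percent-encoding before matching so "%2e%2e/" cannot evade "../"
        decoded = unquote(request_line)
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                # Response: drop the request and shun the source for block_seconds
                self.blocked[src] = t + self.block_seconds
                self._log(name, src, dst, "drop+block", decoded)
                return "drop", None
        rebuilt = self._rebuild(request_line, headers)
        if rebuilt != raw:
            self._log("normalized", src, dst, "forward", "non-standard headers removed")
        return "forward", rebuilt

def run_demo() -> Tuple[List[Tuple[str, Optional[str]]], List[Tuple[str, str]]]:
    """Run constructed requests (not captured traffic) through the IPS."""
    clock = [1_700_000_000.0]                 # fake clock: one second per request
    ips = InlineIPS(now=lambda: clock[0], block_seconds=600)
    server = "10.0.0.80"
    requests = [
        ("203.0.113.9", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Debug: 1\r\n\r\n"),
        ("198.51.100.7", "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        ("198.51.100.7", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        ("203.0.113.9", "GET /login?user=a'%20OR%20'1'%3D'1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ]
    decisions = []
    for src, raw in requests:
        decisions.append(ips.handle(src, server, raw))
        clock[0] += 1
    clock[0] += 700                            # let the shun on 198.51.100.7 expire
    decisions.append(ips.handle("198.51.100.7", server, requests[2][1]))
    return decisions, [(e.signature, e.action) for e in ips.events]
```

In `run_demo()` the first request is forwarded with its unknown `X-Debug` header stripped, the encoded traversal attempt is dropped and its source shunned, the same source’s harmless follow-up request is dropped while the shun lasts, the tautology injection is dropped, and after the shun expires the source is served again. The event list is what a SIEM would receive; note that the second request from the shunned source is logged as a block, not as an attack, so an analyst can tell detection from enforcement.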

Key IPS Requirements Include:

Operations requirements

  • Supports processes and features for labeling custom checks, attack vectors, or other controlled events (e.g. through a vulnerability description language)
  • Provides the capability of declining updates (or rolling the system back to its previous state)
  • Supports false negative notification (e.g. notifying the IDS operator that the system cannot handle the current workload and is starting to miss events)
  • Processes fragmented packets
  • Supports additional customization of each signature according to specific user requirements (e.g. to reduce false positives)
  • Notifies personnel when the IDS detects an attack, misuse, or other anomaly, including sending a notification to the system’s central console and registering events in the event database, a syslog server, etc.
  • Logs the type of event, the date and time of detection, the sensor that detected the event, the source and destination addresses related to the event, and the detailed content of all data fields related to the event
  • Provides an event tracing mechanism that can replay all events in exactly the sequence and at the same speed at which the intruder was operating
  • Supports remote management of an unlimited number of sensors
  • Supports a hierarchical management, allowing the system to switch between two consoles automatically, without user intervention
  • Supports group operations (e.g. Updating the attack signature database, applying templates, and starting and stopping groups of sensors)
  • Provides the ability to specify priorities for detected attacks and vulnerabilities both statically and dynamically
  • Provides a comprehensive report generating mechanism (e.g. reports at various levels of detail, information on the identified attack along with the operating systems and applications vulnerable to it, cases of false positives, methods of elimination, etc.)
  • Supports prevention mechanisms including closing the network connection to the attacking host, blocking the intruder’s user account, reconfiguring network equipment and security tools, automatic elimination of the vulnerability, etc.
  • Protects against rogue access points
  • Provides an intuitive working user interface to ensure that staff can be trained in operating the system
  • Supports application level backups using the vendor provided tools that can be scheduled on a regular basis

Performance and capacity requirements

  • Supports the peak number of simultaneous connections, traffic volume and connection rate expected. The number of packets this node must handle should be computed at the protocol level, not at the business-function or user-activity level
  • Supports any load from the variously defined user communities
  • Supports communications from multiple time zones
  • Synchronizes with the approved trusted time source

Availability requirements

  • Provides 99.999% availability
  • Utilizes local and global replication features to support performance, failover and high availability

Reliability requirements

  • Meets any applicable service continuity requirements
  • Detects and notifies when event data is corrupted
  • Fails elegantly without taking any other infrastructure component or node down with it

Maintainability requirements

  • Provides updates to the signature database
  • Uses industry standard repositories to store output data that support local and geographic failover

Monitoring and notifications requirements

  • Can be monitored using the approved system management capability
  • Aligns with the security and network management program

Conclusion

From a CISSP perspective, perimeter defense techniques are a crucial technical element, and technologies such as IPSs and firewalls are among the areas assessed in most depth. After reading this article, readers should be able to answer the following questions:

  1. Why are such technologies used?
  2. What capabilities do these technologies provide?
  3. How do they differ from each other, and which is appropriate in which environment?

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

