Security+: Technologies And Tools – Firewall
Firewalls are an integral part of most organizations’ Information Technology environments today. They control traffic that enters and leaves the network by either allowing or denying traffic and are a standard security solution for almost all organizations. This article will serve as a brief review of the firewall portion of the CompTIA Security+ certification exam.
Firewalls serve as a hardware or software component of an Information Technology environment that is deployed between a private trusted network (such as an organization’s private network) and a public untrusted network (internet). Firewalls use filters, which are simply rules, and if a traffic packet comes in that meets the criteria established in the rule, the firewall will perform an action based upon that rule. If the first rule does not trigger action, the firewall will check the packet against subsequent rules in its data set. Firewalls normally organize rules from the most detailed rules being first and the most general rules being last. Once one rule defines the action to be performed for a data packet, it will not check other rules down the priority list.
Access control lists, or ACLs, are important components to many security devices, including firewalls. ACLs allow or disallow access to specific resources. They get assigned to objects, or to a network and govern who has access to that resource. ACLs are considered the first line of defense of a firewall, and regarding placement, ACLs reside on the edge of the firewall.
On a more granular level, ACLs contain rules. The way that ACL rules are configured can determine how a firewall will act when the rule is fired off. Below is a list of the different rule formats within ACLs:
- Permission-based rules – It is common to see ALLOW/PERMIT when the traffic is allowed and DENY when the rule orders to block the incoming traffic
- Protocol – Protocol based rules, in part, look at the TCP or UDP ports especially when blocking traffic coming from them. When you want to block both TCP and UDP on a single port you should be blocking the IP instead. Also, when you want to stop ICMP pings you should be using ICMP
- Source IP Address – All internet traffic originates from a source IP address, and a firewall can use this fact to its benefit. Firewalls can block traffic from either a specific source IP address or from a range of IP addresses. Due to this flexible configuration, a user could block all IP address if they use wildcards such as ‘any’ or ‘all’, so a bit of caution and precision is required.
- Destination IP Address – Internet traffic also has a destination IP address that firewalls can use. Traffic that is identified via specific destination IP addresses can be allowed or blocked, and this extends to IP address ranges as well. Just like with source IP addresses, wildcards can be used including ‘any’ or ‘all’ which would block all IP addresses.
- Port – It is typical to see a well-known port, such as port 80, be used for HTTP. Some firewalls are configured to use keywords such as ‘gt’ for greater than, ‘lt’ for less than, and ‘eq’ for equal, so instead of your firewall using just port 80, it may have referred to as eq 80.
Application-based vs. Network-based
Application-based firewalls is a server add-on, device, system filter, or virtual service that defines a strict set for rules for a service and all its users. The intention is to be a server-side application-specific firewall to prevent application-specific payload and protocol attacks. An example of an application-based firewall is a web application-based firewall that is used to prevent SQL injection and other web application attacks.
Network firewalls are hardware, often called an appliance, that is used for general network filtering. This type of firewall serves as a general, broad traffic filter for IT network environments.
Whether an application-based or network-based firewall is appropriate for a situation is a decision that should be made on a case-by-case basis. With this said, most networks can find a use for both types of firewalls if their application server requires a firewall.
Stateful vs. Stateless
A stateful firewall keeps track of the different data streams that pass through it. As new data packets make their way through the firewall, they are passed through the filter of rules and made subject to them. Stateful firewalls use TCP three-way handshakes. Once connections are established, they are logged in the state table. This type of firewall is slower and needs more memory to function than stateless firewalls.
Conversely, stateless firewalls are best used in an internal network where threats are less common and where there are fewer restrictions to follow. Stateless firewalls do not monitor the status of connections passing through it and have no idea whether a data packet passing through are legitimate traffic or threats. Stateless firewalls are more susceptible to IP spoofing and DoS attacks than stateful firewalls. The biggest advantage of using stateless firewalls is that they are less memory hungry.
Implicit deny is the default security configuration of most firewalls. There exists a default-deny rule as an implicit rule that resides at the bottom of the list of prioritized rules that firewalls use. Unless there is an explicit allow rule that a data packet meets, it will fall under the default-deny rule and will be denied.