What is a firewall: An overview
A typical corporate network uses a number of network devices to prevent attacks and maintain the security of the network. The firewall is one of the most important lines of defense in achieving this goal. In this article, we will look in depth at firewalls, their types and their architecture.
What is a firewall?
A firewall is a network security device placed at the perimeter of the corporate network. Its main function is to screen all packets entering, leaving and flowing within the network in order to prevent unauthorized access between two or more computers. A firewall inspects every packet and, depending on the rules configured on it, accepts, rejects or drops it. Rules are defined based on the security policy of the organization.
Accept: Allow the traffic
Reject: Block the traffic, replying with an “unreachable error”
Drop: Block the traffic silently, without sending any reply
For example, a firewall may have rules configured to allow only HTTP packets. If such a firewall receives an ICMP packet, it simply drops the packet and does not let it enter the network.
Thus, a firewall acts as a barrier between the internal networks and the outside network such as the Internet.
It is not possible to explicitly define a rule for every possible packet. For this reason, every firewall has a default policy, which is applied when no rule matches. The default policy is one of the same three actions: accept, reject or drop.
Example: If no rule is defined on the firewall for FTP connections to the server, the firewall follows the default policy defined on it. If the default policy is set to accept, any remote computer outside the network can establish an FTP connection to the server. Thus, setting the default policy to drop (or reject) is always recommended from a security point of view.
Generations of firewall
Based on the generations of firewalls that evolved and developed over time, there are many firewall types available for use. They include packet filtering firewalls, stateful inspection firewalls, application layer firewalls, next-generation firewalls, circuit-level firewalls, air gaps, etc. Not all of them are widely used, and discussing each one of them is out of scope.
The major, widely used ones are described below:
- Packet Filtering Firewall (1st generation): Packet filtering firewalls are also called stateless firewalls, since they do not maintain the state of the stream of packets flowing in and out of the network. A packet filtering firewall controls access to the network by monitoring incoming and outgoing packets and filtering them based on IP address, port and protocol. It analyses traffic at the transport layer of the OSI model and treats each packet in isolation. Since packet filtering firewalls don't maintain any state and process packets purely against the ruleset, they are fast and responsive.
- Stateful Inspection Firewall (2nd generation): Unlike packet filtering firewalls, stateful firewalls can determine which connection a packet belongs to and the state of that connection, which makes them more efficient than stateless firewalls. A stateful firewall aggregates related packets until the connection state is determined before applying any firewall rule to the traffic. Thus, in stateful firewalls, filtering decisions are based not only on the defined rules but also on the packet history collected by the firewall.
- Application Layer Firewall (3rd generation): Application layer firewalls are capable of inspecting and filtering packets at any OSI layer, up to and including the application layer. They can block specific content and recognize when certain applications and protocols (FTP, HTTP) are being misused. Thus, application layer firewalls filter packets by process instead of by port. They can allow or block traffic based on predefined rules, preventing attacks on services such as FTP, HTTP and SMTP and guarding against SQL injection, XSS, DDoS attacks etc. Application layer firewalls can also act as a Network Address Translator (NAT) and are also known as proxy-based firewalls.
- Next-Generation Firewalls (4th generation): The Next-Generation Firewall, abbreviated NGFW, is used to safeguard against modern security breaches such as advanced malware attacks and application-layer attacks. An NGFW provides deep packet inspection, SSL/SSH inspection, application inspection and other features to protect the network from modern threats.
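To make the accept/reject/drop verdicts, the default policy and the difference between the 1st and 2nd generation concrete, here is an added simulation (example code written for this article, not taken from any firewall product). It models a stateless filter that judges each packet only against its rules and default policy, and a stateful filter that also remembers connections opened from inside so that their replies are accepted. The packet and rule fields, the addresses and the policy are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                 # constructed packet model; "in" = from the Internet, "out" = leaving the LAN
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    direction: str            # "in" or "out"
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP SYN: first packet of a new connection

@dataclass(frozen=True)
class Rule:
    action: str               # "accept", "reject" or "drop"
    proto: Optional[str] = None       # None matches any value
    dport: Optional[int] = None
    direction: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.proto, p.proto), (self.dport, p.dport), (self.direction, p.direction)))

class StatelessFirewall:
    """1st generation: each packet is judged in isolation; the first matching rule wins."""
    def __init__(self, rules, default="drop"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default   # no rule matched: the default policy applies

class StatefulFirewall(StatelessFirewall):
    """2nd generation: remembers connections opened from inside, so their replies
    are accepted without needing an explicit inbound rule."""
    def __init__(self, rules, default="drop"):
        super().__init__(rules, default)
        self.connections = set()   # (internal host, external host, proto, external port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.dst, p.src, p.proto, p.sport) in self.connections:
            return "accept"        # reply belonging to a known connection
        verdict = super().decide(p)
        if verdict == "accept" and p.direction == "out" and p.proto == "tcp" and p.syn:
            self.connections.add((p.src, p.dst, p.proto, p.dport))
        return verdict

# Constructed policy: allow inbound HTTP, reject ICMP, let internal hosts open outbound connections.
RULES = [Rule("accept", proto="tcp", dport=80, direction="in"), Rule("reject", proto="icmp"),
         Rule("accept", direction="out")]
```

With the default policy left at drop, an inbound FTP packet (no matching rule) is dropped by both firewalls; only the stateful one accepts the reply to a connection an internal host opened.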
Independently of generation, firewalls come in two forms depending on where they are deployed:
- Network-based firewall: These firewalls operate at the network level. A network-based firewall handles all packets coming into and going out of the network and filters traffic based on the rules configured on it.
- Host-based firewall: Host-based firewalls are installed on an individual computer. Such a firewall filters all the traffic of that single system, unlike network-based firewalls, which protect the whole network. These are software firewalls, which usually ship as part of the operating system.
Firewall tools and software
Now that we have a good understanding of firewalls, the following are common software packages that help configure firewalls effectively. Explaining and configuring firewall rules in these tools is out of scope for this article:
- iptables: The standard firewall for Linux systems, now being replaced by nftables.
- UFW: Uncomplicated Firewall. It is a simplified front end to iptables.
- Fail2ban: Fail2ban is IPS software that can automatically configure a firewall to block brute-force attempts and DDoS attacks.
- firewalld: A complete firewall solution for CentOS 7 servers.
Some of the popular techniques and tactics used to identify firewalls are:
- Port scanning: Attackers use this technique to check which ports are open on a target. Nmap is a widely used port-scanning tool.
- Firewalking: This technique uses traceroute-style probing to analyze how IP packets are handled and to map networks.
- Banner grabbing: This technique lets an attacker identify the type of operating system and services running on a target computer. It works through a firewall because it uses what look like legitimate connections.