Overview
Firewalls are network devices and effective security controls that protect network systems and services from a range of network-based threats. A firewall controls incoming and outgoing network traffic based on configured security rules, and its primary objective is to isolate the internal network from public networks such as the Internet. Firewalls are typically placed at the boundary of an organization’s network.
Routers, multilayer (layer 3) switches, VLANs, and dedicated host devices are some of the ways to achieve network segmentation. Through these separation mechanisms we admit authorized entities to our network and block unauthorized ones. Firewalls are also used to prevent the unauthorized flow of data from one subnet to another within a network, and they are a crucial security control for connecting securely to the outside world through WANs and the Internet at large.
A firewall can be a dedicated appliance, a software component, or a hybrid of the two. Whether it is hardware- or software-based, its purpose is the same: to stop traffic from unauthorized entities. In other words, traffic entering or leaving the internal network must always pass through the firewall.
Organizations use firewalls to create boundaries between internal and external networks, as shown in the above diagram, and to create functional segments within the private network itself. The firewall then blocks or allows traffic moving across those boundaries: it scrutinizes each packet and blocks those that do not meet the defined security rules. The security rules of a firewall mostly come from access control lists (ACLs).
Characteristics of Firewalls
Firewalls are core security controls deployed primarily at the edge of corporate networks and subnets. All traffic from inside to outside, and vice versa, must pass through them; firewalls accomplish this by physically blocking all access to the network except via the firewall, and they allow only the traffic authorized by the security policies defined in the ACL. The various types of firewalls, which can implement different kinds of security policy, are discussed in the next section.
The firewall itself is not immune to security threats: it must run the latest OS version and security patches, which implies a hardened firewall system with a secured OS, plugins and APIs. Firewalls must be used in combination with other security controls in a layered fashion, and they should be deployed redundantly to avoid a single point of failure (SPOF).
Many people in organizations think a firewall alone is enough to protect enterprise networks and their data, but that is not the case. Organizations should employ a range of security controls, such as SIEM, EDR, NAC and IDS/IPS, in a defense-in-depth fashion. In addition, firewalls require configuration and human management, and security professionals must understand how to use them properly.
Egress and Ingress Traffic Monitoring
Firewalls typically provide stateful inspection of incoming (ingress) and outgoing (egress) network traffic. They may be positioned on the corporate perimeter router or at the edge of the network to monitor traffic. The expression “behind the firewall” describes traffic that flows within a subnet; firewalls do not protect against malicious activity inside the subnets.
Egress Traffic
Egress traffic is data moving out of the internal network to an external network. This movement poses grave threats to an organization if sensitive data leaves and reaches unauthorized recipients, because sensitive and proprietary data may fall into the hands of cybercriminals and competitors. The greatest risk that data egress poses to an organization is accidental or malicious insider activity. Firewalls are therefore responsible, in combination with data loss prevention (DLP), for scrutinizing each packet that leaves the organization.
Ingress Traffic
Ingress traffic is data that comes from outside networks and is destined for the internal network of an organization; more specifically, it is the traffic from the Internet into the enterprise network. Monitoring this traffic via tools such as the Simple Network Management Protocol (SNMP) plays a significant role in protecting organizations, and firewalls are among the best security controls for monitoring data in transit.
Types of Firewall
Firewalls are the first line of protection in a defense-in-depth network security architecture, and they are the most prevalent and foundational security solution used to protect information systems and networks. Firewalls generate logs and monitor the activity of every packet in the network environment, so security administrators should review and audit the firewall logs to understand the firewall's status and performance.
The types of firewalls discussed here are network firewalls. There are many other firewall types, such as web application firewalls (WAF), database firewalls, and cloud-based firewalls; these are out of scope and will be discussed in upcoming episodes.
When protecting an enterprise network, we should employ various types of firewalls at different layers of the OSI reference model. There are four basic types of firewalls:
- Static packet filtering firewalls
- Application-level firewalls
- Stateful inspection firewalls
- Circuit-level firewalls
The main differentiator between the four types of firewall is the layer of the OSI model at which each operates.
Static Packet Filtering Firewalls
A static packet filtering firewall, or screening router, is one of the earliest, fastest and simplest firewall designs, and it operates at the network layer (layer 3) of the OSI reference model. It examines each packet and checks the IP address and port number of both the source and the destination. Unlike other firewalls, however, it cannot track the connection state between packets: it quickly allows or denies each packet according to the packet type and the defined security rules, judging every packet on its own without considering any higher-layer context. If a packet violates the established rules, the firewall drops and logs it. It offers no authentication service and can be vulnerable to spoofing attacks.
Stateful Inspection Firewalls
The stateful inspection firewall (also called a dynamic packet filtering firewall) monitors and tracks the destination of each packet sent from the internal network, and it allows an incoming message only when it is a direct response to a service request sent out from the internal network. It can do this because it tracks the status of each network connection. It may also perform deep packet inspection, which analyzes the content (payload) of the packet. It operates at both the network (layer 3) and transport (layer 4) layers of the OSI model.
A stateful inspection firewall follows the state of a connection starting from the TCP three-way handshake. It keeps tracking the state of each connection and temporarily stores the connection's attributes in memory, then applies this connection information when filtering traffic against the rules: incoming packets are allowed only when they match an existing entry in the table of outbound TCP connections. It also keeps track of TCP sequence numbers, which prevents attacks that depend on the sequence number, such as IP spoofing and session hijacking.
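To make the difference between the two designs concrete, here is an added toy model written for this article (not the code of any firewall product) that places a static packet filter beside a stateful inspection filter. The ACL rules, addresses and ports are constructed: the static filter applies a classic screening-router rule that lets ACK-bearing inbound packets through as presumed replies, while the stateful filter consults its connection table instead.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str     # "egress" (leaving the internal network) or "ingress" (entering it)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN"})

# Ordered ACL; first match wins and anything unmatched is denied (default deny).
# Rule shape: (direction, destination port or None for any, required flag or None, action).
ACL = [
    ("egress", 443, None, "allow"),     # internal hosts may open HTTPS connections outward
    ("ingress", None, "ACK", "allow"),  # screening-router style: ACK-bearing packets pass as "replies"
]

def static_filter(pkt):
    """Static packet filter: decides on the header fields of this one packet only."""
    for direction, dport, flag, action in ACL:
        if pkt.direction == direction and dport in (None, pkt.dport) and (flag is None or flag in pkt.flags):
            return action
    return "deny"

class StatefulFilter:
    """Stateful inspection: an allowed outbound SYN creates a connection entry, and inbound
    packets pass only when they match the reverse of a tracked connection."""
    def __init__(self):
        self.table = set()  # entries: (internal_ip, internal_port, external_ip, external_port)
    def filter(self, pkt):
        if pkt.direction == "egress":
            verdict = static_filter(pkt)
            if verdict == "allow" and "SYN" in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # ingress: the ACK rule is not consulted; only the reply leg of a known connection passes
        return "allow" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table else "deny"

def run_scenario():
    """Constructed traffic: a real HTTPS exchange plus one unsolicited ACK-bearing packet to an unopened port."""
    out_syn = Packet("egress", "10.0.0.5", 51515, "203.0.113.10", 443, frozenset({"SYN"}))
    reply = Packet("ingress", "203.0.113.10", 443, "10.0.0.5", 51515, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("ingress", "198.51.100.7", 443, "10.0.0.5", 3389, frozenset({"ACK"}))
    sf = StatefulFilter()
    return {
        "static": [static_filter(p) for p in (out_syn, reply, unsolicited)],
        "stateful": [sf.filter(p) for p in (out_syn, reply, unsolicited)],
    }
```

The static filter passes all three packets because the third one carries the ACK flag the rule looks for, whereas the stateful filter drops it because no inside host opened that connection.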
Application-Level Firewalls
The application-level firewall is the most secure type of firewall and operates at the application layer of the OSI model. It inspects packets and network traffic more thoroughly than packet-filtering firewalls, allowing or denying incoming and outgoing traffic based on specific application types and protocols. In other words, it acts as an application proxy that separates end users from external networks, and the proxy configuration supports only specific features of the application and denies all others.
Unlike packet filtering, application-level firewalls deeply scrutinize the allowed applications and services rather than the TCP and IP attributes of packets. Because of the processing overhead incurred on each connection, this is the slowest of all firewall types.
Circuit-Level Firewalls
A circuit-level firewall is a proxy that establishes secure sessions between communicating parties. This firewall type is simple and efficient and functions at the session layer (layer 5) of the OSI model; its main task is to ensure that the TCP three-way handshake completes. It does not inspect the actual content of packets and therefore takes no action on packet contents; instead it focuses solely on establishing sessions based on IP and port rules, captive portals, and attribute-based access control (ABAC).
The circuit-level firewall verifies sessions via the deployed proxies without exposing the connection details of the internal network.
Next Generation Firewalls
The next-generation firewall (NGFW) combines multiple advanced features, including IDS/IPS, UTM, content filtering and QoS management. It operates at multiple layers of the OSI model and includes the functionality of the four traditional firewall types. It provides deep packet inspection (DPI) that goes beyond port and protocol inspection, and it offers NAT/PAT, VPN connections, routed-mode connections and anomaly prevention, to name a few capabilities.
Firewall Architectures
Depending on several factors, organizations may settle on one or more firewall architectures. These factors include the overall nature of the network, the in-house ability to configure the envisioned architecture, and the available budget. The following are the most common firewall architectures that organizations can deploy:
Multi-homed Firewalls
A multihomed host is a firewall that has two or more network interfaces, each of which establishes a logical or physical connection with a network segment. The following diagram depicts the multi-homed firewall architecture.
Bastion Host
A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. It is positioned logically behind a core network routing device or in a DMZ. The router separates the internal network from an untrusted network and logs all system activity, and the bastion host serves as a platform for application-level and circuit-level firewalls.
The bastion host runs a limited number of applications to reduce the possible impact of a compromise of the host. Most commonly, that application is a proxy server that facilitates services and encapsulates data passing through the bastion host. This arrangement allows inbound traffic to reach only the bastion host, which in turn blocks access to internal resources.
Screened Host Firewall
A screened host is a bastion host connected to the internal network, with a packet-filtering router between the external network and the bastion computer. It is a firewall architecture with three interfaces, which connect to the internal private network, the public network (Internet) and the demilitarized zone (DMZ). It combines a packet-filtering router with a separate application proxy (the bastion host).
Screened Subnet Firewall (DMZ)
This firewall architecture is the most secure and employs two firewalls or routers. It allows Internet users to access the DMZ resources and internal hosts to access the DMZ layer, while Internet hosts learn nothing about the structure of the internal private network. It adds a layer of security to the screened host architecture by adding a network that better separates the bastion host, which helps to limit a compromise of the bastion host.
The screened subnet firewall provides an additional layer of protection by establishing a new network segment (the DMZ), and the bastion host that acts as a proxy for the DMZ servers is protected by interior and exterior routers.
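The zone policy of a screened subnet, as an added toy model written for this article (not a vendor configuration); the zone names, address ranges and ports are constructed assumptions. It checks connection-initiating traffic at each router it crosses, so that neither an Internet host nor a compromised bastion host in the DMZ can initiate a connection into the internal network.

```python
import ipaddress

# Constructed address plan for the screened subnet: ranges and ports are illustrative only.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # bastion host and DMZ servers
}
# The interior router sits between the first two zones, the exterior router between the last two.
ORDER = ["internal", "dmz", "internet"]

# Flows each router permits to be initiated across it, keyed by (source zone, destination zone)
# and giving the allowed destination ports; anything not listed is dropped (default deny).
POLICY = {
    "exterior": {("internet", "dmz"): {443}, ("dmz", "internet"): {25, 443}, ("internal", "internet"): {443}},
    "interior": {("internal", "dmz"): {443}, ("internal", "internet"): {443}},
}

def zone_of(ip):
    """Classify an address as internal, dmz, or internet (anything outside ZONES)."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def routers_on_path(src_zone, dst_zone):
    """List the routers a packet crosses, in order, between two zones."""
    i, j = ORDER.index(src_zone), ORDER.index(dst_zone)
    step = 1 if j > i else -1
    crossed = []
    for k in range(i, j, step):
        pair = {ORDER[k], ORDER[k + step]}
        crossed.append("interior" if pair == {"internal", "dmz"} else "exterior")
    return crossed

def evaluate(src, dst, dport):
    """Return ("allow", routers crossed) or ("deny", router that dropped the packet)."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return ("allow", [])   # same segment: the traffic never touches a firewall
    crossed = []
    for router in routers_on_path(s, d):
        if dport not in POLICY[router].get((s, d), set()):
            return ("deny", router)
        crossed.append(router)
    return ("allow", crossed)
```

Note that a DMZ host reaching for an internal file-sharing port is stopped at the interior router even though the exterior router never sees that packet, which is the separation the second router buys.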
Demilitarized Zone (DMZ)
The demilitarized zone (DMZ) is a separate segment that contains the organization's presentation servers and is isolated from the rest of the internal network. The DMZ is a special-purpose network segment established so that unknown users can access specific organizational systems.