Firewall Basics
by stevecronin

Firewall - Customizable security system to prevent unauthorized access to a network and/ or a system monitor that logs incoming and outgoing information on a network. Firewalls act like a traffic barrier.

|YOUR NETWORK| - |FIREWALL| - |INTERNET|

Firewalls work on different layers of the OSI model, depending on the type.

-Network/ Transport Firewall
-Application Firewall
-Combination Firewall
-Personal Firewall

Network/ Transport Firewall

A Network/ Transport firewall, when using Packet Filtering at the network and transport layers, looks at the header of each incoming/ outgoing packet to decide whether to allow the packet to be transmitted or to discard it. The firewall's decision is based on a preconfigured set of rules put in place by the manufacturer (Default Rules) or the user (Customized Rules). Rules can be customized based on Network/ Transport layer fields (such as IP addresses and ports). Packet Filtering looks for suspicious packets that aren't coming from a valid IP address or aren't using the proper port. It is the fastest of the packet screening methods because the scanning is done at the lower/ mid levels of the OSI model. A Network/ Transport firewall using Packet Filtering contains logging capabilities.

|YOUR NETWORK| - |OUTGOING PACKET| - |FIREWALL| - |OUTGOING PACKET| - |INTERNET|
|YOUR NETWORK| - |INCOMING PACKET| - |FIREWALL| - |INCOMING PACKET| - |INTERNET|

Packet filtering firewalls are prone to the following attacks:

-IP Spoofing
Sending data from a spoofed (faked) address so the firewall sees your machine as a trusted one.

-Buffer overruns
These occur when a program connected to the internet receives data from a remote host into a buffer without checking whether the data exceeds the amount of space allotted to that buffer. The excess data allows a hacker to input/ execute malicious code to tamper with or gain access to your machine.

-ICMP (Internet Control Message Protocol) tunneling
Hiding data in a valid ICMP packet.

A Network/ Transport firewall, when using Stateful Packet Inspection, scans the packet header information to make sure that the packet belongs to a legitimate connection and that the protocols are working the way they are supposed to. The difference from Packet Filtering is that Stateful Packet Inspection looks at the packet header at the Network, Transport, Session, Presentation, and Application layers of the OSI model. Also, not only can the rules be customized based on IP addresses, protocols, and ports, but the Connection State can be regulated as well, which is what allows stateful packet inspection to protect against unauthorized access. Stateful packet inspection is also able to recognize protocols in the packet header, because the scanning takes place up to the application layer. A Network/ Transport firewall using Stateful Packet Inspection contains logging capabilities.
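The two paragraphs above describe the same rule set used in two ways: a packet filter that judges every packet on its header alone, and stateful inspection that also remembers which connections it has already accepted and checks that the protocol is behaving. The following Python is an added example written for this page (not code from the author or from any firewall product). It builds a tiny rule engine of both kinds and runs a constructed packet stream through each, so the difference is visible: the plain filter has no way to let the reply to an outbound connection back in without a loose inbound rule, while the stateful engine allows the reply, refuses an unsolicited SYN/ACK, and still applies the anti-spoofing rule. All addresses (192.168.1.0/24 as "your network", 203.0.113.x and 198.51.100.x as the Internet side), ports and rule contents are made up for the demonstration.

```python
"""Added example: a stateless packet filter beside a stateful inspection engine.
Constructed scenario: protected network 192.168.1.0/24, one web server at 192.168.1.10.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = arriving from the Internet, "out" = leaving our network
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Only header fields are consulted: direction, protocol, addresses, destination port.
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set; first match wins, the last rule is the default deny.
RULES: List[Rule] = [
    Rule("deny", "in", src="192.168.1.0/24"),                           # anti-spoofing
    Rule("allow", "in", proto="tcp", dst="192.168.1.10/32", dport=80),  # public web server
    Rule("allow", "out"),                                               # anything outbound
    Rule("deny"),
]


def stateless_decision(p: Packet, rules: List[Rule] = RULES) -> str:
    """Packet filtering: each packet is judged on its own header; nothing is remembered."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


ConnKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFirewall:
    """Stateful inspection: the same rules plus a connection table and a TCP sanity check."""

    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = rules
        self.table: Dict[ConnKey, str] = {}   # connection key -> direction that opened it
        self.log: List[str] = []              # the logging capability the text mentions

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> ConnKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _record(self, p: Packet, action: str, reason: str) -> str:
        self.log.append(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {action} ({reason})")
        return action

    def inspect(self, p: Packet) -> str:
        # 1. Traffic of a connection we already accepted is allowed in either direction.
        if self._key(p) in self.table or self._reverse_key(p) in self.table:
            return self._record(p, "allow", "established")
        # 2. A new TCP connection must start with a bare SYN; other flags with no state are bogus.
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return self._record(p, "deny", "no matching connection state")
        # 3. Otherwise consult the rule set, and remember the connections we open.
        action = stateless_decision(p, self.rules)
        if action == "allow":
            self.table[self._key(p)] = p.direction
        return self._record(p, action, "rule")


# Constructed packet stream (addresses and ports are made up).
SCENARIO: List[Packet] = [
    Packet("out", "tcp", "192.168.1.20", "203.0.113.5", 40000, 443, frozenset({"SYN"})),        # client opens HTTPS
    Packet("in", "tcp", "203.0.113.5", "192.168.1.20", 443, 40000, frozenset({"SYN", "ACK"})),  # the legitimate reply
    Packet("in", "tcp", "203.0.113.9", "192.168.1.20", 443, 40000, frozenset({"SYN", "ACK"})),  # unsolicited SYN/ACK
    Packet("in", "tcp", "192.168.1.50", "192.168.1.10", 5555, 80, frozenset({"SYN"})),          # spoofed internal source
    Packet("in", "tcp", "198.51.100.7", "192.168.1.10", 33000, 80, frozenset({"SYN"})),         # visitor to web server
    Packet("in", "tcp", "198.51.100.7", "192.168.1.10", 33000, 80, frozenset({"ACK"})),         # its follow-up segment
]


def run_scenario() -> Dict[str, List[str]]:
    """Return each engine's verdict for every packet in SCENARIO, in order."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_decision(p) for p in SCENARIO],
        "stateful": [fw.inspect(p) for p in SCENARIO],
    }
```

Running `run_scenario()` gives `allow, deny, deny, deny, allow, allow` for the packet filter and `allow, allow, deny, deny, allow, allow` for stateful inspection: the second packet (the reply to our own outbound connection) is the one only the stateful engine gets right, and the third (a SYN/ACK nobody asked for) is refused because no connection state exists for it, not because a rule had to be written for it.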

Application Firewall

An application firewall works at the application layer of the OSI model. It acts like a proxy and breaks the client/ server model, thus hiding your network from others.

When a machine from another network, or a machine connected to you by the Internet, sends a request to yours, a connection is made with the application firewall. The application firewall then rebuilds the request to send to your machine. When your machine responds to the sending machine, it sends its response to the application firewall, which then rebuilds the response to transfer to the sending machine.

|YOUR NETWORK| <----> |APPLICATION FIREWALL| |INTERNET|
|YOUR NETWORK| |APPLICATION FIREWALL| <----> |INTERNET|

Because Application firewalls work only at the application layer, they are able to focus their scanning. An Application firewall can identify text, graphics, source code, etc. Having a more in-depth look into packets provides better security because the content removal decision is more precise. Having this type of firewall in place, however, significantly reduces network performance. Because all incoming/ outgoing traffic is scanned at the application layer, inspection takes longer and needs more processing power, so the firewall can become a network bottleneck.
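The proxy behaviour described above (the firewall rebuilds the request before it reaches your machine, and rebuilds the response before it goes back out) and the content-level decision it can make are shown below in an added Python example written for this page; it is not code from the author or from any product. It works on raw HTTP messages held in memory rather than on sockets, so it runs offline. The internal server address 192.168.1.10:8080, the permitted methods, the allowed response content types and the header names stripped in each direction are all assumptions chosen for the demonstration.

```python
"""Added example: an application-layer (proxy) firewall in miniature for HTTP.
Requests and responses are parsed and rebuilt, never copied through; names below are constructed.
"""
from typing import Dict, Tuple

INTERNAL_SERVER = ("192.168.1.10", 8080)   # constructed: the machine being hidden behind the firewall
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_RESPONSE_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg"}
# Headers that identify the internal host or only make sense for one hop; never copied through.
STRIP_REQUEST_HEADERS = {"connection", "proxy-connection", "x-forwarded-for", "via", "forwarded"}
STRIP_RESPONSE_HEADERS = {"server", "x-powered-by", "connection", "via"}


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def serialize(start: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Emit a fresh message from the parts the firewall decided to keep."""
    head = start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


def rebuild_request(raw: bytes) -> bytes:
    """Rebuild an inbound request so the internal server only ever sees the firewall's version."""
    start, headers, body = parse_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        raise PermissionError(f"method {method} not permitted")
    if not target.startswith("/") or ".." in target:
        raise PermissionError(f"request target {target!r} rejected")
    if body and int(headers.get("content-length", "0")) != len(body):
        raise ValueError("content-length does not match body")
    kept = {k: v for k, v in headers.items() if k not in STRIP_REQUEST_HEADERS}
    kept["host"] = f"{INTERNAL_SERVER[0]}:{INTERNAL_SERVER[1]}"   # firewall owns the inner connection
    kept["connection"] = "close"
    return serialize(f"{method} {target} HTTP/1.1", kept, body)


def rebuild_response(raw: bytes) -> bytes:
    """Rebuild the server's response; disallowed content is removed rather than forwarded."""
    start, headers, body = parse_message(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if body and ctype not in ALLOWED_RESPONSE_TYPES:
        # The content removal decision: substitute a fixed message for the disallowed body.
        start = "HTTP/1.1 403 Forbidden"
        headers = {"content-type": "text/plain"}
        body = b"content removed by application firewall\n"
    kept = {k: v for k, v in headers.items() if k not in STRIP_RESPONSE_HEADERS}
    kept["content-length"] = str(len(body))
    kept["via"] = "1.1 appfw"     # the outside world sees the firewall, not the server software
    return serialize(start, kept, body)
```

Because the message is re-serialized from parsed fields, anything the parser did not understand or the policy did not keep simply never reaches the other side; that is the "breaks the client/ server model" property, and also where the extra processing cost described above comes from, since every byte is parsed twice.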

Application Firewalls are prone to the following attacks:

-Denial of Service (DDoS)
Forcing too much data on the firewall to render it inactive.

Combination Firewall

Combination firewalls combine specific features (chosen by vendor) of Network/ Transport firewall and Application firewall to fit specific needs.

Personal Firewall

A Personal Firewall is not a firewall by the definition above (a customizable security system to prevent unauthorized access to a network and/ or a system monitor that logs incoming and outgoing information on a network); however, they are marketed as one.

Personal Firewalls protect singular devices, such as a single computer, from unauthorized access. They do not protect an entire network.

It is important to understand that a firewall is not the one and only security solution for your network; it is a security addition. Your network still has to be locked down by following the proper security procedures for your OS and any other software, and keeping all of them updated is crucial. Coding mistakes in programs are often used to make a program do something it is not supposed to. Once an exploit is found, anybody who has that information can easily gain access to your system. This is why it is always important to update when a software company releases a new patch fixing these exploits. A firewall will not protect you from them.

Firewall topology is also important; an incorrect setup could leave some devices on your network unsecured.


Host Firewall Topology

This firewall topology has a computer with an installed firewall managing your network. All incoming/ outgoing traffic is redirected to pass through that machine.

|YOUR NETWORK| - |HUB| - |ROUTER| - |INTERNET|

|Host Firewall|

DMZ Topology

This topology allows a section of your network to have specific services open that you would not want open on your main network. This can be useful for allowing a group of machines to host certain content on the Internet, or to run servers (for example: Counter-Strike/ Warcraft/ Starcraft servers). This topology can also be used as a front for a network that doesn't want to be seen.

|WEB SERVER|

|YOUR NETWORK|ROUTER|UNPROTECTED NETWORK|ROUTER|INTERNET|

|FIREWALL|

Physical Firewall Topology

A separate firewall unit that is placed physically (not logically) in your network.

|YOUR NETWORK| - |PHYSICAL FIREWALL| - |INTERNET|


CISCO PIX Firewalls Overall Features

-OSPF (Open Shortest Path First Dynamic Routing)
-NAT (Network Address Translation)
-PAT (Port Address Translation)
-Content Filtering
-URL Filtering
-Advanced Authentication
-Advanced Authorization
-Accounting Integration (RADIUS/TACACS+)
-DHCP (Dynamic Host Configuration Protocol) Client
-DHCP Server
-DHCP Relay (Device that connects two or more networks, such as a bridge.)
-PPPoE (Point to Point Protocol over Ethernet)
-VPN (Virtual Private Network) Support
-Tunneling (Secure line from Network to Network over the Internet)
-Layer Two Tunneling
-PPTP (Point to Point Tunneling Protocol)
-Configurable 56 bit DES (Data Encryption Standard), 168 bit 3DES (Triple Data Encryption Standard), and 256 bit AES Encryption (Advanced Encryption Standard).
-DDoS Attack Prevention

High End/ Low End Scale Comparison Models

CISCO PIX 535 - Ideal for Large Businesses and Service Providers

Price: ~$15000

-Three rack unit design
-Supports up to ten 10/100 fast Ethernet interfaces or nine gigabit interfaces.
-Delivers 1.7 Gbps of firewall throughput with the capability to handle more than 500,000 simultaneous sessions.

CISCO PIX 501 - Ideal for Small Office/ Home Users.

Price: ~$400

-Includes four port 10/100 switch
-60 Mbps of firewall throughput


OSI Model -Firewall Layer- Overview

|APPLICATION| - |APPLICATION FIREWALL| - |STATEFUL INSPECTION|
|PRESENTATION| - |STATEFUL INSPECTION|
|SESSION| - |STATEFUL INSPECTION|
|TRANSPORT| - |PACKET FILTERS| - |STATEFUL INSPECTION|
|NETWORK| - |PACKET FILTERS| - |STATEFUL INSPECTION|
|DATA LINK|
|PHYSICAL|