What is a Firewall?
Firewalls are often the first layer of defense in a network. A firewall is a network security device or software that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls are typically deployed as either network firewalls or software-based host firewalls. Network firewalls use either a dedicated hardware device or software on commonly available hardware between two or more networks. Software-based host firewalls are installed directly on a workstation or server.
Firewalls are incorporated into a wide variety of networked devices to filter traffic and lower the risk that malicious packets traveling over the public internet can impact the security of a private network.
When traffic passes through a firewall, it is compared to the rules, which are part of what is called a ruleset, and it is either allowed through or blocked based on the results of that comparison. A well-constructed firewall ruleset always ends in a deny rule that catches anything that isn’t explicitly allowed; this is known as an implicit deny rule. In many firewalls, this isn’t actually a rule seen in the ruleset; instead, the firewall just drops anything that doesn’t match the rules it does have.
There are three common types of firewalls: packet filters, stateful packet inspection firewalls, and application-layer firewalls.
A packet-filtering firewall examines packets in isolation and does not know the packet's context. Packets that match the rules are allowed through. Packets that don’t match the allow rule are dropped. Packet filters have no concept of a conversation between machines, so every packet is checked, and rules have to be created for traffic headed both in and out of the firewall-protected network.
A stateful inspection firewall examines network traffic to determine whether one packet is related to another packet. This technique, called stateful packet inspection, determines whether communications are new, whether they are part of an ongoing connection the firewall already allowed, or whether the traffic doesn’t match any allow rule. If packets sent in are new and not part of an existing conversation, they are checked against the firewall’s rules and, if they are allowed, a new entry is made in the firewall’s state table. If the conversation already exists in the state table, then the firewall simply allows it to continue, and of course, if the traffic is on the deny list, it is blocked.
Stateful firewalls are typically preferable to packet filters because they decrease load and increase throughput by only inspecting new conversations. Fortunately, dedicated firewalls on the market today almost universally support stateful packet inspection. This means that they can apply additional intelligence to their filtering by allowing responses to traffic sent by protected systems, rather than inspecting every packet sent in or out. What stateful firewalls don’t deal with is what the conversations contain, or how they should be carried on; for that, you need an application-layer firewall.
Application-layer firewalls, sometimes called third-generation firewalls, go even further into the packets they filter and examine the content of the packet itself, instead of merely looking at what IP address, port, and protocol the packet uses. This inspection capability allows application-layer firewalls to analyze data by using protocols like HTTP and applications like BitTorrent (a common peer-to-peer file-sharing application) to check if they’re being used in ways that don’t match the rules created by the firewall administrator.
Application layer firewalls improve the overall security of the application infrastructure by preventing attacks that are likely to cause a service outage or cause structural damage to data sources. Application layer firewalls are generally remotely updateable, which allows them to prevent newly discovered vulnerabilities. These firewalls are often more up to date than specific security-focused code included in applications, due to the longer development and testing cycles required to include such code within applications.
Because application-layer firewalls rely on the matching protocols and applications, they are the most likely of the three types of firewalls to unintentionally block desired traffic due to software or operating-system changes.
Most modern firewalls provide at least packet filter and stateful packet inspection filtering, and many next-generation firewalls add even more capabilities, like intrusion prevention or malware detection and filtering, as part of their application-layer filtering capabilities.
Software firewalls can have the same capabilities as other firewalls, and thus typically provide stateful packet inspection or application-layer filtering capabilities.
Hardware firewalls are used more in companies and large corporations. These devices are usually placed between the router and the Internet connection. As they are dedicated security devices, they are optimized to carry out firewall functions and do not use up resources on personal computers.
Hardware firewalls biggest drawback is maintenance, as they are difficult to update and configure correctly.
Host-based firewalls offer improved protection against the threats, and software is widely available for many systems. Linux systems support a kernel-based packet filter that is a suitable tool for constructing host-based firewalls. However, constructing a good set of rules that adequately protects a host is not trivial.
Host-based firewalls have the following advantages:
- Protection Against Firewall Failure – Adding another firewall of different design is helpful in case the primary firewall fails, because most likely the attack or problem that causes the primary firewall failure will not affect the host-based firewall similarly. Multiple firewalls do not offer increased protection against attacks directed at vulnerabilities in applications or operating systems.
- Simplicity – Configuring a host-based firewall is usually far simpler than configuring a perimeter firewall, because the host usually requires support for just a few protocols in order to function. Simplicity makes verification of the rule set simpler as well. (Complexity is the enemy of security.)InformationPerimeter firewalls control the flow of network traffic entering or leaving the host or organization's border or outer boundary, providing a first line of defense against external attacks and blocking access to inappropriate content from inside an organization.
- Protection Against a Wider Number of Threats – The host-based firewall can protect against threats originating from within a corporate network, and can help mitigate the risks of badly configured software on a host.
- Specificity – A host-based firewall can be tuned to support a single set of applications and to block everything else. Perimeter firewalls are usually configured with a rule set designed to support many applications, and consequentially are much more likely to have exploitable weaknesses.
A more specialized form of firewall that has become increasingly popular is the web application firewall, or WAF. Web application firewalls are specifcally designed to filter HTTP and HTTPS (unencrypted and encrypted) website traffic and are intended to prevent attacks on web applications and servers. WAFs typically require specifc knowledge of how an organization’s applications are designed and work to be fully effective, but when properly deployed they can help prevent SQL injection, cross-site scripting (XSS), and other web attacks.
Web application firewalls also often add a number of features that help make website hosting easier. Current WAFs include a wide range of extra abilities:
- The ability to speed up secure web traffc (HTTPS), known as SSL acceleration
- Lookup systems to determine where users are coming from
- Reputation systems that rely on third-party data about what systems have attacked other sites
- Whitelists and blacklists to determine who should have access and which systems should be blocked due to attacks or misuse
- Authentication mechanisms to allow users to sign in to send certain types of traffic through the device
- In-depth reporting and analysis tools
- “Virtual patching,” a capability that filters attack traffic to prevent exploits against known vulnerabilities, thus creating a virtual patch until the application can actually be patched
Did you find this tutorial helpful? Don’t forget to share your views with us.