Firewall
Firewall is a network security device, either hardware or software based, which monitors all incoming and outgoing traffic and based on defined set of security rules it accept, reject or drop that specific traffic.
Accept : allow the traffic
Reject : block
the traffic but reply with an “unreachable error”
Drop : block
the traffic with no reply
Firewall establishes a barrier between secured internal networks and outside untrusted network, such as Internet.
History and Need for Firewall
Before Firewalls, network security was
performed by Access Control Lists (ACLs) residing on routers. ACLs are rules
that determine whether network access should be granted or denied to specific
IP address.
But ACLs cannot determine the nature of packet it is blocking. Also, ACL alone
does not have the capacity to keep threats out of the network. Hence, Firewall
was introduced.
Connectivity to the Internet is no longer optional for organizations. However, accessing Internet provides benefits to the organization; it also enables the outside world to interact with internal network of the organization. This creates a threat to the organization. In order to secure the internal network from unauthorized traffic we need Firewall.
How Firewall Works
Firewall match the
network traffic against the rule set defined in its table. Once the rule is
matched, associate action is applied to the network traffic. For example, Rules
are defined like any employee from HR department cannot access the data from
code server and at the same time other rule is defined like system
administrator can access the data from both HR and technical department. Rules
can be defined on firewall based on the necessity and security policies of the
organization.
From the perspective of a server, network traffic can be either outgoing or
incoming. Firewall maintains distinct set of rules for both the cases. Mostly
the outgoing traffic, originated from the server itself, allowed to pass.
Still, setting rule on outgoing traffic is always better in order to achieve
more security and prevent unwanted communication.
Incoming traffic is treated differently. Most traffic which reaches on firewall
is one of these three major Transport Layer protocols- TCP, UDP or ICMP. All
these types have a source address and destination address. Also, TCP and UDP
have port numbers. ICMP uses type
code instead of port number which identifies purpose of that
packet.
Default
policy: It
is very difficult to explicitly cover every possible rule on firewall. For this
reason, firewall must always have a default policy. Default policy only consist
action (accept, reject or drop).
Suppose no rule is defined about SSH connection to the server on firewall. So,
it will follow default policy. If default policy on firewall is set to accept, then any computer
outside of your office can establish SSH connection to the server. Therefore,
setting default policy as drop (or
reject) is always a good practice.
Generation of Firewall
Firewalls can be categorized based on its generation.
First
Generation- Packet Filtering Firewall : Packet filtering firewall is used to
control network access by monitoring outgoing and incoming packet and allowing
them to pass or stop based on source and destination IP address, protocols and
ports. It analyses traffic at the transport protocol layer (but mainly uses
first 3 layers).
Packet firewalls treats each packet in Isolation. They have no ability to tell
whether a packet is part of an existing stream of traffic. Only It can allow or
deny the packets based on unique packet headers.
Packet filtering firewall maintains a filtering table which decides whether the packet will be forwarded or discarded. From the given filtering table, the packets will be Filtered according to following rules:
Second Generation- Stateful Inspection Firewall : Stateful firewalls (performs Stateful Packet Inspection) are able to determine the connection state of packet, unlike Packet filtering firewall, which makes it more efficient. It keeps track of the state of networks connection travelling across it, such as TCP streams. So the filtering decisions would not only be based on defined rules, but also on packet’s history in the state table.
Third
Generation- Application Layer Firewall : Application layer firewall can inspect
and filter the packets on any OSI layer, up to application layer. It has
ability to block specific content, also recognize when certain application and
protocols (like HTTP, FTP) are being misused.
In other words, Application layer firewalls are hosts that run proxy servers. A
proxy firewall prevents direct connection between either side of firewall, each
packet has to pass through the proxy. It can allow or block the traffic based
on predefined rules.
Note: Application layer firewalls can also be used as Network Address Translator(NAT).
Next Generation Firewalls (NGFW) : Next Generation Firewalls are being deployed these days to stop modern security breaches like advance malware attacks and application layer attacks. NGFW consists of Deep Packet Inspection, Application Inspection, SSL/SSH inspection and many fuctionalities to protect the network from these modern threats.
Types of Firewall
Firewalls are
generally of two types: Host-based and Network-based.
Host- based Firewalls
: Host-based firewall are installed on each network node
which controls each incoming and outgoing packet. It is a software application
or suit of applications, comes as a part of operating system. Host-based
firewalls are needed because network firewalls cannot provide protection inside
a trusted network. Host firewall protects each host from attacks and
unauthorized access.
Network-based Firewalls : Network firewall function on network level. In other words, these firewalls filters all incoming and outgoing traffic across the network. It protects the internal network by filtering the traffic using rules defined on firewall. A Network firewall might have two or more network interface cards (NICs). Network-based firewall is usually a dedicated system with proprietary software installed.
Both types of firewall have their own advantages.