Almost all small, medium and large organizations use the internet and connect it to the company network. At the boundary of the organization's network there must be a partition between the external and internal networks; this partition is essential for network security. The internal corporate network is known as the trusted zone, while the external network is known as the untrusted zone. A firewall is a network device that protects an organization's network from intruders, both inside and outside.
All data packets entering or leaving the internal network pass through the firewall. It inspects each packet and blocks any untrusted traffic.
Installing a firewall at the network boundary is like aggregating the security at a single point. Firewalls are an important element in the quest to achieve network security for many reasons:
- To protect the internal network and its hosts.
- The untrusted zone contains criminals, users from competing companies, ex-employees, espionage from unknown countries, etc.
- To stop an attacker from launching DoS attacks on network resources.
- To prevent illegal modification of, or access to, the organization's internal data by intruders.
Firewalls are of three basic types:
- Packet filtering (stateless and stateful).
- Application-level gateway.
- Circuit-level gateway.
In a packet filtering firewall, the trusted zone connects to the untrusted zone through a router firewall. The firewall examines and filters data packet by packet. This type of firewall allows or blocks packets based on the source or destination IP address, port numbers and/or other parameters in the IP header. The final decision can also be based on factors beyond the IP header fields, such as the ICMP message type or the TCP SYN and ACK bits.
Packet filtering rules have two parts: a selection criterion and an action field. The selection criterion is the condition, matched against the packet, on which the decision is made. The action field defines what to do when an IP packet meets the selection criterion: allow the packet across the firewall or block it.
Packet filtering is implemented by configuring an access control list (ACL) on a router or switch. The ACL is a table of packet filter rules. The firewall applies the access control list from top to bottom to each incoming packet, finds the matching rule, and allows or blocks the individual packet accordingly.
A stateless firewall looks at each packet in isolation and allows it if it meets an allow rule in the ACL, even when the packet is not part of any established, ongoing communication. For this reason stateless firewalls have been replaced by stateful firewalls in modern networks, which provide deeper inspection than the ACL-based packet examination of stateless firewalls.
A stateful firewall monitors the connection setup and teardown process to keep track of connections at the TCP/IP level. This lets it know which connections are open at any given point in time. It consults the rule base only when a new connection is requested. Packets belonging to an existing connection are compared against the firewall's state table of open connections, and the decision to allow or block is taken from that.
This process saves time and offers added security: no packet is allowed through the firewall unless it opens a connection the rule base permits or belongs to an already established connection. The firewall can time out inactive connections, after which it no longer admits packets for that connection.
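As an added illustration of the rule evaluation and connection tracking described in the last few paragraphs (example code written for this page, not code from the article or from any firewall product), the following Python toy evaluates an ACL top to bottom for every packet in stateless mode; in stateful mode it consults the ACL only for connection-opening segments, admits the rest from a state table, drops entries on RST or after an orderly FIN exchange, and expires idle ones. The rule fields, the 203.0.113.x and 198.51.100.x addresses and the 60-second timeout are constructed for the example.

```python
"""Added illustration (not code from the original article) of the stateless and
stateful filtering described above: rules carry a selection criterion and an
action; the stateless filter walks the ACL top to bottom for every packet,
while the stateful filter walks it only for connection-opening packets, admits
the rest from its state table, and expires idle connections."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP flags (all False for non-TCP packets)
    ack: bool = False
    fin: bool = False
    rst: bool = False

    def opens_connection(self) -> bool:
        """SYN set and ACK clear: the first segment of a new TCP connection."""
        return self.proto == "tcp" and self.syn and not self.ack


@dataclass(frozen=True)
class Rule:
    """Selection criterion (None/ANY = wildcard) plus the action field."""
    action: str                 # "allow" or "block"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_only: bool = False      # match only connection-opening segments

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (not self.new_only or p.opens_connection()))


def stateless_decision(acl, p: Packet, default="block") -> str:
    """Top to bottom through the ACL; the first matching rule decides,
    and a packet that matches no rule gets the default action."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


class StatefulFirewall:
    def __init__(self, acl, idle_timeout=300.0):
        self.acl, self.idle_timeout = acl, idle_timeout
        self.table = {}   # connection key -> {"last": time, "fins": count}

    @staticmethod
    def _key(p: Packet):
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])   # same key both ways
        return (p.proto, ends[0], ends[1])

    def decide(self, p: Packet, now: float) -> str:
        # Teardown by timeout: forget connections idle longer than the limit.
        for k in [k for k, e in self.table.items() if now - e["last"] > self.idle_timeout]:
            del self.table[k]
        key = self._key(p)
        entry = self.table.get(key)
        if entry is not None:              # known connection: no rule-base lookup
            entry["last"] = now
            if p.rst:                      # abrupt teardown
                del self.table[key]
            elif p.fin:                    # orderly close: count both FINs...
                entry["fins"] += 1
            elif entry["fins"] >= 2:       # ...and drop the entry on the final ACK
                del self.table[key]
            return "allow"
        if p.proto == "tcp" and not p.opens_connection():
            return "block"                 # stray mid-stream segment, no connection
        action = stateless_decision(self.acl, p)
        if action == "allow":
            self.table[key] = {"last": now, "fins": 0}
        return action


def demo() -> dict:
    """Constructed scenario: only new inbound TCP/443 connections to the web
    server 203.0.113.10 are permitted; everything else is blocked."""
    acl = [Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443, new_only=True),
           Rule("block")]
    syn = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443, syn=True)
    synack = Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 51000, syn=True, ack=True)
    data = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443, ack=True)
    stray = Packet("198.51.100.9", "203.0.113.10", "tcp", 52000, 443, ack=True)
    fw = StatefulFirewall(acl, idle_timeout=60)
    return {
        "stateless_sees_data": stateless_decision(acl, data),  # no allow rule fits: block
        "syn": fw.decide(syn, 0), "synack": fw.decide(synack, 1),
        "data": fw.decide(data, 2), "stray": fw.decide(stray, 3),
        "data_after_timeout": fw.decide(data, 100),
    }
```

Calling demo() shows the difference the text describes: with the same ACL the stateless filter cannot admit the ACK-only data segment without a much broader rule, while the stateful firewall admits it because the SYN was already checked against the rule base, refuses the stray segment that belongs to no tracked connection, and stops admitting the connection once it has been idle past the timeout.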
The application-level gateway acts as a relay node for application-level traffic. It terminates incoming and outgoing connections, runs proxies that copy and forward information across the gateway, and functions as a proxy server, thus preventing any direct connection between a trusted server or client and an untrusted host. The proxies are application specific and can filter packets at the application layer of the OSI reference model.
An application-specific proxy accepts only packets of the application it is built for, and those it copies, forwards and filters. For instance, only a Telnet proxy can copy, forward and filter Telnet traffic. If the network relies on an application-level gateway, incoming and outgoing packets cannot reach services for which no proxy is configured. For example, if the application gateway runs FTP and Telnet proxies, packets of those services can pass through the firewall while all other services are blocked.
Application level filtering:
Instead of copying and blindly forwarding packets across the gateway, an application-level proxy gateway inspects and filters individual packets: the content of each packet is verified at the application layer by the application-specific proxy it passes through.
Application gateways can also restrict specific actions. For instance, the gateway can be configured to prevent users from performing the FTP put command, which stops an attacker from modifying the information stored on the server. Application-level gateways can still be transparent to users, but many deployments require user authentication before users can access an untrusted network, which reduces true transparency. Authentication may differ depending on whether a user comes from the trusted network or from the untrusted network: for the trusted network, a simple list of IP addresses permitted to connect to external applications may suffice, while for users arriving from the untrusted zone strong authentication is necessary.
An application gateway relays TCP segments between two TCP connections in both directions (client <-> proxy <-> server). For outbound packets, the gateway may replace the source IP address with its own IP address. This process is referred to as NAT (network address translation), and it ensures that internal IP addresses are not exposed to the internet.
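To make the FTP put restriction and the NAT step concrete, here is an added Python sketch written for this page (not code from the article or from any gateway product). It assumes a read-only gateway policy, treats the FTP wire command STOR (what a client sends when the user types put) and the other modifying commands as the ones to refuse, and uses constructed addresses: 10.0.0.5 for the internal client and 203.0.113.1 for the gateway's public side.

```python
"""Added illustration (not code from the original article) of two steps of an
application-level gateway: application-layer command filtering on the FTP
control channel, and source NAT so the server never sees the internal address."""
from typing import Optional, Tuple

# FTP commands that create, change or remove data on the server. Treating all
# of them as forbidden (a read-only policy) is an assumption made for this example.
MODIFYING_COMMANDS = frozenset({"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"})


class FtpCommandFilter:
    """Application-layer inspection: one decision per FTP control command."""

    def __init__(self, blocked=MODIFYING_COMMANDS):
        self.blocked = blocked
        self.audit = []          # (verb, decision) pairs for the gateway log

    def inspect(self, line: str) -> Tuple[bool, Optional[str]]:
        """Return (forward_to_server, reply_to_send_the_client_instead)."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in self.blocked:
            self.audit.append((verb, "blocked"))
            return False, "550 Command refused by gateway policy\r\n"
        self.audit.append((verb, "forwarded"))
        return True, None


class NatTable:
    """Source NAT: (internal ip, port) -> public port, plus the reverse map for replies."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}        # (internal ip, internal port) -> public port
        self.back = {}       # public port -> (internal ip, internal port)

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite the source of an outbound packet; reuse an existing mapping."""
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Replies to a public port with no mapping have no internal host: drop them."""
        return self.back.get(dst_port)


def relay_session(commands, client=("10.0.0.5", 51000), public_ip="203.0.113.1") -> dict:
    """Run constructed client commands through the gateway. Returns what the
    server would receive, what the client is told instead, and the NAT source."""
    flt = FtpCommandFilter()
    nat = NatTable(public_ip)
    src = nat.outbound(*client)      # the server sees this, never 10.0.0.5
    to_server, to_client = [], []
    for line in commands:
        forward, reply = flt.inspect(line)
        if forward:
            to_server.append(line)
        else:
            to_client.append(reply)
    return {"source_seen_by_server": src, "to_server": to_server,
            "to_client": to_client, "audit": flt.audit}


if __name__ == "__main__":
    print(relay_session(["USER alice", "RETR report.pdf", "STOR notes.txt", "QUIT"]))
```

The filter answers a refused command with a 550 reply on the client's own connection, so the server never sees it, while the audit list gives the gateway log the text's operators would expect; the NAT table keeps a reverse map so that only replies addressed to a port it handed out are delivered inward.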
The circuit-level gateway works at the session layer of the OSI reference model, a thin layer between the application layer and the transport layer of the TCP/IP stack model. It monitors the TCP handshake between the endpoints to determine whether a requested session is legitimate.
Just like the application-level gateway, the circuit-level gateway does not permit an end-to-end TCP connection across the gateway. It sets up two TCP connections and relays the TCP segments from one network to the other. However, it does not inspect the application data the way the application gateway does, which is why it is known as a pipe proxy. The circuit-level gateway is a virtual circuit between the proxy server and the internal client.
For example, when a user's web page request passes through the circuit-level gateway, basic internal user information, such as the IP address, is exchanged with the gateway so that the response can be returned properly. The proxy server then forwards the request to the web server. The external server sees the proxy server's IP address but receives no internal user information. The web server sends its response to the proxy server, which forwards it to the client via the circuit-level gateway.
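The relay just described, as an added Python example written for this page (not code from the article): a minimal circuit-level gateway on the loopback interface that accepts the client's TCP connection, opens a second TCP connection to the server and pipes bytes both ways without interpreting them. The upper-casing echo server is a constructed stand-in for the real web server, and all ports are ephemeral ones chosen by the operating system.

```python
"""Added illustration (not code from the original article) of a circuit-level
'pipe proxy': two TCP connections, bytes relayed unread, and the server seeing
the gateway's address rather than the client's."""
import socket
import threading

socket.setdefaulttimeout(5.0)   # keep a failed run from hanging forever


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src signals EOF, then pass the EOF on.
    Nothing is parsed: the gateway has no idea what application this is."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(server_addr: tuple) -> tuple:
    """Gateway side: listen on an ephemeral loopback port, serve one client by
    opening the second TCP connection to the server and relaying both ways.
    Returns (listening port, info dict, thread)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    info: dict = {}

    def serve_one() -> None:
        client, _ = lsock.accept()                          # connection 1: client <-> gateway
        upstream = socket.create_connection(server_addr)    # connection 2: gateway <-> server
        info["upstream_port"] = upstream.getsockname()[1]
        back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
        back.start()
        _pipe(client, upstream)
        back.join()
        client.close()
        upstream.close()
        lsock.close()

    th = threading.Thread(target=serve_one, daemon=True)
    th.start()
    return lsock.getsockname()[1], info, th


def start_echo_server() -> tuple:
    """Constructed 'real server': records the peer it sees, reads the request to
    EOF and answers with it upper-cased. Returns (port, seen dict, thread)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    seen: dict = {}

    def serve_one() -> None:
        conn, peer = lsock.accept()
        seen["peer"] = peer                 # this is the gateway, not the client
        request = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        conn.sendall(request.upper())
        conn.close()
        lsock.close()

    th = threading.Thread(target=serve_one, daemon=True)
    th.start()
    return lsock.getsockname()[1], seen, th


def run_through_relay(payload: bytes) -> dict:
    """Client side: send payload via the gateway, collect the reply, and report
    which port the server actually saw."""
    server_port, seen, server_thread = start_echo_server()
    relay_port, info, relay_thread = start_relay(("127.0.0.1", server_port))
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        client_port = c.getsockname()[1]
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    server_thread.join(5)
    relay_thread.join(5)
    return {"reply": reply, "client_port": client_port,
            "gateway_port": info["upstream_port"], "server_saw_port": seen["peer"][1]}


if __name__ == "__main__":
    print(run_through_relay(b"hello circuit"))
```

The returned dictionary shows the property the paragraph describes: the server's recorded peer port equals the gateway's outbound port rather than the client's, and the reply comes back exactly as the server produced it, since the gateway only copies bytes.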
Finally, check out my other article on How to achieve PCI Compliance.