Firewall Technology
Nauman H. Ansari

Summary
This document provides an overview of different firewall types, including packet-filtering, stateful inspection, proxy, NGFW, and WAF. It describes their function, the OSI layer they operate at, key features, and use cases. The document also touches on network segmentation and firewall configuration requirements.
Firewalls
Nauman H. Ansari

Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between trusted internal networks and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both.

(Figure: administered network, trusted "good guys" | firewall | public network / Internet, untrusted "bad guys".) A firewall isolates the organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

Types of Firewalls
NIST 800-41 Rev. 1 provides guidelines on firewalls and categorizes them into several types based on functionality:
1. Packet-Filtering Firewall
2. Stateful Inspection Firewall
3. Proxy Firewall
4. Next-Generation Firewall (NGFW)
5. Web Application Firewall (WAF)

Packet-Filtering Firewall
These inspect individual packets and decide whether to allow or deny them based on predefined rules (e.g., IP address, port).
Layer: Network Layer (Layer 3)
Function: Filters traffic based on IP addresses, ports, and protocols.
Key Feature: Basic filtering, without tracking the state of connections.
Use Case: Simple, low-cost protection for small networks.

Access Control List (ACL)
An Access Control List (ACL) is a set of rules that control network traffic and limit access to network resources.
Function: Determines which packets are allowed or denied through the firewall.
Steps:
1. Access the firewall management console.
2. Navigate to the ACL settings.
3. Enter the rules in the order presented.
4. Save and apply the configuration.

Firewall Scenario
Scenario: A small company wants to secure its network.
Network Setup:
Internal Network: 192.168.1.0/24
External Network: Internet
Services Needed:
Web Server (HTTP/HTTPS) - 192.168.1.10
Email Server (SMTP) - 192.168.1.20
Goal: Allow only specific traffic to and from these servers.

ACL Rules

Stateful Inspection Firewall
These monitor the state of active connections and allow or block traffic based on the context of the traffic.
Layer: Network and Transport Layers (Layer 3 and 4)
Function: Tracks the state of active connections and makes decisions based on the connection state.
Key Feature: Context-aware security by maintaining connection states.
Use Case: Provides a higher level of security compared to packet-filtering firewalls. By tracking connection states, the firewall can reduce the need for complex, explicit ACL rules for every connection stage (e.g., TCP SYN, SYN-ACK, etc.), simplifying management and improving performance.

Stateless vs Stateful Firewall

Proxy Firewall (Application-Level Gateway)
Proxy firewalls work at the application layer, acting as intermediaries between internal users and external servers. They inspect and filter traffic based on specific application-level protocols (e.g., HTTP, FTP).
Layer: Application Layer (Layer 7)
Function: Acts as an intermediary between clients and servers, inspecting traffic for specific applications.
Key Feature: Deep inspection of application-layer data; no direct connection between external and internal systems.
Use Case: Provides robust protection for specific applications like web or email servers.

Next-Generation Firewall (NGFW)
These integrate multiple functions such as deep packet inspection, intrusion prevention, and application-level traffic filtering, combining stateful inspection with more advanced capabilities.
Layer: Multiple Layers (Network, Transport, and Application Layers)
Function: Combines stateful inspection, deep packet inspection, and application-layer traffic analysis.
Key Feature: Advanced security features like intrusion prevention, malware detection, and application awareness.
Use Case: Modern enterprise networks requiring comprehensive and adaptive security.

Web Application Firewall (WAF)
WAFs specifically protect web applications by filtering and monitoring HTTP traffic, focusing on web-specific threats like cross-site scripting (XSS) and SQL injection attacks.
Layer: Application Layer (Layer 7)
Function: Specifically protects web applications by inspecting and filtering HTTP/HTTPS traffic.
Key Feature: Protects against web-specific threats such as SQL injection, cross-site scripting, and DDoS attacks.
Use Case: E-commerce websites, online services, and any web application needing protection from web-based attacks.

Designing Network Segmentation

Firewall Selection for an Enterprise

Firewall Configuration Requirement

Types of Firewalls

Packet-filtering Firewalls
Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming traffic packet by packet and allowing each packet to pass or dropping it based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
Data packets are analyzed and compared against the configuration rules or "access list." The firewall then determines what is allowed or denied access to your environment.
A packet filtering firewall is the most basic type of firewall. It acts like a management program that monitors network traffic and filters incoming packets based on configured security rules. While packet-filtering firewalls can be considered a fast solution without many resource requirements, they also have some limitations. Because these types of firewalls do not prevent web-based attacks, they are not the safest.
Stateless Inspection

Stateful Inspection

If we have both stateless and stateful (video narration)
So what happens if we have both a stateless and a stateful inspection? The stateless inspection is going to be performed first and then the stateful data will be evaluated. What we have here is a diagram that is specific to a Juniper firewall. This is the flow that the packet will follow. If we have an incoming packet that matches a session, the firewall will evaluate the screens, it will see the type of traffic and it will match it against a session, then that or other services that are required will be applied. Some of the services shown are App track, App DoS, App QoS, App FW, and IDP, which are some of the more advanced security services. If the incoming packet doesn't match an existing session, then a different flow will be followed. First, screens will be applied. Screens are basically just filters that will protect against flow or denial of service attacks.
Then static NAT will be applied if that is required, then the destination NAT if it is configured, then the routing and the policy evaluation will be conducted. So depending on the incoming and outgoing interfaces that are defined, after we know what the route should be, the zones will be defined, and then we'll see if there is a policy that will allow or discard the traffic. In some cases, we might see a reverse static NAT. The source NAT is done after the policy evaluation. When you are a network administrator, this type of flow is really good to have in mind. Then services will be applied and the session will be built. So you can see that when an incoming packet doesn't match an existing session, the path through the firewall is longer. If the packet matches an existing session, its path is shorter because the firewall already knows what this packet is doing.

Stateful Inspection Firewalls
Stateful inspection techniques allow the analysis of traffic flow patterns according to state, port, and protocol. The firewall monitors activity on a connection from open to close. Next, the firewall keeps track of known, trusted packets, distinguishing authorized data from the website or app from any data from unauthorized sources. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections.
Layer: Network and Transport Layers (Layer 3 and 4)
Function: Tracks the state of active connections and makes decisions based on the connection state.
Key Feature: Context-aware security by maintaining connection states.
Use Case: Provides a higher level of security compared to packet-filtering firewalls.

Application-level Gateways (Proxy Firewalls)
An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application.
Proxy servers can provide additional functionality such as content caching and security by preventing direct connections from outside the network. However, this also may impact throughput capabilities and the applications they can support. The firewall prevents direct network connections and acts as an intermediary between your server and end-user requests. Entire packets are examined and either blocked or allowed based on set rules. Unlike basic firewalls, these firewalls forward requests from clients while presenting themselves to the web server as the original client. This protects the client's identity and other sensitive information, keeping the network safe from potential attacks. Once the connection is established, the proxy firewall inspects data packets coming from the source. If the contents of the incoming data packet pass inspection, the proxy firewall transfers it to the client. This approach creates an additional layer of security between the client and many different sources on the network.
Layer: Application Layer (Layer 7)
Function: Acts as an intermediary between clients and servers, inspecting traffic for specific applications.
Key Feature: Deep inspection of application-layer data; no direct connection between external and internal systems.
Use Case: Provides robust protection for specific applications like web or email servers.

Next Generation Firewall (NGFW)
A next generation firewall (NGFW) is, as Gartner defines it, a "deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall." This may also provide antivirus functionality and website filtering. Many of the latest released firewalls are usually defined as 'next-generation firewalls'. However, there is no specific definition for next-generation firewalls.
An NGFW monitors the entire transaction of data, including packet headers, packet contents, and sources. NGFWs are designed in such a way that they can prevent more sophisticated and evolving security threats such as malware attacks, external threats, and advanced intrusion.

Deep Packet Inspection
Deep Packet Inspection (and filtering) enables advanced network management: analyzing network usage, troubleshooting network performance, ensuring that data is in the correct format, checking for malicious code, eavesdropping, and internet censorship, among other purposes. There are multiple headers for IP packets; network equipment only needs to use the first of these (the IP header) for normal operation. DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model. In some cases, DPI can be invoked to look through Layers 2-7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases. Although DPI has been used for Internet management for many years, some advocates of net neutrality fear that the technique may be used to reduce the openness of the Internet.
Building Firewall Policies for East West Traffic

Data Center Segmentation

Future Proof your Work – Security Policy in a Segmented Network

Define and Enforce Network Segmentation and Security Zoning

Access Control Lists (ACL)
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs

action   source address         dest address           protocol   source port   dest port   flag bit
allow    222.22/16              outside of 222.22/16   TCP        > 1023        80          any
allow    outside of 222.22/16   222.22/16              TCP        80            > 1023      ACK
allow    222.22/16              outside of 222.22/16   UDP        > 1023        53          ---
allow    outside of 222.22/16   222.22/16              UDP        53            > 1023      ----
deny     all                    all                    all        all           all         all

NGFW – Application and User Aware Policies
NGFW offers two advantages to regain control of some aspects of firewall management:
1. Application-awareness-based filtering
2. Identity-based filtering

NGFW: Whitelisting and Blacklisting

Policy Considerations

Firewall and IPS Placement in Network

Firewalls
A firewall isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
(Figure: administered network, trusted "good guys" | firewall | public Internet, untrusted "bad guys".)
Network Security 8-47

Firewalls: why
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data: e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network: set of authenticated users/hosts
- three types of firewalls: stateless packet filters, stateful packet filters, application gateways

Stateless packet filtering
Should an arriving packet be allowed in? Should a departing packet be let out?
The internal network is connected to the Internet via a router firewall. The router filters packet by packet; the decision to forward/drop a packet is based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type

Stateless packet filtering: example
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
Result: all incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: block inbound TCP segments with ACK=0.
Result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Stateless packet filtering: more examples
Policy: No outside Web access.
Firewall setting: Drop all outgoing packets to any IP address, port 80.
Policy: No incoming TCP connections, except those for institution's public Web server only.
Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
Policy: Prevent Web-radios from eating up the available bandwidth.
Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a smurf DoS attack.
Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).
Policy: Prevent your network from being tracerouted.
Firewall setting: Drop all outgoing ICMP TTL expired traffic.

Stateful packet filtering
A stateless packet filter is a heavy-handed tool: it admits packets that "make no sense," e.g., dest port = 80, ACK bit set, even though no TCP connection has been established:

action   source address         dest address   protocol   source port   dest port   flag bit
allow    outside of 222.22/16   222.22/16      TCP        80            > 1023      ACK

A stateful packet filter tracks the status of every TCP connection:
- tracks connection setup (SYN) and teardown (FIN) to determine whether incoming and outgoing packets "make sense"
- times out inactive connections at the firewall: no longer admits their packets

Stateful packet filtering
The ACL is augmented to indicate the need to check the connection state table before admitting a packet:

action   source address         dest address           proto   source port   dest port   flag bit   check conxion
allow    222.22/16              outside of 222.22/16   TCP     > 1023        80          any
allow    outside of 222.22/16   222.22/16              TCP     80            > 1023      ACK        x
allow    222.22/16              outside of 222.22/16   UDP     > 1023        53          ---
allow    outside of 222.22/16   222.22/16              UDP     53            > 1023      ----       x
deny     all                    all                    all     all           all         all

Application gateways
(Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter.)
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host.
The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls, gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has its own app. gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all-or-nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks

32-4 FIREWALLS
All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
Topics discussed in this section: Packet-Filter Firewall; Proxy Firewall
Figure 32.22 Firewall
Figure 32.23 Packet-filter firewall
Note: A packet-filter firewall filters at the network or transport layer.
Figure 32.24 Proxy firewall
Note: A proxy firewall filters at the application layer.
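As an added example (not code from the slides), the 222.22/16 ACL table above, evaluated top to bottom, with and without the stateful "check conxion" column: the stateful version records flows opened from inside and admits a reply only as the reverse of one of them, so the slide's port-80-with-ACK packet that "makes no sense" is denied. Packets, addresses outside 222.22/16 and the connection table are constructed for the example; timeouts of inactive connections are left out.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("222.22.0.0/16")   # the slide's 222.22/16 network


def HIGH(port):
    """The '> 1023' port column (ephemeral client ports)."""
    return port > 1023


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag bit


def rule(action, proto, src_inside, dst_inside, sport, dport,
         ack=False, check_conn=False):
    """One ACL row. src_inside/dst_inside: True = 222.22/16, False = outside,
    None = any. A port spec is an int, a predicate such as HIGH, or None."""
    return dict(action=action, proto=proto, src_inside=src_inside,
                dst_inside=dst_inside, sport=sport, dport=dport,
                ack=ack, check_conn=check_conn)


# The slide's ACL, top to bottom; check_conn marks the "check conxion" rows.
ACL = [
    rule("allow", "TCP", True, False, HIGH, 80),                             # outbound web request
    rule("allow", "TCP", False, True, 80, HIGH, ack=True, check_conn=True),  # web reply
    rule("allow", "UDP", True, False, HIGH, 53),                             # outbound DNS query
    rule("allow", "UDP", False, True, 53, HIGH, check_conn=True),            # DNS reply
    rule("deny", "all", None, None, None, None),                             # default deny
]


def _port_ok(spec, port):
    if spec is None:
        return True
    return spec(port) if callable(spec) else port == spec


class Firewall:
    def __init__(self, acl, stateful):
        self.acl, self.stateful = acl, stateful
        self.conns = set()   # flows opened from inside: (src, sport, dst, dport)

    def decide(self, pkt):
        """First matching rule wins; anything unmatched is denied."""
        src_in = ipaddress.ip_address(pkt.src) in INSIDE
        dst_in = ipaddress.ip_address(pkt.dst) in INSIDE
        for r in self.acl:
            if r["proto"] not in ("all", pkt.proto):
                continue
            if r["src_inside"] is not None and r["src_inside"] != src_in:
                continue
            if r["dst_inside"] is not None and r["dst_inside"] != dst_in:
                continue
            if not (_port_ok(r["sport"], pkt.sport) and _port_ok(r["dport"], pkt.dport)):
                continue
            if r["ack"] and not pkt.ack:
                continue
            if self.stateful and r["check_conn"]:
                # a reply is admitted only as the reverse of a flow opened from inside;
                # otherwise keep scanning, which ends at the "deny all" row
                if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.conns:
                    continue
            if self.stateful and r["action"] == "allow" and src_in and not r["check_conn"]:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))   # connection setup
            return r["action"]
        return "deny"


def demo():
    """The slide's 'makes no sense' packet: from port 80 to a high port, ACK set,
    but no connection was ever opened. Returns (stateless, stateful) verdicts."""
    bogus = Packet("TCP", "9.9.9.9", "222.22.1.5", sport=80, dport=40000, ack=True)
    return (Firewall(ACL, stateful=False).decide(bogus),
            Firewall(ACL, stateful=True).decide(bogus))
```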
https://www.javatpoint.com/types-of-firewall

Enterprise and Infrastructure Security

Security Awareness, Compliance, Assessments, and Risk
- Summarize the basics of social engineering and phishing attacks
- Discuss techniques for creating effective security awareness programs
- Explain governance, risk, and compliance (GRC) platforms
- Analyze the NIST and PCI-DSS frameworks
- Differentiate relative challenges of security and compliance

Hybrid Cloud Security
- Describe the enterprise shift to hybrid cloud architectures
- Examine how micro-segmented workloads operate
- Describe defense in depth in the context of cloud security
- Analyze how architectures evolve to secure, distributed, virtualized hybrid cloud
- Describe hyper-resilience in distributed cloud policy enforcement

Blockchain, Anonymity, and Critical Infrastructure Protection
- Summarize the basics of hash functions and how they generally work
- Explain blockchain, including mining and chaining techniques for integrity
- Explain onion routing and the Tor browser
- Analyze Chaum's binding techniques for anonymity
- Differentiate between critical and non-critical infrastructure for cyber protection

Mobility Security and Deception
- Discuss the basics of mobile security including apps and infrastructure
- Explain the differences between IoT and ICS security and threats
- Examine how to deal with IMSI catching in mobile services
- Summarize the use of deception in cyber security
- Develop a lifelong learning plan for potential careers in cyber security

Stateful Multilayer Inspection Firewalls (SMLI)
Stateful Multilayer Inspection Firewalls filter data packets at the network, transport, and application layers. SMLI firewalls examine entire data packets and compare them against trusted ones. These types of firewalls only allow data packets to pass if they pass the filters at each layer individually, ensuring all communication takes place with trusted sources.
In simple words, when a user establishes a connection and requests data, the SMLI firewall creates a database (state table). The database is used to store session information such as source IP address, source port number, destination IP address, destination port number, etc. Connection information is stored for each session in the state table. Using stateful inspection technology, these firewalls create security rules to allow anticipated traffic. In most cases, SMLI firewalls are implemented as additional security levels. These types of firewalls implement more checks and are considered more secure than stateless firewalls. This is why stateful packet inspection is implemented along with many other firewalls to track statistics for all internal traffic. Doing so increases the load and puts more pressure on computing resources. This can give rise to a slower transfer rate for data packets than other solutions.

Next-Generation Firewalls (NGFW)
While traditional firewalls only inspect packet headers, Next-Generation Firewalls combine conventional firewall technology with additional functionality. Like SMLI firewalls, Next-Gen Firewalls analyze data within the packets to identify and stop malicious data more effectively. An NGFW includes additional functionality such as:
- Encrypted traffic verification
- Intrusion prevention
- Antivirus
- Website filtering
- Deep packet inspection (DPI)
Many of the latest released firewalls are usually defined as 'next-generation firewalls'. However, there is no specific definition for next-generation firewalls. This type of firewall is usually defined as a security device combining the features and functionalities of other firewalls. These firewalls include deep-packet inspection (DPI), surface-level packet inspection, TCP handshake testing, etc. An NGFW includes higher levels of security than packet-filtering and stateful inspection firewalls.
Unlike traditional firewalls, an NGFW monitors the entire transaction of data, including packet headers, packet contents, and sources. NGFWs are designed in such a way that they can prevent more sophisticated and evolving security threats such as malware attacks, external threats, and advanced intrusion.

Types of Firewall

Unified threat management (UTM) firewall
A UTM device typically combines the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.

Next-generation firewall (NGFW)
Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks. According to Gartner, Inc.'s definition, a next-generation firewall must include:
- Standard firewall capabilities like stateful inspection
- Integrated intrusion prevention
- Application awareness and control to see and block risky apps
- Upgrade paths to include future information feeds
- Techniques to address evolving security threats
https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html