Firewalls for Security

(OBJ 3.2)

Firewall

• A network security device or software that monitors and controls network traffic based on security rules
• Firewalls can be hardware appliances or specialized software installed on a device to control network traffic
• Protects networks from unauthorized access and potential threats
  • Screened Subnet (Dual-homed Host)
    
    • Acts as a security barrier between external untrusted networks and internal trusted networks using a protected host with security measures like a packet-filtering firewall
• Types of firewalls are classified based on how much filtering is done or how much strict is your firewall
  • A firewall with in-depth inspection may slow down the device due to the time taken for each packet to pass through all the ACL rules

Types of Firewalls

• Packet Filtering Firewalls

  • Inspect packet headers for IP addresses and port numbers
  • Limited in inspection, operates at Layer 4 (Transport Layer)
  • The most efficient firewall in terms of maximizing your throughput
    • Minimum level of inspection, they're only going to inspect the header of the packet to determine if the packet is going to be allowed or denied based upon the IP address and the port number in the packet.
  • Cannot prevent certain attacks due to limited inspection capabilities in the packet header

• Stateful Firewalls

  • Track all inbound and outbound connections and requests, allowing return traffic for outbound requests
  • In addition to a simple header inspection that's being performed by the packet filtering firewall, a Stateful Firewall will also know if an outbound request is made from our network. And then it's going to use that information to determine if it's going to allow or accept traffic coming into the network from a remote host going towards your network.
    • "Remembers that you asked the information that I am now presenting to you"
  • Operates at Layer 4, with improved awareness of connection state

• Proxy Firewalls

  • Acts as an intermediary between internal and external connections
  • Make connections on behalf of endpoints, enhancing security
  • Two Types of Proxy Firewalls
    • Circuit level (Layer 5)
      • Like a SOCKS firewall, operates at the Layer 5 of the OSI model
    • Application level (Layer 7)
      • Layer 7 firewall
      • Conducts various proxy functions for each type of application at the Layer 7 of the OSI model
      • Example:
        • Can be used to read and filter HTTP traffic differently that it would do for FTP traffic.
        • Uses a deeb packet analysis
          • Creates a larger impact to the performance and efficiency of our firewalls
          • Allows traffic to go through the network much more slowly
      • Best position ed inside of your network when they're located as closely as possible to the application server that you're trying to protect

• Kernel Proxy Firewalls

  • Minimal impact on network performance, full inspection of packets at every layer
  • Placed close to the system they protect for the best and most efficient use of them

Firewall Evolutions

• Next Generation Firewall (NGFW)

  • Application-aware
    • distinguish between different types of traffic
    • Aims to address the limitations of traditional firewalls by being more aware of applications and their behaviors
  • Conduct deep packet inspection and use signature-based intrusion - protection measures
  • Operate fast within minimal network performance impact
  • Offer full-stack traffic visibility
    • More granular control over the traffic
  • Can integrate with other security products
    • Can be a problem if organizations become reliant on a single vendor due to firewall configurations tailored to one product line
  • Much more complex to manage but do add a lot of security

• Unified Threat Management (UTM) Firewall

  • Combines multiple security functions in a single device or network appliance
  • Functions include
    • Firewalls
    • Intrusion Detection - Prevention
    • Gateway antivirus and antispam
    • Virtual Private Network (VPN) concentration
    • Content filtering
    • Load balancing
    • Data loss prevention
  • Reduces the number of devices that managers need to learn and maintain
  • Advantages of UTM Firewalls
    • Lower upfront costs, maintenance, and power consumption
    • Simplified installation and configuration
    • Full integration with multiple benefits
  • Disadvantages of UTM Firewalls
    • Are a single point of failure
      • If that device fails, you lose all functions attached to it
      • We could lose our entire security stack
    • UTM lacks the depth of specialized tools and occasionally exhibits less efficient performance
      • UTMs use separate individual engine
      • NGFW uses a single more efficient engine

• Web Application Firewall (WAF)

  • Focuses on inspecting HTTP(S) traffic
  • Prevents common web application attacks like cross-site scripting and SQL injections
  • WAF can function as standalone appliances or as software integrated into web servers
  • Can be placed
    • In-line (live attack prevention)
      • Device sits between the network firewall and the web servers
      • Can prevent live attacks but they will also slow down your web traffic, and sometimes, they'll block legitimate traffic by mistake.
    • Out of band (detection)
      • Device receives a mirrored copy of web server traffic
      • Using a mirror or SPAN port off of a switch
      • This is a very non-intrusive way to conduct your web application filtering, but in this configuration it cannot block live web traffic.
      • It works more like an intrusion detection system
        • It sees all this information and it can alert on it but it cannot directly prevent it.

Layer based Firewalls

• Layer 4 Firewall
  • Operates at the transport layer
  • Filters traffic based on port numbers and protocol data
• Layer 7 Firewall
  • Operates at the application layer
  • Inspects, filters, and controls traffic based on content and data characteristics