Most organizations rely on firewalls for their network security needs. A firewall can be defined as a network security system that allows cybersecurity professionals to monitor and control network traffic. In other words, a firewall sets the boundary between the internal and external networks. There are two main types of firewalls:
Network-based firewalls: These are typically positioned at the gateway points of LANs, intranets or WANs, usually as dedicated hardware appliances (hardware firewalls).
Host-based firewalls: These run on the network host itself and filter all traffic to and from that host. A host-based firewall can be part of the operating system or an agent application, and it offers an additional layer of security.
Packet filtering firewall
Packet filtering firewall is a network security technique that is used to control data flow to and from a network using predefined rules.
The packet filtering firewall checks access control lists (ACLs) that classify packets by upper-layer protocol ID, source and destination port numbers, source and destination IP addresses, and the route the packet is taking. For each IP packet it compares these header fields against the ACL.
In other words, the firewall examines the information contained in the IP, TCP or UDP header and then decides, based on the ACL, whether to accept or drop the packet.
Additionally, it applies a default policy, set by the administrator, to packets that match no ACL entry; in the configuration described here, that default lets such packets pass.
Packet filtering is usually an effective defence against attacks from computers outside a local area network (LAN). As most routing devices have integrated filtering capabilities, packet filtering is considered a standard and cost-effective means of security.
Working
Information passes through a network in small pieces called packets, which travel independently across IP networks. A packet passes through a filtering node only if it matches the predefined filtering rules; otherwise it is dropped. The filtering rules applied by a network-layer packet filtering firewall are therefore an efficient security mechanism.
Packet filtering controls (allows or drops) packet transfer based on the following criteria.
The address the packet is coming from.
The address the packet is going to.
The protocol or application rules set for transferring the data.
A packet-filtering firewall can be distinguished into the following types based on the usage of rules:
Static packet filtering firewall: In this type of firewall the rules are established manually, and the connection between the internal and external networks is left open or closed at all times until it is changed manually.
Dynamic packet filtering firewall: This is a more intelligent way of filtering, as rules can be changed dynamically depending on conditions, and ports are opened only for a specific time and otherwise remain closed.
Stateful packet filtering firewall: It maintains a table of connection state to keep each connection secure, and packets pass through in the sequence approved by the filter rules.
Advantages
Packet filtering is an efficient defence system against intrusions from computers or networks outside a local area network (LAN).
It is also a standard and cost-effective means of protection, as most routing devices already possess integrated filtering capabilities, so there is no need to install a new firewall device.
Need only one router: The key advantage of packet filtering is that a single screening router is enough to protect an entire network.
Highly efficient and fast: A packet filtering router works very fast, accepting or rejecting packets quickly based on source and destination ports and addresses, whereas other firewall techniques are more time-consuming.
Transparent to users: Packet filtering works independently, without any need for user knowledge or cooperation. Users do not notice the filtering until something is rejected. By contrast, other firewalls require custom software, configuration of client machines, or specific training or procedures for users.
Built-in packet filtering in routers: Packet filtering capabilities are built into widely used hardware and software routing products. Most sites already have packet filtering available in their existing routers, which also makes this technique the least expensive one.
Disadvantages
Filtering based on IP address or port information: The biggest disadvantage of packet filtering is that its decisions rest only on IP addresses and port numbers, not on information such as context or application content.
Packet filtering is stateless: Another big disadvantage is that a packet filter keeps no memory of previous packets or of the connections they belong to. It evaluates every packet in isolation, which makes it easier for attackers to get traffic past the firewall.
No safety from address spoofing: Packet filtering does not protect against IP spoofing, in which attackers forge the source IP address of packets to get into the network.
Not a perfect option for all networks: Implementing complex or fine-grained filters with packet filtering becomes difficult or very time-consuming, and managing and configuring ACLs can become hard.
PACKET FILTERING FIREWALL EXAMPLE
Packet filters act on the source and destination IP addresses and port numbers present in each TCP/IP packet. You can set rules allowing access only from familiar, established IP addresses and denying access from all unknown or unrecognized IP addresses.
For example, if you set rules denying outsiders access to port 80, you would block all outside access to the HTTP server, as most HTTP servers run on port 80. Alternatively, you can set packet filtering rules permitting packets destined for your mail or web server and rejecting all other packets.
Despite their weaknesses, packet filtering firewalls are widely used because they are lightweight and inexpensive. They control the movement of packets according to a set of rules defined by the user and protect the network from unwanted intrusions or attacks. Thus, a packet filter acts as a powerful security tool and provides a good level of security to the network.
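As an added illustration (not code from the original post), the following Python simulates the stateless ACL evaluation described above, using the rules from the example (deny outside access to port 80, permit only packets for the web and mail servers, plus an anti-spoofing rule for the disadvantage noted earlier). The addresses, rule set and default policy are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample network: 192.0.2.0/24 (a documentation range) is the internal LAN.
INTERNAL = ip_network("192.0.2.0/24")
WEB_SERVER, MAIL_SERVER = "192.0.2.10", "192.0.2.25"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp" (the upper-layer protocol ID)
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR; None matches any source
    dst: Optional[str] = None       # CIDR; None matches any destination
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))

# ACL applied to packets arriving from outside; the first matching rule wins, like a router ACL.
INBOUND_ACL = [
    Rule("deny", proto="tcp", dport=80),                     # no outside access to HTTP
    Rule("deny", src=str(INTERNAL)),                         # internal source seen from outside: spoofed
    Rule("permit", proto="tcp", dst=f"{WEB_SERVER}/32", dport=443),
    Rule("permit", proto="tcp", dst=f"{MAIL_SERVER}/32", dport=25),
]

def filter_packet(p: Packet, acl=INBOUND_ACL, default: str = "deny") -> str:
    """Return 'permit' or 'deny' for one packet, judged from its headers alone.

    Every packet is evaluated in isolation (stateless). `default` is the policy
    for packets that match no ACL entry; the post describes a default that lets
    such packets pass, but denying them is the safer and more common choice.
    """
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default
```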
Proxy Firewall (Application Level Gateways)
A proxy firewall is a network security system that protects network resources by filtering messages at the application layer.
A proxy firewall is also a proxy server, but not all proxy servers are proxy firewalls.
A proxy server acts as an intermediary between clients and servers. It can cache web pages to reduce bandwidth demands, compress data, filter traffic and detect viruses. A proxy server can also be used to hide user information or to connect to services that would be blocked.
On the other hand, a proxy firewall inspects all network traffic to detect and protect against potential threats. It can also detect network intrusion and enforce security policies.
Proxy firewall vs. traditional firewall
A proxy firewall acts as a gateway between internal users and the internet. It can be installed on an organization's network or on a remote server that is accessible by the internal network. It provides security to the internal network by monitoring and blocking traffic that is transmitted to and from the internet.
In contrast, a traditional firewall acts as a gateway between two networks. By blocking unwanted external traffic, a traditional firewall protects the computers and networks behind it from unauthorized access and attacks.
Filtering at the application level
Proxy firewalls filter traffic at the application layer, which is Layer 7 of the Open Systems Interconnection model.
The technology is similar to traditional packet filtering firewalls, but proxy firewalls add an extra level of protection.
A proxy firewall has its own Internet Protocol (IP) address, so an outside host never receives packets directly from the sending internal network.
Proxy firewalls are often used as the first layer of defence in a secure web or application infrastructure. In this regard, they protect the network from external threats, while ensuring that internal web services and applications can be used safely with no impact on performance.
How are proxy firewalls used?
Proxy firewalls protect critical systems from unauthorized access. They act as a barrier between authorized users and unauthorized users. Proxy firewalls can be deployed within a hardware device, such as a router or firewall. They can also help accomplish the following:
ensure that only authorized users have access to the resources of a computer network;
filter out unwanted messages and packets on the network; and
protect against network intrusion and espionage.
Proxy firewalls are also used to restrict access to sensitive sites or sites that are only relevant to specific users. For example, a proxy firewall can be used to prevent employees from accessing Facebook or Twitter during working hours, while still allowing them access to their accounts.
Proxies can be installed in the network itself -- between the internet and the internal network -- or on each computer.
Advantages
Security. Proxy firewalls are the most secure type of firewall because they prevent direct network contact with other systems. As previously mentioned, because it has its own IP address, the proxy firewall keeps external hosts from receiving packets directly from the sending network.
Logging capabilities. Proxy firewalls can examine the entire network packet, rather than just the network address and port number. This capability provides extensive logging capabilities -- a valuable resource for security administrators when dealing with security incidents.
Threat assessment. Marcus J. Ranum is given credit for coming up with the idea of a proxy firewall. He described it as an easier way for programmers to assess the threat levels of application protocols and deploy error and attack detection and validity checking.
Control and granularity. Another advantage of proxy firewalls is they offer more control and granularity than other types of firewalls. This is because they can be configured to apply levels of security to individual users and groups and contain access logs for detailed reports on user activities.
Disadvantages
Challenging to use. The main problem with proxy firewalls is that they are difficult to use. Many users disable them when they become frustrated that the applications they are using are unable to access the internet.
Slow performance. Proxy firewalls can slow internet connections. Because they operate as a third party between the internet and the computer or device in use, they establish an additional connection for each outgoing and incoming packet. As a result, the firewall can become a bottleneck and slow performance.
Single point of failure. For the same reason that they slow performance, proxy firewalls can also become a single point of failure in the system.
EXAMPLES OF A PROXY FIREWALL’S WORK
All types of proxy firewalls monitor traffic for layer 7 protocols, such as Simple Mail Transfer Protocol (SMTP), HyperText Transfer Protocol (HTTP) and File Transfer Protocol (FTP). Proxy servers are often implemented as dual-homed bastion hosts that run sets of proxy agents. A bastion host is a system that is expected to come under direct network attack, usually from the internet. Further examples of protocols handled by proxy firewalls are the Internet Control Message Protocol (ICMP) and the Domain Name System (DNS).
More often than not, only one computer in a proxy firewall network has a direct connection to the internet. The other computers in this setup reach the internet through that main computer, which acts as a gateway. A working example of a proxy firewall follows: the gateway inside the firewall receives the client's request and forwards it to the remote server outside the firewall; the server's response is then read and returned to the client, or the client is told that access has not been granted.
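As an added example that is not part of the original post, this Python function shows the application-layer inspection a proxy firewall performs on a client's HTTP request before forwarding it: it parses the request head, enforces a constructed policy (allowed methods and the blocked-site example above) and produces the kind of log line mentioned under Advantages. A packet filter that sees only IP addresses and ports could make none of these decisions. The policy values, the client address and the log format are assumptions.

```python
from datetime import datetime, timezone

# Constructed policy standing in for the proxy's configuration.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
BLOCKED_HOSTS = {"facebook.com", "twitter.com"}   # the working-hours example from the post
MAX_REQUEST_LINE = 8192

def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head; raise ValueError if it is not well-formed HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request head")   # e.g. TLS or binary tunnelled on port 80
    lines = text.split("\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def inspect_request(raw: bytes, client_ip: str) -> dict:
    """Decide whether the proxy forwards this request and build its log entry."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    try:
        method, target, headers = parse_request(raw)
    except ValueError as err:
        return {"allow": False, "reason": str(err), "log": f"{stamp} {client_ip} DENY - - {err}"}
    host = headers.get("host", "").split(":")[0].lower()
    if method not in ALLOWED_METHODS:
        reason = f"method {method} not allowed"
    elif not host:
        reason = "missing Host header"
    elif host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        reason = f"host {host} blocked by policy"
    else:
        reason = "ok"
    allow = reason == "ok"
    verdict = "ALLOW" if allow else "DENY"
    return {"allow": allow, "reason": reason, "log": f"{stamp} {client_ip} {verdict} {method} {host} {target}"}
```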
Stateful Inspection Firewalls
Stateful inspection is a technology that controls the flow of traffic between two or more networks.
Stateful inspection firewalls, in addition to verifying and keeping track of established connections, also perform packet inspection to provide better, more comprehensive security.
They work by recording the source IP, destination IP, source port and destination port of each connection in a state table once the connection is established.
Using this information they create rules dynamically to allow the expected incoming traffic, instead of relying only on a hardcoded set of rules.
They drop data packets that do not belong to a verified active connection.
Stateful inspection firewalls check for legitimate connections as well as source and destination IPs to determine which data packets can pass through. Although these extra checks provide advanced security, they consume a lot of system resources and can slow down traffic considerably. Hence, they are prone to DDoS (distributed denial-of-service) attacks.
Stateful packet inspection is also known as dynamic packet filtering and it aims to provide an additional layer of network security.
This is sometimes called session-level protection, because these firewalls keep state information for each network session and make allow/deny decisions based on a session state table. Stateful inspection firewalls track the state of sessions and drop packets that are not part of a session allowed by a predefined security policy.
What is the benefit of implementing stateful inspection?
Before stateful inspection became mainstream, a similar technology called static packet filtering was in use. This older alternative checks only the headers of packets to determine whether they should be allowed through the firewall. As a result, an attacker can simply mark a packet as a "reply" in its header to get it through and extract information from the network. Stateful inspection, by contrast, carries out a more sophisticated investigation, which is why it also analyzes the application layer of the packets. A dynamic packet filter such as stateful inspection offers networks a better security posture by recording session information such as port numbers and IP addresses.
In other words, stateful inspection is better at keeping the intruders away from your network since it uses a more refined technology.
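As an added example (not from the original post) covering both the state-table description above and the "reply" weakness of static filtering, this Python class keeps a TCP session table keyed by the connection's addresses and ports, creates an entry only when an inside host opens a connection with a SYN, and drops any outside packet that belongs to no known session, including one that merely carries the ACK flag to look like a reply. The internal address range and the flag sets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # constructed internal network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset    # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}

class StatefulFilter:
    """Tracks TCP sessions opened from inside; outside packets pass only if they belong to one."""

    def __init__(self):
        # state table: (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.sessions = {}

    @staticmethod
    def _key(p: Packet, outbound: bool):
        # Normalise both directions of a connection to the same key.
        return (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        outbound = ip_address(p.src) in INTERNAL
        key = self._key(p, outbound)
        state = self.sessions.get(key)
        if state is None:
            if outbound and p.flags == {"SYN"}:   # only a proper open from inside creates state
                self.sessions[key] = "SYN_SENT"
                return "permit"
            # Unknown session: dropped, including an outside packet that only carries
            # ACK to pose as a "reply" (the weakness a static packet filter has).
            return "deny"
        if state == "SYN_SENT" and not outbound:
            if p.flags == {"SYN", "ACK"}:
                self.sessions[key] = "ESTABLISHED"
            elif "RST" not in p.flags:
                return "deny"                     # inbound data before the handshake completes
        if "FIN" in p.flags or "RST" in p.flags:
            del self.sessions[key]                # remove the entry on teardown
        return "permit"
```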