Firewall Overview

Dan Covic
7 min read · Jul 10, 2023

This article will give you a glimpse of the nature and functionality of a firewall.

Introduction

In the broadest sense, a firewall is a mechanism that governs the traffic passing through it, allowing you to dictate what kind of traffic is allowed or denied between the firewalled infrastructure and the outer network.

To be effective, a firewall has to be configured properly; a poorly configured firewall just becomes another vulnerability.

It is an essential component of IT security and the first line of defense against the network outside the protected perimeter.

Rules and Policies

A rule controls what kind of traffic is allowed, or denied.

For example, let’s take a look at a rule allowing inbound TCP traffic on port 8080 (Linux & Windows).

On Linux, the most common tool to manage the firewall is iptables, which will be used for the example below.

  • iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT

Let’s break it down:

  • -A INPUT: Append a new rule to the end of the INPUT chain.
  • -i eth0: The interface on which the traffic arrives.
  • -p tcp: Specified protocol.
  • --dport 8080: Destination port to which the traffic arrives.
  • -j ACCEPT: Action for the configured rule.

On Windows, while you could use the Windows Defender Firewall GUI to manage firewall rules, when working with rules in bulk you are better off using PowerShell.

The following example will use PowerShell Splatting to create a firewall rule:

[Image: firewall rule (PowerShell splatting example creating a firewall rule)]

Let’s break it down:

  • Name, DisplayName, Description: Parameters taking descriptive information, where Name and DisplayName follow the default Windows Firewall naming scheme.
  • Enabled: Status of the rule, i.e. whether the rule will be enabled. (You can create rules and decide to enable them later.)
  • Profile: Windows Firewall profiles the rule will apply to.
  • Direction: Direction of the traffic the rule applies to.
  • Action: Whether traffic matching this rule will be allowed or denied.
  • Protocol: Specified protocol.
  • LocalPort: Local port the rule applies to.

A ruleset is a collection of rules describing the traffic flow. A policy states how the rulesets should behave: how loose or strict the traffic constraints are and what kind of traffic is allowed.

Below are examples of default iptables (main and nat tables) and Windows Defender Firewall policies:

When using appliances, the GUI interfaces and shell firewall management syntaxes vary from vendor to vendor.
On Windows and Linux you can also use various third-party firewalls.

Firewall States

Stateless and stateful firewall types describe what aspects of the transport layer they use to filter traffic.

Stateless firewalls filter packets one by one and look only for source and destination information. They lack full visibility into the traffic that goes through.

Stateful firewalls filter sessions of packets. The connection initiating packets determine whether the rest of the packets are allowed through without further inspection. Both firewall types have their pros and cons.

There are also the Next-Generation firewalls, which use more advanced techniques to detect and prevent more complicated attacks.

Stateless Firewall

Stateless firewalls decide whether to drop a packet by comparing each packet individually against an access control list. A benefit of this approach is that it is not very resource-intensive. Since stateless firewalls only deal with a single packet at a time and lack full session visibility, they are unable to protect against any attack that is split across multiple packets.

This means that if suspicious traffic arrives on an approved port, say port 80, a stateless firewall will happily let it through, since the rule says that inbound port 80 is allowed.

Stateless firewalls operate at Layer 3 of the OSI model and are also called network firewalls.

Stateful Firewall

A stateful firewall, in addition to applying the rules already described for the stateless firewall, also analyzes traffic streams. This allows it to understand the TCP connection type or whether a packet is fragmented.

A stateful firewall determines whether packets are related: once the first packets have been granted passage, it opens a session, and subsequent packets belonging to that session are passed faster, because the session-initiating packet already matched the defined rules.

This means that malicious packets that would previously have gotten through port 80 are now scrutinized further, and if the firewall sees that something is off within the application layer, the connection is dropped.

Note: The application layer is the 7th layer in the OSI Model.

Due to the additional processing, stateful firewalls are not well suited to handling large numbers of connections and present an easier target for DDoS attacks. Thus, having a beefier stateless firewall do the simple heavy lifting is the preferred approach.

NOTE: A DDoS (Distributed Denial of Service) attack is a scenario where many internet-connected devices are pointed at a single target; by overwhelming the victim, the attacked service is made non-functional or unavailable.

Next-Gen

Next-Generation Firewalls (NGFW) are taking the old single-purpose service to a new level, by adding features useful in a modern networking environment, such as Intrusion Detection and Prevention Systems (IDPS), Deep Packet Inspection (DPI), visibility of the entire network, ability to communicate with other security and/or reporting tools and more, thereby providing a more comprehensive all-in-one solution.

Often, firewall is seen as too narrow a term for these products, and they are instead called security solutions, a more generic term for an array of security features packed into a single package.

Allow and Block Listing

There are two main approaches on how to manage your firewall policies.

  • Default Allow: In this case, everything is allowed unless specifically denied. You block a malicious IP address or a set of malicious IP addresses. Configuring your firewall this way does not take much effort, but in terms of security, it does not provide the best protection either. The attacker will just assume a new IP address if they are determined to get in.
  • Default Deny: Everything is blocked except the traffic that has been explicitly defined in the rulesets. This takes a great amount of effort, especially when trying to implement it in a large environment. The firewall rulesets have to be constantly updated and you must have the knowledge to distinguish the necessary traffic, so you would not end up in a scenario where you are blocking your own employees and/or company partners, instead of potential malicious actors.
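To make both distinctions concrete (stateless versus stateful filtering from the Firewall States section, and the Default Allow / Default Deny choice above), here is a toy packet filter written as an added example for this article; it is a simulation, not code from iptables, Windows Defender Firewall or any product, and its packets, rules and addresses are constructed sample data. It assumes inbound traffic only and that a TCP session begins with a SYN packet.

```python
# Toy packet filter written for this article (not code from iptables, Windows
# Firewall or any product) to illustrate stateless vs. stateful filtering and
# default-allow vs. default-deny. Assumed: inbound traffic only, TCP sessions start with a bare SYN.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    sport: int = 40000
    flags: str = ""              # TCP flags such as "SYN" or "ACK"; empty for UDP

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None means "match any"
    dport: Optional[int] = None
    src: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        wanted = {"proto": self.proto, "dport": self.dport, "src": self.src}
        return all(v is None or getattr(p, k) == v for k, v in wanted.items())

class Firewall:
    """Rules are consulted in order, like an iptables chain; the default policy
    applies when none matches. In stateful mode only TCP SYN packets are checked
    against the rules; other TCP packets pass only inside an admitted session."""
    def __init__(self, rules: List[Rule], default: str = "DROP", stateful: bool = False):
        self.rules, self.default, self.stateful = rules, default, stateful
        self.sessions: Set[Tuple[str, int, int]] = set()   # (src, sport, dport)

    def _acl(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

    def filter(self, p: Packet) -> str:
        if not (self.stateful and p.proto == "tcp"):
            return self._acl(p)            # stateless: every packet judged on its own
        key = (p.src, p.sport, p.dport)
        if key in self.sessions:
            return "ACCEPT"                # known session: fast path, no rule lookup
        if p.flags != "SYN":
            return "DROP"                  # mid-stream packet with no session behind it
        verdict = self._acl(p)
        if verdict == "ACCEPT":
            self.sessions.add(key)         # rules matched the SYN: open the session
        return verdict
```

Feed both instances a stray ACK to port 80: the stateless one accepts it because the port rule matches, while the stateful one drops it because no admitted session exists for it. A default-allow instance with one blocked source address lets the same traffic through as soon as the source changes, whereas a default-deny instance only passes the ports explicitly listed.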

Firewall Form Factors

Depending on the use case, there are different options to choose from when deciding which kind of firewall you need for a particular scenario.

  • Small combo devices: The router in your home has a built-in firewall, which may be configured and managed by your ISP if the device was purchased or rented from the ISP. Depending on the ISP, they may give you access to the device so you can manage the firewall yourself, or you can buy your own device and manage it yourself.
    These small, cheap devices are meant for a very small user base. They are suitable for home use and could also handle a small office.
  • Software-defined networking: In the age of cloud computing, users can manage virtual firewalls via a GUI and possibly via an API in the cloud environment.
  • Appliances: For a larger environment with a lot of traffic, you may want to consider purchasing a firewall in the form of an appliance. Appliances have traditionally been rack-mounted hardware, although today they can also be software packages. Depending on your networking needs, you may want to use a third-party firewall product when working inside a software-defined network, instead of the default offering.
    Appliances are usually black boxes with set hardware and fixed software. The manufacturer provides support for the hardware and the OS on it, while the consumer has limited access to the core function of the device. The user can access a set of functionality on the shell or via the web interface.
    NOTE: Black box: A device the consumer does not have full access to, making it difficult to know what is going on inside it. The consumer relies on the service provider to keep the appliance running.
    These appliances are usually tiered: the more you are willing to pay, the more performance you get. You should spend some time figuring out how powerful a firewall you need for your environment.
  • OS integrated firewall: Every desktop and server operating system has firewall functionality built in, allowing further protection from possible threats within the network. These are by default very permissive, allowing either a lot of traffic through or all of it.
    NOTE: While having an additional firewall on the host in addition to the network firewall may seem a bit excessive to some, having overlapping controls to protect sensitive information may be necessary, or even required, depending on the policies and/or legal requirements in place.
  • Web Application Firewall (WAF): These firewalls are made to handle HTTP traffic in particular. A higher-level firewall may or may not know about the specific attacks performed against a web server, while a WAF can be configured to mitigate possible vulnerabilities on the website.

That’s a wrap!

Source: RangeForce
