WHAT IS A FIREWALL? HOW DOES IT WORK? TYPES OF FIREWALL.

Xan
8 min read · Aug 15, 2021


Hey guys, welcome back to my blog. I hope my previous blogs were somewhat helpful to you. Today I want to talk a little about firewalls. So, let’s get to it…

What is a Firewall?

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules, or more precisely an ACL, i.e. an “Access Control List”. It acts as a safety barrier between the secured, trusted private network and an untrusted public network such as the Internet, where malicious software and attackers relentlessly try to get access to our important and personal data.

How Does it Work?

A firewall resides at the junction or gateway between two networks (i.e. the private and the public network). Generally, firewalls work at layer 3 and layer 4 of the OSI model (the Network and Transport layers respectively). The firewall examines all incoming and outgoing traffic and blocks whatever does not meet the criteria of the specified security rules (i.e. the ACL). These rules can be based on a number of things, such as:

i) IP Address

ii) Domain Names

iii) Protocols

iv) Programs

v) Ports

vi) Keywords

etc…

(Image: how an ACL looks)

Firewalls have been the first line of defense in network security for over 25 years now. A firewall filters incoming traffic by the rules that are configured and customised by the network administrator, who decides what comes in and what goes out of the internal network. So it is a very important job. It is essential for homes and small businesses to have a well-configured firewall on their systems. It is even more important for big organizations, as many more servers and computers are attached to their networks, and the firewall keeps them safe by blocking or denying malicious traffic.

(Image: how a firewall works)

Types of Firewall :

Firewalls can be hardware, software or both, depending on their structure. Each type of firewall has different functionality but the same purpose.

However, it is best practice to have both a hardware and a software firewall to achieve the maximum possible protection.

(Image: hardware and software firewall, the best-practice setup)

Hardware Firewall :

A hardware firewall is either a dedicated stand-alone hardware device or comes as part of a router. It is a physical device that sits between a computer network and a gateway, for example a broadband router. Network traffic is filtered using the packet filtering technique. Hardware firewalls are typically used to filter network traffic for large business networks.

(Image: hardware firewall)

Software Firewall :

A software firewall is a software program installed on a computer, just like any normal software. It is generally used to filter traffic for individual home users or small businesses. It only filters traffic for the computer on which it is installed, not for the whole network.

(Image: software firewall for home use)

Besides these, there are many other types of firewalls, depending on their features and the level of security they provide. The following firewall techniques can be implemented as software or hardware:

  • Packet-filtering Firewalls
  • Circuit-level Gateways
  • Application-level Gateways (Proxy Firewalls)
  • Stateful Multi-layer Inspection (SMLI) Firewalls
  • Next-generation Firewalls (NGFW)
  • Threat-focused NGFW
  • Network Address Translation (NAT) Firewalls
  • Cloud Firewalls
  • Unified Threat Management (UTM) Firewalls

  • Packet-filtering Firewalls :

Packet filtering firewalls work at the Network layer of the OSI model. They are usually part of the router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message back to the originator. We have already talked about the ACL in the “How does it work?” section of this article.

  • Circuit-level Gateways :

Circuit-level gateways work at the 5th layer, the Session layer, of the OSI model, or more specifically at the TCP layer of TCP/IP. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. They monitor requests to create sessions and determine whether the sessions will be allowed. Circuit proxy firewalls allow or prevent whole data streams; they do not filter individual packets.

  • Application-level Gateways (Proxy Firewalls) :

Application-level gateways (proxies) can filter packets at the 7th layer, the Application layer, of the OSI model. Incoming and outgoing traffic is restricted to the services supported by the proxy; all other service requests are denied. An application-level gateway configured as a web proxy will not pass FTP, gopher, telnet or other traffic. It examines traffic and can filter on application-specific commands such as HTTP POST and GET.

  • Stateful Multi-layer Inspection (SMLI) Firewalls :

Stateful Multi-layer Inspection firewalls combine aspects of the other three types of firewall (i.e. packet filtering, circuit-level gateways and application-level gateways). They filter packets at the Network layer of the OSI model, determine whether session packets are legitimate, and evaluate the contents of packets at the Application layer. In most cases, SMLI firewalls are implemented as an additional security level. These firewalls perform more checks and are considered more secure than stateless firewalls. This is why stateful packet inspection is implemented alongside many other firewall techniques, to track the state of all internal traffic.
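To make the difference between stateless and stateful filtering concrete, here is an added example (not code from the original post) of a minimal connection-tracking filter. It assumes constructed sample packets, a LAN prefix of 192.168.1.0/24 and a policy of “LAN hosts may open connections; the outside may only reply to them”.

```python
from dataclasses import dataclass

# Constructed packet model for the example; not from the original post.
@dataclass(frozen=True)
class Packet:
    direction: str  # "out" leaves the LAN, "in" enters it
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def stateless_filter(p: Packet) -> str:
    """A stateless ACL cannot know whether an inbound packet is a reply, so to
    let web replies through it must allow *every* inbound TCP packet with
    source port 443, including ones nobody on the LAN asked for."""
    if p.direction == "out":
        return "allow"
    return "allow" if p.proto == "tcp" and p.sport == 443 else "drop"

class StatefulFilter:
    """Track sessions opened from the LAN and admit only their replies."""

    def __init__(self, lan_prefix: str = "192.168.1."):
        self.lan_prefix = lan_prefix
        self.table: set[tuple] = set()  # 5-tuples of flows the LAN initiated

    def _key(self, p: Packet) -> tuple:
        # Normalise so a reply maps to the same key as the request it answers.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if p.direction == "out" and p.src.startswith(self.lan_prefix):
            self.table.add(key)      # LAN host opened (or continues) a session
            return "allow"
        if p.direction == "in" and key in self.table:
            return "allow"           # reply to a session the LAN started
        return "drop"                # unsolicited, even from a "trusted" port
```

A packet forged with source port 443 but aimed at a LAN port that never spoke to that host passes the stateless rule and is dropped by the stateful one.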

  • Next-generation Firewalls (NGFW) :

Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.

According to Gartner, Inc.’s definition, a next-generation firewall must include:

  • Standard firewall capabilities like stateful inspection
  • Integrated intrusion prevention
  • Application awareness and control to see and block risky apps
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats

While these capabilities are increasingly becoming the standard for most companies, NGFWs can do more.

  • Threat-focused NGFW :

According to Cisco:

These firewalls include all the capabilities of a traditional NGFW and also provide advanced threat detection and remediation. With a threat-focused NGFW one can:

  • Know which assets are most at risk with complete context awareness.
  • Quickly react to attacks with intelligent security automation that sets policies and hardens one’s defenses dynamically.
  • Better detect evasive or suspicious activity with network and endpoint event correlation.
  • Greatly decrease the time from detection to cleanup with retrospective security that continuously monitors for suspicious activity and behaviour even after initial inspection.
  • Ease administration and reduce complexity with unified policies that protect across the entire attack continuum.

  • Network Address Translation (NAT) Firewalls :

Network Address Translation separates IP addresses into two sets and lets the LAN use one set for internal traffic and the other for external traffic. It also works together with the router, in the same way packet filtering does. NAT additionally modifies the packets the router sends: it can change the address of a packet so that it appears to have arrived from a valid public address. This limits the number of public IP addresses an organization needs to use.

NAT firewalls are primarily designed to give devices access to the Internet while blocking all unwanted inbound connections. They hide the IP addresses of our devices, keeping them safer from attackers. When multiple devices connect to the Internet, the NAT firewall presents a single public IP address and hides the individual devices’ addresses behind it. As a result, one IP address is used for all devices. By doing this, NAT firewalls shield the internal network addresses from attackers scanning the network for reachable IP addresses, which gives enhanced protection against suspicious activities and attacks.
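An added example (not from the original post) of the translation table behind the paragraph above: outbound packets leave with the shared public address and a freshly allocated port, and an inbound packet is forwarded only if it answers an existing translation. The public address 203.0.113.1 and the port range are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed packet model for the example; not from the original post.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    """Port-address translation: many LAN hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.out_map: dict[tuple, int] = {}
        # public port -> (private ip, private port, remote ip, remote port)
        self.in_map: dict[int, tuple] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        # The packet leaves with the shared public address; the LAN host is hidden.
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet):
        """Return the rewritten packet, or None if it must be dropped."""
        entry = self.in_map.get(p.dport)
        # Only a reply to an existing translation has a mapping; an unsolicited
        # connection to the public address has nowhere to go and is dropped.
        if entry is None or (entry[2], entry[3]) != (p.src, p.sport):
            return None
        priv_ip, priv_port, _, _ = entry
        return replace(p, dst=priv_ip, dport=priv_port)
```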

  • Cloud Firewalls :

As the name implies, a cloud firewall is a firewall that is hosted in the cloud. The most significant advantage of cloud firewalls is scalability. Because cloud firewalls are not tied to physical resources on site, they are easy to scale according to the organization’s demand or traffic load. If demand increases, additional capacity can be added on the cloud side to filter the extra traffic. This model is also known as FaaS, Firewall-as-a-Service.

Cloud firewalls block cyber attacks directed at the cloud platforms and infrastructure. Cloud-based firewalls form a virtual barrier around cloud platforms, infrastructure, and applications, just as traditional firewalls form a barrier around an organization’s internal network. Deploying a cloud firewall is like replacing a bank’s local security cameras and a physical security guard with a global 24/7 security centre that has a centralized staff and security camera feeds from all the places where a bank’s assets are stored.

  • Unified Threat Management (UTM) Firewalls :

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.

Firewall Limitations :

  1. A firewall does not protect the network from new viruses, backdoors or insider attacks.
  2. A firewall cannot do anything if the network design and configuration are faulty.
  3. A firewall is not an alternative to antivirus or anti-malware software.
  4. Firewalls cannot prevent social engineering threats.
  5. A firewall does not prevent password misuse.
  6. A firewall does not block attacks at a higher level of the protocol stack than it inspects.
  7. A firewall does not protect against attacks from dial-in connections or attacks originating from allowed ports or applications.
  8. Firewalls are unable to understand tunneled traffic.

Some questions related to Firewall :

  1. What is Implicit Deny?

By default, if traffic is not explicitly allowed by a rule in the Access Control List, the firewall is configured to drop the connection. This is what Implicit Deny means.

2. What is the difference between Firewall DENY and DROP?

When a firewall is set to DENY a connection, it blocks the connection and sends a “Reset (RST)” packet back to the requester (i.e. the source).

When a firewall is set to DROP a connection, it simply discards the request without sending any message to the requester.

That is why it is good practice to DENY outbound traffic and DROP inbound traffic: internal hosts get an immediate answer, while a malicious hacker probing from outside learns nothing about the presence of the firewall.
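The ACL evaluation described in the “How does it work?” section and the implicit deny / DENY vs DROP behaviour explained in these two questions, as an added example that is not from the original post. The rule set, addresses and the split “drop unmatched inbound, deny unmatched outbound” default are assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed packet and rule types; not from the original post.
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str              # "allow", "deny" (send RST) or "drop" (silent)
    direction: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Rules are evaluated top to bottom and the first match wins (constructed sample ACL).
ACL = [
    Rule("allow", "in", "tcp", dst="203.0.113.10/32", dport=443),   # public web server
    Rule("allow", "out", "tcp", src="192.168.1.0/24", dport=443),  # LAN may browse HTTPS
    Rule("allow", "out", "udp", src="192.168.1.0/24", dport=53),   # LAN may resolve DNS
    Rule("deny", "out", "tcp", dport=23),                          # telnet out: deny with RST
]

def evaluate(p: Packet, acl=ACL) -> str:
    """Return 'allow', 'deny' or 'drop' for a packet.

    Implicit deny: a packet matching no rule is never forwarded. Following the
    post's advice, unmatched inbound traffic is silently dropped (the firewall
    stays invisible to outside scanners) while unmatched outbound traffic is
    denied with a reset so internal hosts fail fast instead of timing out.
    """
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "drop" if p.direction == "in" else "deny"
```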

3. When we can write ACL(s) in a Router, why do we need a Firewall?

The primary function of a router is to route network traffic. If we add a packet filtering system such as a firewall onto the router, it will slow down the whole network. Hence, it is good practice to separate the filtering and routing functionality.

Conclusion :

Although a firewall has its limitations, it is a vital and essential part of network security, whether for a home, a small business or a big organization. It protects important, secret data from outside threats. So, everyone should have a firewall configured on their system.

This is it for now. I hope it all made sense. If you have any questions or suggestions for me, please let me know. I will be back with a new topic. Until next time.

Peace…

Xan

Certified Ethical Hacker, Certified Security Analyst, Security Researcher