Firewalls

The term "firewall" is not new, and is something most people will have heard of no matter their experience of networking or cyber security.

This familiarity is unfortunately also the cause of some misunderstanding about what a firewall is and what it can do.

The first thing to realise, is that a firewall can be a physical device, a piece of software, or a collaboration between multiple instances of hardware or software, and that it has subtly different meanings and functions in different contexts.

Broadly speaking, all firewalls monitor and filter network traffic based on a set of rules, and act as a barrier between networks. The firewall can be configured to allow traffic between the trusted internal network and the untrusted external network. The method of filtering depends on the type and capabilities of the firewall, as discussed below.

Types of Firewall

Here we will break down the most common types of firewall. The names we use here are probably the most common, but they aren't used universally and the lines between the different types are not always as clear as they are drawn here.

Personal Firewalls

Personal firewalls are most people's experience of a firewall. These are almost universally software rather than hardware, meaning you download and install them on your local PC, tablet or phone.

A personal firewall defends a single device, such as a PC or mobile phone, by controlling access to and from the network. Commonly this will be by allowing only certain connections from the network to the local device. It may also protect the device by allowing only certain applications to access the network.

In-Bound Connections

A typical personal firewall will protect a device from in-bound connections by limiting which network ports can be accessed. A port is simply a number that identifies a service and many common services have port numbers reserved for them. For example, if you send information to a device with the port number set to 80, you are probably expecting the information to be going to a web server. On a personal device, there is often very little need for any incoming connections like this, since it isn't common to run services such as web servers on your laptop or desktop PC. If you do need to have one of these services running, the firewall can be configured to allow connections to that port only.

Some personal firewalls will also limit the source of connections. If, for example, you run a back-up service on your desktop that other devices in the home send files to, you can limit incoming connections on the desktop to those arriving on the correct port from a fixed list of devices, specified by IP address.

Out-Bound Connections

Some personal firewalls will also limit connections to services from your device to others on the network.

At first this seems unhelpful, but there has been a growing number of cases where malware has accessed the network to receive instructions, send out personal files or data, or even launch attacks as part of a network of compromised machines known as a "botnet". So, if you download some software that seems innocuous and it suddenly wants to connect to the outside world, your personal firewall might be the one thing that prevents your device from being used by hackers to attack larger targets.
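The two halves of a personal firewall described above, inbound port and source filtering plus outbound per-application control, as an added example that is not part of the original article. The policy, host names, addresses and the `PersonalFirewall` class are all constructed for illustration; a real product enforces the same idea inside the operating system's network stack.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (network -> device) or "out" (device -> network)
    remote_ip: str       # source for inbound packets, destination for outbound
    port: int            # service port being contacted
    app: str = ""        # local program that owns the socket (outbound only)

@dataclass
class PersonalFirewall:
    # Inbound policy: port -> list of networks allowed to reach it.
    # An empty list means "anyone"; a port absent from the dict is closed.
    inbound_allow: dict = field(default_factory=dict)
    # Outbound policy: names of applications permitted to talk to the network.
    outbound_apps: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        return self._inbound(pkt) if pkt.direction == "in" else self._outbound(pkt)

    def _inbound(self, pkt: Packet) -> str:
        if pkt.port not in self.inbound_allow:
            return "DROP"                      # default deny: port not opened
        allowed = self.inbound_allow[pkt.port]
        if not allowed:
            return "ACCEPT"                    # open to any source
        if any(ip_address(pkt.remote_ip) in ip_network(n) for n in allowed):
            return "ACCEPT"
        return "DROP"                          # right port, wrong source

    def _outbound(self, pkt: Packet) -> str:
        # Unknown programs may not phone home, upload files or join a botnet.
        return "ACCEPT" if pkt.app in self.outbound_apps else "DROP"

# Constructed policy for a home desktop: a backup service on port 2222 for
# LAN devices only, and a small web service on 8080 reachable by anyone.
FIREWALL = PersonalFirewall(
    inbound_allow={2222: ["192.168.1.0/24"], 8080: []},
    outbound_apps={"firefox", "backup-agent"},
)

# Constructed traffic sample.
SAMPLE = [
    Packet("in", "203.0.113.5", 80),                      # nobody runs a web server here
    Packet("in", "192.168.1.20", 2222),                   # backup from a LAN device
    Packet("in", "203.0.113.5", 2222),                    # backup port from the Internet
    Packet("in", "198.51.100.7", 8080),                   # public service, any source
    Packet("out", "203.0.113.9", 443, app="firefox"),     # browser, allowed
    Packet("out", "203.0.113.9", 443, app="free-game.exe"),  # unknown program phoning home
]

def run_sample() -> list:
    """Apply the policy to every packet in SAMPLE and return the decisions."""
    return [FIREWALL.decide(p) for p in SAMPLE]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{verdict:6} {pkt}")
```

The last packet is the case the paragraph above warns about: the program is not on the outbound list, so its attempt to reach the outside world is dropped regardless of which port it chose.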

Network Firewalls

A network firewall performs many of the same functions as a personal firewall, but for the entire network. The firewall is commonly hardware, although software equivalents are also becoming common.

The firewall will be placed in the path between the local network and the wider network or Internet, and will make decisions about which traffic is allowed to pass and which is not.

There are two common types of network firewall: stateless and stateful.

Stateless Firewalls

Stateless firewalls make decisions about each unit of traffic (known as a "packet") based on nothing more than the information it contains: its source and destination. For example, the firewall might allow incoming packets to port 80 only if they are addressed to the web server. It might also disallow traffic going from the network to any destination on a blacklist, in order to prevent people accidentally using sites that distribute malware or try to fool users into revealing personal data.

The firewall might include other controls and features, such as rate limits and so on.

Stateful Firewalls

A stateful firewall does much the same as a stateless firewall but with more information available to it to make decisions. This information is the state of connections in the network.

For example, if the firewall sees a request to close a connection coming from some source we will call A to a destination called B, it can check that there actually was a connection made between A and B. This is useful for preventing another device, C, from forcefully terminating the connection between A and B by sending its own request to end communication. The firewall knows the state of connections in the network and therefore can determine if packets are unusual based on what has been happening recently, rather than having to decide solely on that packet's information.
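The A, B and C scenario above, simulated side by side for a stateless and a stateful filter. This is an added example, not code from the article: the addresses, the `INSIDE` network, the flag encoding and the `StatefulFirewall` class are constructed, and the connection table tracks only the four address/port values (a real stateful firewall also checks TCP sequence numbers and timeouts).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")      # the trusted network behind the firewall

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST

def stateless_decide(pkt: Packet) -> str:
    """Judge every packet on its own header fields alone."""
    if ip_address(pkt.src) in INSIDE:
        return "ACCEPT"                         # anything leaving the network is fine
    # Inbound: the only way a stateless filter can let web replies back in is by
    # trusting the source port, and any outside host can set its source port to 443.
    if pkt.sport in (80, 443):
        return "ACCEPT"
    return "DROP"

class StatefulFirewall:
    """Remember which connections were opened from inside; admit only their traffic."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) of live connections
        self.table: set = set()

    def decide(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.table.add(key)             # a new connection starts from inside
                return "ACCEPT"
            if key not in self.table:
                return "DROP"                   # stray packet, no such connection
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.table:
                return "DROP"                   # outside host, unknown connection
        if "F" in pkt.flags or "R" in pkt.flags:
            self.table.discard(key)             # torn down by a genuine party
        return "ACCEPT"

A, B, C = "10.1.1.5", "203.0.113.10", "198.51.100.99"   # constructed hosts

# Constructed trace: A (inside) talks to web server B; C tries to end the
# A<->B connection; B then closes normally and sends one late packet.
TRACE = [
    Packet(A, 50000, B, 443, "S"),      # A opens the connection
    Packet(B, 443, A, 50000, "SA"),     # B accepts
    Packet(A, 50000, B, 443, "A"),      # handshake completes
    Packet(C, 443, A, 50000, "R"),      # C sends a reset it has no right to send
    Packet(B, 443, A, 50000, "FA"),     # B closes the connection
    Packet(B, 443, A, 50000, "A"),      # late packet after the close
]

def run_trace() -> list:
    """Return (stateless, stateful) verdicts for each packet in TRACE."""
    fw = StatefulFirewall()
    return [(stateless_decide(p), fw.decide(p)) for p in TRACE]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, run_trace()):
        print(f"stateless={verdicts[0]:6} stateful={verdicts[1]:6} {pkt}")
```

The fourth packet is the point of the comparison: the stateless filter accepts C's reset because it carries source port 443, while the stateful filter drops it because no connection between A and C was ever opened. The sixth packet shows the table being honoured after a legitimate close as well.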

Web Application Firewalls

A web application firewall or "WAF", sits between a web application and the rest of the world. The "application" can be anything from simple web sites to complex on-line applications. Just like the network or personal firewall, the WAF is a security measure that attempts to prevent harmful or malicious traffic. The difference is the level of data that it operates upon.

A WAF understands the protocols used to communicate with web applications. It examines not just simple source and destination information, but the states of connections and information such as which web page was last accessed, the kinds of encryption, authentication and compression being used and so on.

This deeper understanding of the communication protocol allows a WAF to protect against much more nuanced malicious traffic, such as cross-site scripting (XSS) or SQL injection.
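A minimal illustration of the level a WAF works at: it parses the HTTP request itself, decodes the query string and form body, and matches each parameter against signatures. This is an added example, not the article's code or any product's rule set; the request samples, host name and the tiny `SIGNATURES` table are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed signature set; real WAFs ship thousands of rules and tune them
# constantly because every pattern here can also hit legitimate input.
SIGNATURES = {
    "sqli": re.compile(
        r"""['"]\s*(?:or|and)\s*['"\d]|\bunion\s+select\b|--\s*$|;\s*drop\b""", re.I),
    "xss": re.compile(
        r"<\s*script\b|\bon(?:load|error|click|mouseover)\s*=|javascript\s*:", re.I),
}

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)   # decodes once
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, url.path, headers, params

def normalise(value: str) -> str:
    """Undo a second layer of URL encoding and collapse whitespace before matching."""
    return " ".join(unquote_plus(value).split())

def inspect(raw: str) -> tuple:
    """Return ("ALLOW", None, None) or ("BLOCK", rule_name, parameter_name)."""
    _method, _path, _headers, params = parse_request(raw)
    for name, value in params:
        text = normalise(value)
        for rule, pattern in SIGNATURES.items():
            if pattern.search(text):
                return ("BLOCK", rule, name)
    return ("ALLOW", None, None)

# Constructed requests: an ordinary search, a search carrying a script tag,
# and a login form whose username field carries a SQL tautology.
BENIGN = "GET /search?q=stateful+firewalls&page=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_REQ = ("GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\n"
           "Host: shop.example\r\n\r\n")
SQLI_REQ = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "user=admin%27+OR+%271%27%3D%271&pass=x")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("xss", XSS_REQ), ("sqli", SQLI_REQ)):
        print(label, inspect(req))
```

Note that a packet filter never sees the `user` parameter at all: it is inside the body of a POST, addressed to a port the filter must allow. Only something that understands HTTP can tell the login form from the search form and the tautology from an ordinary name, which is exactly why the WAF sits at a different level.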

Cloud Firewalls

The term "cloud firewall" is a more recent one and, as with many things related to "cloud", is difficult to define because of how broadly it has been applied. Here, we're using it to group together a number of firewall-type devices and services that operate within the cloud.

Scrubbing

One way to use cloud services to protect your on-line systems is to connect them to the rest of the world through a "scrubbing" service. This works by having the scrubbing service be the public face of your web application, and all traffic passing through it. It can then act as a firewall by redirecting only the traffic that it deems safe into your real web application.

Load Balancing

A load balancing service in the cloud is used to distribute traffic to multiple instances of your web service. This is useful for popular sites. You can do this locally with your own hardware, but the cloud allows rapid scaling without buying more devices.

Although not quite a firewall, load balancing within the cloud is one of the ways people defend against Denial of Service (DoS) attacks. An attacker performing a DoS attack would try to send more traffic than your systems can handle. But with a cloud load balancing and scrubbing service, this can be mitigated quickly.

Blocking and Inspection

Firewalls play an important role even after a network or system has been compromised. We talk a lot in this article about blocking - preventing traffic to or from a certain host or port. But a firewall can also perform inspection.

Traffic inspection allows the firewall to block traffic based not just on the source or destination, or the state of connections. A firewall that inspects the contents of packets is able to decide if the data inside is safe to allow in or out of the network. Blocking could be because the data appears to be malicious, or even because the data appears to be sensitive and should not be allowed to leave.

Inspection like this is known as deep packet inspection and can even require that the firewall intercepts encrypted traffic and decrypts it, essentially performing a man-in-the-middle attack on your own data!
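The two kinds of content-based decision named above, blocking data that looks malicious and blocking data that looks sensitive, together with the encryption caveat, as an added example that is not from the article. The signature is the well-known EICAR anti-malware test string (chosen because it is harmless), the "sensitive data" check is a card-number pattern confirmed by the Luhn checksum, and the payloads are constructed.

```python
import re

# Constructed choice of signature: the distinctive tail of the EICAR test string
# stands in for a real malware signature database.
MALWARE_MARK = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(rb"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def inspect_payload(direction: str, payload: bytes) -> tuple:
    """Return ("ALLOW", None), ("BLOCK", reason) or ("OPAQUE", reason)."""
    # A TLS record (handshake 0x16 or application data 0x17, version 0x03xx)
    # hides its contents; inspecting it means the firewall must terminate TLS
    # itself, i.e. act as a man-in-the-middle for its own users.
    if len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03:
        return ("OPAQUE", "tls-record")
    if MALWARE_MARK in payload:
        return ("BLOCK", "malware-signature")
    if direction == "out":                  # data-leak check applies to egress only
        for match in CARD_RE.finditer(payload):
            digits = re.sub(rb"[ -]", b"", match.group(0)).decode("ascii")
            if luhn_ok(digits):
                return ("BLOCK", "sensitive-data")
    return ("ALLOW", None)

# Constructed payloads.
OUT_CARD = b"POST /upload HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&name=A"  # Luhn-valid test number
OUT_ORDER = b"order ref 1234 5678 9012 3456 shipped"                       # fails Luhn
IN_MALWARE = b"GET /file HTTP/1.1\r\n\r\n...EICAR-STANDARD-ANTIVIRUS-TEST-FILE!..."
OUT_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"hello"

if __name__ == "__main__":
    for label, direction, data in (("card", "out", OUT_CARD), ("order", "out", OUT_ORDER),
                                   ("malware", "in", IN_MALWARE), ("tls", "out", OUT_TLS)):
        print(label, inspect_payload(direction, data))
```

The `OPAQUE` result is the practical heart of the trade-off discussed next: without decrypting, the firewall cannot tell whether the TLS session carries a card number, a malware download, or someone's medical records, and with decrypting it can see all three.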

Two of the links below discuss deep packet inspection and decrypting traffic. Many people claim decrypting and inspecting is essential for compliance with GDPR, for example. Others have claimed it is a risk, since we are intentionally examining data coming from within the network that was encrypted. What if it is the traffic of an employee accessing his health records? Read the articles linked below and think about how you feel about the balance between monitoring of traffic and protection from threats.

Links