---
title: "Firewalls"
---
The term "firewall" is not new, and is something most people will have
heard of no matter their experience of networking or cyber security.
This familiarity is unfortunately also the cause of some
misunderstanding about what a firewall *is* and *what it can do*.
The first thing to realise is that a firewall can be a physical
device, a piece of software, or a collaboration between multiple
instances of hardware or software, and that it has subtly different
meanings and functions in different contexts.
Broadly speaking, all firewalls monitor and filter network traffic
based on a set of rules, and act as a barrier between networks. The
firewall can be configured to allow traffic between the *trusted*
internal network and the *untrusted* external network. The method of
filtering depends on the type and capabilities of the firewall, as
discussed below.
# Types of Firewall
Here we will break down the most common types of firewall. The names
we use here are probably the most common, but they aren't used
universally and the lines between the different types are not always
as clear as they are drawn here.
## Personal Firewalls
Personal firewalls are most people's experience of a firewall. These
are almost universally software rather than hardware, meaning you can
download and install them on your local PC, tablet or phone.
A personal firewall defends a single device, such as a PC or mobile
phone, by controlling access to and from the network. Commonly this
will be by allowing only certain connections from the network to the
local device. It may also protect the device by allowing only certain
applications to access the network.
### In-Bound Connections
A typical personal firewall will protect a device from in-bound
connections by limiting which network ports can be accessed. A port
is simply a number that identifies a service and many common services
have port numbers reserved for them. For example, if you send
information to a device with the port number set to 80, you are
probably expecting the information to be going to a web server. On a
personal device, there is often very little need for any incoming
connections like this, since it isn't common to run services such as
web servers on your laptop or desktop PC. If you *do* need to have
one of these services running, the firewall can be configured to allow
connections to that port only.
Some personal firewalls will also limit the *source* of connections.
If you run a back-up service on your desktop, for example, that you
use to send files to from other devices in the home, then you can
limit incoming connections on the desktop to those on the correct port
and coming from a fixed list of devices, specified by IP address for
example, that are allowed to access it.
### Out-Bound Connections
Some personal firewalls will also limit connections to services from
your device to others on the network.
At first, this seems unhelpful, but there has been a growing number of
cases where malware has accessed the network to receive instructions,
send out personal files or data, or even launch attacks as part of a
network of compromised machines known as a "botnet". So, if you
download some software that seems innocuous and it suddenly wants to
connect to the outside world, your personal firewall might be the one
thing that prevents your device from being used by hackers to attack
larger targets.
## Network Firewalls
A network firewall performs many of the same functions as a personal
firewall, but for the entire network. The firewall is commonly
hardware, although software equivalents are also becoming common.
The firewall will be placed in the path between the local network and
the wider network or Internet, and will make decisions about which
traffic is allowed to pass and which is not.
There are two common types of network firewall: stateless and
stateful.
### Stateless Firewalls
Stateless firewalls make decisions about each unit of traffic (known
as a "packet") based on nothing more than the information it contains:
its source and destination. For example, the firewall might allow
incoming packets to port 80 only if they are addressed to the web
server. It might also disallow traffic coming from the network to any
destination on a black-list in order to prevent people accidentally
using sites that distribute malware or try to fool users into
revealing personal data.
The firewall might include other controls and features, such as rate
limits and so on.
### Stateful Firewalls
A stateful firewall does much the same as a stateless firewall but
with more information available to it to make decisions. This
information is the *state* of connections in the network.
For example, if the firewall sees a request to close a connection
coming from some source we will call A to a destination called B, it
can check that there actually was a connection made between A and B.
This is useful for preventing another device, C, from forcefully
terminating the connection between A and B by sending its own request
to end communication. The firewall knows the *state* of connections
in the network and therefore can determine if packets are unusual based
on what has been happening recently rather than having to decide
solely on that packet's information.
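To make the difference concrete, here is an added example (not code from the original article) of a tiny packet filter in Python. The same allow list serves the personal-firewall case above (a back-up port open only to listed home devices) and the network case (port 80 only if addressed to the web server); the stateful class adds a connection table so that C's request to close a connection it never opened is dropped, even though a stateless check of the packet's own fields would pass it. All addresses, ports and flag names are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # constructed: "SYN", "ACK", "FIN" or "RST"


# Constructed inbound policy: (destination host, port) -> permitted sources,
# or None meaning "any source may connect".
INBOUND_POLICY = {
    ("10.0.0.10", 80): None,                                # web server: open to all
    ("10.0.0.5", 873): {"192.168.1.20", "192.168.1.21"},     # back-up service: two home devices
}


def stateless_allow(pkt: Packet) -> bool:
    """Stateless decision: look only at the fields of this one packet."""
    sources = INBOUND_POLICY.get((pkt.dst, pkt.dport), set())
    return sources is None or pkt.src in sources


class StatefulFirewall:
    """Stateful decision: the same policy, plus a table of open connections."""

    def __init__(self):
        self.connections = set()  # (src, dst, dport) tuples opened with a valid SYN

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":                 # a new connection attempt
            if not stateless_allow(pkt):
                return False
            self.connections.add(key)
            return True
        if key not in self.connections:        # ACK/FIN/RST for a connection never opened
            return False
        if pkt.flags in ("FIN", "RST"):        # teardown of a connection we did see
            self.connections.discard(key)
        return True
```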
## Web Application Firewalls
A web application firewall or "WAF", sits between a web application
and the rest of the world. The "application" can be anything from
simple web sites to complex on-line applications. Just like the
network or personal firewall, the WAF is a security measure that
attempts to prevent harmful or malicious traffic. The difference is
the level of data that it operates upon.
A WAF understands the protocols used to communicate with web
applications. It examines not just simple source and destination
information, but the states of connections and information such as
which web page was last accessed, the kinds of encryption,
authentication and compression being used and so on.
This deeper understanding of the communication protocol allows a WAF
to protect against much more nuanced malicious traffic, such as
cross-site scripting (XSS) or SQL injection.
## Cloud Firewalls
The term "cloud firewall" is a more recent one and, as with many things related to "cloud", is difficult to define because of how broadly it has been applied. Here, we're using it to group together a number of firewall-type devices and services that operate within the cloud.
### Scrubbing
One way to use cloud services to protect your on-line systems is to connect them to the rest of the world through a "scrubbing" service. This works by having the scrubbing service be the public face of your web application, with all traffic passing through it. It can then act as a firewall by redirecting only the traffic that it deems safe into your real web application.
### Load Balancing
A load balancing service in the cloud is used to distribute traffic to multiple instances of your web service. This is useful for popular sites. You can do this locally with your own hardware, but the cloud allows rapid scaling without buying more devices.
Although not quite a firewall, load balancing within the cloud is one of the ways people defend against Denial of Service (DoS) attacks. An attacker performing a DoS attack would try to send more traffic than your systems can handle. But with a cloud load balancing and scrubbing service, the extra traffic can be spread out and filtered before it overwhelms your systems.
# Blocking and Inspection
Firewalls play an important role even *after* a network or system has
been compromised. We talk a lot in this article about *blocking* -
preventing traffic to or from a certain host or port. But a firewall can also perform *inspection*.
Traffic inspection allows the firewall to block traffic based not just
on the source or destination, or the state of connections. A firewall
that inspects the contents of packets is able to decide if the data
inside is safe to allow in or out of the network. Blocking could be
because the data appears to be malicious, or even because the data
appears to be sensitive and should not be allowed to leave.
Inspection like this is known as *deep packet inspection* and can even
require that the firewall intercepts encrypted traffic and decrypts
it, essentially performing a man-in-the-middle attack on your own
data!
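The following is an added example (not from the original article) of the kind of content inspection a WAF or deep-packet-inspecting firewall performs, as opposed to the address-and-port blocking shown earlier. It decodes the query string of an HTTP request line and checks each value against simple signatures for the two attack classes named above, and separately checks an outbound response body for data that should not leave the network. The request lines, the card-number pattern and the signature expressions are constructed for the illustration; a real product carries far larger rule sets.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed inbound signatures for the two attack classes the article names.
INBOUND_RULES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\S+\s*=|union\s+select", re.IGNORECASE),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE),
}
# Constructed outbound rule: a 16-digit card-like number should not leave the network.
OUTBOUND_RULES = {
    "card_number": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
}


def inspect_request(request_line: str):
    """Return (allow, reason) for a request line such as 'GET /p?x=1 HTTP/1.1'.

    Values are URL-decoded first, because a signature match on the raw,
    percent-encoded text would be trivially avoided.
    """
    method, target = request_line.split()[:2]
    parts = urlsplit(target)
    fields = [unquote_plus(parts.path)]
    fields += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    for name, rule in INBOUND_RULES.items():
        for value in fields:
            if rule.search(value):
                return False, name
    return True, "clean"


def inspect_response(body: str):
    """Return (allow, reason) for data leaving the network."""
    for name, rule in OUTBOUND_RULES.items():
        if rule.search(body):
            return False, name
    return True, "clean"
```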
Two of the links below discuss deep packet inspection and decrypting
traffic. Many people claim decrypting and inspecting is essential for
compliance with GDPR, for example. Others have claimed it is a risk,
since we are intentionally examining data coming from within the
network that was encrypted. What if it is the traffic of an employee
accessing his health records? Read the articles linked below and
think about how you feel about the balance between monitoring of
traffic and protection from threats.
# Links
- https://www.owasp.org/index.php/Web_Application_Firewall
- https://www.a10networks.com/blog/ssl-inspection-imperative-under-gdpr
- https://security.ias.edu/deep-packet-inspection-dead-and-heres-why
<!-- LocalWords: WAF
-->