What is a Firewall and why it is important for network security?

What is a Firewall and why it is important for network security?

-A firewall is a logical object (hardware and/or software) within a network infrastructure which prevents communications forbidden by the security policy of an organization from taking place, analogous to the function of firewalls in building construction. Often a firewall is also referred to as a packet filter


-The basic task of a firewall is to control traffic between different zones of trust and/or administrative authorities. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the least privilege principle

-the Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can lead to a firewall configuration worthless as a security tool and, in extreme situations, fake security where no security at all is left

   How Does a Firewall Work?

Firewalls carefully analyze incoming traffic based on pre-established rules and filter traffic coming from unsecured or suspicious sources to prevent attacks. Firewalls guard traffic at a computer’s entry point called ports, which is where information is exchanged with external devices. For example, “Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22."

Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house (destination address) at all—then it’s further filtered so that people within the house are only allowed to access certain rooms (destination ports), depending on if they're the owner, a child, or a guest. The owner is allowed to any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).

THE NEED FOR FIREWALLS

- Information systems in corporations, government agencies, and other organizations have undergone a steady evolution in terms of using firewall. The following are notable developments:

 • Centralized data processing system, with a central mainframe supporting a number of directly connected terminals

 • Local area networks (LANs) interconnecting PCs and terminals to each other and mainframe.

 • Premises network, consisting of a number of LANs, interconnecting PCs, Servers, and perhaps a mainframe or two.

• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN).

• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN Internet connectivity is no longer optional for organizations.

Further explanation:

 -The information and services available are essential to the organization. Moreover, individual users within the organization want and need Internet access, and if this is not provided via their LAN, they will use dial-up capability from their PC to an Internet service provider (ISP). However, while Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets. This creates a threat to the organization. While it is possible to equip each workstation and server on the premises network with strong security features, such as intrusion protection, this may not be sufficient and in some cases is not cost-effective.

Consider a network with hundreds or even thousands of systems, running various operating systems, such as different versions of UNIX and Windows. When a security flaw is discovered, each potentially affected system must be upgraded to fix that flaw. This requires scalable configuration management and aggressive patching to function effectively. While difficult, this is possible and is necessary if only host-based security is used. A widely accepted alternative or at least compliment to host-based security services is the firewall.

The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function. The firewall, then, provides an additional layer of defense, insulating the internal systems from external networks. This follows the classic military doctrine of “defense-in-depth,” which is just as applicable to IT security.

 FIREWALL CHARACTERISTICS

• Service control:  Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service. 

•  Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.

• User control: Controls access to a service according to which the user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPsec.

•   Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

 TYPES OF FIREWALLS

     Next-generation firewalls (NGFW)

- Combine traditional firewall technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, it includes a deep packet inspection (DPI). While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets with malicious data.

                Proxy firewalls:

 




-Filter network traffic at the application level. Unlike basic firewalls, the proxy acts an intermediary between two end systems. The client must send a request to the firewall, where it is then evaluated against a set of security rules and then permitted or blocked. Most notably, proxy firewalls monitor traffic for layer 7 protocols such as HTTP and FTP and use both stateful and deep packet inspection to detect malicious traffic.



              
         Network address translation (NAT) firewalls

 - Allow multiple devices with independent network address to connect to the internet using a single IP address, keeping individual IP addresses hidden. As a result, attackers scanning a network for IP addresses can't capture specific details, providing greater security against attacks. NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic.

              Stateful multilayer inspection (SMLI) firewalls

- To filter packets at the network, transport, and application layers, comparing them against known trusted packets. Like NGFW firewalls, SMLI also examines the entire packet and only allow them to pass if they pass each layer individually. These firewalls examine packets to determine the state of the communication (thus the name) to ensure all initiated communication is only taking place with trusted sources.

Packet Filtering Firewall (rules set):

Packet Filtering Firewall A packet-filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet (Figure 22.1b). The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:
 • Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)

 • Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)

 • Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET

 • IP protocol field: Defines the transport protocol

• Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.

 If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken. Two default policies are possible:

• Default = discard: That which is not expressly permitted is prohibited.
The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. However, this is the policy likely to be preferred by businesses and government organizations.

 • Default = forward: That which is not expressly prohibited is permitted.
The default forward policy increases ease of use for end-users but provide reduced security; the security administrator must, in essence, react to each new security threat as it becomes known. This policy may be used by generally more open organizations, such as universities

• IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security, in which packets from specific trusted internal hosts are accepted. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.

•  Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option. 

•  Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected. 

FIREWALL LOCATION AND TOPOLOGIES:

1.1 Location:

- a firewall is positioned to provide  a protective barrier between an external, potentially untrusted source of traffic and an internal network.:

 DMZ Networks

-Systems that are externally accessible but need some protections are usually located on DMZ networks. Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server. The external firewall provides a measure of access control and protection for the DMZ systems consistent with their need for external connectivity.

The external firewall also provides a basic level of protection for the remainder of the enterprise network. In this type of configuration, internal firewalls serve three purposes:

1. The internal firewall adds more stringent filtering capability, compared to the external firewall, in order to protect enterprise servers and workstations from external attack.


 2. The internal firewall provides two-way protection with respect to the DMZ. First, the internal firewall protects the remainder of the network from attacks launched from DMZ systems. Such attacks might originate from worms, rootkits, bots, or other malware lodged in a DMZ system. Second, an internal firewall can protect the DMZ systems from attack from the internal protected network.

3. Multiple internal firewalls can be used to protect portions of the internal network from each other. For example, firewalls can be configured so that internal servers are protected from internal workstations and vice versa. A common practice is to place the DMZ on a different network interface on the external firewall from that used to access the internal networks.

Virtual Private Networks

-the virtual private network (VPN) offers an attractive solution to network managers. In essence, At each corporate site, workstations, servers, and databases are linked by one or more local area networks (LANs). The Internet or some other public network can be used to interconnect sites, providing cost savings over the use of a private network and offloading the wide-area network management task to the public network provider

a VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet

The most common protocol the mechanism used for this purpose is at the IP level and is known as IPsec. An organization maintains LANs at dispersed locations. A logical means of implementing an IPsec is in a firewall; If IPsec is implemented in a separate box behind (internal to) the firewall, then VPN traffic passing through the firewall in both directions is encrypted. In this case, the firewall is unable to perform its filtering function or other security functions, such as access control, logging, or scanning for viruses. IPsec could be implemented in the boundary router, outside the firewall. 

However, this device is likely to be less secure than the firewall and thus less desirable as an IPsec platform.


TO NOTE: IPsec is a framework of related protocols that secure communications at the network or packet processing layer. It can be used to protect one or more data flows between peers. IPsec enables data confidentiality, integrity, origin authentication, and anti-replay.

A VPN security scenario



Distributed Firewalls


 A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls working together under central administrative control. Administrators can configure host resident firewalls on hundreds of servers and workstations as well as configure personal firewalls on local and remote user systems. These firewalls protect against internal attacks and provide protection tailored to specific machines and applications. Stand-alone firewalls provide global protection, including internal firewalls and an external firewall


Summary of Firewall Locations and topologies: 

- To define a spectrum of firewall locations and topologies. The following alternatives can be identified: 


• Host-resident firewall: This category includes personal firewall software and firewall software on servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.

• Screening router: A single router between internal and external networks with stateless or full packet filtering. This arrangement is typical for small office/home office (SOHO) applications.

•Single bastion T: Similar to single bastion inline but has a third network interface on bastion to a DMZ where externally visible servers are placed. Again, this is a common appliance configuration for medium to large organizations. 

• Double bastion inline:  where the DMZ is sandwiched between bastion firewalls. This configuration is common for large businesses and government organizations.

 • Double bastion T: The DMZ is on a separate network interface on the bastion firewall. This configuration is also common for large businesses and government organizations and may be required.

• Distributed firewall configuration:  This configuration is used by some large businesses and government organizations.

Embrace your inner geek 👦👧 with our extensive library of technology and IT instructions📗📘📕, read on your favorite device📱💻. 

الحاجة إلى الجدران النارية

جدار الحماية هو كائن منطقي (أجهزة و / أو برامج) ضمن بنية أساسية للشبكة يمنع الاتصالات الممنوعة بموجب سياسة الأمان