Firewalls
February 7, 2012Firewalls: In this section we will take a look at the 3 basic types of firewalls – packet filters, proxy firewalls and the stateful inspection firewalls – and will look at the pros and cons of each.
Packet filters: These are basically screening routers that control the flow of data in and out of a network by looking at information in the packet header:
- Source Address
- Destination Address
- Protocol used for transferring the data
The firewall is programmed to allow or deny the traffic based upon the protocol and source & destination addresses. A policy could look something like this:
Interface |
Source | Interface | Destination | Protocol | Action |
Comments |
External | 10.1.1.0/24 | Internal | ANY | ANY | DROP | Anti-Spoofing rule |
External | ANY | Internal | 10.1.1.11 | HTTP | ACCEPT | Inbound HTTP to Web server |
Internal | 10.1.1.11 | External | Any | HTTP | ACCEPT | Outbound HTTP |
Internal | 10.1.1.0/24 | External | ANY | Telnet | ACCEPT | Outbound Telnet |
ANY | External | ANY | Internal | ANY | DROP | Drop all not explicitly allowed |
Packet filters are very efficient and cost effective since a single screening router can protect an entire network by acting as a choke point. They are considered to be the most effective against certain types of attacks such as the IP Spoofing attack. (For example: A rule to deny all inbound traffic that has source address from the internal network will take care of hackers trying to spoof IP addresses from the internal network.)
Another advantage is the ease of availability, since most routers come with basic packet filtering capacity. However their filtering capacity is limited to the information they get from the network layer which is the source and destination address and the protocol information. As a result they are not able to analyze the data within the packet. It is easy for a packet with a malicious data to pass through. Another disadvantage is that it is not possible do to partial filtering. Meaning you cannot set a rule to allow only a specific user to connect to the ftp server or to transfer only specific files. There is also a possibility of incorrectly configuring a packet filter thereby generating security holes in the network.
Proxy Firewalls: These types of firewalls work as transfer agents between the internal host and the external server. The idea is to protect the internal host from being directly exposed to the outside world. The proxy firewall accepts requests from the internal hosts for connections to the outside world, changes their IP addresses and sends the request with the changed IP to the outside server. It maintains a table for relating the internal IP with the translated IP so that when it receives a response from the outside server it can direct that to the appropriate internal host.
There are two types of proxy firewalls; Circuit-level proxies and Application-level proxies.
Circuit-level proxies: It creates a circuit (connection) between the internal host and the outside server by acting as an agent without interpreting the application level information. It is more like a packet filter with the ability to hide the client. The advantage of circuit-level proxies is that they can be implemented with a large number of protocols as they don’t have to comprehend the information at the protocol level. The disadvantage is that once a connection is established it is always possible to send malicious data in the packets.
Application-level proxies: Also known as Application Gateway or Application Firewall, it performs all the basic functions of the circuit-level proxy with better traffic monitoring. The application gateway is able to comprehend information at the higher levels in the TCP/IP stack up to the application layer. The features of an Application-level proxy can be summarized in the following points:
Does not allow direct connections between an internal host and an external server under any circumstances.
- It can understand and interpret commands in the payload portion of the packets. (Which even stateful inspection firewalls are not able to do.)
- It provides a robust authentication and logging mechanism.
Although considered to be the most secured and advanced firewalls they still have some limitations.
- You may need a different proxy for each of the protocols.
- Certain type of protocols may not be supported.
- Large amount of information from a large number of packets have to be analyzed, which may lead to high processing time and overheads.
In general proxy firewalls provide reliable security with good logging mechanisms. They however suffer from the following disadvantages:
- Not all applications are designed to use a proxy
- The proxy setup can be complicated
- They usually require modified clients and/or modified procedures
Stateful Inspection Firewalls: Traffic decisions are made by not only looking at the packet contents but also by correlating the incoming traffic to the earlier outgoing requests. It does so with the help of a dynamic state table. The state table keeps a record of past communications such as a request made for a particular file by the internal host along with the source and destination address, port numbers and so on. This record is called a state. When the external server responds with a file the firewall does a state table look up to decide whether such a request had been made and if it has been, the packet is allowed in or else is discarded by the firewall. Of course this is subject to all the other security criteria being met.
For example, we can say that only outgoing traffic is enabled whereas the incoming traffic is disabled unless specifically requested. Most basic attacks such as port scanning are immediately taken care of at the firewall.
Disadvantages:
- No application level security is provided.
- Stateful inspection is possible only for connection oriented-protocols such as the TCP.
- Stateful Inspection firewalls do not look at the packets as closely as an application gateway firewall and it also does not provide any verification of protocols.
www.bestitdocuments.com