Z Tech Blog


A brief description of what firewalls do and how they work

In this article, another in our series looking inside the Cloud, we will be looking more closely at firewalls: their purpose and how they work. A firewall is a combination of hardware and software that monitors incoming and outgoing network traffic and permits or blocks that traffic (specifically, data packets) based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) in order to block malicious traffic like viruses and hackers.

At the enterprise level, firewalls are systems with dedicated hardware to filter out malicious data. Most PCs have a software firewall as well, which performs a similar function and whose setup is also similar. However, we will focus on firewalls with dedicated hardware in this article. Please note that, in essence, there is very little difference between the two in terms of purpose and the makeup of filtering rules.

Firewalls carefully analyse incoming traffic based on pre-established rules and filter out traffic coming from unsecured or suspicious sources to prevent attacks. Firewalls use ports to guard against malicious traffic (think of ports as an entry point for traffic and the place where information is exchanged with devices; further details on ports can be found in our article on ports). The essence of a firewall rule is as follows: "Source address is allowed to reach destination over port 443."

Definition of a Packet

A packet is a single part of a larger piece of data that is transmitted over a network. In networking, the network breaks a larger piece of data into parts of a certain size in bytes. These parts are called packets. Each packet contains the information that will help it get to its destination: the sender's IP address, the intended receiver's IP address, the total number of packets and the number of this particular packet. The packets carry the data in the protocols that the Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet contains part of the body of your message. A typical packet contains around 1,000 to 1,500 bytes.

Types of firewalls

Packet-filtering firewalls, the most common type of firewall, examine packets and prohibit them from passing through if they don't match an established security rule set. This type of firewall checks the packet's source and destination IP addresses. If a packet matches an "allowed" rule on the firewall, then it is trusted to enter the network.

Traditional Packet Filtering Firewalls

Packet-filtering firewalls are divided into two categories: stateful and stateless. Stateless firewalls examine packets independently of one another and lack context, making them easy targets for hackers. In contrast, stateful firewalls remember information about previously passed packets and are considered much more secure.

While packet-filtering firewalls can be effective, they ultimately provide very basic protection and can be very limited: for example, they can't determine whether the contents of the request being sent will adversely affect the application it's reaching. If a malicious request that was allowed from a trusted source address would result in, say, the deletion of a database, the firewall would have no way of knowing that. Next-generation firewalls and proxy firewalls are better equipped to detect such threats.

Next Generation Firewalls (NGFW)

These modern firewalls combine traditional packet-filtering technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, they include deep packet inspection (DPI). While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets carrying malicious data.

Proxy Firewalls

Proxy firewalls filter network traffic at the application level. Unlike basic firewalls, the proxy acts as an intermediary between two end systems. The client must send a request to the firewall, where it is evaluated against a set of security rules and then permitted or blocked. Most notably, proxy firewalls monitor traffic for layer 7 protocols such as HTTP and FTP, and use both stateful and deep packet inspection to detect malicious traffic.

NAT Firewalls

Network address translation (NAT) firewalls allow multiple devices with independent network addresses to connect to the internet using a single IP address, keeping individual IP addresses hidden. As a result, attackers scanning a network for IP addresses can't capture specific details, providing greater security against attacks. NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic.

Firewall Rules

A firewall rule basically comprises the following fields:

Priority number, Direction, Source Address, Protocol, Source Port, Destination Address, Destination Port, Action. With this information, the rule tells the firewall which type of packet, from where, destined for which device, should or should not be allowed.

An example is below.

Table 1: Example of a rule set to allow inbound and outbound traffic for web servers, for a network segment meant to contain only web servers

Number  Direction  Source Address  Protocol  Source Port  Destination Address  Destination Port  Action
1       Inbound    Any             TCP       1024-65535   10.10.10.x           443               Allow
2       Outbound   10.10.10.x      TCP       80           Any                  1024-65535        Allow
3       Inbound    Any             Any       Any          10.10.10.x           Any               Deny
4       Outbound   10.10.10.x      Any       Any          Any                  Any               Deny

In this example we are enabling a rule set that will allow all our web servers within the web server subnet (10.10.10.x) to receive and send back data (i.e. traffic) for users of our website (details on what subnets are and the notation used for depicting them are in our blog post on IP addresses).

Rule 1 allows in traffic from users, i.e. it enables users to reach our web servers and use our website. As this rule is for enabling incoming traffic, the Direction is set to Inbound. Because our users can be from anywhere in the world, the source address of our rule must match any IP address, so that is what we use in the Source Address field. The protocol that web sites use is TCP, so we set that as the entry in the Protocol field. Due to the way operating systems set up connections, the port on our users' devices can be anything between 1024 and 65535, so we set that as the range in the Source Port field. Our web servers are hosted in the subnet 10.10.10.x and can have any host address between 0 and 255, so we give that subnet as the destination address. In this example our servers only use the encrypted HTTPS protocol, which by convention uses port 443, so we set that as the value in the Destination Port field. Finally, the action the firewall should take when traffic matching this rule is met is to allow in the data, so we set the Action field to Allow.

Similarly, we set the reverse values in the rule for the outgoing traffic, i.e. Source will be our web server subnet, destination will be set to all IP addresses, etc.

Finally, for security purposes we block all other traffic (rules 3 and 4). This subnet is meant for web traffic only, and in our example our web servers running our website will never need to initiate communication with the outside world (i.e. they will never need to request data from another entity; this is not always the case, e.g. commerce web sites would need to connect to PayPal for card payments), so we have set all other types of communication requests to be blocked.

This leads to two important concepts: the first is that firewall rules are prioritised, and the second is the principle of least access.

Prioritisation of Firewall Rules

All firewall rules must be given a priority. The way firewall rules work is that the Firewall searches through all the rules, in order of priority, to see if one matches. If one does match, then the firewall will execute that rule and cease searching for any further rule. Thus, even if a matching rule exists lower down in the priority list, that rule will not be executed.

In our example above, if the firewall receives web traffic it will allow that traffic because of rules 1 and 2. All other traffic will be blocked because it would match rules 3 and 4.
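To make the first-match evaluation of Table 1 concrete, here is a small rule evaluator written for this article (it is not code from the original post or from any firewall product). It encodes the four rules, walks them in priority order, stops at the first match, and denies anything that matches no rule at all. Two assumptions: the article's subnet 10.10.10.x is written in CIDR form as 10.10.10.0/24, and rule 2 uses source port 443 (the table lists 80, but the text says the servers speak only HTTPS on 443); the sample packets and the 203.0.113.x / 198.51.100.x user addresses are constructed.

```python
import ipaddress

# Constructed rule table mirroring Table 1 of the article. "any" matches everything.
# Assumption: the article's "10.10.10.x" subnet is written in CIDR form as 10.10.10.0/24.
# Assumption: rule 2 uses source port 443 (the table says 80; the text says HTTPS only).
WEB = "10.10.10.0/24"
RULES = [
    {"num": 1, "dir": "inbound",  "src": "any", "proto": "tcp", "sport": (1024, 65535), "dst": WEB,   "dport": (443, 443),    "action": "allow"},
    {"num": 2, "dir": "outbound", "src": WEB,   "proto": "tcp", "sport": (443, 443),    "dst": "any", "dport": (1024, 65535), "action": "allow"},
    {"num": 3, "dir": "inbound",  "src": "any", "proto": "any", "sport": "any",         "dst": WEB,   "dport": "any",         "action": "deny"},
    {"num": 4, "dir": "outbound", "src": WEB,   "proto": "any", "sport": "any",         "dst": "any", "dport": "any",         "action": "deny"},
]

def _addr_ok(rule_addr, ip):
    return rule_addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr)

def _port_ok(rule_port, port):
    return rule_port == "any" or rule_port[0] <= port <= rule_port[1]

def matches(rule, pkt):
    """True if every header field of the packet falls within the rule's values."""
    return (rule["dir"] == pkt["dir"]
            and rule["proto"] in ("any", pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))

def evaluate(rules, pkt):
    """Walk the rules in priority order; the first match decides and the search stops.
    A packet that matches no rule at all is denied (default deny = least access)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["action"], rule["num"]
    return "deny", None

def packet(direction, src, sport, dst, dport, proto="tcp"):
    return {"dir": direction, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Constructed sample traffic (203.0.113.x and 198.51.100.x are documentation ranges standing in for users).
USER_REQUEST = packet("inbound", "203.0.113.7", 51515, "10.10.10.5", 443)     # allowed by rule 1
SERVER_REPLY = packet("outbound", "10.10.10.5", 443, "203.0.113.7", 51515)    # allowed by rule 2
SSH_ATTEMPT  = packet("inbound", "203.0.113.7", 40000, "10.10.10.5", 22)      # denied by rule 3
SERVER_CALL  = packet("outbound", "10.10.10.5", 40000, "198.51.100.9", 443)  # denied by rule 4

def reprioritised(rules, num, new_num):
    """Copy of the rule set with one rule's priority changed: moving rule 3 above rule 1
    makes the firewall deny the user's request before the allow rule is ever reached."""
    return [dict(r, num=new_num if r["num"] == num else r["num"]) for r in rules]
```

Running evaluate(RULES, ...) on the four packets returns the rule numbers commented beside them; evaluate(reprioritised(RULES, 3, 0), USER_REQUEST) shows the same web request being denied once the deny rule outranks rule 1.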

Principle of Least Access

Firewalls, and general security rules, should only enable the minimum amount of traffic (or users, etc.) needed to function successfully. That is why it is important to have rules 3 and 4 that essentially block all traffic unless a prior rule further up in the priority list has been met.

This approach ensures that only the type of traffic strictly needed for something to work is allowed in. It reduces the opportunities (known in the security world as the 'attack surface') available to people with malicious intent to gain access to our network, because it reduces the access that is allowed into our network. In essence, this approach to security reduces the attack vectors available to hackers.

Further reading: please check out my article on how to build a web server, which puts these concepts to practical use.

Z Tech is a technologist, senior programme director, business change lead and Agile methodology specialist. He is a former solutions architect, software engineer, infrastructure engineer and cyber security manager. He writes here in his spare time about technology, tech driven business change, how best to adopt Agile practices and cyber security.
