Application Proxy and Gateway Firewalls

an article added by: Maria T. at 11202007




Firewall Types

There are two basic types of firewalls: application proxies and gateways. Gateways are further divided into packet filters and stateful inspection firewalls. These differ in function and design and have different uses in network architecture. Never try to have one type of firewall do the duty of another: a well-run, securely configured firewall doing its intended job is far better than a device pressed into a role for which it was not designed, which is an invitation to disaster. Let's look at these firewalls and how they should be used.

Application Proxy

An application proxy firewall takes apart each packet that comes in, examines it to see whether it meets the configured criteria, rewrites it, and sends it on its way. The proxy terminates the connection from the outside source and starts a new connection from itself to the destination. This offers strong protection to the servers, because there is no direct interaction between source and destination: malformed packets and protocol-level tricks never reach the server, only the proxy's own well-formed reconstruction of the request. In addition, the proxy host is typically heavily hardened and exposes a very small attack surface, so it is considerably harder for an attacker to take control of than a general-purpose server. These firewalls are application-specific: a proxy must be written for each supported protocol. The advantage is that the exact needs of your particular application are addressed; the disadvantage is that you are at the mercy of the vendor should your application change in a way the proxy does not yet support, and application upgrades may have to wait until the firewall vendor catches up. Application proxies are often "invisible" on the network: they may have no IP address of their own, or, if they do, they may masquerade as the destination server. For the same reason, application proxies may not perform address translation.

Gateway

By far the most commonly deployed firewall is the gateway. This firewall examines the source and destination addresses and ports and determines whether the packet meets the designated rules to pass through to the servers. There are various levels of gateways: some are extremely simplistic and filter only by port, others filter by IP address and port, and still others perform various checks on the legitimacy of some or all packets. Gateways come in two flavors, packet filters and stateful inspection gateways. Let's examine each in turn.

Packet Filters

These are basic firewalls with very little flexibility or functionality. Often they are built into operating systems, such as Mac OS X, to provide rudimentary protection for the individual workstation. Windows and Linux have more advanced firewalls built in: Windows Firewall has some stateful inspection features, while Linux has netfilter/iptables (the successor to the older ipchains), which can be used as a full-function firewall (explored in the next article). Packet filters also have their place in the network architecture: network routers, through their access control lists, function as packet filters.

Technical Description

In its most basic form, a packet filter makes decisions about whether to forward a packet based only on information found in the IP and TCP/UDP headers (the network and transport layers, respectively, in the Open Systems Interconnection (OSI) model). In effect, a packet filter is a router with some intelligence. However, a packet filter handles each packet in isolation; it does not keep track of TCP sessions. Thus it is poorly equipped to detect spoofed packets arriving on an outside interface: a crafted packet can pretend to be part of an existing session simply by setting the ACK flag in the TCP header, and a filter that permits "established" traffic by looking at that flag alone will pass it. Packet filters are configured to allow or block traffic according to source and destination IP address, source and destination port, and protocol (TCP, UDP, Internet Control Message Protocol [ICMP], and so on). While rudimentary, packet filters can provide an effective barrier that reduces your attack surface. An attack surface, in network terms, is the set of ports someone on the outside can reach and try to exploit. A Web server that serves only unencrypted pages requires only TCP port 80 open to the Internet. Using a packet filter, you can block all incoming traffic except that destined for port 80.
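The following is an added example, not code from the original article: a minimal stateless packet filter in Python that evaluates rules on exactly the header fields described above (protocol, source and destination address, destination port) with first-match semantics and an implicit deny. It encodes the single-port Web server policy, a subnet-restriction policy of the kind used for an internal application server, and a border policy that admits "established" traffic by the ACK flag alone, so you can see the spoofed-ACK packet pass. All addresses, rule names and the `demo()` helper are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at, and nothing else."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; irrelevant for udp/icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # Cisco-style "established": match only TCP with ACK set


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed addresses (RFC 5737 documentation ranges and RFC 1918 space).
WEB_SERVER = "203.0.113.10"
FINANCE_SERVER = "192.168.10.5"
FINANCE_SUBNET = "192.168.50.0/24"

# Policy 1: the unencrypted Web server exposes exactly one port to the world.
WEB_SERVER_RULES = [Rule("permit", "tcp", dst=WEB_SERVER + "/32", dport=80)]

# Policy 2: the financial application server answers only its own subnet.
FINANCE_RULES = [Rule("permit", src=FINANCE_SUBNET, dst=FINANCE_SERVER + "/32")]

# Policy 3: a border filter that lets "established" traffic back in by flag alone.
# This is the stateless shortcut a spoofed ACK packet abuses.
BORDER_RULES = [
    Rule("permit", "tcp", dst="192.168.0.0/16", established=True),
    Rule("permit", "tcp", dst=WEB_SERVER + "/32", dport=80),
]


def demo() -> dict:
    """Returns the decision for each constructed packet."""
    outsider = "198.51.100.7"
    return {
        "web_port_80": evaluate(WEB_SERVER_RULES, Packet("tcp", outsider, WEB_SERVER, 40000, 80)),
        "web_port_22": evaluate(WEB_SERVER_RULES, Packet("tcp", outsider, WEB_SERVER, 40000, 22)),
        "finance_from_subnet": evaluate(FINANCE_RULES, Packet("tcp", "192.168.50.23", FINANCE_SERVER, 50000, 1433)),
        "finance_from_elsewhere": evaluate(FINANCE_RULES, Packet("tcp", "192.168.60.23", FINANCE_SERVER, 50000, 1433)),
        # A SYN to an internal database port is stopped...
        "border_syn_to_db": evaluate(BORDER_RULES, Packet("tcp", outsider, FINANCE_SERVER, 40000, 3306, ack=False)),
        # ...but the same packet with ACK set sails through, with no session behind it.
        "border_spoofed_ack_to_db": evaluate(BORDER_RULES, Packet("tcp", outsider, FINANCE_SERVER, 40000, 3306, ack=True)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} {decision}")
```

The third policy is the one to study: the filter has no memory of the outbound SYN that would justify an inbound ACK, so any packet that sets the flag is indistinguishable from a legitimate reply. That is the gap stateful inspection closes.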

You have just reduced your attack surface from 65,535 TCP ports to one. While any hacker worth their salt will find your single open port, you have greatly reduced their toolset for breaking into your machine. In addition, if there is a vulnerability, even a zero-day vulnerability, in a service listening on one of the other ports, it cannot be reached from the outside. Another example of packet filter use is limiting the IP addresses permitted to contact a server. Assume your business uses a specific subnet, 192.168.50.0/24, and your financial application server should provide services only to that subnet. Simply block all other traffic. Now the only way to reach the application server is to be on that subnet (or to spoof an address on it, which is why anti-spoofing rules on the outside interface matter). Packet filters usually have their own IP address and can perform address translation. Some of the specific techniques addressed in the following articles can be applied to packet filters; just be aware of their limitations and potential vulnerabilities.

The ultimate example of a simplistic port-only packet filter is the old Microsoft Windows TCP/IP filtering option found in the advanced network properties. It is so simplistic that it is worthwhile in only a few cases. A more typical example is a border router that selectively blocks certain protocols determined to be dangerous and permits all other traffic. The blocked protocols are either insecure because they transmit usernames and passwords in clear text, or can be used by attackers to gain control over machines. Simple Network Management Protocol (SNMP) can carry various commands to devices, ranging from information gathering to actual control of the devices. IRC is a common protocol used by attackers to communicate with zombies; blocking it at the border, both incoming and outgoing, removes a control channel should a machine inside become compromised.

Telnet and FTP transmit both data and authentication credentials in clear text. Telnet is a remote command-line protocol and FTP is used to transfer files to and from servers. Better choices are Secure Shell (SSH) and SSH File Transfer Protocol (SFTP), both of which encrypt data and authentication. Server Message Block (SMB) file sharing, while not insecure in and of itself, has had numerous vulnerabilities in its implementations in Windows and in older Linux systems. These vulnerabilities can be used to compromise machines, so SMB should be blocked at the border router. Also note peer-to-peer (P2P) file sharing, which is not uncommon in academic settings and should be taken into consideration when designing network security.

Pros

Packet filters are extremely useful in certain situations. Primarily they should be deployed at the perimeter of your organization, where coarse filtering is the best option.

Speed

Packet filters are extremely fast. Since they examine only the destination port and/or the source and destination IP addresses, they have very little work to do. Simple packet filters are an excellent choice for an extremely high-traffic resource that must process packets in and out very quickly; a high-traffic Web site is an ideal application. You can also put a packet filter at your corporate border. Perhaps you need only ports such as SSH (TCP 22) or Remote Desktop Protocol (RDP, TCP 3389) open for remote administration, and a VPN for remote access by users. Perfect: none of the cons below applies to these protocols, and you don't need anything fancy to get the job done.

Rapid Implementation

Quick deployment is also a major plus for packet filters. As long as you know the necessary ports and/or subnets, you can have a packet filter set up in minutes. There are no complicated rule sets and no extra protocols to deal with. What ports do you need open, and where can the traffic come from? Answer those two questions and you are on your way. While packet filters have the advantages of speed and simplicity, they suffer from security problems and other limitations that more complicated firewalls do not.

Less Secure

Because packet filters are basic and inspect only headers, they are less secure than an application proxy. They pass anything arriving from a permitted subnet to a permitted port, no questions asked; whether the payload is a legitimate request or an exploit for the service listening on that port is not their concern.

Port Limitations

Packet filters do not track where an incoming packet came from or ensure that the return packet goes to the same location (see "Stateful Inspection"). This also means that a conversation cannot be followed when an application moves from a lower, static port to a higher, dynamic one. Remember the high dynamic ports we discussed earlier? Many applications use these after making the initial handshake, once the two machines agree how to communicate; the application requests a move to a higher port to free the lower static port for other initial handshakes. With a packet filter, supporting this requires opening most, if not all, of the dynamic ports, which of course makes the firewall useless. The Windows mail client, Outlook, and its server, Exchange, demonstrate this well. Initial communication goes to the RPC endpoint mapper on TCP port 135. Once the connection is established and authenticated, Exchange directs the client to a dynamically assigned high port for the actual mail traffic. By default this could be any of a large range of ports, which would require far too many holes in a packet filter. FTP, a "standard" protocol, can behave strangely through a packet filter. Commands travel over the control connection on port 21, but file data travels over a separate data connection: in active mode the server connects back from port 20 to a high port chosen by the client, and in passive mode the client connects to a high port chosen by the server. Either way, one end of the data connection is a port the filter cannot know in advance, so many packet filters fail to pass it and the file transfer is interrupted.

Stateful Inspection

The stateful inspection gateway is the standard type of firewall deployed to protect servers and other network resources. Many companies provide this type of firewall with varying degrees of features (explored in article 4). For now, let's look at how these firewalls work in general.
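To make the FTP case under "Port Limitations" concrete, here is an added example (not code from the original article) of what an FTP-aware stateful firewall does that a packet filter cannot: it reads the `PORT` command and the `227` passive-mode reply off the control channel, decodes the RFC 959 address encoding, and derives the single data-connection 5-tuple to open. It also refuses a `PORT` that names a third party, which is the FTP bounce check from RFC 2577. The control-channel lines and addresses are constructed for the example, and the function names are this example's own.

```python
import re
from typing import Tuple

# RFC 959 encodes an address as six decimal octets "h1,h2,h3,h4,p1,p2" where the
# port is p1*256 + p2.  The client sends "PORT ..." for active mode; the server
# answers PASV with "227 Entering Passive Mode (...)".
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups: Tuple[str, ...]) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("FTP address octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(line: str) -> Tuple[str, int]:
    """Client PORT command -> (ip, port) the client will listen on for data."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PORT command")
    return _decode(m.groups())


def parse_pasv(line: str) -> Tuple[str, int]:
    """Server 227 reply -> (ip, port) the server is listening on for data."""
    m = _PASV_RE.match(line.strip())
    if m is None:
        raise ValueError("not a 227 passive-mode reply")
    return _decode(m.groups())


def active_data_pinhole(client_ip: str, server_ip: str, port_line: str) -> tuple:
    """Active mode: the server connects FROM port 20 TO the address given in PORT.

    A stateless filter in front of the client would have to permit inbound TCP
    from source port 20 to every ephemeral port.  An FTP-aware stateful firewall
    instead opens only this 5-tuple, for the duration of the transfer.
    """
    ip, port = parse_port(port_line)
    if ip != client_ip:
        # RFC 2577: a PORT address that is not the control connection's peer is
        # an FTP bounce attempt; never open a hole toward a third party.
        raise ValueError("PORT address does not match the control connection peer")
    if port < 1024:
        raise ValueError("PORT to a privileged port refused")
    return ("tcp", server_ip, 20, ip, port)


def passive_data_pinhole(client_ip: str, server_ip: str, pasv_line: str) -> tuple:
    """Passive mode: the client connects from any port to the address in the 227 reply."""
    ip, port = parse_pasv(pasv_line)
    if ip != server_ip:
        raise ValueError("227 address does not match the control connection peer")
    return ("tcp", client_ip, "any", ip, port)


if __name__ == "__main__":
    # Constructed control-channel lines: client 192.168.50.23, server 203.0.113.10.
    print(active_data_pinhole("192.168.50.23", "203.0.113.10", "PORT 192,168,50,23,19,137"))
    print(passive_data_pinhole("192.168.50.23", "203.0.113.10",
                               "227 Entering Passive Mode (203,0,113,10,195,80)."))
```

Note that the pinhole can only be derived because the firewall reads the application payload on port 21; a filter that sees only headers has nothing to work from, which is exactly why the FTP data connection stalls behind it.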

Technical Description

Stateful inspection is important to security because it provides a deeper level of filtering than the access control lists (ACLs) found in routers, which filter only on header information. Firewalls that perform stateful inspection analyze individual packets as they traverse the firewall. In addition to the packet header, many stateful inspection products also assess the payload and understand the application protocol, so they can filter on the source, destination, and service requested by the packet. The term "stateful inspection" refers to the firewall's ability to remember the status of a connection and thereby build a context for each data stream in its memory. With this information available, the firewall can make more informed policy decisions. Stateful inspection is several steps below an application proxy, but much better than a packet filter. The firewall keeps track of the TCP SYN/ACK packets that initiate and continue the conversation between two machines in a connection table; a packet that does not belong to a connection in the table is dropped, whatever flags it carries. UDP flows are tracked in a similar fashion, but the table is far less complete, because UDP has no handshake: the firewall simply remembers the outbound datagram's addresses and ports and permits matching replies for a short time. Stateful inspection firewalls also handle protocols such as Generic Routing Encapsulation (GRE, IP protocol 47, used by PPTP VPNs) and ICMP. All of these firewalls have the concept of "inside" versus "outside." While there may be several insides with various levels of security (private, users, DMZ, and so forth), there is only one outside and it is completely untrusted. By default, nothing is permitted to cross the firewall from the outside. Conversely, devices on a higher-security interface, such as users, are permitted access to a lower-security interface such as the DMZ or the outside. All of these parameters are configurable; however, before we begin discussing the configuration, let's get a better understanding of how a firewall decides what can and cannot pass through.
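As an added example (not code from the original article), the connection table and interface security levels just described, reduced to a few dozen lines of Python. Interface names, security levels, the routing table, and the idle timeouts are assumptions chosen for the example; the TCP handshake tracking, UDP pseudo-state with expiry, the default "higher level may initiate toward lower level" policy, and the drop of a flag-only ACK with no table entry are the behaviour the text describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # ingress interface: "inside", "dmz" or "outside"
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False
    rst: bool = False


# Interface security levels: a new connection may only be started from a
# higher level toward a lower one (inside -> dmz -> outside).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed routing table: which interface a destination lives behind.
NETWORKS = {
    "inside": ipaddress.ip_network("192.168.0.0/16"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
}

# Idle timeouts (seconds) per table-entry state; values chosen for the example.
TIMEOUT = {"SYN_SENT": 30.0, "ESTABLISHED": 3600.0, "UDP": 30.0}

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport) from the initiator's view


def egress_iface(dst: str) -> str:
    addr = ipaddress.ip_address(dst)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "outside"


@dataclass
class Entry:
    state: str        # "SYN_SENT", "ESTABLISHED" or "UDP"
    init_iface: str   # interface the initiator sits behind
    last_seen: float


class StatefulFirewall:
    """Connection table keyed by the initiator's 5-tuple."""

    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    @staticmethod
    def _fwd(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        for k in [k for k, e in self.table.items() if now - e.last_seen > TIMEOUT[e.state]]:
            del self.table[k]

    def process(self, p: Packet, now: float) -> str:
        """Returns "permit" or "deny" for one packet arriving at time `now`."""
        self._expire(now)
        key, from_initiator = self._fwd(p), True
        if key not in self.table:
            key, from_initiator = self._rev(p), False
        entry = self.table.get(key)
        if entry is None:
            return self._new_connection(p, now)
        # Anti-spoofing: the initiator's packets must keep arriving on the
        # initiator's interface, and the responder's on some other one.
        if from_initiator != (p.iface == entry.init_iface):
            return "deny"
        if p.proto == "tcp" and p.rst:
            del self.table[key]
            return "permit"
        if entry.state == "SYN_SENT":
            if from_initiator:
                if not (p.syn and not p.ack):      # only a retransmitted SYN is in order here
                    return "deny"
            elif p.syn and p.ack:                  # responder's SYN/ACK completes the handshake
                entry.state = "ESTABLISHED"
            else:
                return "deny"
        entry.last_seen = now
        return "permit"

    def _new_connection(self, p: Packet, now: float) -> str:
        # Default policy: nothing starts a connection toward an equal or higher level.
        if SECURITY_LEVEL[p.iface] <= SECURITY_LEVEL[egress_iface(p.dst)]:
            return "deny"
        if p.proto == "tcp":
            if not p.syn or p.ack:
                return "deny"   # a bare ACK with no table entry belongs to no conversation
            self.table[self._fwd(p)] = Entry("SYN_SENT", p.iface, now)
        elif p.proto == "udp":
            self.table[self._fwd(p)] = Entry("UDP", p.iface, now)   # pseudo-state for UDP
        else:
            return "deny"
        return "permit"
```

Compare the ACK case with the stateless filter: the same packet that a flag-based "established" rule admits is denied here, because admission depends on a table entry created by an earlier outbound SYN, not on anything the attacker controls in the packet. The `init_iface` check is the cheap anti-spoofing step a real firewall performs with its routing table.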
