Firewalls

A firewall provides a single point of defense between networks and protects one network from the others.

It is a system or group of systems that enforces a control policy between two or more networks (access control, flow control, and content control).

It is a network gateway that enforces the rules of network security.

Minimizes local vulnerabilities.

Evaluates each network packet against the policies of network security.

Can monitor all the network traffic and alert to any attempts to bypass security or to any patterns of inappropriate use.

Can be hardware or software-based.

Security/Network Services

  • NAT (Network Address Translation).

  • Authorization.

    • Flows (packet filtering).

    • Users (application and circuit level).

  • Redirecting.

    • To specific machines.

    • Proxying.

  • Content analysis.

  • Secure communication.

    • Site-to-site VPN.

      • IPsec.

    • Remote-access VPN.

  • DoS and DDoS detection and defense.

Types

  • Network-Level Firewalls (L2/L3).

    • Packet filtering.

    • Inspect packet headers and filter traffic based on:

      • the source and destination IP addresses, the port, and the service (L3).

      • the source and destination MAC addresses (L2).

  • Circuit-Level Firewalls (L4).

    • Monitor the TCP handshake between endpoints to make sure a session is legitimate.

    • Traffic is filtered based on specified session rules.

  • Application-Level Firewalls (L4+).

    • Application-level firewalls are sometimes called proxies.

    • Look more deeply into the application data.

    • Consider the context of client requests and application responses.

    • Attempt to enforce correct application behavior and block malicious activity.

    • Application-level filtering may also include protection against spam and viruses, as well as blocking undesirable websites based on their content rather than just their IP address.

    • These are slow and resource-consuming tasks.

  • Stateful Multi-level Firewalls (L*).

    • Filter packets at the network level while also recognizing and processing application-level data.

    • Since they don't employ proxies, they have reasonably good performance even when performing deep packet analysis.

  • Host Level / Personal Firewalls.

    • Act only within a specific host.

    • Filter all communication layers.

    • Control OS processes/applications.

Deploying

A network must be protected at multiple levels and locations.

Stateful vs. Stateless

Stateless firewalls

Control traffic by applying rules to single frames/packets.

  • Do not need to track traffic flows/sessions.

Rules are based on specific values in the available frame/packet headers.

  • A set of basic permit/deny actions for input and output based on IP addresses, UDP/TCP ports, etc.

  • Usually called an ACL (Access List).

They are fast and consume very low computing resources.

  • Perform well under heavy traffic load.

  • Ideal for defense against DDoS attacks in the first line of network defense.

  • Cost-effective compared with stateful firewall types.

Stateful firewalls

Monitor all traffic flows/sessions.

Control traffic based on the connection state of a flow/session.

  • Automatic bidirectional rules (reflexive rules).

The connection state is maintained in a state table.

  • State tables must be synchronized with other firewalls when in a redundant scenario (load balancing) or high-availability scenario (backup upon failure).

Zones/Groups

A network can be divided into multiple zones/groups with different security levels.

  • Collections of IP addresses, networks, or ports.

Once created, a group can be referenced by firewall rules as either a source or destination.

Example: a Demilitarized Zone (DMZ) is a perimeter network outside the protected internal/private network.

  • Used to place public servers/services.

  • The DMZ is a "semi-protected" zone.

    • It must be assumed that any machine placed on the DMZ is at risk.
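The following is an added example, not code from the original notes, that ties together the two preceding sections: rules reference named groups of networks (INTERNAL, DMZ, ANY) as source or destination, and the same policy is evaluated once with stateless ACL semantics (first match wins, implicit deny) and once by a stateful engine that keeps a state table and applies automatic reflexive rules for return traffic. The group names, addresses (RFC 5737 documentation ranges), ports and packets are all constructed for the demonstration.

```python
"""Toy firewall engine: group/zone-based rules evaluated either statelessly
(ACL semantics) or statefully (state table with reflexive return rules).
Constructed teaching example; the groups, policy and packets are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Groups: named collections of networks that rules reference as source/destination.
GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "INTERNAL": [ipaddress.ip_network("10.0.0.0/8")],
    "DMZ": [ipaddress.ip_network("192.0.2.0/24")],
    "ANY": [ipaddress.ip_network("0.0.0.0/0")],
}


def in_group(ip: str, group: str) -> bool:
    """True if the address belongs to any network of the named group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GROUPS[group])


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # TCP SYN: first packet of a new connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src_group: str
    dst_group: str
    dst_ports: frozenset  # empty set means any destination port

    def matches(self, p: Packet) -> bool:
        return (in_group(p.src_ip, self.src_group)
                and in_group(p.dst_ip, self.dst_group)
                and (not self.dst_ports or p.dst_port in self.dst_ports))


# Policy: internal hosts may reach anything; anyone may reach DMZ web services;
# a DMZ host (assumed to be at risk) must never initiate traffic inward.
POLICY = [
    Rule("permit", "INTERNAL", "ANY", frozenset()),
    Rule("permit", "ANY", "DMZ", frozenset({80, 443})),
    Rule("deny", "DMZ", "INTERNAL", frozenset()),  # explicit, on top of the implicit deny
]


def stateless_decide(p: Packet, policy=POLICY) -> str:
    """ACL semantics: the first matching rule wins; unmatched packets are denied."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Keeps a state table of permitted flows and lets their return traffic through."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.state: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        if self._reverse(p) in self.state:  # reflexive rule: reply of a known flow
            return "permit"
        if self._key(p) in self.state:      # further packets of a known flow
            return "permit"
        if p.proto == "tcp" and not p.syn:  # mid-stream TCP with no state: drop
            return "deny"
        verdict = stateless_decide(p, self.policy)
        if verdict == "permit":             # new flow allowed by policy: record it
            self.state.add(self._key(p))
        return verdict


def demo() -> Dict[str, str]:
    """Same packets through both engines; the reply is only handled correctly statefully."""
    request = Packet("10.0.0.5", 49152, "192.0.2.10", 443, syn=True)
    reply = Packet("192.0.2.10", 443, "10.0.0.5", 49152, ack=True)
    # Unsolicited DMZ -> internal connection attempt with a web source port.
    unsolicited = Packet("192.0.2.10", 443, "10.0.0.99", 3389, syn=True)
    fw = StatefulFirewall()
    return {
        "stateless_request": stateless_decide(request),
        "stateless_reply": stateless_decide(reply),  # deny: ACL needs an explicit return rule
        "stateful_request": fw.decide(request),
        "stateful_reply": fw.decide(reply),          # permit via the state table
        "stateful_unsolicited": fw.decide(unsolicited),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stateless engine denies the server's reply because no rule covers DMZ to INTERNAL traffic, so a pure ACL would need an extra rule (typically on source port or TCP flags) that also opens the door to unsolicited packets crafted to look like replies. The stateful engine permits the reply only because the outbound request was recorded first, and still denies a fresh DMZ-originated connection to an internal host, which is the behaviour the DMZ "at risk" assumption calls for.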

Virtual Instances

Firewalls may have (theoretically) isolated instances to handle different zones/groups.

Each instance is a virtual device that can perform flow control, switching, and/or routing.

Placement (with Redundancy)
