Firewalls 1
This week's topic in COMSYS 316 focuses on firewalls and intrusion prevention systems (IPS). Before delving into the subject matter, the instructor reminds the class about the ongoing set evaluation online, which provides bonus marks upon submission of proof to the assignment Dropbox.
Firewalls serve as a protection mechanism for local and organizational systems against security threats and are essential in today’s interconnected world. The evolution of information systems from centralized data processing with mainframes to enterprise and cloud computing systems necessitates robust Internet connectivity, which creates new security challenges faced by organizations.
An analogy used to explain firewalls relates to a house that requires protection; just as a solid fence can deter an attacker, a well-configured firewall acts as a safeguard for organizational systems. However, poor configuration can lead to vulnerabilities, allowing attackers to bypass defenses.
The lecture highlights the two main types of firewalls:
External Firewalls: Positioned between the internal network and the Internet, these firewalls are the first line of defense, controlling all inbound and outbound traffic to reinforce perimeter security.
Internal Firewalls: These provide additional protection against threats originating internally, reinforcing a defense-in-depth strategy.
All traffic must be filtered through perimeter firewalls.
Only authorized traffic should pass based on policies defined by security personnel.
Regularly hardening the firewall against attacks is also crucial; this involves applying best practices such as firmware updates and security patches.
The heart of a firewall is its access policy, or firewall policy, which comprises rules to filter traffic and protect an organization’s information systems. Two types of filtering are mentioned:
Ingress Filtering: Controls incoming traffic.
Egress Filtering: Controls outgoing traffic.
Firewalls should be developed based on an organization’s specific security risk assessments, and they should start broadly before refining down to more specific implementations compatible with the existing infrastructure. Two default policies are contrasted:
Disallow List: The default is to allow all packets except those explicitly listed as disallowed. While this approach has the advantage of being easier to get started with, it poses risks since unknown traffic may pass through.
Allow List: The opposite approach, where all traffic is denied by default unless it’s on an allow list. This method is generally more secure as it explicitly defines what traffic is permitted.
NIST guidelines offer parameters for firewall policies, including:
IP address and protocol filtering, which looks at source and destination attributes.
Application protocol filtering focused on data exchanges for specific protocols.
User identity verification through secure authentication.
Monitoring of network activity, identifying unusual traffic patterns as potential threats.
A firewall provides a single choke point, which simplifies security management.
It supports monitoring and auditing functions that track security-related events.
It can also perform additional functions such as address translation and management tasks (e.g., usage logging).
Firewalls cannot protect against attacks that do not go through them or from well-placed malicious insiders.
Internal security issues may arise from personal devices that connect to the network.
They may not provide complete security against wireless LAN vulnerabilities.
Packet Filtering Firewalls: These check incoming and outgoing packets based on defined rules regarding IP addresses, ports, and protocols.
Stateful Inspection Firewalls: Extend packet filtering by keeping track of the state of active connections, providing more contextual filtering.
Application Proxy Firewalls: Operate at the application layer to control traffic by using application-specific logic.
Circuit Level Proxy Firewalls: Function at the transport layer and establish a virtual circuit, monitoring connections between hosts.
The instructor discusses how packet filtering firewalls evaluate packets using sets of rules, permitting or denying traffic based on attributes like source/destination IP addresses and port numbers. Proper logging is important for security analysis but remains limited in depth.
Their advantages are simplicity and fast throughput for network traffic.
They are also transparent to users.
Their disadvantages: they are limited to examining the network layer and cannot mitigate application-layer attacks.
They are vulnerable to TCP/IP stack issues and misconfigurations, which can lead to security breaches.
They are unable to address source routing attacks effectively.
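As an added illustration (not material from the lecture), the following Python model evaluates packets against a first-match rule list the way a packet filter does, applies either the allow-list (default deny) or disallow-list (default allow) policy discussed above, and optionally remembers permitted connections the way a stateful inspection firewall does. The rules, addresses and sample traffic are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction is "ingress" (into the protected network) or "egress"; a Rule's src/dst are CIDRs
# ("0.0.0.0/0" = any), dport None matches any port, and action is "allow" or "deny".
Packet = namedtuple("Packet", "direction proto src sport dst dport")
Rule = namedtuple("Rule", "direction proto src dst dport action")

def matches(rule, p):
    return (rule.direction == p.direction and rule.proto == p.proto
            and ip_address(p.src) in ip_network(rule.src)
            and ip_address(p.dst) in ip_network(rule.dst)
            and rule.dport in (None, p.dport))

class Firewall:
    # default="deny" is the allow-list policy, default="allow" the disallow-list policy.
    # stateful=True passes packets of an already-permitted connection without re-checking rules.
    def __init__(self, rules, default="deny", stateful=True):
        self.rules, self.default, self.stateful = rules, default, stateful
        self.connections = set()  # 5-tuples of connections an allow rule has admitted

    def decide(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and (flow in self.connections or reply in self.connections):
            return "allow"
        for rule in self.rules:  # first matching rule wins
            if matches(rule, p):
                if rule.action == "allow":
                    self.connections.add(flow)
                return rule.action
        return self.default  # nothing matched: the default policy decides

# Constructed policy: hosts in 10.0.0.0/8 may open HTTPS outbound; only mail server 10.0.0.5 accepts SMTP.
RULES = [
    Rule("egress", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
    Rule("ingress", "tcp", "0.0.0.0/0", "10.0.0.5/32", 25, "allow"),
]

# Constructed traffic: outbound HTTPS request, its reply, an unsolicited inbound probe, inbound mail.
PACKETS = [
    Packet("egress", "tcp", "10.0.0.7", 51000, "203.0.113.10", 443),
    Packet("ingress", "tcp", "203.0.113.10", 443, "10.0.0.7", 51000),
    Packet("ingress", "tcp", "198.51.100.9", 40000, "10.0.0.7", 443),
    Packet("ingress", "tcp", "198.51.100.9", 40000, "10.0.0.5", 25),
]

def evaluate(default="deny", stateful=True):
    fw = Firewall(RULES, default, stateful)
    return [fw.decide(p) for p in PACKETS]
```

Run `evaluate()` for the stateful allow-list policy, `evaluate(stateful=False)` to see the reply packet dropped by a plain packet filter, and `evaluate(default="allow")` to see the disallow-list policy let the unsolicited probe through.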
The lecture concludes with an overview of the limitations that packet filtering firewalls face, particularly against sophisticated attacks. Further exploration of different firewall technologies and configurations will continue in subsequent classes.