Guide to Network Defense and Countermeasures - Chapter 9: Firewalls

Definition: A firewall is a hardware or software solution configured to block unauthorized network access.
Firewalls have limitations:
- They cannot protect against malicious insiders who may send proprietary information outside the organization or copy confidential information to disk.
- They also cannot protect connections that bypass them, such as remote dial-up connections.

A network firewall consists of a combination of multiple software and hardware components. The term 'firewall perimeter' might be more descriptive.
Historical Context: The earliest firewalls utilized packet filtering, with a single packet-filtering router placed at the network perimeter.
Consumer Firewalls: Examples include Norton Security Suite Firewall and ZoneAlarm.

Personal Firewalls: Establish rules for blocking traffic on a case-by-case basis; often prompt the user regarding whether traffic should be allowed.
Example: Check Point NGX firewall is designed to protect and monitor large-scale networks.
Firewall Appliances: Self-contained hardware devices added to networks, such as the Cisco PIX.

Firewalls are not a standalone solution. They cannot protect from internal threats and thus require:
- A strong security policy and employee education.
- A policy that includes strict procedures for keeping patches updated and checking for vulnerabilities.
- Combination with other technologies such as antivirus software and Intrusion Detection and Prevention Systems (IDPS).
Defense in Depth (DiD): A layered defense strategy that encompasses an IDPS, firewalls, antivirus software, access control, and auditing.

Core Functions of Firewalls:
- Filtering: Controls what data can pass through the firewall.
- Proxying: Acts as an intermediary between users and the services they access.
- Logging: Records actions and traffic that pass through the firewall.
Types of Firewalls: The following sections cover the two main categories:
- Software-based firewalls
- Hardware-based firewalls

Description: Software firewalls are programs that may be integrated with hardware devices to strengthen security; they require extensive configuration.
Free Firewall Programs: Often have inadequate logging and configuration capabilities. Popular options include:
- Netfilter
- ZoneAlarm

Personal Firewalls: Positioned between the Ethernet adapter driver and the TCP/IP stack, these firewalls inspect traffic flow. Popular examples include:
- CA Internet Security Suite
- Norton Internet Security
- Kaspersky Internet Security
These options typically do not offer extensive firewall protection.
Enterprise Firewalls: Offer centralized management and can manage multiple installations from one location. Examples include:
- Check Point NGX
- Proventia Security Products
Features may include user authentication, NAT, and encryption.

Advantages:
- Do not rely on conventional operating systems, leading to generally better scalability than software firewalls.
- Capable of handling larger data volumes with faster throughput.
Disadvantages:
- They do rely on non-conventional operating systems and can be more expensive than software solutions.
Examples:
- Cisco ASA Series
- Fortinet FortiGate Series
- Barracuda NG Firewall

Type of Firewall	Advantages	Disadvantages
Software Freeware	Small file size, ease of installation	Minimal features, lack of support
Software Commercial Personal	Economical, auto-configuration for novice users	Less robust than enterprise products
Software Commercial Enterprise	Installed on a dedicated host for security, centralized admin	Can be costly and complex to configure
Hardware Appliances	More scalable, faster throughput	Expensive and difficult to patch

Firewalls utilize different packet filtering strategies, which depend on component positions within the network perimeter.

Process: This filtering method determines whether to allow or block packets based on their protocol headers.
Common Header Features:
- IP address
- Ports
- TCP flags
Advantages: Cost-effective and simple.
Disadvantages: Hard to maintain, susceptible to IP spoofing, and lacks authentication.

Description: Maintains a record of connections established between internal hosts and other computers using a state table.
Function: Allows inbound packets known to be part of connections that have already been established.
Advantages: More secure than stateless filtering.

A state table might record all established connections with source IPs, destination IPs, ports, and connection states.

Recognized as one of the most user-friendly packet filters, allowing detailed control over traffic:
- Control Over Program Traffic: Windows Firewall allows users to limit program-specific traffic and create detailed rules based on protocols, ports, and IP addresses.

Placement Considerations:
- Firewalls should be placed between the Internet and a host to track all inbound/outbound traffic.
- Operation between a proxy server and the Internet to handle traffic securely while hiding internal IP addresses.

Rule Base Definition: A rule base dictates how a firewall reacts to various types of traffic.
Best Practices for Rule Base:
- Align with the organization’s security policy.
- Maintain simplicity to ensure quick processing.
- Specify access restrictions to internal network ports and subnets.
- Control access to Internet services effectively.

Rules should allow certain types of traffic, restrict others, and maintain clear operational orders.

Firewall Functionality: Firewalls act as protective tools against unauthorized access.
Importance of Configuration: They need to be configured correctly to avoid potential vulnerabilities while allowing necessary traffic.
Foundation for Rule Bases: Rule bases should be concise and reflect the organization’s security posture and policies effectively, ensuring comprehensive yet manageable control over network traffic.