3 Components of a network security system
3.2 Firewall

A firewall is a typical border control mechanism, or perimeter defence. Its purpose is to prevent unauthorized access to or from a network by blocking unwanted traffic coming from outside or from inside that network.

All data entering or leaving the network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. Firewalls can be implemented in hardware, in software, or as a combination of the two [8].

Firewalls enforce the security policies of an organization by restricting access to specific network resources. In the physical security analogy, a firewall is the equivalent of a lock on a perimeter door or on the door to a room inside the building: it admits only authorized users, such as those holding a key or an access card. Firewall technology is available even in versions suitable for home use. The firewall creates a protective layer between the network and the outside world. In effect, it stands in for the network at its point of entry, receiving and forwarding authorized data without significant delay, while its filters keep unauthorized or potentially dangerous material from reaching the real systems behind it. Firewalls also provide an important logging and auditing function: they typically give the network administrator summaries of the type and volume of traffic that has passed through them, including attempted intrusions.
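As an illustration of the logging and auditing function, the following added example (not from the original text or from any particular firewall product) parses a handful of constructed log lines written in the style of Linux netfilter LOG output, summarizes traffic volume by action and destination port, and flags external sources whose dropped packets touched several distinct ports, a crude indicator of the attempted intrusions such a summary should surface. The FW-ACCEPT/FW-DROP log prefixes, the addresses and the three-port threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in the style of Linux netfilter LOG output.
# The "FW-ACCEPT"/"FW-DROP" prefixes are assumed rule log prefixes, not a fixed format.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.3 PROTO=TCP SPT=51514 DPT=80 SYN
Mar  3 10:00:02 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.2 PROTO=TCP SPT=40221 DPT=25 SYN
Mar  3 10:00:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 PROTO=TCP SPT=60000 DPT=22 SYN
Mar  3 10:00:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 PROTO=TCP SPT=60001 DPT=23 SYN
Mar  3 10:00:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 PROTO=TCP SPT=60002 DPT=3389 SYN
Mar  3 10:00:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.2 PROTO=TCP SPT=60003 DPT=445 SYN
Mar  3 10:00:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.3 PROTO=TCP SPT=60004 DPT=8080 SYN
Mar  3 10:00:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=192.168.1.3 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:00:06 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.3 PROTO=TCP SPT=51515 DPT=80 SYN
"""

# Pull out the fields the summary needs; SPT/DPT are optional because ICMP lines carry neither.
LINE_RE = re.compile(
    r"kernel: (?P<action>FW-\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_log(text):
    """Return one dict per parseable log line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Volume by action and the busiest destination ports: the summary an administrator reviews."""
    by_action = Counter(e["action"] for e in events)
    dports = Counter(e["dpt"] for e in events if e["dpt"])
    return {"by_action": dict(by_action), "top_dports": dports.most_common(3)}

def suspected_scanners(events, min_ports=3):
    """Flag sources whose dropped packets touched at least `min_ports` distinct destination
    ports, a simple port-scan heuristic. The threshold is an assumption, not a standard."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e["action"] == "FW-DROP" and e["dpt"]:
            ports_by_src[e["src"]].add(int(e["dpt"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(summarize(ev))
    print(suspected_scanners(ev))
```

On the sample data the summary reports three accepted and six dropped packets, and the scan heuristic singles out 203.0.113.5, whose probes of five different ports were all denied, while the lone dropped mDNS packet from 192.0.2.44 stays below the threshold.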

NIST Special Publication 800-41 [9] divides firewalls into three basic types: packet filters, stateful inspection firewalls and proxies. These categories are not mutually exclusive: most modern firewalls combine abilities that would place them in more than one of the three.

Packet filter firewalls are essentially routing devices that add access control based on system addresses and communication sessions; they can also filter network traffic on other characteristics of that traffic, such as protocol and port. They are normally deployed within TCP/IP network infrastructures. Their main strengths are speed and flexibility; their most relevant weakness is that, because they do not examine upper-layer data, they cannot prevent attacks that exploit application-specific vulnerabilities.

Table 1 shows a sample packet filter firewall rule set, adapted from [9]. The rules are evaluated top-down and the first match wins. Rule 1 illustrates the central weakness of stateless filtering: the filter cannot know whether a packet arriving at an internal port above 1023 is a genuine reply to an outgoing connection, so it must admit every such packet, including unsolicited connection attempts to those ports. And since 192.168.1.1 lies within the 192.168.1.0 subnet, rule 1 also admits such packets to the firewall itself before rule 3 can deny them. Closing this hole is the motivation for the stateful inspection described below.

Rule | Source Address | Source Port | Destination Address | Destination Port | Action | Description
---- | -------------- | ----------- | ------------------- | ---------------- | ------ | -----------
1    | Any            | Any         | 192.168.1.0         | > 1023           | Allow  | Allow return TCP connections to the internal subnet
2    | 192.168.1.1    | Any         | Any                 | Any              | Deny   | Prevent the firewall system itself from directly connecting to anything
3    | Any            | Any         | 192.168.1.1         | Any              | Deny   | Prevent external users from directly accessing the firewall system
4    | 192.168.1.0    | Any         | Any                 | Any              | Allow  | Internal users can access external servers
5    | Any            | Any         | 192.168.1.2         | SMTP             | Allow  | Allow external users to send email in
6    | Any            | Any         | 192.168.1.3         | HTTP             | Allow  | Allow external users to access the WWW server
7    | Any            | Any         | Any                 | Any              | Deny   | Everything not previously allowed is explicitly denied

Stateful inspection firewalls, also known as dynamic packet filters, monitor the state of active connections and use this information to decide which packets to allow through. Rather than judging each packet in isolation, they record session information such as IP addresses, port numbers and TCP flags in a state table and check values in the transport-layer protocol headers against it over the lifetime of each connection, which allows a much tighter security posture: outgoing packets that request specific types of incoming packets are tracked, and only incoming packets that constitute a proper response are allowed through. Each new packet is compared with the state table to determine whether its state contradicts the expected state of its connection. Traditional stateful inspection firewalls still do not inspect the data payload of network packets, and they lack the fine-grained intelligence to distinguish one kind of Web traffic from another, so they cannot separate legitimate application requests from attacks carried inside them.
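To make the difference between Table 1's stateless rules and a state table concrete, the following added example (not part of the original text or of [9]) encodes the seven rules of Table 1 with first-match semantics and evaluates the same packets against a plain packet filter and against a stateful filter that replaces rule 1 with a connection table. It assumes that 192.168.1.0 in the table denotes the 192.168.1.0/24 subnet, that SMTP and HTTP stand for TCP ports 25 and 80, and that each packet carries a flag marking a connection-opening segment; the addresses and ports in the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumption: Table 1's "192.168.1.0" means this /24
SERVICE_PORTS = {"SMTP": 25, "HTTP": 80}            # assumption: service names map to these TCP ports

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True: connection-opening segment; False: a reply inside an existing connection

def _match_addr(pattern, addr):
    if pattern == ANY:
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return addr == pattern

def _match_port(pattern, port):
    if pattern == ANY:
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == SERVICE_PORTS[pattern]

def _matches(rule, pkt):
    src, sport, dst, dport, _ = rule
    return (_match_addr(src, pkt.src) and _match_port(sport, pkt.sport)
            and _match_addr(dst, pkt.dst) and _match_port(dport, pkt.dport))

# Table 1 as (source addr, source port, dest addr, dest port, action); evaluated top-down, first match wins.
RULES = [
    (ANY, ANY, "192.168.1.0/24", ">1023", "Allow"),   # 1: "return" traffic to internal hosts
    ("192.168.1.1", ANY, ANY, ANY, "Deny"),           # 2: firewall may not originate connections
    (ANY, ANY, "192.168.1.1", ANY, "Deny"),           # 3: nobody may connect to the firewall
    ("192.168.1.0/24", ANY, ANY, ANY, "Allow"),       # 4: internal users may reach external servers
    (ANY, ANY, "192.168.1.2", "SMTP", "Allow"),       # 5: inbound mail
    (ANY, ANY, "192.168.1.3", "HTTP", "Allow"),       # 6: inbound web
    (ANY, ANY, ANY, ANY, "Deny"),                     # 7: default deny
]

def stateless_filter(pkt):
    """Packet filter: judge each packet on its headers alone. Returns (action, matching rule number)."""
    for n, rule in enumerate(RULES, start=1):
        if _matches(rule, pkt):
            return rule[4], n
    raise RuntimeError("unreachable: rule 7 matches everything")

class StatefulFilter:
    """Same policy, but rule 1 is replaced by a state table: a packet arriving at an internal high
    port is accepted only if it belongs to a connection the filter saw being opened and allowed."""
    def __init__(self):
        self.state = set()   # allowed flows as (src, sport, dst, dport), recorded on the opening segment

    def filter(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state or reverse in self.state:
            return "Allow", "state"        # part of a tracked connection, in either direction
        for n, rule in enumerate(RULES, start=1):
            if n == 1:
                continue                   # the state table does rule 1's job, without the hole
            if _matches(rule, pkt):
                if rule[4] == "Allow" and pkt.syn:
                    self.state.add(flow)   # remember the connection so its replies get through
                return rule[4], n
        raise RuntimeError("unreachable: rule 7 matches everything")

if __name__ == "__main__":
    sf = StatefulFilter()
    for p in [
        Packet("192.168.1.10", 51000, "93.184.216.34", 443),              # internal host opens HTTPS
        Packet("93.184.216.34", 443, "192.168.1.10", 51000, syn=False),  # server's reply
        Packet("203.0.113.5", 4444, "192.168.1.10", 5000),               # unsolicited probe of a high port
        Packet("203.0.113.5", 4444, "192.168.1.1", 8080),                # probe of the firewall itself
        Packet("203.0.113.5", 4444, "192.168.1.2", 25),                  # inbound mail
        Packet("192.168.1.1", 40000, "93.184.216.34", 80),               # firewall trying to connect out
    ]:
        print(p, "stateless:", stateless_filter(p), "stateful:", sf.filter(p))
```

Run stand-alone, the script prints each packet with the verdict and the rule that produced it under both models. The two unsolicited probes show the gap: the stateless filter admits them under rule 1, because it cannot know that no internal host asked for them, whereas the stateful filter accepts packets to high internal ports only when they belong to a tracked connection and otherwise falls through to rule 3 or the default deny. The genuine reply is allowed by both, but for different reasons: rule 1 in one case, the state table in the other.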

Proxy firewalls, or application gateway firewalls, terminate each connection at the firewall and open a second connection to the destination on the client's behalf, so no packet passes directly between the two networks. They combine stateful inspection with the ability to perform deep application inspection: the proxy understands application-layer protocols such as HTTP and FTP, compares observed traffic with the behaviour of benign protocol activity, and treats deviations as possible signs of attack. This lets the firewall allow or deny access based on how an application actually behaves on the network, rather than on addresses and ports alone.
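The following added example (not from the original text or from any real proxy product) shows the kind of application-layer check an HTTP proxy firewall performs before forwarding a request: it parses the request head, rejects anything that deviates from well-formed HTTP/1.x as the policy expects it, and returns the parsed fields for a request it would relay. The allowed-method list, the header size limit and the sample requests are assumptions constructed for the example.

```python
import re

# Policy assumptions for the example: which methods the protected web server should see,
# and how large a request head the proxy is willing to buffer before giving up.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_HEAD_BYTES = 8192

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token (header field names)
TARGET_RE = re.compile(r"^/\S*$")                          # origin-form request target, no whitespace

def inspect_http_request(raw: bytes):
    """Parse an HTTP/1.x request head the way an application proxy does and decide whether to
    forward it. Returns ("Deny", reason) for anything that deviates from well-formed, expected
    protocol behaviour, or ("Allow", parsed_fields) for a request the proxy would relay."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "Deny", "incomplete request head"
    if len(head) > MAX_HEAD_BYTES:
        return "Deny", "request head too large"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "Deny", "non-ASCII bytes in request head"
    if any("\r" in line or "\n" in line for line in lines):
        return "Deny", "bare CR or LF in request head"      # classic header-injection vector

    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "Deny", "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return "Deny", f"method {method} not permitted"
    if not TARGET_RE.match(target) or "/../" in target or target.endswith("/.."):
        return "Deny", "unexpected request target"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "Deny", "unsupported protocol version"

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN_RE.match(name):
            return "Deny", "malformed header field"
        key = name.lower()
        if key in headers and key in ("host", "content-length", "transfer-encoding"):
            return "Deny", f"duplicate {key} header"         # duplicates here invite desync attacks
        headers[key] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return "Deny", "missing Host header"
    if "content-length" in headers and "transfer-encoding" in headers:
        return "Deny", "ambiguous message length (Content-Length and Transfer-Encoding both present)"
    if "content-length" in headers and not headers["content-length"].isdigit():
        return "Deny", "non-numeric Content-Length"
    return "Allow", {"method": method, "target": target, "version": version, "headers": headers}

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign":     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "smuggling":  b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "traversal":  b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bare_lf":    b"GET / HTTP/1.1\r\nHost: www.example.com\nX-Injected: 1\r\n\r\n",
    "truncated":  b"GET / HTTP/1.1\r\nHost: www.exam",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} -> {inspect_http_request(raw)}")
```

Every one of these requests would sail through the packet filter of Table 1 and through a stateful filter, since each is an ordinary TCP connection to port 80 on the web server; only a component that parses the protocol can tell the benign request from the method the server should never see, the conflicting length headers used for request smuggling, the path traversal attempt or the injected header line.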

A next-generation firewall (NGFW) is an integrated network platform that combines a traditional firewall with other filtering functions: in-line deep packet inspection (DPI) of the kind a proxy firewall performs, an intrusion prevention system (IPS), and often SSL/TLS and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (e.g. with Active Directory for user identity) [10]. In effect, NGFWs are a form of unified threat management (UTM) solution. Their main drawback is that they tend to use separate internal engines for the individual security functions, so a packet may be examined several times by different engines before the platform decides whether to admit it. This multi-pass approach adds latency, which can affect network performance.