  • Firewalls

    A firewall is a barrier, or logical delineation, between two or more zones of trust, and comes either as software running on a host or as a dedicated hardware appliance. It can sit between a local network and the Internet, between internal networks and a demilitarized zone (DMZ), and so on. It works as a choke point: all traffic enters and exits through it, so it can filter everything flowing in and out and decide whether that traffic is allowed to continue. Firewalls are usually placed as a guardian of important resources, so that if a compromise does happen the attacker is contained in the compromised zone and cannot reach those resources. Some firewalls, such as the Cisco ASA, assign each connected zone a level of trust so that one zone is more trusted than another. The typical effect is that traffic may flow by default from a zone with a higher level of trust to a less trusted zone, but not the other way around unless a rule explicitly permits it.
    Because all traffic passing a firewall can be monitored and logged, a firewall also serves as a detection point much like an IDS, even though its main job is enforcement. A firewall's configuration is mandated by the corporate security policy and will change as corporate needs change; it is usually configured to allow only specific kinds of traffic, based on source and destination IP address, destination port, content and so on. Firewalls use rules that determine how traffic is handled, and if no rule matches a given packet it should be dropped (a default deny, usually implemented as a final catch-all deny rule). A firewall can be configured as a transparent firewall, which bridges traffic at layer 2 without changing the IP addressing of the network, or as a routed firewall, which has an IP address on each interface and gives the device some of the same features a router possesses.

    A demilitarized zone (DMZ) is a buffer zone between the public and the private network. It acts not only as a buffer but also as a place to host services that an organization wishes to make publicly available without allowing direct access to its internal network. This is the zone in which a bastion host has its place. It is not uncommon to divide a DMZ into separate sub-zones or VLANs by using private VLANs, so that a compromised host in one sub-zone cannot reach the others directly.

    Firewall Configuration...

    Bastion Host
    A bastion host is intended to be the point through which traffic passes, and is a computer system that hosts no data other than what it needs to perform its role, which is to protect resources from attack. This type of host has at least two interfaces, one facing the public network and one facing the internal network. Sometimes a separate interface is in place for management and another for updates and installations. Because it is directly exposed, a bastion host is hardened, runs only the services its role requires, and is treated as untrusted by the rest of the network; it usually has the role of a proxy in the DMZ.

    Screened Subnet
    This type of firewall is always multihomed and often has three interfaces: one pointing to the Internet, one to the DMZ and one to the internal network. The advantage of this configuration is that the individual areas or zones are separated from each other by being connected to separate interfaces, so traffic between any two zones must cross the firewall and be matched against its rules. The screening itself is often done with Access Control Lists (ACLs) on a router.

    Multihomed Firewall
    Being a multihomed firewall refers to the fact that the firewall has more than one interface. Even though a firewall can be configured on-a-stick, requiring only one physical interface carrying VLAN sub-interfaces, they usually are not. A multihomed firewall has each interface connected to its own network segment, logically and physically, which isolates the segments from one another and improves efficiency and reliability on the network. High-end firewalls often have more than three interfaces and can connect to several network segments at once.

    Types Of Firewalls
    Firewalls are separated into categories according to the capability of each firewall:

    Packet Filtering Firewall
    This is a limited firewall in that it works at the network level, layer 3 of the OSI model (with a look at the layer 4 port numbers). Typically these firewalls are built into a router as part of its standard feature set. A packet filtering firewall filters by comparing properties of each packet, such as the source and destination IP address, protocol and destination port number, against a set of rules. If a packet matches an allow rule it is forwarded to the next hop or the destination; if it matches no rule it is dropped. Because it keeps no record of connections, each packet is judged on its own: the filter cannot tell a legitimate reply from an unsolicited packet that merely carries the ACK flag, so return traffic has to be permitted with broad rules in the reverse direction.
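    As an added example (not part of the original post), here is a small stateless packet filter in Python that models the screened-subnet layout described above: three zones, first-match rules, and an implicit deny when nothing matches. The zone names, the addresses (RFC 5737 documentation ranges) and the policy itself (a DMZ web server at 192.0.2.10 that may reach an internal database at 10.0.0.5 on its service port only) are assumptions chosen for the demo.

```python
"""Stateless packet filter with zone-aware rules and an implicit deny.

Added example, not code from the original post. It models a screened-subnet
firewall with three interfaces (outside, dmz, inside). Rules are evaluated
first-match, top to bottom; a packet that matches no rule is dropped.
Addresses and the policy are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter looks at (assumed minimal model)."""
    in_zone: str                 # interface the packet arrived on
    out_zone: str                # interface it would leave by
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    in_zone: str
    out_zone: str
    src: str              # CIDR prefix
    dst: str              # CIDR prefix
    proto: str            # "any" or a specific protocol
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if (rule.in_zone, rule.out_zone) != (pkt.in_zone, pkt.out_zone):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the packet is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny: nothing is forwarded unless a rule allows it


def screened_subnet_policy() -> List[Rule]:
    """Hypothetical policy: 192.0.2.10 is the DMZ web server, 10.0.0.5 the internal DB."""
    return [
        # Explicit deny placed first so that it wins over the broader allow below.
        Rule("outside", "dmz", "198.51.100.0/24", "0.0.0.0/0", "any", None, "deny"),
        # Anyone on the Internet may reach the public web server on HTTPS only.
        Rule("outside", "dmz", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443, "allow"),
        # The web server may reach the internal database on its service port only,
        # so a compromised web server cannot pivot to SSH, SMB or anything else inside.
        Rule("dmz", "inside", "192.0.2.10/32", "10.0.0.5/32", "tcp", 5432, "allow"),
        # The higher-trust inside zone may initiate anything toward the lower-trust outside.
        Rule("inside", "outside", "10.0.0.0/8", "0.0.0.0/0", "any", None, "allow"),
        # No rule lets outside or dmz initiate traffic into inside: implicit deny applies.
    ]


if __name__ == "__main__":
    policy = screened_subnet_policy()
    for p in [
        Packet("outside", "dmz", "203.0.113.9", "192.0.2.10", "tcp", 443),
        Packet("outside", "inside", "203.0.113.9", "10.0.0.5", "tcp", 22),
        Packet("dmz", "inside", "192.0.2.10", "10.0.0.5", "tcp", 22),
    ]:
        print(p.in_zone, "->", p.out_zone, p.proto, p.dport, "=>", evaluate(policy, p))
```

    Note what the policy does not contain: no rule lets the DMZ or the outside initiate anything into the inside zone, which is what limits a compromised web server to the single database port. Note also the stateless limitation: the web server's replies back to the Internet would need their own dmz-to-outside rule, since the filter has no notion of an existing connection.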

    Circuit-Level Gateway
    This kind of firewall is more complex than a packet filtering firewall and works at the session layer, layer 5 in the OSI model. It can determine whether a requested session is valid by checking the TCP handshake between the source and destination host, and it only relays segments that belong to a session it has seen established. Circuit-level gateways do not inspect the contents of the individual packets they relay.

    Application-Level Firewall
    These firewalls analyze the application-layer information, for example HTTP methods, URLs or SMTP commands, to decide whether to pass the traffic or not. This kind of firewall works on layer 7 in the OSI model and is often implemented as a proxy that terminates the client's connection and opens its own connection to the server.

    Stateful Multilayer Inspection Firewall
    This type of firewall combines the capabilities of packet filtering firewalls, circuit-level gateways and application-level firewalls. It filters packets at the network layer, tracks sessions to determine whether packets belong to a legitimate, established session, and evaluates the contents of packets at the application layer. The limitation of a plain packet filter is not that it cannot read headers but that it keeps no state; stateful packet filtering adds a connection table so that only packets belonging to a known session are forwarded.
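    As an added example (not code from the original post), here is a Python model of stateful TCP inspection that shows what the circuit-level and stateful categories above add over a plain packet filter: a connection table keyed by the connection's addresses and ports, populated only by a SYN from the inside and advanced through the handshake and the teardown. Segments that belong to no known session, including an unsolicited inbound SYN and a lone ACK of the kind an ACK scan sends, are dropped. The addresses, ports and the trace are constructed for the demo; real implementations also age out idle entries with timers, which are omitted here.

```python
"""Stateful TCP inspection driven by the handshake.

Added example, not code from the original post. Models a firewall with an
inside and an outside interface: the inside may open connections, the
outside may only answer them. Addresses and the trace are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str         # "out" = inside -> outside, "in" = outside -> inside


ConnKey = Tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def key(seg: Segment) -> ConnKey:
        """Both directions of one connection map to the same table entry."""
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg: Segment) -> str:
        key, f = self.key(seg), seg.flags
        state = self.table.get(key)
        if state is None:
            # New connections may only be opened from the inside, with a bare SYN.
            # An unsolicited inbound SYN, or a lone ACK with no session (what an ACK
            # scan sends and a stateless "ACK set" rule would pass), is dropped.
            if seg.direction == "out" and f == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop"
        if "RST" in f:  # either side aborts: forget the session
            del self.table[key]
            return "allow"
        if state == "SYN_SENT":
            if seg.direction == "in" and f == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            return "drop"
        if state == "SYN_RECEIVED":
            if seg.direction == "out" and "ACK" in f and "SYN" not in f:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "drop"
        if state == "ESTABLISHED":
            if "FIN" in f:
                self.table[key] = "FIN_WAIT"  # first FIN seen, wait for the other side's
            return "allow"
        if state == "FIN_WAIT":
            if "FIN" in f:
                self.table[key] = "LAST_ACK"  # second FIN, one ACK still to come
            return "allow"
        if "ACK" in f:  # LAST_ACK: the final acknowledgement closes the entry
            del self.table[key]
        return "allow"


def demo() -> Tuple[List[str], int]:
    """Run a constructed trace; returns the verdicts and the entries left in the table."""
    fw = StatefulFilter()
    inside, outside = "10.0.0.5", "203.0.113.7"

    def out(flags, sport=40000):
        return Segment(inside, sport, outside, 443, frozenset(flags), "out")

    def inb(flags, dport=40000):
        return Segment(outside, 443, inside, dport, frozenset(flags), "in")

    trace = [
        inb({"SYN"}),                      # unsolicited inbound SYN            -> drop
        inb({"ACK"}),                      # ACK scan, no session               -> drop
        out({"SYN"}),                      # inside opens the connection        -> allow
        inb({"SYN", "ACK"}),               # valid reply to our SYN             -> allow
        out({"ACK"}),                      # handshake completes                -> allow
        out({"ACK"}), inb({"ACK"}),        # data in both directions            -> allow
        inb({"SYN", "ACK"}, dport=40001),  # SYN/ACK for a session never opened -> drop
        out({"FIN", "ACK"}),               # inside starts closing              -> allow
        inb({"FIN", "ACK"}),               # outside closes too                 -> allow
        out({"ACK"}),                      # final ACK, entry removed           -> allow
        inb({"ACK"}),                      # stray segment after teardown       -> drop
    ]
    verdicts = [fw.process(s) for s in trace]
    return verdicts, len(fw.table)


if __name__ == "__main__":
    print(demo())
```

    The point of the trace is the second and eighth segments: a stateless filter that admits "established" traffic by looking for the ACK flag, or that admits SYN/ACK from port 443, would forward both, while the connection table rejects them because no SYN from the inside ever created an entry for them.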

    A proxy-based firewall can require users to authenticate before it passes their traffic, because it terminates the connection at the application layer and therefore knows who is asking. A content caching proxy optimizes performance by caching frequently accessed information instead of sending a new request to retrieve the same data. This is common when several end users visit the same web resources.
    Certified Security Geek