June 3, 2026
Security Solutions — part 2
Firewall Fundamentals
ExploitHunter
3 min read
What is the purpose of a firewall?
A great deal of traffic flows daily in both directions between our digital devices and the internet they are connected to. What if somebody sneaks in amid this massive traffic without getting caught? Our digital devices would then need a security guard of their own, one that checks the data coming in and going out. This security guard is what we call a firewall. A firewall is designed to inspect the incoming and outgoing traffic of a network or a digital device. The goal is the same as for the security guard sitting outside a building: not letting any unauthorized visitor enter the system or the network.
Types of Firewalls
- Stateless Firewall — This type of firewall operates on layer 3 and layer 4 of the OSI model and works solely by filtering the data based on predetermined rules, without taking note of the state of previous connections. This means it matches every packet against the rules regardless of whether the packet is part of a legitimate connection. It maintains no information on the state of previous connections to make decisions about future packets.
- Stateful Firewall — Unlike stateless firewalls, this type of firewall goes beyond filtering packets by predetermined rules. It also keeps track of previous connections and stores them in a state table. This adds another layer of security by inspecting packets based on the history of their connection. Stateful firewalls operate at layer 3 and layer 4 of the OSI model. Suppose the firewall accepts a few packets from a source address based on its rules. In that case, it records this connection in its state table and automatically allows all future packets belonging to that connection without inspecting each of them against the rules. Similarly, stateful firewalls take note of the connections for which they deny a few packets, and based on this information, they deny all subsequent packets coming from the same source.
- Proxy Firewall — The problem with the previous firewalls is their inability to inspect the contents of a packet. Proxy firewalls, or application-level gateways, act as intermediaries between the private network and the Internet and operate on layer 7 of the OSI model. They inspect the content of all packets as well. Requests made by users in the network are forwarded by the proxy after it inspects them and masks them with its own IP address, which hides the internal IP addresses. Content filtering policies can be applied to these firewalls to allow or deny incoming and outgoing traffic based on its content.
- Next-Generation Firewall (NGFW) — This is the most advanced type of firewall. It operates from layer 3 to layer 7 of the OSI model, offering deep packet inspection and other functionalities that enhance the security of incoming and outgoing network traffic. It has an intrusion prevention system that blocks malicious activities in real time. It offers heuristic analysis by analyzing the patterns of attacks and blocking them instantly, before they reach the network. NGFWs have SSL/TLS decryption capabilities: they inspect packets after decrypting them and correlate the data with threat intelligence feeds to make efficient decisions.
Rules in Firewalls
A firewall gives you control over your network's traffic. Although it filters traffic based on its built-in rules, customized rules can also be defined for various networks. The basic components of a firewall rule are described below:
- Source address: The IP address of the machine that originates the traffic.
- Destination address: The IP address of the machine that receives the data.
- Port: The port number for the traffic.
- Protocol: The protocol used during the communication.
- Action: The action taken when traffic matching this rule is identified.
- Direction: This field defines whether the rule applies to incoming or outgoing traffic.
Types of Actions
The "Action" component of a rule indicates the step to take once a data packet falls under the category defined by the rule. Three main actions that can be applied to a rule are explained below.
- Allow — A rule's "Allow" action indicates that the particular traffic defined inside the rule would be permitted.
- Deny — A rule's "Deny" action means that the traffic defined inside the rule would be blocked and not permitted. These rules are fundamental for the security team to deny specific traffic coming from malicious IP addresses and create more rules to reduce the threat surface of the network.
Directionality of Rules
Firewall rules fall into different categories based on the direction of the traffic they apply to.
- Inbound Rules — Rules are categorized as inbound rules when they are meant to be applied to incoming traffic only. For example, you might allow incoming HTTP traffic (port 80) on your web server.
- Outbound Rules — These rules are made for outgoing traffic only. For example, blocking all outgoing SMTP traffic (port 25) from all devices except the mail server.
- Forward Rules — Forwarding rules are created to forward specific traffic inside the network. For example, a forwarding rule can be created to forward incoming HTTP (port 80) traffic to the web server located in your network.
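As an added illustration that is not part of the original post, the rule components above can be modelled as a small packet filter: the stateless evaluator applies first-match rules with a default deny, and the stateful variant adds the state table described earlier, so the web server's replies to an accepted inbound HTTP connection are allowed without a reverse rule. All rules, addresses and packets are constructed, using RFC 5737 documentation address ranges.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (inbound) or "out" (outbound)
    protocol: str         # "tcp", "udp" or "any"
    src: Optional[str]    # source address, None = any
    dst: Optional[str]    # destination address, None = any
    port: Optional[int]   # destination port, None = any
    action: str           # "allow" or "deny"

    def matches(self, p: dict) -> bool:
        return (self.direction == p["direction"] and self.protocol in ("any", p["proto"])
                and self.src in (None, p["src"]) and self.dst in (None, p["dst"])
                and self.port in (None, p["dport"]))

def stateless_decide(rules, p: dict) -> str:
    """Stateless filter: first matching rule wins; no match means default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Same rules plus a state table: replies to an accepted flow need no reverse rule."""
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # (proto, src, sport, dst, dport) of flows we allowed

    def decide(self, p: dict) -> str:
        flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if reverse in self.state:        # reply to a tracked connection
            return "allow"
        verdict = stateless_decide(self.rules, p)
        if verdict == "allow":
            self.state.add(flow)
        return verdict

# Constructed policy (RFC 5737 documentation addresses): 192.0.2.10 = web server, 192.0.2.25 = mail server.
RULES = [
    Rule("in",  "tcp", None,         "192.0.2.10", 80,  "allow"),  # inbound HTTP (port 80)
    Rule("out", "tcp", "192.0.2.25", None,         25,  "allow"),  # only mail server sends SMTP
    Rule("out", "tcp", None,         None,         25,  "deny"),   # all other outbound SMTP
    Rule("out", "tcp", None,         None,         443, "allow"),  # workstations may use HTTPS
]

def pkt(direction, src, sport, dst, dport, proto="tcp") -> dict:
    return dict(direction=direction, proto=proto, src=src, sport=sport, dst=dst, dport=dport)  # constructed sample packet
```

Run the same packets through `stateless_decide` and a `StatefulFirewall` to see the difference: the web server's reply (source port 80, outbound) matches no rule and is dropped by the stateless filter, while the stateful one allows it because the inbound request is in its state table.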