
IS

Firewalls
Isolation and Segmentation
Information Security, Aytekin Guzelis, CISA, CRISC
IS
FW-Firewalls
Companies should build firewalls into their networks for perimeter security.

Firewall: A system or combination of systems that enforces a boundary between two
or more networks, typically forming a barrier between a secure environment and an
open one such as the Internet. It applies rules to control the type of network
traffic flowing in and out.

An effective firewall should allow individuals on the corporate network to access the
Internet while simultaneously preventing others on the Internet from gaining access to
the corporate network to cause damage.

A firewall can be a dedicated hardware device or software running on a computer. A
firewall needs to be connected to a minimum of two network interfaces: one facing the
network that is to be protected (your internal network) and one facing the network that
is exposed to attack (generally the Internet). A firewall can therefore also be
considered a gateway deployed between the two networks.

The firewall examines every data packet passing through it to see whether it meets the
rules defined in the ACL (Access Control List) created by the network administrator.
Only packets that the ACL permits are forwarded over the connection.

Firewalls generally also maintain a log of important activities on the network. The
network administrator can define what is important and configure the firewall to
produce logs accordingly.
Hardware FW: The firewall is installed on a dedicated device that runs nothing but the
firewall. Since all resources of the device are available to the firewall alone, it
filters traffic very fast and accurately. It also offers several additional security
features such as encryption and logging.

Hardware firewalls are complex to configure. Besides the configuration effort, hardware
firewalls also cost a lot of money because they require a dedicated device.

Fast speed and maximum accuracy are the advantages of the hardware firewall, while high
cost and complex configuration are its disadvantages.

Software FW: The firewall is installed on a regular device, which runs the firewall as
application software. Since this firewall accesses the device's resources in a shared
environment through the base operating system, it provides less speed and accuracy than
a hardware firewall. Unlike a hardware firewall, it provides only limited features and
functions.

Software firewalls are easier to configure. Since they do not require any additional
hardware to run, they do not increase the cost of the network.

Low cost and easier configuration are the advantages of the software firewall, while
slower speed, lower accuracy and lack of additional features are its disadvantages.

Types of Firewalls

- Packet Filtering Firewalls
- Circuit Level Gateway Firewalls
- Application Level Gateway Firewalls
- Stateful Multilayer Inspection Firewalls
- Next Generation Firewalls

Packet Filtering Firewalls
To route and deliver a data packet across the network, the network layer uses two
addresses: the source IP address and the destination IP address. Every data packet
carries these addresses, and a firewall can be configured to filter traffic based on them.

Packet filtering firewalls are normally deployed on the routers that connect the internal
network to the Internet. Packet filtering firewalls can only be implemented at the
Network Layer of the OSI model.

Packet filtering firewalls work on the basis of rules defined by Access Control Lists.
They check every packet and screen it against the rules defined by the network
administrator in the ACLs. If a packet does not meet the criteria, it is dropped and the
logs are updated with this information.

Administrators can create their ACLs on the basis of addresses, protocols and packet
attributes.
Example: A firewall is configured and placed in the path that connects two computers.
The computer Dell sends a data packet to the computer HP.

Whether the computer HP receives this packet or not depends on how the firewall is
configured.

The computer HP will receive the packet only if the firewall is configured in a manner
that allows packets from the host 10.10.10.10 to the host 20.20.20.20.
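As an added illustration that is not part of the slides, a small Python model of a first-match ACL applied to the Dell/HP scenario above; the interface names, the 10.10.10.0/24 network and the anti-spoofing rule (which addresses the spoofing weakness noted on the next slide) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface it arrived on: "inside" or "outside" (assumed names)
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(acl, pkt: Packet, log: list) -> bool:
    """First matching rule wins; a packet matching nothing is dropped and logged."""
    for n, rule in enumerate(acl, 1):
        if rule.matches(pkt):
            if rule.action == "deny":
                log.append(f"DROP rule {n}: {pkt}")
            return rule.action == "allow"
    log.append(f"DROP implicit deny: {pkt}")
    return False


# Constructed ACL for the slide's scenario: only Dell (10.10.10.10) may reach the web
# service on HP (20.20.20.20). Rule 1 is an anti-spoofing check: an internal source
# address arriving on the outside interface is never legitimate.
ACL = [
    Rule("deny", iface="outside", src="10.10.10.0/24"),
    Rule("allow", src="10.10.10.10/32", dst="20.20.20.20/32", proto="tcp", dport=80),
]
```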
Advantage:
The biggest advantage of packet filtering firewalls is their cost and lower resource
usage. They are best suited for smaller networks.

Disadvantage:
Packet filtering firewalls can work only at the Network Layer and do not support complex
rule-based models. They are also vulnerable to spoofing in some cases.

Circuit Level Gateway Firewalls
Circuit level gateways are deployed at the Transport Layer of the OSI model. They
monitor sessions, such as the TCP three-way handshake, to see whether a requested
connection is legitimate or not.

The Transport Layer uses port numbers to identify the destination application. To
provide guaranteed data delivery, it also uses a feature known as the three-way
handshake: the sending computer sets up a temporary connection with the receiving
computer before sending any data.

The major screening happens before the connection is established.

Information sent to a computer outside the network through a circuit level gateway
appears to have originated from the gateway. This helps create a stealth cover for the
private network against outsiders.
Example: A server and a workstation are connected through the firewall. Several services
are running on the server, and you want to allow only one or a few of them to be accessed
by the workstation. In this situation, you can configure the firewall so that it only
passes data packets intended for the allowed services. For example, you can configure the
firewall to allow a packet only if it has destination port number 80, the port associated
with the web service. Once this rule is in place, all traffic from the workstation will be
denied except the traffic intended for the web server.
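An added Python model, not the slides' own material, of the circuit-level behaviour described in the last two slides: a connection is screened by destination port at the SYN, relayed only once the three-way handshake completes through the gateway, and outbound segments carry the gateway's address as their source. The gateway address 192.0.2.1, the simplified segment representation and the host addresses in the test are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Segment:
    client: str     # internal host that opened the circuit
    server: str     # outside host
    port: int       # service port on the server
    direction: str  # "c2s" (client to server) or "s2c" (server to client)
    flags: str      # "SYN", "SYN-ACK", "ACK" or "DATA"


class CircuitGateway:
    """Relays a TCP circuit only after screening its SYN and seeing the handshake complete."""

    def __init__(self, gateway_ip, allowed_ports):
        self.gateway_ip = gateway_ip
        self.allowed_ports = set(allowed_ports)
        # (client, server, port) -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"
        self.state = {}

    def process(self, seg: Segment):
        """Return the segment as it leaves the gateway, or None if it is dropped."""
        key = (seg.client, seg.server, seg.port)
        st = self.state.get(key)
        if seg.flags == "SYN" and seg.direction == "c2s" and st is None:
            if seg.port not in self.allowed_ports:
                return None                    # screened before any circuit exists
            self.state[key] = "SYN_SENT"
        elif seg.flags == "SYN-ACK" and seg.direction == "s2c" and st == "SYN_SENT":
            self.state[key] = "SYN_RECEIVED"
        elif seg.flags == "ACK" and seg.direction == "c2s" and st == "SYN_RECEIVED":
            self.state[key] = "ESTABLISHED"
        elif seg.flags == "DATA" and st == "ESTABLISHED":
            pass                               # data on an admitted circuit
        else:
            return None                        # out of sequence, or no admitted circuit
        # Outbound segments are relayed with the gateway as their source, so the outside
        # host only ever sees the gateway; replies are mapped back through the state table.
        if seg.direction == "c2s":
            return replace(seg, client=self.gateway_ip)
        return seg
```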
Application Level Gateway Firewalls
Application level gateways work at the Application Layer of the OSI model and provide
protection for a specific application layer protocol. A proxy server is the best example
of an application level gateway firewall.

An application level gateway works only for the protocols it is configured for. For
example, if we install a web-proxy based firewall, it will only allow HTTP protocol data.
Because they are deployed at the Application Layer for a specific protocol, they are
expected to understand application-specific commands such as HTTP GET and HTTP POST.

Application level firewalls can also be configured as caching servers, which in turn
increases network performance and makes it easier to log traffic.

A firewall configured with packet and circuit level filtering to allow web traffic on port
80 might also allow traffic from an application that establishes a proxy TCP connection
across port 80. To allow only HTTP traffic and block all proxy traffic on this port, you
can configure the firewall to check the application layer protocol or the contents of
each packet. After this, only genuine HTTP traffic will be allowed; all proxy traffic from
other applications, such as a P2P torrent file sharing program, will be denied.
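An added Python example, not from the deck, of the application-layer check this slide describes: the first bytes of a port-80 stream are parsed as an HTTP request and only well-formed GET, POST or HEAD requests pass, so a non-HTTP protocol that merely rides on port 80 is refused. The method allow-list and the sample payloads are assumptions; CONNECT is left off the list because it is the method proxies use to tunnel arbitrary TCP.

```python
import re

# Assumed allow-list for genuine web requests; CONNECT (proxy tunnelling) is left out.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")


def inspect_http(payload: bytes):
    """Classify the first bytes of a TCP stream on port 80.

    Returns (allowed, reason). Anything that is not a well-formed HTTP/1.x request
    with a permitted method is refused before it reaches the web server.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "not an HTTP request line"
    method, target, minor = m.group(1).decode(), m.group(2), m.group(3)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    names = set()
    for h in lines[1:]:
        if not HEADER_LINE.match(h):
            return False, "malformed header"
        names.add(h.split(b":", 1)[0].lower())
    if minor == b"1" and b"host" not in names:
        return False, "HTTP/1.1 request without Host header"
    return True, f"{method} {target.decode(errors='replace')}"


# Constructed sample payloads, as a client would send them to port 80.
SAMPLES = {
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tunnel": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "torrent": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20),
    "broken": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}
```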

Stateful Multilayer Inspection Firewall
Besides the filters mentioned above, a hardware firewall also offers several additional
features to filter traffic. One such feature is stateful inspection.

A hardware firewall can be configured to gather and save information about each packet
passing through it. This information can then be used to filter subsequent packets.
Filtering packets based on previously saved information is known as stateful inspection.

This feature is mainly used to deal with DoS (denial of service) type attacks. A DoS
attack occurs when a genuine host accesses a genuine service too many times in a very
short period of time.

To deal with a DoS attack, stateful inspection is used. It can track and log the number
of TCP connection requests per second from each client IP address to each server address.
Based on the saved information, it can track repeated requests. When it notices that the
number of requests from a small number of clients is very large, it blocks those clients
to protect the server from the DoS attack.
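An added Python sketch, not the author's, of the per-client connection-request tracking the slide describes: SYN timestamps are kept per client/server pair in a sliding window, and a client that exceeds the threshold is blocked for a while and logged. The threshold, window length, block duration and the addresses in the test are assumed values.

```python
from collections import defaultdict, deque


class SynRateTracker:
    """Stateful inspection table: recent connection requests per client/server pair,
    plus the clients currently blocked for exceeding the threshold."""

    def __init__(self, max_per_window=20, window=1.0, block_for=60.0):
        self.max_per_window = max_per_window  # assumed threshold: SYNs per window
        self.window = window                  # window length in seconds
        self.block_for = block_for            # seconds a client stays blocked
        self.history = defaultdict(deque)     # (client, server) -> recent SYN timestamps
        self.blocked = {}                     # client -> time the block expires
        self.log = []

    def _expire(self, key, now):
        q = self.history[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def admit_syn(self, client, server, now):
        """Return True if this connection request may pass, False if it is dropped."""
        until = self.blocked.get(client)
        if until is not None:
            if now < until:
                return False                  # still blocked: drop without counting
            del self.blocked[client]          # block expired: start counting afresh
            self.history.pop((client, server), None)
        key = (client, server)
        self._expire(key, now)
        q = self.history[key]
        q.append(now)
        if len(q) > self.max_per_window:
            self.blocked[client] = now + self.block_for
            self.log.append(f"{now:.2f} block {client}: {len(q)} SYNs to {server} "
                            f"within {self.window}s")
            return False
        return True
```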

Next Generation Firewall
Next Generation Firewalls (NGFWs) are the newest type of firewall, aimed at addressing
two key limitations of earlier variants: 1) the inability to inspect packet payload and
2) the inability to distinguish between types of web traffic.

An NGFW is an adaptive network security system capable of detecting and blocking
sophisticated attacks.

NGFWs typically perform traditional functions such as packet filtering, stateful
inspection and network address translation (NAT), but introduce application awareness,
incorporate deep packet inspection (DPI) technology and offer varying degrees of
integrated threat protection, such as data loss prevention (DLP), intrusion prevention
system (IPS), SSL/SSH inspection and web filtering.
