Fifty Shades of Firewall
Today we are starting a series of posts dedicated to various types of firewalls. It is going to be a 4-part series. We will kick off by reviewing basic processing-mode categories of firewalls and giving firewall mode overview. In the following posts we will dig deeper in the application level firewalls: WAF and DAF.
In this opening article we are going to discuss the most widely used types of firewalls, their advantages and potential disadvantages as well as review current trends and perspectives of this technology development.
Firewall is the first line of defense against outer and inner attacks and a fundamental component of comprehensive security strategy. Firewalls are used to prevent unauthorized access to local resources playing crucial role in a multi-layered information security system. It can be implemented in hardware and software, or a combination of both. It screens and filters all incoming and outgoing traffic through a single, concentrated security checkpoint and blocks requests that do not meet specified security criteria.
In general, there are two main technologies, according to which firewalls can be categorized: packet filtering and application layer filtering. Each type of firewall filters and controls network traffic in a different way, but these two may partially overlap and can be implemented together in one system.
Most network appliances utilize filtering technology. Packet filters are the most basic traffic control mechanism operating on network layer. They allow to pass or block packets based on the packet header attributes: protocols, source and destination addresses or port numbers. In some cases other header attributes are analyzed, for example to determine whether the packet is a part of new or existing connection. Packet filters are implemented using access control lists (ACLs). When a packet reaches router interface, it is first determined whether the packet can be delivered or not and then it is checked for compliance with the existing rules set – ACL.
Filtering rules are determined based on one of the following principles:
1) Everything that is not explicitly forbidden is allowed
In this case firewall allows packets to pass through as long as they do not match a blocking rule. This approach is more permissive and makes administration easier. Nevertheless failing to define all necessary rules results in improper configuration and leads to ineffectiveness of the security tool.
2) Everything that is not explicitly allowed is forbidden
In this case firewall denies packets to pass through unless they meet one positive filtering rule. This principle provides higher level of protection. From the security view point this option, when passing of the determined packets is allowed and everything else is blocked, would be more preferable. On the one hand this approach speeds up the configuration process since the number of packets which are not allowed is usually much higher than the number of permissible ones. On the other hand every type of allowed interaction requires one or more rules.
* Packet filtering is the fastest firewall technology and it is widely spread.
* By default network firewalls are included into most computer operating systems and network appliances.
* When creating filtering rules it is possible to use information outside header attributes, for example, time and date of the network packet passing.
* Packet filtering is the least secure firewall technology, because it does not inspect traffic on application level, which leads to wide range of security vulnerabilities.
* Packet filters work only with headers and do not inspect the payload of the packet, allowing access through the firewall with a minimal amount of scrutiny.
* Packet filters do not track the state of connections and thus can allow a packet from a source which has no active sessions at the moment.
* Proper configuration requires high system administration skill and deep understanding of the TCP/IP protocol stack.
* Packet filters do not feature auditing of events or alerting mechanisms.
Application firewalls operate at the application layer of the TCP/IP stack. They include software and act as an intermediary between the client and the server. Application layer filtering allows to eliminate direct communication between two nodes. This type of firewall intercepts packets traveling to or from an application and blocks malicious requests based on the specific application information. It disassembles a packet and analyzes its content, including payload, for inconsistencies, invalid or malicious commands.
* Filtering on the application level offers the best level of security. Unlike packet filters application firewalls are able to inspect not only the header but the whole network packet for improper content. Deep inspection of incoming and outgoing traffic ensures greater degree of granular control.
* Application firewalls enable more detailed logging. Log information is very useful for investigation of security incidents and policy implementation.
* Application firewalls have less complicated filtering rules.
* All the mentioned advantages come with bigger cost.
* Application firewalls do not excel at speed and performance. Deep-level examination of packet content takes longer than traditional packet filtering, noticeably slows down network performance, negatively affecting throughput.
Among application layer firewalls there are WAF (Web-application firewalls) designed to protect web applications and servers from web-based attacks; DAF (Database Access Firewalls) aiming at database protection; DNS Application Firewalls, etc.
Firewall Mode Overview
Proxy firewall acts as an intermediary between client and real server and establishes connection on behalf of the client. In order to get content from the external server hosts send requests to firewall, which in turn initiates new connection based on the received request. Requests are evaluated according to the existing set of rules and then firewall blocks or permits connection. If the request doesn’t contain forbidden parameters, firewall grants access to the origin server. After receiving response from server firewall validates it and if the answer is accepted, forwards it to the client which originated the request. Filtering is implemented based on many parameters, including source and destination IP-addresses, attachments, time of request, etc.
Proxy firewall is the most reliable type of firewall. It ensures increased level of security through deep packet filtering, control of requests and detailed logging.
Proxy firewall never allows direct communication between an internal client and the real server of the external service or direct packet forwarding between two nodes. This way internal IP addresses are shielded from external servers and there is a minimal possibility that someone would be able to analyze the topology of intranet using information contained in incoming and outgoing packets.
Using audit records administrators are able to monitor user activity and identify attempts to violate firewall’s security policies. Caching allows to reduce traffic, balance load and cut down on the time it takes for the client to access information.
Reverse Proxy Firewall
In general, reverse proxy is a regular web server with a few additional features including URL redirection. Reverse Proxy Firewall operates the same way as a forwarding proxy with the only difference that a reverse proxy is used to protect servers and not clients. Reverse proxy also resides between the client and the actual server, but it is transparent for the client and acts on behalf of a web server. Clients do not see the reverse proxy, everything looks like they address web server directly, unlike with forwarding proxy where clients know that they are connecting through a proxy.
When a reverse proxy receives a request from a client, it doesn’t process it, but instead redirects it to another server or a set of servers and sends the answer back to the client. Forwarding requests to a set of servers allows to increase performance and balance load. Reverse proxy also caches data to reduce network or server load. To keep its anonymity reverse proxy firewall intercepts requests before they reach the server.
Trasparent Proxy Firewall
Transparent Proxy is also known as Bump in the Wire. It resides on the gateway and intercepts requests from clients. Clients are given the impression that they are connecting to the actual server, they are unaware that there is a proxy server which mediates their requests. Transparent proxy also caches content and doesn’t require any configuration on the client side. In this mode firewall is able to filter traffic between hosts.
Next Generation Firewall
As the enterprise network firewall market continues to evolve software vendors are looking for ways to go beyond traditional firewall capabilities and add functionalities that would immensely increase effectiveness and efficiency of firewalls. Next Generation Firewall is an integrated system which combines traditional firewall technology with other network security functionalities such as Deep Packet Inspection (DPI), Integrated Intrusion Protection System (IPS), SSL and SSH inspection, reputation-based malware detection, etc.
Next Generation Firewalls are expected to integrate several key features:
* continuous application control and protection against sophisticated attacks and intrusions;
* traditional enterprise firewall capabilities: packet analysis, traffic filtering and redirection, connection authentication, protocol and content blocking, data encryption, etc.;
* advanced traffic audit and analysis, including applications;
* integration in third-party enterprise systems and applications (SIEM, Data management systems, etc.);
* regularly updated collection of application and potential threats descriptions.
Gradually more organizations are moving their operations to the cloud and adopting data virtualization technologies. With this next generation firewalls are becoming of higher demand, but the main factor affecting the market development is high cost of initial system deployment and support. Small and medium-sized businesses are hesitant to invest in the technology. That is why vendors that serve this market are focused mainly on large enterprises.
DataSunrise Database Firewall
DataSunrise Database Firewall functions in Reverse Proxy Mode with Transparent Mode on its way. DataSunrise Firewall is a Database Access Firewall and implements detailed auditing and filtering of requests to ensure advanced level of control and database security.
DataSunrise supports all major databases and data warehouses such as Oracle, Exadata, IBM DB2, IBM Netezza, MySQL, MariaDB, Greenplum, Amazon Aurora, Amazon Redshift, Microsoft SQL Server, Azure SQL, Teradata and more. You are welcome to download a free trial if would like to install on your premises. In case you are a cloud user and run your database on Amazon AWS or Microsoft Azure you can get it from AWS market place or Azure market place.
In the upcoming post, dedicated to Web Application Firewalls (WAF) we are going to talk about why companies pay special attention to this technology, how it is different from traditional network firewalls, NGFWs (Next Generation Firewalls) and IPSs (Intrusion Prevention Systems).
- Fifty Shades of Firewall
- WAF. A Knight in Shining Armor
- DAF. Save the Database from the Dragon
- WAF + DAF = Happily Ever After
Read the entire firewall series: