Types of Firewalls

Firewalls are probably one of the most common things people think of when it comes to security. We're going to look at the many different ways that firewalls protect systems, look at the different architectures of firewalls, and look at the different ways in which they protect these systems from certain classes of attacks. Firewalls are a very fundamental element of security management, and it's one of the things we most often think of when we hear about information system security. Firewalls have become so prevalent that these days, even at home, you'll often find multiple firewalls. Windows has a built-in firewall, most home routers have a built-in firewall, and once we get to corporate networks, we usually have multiple firewalls, often very high-end hardware that protects the various systems on the network. Firewalls are the backbone of security controls. There are many different firewall architectures out there, and we'll look at some of them shortly. Very often, firewalls are located between different network segments. You may find a firewall properly configured to allow web traffic through, but that won't stop an attacker from delivering the payload over HTTP using port 80.

Firewalls tend to control the bidirectional flow of traffic, so imagine a firewall in front of an organization separating it from the public internet. It needs to be able to block inbound traffic to try to deter intruders, but it also needs to be able to allow outbound traffic because people need to browse the web, send emails, and have a connection that goes beyond the network.

Firewall implementations

We often use the term firewall, but it can mean very different implementations of the concept, and probably one of the most basic firewall applications is the Windows firewall built into modern versions of operating systems. It's a pretty basic firewall. It will determine the allowed ingress classes and egress classes. It is a firewall host that runs on computers. Imagine that your computer is on your own trusted network, but you still have a firewall between your machine and any other machine in it. Often, you'll have several different classes of firewalls for different points in your network environment. I'm only talking about a small home network, but the same is true for organizational networks. One thing that is very different between a personal decision and a corporate environment is this. In the enterprise, you will see equipment such as a Cisco firewall. It's a physical rack-mounted device, and this class of machine is designed for the network segmentation we talked about earlier. It is designed to be placed between public network segments and private network segments. We also see hardware firewalls built into devices such as home routers, except that they are designed for a completely different class of use, but the premise of having a firewall that is just a software product compared to a firewall that is a dedicated piece of infrastructure is the same. Indeed, many of the things that these two different classes of firewalls do are also very similar. For example, most of them perform simple packet filtering.

Firewall Architecture

We're going to look at three different firewall architectures, but I want to start with a definition, and it's important, and it applies not just to firewalls, but to any host that's fully under attack. The concept behind a bastion firewall is that it will be a firewall facing the public network. There is no protection against him. It should bear all the consequences of an attack directed at the network. The host bastion is a critical piece of infrastructure simply because it is the first line of defense. This is a term that is used not only for firewalls, but for any asset that is completely susceptible to attack. It sits between the internet and the internal network, acting as the first line of defense, and is completely unsecured. A bastion host could still have a couple of different implementations, so for example it could be a single-network firewall so that it has one network interface and all traffic goes in and out through that interface and then the software would do the filtering. It can be dual-network to have two network interfaces, and indeed, this is a more typical implementation, especially in commercial-grade products. We're talking about external traffic coming into one port and internal traffic coming through the other. We still have software to filter and determine which traffic goes through and what is dropped, but we do have a lot of network segmentation thanks to two network adapters, also known as network interface cards. This is the bastion node firewall, so let's move on to the next one, called the shielded subnet firewall. A shielded subnet firewall is also called a triple firewall, which will have three network interfaces and divide traffic into three logical network segments. There's a public internet, an internal network, so it's going to be the same as a typical dual-connect bastion.

A little bit about the DMZ

The idea behind the DMZ is that we're talking about a network of demilitarized zones. To put it simply, a DMZ is nothing more than a separate subnet in a network. It contains assets that you want to put on public display, so it should be accessible online. The same subnet will also be available to the internal network, although different services may be available for each. This is a common structure for an organization where they have assets that they would like to expose to the public, and they have other assets, namely their internal network, that they want to separate. The firewall of the shielded subnet must be able to provide these access controls. With both types of firewalls, we still want traffic to flow in all directions. For example, we want the internal network to be able to send HTTP requests to the internet, so the firewall has to let that traffic through, and then we need responses, so it has to allow HTTP on port 80 and inevitably port 443 for HTTPS, it has to allow that traffic to go back to the internal network. This is again a bi-directional flow of traffic. In this case, you must also allow HTTP requests from the Internet to pass through the perimeter network and then return those responses. In such a model, however, we may not want the Internet to create FTP connections to the perimeter network. It's okay if the internal FTP network is connected to the DMZ, because they are the ones who control the assets on these external websites, but this should be separate from the Internet itself as a whole. A shielded subnet firewall must juggle a whole bunch of different rules in terms of where traffic can come from and where, as well as ports and protocols.

Packet Filtering Firewalls

A packet filtering firewall is one of the most common security control implementations today. You'll usually see it implemented as a bastion node model facing attackers without any other line of defense in front of it. A packet filtering firewall is pretty straightforward in many ways. We have the initial inbound traffic, a set of packet-level controls, and then the valid passing traffic. Let's take a closer look at these controls. For example, a packet-filtered firewall can detect valid source and destination IP addresses. In one place, you can see that if there is malicious traffic originating from a particular IP address, a packet filtering firewall can blacklist it and block any requests coming from that particular IP address. The structure of the TCP header itself is also something that a packet-filtering firewall can look at. For example, what are the source and destination ports? Should the firewall allow port 80 for HTTP and port 443 for HTTPS? Is there anything else not allowed? Protocols; HTTP is good. Maybe SMTP is good too, but anything else, like FTP or ICMP, will be blocked? It's pretty rudimentary, although you might want to block things like FTP because you're worried that it might be used to exfiltrate data, there could also be attacks that come over HTTP and a packet filter firewall will miss that attack because it doesn't look at the data itself and also doesn't look at any other information in those request headers. It's a very rudimentary control, but it's the first line of defense. Next, let's look at other firewalls that can then be located behind the network, but remember that they must take into account traffic coming from the other side.

What about the traffic coming from the backend server and coming back to the client? This is important because what if an attacker has compromised the server itself, and now they are trying to exfiltrate the data. A packet-filtered firewall can limit an attacker's ability to send this data back from the network. A packet-filtered firewall will either skip the request or discard it, so it won't get through at all. It's a very simplistic implementation that isn't particularly intelligent, but one of the reasons packet filtering firewalls remain common is that they're also inexpensive.

Gateway Firewall

From the point of view of the OSI model, also known as the model of interaction between computer networks and open systems, the checkpoint at which various attacks and controls are carried out is the transport layer. The transport layer is also known as the fourth layer, and this is where TCP requests are forwarded back and forth, for example. When we talk about the gateway firewall at the link level, we're going to go up the stack a little bit. We're talking about the session layer, also known as layer 5, and it's there as a bridge between the application layer and the transport layer, so it's a higher-level, more abstract concept than what we're just looking at in TCP. Many times when you're browsing the internet, you're communicating through a gateway firewall at the link level. It is very likely that in addition to a packet filtering firewall, a firewall can also perform multiple roles. The role of a gateway firewall at the link level is to transfer requests between two separate hosts, such as a client and a server. We can see how the TCP request arrives at the firewall and then is passed on to the server. In this example, imagine that the firewall acts as a gateway, and then the response is returned through that firewall and eventually back to the client. The important thing here is that these two endpoints, the client and the server, never establish a direct connection. Everything goes through the gateway firewall at the link level. Therefore, this firewall creates two connections: one to the client and one to the server. It sits there and monitors things like the TCP three-way handshake, and that way it can establish whether that request is legitimate or not.

For example, someone is trying to extract data from the network and, as with a packet filtering firewall, the gateway firewall at the link level will still allow a large amount of data to pass through, which could potentially be used for malicious purposes. For example, if the gateway is designed to provide HTTP communication, and the client is actively exploiting the risk of SQL injection on the server itself, then the firewall will allow requests and responses over legitimate HTTP traffic, at least from a compliance perspective. to the expected firewall structure. For example, if it's HTTP on port 80, it will skip it, but it won't provide any packet-level protection. It simply confirms that these connections are legitimate. Another firewall model that you usually see in things like home cable modems and routers, and you'll often see it implement NAT, also known as network address translation, so you can have multiple clients sitting behind that firewall and they're all using the same internet output. Like a packet filtering firewall, it's an important part of the infrastructure, but it's very primitive. Things get more complicated when we move on to the application layer gateway firewall.

Application Firewalls

This firewall is much higher in this OSI model. It's at the seventh layer, right at the top of the OSI stack. Often, you can see this referred to as a proxy, especially inside corporate networks, and they also include authentication to determine who the customer is. In some ways, it's similar to a link-level gateway firewall in the sense that it will relay these requests back and forth between two different hosts, but differs in that it's on the stack. For example, we can see how it intercepts HTTP traffic, but it's not just HTTP, it can sit there and look at FTP, SMTP, or other application-specific protocols. An important feature of the Application Layer Gateway Firewall is the ability to inspect the contents of traffic. Depending on the direction of traffic, this class of firewalls can perform a variety of tasks. When it acts as a gateway, when the client is inside the corporate network and sends external requests, it can do things like block certain sites. On the other hand, when it sits in front of an asset such as a server, it can check the content of the traffic, it can start looking for typical attack patterns. That's what, for example, Cloudflare does with its firewall as a service product. It asks questions like: Is this query a potential SQL injection attack? An application layer gateway firewall that resides in the seventh layer and is able to interpret and understand the contents of these requests can be much more efficient than simple implementations such as a packet filtering firewall. It will transfer data back and forth, just like other firewalls. It should be able to accept requests and then respond accordingly, but it can do so with a higher level of complexity.

Another example: if SMTP traffic goes back and forth through this firewall, it can allow the welcome comment that the client uses to identify itself on the server, but then it can block the validation command, which is often used to establish whether the server has a specific address or not. Same port, same protocol, but much more granular control in terms of what traffic goes through the firewall. So it's a higher state of awareness of what the traffic is doing and then what's considered good and what's bad. There's another firewall model that I want to share with you, and that's the multi-level state firewall.

Stateful firewalls

The stateful multi-level inspection firewall is another evolution of the previous models we've talked about. Typically, it combines aspects of the last three firewall models we've reviewed: packet filtering, link-level gateway, and application-level gateway. We're going to talk about inspections that take place at several levels of communication. We'll talk about the TCP/IP model as opposed to the OSI model, but logically both cover the same aspects of the network. What's important is that when we talk about stateful layered validation, we're talking about the entire stack, which is the ability to go all the way from that low level of TCP packets to application communication protocols. This means that this firewall model can do all the things we've talked about so far. For example, inspect the content of HTTP requests, but because it is stateful, it can also work with packets and requests and perform actions such as resolving packets only from known active connections. He has to look at the broader concept that is connection. This gives it the ability to do things like stateful packet inspection, also known as SPI, so instead of handling each individual network packet individually, such as a stateless firewall, it can take a stateful approach and look at packets more holistically. Previously, we looked at a model such as a packet filtering firewall, which is stateless and does not know whether a packet is part of an existing connection or not. Therefore, the stateful model supports connectivity. All of this means that a stateful multi-level inspection firewall can begin to make filtering decisions based on aggregate data—that is, not just the information that's flowing through it right now, and not just individual packets.

This brings us to four levels of firewall complexity. Packet Filtering, Link-Level Gateway, Application-Level Gateway, and Stateful Multi-Layer Firewall. All of these classes of firewalls are manufactured by many different manufacturers, with many different products designed for a wide variety of audiences. There are a huge number of firewall products out there. One of the things an adversary wants to do very early on is figure out which firewall stands between him and his target.

Next-Generation Firewalls

A new generation of firewalls appeared on the market relatively recently. Companies such as Cisco or Palo Alto are already using many next-generation firewall concepts. Next-generation firewalls will always include a stateful firewall. They'll cover the firewall, so that's going to be the core of it, but it's also going to add the idea of application awareness. Application awareness means that our firewall can distinguish between an HTTP message being sent to a website and someone putting malicious code in an HTTP message to try and carry out an attack. In addition, it comes with user controls, which are not designed to control users, but rather to determine what our users have access to. When we use these next-generation firewalls at the edge of our internet, we get a lot of control over what specific resources on the internet our users can access. We hope that this will help us to control and prevent users from switching to knowingly malicious Internet resources. For this, we also have intrusion detection systems built into the next-generation firewall. For example, URL filters to prevent users from going to malicious websites, or if we want, we can control which sites a user can go to.