A firewall is a software or hardware-software component of a computer network that monitors and filters the network traffic passing through it according to a specified set of rules [1].
Other names [2]:
- Brandmauer (from German Brandmauer, literally "fire wall") - a term borrowed from German;
- Firewall (from English firewall, "fire wall") - a term borrowed from English.
Purpose
Among the tasks that firewalls solve, the main one is protecting network segments or individual hosts from unauthorized access that exploits vulnerabilities in the protocols of the OSI network model or in software installed on networked computers. Firewalls allow or block traffic by comparing its characteristics with predefined patterns [3].
The most common place to install a firewall is the perimeter of the local network, to protect internal hosts from attacks from outside. However, attacks can also originate from internal hosts; in that case, if the attacked host is on the same network, the traffic never crosses the network perimeter and the firewall is not involved. Therefore, firewalls are now placed not only at the perimeter but also between different network segments, which provides an additional level of security [4].
History
The first devices performing the function of filtering network traffic appeared in the late 1980s, when the Internet was a novelty and not yet in global use. These devices were routers that inspected traffic based on the data contained in the headers of network layer protocols. Later, as network technologies developed, these devices became able to filter traffic using data from protocols of the higher, transport, layer. Routers can be considered the first hardware-software implementation of the firewall [5].
Software firewalls appeared much later and are much younger than antivirus programs. For example, the Netfilter/iptables project (one of the first software firewalls, built into the Linux kernel since version 2.4) was founded in 1998. Such a late appearance is understandable, since for a long time antivirus software solved the problem of protecting personal computers from malware. However, in the late 1990s viruses began actively exploiting the absence of firewalls on computers, which led to increased user interest in this class of devices [6].
Traffic Filtering
Traffic filtering is based on a set of pre-configured rules called a ruleset. It is convenient to think of a firewall as a sequence of filters that process an information stream, each filter interpreting a single rule. The order of the rules in the set significantly affects the firewall's performance. For example, many firewalls compare traffic against the rules sequentially until a match is found. For such firewalls, the rules that match the largest share of traffic should be placed as high in the list as possible, which increases performance [7] [8].
There are two principles for processing incoming traffic. The first says: "Whatever is not explicitly prohibited is permitted." In this case, if the firewall receives a packet that does not fall under any rule, the packet is passed on. The opposite principle, "Whatever is not explicitly permitted is prohibited", guarantees much greater security, since it blocks all traffic that the rules do not explicitly allow. However, this principle places an additional burden on the administrator [7] [8].
Ultimately, a firewall performs one of two operations on incoming traffic: it passes the packet on (allow) or discards it (deny). Some firewalls have a third operation, reject, in which the packet is discarded but the sender is informed that the service it tried to reach is unavailable. By contrast, with the deny operation the sender is not informed that the service is unavailable, which is safer [7] [8].
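As an added illustration (not code from the article or from any of the works it cites), the following Python model of a first-match ruleset shows the default-policy choice, the allow/deny/reject outcomes and how rule order changes the number of rule comparisons; the addresses and the traffic mix are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "deny" or "reject"
    proto: Optional[str] = None  # None in any field means "match anything"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto), (self.src, p.src),
            (self.dst, p.dst), (self.dport, p.dport)))

class FirstMatchFilter:
    """Walks the ruleset top to bottom and stops at the first matching rule."""
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default   # "deny": whatever is not explicitly allowed is forbidden
        self.comparisons = 0     # total number of rules examined so far

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            self.comparisons += 1
            if rule.matches(p):
                return rule.action
        return self.default      # no rule matched: apply the default policy

def sender_sees(decision: str) -> str:
    """deny drops silently; reject drops but tells the sender the service is unavailable."""
    return {"allow": "reply from the service", "deny": "timeout",
            "reject": "ICMP unreachable error"}[decision]

WEB = Rule("allow", proto="tcp", dst="10.0.0.5", dport=443)
DNS = Rule("allow", proto="udp", dst="10.0.0.2", dport=53)
TELNET = Rule("reject", proto="tcp", dport=23)

# Constructed sample traffic: 100 HTTPS packets, a DNS query, a telnet attempt, one unknown (8080).
TRAFFIC = [Packet("198.51.100.7", "10.0.0.5", "tcp", 443)] * 100 + [
    Packet("198.51.100.7", "10.0.0.2", "udp", 53),
    Packet("198.51.100.9", "10.0.0.5", "tcp", 23),
    Packet("198.51.100.9", "10.0.0.5", "tcp", 8080)]

def run(rules: List[Rule], default: str = "deny") -> tuple:  # (decisions, comparison cost)
    fw = FirstMatchFilter(rules, default)
    return [fw.decide(p) for p in TRAFFIC], fw.comparisons
```

Putting the HTTPS rule first costs 108 comparisons for this traffic; putting it last costs 306, with identical decisions.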
Firewall Classification
So far there is no single, universally accepted classification of firewalls [9]. In most cases, however, the supported layer of the OSI network model is the main characteristic used to classify them. Based on this model, the following types of firewalls are distinguished [10] [11]:
- managed switches;
- packet filters;
- session layer gateways;
- application layer intermediaries;
- stateful inspectors.
Managed Switches
Managed switches are sometimes classed as firewalls, since they filter traffic between networks or network nodes. However, they operate at the data link layer and separate traffic within the local network, which means they cannot be used to process traffic from external networks (for example, from the Internet) [11].
Many manufacturers of network equipment, such as Cisco, Nortel, 3Com and ZyXEL, let their switches filter traffic based on the MAC addresses contained in frame headers. For example, in the Cisco Catalyst family of switches this feature is implemented by the Port Security mechanism [12]. However, this filtering method is not effective, since the MAC address of a network card is easily changed in software: the value set through the driver takes priority over the one burned into the card [13]. Therefore, many modern switches allow other parameters to be used as the filtering criterion, for example the VLAN ID. Virtual local area network (VLAN) technology makes it possible to create groups of hosts whose traffic is completely isolated from other network nodes [14].
When the security policy of a corporate network is built on managed switches, they can be a powerful and fairly cheap solution. Because they deal only with data link layer protocols, such firewalls filter traffic at very high speed. The main disadvantage of this solution is the inability to analyze higher-layer protocols [15].
Packet Filters
Packet filters operate at the network layer and control the flow of traffic based on the information contained in the packet header. Many firewalls of this type can also use the headers of the higher, transport, layer (for example, TCP or UDP). Packet filters were among the first to appear on the firewall market and to this day remain the most common type. This technology is implemented in the vast majority of routers and even in some switches [16].
When analyzing the network packet header, the following parameters can be used [10]:
- source and destination IP address;
- type of transport protocol;
- service fields of the network and transport layer protocol headers;
- source and destination port.
Fragmented packets often have to be filtered as well, and fragmentation makes some attacks difficult to identify. Many network attacks exploit this weakness of firewalls by passing packets containing forbidden data as fragments of another, trusted packet. One way to counter this type of attack is to configure the firewall to block fragmented packets [17]. Some firewalls can reassemble packets before forwarding them to the internal network, but this requires additional resources on the firewall itself, especially memory. Reassembly should be used with great care, otherwise such a firewall could easily become the victim of a DoS attack itself [18].
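The reassembly option just described, as an added Python example that is not from the article: the reassembler rebuilds each datagram before the port check, but caps the memory it may hold and evicts the oldest incomplete datagram when the cap is exceeded, so a flood of never-completed fragment sets cannot exhaust it. IP fragmentation is simplified (byte offsets, no overlap handling), the addresses and payloads are constructed, and the simpler policy of dropping every fragment (offset > 0 or More Fragments set) is the one-line alternative.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int       # Identification field shared by all fragments of one datagram
    offset: int      # payload offset in bytes (real IP counts in 8-byte units)
    more: bool       # More Fragments flag; False only on the last fragment
    payload: bytes   # starts with the TCP header in the first fragment only

class BoundedReassembler:
    """Rebuilds datagrams under a memory budget; oldest incomplete datagram is evicted first."""
    def __init__(self, max_buffered: int):
        self.max_buffered, self.buffered, self.evicted = max_buffered, 0, 0
        self.partial: Dict[tuple, dict] = OrderedDict()  # (src, dst, ip_id) -> parts

    def feed(self, f: Fragment) -> Optional[bytes]:
        key = (f.src, f.dst, f.ip_id)
        entry = self.partial.setdefault(key, {"parts": {}, "end": None})
        if f.offset not in entry["parts"]:       # duplicates ignored (overlap handling omitted)
            entry["parts"][f.offset] = f.payload
            self.buffered += len(f.payload)
        if not f.more:
            entry["end"] = f.offset + len(f.payload)
        data = self._assemble(entry)
        if data is not None:
            self._drop(key)                      # complete: release its memory
            return data
        while self.buffered > self.max_buffered and self.partial:
            self._drop(next(iter(self.partial)))  # over budget: evict the oldest incomplete one
            self.evicted += 1
        return None

    def _assemble(self, entry: dict) -> Optional[bytes]:
        data = b""
        for off in sorted(entry["parts"]):
            if off != len(data):
                return None                      # hole: a fragment is still missing
            data += entry["parts"][off]
        return data if entry["end"] == len(data) else None

    def _drop(self, key: tuple) -> None:
        self.buffered -= sum(len(p) for p in self.partial.pop(key)["parts"].values())

def filter_reassembled(r: BoundedReassembler, frags, allowed=frozenset({443})) -> list:
    """One verdict per completed datagram, decided on the TCP destination port (bytes 2-3)."""
    verdicts = []
    for f in frags:
        data = r.feed(f)
        if data is not None:
            verdicts.append("allow" if int.from_bytes(data[2:4], "big") in allowed else "deny")
    return verdicts
```

A non-first fragment carries no transport header, which is why the verdict can only be taken on the reassembled datagram.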
Packet filters can be implemented in the following network infrastructure components [18]:
- border routers;
- operating systems;
- personal firewalls.
Since packet filters usually check only the data in the network and transport layer headers, they can do so very quickly. Packet filters built into border routers are therefore well suited for deployment at the boundary with a network of low trust. However, packet filters cannot analyze protocols of the higher layers of the OSI model. In addition, packet filters are usually vulnerable to attacks that use network address spoofing; such attacks are typically carried out to bypass the firewall's access control [19] [20].
Session Layer Gateways
A session layer firewall eliminates direct interaction between external hosts and a host on the local network by acting as an intermediary (proxy) that responds to all incoming packets and checks their validity based on the current phase of the connection. The session layer gateway makes sure that no network packet is passed unless it belongs to a previously established connection. As soon as a request to establish a connection arrives, the relevant information (sender and receiver addresses, the network and transport layer protocols used, connection state, etc.) is placed in a special table. Once the connection is established, packets transmitted within this session are simply copied to the local network without additional filtering. When the session ends, its entry is deleted from the table, so all subsequent packets "pretending" to belong to the already closed connection are discarded [21].
Since this type of firewall eliminates direct interaction between the two nodes, the session layer gateway is the only connecting element between the external network and internal resources. This creates the impression that the gateway itself answers all requests from the external network and makes it virtually impossible to determine the topology of the protected network. In addition, since contact between nodes is established only if it is permitted, a session layer gateway prevents the kind of DoS attack to which packet filters are prone [22].
Despite the effectiveness of this technology, it has a serious drawback: like all the classes of firewalls above, session layer gateways cannot inspect the contents of the data field, which allows an attacker to pass "Trojan horses" into the protected network [23].
Application-Level Intermediaries
Application layer firewalls, like session layer gateways, eliminate direct interaction between two nodes. However, operating at the application layer, they are able to "understand" the context of the transmitted traffic. Firewalls implementing this technology contain several application proxies, each serving its own application protocol. Such a firewall can detect and block nonexistent or unwanted command sequences in transmitted messages, which often indicate a DoS attack, or prohibit the use of certain commands (for example, FTP PUT, which allows a user to write data to the FTP server).
An application layer intermediary can determine the type of information being transmitted; this allows, for example, blocking a mail message that contains an executable file. Another feature of this type of firewall is validation of input arguments. For example, a username argument that is 100 characters long or contains binary data is at least suspicious.
Application layer intermediaries are able to authenticate the user and also verify that SSL certificates are signed by a specific certification authority. Application layer firewalls are available for many protocols, including HTTP, FTP, mail (SMTP, POP, IMAP), Telnet and others [24] [25].
The disadvantages of this type of firewall are the high time and resource cost of analyzing every packet. For this reason they are usually unsuitable for real-time applications. Another disadvantage is that support for new network applications and protocols cannot be added automatically, since each of them requires its own agent [26].
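An added Python example (not from the article) of one application proxy of the kind described: it parses FTP control-channel commands, refuses STOR (what the ftp client sends for put) and related write commands, and validates the USER argument for length and binary data; the blocked-command set and the reply text are this example's own policy choices.

```python
import re
from typing import List, Tuple

# Commands a read-only policy refuses; the ftp client's "put" is sent as STOR.
BLOCKED_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RMD", "RNTO"}
MAX_USERNAME = 100                       # the threshold the text calls "at least suspicious"
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")

def inspect_ftp_command(raw: bytes) -> Tuple[str, str]:
    """Classify one client line of the FTP control channel: (verdict, reason)."""
    line = raw.rstrip(b"\r\n")
    m = CMD_RE.match(line)
    if m is None:
        return "block", "not a well-formed FTP command"   # the proxy only passes syntax it understands
    verb, arg = m.group(1).upper().decode(), m.group(2) or b""
    if verb in BLOCKED_COMMANDS:
        return "block", f"{verb} is not permitted by policy"
    if verb == "USER":                   # argument validation for the login name
        if len(arg) > MAX_USERNAME:
            return "block", "username too long"
        if any(b < 0x20 or b > 0x7E for b in arg):
            return "block", "username contains binary data"
    return "allow", ""

class FtpCommandProxy:
    """Application-level intermediary: the client talks only to the proxy, which relays
    acceptable commands to the real server and answers blocked ones itself."""
    def __init__(self) -> None:
        self.relayed: List[bytes] = []   # lines forwarded to the server
        self.log: List[str] = []         # reasons for blocked lines

    def from_client(self, line: bytes) -> bytes:
        verdict, reason = inspect_ftp_command(line)
        if verdict == "allow":
            self.relayed.append(line)
            return b""                   # nothing to say yet; the server's reply will follow
        self.log.append(reason)
        return b"550 Command rejected by proxy.\r\n"   # the server never sees the line
```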
Stateful Inspectors
Each of the types of firewalls above is used to protect corporate networks and has several advantages. However, it would be far more efficient to combine all these advantages in one device and obtain a firewall that filters traffic from the network layer up to the application layer. This idea was implemented in stateful inspectors, which combine high performance and security. This class of firewalls makes it possible to control [27]:
- each transmitted packet, based on a rule table;
- each session, based on a state table;
- each application, based on dedicated intermediaries.
By filtering traffic on the principle of a session layer gateway, this class of firewalls does not interfere with the process of establishing a connection between nodes. The performance of a stateful inspector is therefore much higher than that of an application layer intermediary or a session layer gateway, and is comparable to that of packet filters. Another advantage of stateful inspectors is transparency to the user: no additional configuration of client software is required. These firewalls are also highly extensible: when a new service or a new application layer protocol appears, it is enough to add a few templates to support it. However, compared with application layer intermediaries, stateful inspectors provide lower security [28].
The term stateful inspection, introduced by Check Point Software, is so popular with network equipment manufacturers that almost every firewall is now claimed to use this technology, even if it does not fully implement it.
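The connection table of the session layer gateway and the stateful inspector's rule-table-plus-state-table scheme, as one added Python example that is not from the article: rules are consulted only on a connection request (SYN), packets of a live session pass on the state table alone, and packets claiming to belong to a closed or unknown connection are dropped. The hosts and ports are constructed and the TCP state machine is simplified.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "FA", "R"

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport) as seen from the initiator

class StatefulInspector:
    """Rules are consulted only when a connection is opened (a SYN). Every later
    packet is checked against the state table instead, and anything that does not
    belong to a known connection is dropped, as in a session layer gateway."""
    def __init__(self, allowed: Set[Tuple[str, int]]):
        self.allowed = allowed            # (internal host, port) pairs reachable from outside
        self.table: Dict[Key, str] = {}   # live connections and their state
        self.rule_lookups = 0             # how often the rule table was consulted

    def _lookup(self, s: Segment) -> Optional[Key]:
        for key in ((s.src, s.sport, s.dst, s.dport), (s.dst, s.dport, s.src, s.sport)):
            if key in self.table:
                return key                # packet belongs to this connection (either direction)
        return None

    def handle(self, s: Segment) -> str:
        key = self._lookup(s)
        if key is None:
            if s.flags != "S":
                return "drop"             # not a connection request and not part of any session
            self.rule_lookups += 1
            if (s.dst, s.dport) not in self.allowed:
                return "drop"             # the rules forbid opening this connection
            self.table[(s.src, s.sport, s.dst, s.dport)] = "SYN_SENT"
            return "forward"
        state = self.table[key]
        if "R" in s.flags or ("F" in s.flags and state == "FIN_WAIT"):
            del self.table[key]           # session over: later packets with this tuple are dropped
        elif "F" in s.flags:
            self.table[key] = "FIN_WAIT"  # one side has closed, wait for the other
        elif state == "SYN_SENT" and s.flags == "SA":
            self.table[key] = "ESTABLISHED"
        return "forward"                  # belongs to a live session: no rule evaluation needed

    def state_of(self, s: Segment) -> Optional[str]:
        key = self._lookup(s)
        return self.table[key] if key else None
```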
Implementation
Firewalls are implemented in two forms: software and hardware-software. The hardware-software form in turn has two varieties: a separate module in a switch or router, and a specialized device.
At present the software solution is used more often, and at first glance it looks more attractive: it would seem enough to purchase firewall software and install it on any computer available in the organization. In practice, however, an organization does not always have a spare computer, let alone one that meets the fairly high system resource requirements. Once a computer is found (most often purchased), installation and configuration of the operating system and of the firewall software itself follow. It is easy to see that using an ordinary personal computer is far from as simple as it might seem. This is why specialized hardware-software systems, called security appliances, have become increasingly widespread; they are usually based on FreeBSD or Linux, "trimmed" to perform only the necessary functions. The advantages of these solutions are [29]:
- Ease of deployment: these devices come with a pre-installed and configured operating system and require a minimum of settings after being connected to the network.
- Ease of management: these devices can be managed from anywhere using standard protocols such as SNMP or Telnet, or through secure protocols such as SSH or SSL.
- Performance: these devices work more efficiently because all unused services are removed from their operating system.
- Fault tolerance and high availability: these devices are designed to perform specific tasks with high availability.
Limitations of Firewall Analysis
A firewall can filter only the traffic it is able to "understand". Otherwise it loses its effectiveness, as it cannot make an informed decision about what to do with unrecognized traffic. Protocols such as TLS, SSH, IPsec and SRTP use cryptography to hide content, so their traffic cannot be interpreted. Likewise, some protocols, such as OpenPGP and S/MIME, encrypt application layer data, which makes it impossible to filter traffic based on information at that layer. Another example of the limits of firewall analysis is tunneled traffic, which cannot be filtered if the firewall "does not understand" the tunneling mechanism used. In all these cases the rules configured on the firewall must explicitly define what to do with traffic that cannot be interpreted [30].
Notes
1. Lebed, 2002, p. 22.
2. Shangin, 2011, p. 193.
3. Lebed, 2002, p. 22-25.
4. Laponina, 2014, p. 43.
5. Ingham and Forrest, p. 2.
6. Faronov, 2016, p. 62.
7. Laponina, 2014, p. 131.
8. Shangin, 2011, p. 195.
9. Shangin, 2011, p. 194.
10. Fox, 2003, p. 30.
11. Lebed, 2002, p. 48.
12. Cisco.
13. Cardenas, 2003.
14. Lebed, 2002, p. 50.
15. Lebed, 2002, p. 52.
16. Laponina, 2014, p. 52.
17. Laponina, 2014, p. 51-56.
18. Laponina, 2014, p. 53.
19. Fox, 2003, p. 30-31.
20. Lebed, 2002, p. 54.
21. Fox, 2003, p. 31.
22. Lebed, 2002, p. 58.
23. Laponina, 2014, p. 63-64.
24. Lebed, 2002, p. 55-56.
25. Laponina, 2014, p. 59.
26. Lebed, 2002, p. 56.
27. Lebed, 2002, p. 58-61.
28. Fox, 2003, p. 32.
29. Shangin, 2011, p. 207.
30. Laponina, 2014, p. 73.
Literature
Books
- Lebed S.V. Firewall. Theory and practice of protecting the external perimeter. Bauman MSTU, 2002. 306 p. ISBN 5-7038-2059-6.
- Chapman Jr. D.V., Fox E. Cisco Secure PIX Firewalls. Williams, 2003. 341 p. ISBN 5-8459-0463-3.
- Mayvold E. Lecture 10 "Firewalls" // Network Security: Information. INTUIT, 2006. ISBN 978-5-9570-0046-9.
- Shangin V.F. Information security in computer systems and networks. INFRA-M, 2011. 416 p. ISBN 978-5-16-003132-3.
- Faronov A.E. Fundamentals of information security when working on a computer. INTUIT, 2016. 155 p.
- Laponina O.R. Firewall. Binom, 2014. 343 p. ISBN 5-94774-603-4.
Articles
- K. Ingham, S. Forrest. A History and Survey of Network Firewalls.
- Cisco. Configuring Port Security.
- Edgar D. Cardenas. MAC Spoofing - An Introduction. 2003.