I. Background of Firewall

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
 
Any device that controls network traffic for security reasons can be called a firewall. It puts up a barrier that controls the flow of traffic between networks and is able to protect the boundary of a university’s internal network whilst it is connected to other networks (e.g. the Internet, third-parties’ private networks).
 
The safest firewall would block all traffic, but that defeats the purpose of making the connection. Therefore, the key function of a firewall is to strictly control selected traffic in a secured manner.
 
There are three major types of firewalls that use different strategies for protecting internal networks from external or internal threats. 

 


Screening Router

Also known as "Packet Filters", the Screening Router is the first generation of firewall devices built on network routers and operate in first three levels of OSI reference model. The device checks for matches to any of the packet filtering rules pre-configured, and drops or rejects the packet accordingly. 

Network administrators are required to define a set of rules to instruct the Screening Routers to filter out packets. As most of the applications communicate over the Internet today uses well know ports for particular type of traffic, such as 80 for HTTP and 20 for FTP, the Screening Routers can easily distinguish between, and thus control, those types of traffics unless non-standard ports are used.

 

The major weakness of Screening Routers is its "stateless" nature - no information on the connection state is examined. Instead, only the low-level information contained in the packet itself will be filtered, such as source/destination address, protocol types, port numbers, etc.
 
Proxy Server Firewall
 
A Proxy Server Firewall operates at the upper levels of the OSI protocol stack (i.e. all the way up to the application layer) and provides internal terminals with proxy services to external networks. Messages from internal terminals are relayed by the Proxy Server Firewall to external destinations. A major benefit of deploying Proxy Server Firewalls is that they are able to hide the internal network information or structure through changing the IP addresses of outgoing packets.
 
Furthermore, Proxy Server Firewalls is able to look at more detailed information inside the packets, which enables more sophisticated monitoring and control of traffic flows at the network boundary. However, degradation of performance and reduction in the transparency of access to other networks are the possible by-products of using Proxy Server Firewalls.
 
There are two types of Proxy Server Firewalls:
  • Circuit-Level Firewall
    A Circuit-Level Firewall works at the session layer of the OSI model. They monitor TCP handshaking between the packets to determine if a requested session is legitimate.

A virtual "circuit" is established between the internal terminals and the proxy server. "Network Address Translation" technique is used, where requests from the external networks go through this "circuit" to the proxy server, and the proxy server relays those requests to the external networks after changing the IP addresses of the packets. All packets delivered by the Circuit-Level Firewall are tagged with public IP addresses and the internal private IP addresses are not exposed to potential intruders. There is no way for a remote terminal to determine the internal private IP addresses of the universities.

  •  

    Application-Level Firewall

    An Application-Level firewall provides all the Circuit-Level firewall features and also provides extensive packet analysis.
    Not only does the firewall evaluate IP addresses, it decides whether to drop a packet or send them through based on the application information available in the packet, which stops hackers from hiding information in the packets. Such function is achieved via setting up multiple proxies on a single firewall for difference applications, and examines the data or connection at Application Layer based on tailor-made rule(s) for each application. Because they are application aware, more complex protocols like H.323, SIP and SQL can be handled.

Stateful Inspection Firewall

Being the third generation of firewall architecture, Stateful Inspection Firewalls work at multiple layers of OSI reference model, including Network Layer, Transport Layers and Application Layers, and is also known as "Dynamic Packet Filtering" firewalls.

A Stateful Inspection Firewalls monitor the state of active connections, analyses the traffic patterns down to the Application Layer and detects abnormalities based on the analysis results. For illustration, incoming and outgoing packets are monitored over a period of time by the Stateful Inspection Firewall. Outgoing packets that request specific types of incoming packets are tracked and only those incoming packets constituting a proper response are allowed to pass through the firewall.
 
The dynamic feature of Stateful Inspection Firewall enables more accurate filtering of packets by considering the context of the traffic. However, some Stateful Inspection Firewalls are implemented to allow direct connection between internal and external terminals as they rely on algorithms to recognise and process application layer data instead of relying on proxies, thus exposing internal IP addresses to potential hackers. Some firewall vendor incorporate stateful inspection and server proxy techniques together for added security.
 
Key Benefits Achieved through Firewall
  • Inbound and Outbound Filtering - Traffic filtering is the primary and most important function of a firewall. Inbound filtering processes inbound data towards the internal IT environment of the university and rejects any unsecured / malicious content. Outbound filtering can prevent the spread of malware originated from internal hosts and terminates certain types of communication prohibited by the university's information security policy. E.g. Peer-to-Peer, Streaming, etc. This function can also be modified to allow certain external terminals to reach the internal network or for certain data to be released to the external networks.
     
  • Stealth Mode - Firewalls not only block unauthorised requests to the information systems or personal computers within the university, but also avoid sending responses to probing activities committed by hackers, making them in "Stealth Mode" and reducing the exposure to further malicious attacks.
     
  • Privacy and Sensitive Data Protection - Many firewalls now have the ability to block spyware, hijackers, and adware from reaching the university's internal terminals. It prevents authorised leakage of private data or sensitive information of the university and its members.
     
  • Intrusion Detection - Firewalls can detect various intrusion activities via scanning incoming data for signatures of known method, record any suspicious events and notify users when such attacks are recognised. Firewall notifications and logs allow users or IT security staff of the university to timely detect any possible penetration attempts on the university's information systems and resources and prepare corresponding mitigating measures. 

 

References:
http://www.windowsecurity.com/whitepapers/General_Firewall_White_Paper.html
http://www.windowsecurity.com/articles/A_firewall_in_an_IT_system.html
http://windowsupdate.microsoft.com/
http://www.bleepingcomputer.com/tutorials/tutorial60.html