1.3 Firewalls

Week 1 Day 3 - Firewalling

Last Update Unknown

Firewalls Fundamentals

Firewall: A firewall is hardware or software that controls traffic between networks, protecting a network against unauthorised access.

DMZ (demilitarised zone): A physical or logical subnet that separates a local area network (LAN) from other untrusted networks such as the Internet.

                    Hardware Firewall                Software Firewall
Configuration       Complex                          Easier
Performance         Faster (optimised hardware)      Generally slower
Device Security     Good (hardened OS)               General-purpose OS, needs hardening
Cost                Higher                           Lower
  • Basic firewalls operate at the lower OSI layers, 3 (network) and 4 (transport)
  • Advanced firewalls can filter at all layers, up to 7 (application)
  • As firewalls evolved, they filtered on more layers

Firewall Topologies

Network/Zone Trust Levels

Networks can be segregated and have different Trust Levels / Risk Levels

  • Create different Security Zones
  • The untrusted Internet has the highest risk, so the lowest Trust Level
  • The internal network browses the Internet, so it carries a higher risk (and a lower Trust Level) than a local server network

Single Firewall

  • Small Organisation / Home User
  • No Services to provide
  • Segregating internal networks
  • 2 security zones

Single Firewall - DMZ

  • Providing Services to external network
  • Server Placed on DMZ network
  • Firewall creates 3 Security Zones
    • External/DMZ/Internal

Enterprise Firewall - Multiple DMZs

  • Different Services provided to external network on different DMZs
  • Firewall creates different Security Zones for different services

Dual Firewalls - Multiple DMZs

  • Many Security Zones
  • Layered protection: different rules are applied to e-Commerce server traffic at each firewall as it crosses between zones

Firewall Traffic Flows

  • The default rules are the same in every topology:
    • A higher trust zone is allowed to initiate connections to a lower trust zone, and the return traffic is allowed back
    • A lower trust zone is not allowed to initiate connections to a higher trust zone
  • Explicit rules allowing Outside -> DMZ traffic have been added so that external users can reach the web server

Static Packet Filtering

Packet-filtering firewalls act as routers: they de-capsulate each packet and compare the IP/TCP header values to their rules.


Stateless Packet Filtering

  • Firewall de-capsulates each packet and reads the IP and TCP/UDP header field values:
    • Source/Destination IP address
    • Source/Destination TCP/UDP port
  • The values are compared against the filtering rules in the firewall:
    • Rules are checked in order against the packet's values; the first rule that matches wins
    • The matching rule determines what to do with the packet
    • Packet is passed through the firewall or dropped depending on the rule action


  • Each packet is filtered individually
    • No notion of a conversation or TCP session, so return traffic needs its own rules
  • No inspection of the payload

Stateful Firewalls

Stateful firewalls filter on the same IP and TCP/UDP header details as a stateless filter (addresses, and the ports that identify the application), but they also remember previous packets and keep track of connections.

Stateful Packet Filtering

  • Firewall rules are the same as stateless, but the firewall additionally tracks connection state
  • Each packet is checked in the context of its connection
    • The state of traffic flows is tracked
  • Maintains a cache of current connections
    • State table records initiated connections (once they have been passed by the firewall rules)
    • State table is checked for return traffic matching a stored connection
    • Match: allowed through without consulting the rules
    • No match: check the packet against the firewall rules


  • Speeds up return-traffic processing
  • Application payload content of the packet is still not examined!
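The following simulator is an added example (not code from the course notes) for the stateless and stateful packet filtering sections above, and it also models the default zone flow rule from Firewall Traffic Flows: a higher trust zone may initiate to a lower one and get its return traffic back. The internal range 10.0.0.0/8, the addresses, ports and rules are constructed for illustration. It shows why a stateless filter needs a separate rule for return traffic, why the usual "inbound TCP with ACK set" approximation lets an unsolicited packet through, and how a state table removes that rule entirely.

```python
"""Stateless vs stateful packet filtering, shown as a small simulator.

Added example for the course notes, not course code. The networks,
addresses, ports and rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("10.0.0.0/8")     # assumed internal (trusted) range
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None
    ack_only: bool = False               # match only TCP packets with ACK set

    def matches(self, p: Packet) -> bool:
        """Compare the packet's IP/TCP header values against this rule."""
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack_only and not (p.proto == "tcp" and p.ack):
            return False
        return True


def stateless_filter(rules, p: Packet) -> str:
    """Each packet on its own: first matching rule wins, otherwise drop."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# A stateless filter has no memory of the outbound connection, so the reply
# needs its own rule. The traditional approximation is "inbound TCP with ACK
# set is return traffic" (the 'established' keyword of classic router ACLs),
# which any sender can satisfy simply by setting the ACK bit.
STATELESS_RULES = [
    Rule("allow", INSIDE, ANY),                           # inside may initiate anywhere
    Rule("allow", ANY, INSIDE, proto="tcp", ack_only=True),
]


class StatefulFilter:
    """Same rules, plus a state table of connections already allowed."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()        # 5-tuples (proto, src, sport, dst, dport)

    @staticmethod
    def key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # Return traffic, or further packets of an allowed flow: state table
        # hit, and the rules are not consulted at all.
        if self.reverse_key(p) in self.state or self.key(p) in self.state:
            return "allow"
        # No state, so this must be a new connection. For TCP only a bare SYN
        # can open one; a stray ACK with no matching state is dropped.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "drop"
        action = stateless_filter(self.rules, p)
        if action == "allow":
            self.state.add(self.key(p))       # remember the initiated connection
        return action


# The stateful rule set needs no return-traffic rule at all.
STATEFUL_RULES = [Rule("allow", INSIDE, ANY)]


def demo():
    """Run the same three constructed packets through both filters."""
    client = Packet("10.1.1.5", "203.0.113.10", "tcp", 40000, 443, syn=True)
    reply = Packet("203.0.113.10", "10.1.1.5", "tcp", 443, 40000, ack=True)
    # An outside host sends an unsolicited ACK-flagged packet at an inside port.
    spoof = Packet("198.51.100.7", "10.1.1.5", "tcp", 12345, 22, ack=True)
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in (client, reply, spoof)],
        "stateful": [stateful.filter(p) for p in (client, reply, spoof)],
    }


if __name__ == "__main__":
    print(demo())   # the stateless filter passes the spoof; the stateful one drops it
```

Running it gives allow/allow/allow for the stateless filter and allow/allow/drop for the stateful one: the only difference is the state table, which lets the second rule set drop the return-traffic rule that the spoofed packet abused.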

Application Inspection Firewalls

Application Inspection

Deal with complex protocols, e.g. FTP and VoIP protocols

  • Multi-channel protocol support
  • In active FTP, the client's outgoing control-session payload carries the PORT command, which tells the server the negotiated data-channel port number on the client
  • An inspection firewall reads this and opens a pinhole allowing the server to connect to that data-channel port on the client system


ICMP

  • ICMP error packets (Time Exceeded, Host Unreachable) are returned by intermediate network devices, so their source address does not match the destination of the outgoing packet
  • An inspection firewall relates the error to the original flow by reading the offending packet's header that is quoted inside the ICMP payload
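The block below is an added example (not course code and not any product's implementation) for the two application-inspection cases above: parsing the FTP PORT command into a dynamic pinhole, and matching an ICMP error to a tracked connection by reading the original header quoted in the ICMP payload. The addresses, the captured control-channel line and the ICMP bytes are constructed; state table entries are assumed to be (proto, src, sport, dst, dport) tuples. It also carries the check a practitioner wants on PORT: the advertised address must be the client's own, otherwise the firewall would be opening a hole towards a third party.

```python
"""Application inspection: FTP PORT pinholes and ICMP error matching.

Added example for the course notes, not course code. Addresses, the
control-channel line and the ICMP bytes are constructed.
"""
import re
import struct

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" where the data port is p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(payload: bytes):
    """Return (ip, port) from a PORT command, or None if the line is not one."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT argument byte out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def ftp_pinhole(client_ip, server_ip, payload: bytes):
    """Inspect an outgoing control-channel line from the client. If it is a
    valid PORT command, return the state entry to add so that the server may
    open the data connection (from its port 20) back to the client's port.

    The advertised address must be the client's own: a PORT naming another
    host would make the firewall open a hole to a third party (with the FTP
    server acting as a relay), so it is refused.
    """
    parsed = parse_port_command(payload)
    if parsed is None:
        return None                      # not a PORT command, nothing to open
    ip, port = parsed
    if ip != client_ip:
        raise ValueError(f"PORT address {ip} is not the client {client_ip}")
    return ("tcp", server_ip, 20, client_ip, port)


def icmp_error_matches(state, icmp_packet: bytes) -> bool:
    """Decide whether an inbound ICMP error belongs to a tracked connection.

    The error comes from an intermediate router, so its own source address
    matches nothing in the state table. RFC 792 errors quote the IP header
    and the first 8 bytes of the offending datagram, which recover the
    original 5-tuple; that tuple is what is looked up.
    """
    if len(icmp_packet) < 8 + 28:             # ICMP header + 20-byte IP + 8 bytes L4
        return False
    if icmp_packet[0] not in (3, 11):         # Destination Unreachable, Time Exceeded
        return False
    inner = icmp_packet[8:]                   # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4               # IP header length in bytes
    proto = {6: "tcp", 17: "udp"}.get(inner[9])
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    if proto is None or len(inner) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport) in state


def build_time_exceeded(orig_src, orig_dst, proto_num, sport, dport) -> bytes:
    """Construct (for the demo only) an ICMP Time Exceeded message quoting the
    original datagram's IP header plus the first 8 bytes of its transport
    header. Checksums are left zero; nothing is sent on a real network."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto_num, 0,
                         bytes(int(b) for b in orig_src.split(".")),
                         bytes(int(b) for b in orig_dst.split(".")))
    l4_first8 = struct.pack("!HHI", sport, dport, 0)    # ports + sequence number
    icmp_hdr = struct.pack("!BBHI", 11, 0, 0, 0)        # type 11, code 0
    return icmp_hdr + ip_hdr + l4_first8


def demo():
    client, server = "10.1.1.5", "203.0.113.10"
    state = {("tcp", client, 40001, server, 21)}       # control channel, already allowed
    hole = ftp_pinhole(client, server, b"PORT 10,1,1,5,195,80\r\n")   # 195*256+80 = 50000
    state.add(hole)
    related = icmp_error_matches(state, build_time_exceeded(client, server, 6, 40001, 21))
    unrelated = icmp_error_matches(state, build_time_exceeded(client, server, 6, 40001, 22))
    return hole, related, unrelated


if __name__ == "__main__":
    print(demo())
```

The pinhole opened is server:20 -> client:50000 and nothing wider; the ICMP error is accepted only when the quoted header names a flow that is actually in the state table.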

Proxy

Proxy Server: Traffic is routed through a proxy server that terminates the connection and opens its own, so there is no direct connection between the computer on the LAN and the Internet.

Issues

  • Very processing intensive, so slow
  • The proxy service itself may be attacked
  • Thousands of applications exist, and there are not enough application proxies to cover them

Web Application Firewall (WAF)

  • Specific type of proxy firewall
  • Placed in front of a web server
  • Monitors, filters or blocks the HTTP traffic to and from a web application
  • Validation of HTTP protocol compliance against the protocol RFC
    • Protocol Anomaly Detection (PAD)
  • Mitigates XSS, SQL injection, session hijacking and in some cases zero-day threats, since only valid HTTP is allowed through (closed security stance)
  • Commonly used for compliance (PCI DSS)
  • Combined with a less capable (packet-filtering) firewall in front of it
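As an added example (not course code, and not any WAF product's rule set) of the protocol-compliance side of a WAF, the validator below applies a closed stance to HTTP/1.1 requests: anything that does not fit the RFC 7230 message syntax is rejected with a reason before it reaches the web server. The allowed-method list and the header size limit are assumed policy, and the sample requests are constructed.

```python
"""WAF-style protocol anomaly detection for HTTP/1.1: a closed stance where
only requests that conform to the message grammar reach the web server.

Added example for the course notes, not course code and not a product's rules.
The sample requests are constructed; the checks follow RFC 7230 syntax.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}   # assumed policy
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")                    # RFC 7230 tchar
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.1$")
MAX_HEADER_BYTES = 8192                                                  # assumed limit


def validate_request(raw: bytes):
    """Return (ok, reason); ok is True only for a protocol-compliant request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end-of-headers sequence"
    if len(head) > MAX_HEADER_BYTES:
        return False, "header block too large"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in header block"
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not target.startswith("/") and target != "*":
        return False, "request target must be origin-form"
    headers = {}
    for line in lines[1:]:
        if not line or line[0] in " \t":          # empty line or obsolete folding
            return False, "malformed header line"
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return False, f"malformed header line {line!r}"
        value = value.strip(" \t")
        if any(ord(c) < 0x20 and c != "\t" for c in value):
            return False, f"control character in {name} value"
        key = name.lower()
        if key in ("host", "content-length") and key in headers:
            return False, f"duplicate {name} header"
        headers[key] = value
    if "host" not in headers:
        return False, "Host header required in HTTP/1.1"
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            return False, "Content-Length is not a decimal integer"
        if "transfer-encoding" in headers:   # RFC 7230 3.3.3: ambiguous framing
            return False, "Content-Length and Transfer-Encoding both present"
        if int(length) != len(body):
            return False, "Content-Length does not match body length"
    return True, "ok"


# Constructed sample traffic: one compliant request and several anomalies.
GOOD = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 11\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&")
BAD = [
    b"GET /index.html HTTP/1.1\r\n\r\n",                                     # no Host
    b"GET /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    b"TRACK /a HTTP/1.1\r\nHost: x\r\n\r\n",                                 # method not in policy
    b"GET /a HTTP/1.1\r\nHost: x\r\nX-Note: a\x00b\r\n\r\n",                  # NUL in a value
    b"GET /a HTTP/1.1\r\nHost: x\r\nContent-Length: 0\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"GET /a HTTP/1.0\r\nHost: x\r\n\r\n",                                   # not HTTP/1.1
]


def triage(requests):
    """Run the validator over a batch and return the reason for each request."""
    return [validate_request(r)[1] for r in requests]


if __name__ == "__main__":
    print(validate_request(GOOD))
    for r, why in zip(BAD, triage(BAD)):
        print(r[:24], "->", why)
```

The point of the closed stance is visible in the method check: a method the policy never listed is refused even though it is syntactically valid HTTP, which is what lets such a device reject some traffic it has no specific signature for.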

Common Proxy - Outbound Web Proxy

  • Content filtering - Black/white list URL filtering of Web traffic, web script filtering
  • Cache Web pages
  • User Authentication

Tiered Proxy Servers

  • Web caching/user authentication
  • Web content filtering/URL Black/White listing

Application Proxy Firewall

  • Proxy decapsulates packet, layer by layer, on incoming interface
  • Filter on any/all of the layers including payload - validate application protocol
  • Build packet back up on outgoing interface

Inbound Mail Proxy

  • Proxy is typically dedicated to a single application
  • Can help take load off the main firewall
  • Often used for non-time-sensitive protocols (SMTP, HTTP)
  • No direct connection to the internal mail server
  • SMTP protocol validation before traffic reaches the mail server

Hybrid Firewalls

Hybrid/Next Gen Firewalls (NGFW)

  • Move from firewalling to all-inclusive security devices
  • Combine multiple defences into one box
  • Powerful devices, possibly including:
    • Stateful inspection firewalling
    • Application-layer firewalling
    • Protocol Anomaly Detection
    • SSL decryption
    • Intrusion Prevention System (IPS)
    • Antivirus filtering
    • URL filtering
    • Virtual Private Network (VPN) termination
  • Can be less complex to administer/manage
  • Single point of failure
  • If vulnerable to attack, a single point of compromise
  • Due diligence needed!

Virtual Firewalls

  • Many firewall companies now also sell their security devices as virtual appliances
  • Integrate with virtualisation hypervisors
  • Firewalling done in software
  • Can be placed in the network infrastructure as a VM, or built into the hypervisor
  • A hypervisor firewall can firewall individual VMs
  • Examples: Cisco, Juniper, Palo Alto, Fortinet, pfSense