Firewalls are used to protect computers from being hacked. A firewall is a system or group of systems that enforces an access control plan between two or more networks. In general, a firewall restricts access between trusted and untrusted networks. Most often, firewalls protect a trusted corporate network from the untrusted Internet. Firewalls also protect a sensitive corporate subnet from a more public subnet. The firewall can block or permit traffic depending upon its configuration.
The Access Control Plan is implemented through the firewall’s configuration. Some firewalls are configured to admit only email traffic, which blocks every other kind of inbound traffic that could carry a network security threat. The firewall implements security rules. It can be configured, for example, to permit only public FTP traffic to reach a particular computer in the network. Through a well-configured firewall, a company can control the flow of traffic to its website, which files are allowed to be transferred out of the network, and so on.
Firewalls are usually configured to block unauthorized logins. More elaborate firewalls can block traffic from the outside to the inside while still allowing users on the inside to communicate freely with the outside. Firewalls also provide an important logging and auditing function and can produce detailed logs of the traffic passing through them. Firewall logs are critically important data and can be used as evidence in a court of law in most countries.
Firewall filters can be added or removed based on conditions such as IP addresses, domain names or protocols. A protocol is the pre-defined way in which a client and a server communicate with each other; HTTP, for example, is the Web’s protocol. Some common protocols that you can set firewall filters for include: IP (Internet Protocol), TCP (Transmission Control Protocol), HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), UDP (User Datagram Protocol, used for traffic that requires no acknowledgement, such as streaming audio and video), ICMP (Internet Control Message Protocol, used by routers to exchange control and error information), SMTP (Simple Mail Transfer Protocol), SNMP (Simple Network Management Protocol) and Telnet, which is used to run commands on a remote computer.
Filter rules can also restrict a protocol so that it is allowed only for one or two specific machines. Some operating systems come with a firewall built in. A software firewall can be installed on the computer that has the Internet connection. This computer is considered the gateway because it provides the only point of access between the home network and the Internet. With a hardware firewall, the firewall unit itself is normally the gateway. The three main firewall technologies are packet filtering, proxy servers, and stateful inspection. Modern firewalls often use a hybrid of these technologies.
Packet Filtering
Packet-filtering systems route packets between trusted and untrusted networks. They help enforce an organization’s Access Control Plan by selectively allowing or denying packets according to the policy. If installed properly, a packet filter is nearly transparent to users. Packet filters are not very secure in themselves because they do not recognize the application layer and do not understand the context of a communication, which makes it possible for attackers to fool them. In the past, packet filters were implemented mainly on routers and filtered packets using characteristics such as the destination Internet Protocol (IP) address. A router with packet-filtering capability is called a screening router. A screening router operates at the network level and makes it possible to control network traffic without making changes to applications.
Proxy Servers
Proxy firewalls function at the application layer. A proxy accepts users’ requests for Internet services (such as FTP and HTTP) and forwards them to the actual services. The proxies act as gateways, making the physical connection to the outside server; consequently, proxies are sometimes known as application-level gateways. Proxy servers reside between the systems on the internal network and the servers on the Internet, and they handle all communications between the two.
When using proxy servers, each communication requires two connections: one from the client to the proxy server and one from the proxy server to the Internet server. Moreover, the proxy server needs a different application process for each protocol (FTP, Telnet, HTTP, etc.), which is an obstacle when it comes to supporting new protocols and technologies. Also, because each request requires a new proxy connection, scalability and throughput are limited.
Using FTP over a proxy server requires two components: a proxy server and a proxy client. The proxy server runs on the firewall system. The proxy server receives requests from the proxy client and decides whether the request should be approved or denied based on its configured security policy or the Access Control Plan. If the request is approved, the proxy server proceeds to relay requests from the proxy client to the Internet server. The proxy server then relays replies from the Internet server to the proxy client.
Proxy servers hide the source address of the communication, thereby protecting the network from intruders. However, this same ability encourages hackers to use proxies to hide their IP addresses when attacking a server. It is worth noting that a proxy server can make policy decisions because it recognizes network protocols and resides at the application layer. For example, an FTP proxy can refuse to let users download files from anywhere except a list of trusted sites. Some proxy servers even allow administrators to define different policies for different systems instead of enforcing the same policy for everyone. Proxy servers are a good choice for high-security, low-traffic environments. For a high-traffic environment, the third technology, stateful inspection, is more useful.
Stateful Inspection
Stateful inspection is also referred to as dynamic packet filtering. In stateful inspection, the packet is analyzed at the network layer, and the firewall tracks active TCP sessions in state tables. User-defined Access Control Plans determine which sessions are permitted to be established, and packets associated with active sessions are permitted to pass through the firewall. This filtering is much more accurate than that of traditional packet-filter firewalls.
The firewall pulls state-related information from each packet and stores it in dynamic state tables. Then, to determine whether to allow or deny a request, the firewall evaluates each connection against the rule base and this state table. Using this approach, stateful-inspection firewalls are more scalable and extensible than proxy servers and basic packet filters. From the outside, stateful-inspection firewalls appear to be proxy servers because all communications seem to originate from a single host.
From the inside, they appear to be a basic packet filter because communications seem to occur directly with the remote system. Stateful inspection achieves this by using state tables and rewriting packets. However, because stateful inspection does not examine the entire packet, malformed packets can make it through the inspection and attack servers behind the firewall.
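As an added illustration of the difference between the basic packet filter described under Packet Filtering and the stateful inspection described above (example code written for this page, not from the original text), the Python below runs both kinds of filter over a small constructed packet trace; the 10.0.0.0 inside subnet, the addresses and the ports are assumed values:

```python
# Added example (not from the original text): a toy stateless packet filter
# beside a toy stateful-inspection filter, run over a constructed trace.
from collections import namedtuple

INSIDE = "10.0.0."  # trusted subnet prefix (constructed for this example)
Packet = namedtuple("Packet", "src dst proto sport dport flags")

def is_inside(ip):
    return ip.startswith(INSIDE)

def stateless_filter(pkt):
    """Basic packet filter: judges each packet alone, with no session memory.
    Inside hosts may open outbound TCP connections; inbound TCP packets pass
    only if ACK is set, the classic stateless guess at 'a reply to us'."""
    if pkt.proto != "TCP":
        return False
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    return not is_inside(pkt.src) and is_inside(pkt.dst) and "ACK" in pkt.flags

class StatefulFilter:
    """Stateful inspection: records sessions opened from inside in a state
    table and admits inbound packets only if they belong to a tracked session."""
    def __init__(self):
        self.sessions = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.proto != "TCP":
            return False
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:  # bare SYN: a new outbound session
                self.sessions.add(key)
                return True
            return key in self.sessions  # later packets of a known session
        # Inbound: reverse the tuple and look it up in the state table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

# Constructed trace: an inside host opens a web connection and gets the reply,
# then an outside host sends an unsolicited ACK packet matching no session.
TRACE = [
    Packet("10.0.0.5", "203.0.113.7", "TCP", 40000, 80, {"SYN"}),
    Packet("203.0.113.7", "10.0.0.5", "TCP", 80, 40000, {"SYN", "ACK"}),
    Packet("203.0.113.9", "10.0.0.5", "TCP", 4444, 40001, {"ACK"}),
]

def compare(trace=TRACE):
    stateful = StatefulFilter()
    return [stateless_filter(p) for p in trace], [stateful.decide(p) for p in trace]
```

The stateless filter admits the third, unsolicited packet because it only sees an ACK flag, while the stateful filter drops it because no session in its table matches; this is the extra accuracy the section describes.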
Packet filtering, stateful inspection and proxy servers each offer different, valuable functionality for a corporate firewall. The recent trend is to develop hybrid firewalls that combine proxy services with stateful inspection. Many firewalls today also come equipped with special features, such as Network Address Translation (NAT) and high availability (HA). NAT involves changing the IP address on a packet from one used on one network to a different IP address known to another network, which adds a further level of security. HA lets you run two firewalls side by side. NAT and HA are two common firewall features.