Skip to main content

Firewalls

Firewall: network access control system that verifies all the packets flowing through it.

Its main functions are usually:

  • IP packet filtering
  • Network address translation (NAT)

Must be the single enforcement point between a screened network and outside networks.

A firewall checks all the traffic flowing through it, and only the traffic flowing through it.

Powerless against insider attacks (unless the network is partitioned somehow). In general, powerless against unchecked paths.

The firewall itself is a computer: it could have vulnerabilities and be violated. Most of the times

  • It's a single purpose machine, an embedded appliance with just a firmware.
  • Usually offers few or no services

Firewall rules

A firewall is a stupid “bouncer at the door”:

  • Just applies rules
  • Bad rules = no protection

Firewall rules are essentially the implementation of higher-level security policies.

Policy must be built on a default deny base.

Firewall taxonomy

We divide them depending on their packet inspection capability.

Network layer firewalls

Packet filters firewall (network)

Packet by packet processing.

Decodes the IP (and part of the TCP) header:

  • SRC and DST IP
  • SRC and DST port
  • Protocol type
  • IP options

Stateless:

  • cannot track TCP connections.
  • No payload inspection.

Regardless of the specific syntax, every network packet filter allows to express the following concept: if (packet matches certain condition) do this.

Stateful packet filters firewall (network-transport)

Include network packet filters, plus:

  • keep track of the TCP state machine
    • after SYN, SYN-ACK must follow
  • we can track connections without adding a response rule.
  • Make deny rule safer

CONS: Performance bounded on a per-connection basis, not on a per-packet basis. The number of simultaneous connections are just as important as packets per second.

A session is an atomic, transport-layer exchange of application data between 2 hosts.

Main transport protocols:

  • TCP (Transmission Control Protocol)
    • session =~ TCP connection
  • UDP (User Datagram Protocol)
    • session = this concept does not exist

Session-handling is fundamental for NAT.

NAT Session Initialization (TCP):

In UDP a “session” can be inferred for NAT and controls:

Some protocols (e.g., DCC, RDT, instant messengers, file transfer) transmit network information data (e.g., port) at application layer.

For instance, FTP uses dynamic connections:

  • Allocated for file uploads, downloads, output of commands
  • "PORT" application command

Application layer firewalls

Circuit level firewalls (transport-application)

Relay TCP connections.

Client connects to a specific TCP port on the firewall, which then connects to the address and port of the desired server (not transparent!).

Essentially, a TCP-level proxy.

Only historical example: SOCKS

Application proxies (application)

Same as circuit firewalls, but at application layer.

Almost never transparent to clients:

  • May require modifications
  • Each protocol needs its own proxy server

Inspect, validate, manipulate protocol application data (e.g., rewrite HTTP frames)

Can authenticate users, apply specific filtering policies, perform advanced logging, content filtering or scanning (e.g., anti-virus/spam).

Can be used to expose a subset of the protocol:

  • to defend clients,
  • to defend servers (“reverse proxy”).

Usually implemented on COTS OSs.