Wednesday 26 November 2014

Firewall basics

Firewalls


What is a firewall?


I'm sure you all know what a firewall is, but let's give it a basic definition.  It is essentially a device designed to stop traffic flowing.  I like to think of it as the inverse of a router: a router is generally designed to get traffic from one place to another, and a firewall is generally designed to stop traffic going from one place to another.  Obviously this is a very simplistic view, but it is handy to keep in mind when we think about the core concepts behind firewalls.

Typically a firewall is placed at the border between a network you control and a network you do not.  In larger organisations firewalls are also used to segment different parts of the network from each other.  However, there is one thing we must keep in mind: we can't simply place a firewall at the edge and let that be our only line of defence.  If that firewall were compromised, bypassed or misconfigured, we want layered controls behind it (defence in depth) that limit what an attacker can reach, so that a single failure does not expose the whole network.

There are five different methodologies firewalls can use (and many use multiple, if not all, of these):

  • Static packet filtering – based on layers 3 and 4 of the OSI model (addresses, protocol and port numbers).  It does not maintain a session table, so every flow of traffic must be configured individually, including the return direction of each permitted connection.
  • Application layer gateway – operates from layer 3 up to layer 7.  It acts as a proxy between a client and server: no traffic flows directly between the two without first passing through the gateway, which terminates the connection on one side and opens a new one on the other.  This gives it the potential to deeply analyse every packet that passes between client and server, but it can be very resource intensive and must understand each protocol it proxies.
  • Stateful packet filtering – what we usually mean by "a firewall" today.  It maintains a session table, so return traffic for a permitted flow does not have to be explicitly allowed.  However, it only sees layer 3 and 4 headers, so it can still be bypassed by application layer attacks; for example, it is possible to tunnel attack traffic over ports that are allowed.
  • Application inspection – can analyse protocols up to layer 7 but does not act as a proxy; packets still flow end to end between client and server, with the firewall inspecting them in transit.
  • Transparent firewalls – act like a hidden firewall, sitting at layer 2 as a "bump in the wire" instead of being a layer 3 hop like a traditional firewall.  Hosts on either side see no new hop, so one can be inserted without re-addressing the network.  Strictly this is a deployment mode rather than a filtering method; the filtering itself is still done by one of the methods above.
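The following is an added example, not code from the original post, contrasting the first and third methods above: a toy static filter and a toy stateful filter, both default-deny, run over a constructed TCP exchange.  The addresses, ports, rules and the packet representation are all made up for illustration, and a real stateful firewall tracks TCP state and timeouts rather than just a 4-tuple.  The point it shows is that the static filter needs an extra "replies from port 443" rule to let HTTPS answers back in, and that rule also admits a scan whose source port is set to 443, whereas the stateful filter passes only packets belonging to a session it saw being opened.

```python
from collections import namedtuple

# Constructed packet representation: addresses, ports and a TCP flag string
# ("S" = SYN, "SA" = SYN-ACK, "A" = ACK).  Hypothetical, for illustration only.
Packet = namedtuple("Packet", "src sport dst dport flags")

INSIDE = "10."  # hypothetical inside network, 10.0.0.0/8


def outbound_https(p):
    """Policy rule: inside hosts may open TCP/443 to anywhere."""
    return p.src.startswith(INSIDE) and p.dport == 443


def inbound_from_https(p):
    """The extra rule a static filter needs so HTTPS replies get back in:
    anything from source port 443 to an inside host.  It matches on the
    header alone, so anything else sent from port 443 matches too."""
    return p.dst.startswith(INSIDE) and p.sport == 443


STATIC_RULES = [outbound_https, inbound_from_https]


def static_filter(packets, rules=STATIC_RULES):
    """Static packet filtering: each packet is judged on its own layer-3/4
    header against the rule list.  Default deny when nothing matches."""
    return [any(rule(p) for rule in rules) for p in packets]


def stateful_filter(packets, rules=(outbound_https,)):
    """Stateful packet filtering: a SYN that matches a policy rule creates a
    session entry; later packets in either direction pass only if they belong
    to a known session.  No return rule is needed, and a packet that merely
    looks like a reply is dropped because no session matches it.  The session
    table knows nothing about payloads, so traffic tunnelled over an allowed
    port still passes."""
    sessions = set()   # (initiator ip, port, responder ip, port)
    verdicts = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in sessions or rev in sessions:
            verdicts.append(True)          # part of an established session
        elif p.flags == "S" and any(rule(p) for rule in rules):
            sessions.add(fwd)              # new flow permitted by policy
            verdicts.append(True)
        else:
            verdicts.append(False)         # no session, no rule: default deny
    return verdicts


# Constructed exchange: an inside client's HTTPS session, an HTTP attempt the
# policy does not cover, and an outside scan that sets its source port to 443.
EXCHANGE = [
    Packet("10.1.1.5", 51000, "203.0.113.10", 443, "S"),   # client opens HTTPS
    Packet("203.0.113.10", 443, "10.1.1.5", 51000, "SA"),  # server replies
    Packet("10.1.1.5", 51000, "203.0.113.10", 443, "A"),   # handshake completes
    Packet("10.1.1.5", 51001, "203.0.113.10", 80, "S"),    # HTTP: no rule, denied by both
    Packet("198.51.100.7", 443, "10.1.1.5", 22, "S"),      # SSH scan from source port 443
]

if __name__ == "__main__":
    for p, s, st in zip(EXCHANGE, static_filter(EXCHANGE), stateful_filter(EXCHANGE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:<2} static={s} stateful={st}")
```

Running it shows the static filter admitting the fifth packet (the scan) on the strength of its source port, while the stateful filter drops it because no inside host opened a session to 198.51.100.7.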

Network Address Translation (NAT)


NAT is the process of translating one address to another address.  It is typically used to translate a private IP address on an internal LAN to a publicly routable IP address.  That is why, if your local machine shows its IP as 192.168.1.5, a site on the internet will see you as something completely different.  NAT is heavily implemented on firewalls because firewalls so often act as the border between a private network and the internet.  In order to understand NAT you'll need to understand these four terms:

  • Inside local – the real, private IP of an inside host
  • Inside global – the IP that the inside host is mapped to as seen from the internet
  • Outside local – the mapped IP address of an outside server as it appears to an inside host
  • Outside global – the real, public IP of the outside server

Often the outside local and outside global addresses are the same, as outside NAT (translating the outside server's address as well) is not so common.

We can also use port address translation (PAT) in order to translate multiple internal private IPs to one public IP.  The translating device rewrites the source port as well as the source address and uses the port numbers to keep the translations distinct, so it can map each reply back to the right inside host.
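As an added example (not from the original post), here is a toy PAT table that maps two inside hosts using the same source port onto one inside global address and delivers a reply back to the right host.  The addresses are constructed for illustration; the outside server keeps its real address, so outside local and outside global are the same here, as the post notes is usually the case.  A real translator keys on the full 5-tuple (protocol included) and times entries out; this one keys on the inside host and port only.

```python
from collections import namedtuple

# Constructed packet: only the fields PAT touches.  Hypothetical representation.
Packet = namedtuple("Packet", "src sport dst dport")


class PatTable:
    """Port address translation: many inside local addresses share one
    inside global address, distinguished by the translated source port."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global  # the single public IP (inside global)
        self.next_port = first_port         # next free port on that IP
        self.outbound = {}  # (inside local ip, port) -> translated source port
        self.inbound = {}   # translated source port -> (inside local ip, port)

    def translate_out(self, pkt):
        """Rewrite an outbound packet's source: inside local -> inside global.
        A new (host, port) pair is given its own port on the public IP, so two
        hosts using the same local port do not collide."""
        key = (pkt.src, pkt.sport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return pkt._replace(src=self.inside_global, sport=self.outbound[key])

    def translate_in(self, pkt):
        """Rewrite an inbound reply's destination: inside global -> inside local.
        Returns None (drop) when no translation exists: an unsolicited packet to
        the public IP has no inside host to go to, which is the incidental
        filtering effect people often rely on from PAT."""
        if pkt.dst != self.inside_global:
            return None
        key = self.inbound.get(pkt.dport)
        if key is None:
            return None
        local_ip, local_port = key
        return pkt._replace(dst=local_ip, dport=local_port)


def demo():
    """Two inside hosts, both using source port 51000, reach the same outside
    server (outside local == outside global, no outside NAT).  Returns the two
    translated packets, the de-translated reply and the result for a stray
    inbound packet that matches no translation."""
    pat = PatTable("198.51.100.1")  # hypothetical inside global address
    host_a = Packet("192.168.1.5", 51000, "203.0.113.10", 443)
    host_b = Packet("192.168.1.6", 51000, "203.0.113.10", 443)
    out_a = pat.translate_out(host_a)   # 198.51.100.1:1024 -> 203.0.113.10:443
    out_b = pat.translate_out(host_b)   # 198.51.100.1:1025 -> 203.0.113.10:443
    reply_b = Packet("203.0.113.10", 443, "198.51.100.1", out_b.sport)
    back_b = pat.translate_in(reply_b)  # delivered to 192.168.1.6:51000
    stray = Packet("203.0.113.10", 443, "198.51.100.1", 2000)
    return out_a, out_b, back_b, pat.translate_in(stray)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The server only ever sees 198.51.100.1 with two different source ports; it is the port, not the address, that tells the translator which inside local host a reply belongs to.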

Firewall design


Here are some best practices to consider when deploying a firewall:

  • Firewalls should be placed at security boundaries, wherever two zones of different trust meet.
  • The firewall is the primary, but not the only, security device; it needs layered controls behind it.
  • Rulesets should be written to deny all traffic not explicitly permitted, rather than permitting everything not explicitly denied.
  • All technologies surrounding the firewall must be secure as well, including the routers and switches which connect to it and the physical security of the device itself.
  • All changes should be documented and subject to change control, so management always has an accurate view of the state of the firewall and unexpected rules can be spotted.

When we design our firewalls we need to think in terms of enabling the function of the business.  We can't simply block all traffic in the name of security; we use a firewall to protect against attack so that the business can continue to function.
