Posted by Jarren Long at 2016-11-20 08:30:50

Another research paper from the beginning of 2011...

In the early 1980's, networking technology was becoming more widespread, and the need for higher security for large corporate networks was becoming greater. Though the specific year is under dispute, the first firewall was created near the end of the decade. Thirty years later, the modern firewall has evolved into a sophisticated protection device for personal and corporate networks worldwide. Every day, these tailor-made software applications and devices fend off hundreds to thousands of attacks from outside users, acting as a "front gate" to filter out suspicious activity.

A firewall is a system that is designed to prevent unauthorized access to a private network, and is usually considered the first line of defense in a secure network. In most cases, these unauthorized access attempts originate from outside the private network. However, attacks from inside the network are also possible, in which case a firewall can help reduce the attack surface by segmenting the intranet, possibly slowing down the intruder. Firewalls work by examining every unit of data that enters or leaves the network, and matching it against a rule set that determines if the data meets specific requirements to be allowed through the firewall to it's destination.

Firewall solutions can fall into one of two broad categories: hardware and software. A hardware firewall is a physical device that can be strategically placed in the network based on the filtering rules to be applied to the traffic across a specific network segment. These physical devices can be anything from a proprietary "firewall in a box," which resembles an inline repeater, to a dedicated PC with a stripped down operating system running a firewall software solution. Hardware firewalls are generally placed at the beginning of the internal network, between the building's point of presence and the first LAN device on the network. This allows the device to filter all incoming and outgoing data for the entire network. Software firewalls perform the exact same tasks as hardware solutions, but run as a software application or service on end devices, such as workstations and servers. These software solutions are optimally designed to protect a single device, but can also be used in the same manner as a hardware device to filter all traffic for a network.

Firewalls can also be sub categorized based on how they operate. At this time, there are six major operation roles that a firewall can fulfill:

  • Packet Filter: The firewall will analyze every packet it receives and matches it against a rule set If the packet meets the rule set's criteria, the packet will be forwarded to it's destination.
  • Protocol Filter: The Firewall will filter traffic based on the protocol that is being used for transmission. For example, this could allow the firewall to block all UDP traffic, while allowing TCP traffic on ports 0-1024.
  • Proxy Server: Proxy servers use Network Address Translation (NAT) to effectively hide a private network's public IP address from the work by altering the IP address in each packet to make it appear to have a different address, and routes inbound traffic destined to the proxy address to the private network.
  • Application gateway: Filter traffic based on the applications and services running on the network, such as telnet and FTP.
  • Circuit-level Gateway: This style of firewall can filter traffic at the Data-Link layer when a connection is established over a network segment. After the connection is established, the firewall will allow all traffic to flow across the segment.

Note that firewall roles, specifically packet and protocol filters, can run in one of two modes: stateful, where the firewall can determine the state of the connection and packet order, and stateless, where each packet is inspected without any knowledge of the connection's status or other packets sent and received. These roles are often combined within a single firewall solution to increase the protective qualities of the product. By working together, each role can be used to help prevent different methods of attack.

Now that we understand how a firewall filters traffic, we can discuss what they are designed to defend against. Every day, millions of networks across the world are penetrated by a variety of attacks. While there are hundreds of reasons, oftentimes the motivating factor for these attacks is for profit, be it monetary or information gain. Sometimes, it can be as simple as a disgruntled employee "getting revenge" on their employers. Regardless of the reason, the purpose of a firewall is to reduce the attack surface, attempt to prevent intrusions, and to monitor and log any attempts to break into the network.

There are dozens of methods a "Hacker" (a person who exploits vulnerabilities in a system or application to gain entry) can use to penetrate a network. Some of the more common methods include the utilization of Virus', Trojan Horses, Worms, Root kits, and Scanners to gain access to an internal network. Hackers can also exploit vulnerabilities in applications, network protocols, and even hardware to gain access. After an intruder has gained access to a network, they have the potential to wreak havoc by gaining administrative privileges, which can be used to steal and destroy information, vandalize websites, deny services to legitimate users, and even destroy critical hardware. In most cases, these intruders also open up more holes in the network perimeter so they can return at a later time.

Firewalls are designed to allow and deny, as well as monitor all incoming and outgoing connections that they are responsible for. A firewall will usually block all unused and disabled ports by default, reducing the attack surface substantially. For active ports, the firewall can be configured to either filter traffic based on a rule set, or ignore the port and allow all traffic. The same method is used for building application and system service connection rules. After all ports are configured, the firewall begins monitoring and filtering all connections.

When an attempt to break into a network or device is detected, most firewalls will immediately begin logging all activity that is originating from the suspicious IP (if they are not already logging network connections). Some of the more advanced firewalls are able to immediately notify the network administrator via email, phone, or text message when an intrusion attempt is detected. Some of the attacks that can trigger a firewall's intrusion alarm include:

  • Eavesdropping: The first step a hacker usually takes to enter a secured network is to gather information about his target. A hacker can use a variety of tools to accomplish this, such as key loggers, protocol analyzers, and even Social Engineering to gain user names, passwords, and other information about the network.
  • Unauthorized Network Access: When an unauthorized user connects to and gains access to a network service that they do not have permission to use. This can be caused by a lack of, misconfigured, or insufficient user privileges implemented by the network administrator. Even when permissions are correctly configured, attackers can get around them using alternate methods.
  • Exploiting Security Vulnerabilities: Many applications and services implemented in today's networks are full of security holes. Buffer overflows and under runs are a good example of software vulnerabilities, which represent the majority of "bugs" in most software. By injecting the right sequence of data into an unsecured application, an attacker can gain access to system applications and services, thus having the ability to take over the machine.
  • Spoofing: This is a complex attack that usually requires packet capturing and injection software to craft and send fake IP packets. By capturing packets from a live connection to a private network, a hacker can craft packets to match the connection's parameters, inject them, and eventually hijack the connection.
  • Denial of Service (DOS): Using a bot net and specialized applications, a hacker can deny service to a private network by having hundreds to thousands of "zombie" computers all attempt to connect to the network to overload services. This leads to a denial of network services to legitimate users.

Firewalls have played a vital role in network security for over three decades, acting as the gatekeeper for the connections it manages. By filtering traffic, securing ports, and monitoring and logging connections, a well-configured firewall can successfully prevent most attempts to penetrate a network. A firewall, in conjunction with other common network security measures, make up the foundation of a well-formed security plan to help ensure network security. While there are always going to be unpreventable Zero-Day attacks and missed security bugs in software, firewalls will continue to stand at the front lines to defend networks for years to come.