Cyber security attacks can be targeted at many levels, from an individual computer to an organization’s network, a web site or a data center. These levels of infrastructure can include a wide range of hardware and software, so, as you might expect, there is a correspondingly wide range of firewall solutions to choose from.
What is a firewall?
A firewall is a software system, which may be combined with specific hardware, with the purpose of monitoring and controlling network traffic. This traffic is both incoming and outgoing and may be passing between a computer and a network, or from one network to another.
These networks might be internal to an organization at a single location or distributed over different locations/countries. They might also include the Internet, or most likely a combination of these.
Firewalls are, as the name suggests, a barrier governed by a set of rules covering:
- the source and destination between which connections can be established, e.g. MAC addresses, IP addresses, domain names.
- where data can pass through, i.e. ports.
- which types of data are allowed, i.e. protocols.
These rules are usually held within an ACL (Access Control List).
Which types of firewalls exist?
Firewalls come in two basic forms:
- Host-based – this is usually software-only and is installed on a computer such as a laptop, desktop or server. This can also include being installed on a VM (Virtual Machine).
- Network-based – although still using software, these are usually installed on dedicated hardware or on a router that resides on a network. These are also referred to as appliance firewalls.
A host-based solution tends to focus on protecting that machine whilst a network-based solution usually focuses on protecting multiple machines or devices connected to a network.
Firewalls can be categorized as a variety of different types depending on their focus/purpose, architecture, coverage, features and more. Here are some of the different types you might encounter when looking for a firewall to suit your needs:
- Packet filtering – usually attached to a router or switch and filters network traffic at a packet level based upon the information being carried. A packet consists of a Header and the Data itself.
- Circuit level – monitors TCP (Transmission Control Protocol) handshakes that take place when a connection is being established between a local and remote device. A check is made that this connection is allowable according to the ACL rules.
- Stateful multilayer – uses a state table to record and track the source and destination IP addresses and ports of each connection. Dynamic rules then allow only the expected network traffic, and packets not belonging to an active connection are dropped.
- Application level or Proxy – performs packet filtering but additionally examines the characteristics of the request itself. These are usually set up at entry or exit points of a network, e.g. an internal network’s connection to the Internet.
- Cloud or Firewall-as-a-service – a ‘Faas’ is a cloud-based solution that can be used as a proxy server. Because they are built on cloud technologies and virtual servers, they are easily scalable.
- Next generation – a Next Generation Firewall (NGFW) performs deep packet inspection by combining features from the other firewall types into one solution. Other technologies such as anti-virus and IPS (Intrusion Prevention Systems) may also be incorporated.
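To make the ACL rules described above and the state table of a stateful multilayer firewall concrete, here is an added example that is not part of the original article: a small Python simulation of a packet filter whose ordered ACL is evaluated first-match with a default deny, extended with a connection state table so that reply packets for an admitted connection are allowed back in while packets belonging to no active connection are dropped. The `Packet`, `Rule` and `StatefulFirewall` names, the sample ACL and the sample packets are all constructed for illustration.

```python
# Added example (not from the original article): a packet filter driven by an
# ordered ACL, plus the connection state table a stateful firewall keeps.
# All names, addresses and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    sport: int          # source port
    dport: int          # destination port
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network (any by default)
    dst: str = "0.0.0.0/0"        # destination network (any by default)
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate_acl(rules, pkt):
    """Stateless packet filtering: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Admits new connections via the ACL and tracks them in a state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # 5-tuples of connections the ACL has admitted

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse_key(pkt):
        # The same connection seen from the other direction (reply traffic)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def filter(self, pkt):
        # Traffic on an already admitted connection, in either direction,
        # is allowed by the state table without consulting the ACL again.
        if self._key(pkt) in self.state or self._reverse_key(pkt) in self.state:
            return "allow"
        # A TCP packet that is not a connection attempt and matches no
        # active connection does not belong to any session: drop it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        # Only genuinely new connections are checked against the ACL.
        verdict = evaluate_acl(self.rules, pkt)
        if verdict == "allow":
            self.state.add(self._key(pkt))
        return verdict


# Constructed ACL: the internal LAN may reach web ports anywhere, the internal
# mail server may receive SMTP from anywhere, and everything else is denied.
ACL = [
    Rule("allow", src="10.0.0.0/24", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/24", proto="tcp", dport=80),
    Rule("allow", dst="10.0.0.25/32", proto="tcp", dport=25),
    Rule("deny"),
]


def run_demo():
    """Push a handful of constructed packets through the firewall in order."""
    fw = StatefulFirewall(ACL)
    outbound = Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000)
    stray = Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51001)
    inbound_ssh = Packet("198.51.100.5", "10.0.0.7", "tcp", 4000, 22, syn=True)
    smtp = Packet("198.51.100.5", "10.0.0.25", "tcp", 4001, 25, syn=True)
    return {
        "outbound_https": fw.filter(outbound),   # ACL match, state entry created
        "reply": fw.filter(reply),               # allowed by the state table
        "stray_reply": fw.filter(stray),         # no active connection: dropped
        "inbound_ssh": fw.filter(inbound_ssh),   # hits the final deny rule
        "inbound_smtp": fw.filter(smtp),         # mail server rule
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The ordering of the ACL matters: the final catch-all `deny` rule makes the default explicit, and any rule placed after it would never be reached. The state table is what lets the firewall admit the reply on port 51000 while dropping the look-alike packet aimed at port 51001, which is exactly the behaviour the stateful multilayer bullet describes.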
Types of attacks a firewall can help defend against
There are many forms of cyber attacks posed to computer users, computer systems, and networks. Firewalls can help counter some of these threats but only as part of an overall security strategy.
Below are some typical types of threats where a firewall can help:
- Data exfiltration – network-based firewalls can help stop the theft of valuable data by analyzing outbound traffic from a network as it attempts to reach a recipient on the Internet.
- DCC – ‘Direct Client-to-Client’ connection <<< to do >>>
- DDoS – Distributed Denial of Service attacks attempt to overwhelm a network’s defences by bombarding them with multiple simultaneous requests from a number of devices on different subnets. Some firewalls are geared up to block these requests, whilst others can exacerbate the situation through packet-analysis overload.
- Insider attacks – host-based firewalls can stop individual machines from being attacked, whilst network-based firewalls can help stop the spread of an attack to other sub-networks.
- Malware – malicious software such as viruses, trojan horses and worms can be identified and intercepted via packet inspection or NGFWs.
- Rootkit – this is usually a piece of malicious code that is planted in a concealed manner within an operating system. The aim is to gain repeated access and conceal activity. These are often called a ‘backdoor’. To prevent them from being placed, either unauthorized access needs to be prevented or the malware must be intercepted.
- Unauthorized access – firewalls alone are unable to completely stop external aggressors from gaining access to internal accounts or devices. It is possible to restrict access to pre-specified IP addresses and only via certain ports. For a more encompassing solution this needs to be combined with a VPN (Virtual Private Network), so that only secure links can be established, and ideally with 2FA (Two-Factor Authentication).
In part two of this article we will look at a range of firewalls covering both host-based and network-based solutions over a range of operating systems and hardware.
Do you have a preference for a particular type of firewall? Which types of attacks are they most effective or ineffective against? Please comment below to share your thoughts and opinions.