In the previous sections, we saw that communicating with other computers exposes many security flaws. Thankfully, the advent of the firewall brought a little peace of mind to system administrators. First, let’s start with what a firewall can and can’t do.
Common (and not so common) uses of Firewalls
Different types of firewalls do different things, but there are a few functions that most of them perform. Some of the more expensive firewalls even offer advanced functions with fancy names, like data caching or load balancing. We will get to these terms in the next section; for now, let’s review the basics.
Packet filtering was reviewed in the first section. This is a form of security at one of the lowest levels possible - the packet level. The most basic packet filtering technique looks at the header of each packet and makes a decision based on the source IP address. If the source IP address is known to be dangerous, we of course discard the packet.
There have been improvements to this scheme, since hackers have developed techniques to get around basic packet filtering. The most common improvement is stateful packet filtering, which remembers the connections that hosts inside the network have opened and only admits inbound packets that belong to one of them. In addition, filtering based on other data in the IP header has become necessary. For instance, every packet carries fragmentation fields in its header. When information travels from a fast network to a slower network, breaking it up into smaller packets is necessary. Hackers have found ways to make whole packets look like fragments, thereby bypassing the firewall’s security. Packet filtering is a very common firewall feature, but it is much less secure than application firewalls.
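To make the difference between basic and stateful packet filtering concrete, here is an added example in Python; it is not code from the tutorial or from any real firewall product. It assumes a protected LAN of 10.0.0.0/24 and a constructed blocklist containing 203.0.113.7, and it models only the header fields a filter inspects. The basic filter has no memory, so for inbound traffic it can only trust the ACK bit the sender set; the stateful filter keeps a table of connections opened from inside and admits only replies to them. Both apply the fragment sanity checks from RFC 1858 before anything else.

```python
from dataclasses import dataclass

# Assumptions (not from the tutorial): the protected LAN is 10.0.0.0/24,
# and 203.0.113.7 is a constructed "known dangerous" source address.
INTERNAL_PREFIX = "10.0.0."
BLOCKED_SOURCES = {"203.0.113.7"}


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the header fields a filter actually inspects."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False             # TCP SYN flag: asks to open a connection
    ack: bool = False             # TCP ACK flag: claims to be part of an existing one
    more_fragments: bool = False  # IP "more fragments" (MF) flag
    frag_offset: int = 0          # IP fragment offset, in 8-byte units
    payload_len: int = 40         # bytes carried after the IP header


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def fragment_problem(pkt: Packet):
    """Return a reason to drop fragments shaped to hide the transport header.

    Both checks follow RFC 1858: a first fragment too short to hold a full
    TCP header, and a fragment at offset 1 that would overwrite the TCP
    flags of the first fragment once reassembled.
    """
    if pkt.frag_offset == 0 and pkt.more_fragments and pkt.payload_len < 20:
        return "tiny first fragment hides the TCP header"
    if pkt.frag_offset == 1:
        return "fragment offset 1 would overwrite the TCP flags"
    return None


def stateless_decide(pkt: Packet) -> str:
    """Basic filter: blocklist, fragment sanity, then the old ACK-bit shortcut."""
    if pkt.src_ip in BLOCKED_SOURCES:
        return "deny: blocked source"
    problem = fragment_problem(pkt)
    if problem:
        return "deny: " + problem
    if is_internal(pkt.src_ip):
        return "allow: outbound"
    # With no memory of past packets, the filter can only trust the ACK bit
    # the sender set as evidence that a conversation already exists.
    if pkt.ack and not pkt.syn:
        return "allow: ACK set, assumed established"
    return "deny: unsolicited inbound"


class StatefulFilter:
    """Stateful filter: inbound packets pass only as replies to a tracked
    connection that an internal host opened."""

    def __init__(self):
        # (internal_ip, internal_port, remote_ip, remote_port)
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.src_ip in BLOCKED_SOURCES:
            return "deny: blocked source"
        problem = fragment_problem(pkt)
        if problem:
            return "deny: " + problem
        if is_internal(pkt.src_ip):
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow: outbound"
        # Reverse the tuple: a reply swaps source and destination.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "allow: reply to tracked connection"
        return "deny: no matching connection"  # the ACK bit alone proves nothing


if __name__ == "__main__":
    fw = StatefulFilter()
    request = Packet("10.0.0.5", "198.51.100.20", 51000, 443, syn=True)
    reply = Packet("198.51.100.20", "10.0.0.5", 443, 51000, syn=True, ack=True)
    forged = Packet("198.51.100.99", "10.0.0.5", 443, 51000, ack=True)
    for p in (request, reply, forged):
        print(f"stateless={stateless_decide(p):<35} stateful={fw.decide(p)}")
```

The forged packet is the interesting case: it carries an ACK bit but comes from an address no internal host ever talked to, so the stateless filter waves it through while the stateful filter, having no matching table entry, drops it. A real firewall would also expire table entries and track UDP pseudo-connections, which this model leaves out.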
When each packet is inspected, we are only getting a view of the information at the lowest level. What if we wanted to see what the information forms when it is reassembled? We would use an application firewall, of course.
Application firewalls, aside from their great security benefits, offer a proxy technique. When you want to go to a blocked site at school or work, you most likely use a web proxy. The proxy downloads all the data and shows you the result; at no point is there a direct connection between you and the webpage you are viewing. The same technique can be applied to sending and receiving packets in general, which matters where malicious techniques such as buffer overflows are a concern.
However, most application firewalls need to know the applications they are inspecting. This means that rules will most likely need to be written for each application that needs to be secured. This may be too much work for home users, but trained firewall specialists will learn to appreciate the power of rule-based firewalls.
Network Address Translation
We also reviewed network address translation in previous sections, but there are some things about NAT that we left out. NAT was originally designed to limit the number of IP addresses in use on the internet. With the current IP version, IPv4, around four billion IP addresses are possible. When those are used up, we would run into a serious problem, as new devices couldn’t connect to the internet.
As a temporary solution, we used NAT. This is a technique that allows all computers on a network to appear to have the same IP address. A NAT device replaces the private source IP address of outbound data with its own public address. While this is great for saving IP addresses, it’s also a very nice security bonus. With this setup, hackers won’t be able to view IP addresses on the internal network! If they can’t find it, they can’t hack it.
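The following is an added Python model of the NAT behaviour just described; it is not code from the tutorial or from any real NAT implementation. It assumes the NAT device owns the public address 192.0.2.1 and hands out translated source ports starting at 40000, and it represents packets as plain dictionaries of the header fields that get rewritten. It shows both halves of the security bonus: outbound packets leave with the public address, and an inbound packet is delivered only if it matches a mapping that an internal host created, so traffic aimed straight at a private address, or at a public port nobody inside opened, goes nowhere.

```python
# Assumptions (not from the tutorial): the NAT device owns public address
# 192.0.2.1 and hands out translated source ports starting at 40000.
PUBLIC_IP = "192.0.2.1"
FIRST_PUBLIC_PORT = 40000


class NatGateway:
    """Port-based NAT: many private hosts share one public address.

    Packets are plain dicts with src_ip, src_port, dst_ip and dst_port,
    standing in for the real IP/TCP header fields the device rewrites.
    """

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = FIRST_PUBLIC_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite the private source address to the public one, creating a
        mapping on first use so the reply can be routed back."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst_ip"], pkt["dst_port"])] = (pkt["src_ip"], pkt["src_port"])
        return {**pkt, "src_ip": self.public_ip, "src_port": self.outbound[key]}

    def translate_inbound(self, pkt: dict):
        """Map a packet for the public address back to the private host, or
        return None when no internal host asked for it (the packet is dropped)."""
        if pkt["dst_ip"] != self.public_ip:
            return None  # private addresses are not routable from outside
        target = self.inbound.get((pkt["dst_port"], pkt["src_ip"], pkt["src_port"]))
        if target is None:
            return None  # unsolicited: nothing inside ever opened this mapping
        return {**pkt, "dst_ip": target[0], "dst_port": target[1]}


if __name__ == "__main__":
    gw = NatGateway()
    out = gw.translate_outbound({"src_ip": "10.0.0.5", "src_port": 51000,
                                 "dst_ip": "198.51.100.20", "dst_port": 80})
    print("on the wire:", out)            # source is now 192.0.2.1:40000
    reply = {"src_ip": "198.51.100.20", "src_port": 80,
             "dst_ip": PUBLIC_IP, "dst_port": 40000}
    print("delivered to:", gw.translate_inbound(reply))
    probe = {"src_ip": "203.0.113.7", "src_port": 4444,
             "dst_ip": PUBLIC_IP, "dst_port": 40000}
    print("unsolicited probe:", gw.translate_inbound(probe))   # None
```

Because the inbound table is keyed on the remote address and port as well as the public port, a third party that guesses the public port still cannot reach the internal host; only the peer the internal host contacted can answer. Real NAT devices also age out idle mappings, which is omitted here.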
Logging data is another feature of firewalls that goes largely unappreciated. No one enjoys reading through log files each day, but it is a good way to ensure there haven’t been any hiccups in a network’s security. Logging is very common on university networks, which limit students’ bandwidth or time spent on the internet. We can allocate a specific amount of time or bandwidth thanks to logging, but this is hardly a security concern.
For more serious matters, logs can show evidence of an intrusion and provide legal evidence. After all, you would probably like to claim damages for your losses, or at least make sure the hacker is punished. The logs will also show how the hacker did it, so you can close the hole in your security.
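As an added example of what "reading through log files" can turn up, here is a small Python log reviewer; it is not code from the tutorial and the log format is made up for this example rather than taken from any real firewall. The sample lines are constructed: one external address is denied on six different ports in a few seconds, which is the footprint of a host probing for open services, while a legitimate peer is denied once. The parser skips corrupt lines instead of aborting, since real logs are never perfectly clean.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up format (not any particular firewall's):
# timestamp, verdict, protocol, source -> destination.
SAMPLE_LOG = """
2024-03-01T10:00:01 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:21
2024-03-01T10:00:01 DENY TCP 203.0.113.7:51235 -> 10.0.0.5:22
2024-03-01T10:00:02 DENY TCP 203.0.113.7:51236 -> 10.0.0.5:23
2024-03-01T10:00:02 DENY TCP 203.0.113.7:51237 -> 10.0.0.5:25
2024-03-01T10:00:03 DENY TCP 203.0.113.7:51238 -> 10.0.0.5:80
2024-03-01T10:00:03 DENY TCP 203.0.113.7:51239 -> 10.0.0.5:443
2024-03-01T10:00:04 ALLOW TCP 10.0.0.5:51000 -> 198.51.100.20:443
2024-03-01T10:00:05 DENY TCP 198.51.100.20:443 -> 10.0.0.5:8080
this line is corrupt and should be skipped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(lines):
    """Turn raw lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def denied_ports_by_source(records):
    """For each source address, the distinct destination ports it was denied on."""
    ports = defaultdict(set)
    for rec in records:
        if rec["verdict"] == "DENY":
            ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def flag_scanners(records, threshold=5):
    """Sources denied on at least `threshold` distinct ports: the signature of
    a host probing for open services, which a daily log review should surface."""
    return sorted(src for src, ports in denied_ports_by_source(records).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} of {len(SAMPLE_LOG)} lines")
    for src, ports in denied_ports_by_source(recs).items():
        print(f"{src}: denied on ports {ports}")
    print("probable scanners:", flag_scanners(recs))
```

The threshold is a tuning knob: too low and every mistyped URL looks like a scan, too high and a slow probe spread over hours slips by, which is why a real review also groups by time window. Keeping the raw lines intact alongside the summary matters for the legal-evidence use the paragraph mentions.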
What a Firewall Won’t Do
Firewalls should never be depended on as an all-in-one security device. There are just some things that firewall technology can’t account for. You’ll come to find that the majority of these security threats exist in the physical world, not on the network.
If the attack originates from inside the network, the firewall’s security is already bypassed. After all, the firewall is checking for malicious behavior coming into the network, not originating from it! Thankfully, these kinds of attacks are preventable: properly applied user permissions ensure that ordinary users don’t have access to important documents and settings.
Certain types of Trojan horses and viruses also appear as normal internet traffic. This is one of the biggest concerns in most networks. Think about it: we allow port 80 traffic (HTTP) into our network. If the malicious code appears as web content, it passes our firewall. Security is a cat-and-mouse game, though, and we will learn how to protect against this in future sections.
Lastly, we have social engineering. This can take the form of diving through dumpsters for passwords or server information. Some of the more creative forms of social engineering involve tricking your employees into releasing sensitive information. Until real-life firewalls are invented, a little special employee training might be necessary.
The majority of firewalls will operate as described in this section. Some of the more advanced firewalls offer extra protection, and we will take a look at these techniques in the next section. Keep in mind that even the most advanced firewalls are limited in what they can do, so they should never be depended on as an all-in-one solution for your security.
Intrusion detection, caching, load balancing, and encryption. These terms sound pretty complex, don’t they? Don’t worry, they are easy to understand. And guess what? These are the advanced techniques we will be talking about in the next section!