Always Read for Knowledge

Thursday 28 April 2011

Why Does Your Computer Need a Firewall?


Introduction

When you are using the Internet, traffic flows in two directions: you are accessing other networks, and other networks are accessing yours. Even while simply surfing you are downloading and uploading data; the page you see in your browser is data you have downloaded. Over the Internet (and possibly your local area network) you can never be sure whether the content you are viewing is perfectly safe or is being used to open a door into your machine through which a third party could channel out crucial information about you. The Internet is filled with hackers looking for exactly these opportunities to step into (or break into) a connected system; they may leave everything intact, damage some data, or compromise crucial information such as credit card numbers and passwords. This is where the firewall comes into play.
A firewall is basically a logical layer between the network connection and your computer whose purpose is to filter the data entering and leaving your system. It is one of the most popular measures for reducing the probability of being compromised by a wandering hacker or by a website that leaks your private information (many sites hosting cracks and serials are of this type). Once the data has entered your system, the firewall can no longer save you if you are compromised. Technically speaking, a firewall can be a router (programmed to filter specific types of data) or a PC (a combination of hardware and software configured specifically to monitor the traffic entering and leaving the host computer). In theory all data traveling over the network passes through the firewall and is therefore monitored according to the firewall's capabilities, reducing the chances of unauthorized access.

Firewalls are not gateways, but they often work together with gateways, because both tend to sit between networks. The gateway's job is to translate packets as they move between different network environments; the firewall's job is to filter them. In some cases, however, the gateway and firewall functions are provided by the same network component. This can happen, for example, when a network communicates with a foreign network, so that the communication requires a gateway. Even then, the filtering and gateway (i.e., translating) elements remain distinct and communicate with each other through an internal filter.

Why do you need a firewall?

There are numerous threats through which information on your network can be compromised if precautionary measures are not taken. Some of these are remote login, application backdoors, SMTP session hijacking, operating system bugs, denial of service, e-mail bombs, macros, viruses, spam, redirect bombs and source routing. A firewall will not necessarily detect and eliminate all of these threats, but the chance of a compromise through them is greatly reduced when you have a decent firewall set up at the head of your network. A firewall is usually configurable to allow only specific data to be channeled through the network. Although it is always a good plan to install anti-virus software on all your workstations, firewalls are specialized for network traffic while anti-virus software is specialized for local traffic (information flowing within a single workstation). The need for firewalls therefore grows day by day as new and more sophisticated threats keep appearing, each with a better chance of avoiding detection unless your firewall is kept up to date.


Where to Get a Firewall?

There are 2 basic ways to obtain a firewall:

1. A firewall appliance is an off-the-shelf product, usually a router with firewall features. These packages come with a GUI (graphical user interface), usually web-based, which lets you configure the firewall according to your needs (highly secure, moderately secure and low security are some of the predefined configurations shipped with such packages).

2. You can set up your own firewall by taking a server PC and configuring it to act as a firewall. This usually involves installing a robust operating system on that server so that the firewall itself does not get compromised. This computer is typically connected to the network hub or switch at one end and to the main Internet connection at the other, so that it sits at the entry point of all network packets. In this way, all the PCs in the network benefit from the firewall's protection.

Types of Firewall:

There are generally 4 basic techniques used by firewalls to ensure the protection of your network.

1. Packet Filtering

If you have a guard at home who is instructed to let in (and out) only people dressed in jeans and a T-shirt, and to stop everyone else, then you are defining which kind of visitor to allow and which to restrict.
Packet filtering works in a similar way. You tell your firewall to block specific types of data packets from entering and leaving the network. This technique is quite cheap to implement because it does not require any sort of intelligent packet inspection. Restrictions by port number, IP address, packet size, file type and so on are examples of packet filtering. Since this is the simplest way of filtering, it can also be misused and exploited. Consider this example: a robber can also enter your home dressed in jeans and a T-shirt. Similarly, someone can disguise a malicious piece of code so that it enters your network and is then executed.

Hackers can forge IP addresses (called IP spoofing) to lure the firewall into thinking that a packet entering the network is legitimate. With a faked source IP you are given the illusion that you are receiving the file from a trusted source. Another disadvantage of this technique is that it examines each data packet in isolation, so it knows nothing about the behavior spread across a sequence of packets. In other words it is stateless, and if hackers find a way to exploit this statelessness, they can do so very efficiently.

However, packet filtering has certain advantages too. It is very efficient: it takes very little system time to intercept a packet, check the contents it has been programmed to check and, based on the configured rules, either allow the packet to pass or reject it. Other techniques have a more noticeable overhead. It is almost transparent: usually the user only notices the packet filter when prompted to allow or reject a packet about which the firewall is not sure what action to take. Otherwise it is as if the firewall were not even running. It is also very cheap: almost all routers include this technique.
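To make the packet-filtering rules and their stateless weakness concrete, here is an added example in Python; it is not code from the original post. It evaluates an ordered rule list on the header fields the post mentions (direction, protocol, addresses, ports, size), first match wins, with an implicit default deny, and includes an anti-spoofing rule that drops packets arriving from outside while claiming an inside source address. The 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges; the rule set, the `RULES` tuple layout and the sample packets are all constructed for the demonstration.

```python
"""Stateless packet filter. Added example, not from the original post.

Each rule matches on direction, protocol, addresses, ports and size, the header
fields the post lists. Rules are evaluated top-down, first match wins, and
anything unmatched is dropped (default deny). Packets are plain dicts
constructed here for the demonstration; nothing is read from the wire.
"""
import ipaddress

# Constructed sample addressing: 192.0.2.0/24 plays the "inside" network.
INSIDE = ipaddress.ip_network("192.0.2.0/24")

RULES = [
    # (name, direction, proto, src_net, dst_net, dst_ports, max_bytes, action)
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    ("no-spoofed-inside-src", "in",  None,  INSIDE, None,   None,      None, "drop"),
    ("allow-web-in",          "in",  "tcp", None,   INSIDE, {80, 443}, 1500, "allow"),
    ("allow-dns-out",         "out", "udp", INSIDE, None,   {53},      512,  "allow"),
    ("allow-web-out",         "out", "tcp", INSIDE, None,   {80, 443}, 1500, "allow"),
]


def _in_net(addr, net):
    """A None network in a rule means 'any address'."""
    return net is None or ipaddress.ip_address(addr) in net


def match(rule, pkt):
    """True when every field of the rule that is not None matches the packet."""
    name, direction, proto, src_net, dst_net, dports, max_bytes, action = rule
    return (direction == pkt["direction"]
            and (proto is None or proto == pkt["proto"])
            and _in_net(pkt["src"], src_net)
            and _in_net(pkt["dst"], dst_net)
            and (dports is None or pkt["dport"] in dports)
            and (max_bytes is None or pkt["size"] <= max_bytes))


def filter_packet(pkt, rules=RULES):
    """Return (action, rule_name); unmatched packets hit the implicit default deny."""
    for rule in rules:
        if match(rule, pkt):
            return rule[-1], rule[0]
    return "drop", "default-deny"


def make_packet(direction, proto, src, dst, dport, size):
    """Constructed packet summary: only the header fields the filter looks at."""
    return {"direction": direction, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "size": size}


if __name__ == "__main__":
    samples = [
        make_packet("out", "tcp", "192.0.2.10", "198.51.100.7", 443, 600),
        make_packet("in",  "tcp", "198.51.100.7", "192.0.2.10", 80, 900),
        make_packet("in",  "tcp", "192.0.2.10", "192.0.2.20", 80, 900),    # forged inside source
        make_packet("in",  "tcp", "198.51.100.7", "192.0.2.10", 22, 100),  # port not allowed
        make_packet("in",  "tcp", "198.51.100.7", "192.0.2.10", 80, 9000), # oversized
    ]
    for p in samples:
        print(filter_packet(p), p)
```

Note the limit the post describes: the anti-spoofing rule only catches a forged inside address. A packet that forges another outside host's address carries exactly the header fields a legitimate one would, so a stateless filter has nothing to distinguish it by; the stateful and circuit-level techniques described in the next two sections are what close that gap.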

2. Stateful Packet Inspection

This is a more intelligent form of packet filtering in the sense that the firewall knows the status of each connection while inspecting network packets. Unlike the technique above, it keeps track of the state of the connections passing through the firewall. This means that if a malicious function has been split across several packets to avoid detection, there is a good chance the firewall will detect the threat by inspecting the individual packets and deducing the functionality they carry together.

From the start of a session to the end of a session, the stateful firewall is able to store the significant attributes of each connection so that it can inspect the packets according to their connection.

The IP addresses, port numbers and sequence numbers of data packets are significant in inspecting them, so this information is stored in memory for the duration of the session. Initiating a connection is CPU-intensive because the firewall has to perform thorough checks on the connection being made; after that, packets are transferred at quite a rapid pace. After the transfer completes, the session expires and its entry in the state table is discarded. To make the technique more intelligent, the firewall can track how long a connection has stayed idle, close a connection that has not responded for some time and allot that entry to another connection, saving resources. Nowadays stateful firewalls are found even on small and medium-sized networks, because computers have become faster and, thanks to their popularity, the firewalls have become much cheaper.

3. Circuit level Gateway

Such a filter looks not only at source and destination addresses but also at the circuits (temporary paths) that have been established for a connection. Such circuits are established, for example when using TCP (Transmission Control Protocol), during an initial handshaking session. A circuit-level filter can detect address spoofing, for example, because a spoofed packet has no way of obtaining the circuit information that is set up during the handshake. While very effective for certain protocols, circuit filters are of limited use with connectionless protocols (such as UDP), which may send packets over various paths.
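The following added example (Python, not code from the original post) implements both the state table described under Stateful Packet Inspection and the handshake tracking described here under Circuit level Gateway, since the two share the same connection table. An entry is created only by a SYN leaving the inside network, the peer's SYN/ACK must acknowledge the initial sequence number the inside host really sent (the circuit information a spoofer does not have), inbound packets without a matching entry are dropped, and entries idle longer than a timeout are reclaimed. The `StatefulFirewall` class, the `IDLE_TIMEOUT` value, the addresses (documentation ranges) and the sequence of segments in `demo` are all constructed for the demonstration, and the clock is passed in explicitly so the run is deterministic.

```python
"""Stateful inspection with TCP circuit tracking. Added example, not from the
original post. The state table is keyed on the connection 4-tuple
(inside_ip, inside_port, outside_ip, outside_port); flags are passed as a set
of TCP flag names and the clock as a float so the behaviour is reproducible.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0  # seconds; assumed value for the demonstration


@dataclass
class Entry:
    state: str        # "SYN_SENT", "SYN_RECEIVED" or "ESTABLISHED"
    client_isn: int   # initial sequence number the inside host sent
    last_seen: float  # clock value of the last packet on this connection


class StatefulFirewall:
    def __init__(self):
        self.table = {}

    def expire(self, now):
        """Reclaim entries idle for longer than IDLE_TIMEOUT (the post's idle tracking)."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)

    def handle(self, direction, src, sport, dst, dport, flags, seq, ack, now):
        """Return 'allow' or 'drop' for one TCP segment and update the table."""
        self.expire(now)
        if direction == "out":
            key = (src, sport, dst, dport)
            entry = self.table.get(key)
            if flags == {"SYN"} and entry is None:
                # Inside host opens a circuit; remember its ISN for the handshake check.
                self.table[key] = Entry("SYN_SENT", seq, now)
                return "allow"
            if entry is None:
                return "drop"  # outbound data with no tracked circuit
            if entry.state == "SYN_RECEIVED" and "ACK" in flags:
                entry.state = "ESTABLISHED"
            entry.last_seen = now
            return "allow"
        # Inbound: look up the reversed tuple; unsolicited traffic has no entry.
        key = (dst, dport, src, sport)
        entry = self.table.get(key)
        if entry is None:
            return "drop"
        if entry.state == "SYN_SENT":
            # Only a SYN/ACK acknowledging our ISN + 1 belongs to this circuit.
            if flags == {"SYN", "ACK"} and ack == entry.client_isn + 1:
                entry.state = "SYN_RECEIVED"
                entry.last_seen = now
                return "allow"
            return "drop"
        entry.last_seen = now
        return "allow"


def demo():
    """Constructed segment sequence; returns the decisions and the final table."""
    fw = StatefulFirewall()
    inside, outside = ("192.0.2.10", 40001), ("198.51.100.7", 443)
    results = [
        fw.handle("out", *inside, *outside, {"SYN"}, 1000, 0, 0.0),
        # A forged "reply" that never saw the SYN guesses the wrong ack number.
        fw.handle("in", *outside, *inside, {"SYN", "ACK"}, 5000, 4242, 0.1),
        fw.handle("in", *outside, *inside, {"SYN", "ACK"}, 5000, 1001, 0.2),
        fw.handle("out", *inside, *outside, {"ACK"}, 1001, 5001, 0.3),
        fw.handle("in", *outside, *inside, {"ACK"}, 5001, 1001, 0.4),
        # Unsolicited inbound SYN to the inside host: no table entry, dropped.
        fw.handle("in", "203.0.113.9", 5555, *inside, {"SYN"}, 77, 0, 0.5),
        # Idle longer than IDLE_TIMEOUT: the entry is reclaimed and the data dropped.
        fw.handle("in", *outside, *inside, {"ACK"}, 5002, 1001, 60.0),
    ]
    return results, fw.table


if __name__ == "__main__":
    decisions, table = demo()
    print(decisions, "entries left:", len(table))
```

The second inbound segment shows the circuit-level point: a packet that forges the outside host's address passes every address and port check, but it cannot carry the right acknowledgment number because it never saw the handshake. The last segment shows the idle-timeout reclamation described in the stateful section.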

4. Application Gateway

There is one more approach, which is better than packet filtering, stateful packet inspection and the circuit-level gateway. The problem with packet-level filters is that they treat all TCP/IP packets the same, without any priority. In comparison, the application gateway is far more intelligent than the previous three approaches, because it holds information about the applications that generated the packets passing through the firewall. An example of this technique is a web application gateway, which knows the details and nature of HTTP traffic. This information lets it examine packets in far more detail than the previous techniques, because it knows where malicious content would be injected. So rather than examining just the source and destination addresses and ports, it looks at the details of the content and determines whether the packet should be passed on to the network or not.

Application gateways also work as proxy servers. A proxy server, in short, behaves like an inspector, inspecting all incoming and outgoing traffic on the network. A proxy server has additional functionality too, such as caching pages and updating them when they are requested again. Because application gateways understand the contents of TCP/IP packets, they can make more intelligent decisions in determining the legitimacy of an incoming or outgoing packet. As a result they are more secure and effective than packet-filtering, stateful packet inspection and circuit-level gateway firewalls; furthermore, packet-filtering firewalls can deal with only one packet at a time. However, this technique is more expensive than the other three. Application gateways take more time and more skill to configure. Their other disadvantage is that they slow things down, because they carry out a more detailed check of the data before allowing it to pass.
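As an added illustration of what a web application gateway looks at (Python, not code from the original post), the block below inspects a whole HTTP request rather than addresses and ports: it parses the request line and headers, allows only known methods and hosts, rejects malformed framing (bad version, header without a colon, bare CR or LF, duplicate headers) and checks the body against Content-Length. The `ALLOWED_HOSTS`, `MAX_BODY` and the `SAMPLES` requests are constructed for the demonstration, not captured traffic.

```python
"""HTTP application-gateway check. Added example, not from the original post.
Policy values and sample requests below are constructed for the demonstration.
"""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}   # assumed: the sites this gateway fronts
MAX_BODY = 4096                       # assumed body limit in bytes


class Rejected(Exception):
    """Raised with a short reason when a request fails an inspection rule."""


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request; raise Rejected on anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Rejected("no end of headers")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII bytes in request head")
    # A bare CR or LF left after splitting on CRLF is a framing trick, not a header.
    if any("\r" in line or "\n" in line for line in lines):
        raise Rejected("bare CR or LF in request head")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise Rejected("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise Rejected("malformed header line")
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in headers:
            raise Rejected(f"duplicate header {name}")
        headers[name] = value.strip()
    return method, target, version, headers, body


def inspect(raw: bytes):
    """Return ('allow', summary) or ('drop', reason) for one request."""
    try:
        method, target, version, headers, body = parse_request(raw)
        if method not in ALLOWED_METHODS:
            raise Rejected(f"method {method} not allowed")
        if not target.startswith("/") or ".." in target.split("/"):
            raise Rejected("request target must be an absolute path")
        if headers.get("host") not in ALLOWED_HOSTS:
            raise Rejected("unknown host")
        declared = int(headers.get("content-length", "0"))  # ValueError if not a number
        if declared < 0 or declared > MAX_BODY:
            raise Rejected("body over limit")
        if len(body) != declared:
            raise Rejected("content-length does not match body")
    except (Rejected, ValueError) as exc:
        return "drop", str(exc)
    return "allow", f"{method} {target} host={headers['host']}"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain-get":  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "post-ok":    b"POST /submit HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello",
    "bad-method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "wrong-host": b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
    "dup-length": b"POST /s HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\nContent-Length: 1\r\n\r\nhello",
    "bare-lf":    b"GET / HTTP/1.1\r\nHost: www.example.com\nX-Injected: 1\r\n\r\n",
    "dot-dot":    b"GET /../private HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11} -> {inspect(raw)}")
```

Every one of the rejected samples has a perfectly valid outer TCP/IP header, which is the post's point: a packet filter or circuit-level gateway would pass all of them, and only a gateway that parses the application protocol can tell the well-formed request from the rest.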

The Verdict

Like all security measures, firewalls can be useful, but they are not foolproof. They have the advantage of concentrating security measures and issues in one place, making them easier to set up and maintain. Of course, such centralization also provides an Achilles' heel, that is, a single point of vulnerability. If an intruder can get around (or, more often, under) the firewall, then an attack is possible. A firewall's effectiveness depends on all traffic going through it. Even that is not a sufficient condition for security, however. In tunneling, one packet is encapsulated inside another. With this strategy, a packet from an untrusted machine or user can be placed inside a packet from a trusted machine, and the outer packet can then be sent through the firewall. Unless the firewall actually takes each packet apart and examines its contents, there is no guaranteed protection against tunneling.
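To show what "taking each packet apart" means for the tunneling case, here is an added Python example, not code from the original post. It decodes the fixed IPv4 header fields a firewall needs, follows IP-in-IP encapsulation (IANA protocol number 4) down to the innermost packet with a depth cap so a deeply nested packet cannot exhaust the inspector, and applies the trust decision to the innermost source rather than the outer one. `TRUSTED`, `MAX_DEPTH` and the packets built with `ipv4_packet` are constructed for the demonstration (addresses are documentation ranges; checksums are left zero and not validated).

```python
"""Unwrapping IP-in-IP tunneling before deciding. Added example, not from the
original post. Policy values and packets are constructed for the demonstration.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4             # IPv4 encapsulated in IPv4
IPPROTO_TCP = 6
MAX_DEPTH = 4                # assumed: refuse more than four nested headers
TRUSTED = {"198.51.100.7"}   # assumed: the only outside host allowed in


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header in front of payload (test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return src, dst, protocol and payload of one IPv4 packet; ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or header length")
    total = struct.unpack("!H", pkt[2:4])[0]
    if total < ihl or total > len(pkt):
        raise ValueError("bad total length")
    return {
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "dst": str(ipaddress.ip_address(pkt[16:20])),
        "proto": pkt[9],
        "payload": pkt[ihl:total],
    }


def unwrap(pkt, deep=True):
    """List (src, dst, proto) for each nested IP layer, outermost first."""
    layers = []
    while True:
        hdr = parse_ipv4(pkt)
        layers.append((hdr["src"], hdr["dst"], hdr["proto"]))
        if not deep or hdr["proto"] != IPPROTO_IPIP:
            return layers
        if len(layers) >= MAX_DEPTH:
            raise ValueError("encapsulation nested too deeply")
        pkt = hdr["payload"]


def decide(pkt, deep=True):
    """Return ('allow' or 'drop', layers): the innermost source must be trusted.

    deep=False reproduces a firewall that judges only the outer header.
    """
    try:
        layers = unwrap(pkt, deep)
    except ValueError as exc:
        return "drop", str(exc)
    innermost_src = layers[-1][0]
    return ("allow" if innermost_src in TRUSTED else "drop"), layers


# Constructed packets: an untrusted host's TCP segment wrapped by a trusted host.
INNER = ipv4_packet("203.0.113.9", "192.0.2.10", IPPROTO_TCP, b"\x00" * 20)
TUNNELED = ipv4_packet("198.51.100.7", "192.0.2.1", IPPROTO_IPIP, INNER)
PLAIN = ipv4_packet("198.51.100.7", "192.0.2.10", IPPROTO_TCP, b"\x00" * 20)

if __name__ == "__main__":
    print("outer header only:", decide(TUNNELED, deep=False))
    print("unwrapped:        ", decide(TUNNELED))
    print("plain packet:     ", decide(PLAIN))
```

With `deep=False` the tunneled packet is allowed because its outer source is trusted; with the default deep inspection the same packet is dropped once the untrusted inner source is exposed. The depth cap is the defensive detail worth keeping: an inspector that unwraps without limit can be kept busy by a packet that is nothing but nested headers.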
