Many people think of a firewall as a guard on your network that just works – and in many cases they do function without you ever having to explicitly write policies or understand the inner workings. Take the Microsoft Windows firewall, for instance: for the most part it works in the background without you ever needing to know the particulars. Occasionally you might be prompted to allow an application inbound or outbound; or, for the power user, you might be familiar with creating your own policies based on ports, source and destination address. The name Windows ‘Advanced’ Firewall can be a bit misleading, as there’s really nothing advanced about it (sorry to pick on you, Microsoft). Many of you (who use Windows) may not even feel the need to keep the Windows firewall on, because you feel safe running 3rd-party software or place your confidence in the built-in firewalls of home routers and the like. I would say you would be smart not to leave these duties to Windows alone, as the built-in Windows Firewall is more reminiscent of the systems of yesteryear.
What “is” a firewall in its purest, simplest form? It’s basically a cop that permits or denies traffic based on source IP/subnet, destination IP/subnet and application (port). Your policies can be based on one of these, two, or all three. In the early days of internetwork security this was probably sufficient; however, as computers and cracking became more widespread, vulnerabilities were discovered that necessitated a more intelligent firewall. Things like IP spoofing, DDoS, etc. created the need for something more elaborate; enter Stateful Packet Inspection.
To understand Stateful Packet Inspection we first need to take a look at traditional routing and how it works. Traditionally routers are Layer 3 devices and routing is promiscuous, meaning that routing works by forwarding one packet at a time. Your typical router would handle forwarding based on source and destination IP and would therefore be virtually unaware that packets 4, 5 & 6 had anything in common. Additionally, without access control or ‘firewalling’, the role of a promiscuous router is to forward all packets by default. This also meant that the router was unable to detect malformed packets, suspicious incoming packets, repeat packets, etc. This isn’t very useful if you’re trying to protect your network against infiltration and attack (see figure 1A).
Stateful firewalls, which perform Stateful Packet Inspection, were the answer to this problem. Firewalls were no longer limited to Layer 3 functionality and could now process packets based on Layer 4 (Transport) data, inspecting TCP/IP sessions. This gives the firewall some insight and continuity when processing packets. A unidirectional session is opened when the first packet arrives. The session is keyed on source IP, destination IP, source port, destination port, protocol and a session number, and it tracks the entire session flow. Firewalls of today can work all the way up to Layer 7, processing Application Layer data in real time, which lets them monitor the protocols and data inside a session. Not all modern firewalls perform Layer 7 functions, as this is cutting edge, but all should perform stateful inspection (see figure 1B) as well as one other important feature which didn’t always exist: zone-based firewalling.
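To make the session idea concrete, here is a toy stateful filter written as an added example (it is not code from the post): sessions are keyed on the tuple described above, replies are matched against the reversed tuple, and only a SYN that policy allows may open a new session. The addresses, policy and `Packet` class are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet model: the session tuple from the text plus the two
# TCP flags the firewall needs to tell a new session from a reply.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN: set on the packet that opens a session
    ack: bool = False

class StatefulFirewall:
    """Hypothetical stateful filter: a session is created only when policy
    allows the opening packet; replies are matched against the reversed tuple."""

    def __init__(self, policy):
        # policy rows: (source network allowed to OPEN a session, proto, dport)
        self.policy = [(ipaddress.ip_network(n), pr, dp) for n, pr, dp in policy]
        self.sessions = set()   # forward 5-tuples of sessions opened under policy

    def process(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport, p.proto)
        rev = (p.dst, p.src, p.dport, p.sport, p.proto)
        if fwd in self.sessions or rev in self.sessions:
            return "permit established"
        # Only a SYN without ACK can open a TCP session. A stateless ACL that
        # matched "sport 443" would forward a stray ACK; a stateful filter does not.
        if p.proto == "tcp" and (not p.syn or p.ack):
            return "deny no-session"
        src = ipaddress.ip_address(p.src)
        for net, pr, dp in self.policy:
            if src in net and p.proto == pr and p.dport == dp:
                self.sessions.add(fwd)
                return "permit new"
        return "deny policy"

def demo():
    """Constructed traffic: inside hosts (10.0.0.0/8) may open HTTPS outbound."""
    fw = StatefulFirewall([("10.0.0.0/8", "tcp", 443)])
    out_syn = Packet("10.1.1.5", "203.0.113.10", 51000, 443, "tcp", syn=True)
    reply   = Packet("203.0.113.10", "10.1.1.5", 443, 51000, "tcp", syn=True, ack=True)
    stray   = Packet("198.51.100.7", "10.1.1.5", 443, 52222, "tcp", ack=True)
    in_syn  = Packet("198.51.100.7", "10.1.1.5", 40000, 443, "tcp", syn=True)
    return [fw.process(x) for x in (out_syn, reply, stray, in_syn)]
```

The third packet is the case that separates the two designs: it matches a port-based rule but belongs to no session, so the stateful filter drops it.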
Zone-based firewalling was quite a breakthrough because it allowed security devices to deal with issues like IP spoofing. Without zoning, an attacker could potentially spoof an internal IP coming in through the DMZ or internet ingress, and if he knew what he was doing the firewall wouldn’t know any better. Zone-based firewalling segregates all sections and provides buffers, much like air-locks or double security gates in a prison. Better still, if a zone-based firewall sees a packet ingressing from a zone that its source IP doesn’t belong to, it will reject the packet (see figure 2A). Zone-based firewalls are not only great for protecting against outside threats; they also mitigate curious or malicious threats from the inside. Perhaps a mischievous Deskside Support technician stumbles across the location of the Finance department’s shared folders or SharePoint site. Since he’s on the internal network and has the ability to add himself to any Active Directory group, he can have a look at what his peers make and raise a stink if things are a bit uneven. All of the permissions and group membership won’t do a thing if you’re being denied based on your zone and IP (see figure 2B).
Zone-based firewalls, like ACLs and other firewalls, start with an implicit deny. Previously we discussed that promiscuous routing accepts all packets by default – firewalls work the opposite way. If nothing is specified from zone to zone, then everything is denied. Although it may be painful to build each and every policy, this method is the most secure. For a situation where you want traffic to flow freely between zones, you can use the infamous permit any any. Where the implicit deny says ‘deny any source to any destination on any port’, the permit is just the opposite. The beauty of zone-based firewalling is how granular you can get. I can allow ONLY your wired IP (not your wireless) to access one specific web server portal, and only over HTTPS. If I want to give you rudimentary troubleshooting, then I may allow ICMP for ping and traceroute. You will seldom see ICMP allowed inbound from the internet or DMZs, but deep within the internal zones it is common.
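The two zone-based behaviours from the last two paragraphs (rejecting a source address that arrives from the wrong zone, and implicit deny with a granular wired-only HTTPS permit plus internal ICMP) in one added example; this is illustrative code, not from the post, and the zone names, address ranges and policy rows are constructed.

```python
import ipaddress

# Constructed zone map (hypothetical addressing): zone -> networks; "internet" is the 0/0 catch-all.
ZONES = {
    "internet": ["0.0.0.0/0"],
    "dmz":      ["192.0.2.0/24"],
    "wired":    ["10.10.0.0/16"],
    "wireless": ["10.20.0.0/16"],
    "finance":  ["10.50.0.0/24"],
}

# Policy rows: (from zone, to zone, source host/net, proto, dport or None); unlisted = implicit deny.
POLICY = [
    ("wired",    "finance", "10.10.5.20/32", "tcp",  443),   # one wired host, HTTPS only
    ("wired",    "finance", "10.10.0.0/16",  "icmp", None),  # ping/traceroute inside the LAN
    ("wireless", "finance", "10.20.0.0/16",  "icmp", None),
    ("internet", "dmz",     "0.0.0.0/0",     "tcp",  443),   # public web server in the DMZ
]

def zone_of(ip):
    """Most-specific zone whose networks contain ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best_zone, best_len = None, -1
    for zone, nets in ZONES.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            if addr in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone

def decide(ingress_zone, src, dst, proto, dport=None):
    # Anti-spoofing: the source address must belong to the zone it arrived from.
    if zone_of(src) != ingress_zone:
        return "reject spoofed"
    addr, dst_zone = ipaddress.ip_address(src), zone_of(dst)
    for fz, tz, net, pr, dp in POLICY:   # explicit permits between the two zones
        if (fz, tz, pr) == (ingress_zone, dst_zone, proto) \
                and addr in ipaddress.ip_network(net) and (dp is None or dp == dport):
            return "permit"
    return "deny implicit"               # nothing matched: implicit deny

def demo():
    return [   # constructed packets aimed at the finance web portal 10.50.0.10
        decide("internet", "10.10.5.20",  "10.50.0.10", "tcp", 443),  # internal IP arriving from the internet
        decide("wired",    "10.10.5.20",  "10.50.0.10", "tcp", 443),  # the one permitted host, HTTPS
        decide("wired",    "10.10.5.20",  "10.50.0.10", "tcp", 445),  # same host, SMB: not in policy
        decide("wireless", "10.20.7.9",   "10.50.0.10", "tcp", 443),  # wireless: AD groups don't help here
        decide("wireless", "10.20.7.9",   "10.50.0.10", "icmp"),      # ping deep inside is allowed
        decide("internet", "203.0.113.5", "10.50.0.10", "icmp"),      # no ICMP in from the internet
    ]
```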
For years many corporations, ISPs, etc. have been getting by with Stateful Packet Inspection and zone-based firewalls, but the latest and greatest takes things a step further by pushing inspection up to Layer 7. Although my experience with these expensive cutting-edge firewalls is limited, I can lay out the main idea. Social media is a perfect example of why Application Layer firewalls can be very useful. Rather than just restricting or allowing your access to certain resources or external web pages, I may want to give you access to some, but not all, content. Just as you may want to provide your kids with satellite TV and internet, you probably also want to restrict where they can go. Until recently company firewalls were telling employees that they could not go to Facebook or Twitter; but let’s face it: social media has become a tool for most businesses that adapt, and anyone with any sense will take advantage of the ‘free’ services that come with them. Because our company is rolling out the hip new young persona, we want our employees on our Facebook page; HOWEVER, we do not want our employees playing Farmville or other time-wasting games. Layer 7 firewalls look deep into the sessions, determine whether things like Flash or Java content are active, and block those sessions in real time (see figure 3A).
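A sketch of what “looking deep into the session” means for plain HTTP, added here as an example rather than taken from the post or any product: the request’s Host header is checked against an allow list, and the response’s Content-Type is checked for Flash or Java payloads. The host list, content types and HTTP messages are constructed for the demonstration.

```python
# Constructed policy (hypothetical): social media hosts are allowed, but
# responses carrying Flash or Java content are dropped from the session.
ALLOWED_HOSTS = {"www.facebook.com", "twitter.com"}
BLOCKED_TYPES = {
    "application/x-shockwave-flash",
    "application/x-java-applet",
    "application/java-archive",
}

def parse_head(raw):
    """Split an HTTP message head into its start line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def inspect_request(raw):
    """Layer 7 check on the client side: is the Host header on the allow list?"""
    _, h = parse_head(raw)
    host = h.get("host", "").split(":")[0].strip().lower()
    return "permit" if host in ALLOWED_HOSTS else "deny host"

def inspect_response(raw):
    """Layer 7 check on the server side: block sessions delivering Flash/Java."""
    _, h = parse_head(raw)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return "deny content" if ctype in BLOCKED_TYPES else "permit"

def demo():
    # Constructed messages, not real captures.
    page_req = b"GET /company-page HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
    other_req = b"GET / HTTP/1.1\r\nHost: games.example\r\n\r\n"
    html_resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"
    flash_resp = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\nFWS"
    return [inspect_request(page_req), inspect_request(other_req),
            inspect_response(html_resp), inspect_response(flash_resp)]
```

A port-based or zone-based rule sees all four of these messages as the same thing (TCP to port 80 between two permitted addresses); only the header content tells them apart.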
This is one minor example of how firewalls continue to adapt to malicious and legitimate network traffic in an age of total online presence. So what will be the next big step in firewalls? Isn’t it obvious? The NSA will be implanting personal firewalls in our brains at birth to segregate parts of the brain in an attempt to keep us from connecting the dots and revealing the stranglehold the government has on us…just kidding; that’s crazy talk. But seriously, you may want to look into a home birth in an old garage in New Mexico – Arnold Schwarzenegger can lend a hand and Eddie Furlong can be your wet nurse (see figure T2).