How Firewalls Mitigate Attacks
Network security is the process by which an organization's digital information assets are protected. If network security is compromised, severe consequences can follow, such as the loss of confidential information. The goals of network security are to maintain integrity, protect confidentiality and ensure availability. The process begins with developing a security policy and access rules; the policy must clearly identify the organization's network security objectives. Network security covers security management, computer system security, data security and the security of the network devices themselves.
Because of the tremendous growth of e-business and the Internet, organizations large and small find a web presence essential to compete in today's market. Connecting to the Internet, however, means that the company's private network is connected to the outside world, which exposes it to attacks from the Internet. An e-business company's web server must be reachable from the Internet to serve pages to customers, so the web or file server is exposed to attack. The network engineer must defend the network against threats such as viruses, worms, Trojan horses, theft of information, misuse of resources and failures of access control. Today, connecting to the Internet without a firewall is like leaving the front door of your house open for anyone to walk in. With information theft and identity theft at an all-time high, computer networks need protection.
A special device was needed to defend against intruders and hackers, and the firewall was introduced in 1988. Many kinds of firewalls are now on the market; they differ not only in cost but also in functionality, so it is hard for an organization to pick one firewall and consider itself protected. This report explains the different types of firewalls and what they do.
The following figure shows a firewall placed between the Internet and the private network to provide network security and protect the network from attacks.
Network Security Policy:
Everyone wants to protect their network and the information on it, so there must be rules that define what is and is not acceptable on the network. To apply those rules we first need a security policy; a good, detailed security policy is the starting point of network security. Once the policy has been written it must be implemented as technical controls, which means hardware or software devices are needed to enforce it. A firewall is one of the devices used to enforce the security policy on the network.
Securing Network with Firewall:
Technical controls are the most important part of a network security programme because they provide the actual protection against attacks and keep the network safe. The firewall is one of the main devices used to technically control network traffic.
What is a firewall:
The term firewall comes from the fire-resistant walls in buildings that stop a fire from spreading to other parts of the building. A network firewall is a device that separates the trusted network (the private network) from the untrusted network (the outside network). It may be a dedicated hardware appliance or a computer running firewall software.
The main aim of a firewall is to protect the network from countless threats by allowing only authorized traffic in or out of the network. A firewall can be a standalone appliance, such as the Cisco PIX, or it can be implemented as filtering rules on the network's gateway router.
The following figure shows the firewall filtering traffic at the network boundary: authorized traffic is let into the network and unauthorized traffic is rejected.
How Firewalls mitigate attacks?
The main aim of firewall technology is to protect sensitive information moving between two networks. In practice the firewall is placed between the private network and the Internet to prevent attacks. It is one of the most essential barriers defending a computer network from many threats, and the firewall at the network perimeter is the first line of defence against external attacks. To mitigate attacks the firewall divides the network into two zones:
Trusted zone: the private network and its authorized users.
Untrusted (least trusted) zone: users on the Internet trying to reach the private network.
The basic job of the firewall is to permit or deny traffic according to its access rules.
Permit: authorized traffic is allowed into the network according to the predefined access rules.
Deny: unauthorized traffic is stopped at the firewall; the packet is discarded (or rejected with an error) and the event can be logged or reported to the network administrator.
The figure above shows how the firewall filters traffic according to the specified criteria.
Protecting network with Firewall:
Firewalls filter the traffic passing between two or more networks and divide the network into protected and unprotected areas.
A firewall is considered a good firewall if it meets the following requirements:
It should protect against attacks from outside the network, e.g. from the Internet.
It should protect the network from internal attacks.
It should grant users access according to the access privileges they hold.
It should stop unauthorized users from reaching protected resources.
Hardware and Software Firewalls:
There are two main categories of firewall: hardware firewalls and software firewalls. Which one is used depends on the network's requirements; each has its own benefits, and both aim to provide secure communication. An organization can use either a hardware or a software firewall, or, for better results, a combination of the two.
As the name says, a hardware firewall is a dedicated appliance. It is normally placed near the network's gateway router, or between two networks, to control the flow of traffic. Before it is put into service it is configured with the access policy or security rules, and once active it controls all traffic going in or out of the network: each incoming packet is examined and compared with the access rules to decide whether to allow or discard it. Hardware firewalls are mostly used by large businesses and suit multinational companies best.
The following figure shows a hardware firewall protecting the network from the Internet.
A hardware firewall runs its own operating system, independent of general-purpose systems such as Microsoft Windows. Windows and other common operating systems have many vulnerabilities; because a hardware firewall does not run a common OS, attackers have a smaller and less familiar attack surface to work with, although appliance software has vulnerabilities of its own and must still be patched.
Another benefit is that it is faster than other types of firewall and easy to deploy on the network.
The main disadvantage of a hardware firewall is that it is a single point of failure: if the appliance fails, all traffic in and out of the network stops. Another disadvantage is that if an attacker compromises the firewall itself, he controls the traffic going in and out of the network.
Most hardware firewalls cost more than software firewalls, and specially trained staff are needed to manage the device, which raises the overall cost further.
Hardware firewalls are also made by different vendors, so each needs its own configuration and maintenance. The network administrator must learn about the specific firewall before placing it in the network and must know how to administer that device.
A software firewall is a program installed on an existing device such as a router, server or PC. Once installed and properly configured it works the same way as a hardware firewall: it examines the traffic and allows or denies it according to the predefined access rules that decide whether a packet may enter the network.
Care must be taken when installing a software firewall on an existing device, because the firewall will consume the device's CPU and other resources. Make sure the device has enough hardware resources to perform well with the firewall running; if there are not enough resources for the software firewall to operate, network performance suffers.
Because attackers keep trying new methods, and new vulnerabilities keep appearing, the software firewall must be upgraded regularly to protect against new threats. Software firewalls suit small businesses and home networks best, because they are easy to implement and need no special hardware.
The following figure shows a computer or router running a software firewall to provide network security.
Since a software firewall can be installed on existing network devices it normally costs less than a hardware firewall, and many free software firewalls can be downloaded from the Internet and installed on a PC.
A software firewall shares system resources with the other applications running on the computer, which can hurt the computer's performance if resources are scarce.
Often the free version of a vendor's software firewall provides only basic protection; the advanced features have to be paid for.
Another disadvantage of a software firewall is that it runs on an existing operating system, so it is exposed to the same kinds of attacks as that operating system.
Different Types of Firewalls:
Having defined the two main categories of firewall, the next part of the report explains the types of firewall classified by how they filter packets and how they behave in the network. The TCP/IP model is used throughout to describe how packets are handled and filtered by each type.
Packet Filtering Firewall
This was the first type of firewall used to protect networks. A packet filtering firewall checks the source and destination IP address of each packet (and usually the protocol and port numbers) and lets the packet in or out according to the organization's security policy. Normally the gateway router at the network edge does this filtering: an access control list (ACL) configured on the router makes it act as a packet filtering firewall, allowing or denying access to the network according to the access rules.
The following figure shows an incoming packet being filtered on the specified rules, such as IP address, packet type and port number.
It is the simplest form of firewall and easy to implement. A packet filtering firewall adds negligible overhead, so users will not notice a difference in network performance.
Because it checks only the layer 3 addresses in the packet and admits or denies the packet on that basis, it is weak against IP spoofing, the technique of forging the source IP address of a packet to any address the attacker likes. A hacker can use IP spoofing tools to pass packets through a packet filtering firewall that trusts internal source addresses; at a minimum, the filter should therefore drop any packet arriving on the outside interface that carries an internal source address.
Another problem with the packet filtering firewall is that it does not know who is using the service: it sees addresses and ports, not users or sessions.
Packet filtering firewalls are used in low-security environments or where cost is an issue. Implementing the filter on the existing router saves money, but this kind of firewall should not be relied on in high-security environments. It is good for small businesses or for filtering traffic within the organization.
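To make the rule matching and the spoofing weakness concrete, the following Python model of a router ACL is added here as an illustration; it is not code from the report or from any vendor. The interface names, the 10.1.0.0/16 private range, the 10.1.0.10 web server and all of the traffic are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed for this example: the private network behind the packet filter.
INSIDE_NET = ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: Optional[str] = None   # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[Rule]]:
    """Router-style ACL semantics: the first matching rule wins, and a packet
    that matches nothing is dropped (the implicit deny at the end of the list)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule
    return "deny", None


# A naive ACL that trusts the source address: anything claiming an inside
# source is permitted, and the Internet may reach the web server on tcp/80.
NAIVE_ACL = [
    Rule("permit", src=str(INSIDE_NET)),
    Rule("permit", dst="10.1.0.10/32", proto="tcp", dport=80),
]

# The same policy with an anti-spoofing rule placed first: a packet arriving
# on the outside interface can never legitimately carry an inside source.
HARDENED_ACL = [Rule("deny", iface="outside", src=str(INSIDE_NET))] + NAIVE_ACL

# Constructed traffic: a legitimate web request, an SSH probe, and a packet
# whose source address has been spoofed to look like an internal host.
WEB_REQUEST = Packet("outside", "198.51.100.7", "10.1.0.10", "tcp", 80)
SSH_PROBE = Packet("outside", "198.51.100.7", "10.1.0.10", "tcp", 22)
SPOOFED = Packet("outside", "10.1.0.50", "10.1.0.20", "tcp", 22)

if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("hardened", HARDENED_ACL)):
        for pkt in (WEB_REQUEST, SSH_PROBE, SPOOFED):
            action, _ = evaluate(acl, pkt)
            print(f"{name:8s} {pkt.src:>12s} -> {pkt.dst}:{pkt.dport} {pkt.proto}: {action}")
```

The naive list permits the spoofed packet because it matches the first rule on source address alone; the hardened list denies it because the anti-spoofing rule is evaluated first. Rule order matters: the same anti-spoofing rule placed after the permit would never be reached.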
Stateful Inspection Firewall
A stateful firewall checks and monitors the state of the connections between source and destination. It is more complex than a packet filter. It can follow every phase of a connection, e.g. connection initiation, data transfer and connection termination, and it can perform multilayer inspection: a packet is first checked at the Internet protocol layer (layer 3 of the TCP/IP model) and, if it passes, a second check can be made at the application layer (layer 5 of the TCP/IP model).
It inspects TCP and UDP sessions and keeps tracking them between source and destination. When the first packet of a session arrives, the firewall inspects the protocol headers and permits or denies it according to the security policy. If the packet is permitted, the firewall records the source and destination addresses, the port numbers and the TCP sequence numbers in its state table, and later packets are matched against that table, so only traffic that belongs to an established, permitted session is let through. The Cisco PIX firewall is an example.
The following figure shows an incoming packet being filtered on the specified application rules.
It is more secure than packet filtering because it not only inspects packets more deeply but also keeps a record of each session.
It can slow the network down, because all traffic passes through the firewall, and this kind of firewall is expensive.
Another disadvantage is that when packets from inside the network travel outside, hackers can capture them and read the internal IP addresses in the packet headers, which reveals the addressing scheme used inside the network and can lead to further attacks. Network Address Translation (NAT) on the stateful firewall resolves this by replacing internal addresses with the firewall's public address.
This kind of firewall is good for networks that require a high level of security. It is mostly used by medium and large organizations where every session needs to be audited.
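The following Python model of a stateful firewall's connection table is added here as an illustration; it is not the report's code or any vendor's implementation. The 10.1.0.0/16 inside network, the policy that only inside hosts may open connections, and the traffic are constructed for the example, and the model tracks only the TCP flags, not sequence numbers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

# Constructed for this example: the private network behind the stateful firewall.
INSIDE_NET = ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}


def from_inside(seg: Segment) -> bool:
    return ip_address(seg.src) in INSIDE_NET


def flow_key(seg: Segment) -> Tuple[str, int, str, int]:
    """Both directions of a connection map to one key:
    (inside addr, inside port, outside addr, outside port)."""
    if from_inside(seg):
        return (seg.src, seg.sport, seg.dst, seg.dport)
    return (seg.dst, seg.dport, seg.src, seg.sport)


class StatefulFirewall:
    """Permits TCP traffic only if it belongs to a session that an inside host
    opened and that has followed the handshake in order. Policy: inside hosts
    may initiate connections; outside hosts may only answer them."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def process(self, seg: Segment) -> str:
        key = flow_key(seg)
        state = self.table.get(key)
        inside = from_inside(seg)
        f = seg.flags

        if "RST" in f:                        # a reset tears the session down either way
            if state is None:
                return "deny"
            del self.table[key]
            return "permit"
        if state is None:
            if inside and f == {"SYN"}:       # new connection from the trusted side
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"                     # unsolicited SYN or SYN/ACK from outside
        if state == "SYN_SENT":
            if not inside and f == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"
                return "permit"
            return "deny"
        if state == "SYN_RECEIVED":
            if inside and "ACK" in f and "SYN" not in f:
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "deny"
        if state == "ESTABLISHED":
            if "FIN" in f:
                self.table[key] = "FIN_WAIT"
            return "permit"
        if state == "FIN_WAIT":               # one side closed; wait for the other FIN
            if "FIN" in f:
                self.table[key] = "LAST_ACK"
            return "permit"
        if state == "LAST_ACK":               # final ACK completes the close; forget the flow
            if "FIN" not in f:
                del self.table[key]
            return "permit"
        return "deny"


def stateless_established(seg: Segment) -> str:
    """The classic stateless 'established' ACL: trusts any inbound segment with ACK set."""
    return "permit" if (not from_inside(seg) and "ACK" in seg.flags) else "deny"


# Constructed traffic: an inside client opening a web session, plus an
# outside host injecting a SYN/ACK that belongs to no known connection.
CLIENT, SERVER, ATTACKER = "10.1.0.20", "198.51.100.7", "203.0.113.9"
HANDSHAKE = [
    Segment(CLIENT, 40000, SERVER, 80, frozenset({"SYN"})),
    Segment(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Segment(CLIENT, 40000, SERVER, 80, frozenset({"ACK"})),
    Segment(SERVER, 80, CLIENT, 40000, frozenset({"ACK"})),   # data flowing back
]
UNSOLICITED = Segment(ATTACKER, 80, CLIENT, 40001, frozenset({"SYN", "ACK"}))


def run(segments: List[Segment]) -> List[str]:
    fw = StatefulFirewall()
    return [fw.process(s) for s in segments]
```

The comparison function shows why the state table matters: a stateless 'established' rule that admits any inbound segment with the ACK bit set lets the attacker's SYN/ACK through, whereas the state table refuses it because no inside host sent the matching SYN.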
Application Level Firewall
The application level firewall was designed to give the network more security by checking all layers of the TCP/IP model. Where the packet filtering firewall examines an incoming packet only up to the Internet protocol layer, the application layer firewall inspects it all the way up to the application layer.
The application firewall is a dedicated computer, also known as a proxy server. The proxy accepts requests from external clients for internal services, and it is the proxy, not the internal host, that exchanges information with the external network. Its main advantage is that it hides the internal network from outsiders.
A proxy service has two important components: the proxy server and the proxy client.
The proxy server accepts a connection from one side of the network and opens a connection to the other side. It first checks whether the connection or host is allowed; if it is, the proxy server makes a second connection to the destination host on the other side of the network.
In this way the source host is connected only indirectly to the destination host, via the proxy server. This indirect connection stops valuable information about the internal network from passing to the external network.
Because the application layer firewall filters up to the application layer, it understands a variety of applications, so checks can be performed on the content of each application's traffic for better results.
If there are too many users on the network, proxy services may slow the network down.
The following figure shows an incoming packet being filtered on the specified application rules. For example, you can block HTTP traffic and allow all other protocols; with an application firewall you have finer control over filtering by protocol.
This kind of firewall is good for networks that require a high level of security, such as banking. It is mostly used by medium and large organizations and costs more than a packet filtering firewall.
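The following Python example is added to show what an application-level check looks like in practice; it is not the report's code or any product's implementation. It models a reverse proxy in front of two published web servers (the host names, the policy lists and the sample requests are all constructed). Unlike a packet filter or circuit-level gateway, it has to parse the request before it can decide anything.

```python
from typing import Dict, Tuple

# Constructed policy for the example: which methods and published sites the
# proxy will forward, and which file types it refuses to serve.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}   # assumed internal web servers
BLOCKED_PATH_SUFFIXES = (".exe", ".scr")                   # executables are not served here
MAX_REQUEST_LINE = 2048


class Verdict(Exception):
    """Raised with the reason the proxy refuses to forward a request."""


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Parse an HTTP/1.x request head (request line + headers) and reject
    anything malformed. The proxy must understand the protocol before it can
    filter on it; a lower-layer firewall never gets this far."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Verdict("incomplete request head")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise Verdict("non-ASCII bytes in request head")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise Verdict("request line too long")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise Verdict("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise Verdict(f"malformed header line: {line!r}")
        key = name.lower()
        if key in headers:
            raise Verdict(f"duplicate header: {name}")
        headers[key] = value.strip()
    return method, target, version, headers


def proxy_decision(raw: bytes) -> Tuple[str, str]:
    """Return ("forward", host) or ("block", reason) for one inbound request."""
    try:
        method, target, _version, headers = parse_request_head(raw)
        if method not in ALLOWED_METHODS:
            raise Verdict(f"method {method} not allowed")
        host = headers.get("host")
        if host is None:
            raise Verdict("missing Host header")
        if host.split(":")[0] not in ALLOWED_HOSTS:
            raise Verdict(f"host {host} is not published")
        if not target.startswith("/") or "/.." in target:
            raise Verdict(f"suspicious request target {target}")
        path = target.split("?", 1)[0].lower()
        if path.endswith(BLOCKED_PATH_SUFFIXES):
            raise Verdict("executable content is blocked")
        return "forward", host
    except Verdict as why:
        return "block", str(why)


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = b"GET /images/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
UNPUBLISHED = b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EXECUTABLE = b"GET /downloads/tool.exe HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, TRAVERSAL, UNPUBLISHED, BAD_METHOD, EXECUTABLE):
        print(req.split(b"\r\n")[0].decode(), "->", proxy_decision(req))
```

Every decision here depends on fields that only exist at the application layer: the method, the Host header and the path. That is the extra control the section describes, and also the reason the proxy costs more CPU per request than the lower-layer filters.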
Circuit Level Firewall
The circuit level firewall is a more advanced form of the packet filtering firewall because it examines incoming packets in more detail, and it therefore protects better against attacks than a packet filter. It checks not only the IP addresses and port numbers but also the status of the TCP handshake between source and destination, keeps a record of that handshake, and verifies the handshake before authorizing access.
The circuit level firewall works at the transport (TCP) layer, layer 4 of the TCP/IP model, because it must examine the TCP handshake between the hosts and open the session between them.
The source host starts the connection. When the packet arrives at the gateway, the gateway examines the connection information in the IP packet and matches it against the security policy predefined on the gateway. If the packet is permitted to enter the network, the gateway makes a second connection to the destination host, so when the packet arrives at the destination its source address is the address of the gateway.
The following figure shows that traffic is allowed only if the session was initiated by an authorized host on the network; all other traffic is denied.
The circuit level gateway gives better protection than a packet filter against some attacks, such as IP spoofing, which a packet filter cannot detect: a host that forges its source address cannot see the replies and so cannot complete the TCP handshake.
It checks each TCP session and opens ports only for the connections it is managing, so no unauthorized traffic is allowed in and the network is considered protected.
Another main benefit of the circuit level gateway is that it hides the IP addresses of the trusted network from untrusted networks, because an outside host only ever sees the gateway's address as the source IP, as with Network Address Translation (NAT).
The main problem with this kind of firewall is that it does not check the content of the packet. The payload may carry a virus or worm, so a mistake by an authorized host can bring a virus into the network.
This kind of firewall is good for networks that require a high level of security. It is mostly used by medium and large organizations. A network router can act as the firewall, but for large organizations a separate firewall device is recommended.
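The relay and address-hiding behaviour described above is modelled in the following Python example, added here as an illustration and not taken from the report or any product. The 10.1.0.0/16 trusted network, the gateway address 203.0.113.1, the allowed outbound ports and the traffic are constructed; the model records circuits and rewrites addresses but does not track TCP flags.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed for this example: the trusted network and the gateway's outside address.
INSIDE_NET = ip_network("10.1.0.0/16")
GATEWAY_ADDR = "203.0.113.1"
ALLOWED_OUTBOUND_PORTS = {80, 443, 25}   # assumed policy: web and mail only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class CircuitGateway:
    """A circuit-level relay: the inside host talks to the gateway, the gateway
    opens a second connection from its own address, and a table ties the two
    circuits together. Outside hosts only ever see GATEWAY_ADDR."""

    def __init__(self) -> None:
        self.next_port = 50000
        # gateway port -> (inside addr, inside port, outside addr, outside port)
        self.circuits: Dict[int, Tuple[str, int, str, int]] = {}
        # (inside addr, inside port, outside addr, outside port) -> gateway port
        self.by_inside: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Packet from the inside network; returns the packet as it is sent on
        the second circuit, or None if the policy refuses the connection."""
        if ip_address(p.src) not in INSIDE_NET or ip_address(p.dst) in INSIDE_NET:
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        gport = self.by_inside.get(key)
        if gport is None:                        # new circuit: check the policy first
            if p.dport not in ALLOWED_OUTBOUND_PORTS:
                return None
            gport = self.next_port
            self.next_port += 1
            self.circuits[gport] = key
            self.by_inside[key] = gport
        return Packet(GATEWAY_ADDR, gport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Packet from the outside network; delivered to the inside host only
        if it answers a circuit that an inside host opened."""
        circuit = self.circuits.get(p.dport)
        if p.dst != GATEWAY_ADDR or circuit is None:
            return None                          # unsolicited: nothing to relay it to
        inside_addr, inside_port, out_addr, out_port = circuit
        if (p.src, p.sport) != (out_addr, out_port):
            return None                          # right gateway port, wrong peer
        return Packet(p.src, p.sport, inside_addr, inside_port)

    def close(self, inside: Packet) -> None:
        """Inside host finished; drop the circuit so nothing more can ride on it."""
        key = (inside.src, inside.sport, inside.dst, inside.dport)
        gport = self.by_inside.pop(key, None)
        if gport is not None:
            del self.circuits[gport]


# Constructed traffic.
CLIENT, WEB, ATTACKER = "10.1.0.20", "198.51.100.7", "203.0.113.9"
REQUEST = Packet(CLIENT, 40000, WEB, 80)
SSH_OUT = Packet(CLIENT, 40001, WEB, 22)

if __name__ == "__main__":
    gw = CircuitGateway()
    print("relayed as", gw.outbound(REQUEST))
    print("reply delivered to", gw.inbound(Packet(WEB, 80, GATEWAY_ADDR, 50000)))
    print("unsolicited ->", gw.inbound(Packet(ATTACKER, 4444, GATEWAY_ADDR, 50001)))
```

The web server sees 203.0.113.1:50000, never 10.1.0.20, and an outside host that guesses a gateway port still gets nothing unless it is the exact peer the inside host connected to. Note that the gateway relays whatever the inside host sends on an approved circuit; as the section says, it never looks at the payload.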
Comparison between different firewalls:
Firewall type and cost vary with the size of the organization and the kind of access required. My investigation is based on a medium-sized company. Modern firewalls are very advanced pieces of equipment that combine many functions in one device, e.g. IDS and IPS.
Hardware firewall
  Filters on IP address: many different products are available; depending on the model it can filter on IP address.
  Filters on port: yes.
  Direction: incoming or outgoing traffic, depending on the security policy.
  Management: mostly proprietary devices, so the network administrator must learn to manage the specific product.
  Example product: Cisco ACE 4710 HARDWARE-0.5GBPS-100
  Cost: expensive, because it comes with a dedicated hardware device.

Software firewall
  Filters on IP address: yes.
  Management: easy to operate.
  Example product: Cisco PIX Firewall Software
  Cost: relatively cheaper than a hardware firewall.

Packet filtering firewall
  Filters on port: a basic packet filter cannot filter on ports.
  Direction: if configured to, it can check incoming, outgoing or both directions of traffic.
  Management: easy to operate.
  Example product: Netgear SRX5308-100EUS ProSafe Quad WAN Gigabit SSL VPN Firewall
  Cost: one of the basic types; can be found cheaply.

Stateful inspection firewall (row label not preserved in the source table; inferred from the report's order of types)
  Example product: Cisco ASA 5505 Security appliance – Unlimited Firewall Edition Bundle
  Cost: expensive, but provides a good level of protection.

Application level firewall
  Management: easy to manage through a GUI-based interface.
  Example product: SonicWALL NSA 220
  Cost: expensive, but provides a good level of protection.

Circuit level firewall
  Management: easy to manage through a GUI-based interface.
  Example product: Cisco ASA 5505 Firewall Edition Bundle – security appliance
  Cost: expensive, but provides a good level of protection.
Recommendation and Implementation:
Firewall design principles:
The first thing to remember is that a firewall is only as good as its configuration. Before buying a firewall and placing it in the network you should be able to answer the following questions:
What type of network is it, and what are the network's requirements?
What kind of information is held on the network?
What level of protection is required?
Where should the firewall be placed in the network?
There are many places a firewall can go in a network. The following part of the report explains the main placement options.
Bastion host:
A bastion host is a computer system on the network, especially on the local area network, that is normally installed behind the first firewall. In this design all traffic has to go through it, and because all communication of the private LAN passes through it, it is hardened against attacks from outside: it runs a secured version of its operating system and records audit information.
The following figure shows the bastion host in the network: all traffic in or out of the private LAN passes through it.
Figure 11 Bastion host example [Ref: 13]
Host-based firewall:
A host-based firewall is designed to protect an individual host in the network. It is mostly used on servers and other important hosts to add another layer of defence. A host-based firewall normally comes with the operating system or, since it is software, can be bought and installed on the host.
This is a very effective way to protect individual hosts, because many attacks now originate inside the organization's network, and a firewall at the boundary cannot stop those. A host-based firewall defends the host against security violations and controls traffic according to its access rules; because it sits on the host itself it protects against both internal and external attacks. Another benefit is that it can be designed and configured for the specific host's requirements, since hosts on the network run different operating systems and have different needs, servers for example.
The disadvantage of a host-based firewall is that the host itself has to process each packet, which is CPU intensive and can slow the performance of that host.
The following figure shows each host on the network with its own host-based firewall, giving the individual host extra protection tailored to its needs.
Figure 12 Host based Firewall [Ref: 14]
Personal firewall:
A personal firewall is application software installed on a computer or host. Once activated it examines the traffic going in or out of that computer. The user controls it through a GUI application and configures the required level of security; it allows or denies traffic as defined by the user. Many free personal firewalls can be downloaded from the Internet; e.g. the free AVG antivirus comes with a basic personal firewall.
Remember also that it is designed to protect one host, so a personal firewall has to be installed on every host in the network. This does not scale well in a large network, which is why it is mostly used on personal computers in homes and small offices.
The following figure shows an example of the Norton personal firewall.
Figure 13 Personal Firewall Example [Ref: 15]
Firewalls in network design:
Many designs are available; here are some of the important ones:
Demilitarized Zone (DMZ) design:
The demilitarized zone (DMZ) is a special network segment placed between two networks. The DMZ design protects against both outside and inside attacks: the external firewall protects the network from the Internet and the internal firewall protects the private network from the DMZ and from inside attacks, with a semi-trusted area created between the two firewalls. Large organizations put the servers that outsiders need, such as web servers or file servers, in this area, so that authorized outside users can reach those servers without reaching the private network. In effect you create three zones:
Outside zone (Internet)
Intermediate zone (DMZ)
Inside zone (Private network)
You can see from the figure below that two firewalls are used to create the DMZ.
Figure 14 Firewall Implementation in DMZ design [Ref: 17]
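The three-zone design can be expressed as a zone-pair policy. The following Python example is added here as an illustration (not the report's code or any vendor's configuration); the 172.16.0.0/24 DMZ, the 10.1.0.0/16 inside network, the web and database server addresses and the permitted services are all constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

# Constructed addressing for the example: the DMZ and the inside network are
# private ranges; any address outside both is treated as the Internet.
ZONES = {
    "dmz": ip_network("172.16.0.0/24"),
    "inside": ip_network("10.1.0.0/16"),
}
WEB_SERVER = "172.16.0.10"   # assumed web server published in the DMZ
DB_SERVER = "10.1.5.20"       # assumed database the web server needs

# Zone-pair policy: (from zone, to zone) -> set of (proto, port) permitted.
# Pairs that are absent are denied; in particular internet -> inside is never
# listed, which is the whole point of the design.
ANY = frozenset({("any", 0)})
POLICY: Dict[Tuple[str, str], FrozenSet[Tuple[str, int]]] = {
    ("internet", "dmz"): frozenset({("tcp", 80), ("tcp", 443)}),
    ("inside", "dmz"): ANY,
    ("inside", "internet"): frozenset({("tcp", 80), ("tcp", 443), ("udp", 53)}),
}

# Host-specific exception on the internal firewall: only the web server may
# cross from the DMZ to the inside network, and only to the database port.
HOST_EXCEPTIONS = {
    (WEB_SERVER, DB_SERVER, "tcp", 3306),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def decide(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a new connection attempt between two hosts."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "permit", f"intra-zone traffic in {src_zone} is not filtered here"
    if (src, dst, proto, dport) in HOST_EXCEPTIONS:
        return "permit", "host-specific exception"
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no policy for {src_zone} -> {dst_zone}"
    if allowed is ANY or (proto, dport) in allowed:
        return "permit", f"{src_zone} -> {dst_zone} allows {proto}/{dport}"
    return "deny", f"{src_zone} -> {dst_zone} does not allow {proto}/{dport}"


if __name__ == "__main__":
    for attempt in (
        ("198.51.100.7", WEB_SERVER, "tcp", 443),   # customer reaching the web server
        ("198.51.100.7", DB_SERVER, "tcp", 3306),   # Internet straight to the database
        (WEB_SERVER, DB_SERVER, "tcp", 3306),       # web server to its database
        (WEB_SERVER, "10.1.5.21", "tcp", 3306),     # compromised web server roaming
        ("10.1.0.20", WEB_SERVER, "tcp", 22),       # admin managing the web server
    ):
        print(attempt, "->", decide(*attempt))
```

The value of the DMZ shows in the fourth case: even if the published web server is compromised, the internal firewall lets it reach exactly one inside host on one port, so the attacker does not inherit access to the private network.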
Fault tolerant firewall design:
The following design provides a fault-tolerant solution. Two firewalls are used: one in active mode (the main firewall) and the other in passive mode (the standby firewall). If the active firewall fails, the standby takes over. This is the best solution for providing both network security and redundancy; with a stateful firewall the standby must also receive the active unit's connection state, otherwise established sessions are dropped at failover.
Figure 15 Example of fault tolerant firewall implementation [Ref: 16]
Test the firewall:
Once the firewall is installed in the network you should always test how effective it is and what vulnerabilities it has. The firewall can be tested with network testing tools such as penetration testing tools and port scanners; these tools are available in BackTrack 5 for network testing. If you are able to attack your own network and bypass the firewall, the firewall is not effective: this is how you find the firewall's weaknesses so that you can fix them and resolve the network security issue.
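The following Python example is added here to show the kind of test the paragraph describes, using a plain TCP connect() scan rather than the BackTrack tools (it is not the report's code or a reimplementation of any tool). So that it can run offline, it starts its own listener on the loopback interface to stand in for a host behind the firewall; that listener and the scanned port range are constructed for the example.

```python
import socket
import threading
from typing import Dict, Iterable, List


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Start a TCP service on an ephemeral loopback port. It stands in for a
    host behind the firewall so the scan below can run without a network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed: stop the thread
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """TCP connect() scan: a completed three-way handshake means the port is
    reachable through whatever filtering sits between scanner and host.
    Refused or timed-out connections are reported as closed or filtered."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def scan_demo() -> Dict[str, object]:
    """Scan a small range around one live service, then close the service and
    scan again; the second result is what a correctly blocked port looks like
    to the scanner."""
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        before = connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    after = connect_scan("127.0.0.1", [port])
    return {"service_port": port, "open_before": before, "open_after": after}


if __name__ == "__main__":
    print(scan_demo())
```

Run the same scan from the outside interface of a real firewall and compare the result with the rule set: every port that answers but is not in the permit rules is a configuration error to fix. A connect scan is noisy and easily logged, which is fine for testing your own network but is also why attackers prefer stealthier techniques.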
Overall benefits and limitations of firewalls:
Benefits of using firewall in the Network:
Prevents unauthorized persons from entering the network.
Prevents sensitive information from being exposed to unauthorized hosts.
The flow of data between two networks or two hosts can be controlled.
By deep examination of the packets, specific protocols can be allowed or denied on the network.
Security policy rules can be configured to provide technical control.
Because all network traffic passes through the firewall, placing it at the edge of the network gives a single point of entry for all data, which makes it easy to manage the one controlled connection to the outside world.
Limitations of Firewalls:
As the firewall is the single point of entry for all traffic, a firewall failure disconnects the network from the Internet or from the other connected networks.
Some new attacks may not be detected by the firewall.
Hackers try to bypass firewalls by looking for weaknesses or vulnerabilities in the specific firewall and tailoring the attack to the type of firewall in use.
Placing a firewall at the network edge can slow network performance, because the firewall has to check every packet going in or out of the network.
If the firewall is configured incorrectly it may not stop attacks.
If the traffic is encrypted the firewall cannot inspect its contents.
No single firewall can be placed on the network to make it 100% secure, so do not rely on one firewall for every kind of protection. Use multiple protection devices, such as an IPS or IDS alongside the firewall, to defend against other attacks. Most important is to have a network security policy that all users agree to follow, and to configure the firewall devices according to that policy. The network administrator should review the firewall continually, because the threat level changes frequently. The best firewall reduces the risk of attacks and is easy to manage. Cost is another important point when selecting a firewall. Finally, network requirements, quality of service and performance should be the main considerations, because the firewall is the focal point for all traffic going in or out of the network: too many users or extra load on the firewall degrades the performance of the whole network. Consideration of the network's requirements is therefore the most important stage in selecting a firewall.