Firewall technology is used to counter information leaks, unauthorized access to data and disruptions in the operation of local networks.
Firewall technologies: description, advantages and disadvantages
Technically, a firewall is a software or hardware-software system that blocks unwanted traffic. Traffic passing through the firewall is allowed or blocked according to parameters set by the administrator.
These parameters include:
- IP addresses: packets are accepted or denied by source or destination address, and bans and permissions can also be expressed as lists of IP addresses;
- domain names of websites, which can be placed on a prohibited-traffic list (a plain packet filter sees only IP headers, so domain-based rules are enforced at the DNS or application layer);
- ports, whose blocking or permission regulates access to particular services and applications;
- protocols, so that the firewall denies or allows traffic of specific protocols.
These parameters can be applied individually or in various combinations.
Using a firewall solves a number of tasks in protecting computers and networks:
- restricting and controlling access to weakly protected services on network nodes;
- regulating the order in which services are accessed;
- logging and accounting of "external" and "internal" attempts to access devices;
- hindering the collection of information about the networks and devices behind it;
- presenting misleading information about the protected networks, for example by hiding their internal addressing.
However, a firewall also has a drawback: deploying it may require restructuring the network infrastructure. To avoid this, the network topology should be designed correctly in the early stages of building the information system.
The main purpose of a firewall is to protect information by filtering traffic.
Firewall types
As mentioned above, firewalls come in software, hardware and hardware-software versions.
Software firewalls are special software installed on computers to protect them and their networks from external threats. As a rule, such firewalls are found in small offices or on corporate computers used outside the office.
Software firewalls have a number of advantages: a good level of protection not only against external but also against internal threats; the ability to delimit segments of the local network without dividing it into subnets; broad functionality (load balancing, IDS/IPS and other useful tools). In addition, a software firewall can be deployed on an existing server.
Hardware-software firewall systems (security appliances) take the form of dedicated devices running FreeBSD- or Linux-based operating systems, or of modules added to standard network equipment (for example, Juniper switches and routers). The narrow specialization of such devices economically justifies their use.
Hardware-software systems have the following advantages:
- higher performance, because the operating system is tuned for one specific function;
- ease of management, with control of the security appliance possible both through legacy protocols (SNMP, Telnet) and secure ones (SSH, SSL/TLS); in practice Telnet and SNMPv1/v2c send credentials in cleartext, so management should be limited to SSH, HTTPS and SNMPv3;
- high fault tolerance and, as a result, a higher level of protection.
Firewalls are also classified into packet-filtering firewalls and application-level firewalls. A packet-filtering firewall inspects the information in packet headers (protocol type, source and destination IP addresses, source and destination port numbers) and, based on the result of the check, blocks or allows the traffic. The check is performed against the rules listed in an access control list (ACL); the list is evaluated top to bottom and the first matching rule usually decides, so the order of rules matters.
Application firewalls work differently: they block malicious requests using application-specific knowledge of the protocol, and they eliminate direct interaction between the two nodes, because the firewall terminates the client's connection and opens a new one to the server on its behalf. An application firewall can perform user-level authentication, log traffic and network events, and hide the IP addresses of local network hosts.
Application and packet firewalls can be used on their own or in combination.
Firewall types by filtering technology
Depending on the traffic-filtering technology used, firewalls are divided into several types:
- proxy servers (proxy firewalls) act as gateways that forward client requests to other network services on the clients' behalf. The main tasks of a proxy server are to provide client anonymity and to protect against network threats. A proxy can also modify responses for specific purposes. Using a proxy, an application-level firewall can be built with complete information about the application itself and partial information about the current connection. However, this technology has drawbacks: an application-level gateway (ALG) has difficulty proxying connectionless UDP protocols; the number of available services and the scalability are limited, because a separate proxy is needed for each individual service; and performance and fault tolerance are lower;
- stateful (session-aware) firewalls, which analyze the state of ports, protocols and connections. Based on this analysis, the firewall allows or blocks traffic using not only the rules created by the administrator but also context collected from earlier packets of the same connection (for example, an inbound reply is admitted only if the matching outbound request was seen);
- UTM (unified threat management) firewalls, which combine the functionality of a content filter, network attack protection (IPS) and anti-virus protection. UTM firewalls exist both as software and as hardware-software systems. In the second case, in addition to the central processor, they use extra processors dedicated to processing content (suspicious packets and archived files), high-speed network streams and TCP segments, encryption and network address translation, and to speeding up the IPS, anti-virus and data-loss-prevention services. The software components of such systems are responsible for building multi-level firewalls and for URL filtering and anti-spam support;
- next-generation firewalls (NGFW), which are designed to protect networks from attacking systems and from hosts infected with malware, recognize application types (rather than just ports) with an integrated IPS, inspect all kinds of traffic including application payloads, apply fine-grained traffic control at the application level, inspect SSL/TLS-encrypted traffic, and use continuously updated databases of application and threat descriptions.
In addition, there are NGFWs with active threat protection: besides the main NGFW tasks, they take context into account when handling high-risk resources, set policies and procedures for managing the system's operation on their own (allowing network attacks to be repelled quickly), and correlate events on hosts and on the network, which lets them detect suspicious activity and deflect malicious activity more efficiently.
Functionality of the modern firewalls
Modern firewalls perform deep analysis of network traffic and user sessions using threat-recognition policies: rules that determine the nature of a threat and the mechanism for responding to it. In doing so, the firewall considers various traffic parameters, including those of the application layer (L7); in particular, the source of the traffic, the volume of transferred files, the types of commands and patterns that repeat within packets are inspected.
An additional protection method in modern firewalls is inspection of HTTPS and other SSL/TLS-encrypted traffic. In this case the procedure consists of decrypting the traffic, checking it against the threats specified in the policy, and then re-encrypting it and sending it on to the recipient. This requires the firewall to act as a man-in-the-middle for its own users: clients must trust the firewall's CA certificate, and traffic protected by certificate pinning or client certificates cannot be inspected this way.
In addition, next-generation firewalls use intrusion prevention systems (IPS), which inspect traffic against a signature database, track suspicious activity and mitigate attacks, together with sandboxes: isolated environments in which potentially harmful content that was not caught by signature checks is executed. Sandboxes are virtual machines with a typical OS that reproduce how the files interact with a system.
These protection methods eliminate threats such as: potentially dangerous programs carried in traffic, in particular in files with active content (PDF, Word, Excel, PowerPoint documents); exploitation of vulnerabilities, whose criteria are also described in the signatures; and phishing emails, for which separate databases listing content-danger criteria are used.
Recommendations for setting up the firewalls
In practice, on Linux the firewall is configured with the command-line utility iptables, the standard control interface for the kernel's netfilter packet filter. To understand how this utility works, you need to know how its architecture is structured: the lowest level of iptables consists of rules (each made up of match conditions, an action, and counters that record how many packets and bytes the rule has matched); rules (in built-in or user-defined chains) are combined into chains; and chains grouped by one function form tables.
A user who needs to configure the firewall will mostly work with one of the iptables tables, filter, which is responsible for passing or blocking packets, and set rules for its three built-in chains: INPUT (traffic addressed to the router or host itself), OUTPUT (traffic originating from it) and FORWARD (traffic passing through the router).
There is one caveat when setting up a firewall: it is easy to lock yourself out. MikroTik's WinBox interface provides a Safe Mode button for this: press it, make the necessary changes to the filter table, and press it again to leave safe mode and keep them; changes take effect immediately, but are undone automatically if the connection to the router is lost before safe mode is left. Never disable the interface you are connected through or filter your own management packets, or the connection to the router will be interrupted and you will have to start over. iptables has no such button, so add the rules that admit your own session before switching the default policy to DROP, or schedule an automatic restore of the previous rule set.
There are two approaches to the policy itself: "everything that is not prohibited is allowed" (default allow) and "everything that is not allowed is prohibited" (default deny). Choose the option that suits the situation; for inbound traffic on a perimeter firewall, default deny is the norm.
For the firewall to work correctly, the user should:
- explicitly allow or block traffic for the management services (WinBox, SSH and, in some cases, WebFig), for DHCP and DNS on the external and internal interfaces, and for tunnels, OSPF, ICMP, NTP, Neighbor Discovery and SNMP. From this list, allow only what is actually needed and close the rest;
- apply to the traffic the conditions src/dst address, protocol, src/dst port, in/out interface and connection-state, and the actions accept (allowed), drop (forbidden, packet silently discarded) and reject (forbidden, with an error sent back to the sender as specified by reject-with).
To simplify the operation of the firewall, several addresses or interfaces can be combined into lists (address lists, interface lists) that are then referenced by a single rule.
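The following shell script is an added example, not part of the original article. It applies the default-deny approach, the accept/drop/reject actions and connection-state matching described above to a small Linux gateway using iptables: the rules form the packet-filter ACL from the classification section, evaluated top to bottom; the conntrack rules provide the stateful behaviour; management rules live in a user-defined chain (rules, chain, filter table); an ipset address list replaces repeated addresses; and a timed rollback imitates the Safe Mode button. The interface names, networks and backup path are hypothetical assumptions to adjust. Run without arguments it prints the commands instead of applying them; with FW_APPLY=1 it applies them (requires root, iptables and ipset).

```shell
#!/bin/sh
# Added example (not from the original article): default-deny IPv4 firewall
# for a small Linux gateway, built with iptables + ipset.
# Hypothetical assumptions, adjust to your network:
WAN="${WAN:-eth0}"                         # external (untrusted) interface
LAN="${LAN:-eth1}"                         # internal interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"      # internal network
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"  # hosts allowed to manage the gateway
BACKUP="${BACKUP:-/tmp/iptables.before}"   # rule set restored on rollback
IPT="${IPT:-iptables}"; IPSET="${IPSET:-ipset}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"; IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# Safe-mode equivalent: save the working rules and restore them automatically
# after N seconds unless the admin confirms the new set with `kill $ROLLBACK_PID`.
save_rules() { $IPT_SAVE > "$BACKUP"; }
schedule_rollback() {
  ( sleep "${1:-120}" && $IPT_RESTORE < "$BACKUP" ) >/dev/null 2>&1 &
  ROLLBACK_PID=$!
}

build_rules() {
  # 1. Start permissive: reset policies to ACCEPT and flush, so a re-run of
  #    this script can never cut off the session that is loading it.
  $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
  $IPT -F; $IPT -X; $IPT -t nat -F

  # 2. Address list: one set referenced by rules instead of repeated addresses.
  $IPSET create mgmt_hosts hash:net -exist
  $IPSET flush mgmt_hosts
  $IPSET add mgmt_hosts "$ADMIN_NET" -exist

  # 3. Stateful core: loopback, and anything belonging to a known connection.
  #    Replies to outbound traffic are admitted by conntrack, so no inbound
  #    high-port rules are needed (the weakness of a stateless filter).
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 4. Management services in their own chain (rules -> chain -> filter table).
  #    SSH only from the address list; any other attempt gets a TCP reset
  #    (reject, not drop) so admins see a clear failure; then the chain returns.
  $IPT -N MGMT_IN
  $IPT -A MGMT_IN -p tcp --dport 22 -m set --match-set mgmt_hosts src \
       -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A MGMT_IN -p tcp --dport 22 -j REJECT --reject-with tcp-reset
  $IPT -A MGMT_IN -j RETURN
  $IPT -A INPUT -i "$LAN" -j MGMT_IN

  # 5. Services offered to the internal network only: DHCP, DNS, NTP, ping.
  $IPT -A INPUT -i "$LAN" -p udp --sport 68 --dport 67 -j ACCEPT
  $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
  $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 123 -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

  # 6. Internal hosts may go out through the WAN (with NAT); nothing comes in.
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

  # 7. Log (rate-limited) what is about to be dropped: the accounting task.
  $IPT -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-IN: "
  $IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-FWD: "

  # 8. Default deny last, after every accept rule is already in place.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
}

if [ "${FW_APPLY:-0}" = "1" ]; then
  save_rules
  schedule_rollback 120
  build_rules
  echo "rules applied; confirm within 120 s with: kill $ROLLBACK_PID"
else
  IPT="echo iptables"; IPSET="echo ipset"   # dry run: print instead of apply
  build_rules
fi
```

After applying, `iptables -L INPUT -v -n` shows the per-rule packet and byte counters mentioned above, which is the quickest way to confirm that management traffic is hitting the MGMT_IN accept rule rather than the final LOG and the DROP policy. Note that no INPUT rule matches the WAN interface, so every unsolicited packet from outside falls through to the default-deny policy.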