Most of us have heard of firewalls, but do we understand the concepts that make them work? This week, Host Africa will take a look at some basic firewall concepts and try to make them a bit easier to understand.
Traditionally, there are two main types, with many variations in between: stateless and stateful. New-generation firewalls add a whole host of new kinds: Active (Dynamic) firewalls, Packet inspection firewalls (which include layer 7, content-aware, firewalls) and Zero-hour blocking firewalls, which use complicated heuristic algorithms to detect potentially harmful traffic.
Stateless firewalls
These firewalls are usually very basic and operate on either an “allow all, block list” or the better “block all, allow list” principle. What this means is that a list of ports/services is set up, and anything that is NOT on the list is blocked. The older “allow all, block list” approach no longer works, as there is no way of knowing what to block: attackers can come from any number of addresses and ports, and a modern server has many possible points of entry.
Blocking an active service port will deny that service to your users or audience and is pointless. Blocking a service you are not using is also pointless, as it should not be running in the first place. Stateless firewalls do not track the related inbound and outbound session data and thus almost always need to be more open than stateful firewalls.
Stateful firewalls
These firewalls are slightly more complex than the previous type. If your server requests a DNS record from a remote host on UDP port 53, the reply comes back to some random high-numbered port. This traffic is seen as “RELATED and ESTABLISHED” as it pertains to the same request and/or session, so on these firewalls you can allow “RELATED or ESTABLISHED” traffic to enter the server. Some firewalls automatically allow this type of traffic. Stateful firewalls can also translate external requests into internal ones, enabling Network Address Translation (NAT) or Port Address Translation (PAT), which is also known as MASQUERADE on Linux firewalls. This allows you to install your servers behind the firewall and then decide what is and is not allowed to and from your servers via ONE firewall.
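To make the stateless/stateful difference concrete, here is a toy packet filter (an added example, not code from the Host Africa post) that walks the DNS lookup described above through both kinds of filter. The addresses and port numbers are constructed, and the connection table is a simplified stand-in for the kernel's conntrack.

```python
from collections import namedtuple

# direction is "in" (towards the server) or "out" (from the server)
Packet = namedtuple("Packet", "proto src sport dst dport direction")

class StatelessFilter:
    """Block-all/allow-list filter: judges every packet on its own."""
    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow  # set of (proto, low_port, high_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            return "ACCEPT"
        for proto, low, high in self.inbound_allow:
            if pkt.proto == proto and low <= pkt.dport <= high:
                return "ACCEPT"
        return "DROP"

class StatefulFilter(StatelessFilter):
    """Same allow-list, plus a connection table so replies count as ESTABLISHED."""
    def __init__(self, inbound_allow):
        super().__init__(inbound_allow)
        self.conntrack = set()  # 5-tuples of flows the server itself opened

    def decide(self, pkt):
        if pkt.direction == "out":
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # A reply has source and destination swapped relative to the tracked flow
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"
        return super().decide(pkt)

# Constructed addresses from the documentation ranges; not from the original post
SERVER, RESOLVER, STRANGER = "198.51.100.10", "192.0.2.53", "203.0.113.7"

def dns_scenario(fw):
    """Return (decision on the DNS reply, decision on an unsolicited probe)."""
    query = Packet("udp", SERVER, 51234, RESOLVER, 53, "out")
    reply = Packet("udp", RESOLVER, 53, SERVER, 51234, "in")
    probe = Packet("udp", STRANGER, 4444, SERVER, 51234, "in")  # not a reply to anything
    fw.decide(query)
    return fw.decide(reply), fw.decide(probe)

if __name__ == "__main__":
    # Stateless must open the ephemeral range for DNS to work, which also lets the probe in
    print(dns_scenario(StatelessFilter({("udp", 1024, 65535)})))  # ('ACCEPT', 'ACCEPT')
    # Stateful needs no inbound allow-list entry and still drops the probe
    print(dns_scenario(StatefulFilter(set())))                     # ('ACCEPT', 'DROP')
```

The stateless filter only lets the reply in by opening every high port, which is exactly why the text says stateless firewalls end up more open than stateful ones.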
Dynamic or Active firewalls
These firewalls use the same sort of rulesets as the previous firewalls. The main difference is that they also have some mechanism to respond to threats and alter the rules accordingly. It may be as simple as inspecting a log file for failed logins and blocking the offending IP (as fail2ban does). On the other hand, it may involve inspecting data packets for malware/virus signatures and then blocking the sender of such data (Layer 7 firewalls). Some of the new-generation firewalls even establish a pattern of usage on a network and warn you if this pattern changes suddenly.
Dynamic firewalls usually detect, protect against and warn about attacks. These include Distributed Denial of Service (DDoS) attacks, port scanning (attempts to map your open ports) and break-in attempts such as brute force (multiple attempts to guess your passwords). All in all, they are very useful to have, but some firewalls can come with quite a hefty price tag as well.