Firewalls

The term firewall is adopted from the aircraft and auto engineering industries. In an aircraft or a car, a firewall is a physical barrier (literally a fireproof wall) between the cockpit and the passenger compartment, or between the engine compartment and the driver. In networking, a firewall is used in the same way — it exists between the network and the resources being protected.

An organization may use only a single firewall at its sole connection point to the Internet, or it may build a sophisticated, defense-in-depth arrangement of firewalls that gives some subnets more protection than others. It is also possible to establish internal zones and use firewalls to protect internal departments from each other.

Firewalls can be completely software-based and run on either an endpoint or on a server. They can also be hardware (or a hybrid of both). Nowadays, it is becoming quite common for vendors to make their firewalls available as virtual appliances.

Firewalls act as a first line of defense, which is both a benefit and a limitation: on their own they provide only perimeter defense. Firewalls are also simplistic in the sense that they decide on a yes/no basis (accept or deny) according to specific rules. Despite not being content oriented, strategically placing firewalls and creating a DMZ (demilitarized zone) for Internet-facing servers will help secure a network.

Where most firewalls differ is in how their rules are configured, that is, what the firewall does when traffic does not meet the specified criteria. In other words, firewalls differ not so much in their conceptual function as in how they are managed.

DMZ

We can visualize the layers of an organization’s network by looking at it as three distinct zones: 1.) the inside (or trusted) zone, also called the internal zone or enterprise zone; 2.) the outside (or untrusted) zone, or the Internet zone; and 3.) the basic security zone known as the demilitarized zone, or simply the DMZ.

A DMZ will serve as a buffer zone where one can conduct public services safely away from their private LAN. Firewalls are used to filter out malicious traffic and to prevent Internet users from gaining a deeper access into the private LAN. Any public facing servers, like a web server, will be contained within the DMZ. This will allow public access from external sources without compromising the private, internal zone assets. In addition to this, we can implement security controls within the DMZ to help monitor and analyze both incoming and outgoing traffic.

This diagram was made using draw.io

This design places a perimeter (front-end) firewall between the Internet and an initial router that leads to the web server, and a back-end firewall between that router and the private LAN. This segments the network safely. We can employ different sets of firewall rules for traffic between the Internet and the DMZ (the front-end firewall) and between the DMZ and the LAN (the back-end firewall): the first firewall only allows external traffic destined for the DMZ; the second firewall (facing the LAN) only allows specified DMZ traffic into the LAN.

Network Address Translation (NAT)

NAT translates internal addresses into external public addresses (and vice versa), and it greatly reduces the number of public IP addresses we need to lease from our ISP.

Without NAT, we would need one public IP address for each and every system. With NAT enabled, we can lease a much smaller set of public IP addresses to serve our organization, resulting in lower ISP costs.

NAT randomly assigns an available public IP address to each new internal client session; once the client's session ends, the public address returns to the pool of available addresses for the next session.
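The pool behaviour just described, as an added example written for this page (not the code of any real NAT implementation): a small dynamic-NAT pool that lends a public address per internal session, returns it when the session ends, and signals exhaustion when every leased address is in use. The public block and client addresses are constructed, and addresses are handed out in order rather than at random to keep the result predictable.

```python
from collections import deque
from ipaddress import ip_address, ip_network

class DynamicNatPool:
    """Dynamic NAT: each new internal session borrows a public address from
    the leased pool and gives it back when the session ends."""

    def __init__(self, public_pool: str):
        # Usable hosts of the public block leased from the ISP, as a FIFO queue
        # (a real device may pick at random; FIFO keeps this example deterministic).
        self.free = deque(ip_network(public_pool).hosts())
        self.active = {}  # private address -> public address currently mapped

    def translate(self, private_ip: str):
        """Map an internal client to a public address for a new session.
        Returns the public address, or None if the pool is exhausted."""
        private = ip_address(private_ip)
        if private in self.active:   # session already in progress, keep its mapping
            return self.active[private]
        if not self.free:            # every leased public address is in use
            return None
        public = self.free.popleft()
        self.active[private] = public
        return public

    def end_session(self, private_ip: str) -> bool:
        """Return the client's public address to the pool; False if no session existed."""
        public = self.active.pop(ip_address(private_ip), None)
        if public is None:
            return False
        self.free.append(public)
        return True

def demo():
    # Constructed values: 203.0.113.0/30 (TEST-NET-3) gives two usable public addresses.
    nat = DynamicNatPool("203.0.113.0/30")
    a = nat.translate("10.0.0.5")   # first leased address
    b = nat.translate("10.0.0.6")   # second leased address
    c = nat.translate("10.0.0.7")   # pool exhausted -> None
    nat.end_session("10.0.0.5")     # address returns to the pool
    d = nat.translate("10.0.0.7")   # now succeeds with the released address
    return [str(x) if x is not None else None for x in (a, b, c, d)]
```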

Note: Because IPv4 has a 32-bit address space (about 4 billion addresses), NAT has become essential in extending its viability. If every device on an IP network had to have a globally unique address, we would have run out a long time ago! The foreseeable exhaustion of IPv4 addresses is a major factor behind the IPv6 redesign (where NAT is done away with).

Firewall Actions

Any actions you allow may have security implications.

Pass, block, or reject.

The difference between block and reject is important. With block (or "filtered"), the incoming packet in question is silently discarded (and logged, if configured to do so); there is no indication to the sender that the packet did not reach its destination. With reject (or "closed"), a response is returned to the sender indicating that the packet(s) were not accepted. Adversaries can use this to their advantage, since a reject response confirms that a computer exists at the designated IP address. It is therefore generally recommended that traffic be blocked by default and rejected only in specific scenarios.

Configuring a firewall

For this example, I will be talking about the pfSense firewall, a current-generation product that has most of the functionality and options found in other firewall products on the market. pfSense relies on NAT to take an IP address from the private network and bind it to an address on the public network. Because NAT lets internal resources be reached over public networks, it is how organizations expose their internal servers to the Internet.

When configuring a firewall, documenting the configuration choices in advance and carefully considering each one in its proper context will let you build on each decision made.

The first consideration when planning the configuration of a firewall is the order of your rule lists. Defining firewall rules is similar to defining Access Control Lists (ACLs): both are simple lists of rules evaluated in order, so if two rules conflict, the first rule in the list is the one applied.

The second consideration is whether or not you want the firewall to be default permissive (everything is allowed by default) or default restrictive (everything is denied by default). Generally speaking, a permissive firewall is going to make users happier because everything they may wish to do will be allowed by default – and rules only exist to combat known security issues. The restrictive approach says that by default, everything is restricted unless it is specifically allowed. I would say this is definitely the preferred approach from a security standpoint (though perhaps much to the chagrin of users).

pfSense applies the restrictive approach: any packet that is not explicitly noted to pass is blocked by default. As a packet reaches the firewall, it is evaluated against the rules in order and blocked if no rule explicitly allows it.
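To tie together the two-firewall DMZ design, the pass/block/reject actions and the ordered, default-restrictive evaluation, here is a small rule evaluator added for this page (it is not pfSense code; the DMZ/LAN addressing, the rule sets and the sample packets are all constructed). The last entry shows how reversing the front-end list lets a broad block rule shadow the HTTPS pass rule.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = namedtuple("Packet", "src dst proto dport")  # the fields a simple filter looks at

@dataclass(frozen=True)
class Rule:
    action: str           # "pass", "block" or "reject"
    src: str              # CIDR; "0.0.0.0/0" matches any source
    dst: str
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule wins; no match means block (default-restrictive). The second
    item is what the sender observes: nothing for pass/block, an error packet for reject."""
    for r in rules:
        if r.matches(p):
            return r.action, ("tcp-rst or icmp-unreachable" if r.action == "reject" else None)
    return "block", None

# Constructed addressing: DMZ 192.0.2.0/24 (web server .10), LAN 10.0.0.0/8 (database 10.0.0.20).
FRONT_END = [  # Internet -> DMZ only; the reject on port 80 would tell a sender a host is there
    Rule("pass", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    Rule("reject", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    Rule("block", "0.0.0.0/0", "192.0.2.0/24", "any", None),
]
BACK_END = [   # only specified DMZ traffic into the LAN
    Rule("pass", "192.0.2.10/32", "10.0.0.20/32", "tcp", 5432),
    Rule("block", "192.0.2.0/24", "10.0.0.0/8", "any", None),
]

def demo():
    https = Packet("198.51.100.7", "192.0.2.10", "tcp", 443)
    return {
        "https_in": evaluate(FRONT_END, https),
        "http_in": evaluate(FRONT_END, Packet("198.51.100.7", "192.0.2.10", "tcp", 80)),
        "internet_to_lan": evaluate(FRONT_END, Packet("198.51.100.7", "10.0.0.20", "tcp", 22)),
        "web_to_db": evaluate(BACK_END, Packet("192.0.2.10", "10.0.0.20", "tcp", 5432)),
        "web_to_lan_ssh": evaluate(BACK_END, Packet("192.0.2.10", "10.0.0.20", "tcp", 22)),
        "https_misordered": evaluate(list(reversed(FRONT_END)), https),  # block now shadows pass
    }
```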

Windows Firewall

The Windows Firewall is a personal firewall that filters incoming and outgoing traffic by blocking unauthorized traffic to the local computer. It can be configured with separate profiles based on whether the computer is connected to a network at the office, at home, or in a public location. Using Windows Firewall with Advanced Security, network traffic can be filtered based on AD users and groups, source and destination IP addresses, port numbers, or specific programs.

Firewall with Advanced Security on Windows Server 2016

By default, the Windows Firewall blocks traffic for several important services, such as FTP and ICMP.

In Conclusion

Despite not being content oriented, strategically placing firewalls and creating a DMZ for Internet-facing servers will help secure your network. A DMZ serves as a buffer zone where your Internet-facing services can interact with untrusted networks safely away from your internal zone. Placing and configuring firewalls to create a DMZ will help filter out malicious traffic and prevent untrusted users from gaining unauthorized access to your LAN.

Implementing security controls like an IDS/IPS within the DMZ will enable you to monitor network traffic at a critical ingress/egress point.

For incoming traffic, this means that malicious traffic from the Internet attempting to reach systems in your internal network can be detected in the DMZ before it is too late.

For outbound traffic (traffic leaving your network), the benefit of funneling it through the DMZ toward the Internet is that large volumes of data (or command-and-control traffic) attempting to leave your network can be detected and potentially prevented.