Firewall Firm is a Managed Cyber Security Company in India
Home » Tag: Stateful inspection

Tag Archives: Stateful inspection

Home » Tag: Stateful inspection

What is Firewall?

What is Firewall?

What is Firewall?

What is Firewall?

What is Firewall?

Firewall, What is Firewall? A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defense on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

How Does Firewall Work?

Introduction – What is Firewall?

A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevent attackers from accessing your servers in malicious ways.

This guide will discuss how firewalls work, with a focus on stateful software firewalls, such as iptables and FirewallD, as they relate to cloud servers. We’ll start with a brief explanation of TCP packets and the different types of firewalls. Then we’ll discuss a variety of topics that a relevant to stateful firewalls. Lastly, we will provide links to other tutorials that will help you set up a firewall on your own server.

TCP Network Packets

Before discussing the different types of firewalls, let’s take a quick look at what Transport Control Protocol (TCP) network traffic looks like.

TCP network traffic moves around a network in packets, which are containers that consist of a packet header—this contains control information such as source and destination addresses, and packet sequence information—and the data (also known as a payload). While the control information in each packet helps to ensure that its associated data gets delivered properly, the elements it contains also provides firewalls a variety of ways to match packets against firewall rules.

It is important to note that successfully receiving incoming TCP packets requires the receiver to send outgoing acknowledgment packets back to the sender. The combination of the control information in the incoming and outgoing packets can be used to determine the connection state (e.g. new, established, related) of between the sender and receiver.

What is firewall? Types of Firewalls

Let’s quickly discuss the three basic types of network firewalls: packet filtering (stateless), stateful, and application layer.

Packet filtering, or stateless, firewalls work by inspecting individual packets in isolation. As such, they are unaware of connection state and can only allow or deny packets based on individual packet headers.

Stateful firewalls are able to determine the connection state of packets, which makes them much more flexible than stateless firewalls. They work by collecting related packets until the connection state can be determined before any firewall rules are applied to the traffic.

Application firewalls go one step further by analyzing the data being transmitted, which allows network traffic to be matched against firewall rules that are specific to individual services or applications. These are also known as proxy-based firewalls.

In addition to firewall software, which is available on all modern operating systems, firewall functionality can also be provided by hardware devices, such as routers or firewall appliances. Again, our discussion will be focused on stateful software firewalls that run on the servers that they are intended to protect.

Firewall Rules

As mentioned above, network traffic that traverses a firewall is matched against rules to determine if it should be allowed through or not. An easy way to explain what firewall rules looks like is to show a few examples, so we’ll do that now.

Suppose you have a server with this list of firewall rules that apply to incoming traffic:

  1. Accept new and established incoming traffic to the public network interface on port 80 and 443 (HTTP and HTTPS web traffic)
  2. Drop incoming traffic from IP addresses of the non-technical employees in your office to port 22 (SSH)
  3. Accept new and established incoming traffic from your office IP range to the private network interface on port 22 (SSH)

Note that the first word in each of these examples is either “accept”, “reject”, or “drop”. This specifies the action that the firewall should do in the event that a piece of network traffic matches a rule. Accept means to allow the traffic through, reject means to block the traffic but reply with an “unreachable” error, and drop means to block the traffic and send no reply. The rest of each rule consists of the condition that each packet is matched against.

As it turns out, network traffic is matched against a list of firewall rules in a sequence, or chain, from first to last. More specifically, once a rule is matched, the associated action is applied to the network traffic in question. In our example, if an accounting employee attempted to establish an SSH connection to the server they would be rejected based on rule 2, before rule 3 is even checked. A system administrator, however, would be accepted because they would match only rule 3.

Default Policy

It is typical for a chain of firewall rules to not explicitly cover every possible condition. For this reason, firewall chains must always have a default policy specified, which consists only of an action (accept, reject, or drop).

Suppose the default policy for the example chain above was set to drop. If any computer outside of your office attempted to establish an SSH connection to the server, the traffic would be dropped because it does not match the conditions of any rules.

If the default policy were set to accept, anyone, except your own non-technical employees, would be able to establish a connection to any open service on your server. This would be an example of a very poorly configured firewall because it only keeps a subset of your employees out.

Incoming and Outgoing Traffic

As network traffic, from the perspective of a server, can be either incoming or outgoing, a firewall maintains a distinct set of rules for either case. Traffic that originates elsewhere, incoming traffic, is treated differently than outgoing traffic that the server sends. It is typical for a server to allow most outgoing traffic because the server is usually, to itself, trustworthy. Still, the outgoing rule set can be used to prevent unwanted communication in the case that a server is compromised by an attacker or a malicious executable.

In order to maximize the security benefits of a firewall, you should identify all of the ways you want other systems to interact with your server, create rules that explicitly allow them, then drop all other traffic. Keep in mind that the appropriate outgoing rules must be in place so that a server will allow itself to send outgoing acknowledgements to any appropriate incoming connections. Also, as a server typically needs to initiate its own outgoing traffic for various reasons—for example, downloading updates or connecting to a database—it is important to include those cases in your outgoing rule set as well.

Writing Outgoing Rules

Suppose our example firewall is set to drop outgoing traffic by default. This means our incoming accept rules would be useless without complementary outgoing rules.

To complement the example incoming firewall rules (1 and 3), from the Firewall Rules section, and allow proper communication on those addresses and ports to occur, we could use these outgoing firewall rules:

  1. Accept established outgoing traffic to the public network interface on port 80 and 443 (HTTP and HTTPS)
  2. Accept established outgoing traffic to the private network interface on port 22 (SSH)

Note that we don’t need to explicitly write a rule for incoming traffic that is dropped (incoming rule 2) because the server doesn’t need to establish or acknowledge that connection.

What is  firewall? Firewall Software and Tools

Now that we’ve gone over how firewalls work, let’s take a look at common software packages that can help us set up an effective firewall. While there are many other firewall-related packages, these are effective and are the ones you will encounter the most.

Iptables

Iptables is a standard firewall included in most Linux distributions by default (a modern variant called nftables will begin to replace it). It is actually a front end to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses the networking interface against a set of rules to decide what to do.

To learn how to implement a firewall with iptables, check out these links:

  • How To Set Up a Firewall Using IPTables on Ubuntu 14.04
  • How To Implement a Basic Firewall Template with Iptables on Ubuntu 14.04
  • How To Set Up an Iptables Firewall to Protect Traffic Between your Servers

UFW

UFW, which stands for Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.

To learn more about using UFW, check out this tutorial: How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.

FirewallD

FirewallD is a complete firewall solution available by default on CentOS 7 servers. Incidentally, FirewallD uses iptables to configure netfilter.

To learn more about using FirewallD, check out this tutorial: How To Configure FirewallD to Protect Your CentOS 7 Server.

If you’re running CentOS 7 but prefer to use iptables, follow this tutorial: How To Migrate from FirewallD to Iptables on CentOS 7.

Fail2ban

Fail2ban is an intrusion prevention software that can automatically configure your firewall to block brute force login attempts and DDOS attacks.

To learn more about Fail2ban, check out these links:

  • How Fail2ban Works to Protect Services on a Linux Server
  • How To Protect SSH with Fail2Ban on Ubuntu 14.04
  • How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04
  • How To Protect an Apache Server with Fail2Ban on Ubuntu 14.04

Conclusion

Now that you understand how firewalls work, you should look into implementing a firewall that will improve your security of your server setup by using the tutorials above.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. If you can’t start Windows Firewall or you are getting an error, use Microsoft free tool to diagnose and fix problems.

  • If you use a computer at home, the most effective and important first step you can take to help protect your computer is to turn on a firewall.
  • Windows 8, Windows 7, Windows Vista, and Windows XP SP2 or higher have a firewall built-in and turned on by default. (Note: Support for Windows XP ended in April 2014.)
  • If you have more than one computer connected in the home, or if you have a small-office network, it is important to protect every computer. You should have a hardware firewall (such as a router) to protect your network, but you should also use a software firewall on each computer to help prevent the spread of a virus in your network if one of the computers becomes infected.
  • If your computer is part of a business, school, or other organizational network, you should follow the policy established by the network administrator.

Automatically diagnose and fix problems with Windows Firewall

Follow these steps to automatically repair Windows Firewall problems:
 
    • Select the Download button on this page.
    • In the File Download dialog box, click Run or Open, and then follow the steps in the Windows Firewall Troubleshooter.
Notes
  • This troubleshooter might be in English only. However, the automatic fix also works for versions of Windows in other languages.
  • If you’re not on the computer that has the problem, save the troubleshooter to a flash drive or a CD, and then run it on the computer that has the problem.
Download
What it fixes
    • Windows Firewall isn’t the default firewall
    • Windows Firewall doesn’t start
    • Windows couldn’t start Windows Firewall (Service-specific error 5 (0x5))
    • Remote Assistance isn’t working because it’s blocked by Windows Firewall
    • You’re unable to access shared files and printers because sharing is blocked by Windows Firewall
    • BFE service is missing
    • Firewall won’t start (Error Code 80070424)
Runs on
    • Windows 7
    • Windows 8
    • Windows 8.1
    • Windows 10

What is firewall?

A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defence on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

What is firewall? How does a firewall work?

Firewalls work by inspecting data packets (small chunks of data) against an internal list of rules. Here are some of the more common ones:

  • IP addresses – filter out traffic from suspicious IPs
  • Domain names – block traffic from known malicious domains
  • Ports – deny traffic trying to enter through a certain port
  • Contents – block data packets containing certain keywords

A firewall scans the contents of the packet and then determines whether to let it through based on the rules in place. On a typical network setup, all connections to the Internet flow through the firewall. Meaning it inspects all inbound or outgoing packets.

How does firewall inspection work?

The process of inspection involves comparing a packet’s contents against the firewall’s set of rules. Depending on if the rule is setup as a blacklist or whitelist, it will react differently to a match.

  • A blacklist rule will block any packets which match the criteria.
  • A whitelist rule will block any packets which don’t match the criteria.

A firewall’s rules are highly configurable. Meaning you can make the packet inspection process unique to your security setup. Here are some examples of how you could use custom firewall rules:

  • Creating a whitelist for your own company IP. Preventing any outsiders from accessing what’s behind the firewall.
  • Making a blacklist for the IP of a known malicious file server. Stopping it from distributing malware onto your network.
  • Creating a whitelist for certain domain extensions (.com, .co.uk .edu e.t.c.) on outgoing traffic. Blocking staff from accessing potentially dangerous sites.

Why are firewalls important?

Firewalls are often compared to a lock on the door to your network. But it might be more accurate to say that a firewall is the door.

Without a firewall in place, any connection can flow freely in or out of your network. Including connections from known malicious sources. This means you could experience unauthorised access to networked files. Leading to a data breach, malware infection or worse.

You need a firewall to filter out the bulk of malicious connections. And there’s a lot of malicious connections. One study found that within 52 seconds of being online, servers were being probed by hackers. With an average rate of 757 connection attempts per hour.

Are firewalls hardware or software?

Firewalls can be either a hardware appliance or a piece of software which runs on a machine. So, the answer is both.

Not helpful, I know.

But the main difference between the two is this:

  • Software firewalls tend to protect the individual machine it’s installed upon, typically a laptop or PC
  • Hardware firewalls usually protect many machines or an entire network.

What types of firewall are there?

Circuit-level

Circuit level firewalls are a type of firewall that monitors transmission control protocol (TCP) handshaking. It ensures that the communication between packets is legitimate and not malicious.

Stateful inspection

A firewall with stateful inspection considers the state of current connections when filtering packets. This means that the firewall can block the packet in one case but allowed in another. Depending on the current state of the connection.

Unified threat management (UTM)

Whilst technically not a type of firewall, UTM is instead an advanced security appliance which combines the security functions of many different security appliances. One of these being a firewall. We have an article explaining everything you need to know about UTM if you wish to learn more.

What is a next-generation firewall?

A next-generation firewall (NGFW) contains all the normal defences that a traditional firewall has and more. The most common additions are intrusion prevention software and application control. But certain vendors have other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place.

Application control software sets up a hard filter for programs that can send or receive data over the Internet. This can either be done by blacklist (blocks any programs in the filter) or by whitelist (blocks any programs not in the filter).

What is deep packet inspection?

Deep Packet Inspection (DPI) is a type of packet inspection which analyses the full contents of a data packet. Instead of only information in a packet’s header (where it is coming from and going to).

This enables DPI to filter out malicious packets, such as viruses and trojans, with better accuracy. As rather than only looking at the sender and destination, the packet’s contents can be used in filters as well.

This allows DPI to uncover a broader range of security threats because it will discover packets with a malicious payload but an innocuous header.

Where did the name firewall come from?

A final piece of trivia: the name firewall originated from the real-world application of fire partitions used in buildings. These would be walls that were implemented into a building to act as a barrier to stop fire spreading from one room to another.

The similarity between a fire spreading through a building and a computer virus spreading through a network prompted the same name to be adopted for the network device.

Firewall

Firewall

Firewall

What is Firewall?

A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defence on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

How does a firewall work?

Firewalls work by inspecting data packets (small chunks of data) against an internal list of rules. Here are some of the more common ones:

  • IP addresses – filter out traffic from suspicious IPs
  • Domain names – block traffic from known malicious domains
  • Ports – deny traffic trying to enter through a certain port
  • Contents – block data packets containing certain keywords

A firewall scans the contents of the packet and then determines whether to let it through based on the rules in place. On a typical network setup, all connections to the Internet flow through the firewall. Meaning it inspects all inbound or outgoing packets.

How does firewall inspection work?

The process of inspection involves comparing a packet’s contents against the firewall’s set of rules. Depending on if the rule is setup as a blacklist or whitelist, it will react differently to a match.

  • A blacklist rule will block any packets which match the criteria.
  • A whitelist rule will block any packets which don’t match the criteria.

A firewall’s rules are highly configurable. Meaning you can make the packet inspection process unique to your security setup. Here are some examples of how you could use custom firewall rules:

  • Creating a whitelist for your own company IP. Preventing any outsiders from accessing what’s behind the firewall.
  • Making a blacklist for the IP of a known malicious file server. Stopping it from distributing malware onto your network.
  • Creating a whitelist for certain domain extensions (.com, .co.uk .edu e.t.c.) on outgoing traffic. Blocking staff from accessing potentially dangerous sites.

Why are firewalls important?

Firewalls are often compared to a lock on the door to your network. But it might be more accurate to say that a firewall is the door.

Without a firewall in place, any connection can flow freely in or out of your network. Including connections from known malicious sources. This means you could experience unauthorised access to networked files. Leading to a data breach, malware infection or worse.

You need a firewall to filter out the bulk of malicious connections. And there’s a lot of malicious connections. One study found that within 52 seconds of being online, servers were being probed by hackers. With an average rate of 757 connection attempts per hour.

Are firewalls hardware or software?

Firewalls can be either a hardware appliance or a piece of software which runs on a machine. So, the answer is both.

Not helpful, I know.

But the main difference between the two is this:

  • Software firewalls tend to protect the individual machine it’s installed upon, typically a laptop or PC
  • Hardware firewalls usually protect many machines or an entire network.

What types of firewall are there?

Circuit-level

Circuit level firewalls are a type of firewall that monitors transmission control protocol (TCP) handshaking. It ensures that the communication between packets is legitimate and not malicious.

Stateful inspection

A firewall with stateful inspection considers the state of current connections when filtering packets. This means that the firewall can block the packet in one case but allowed in another. Depending on the current state of the connection.

Unified threat management (UTM)

Whilst technically not a type of firewall, UTM is instead an advanced security appliance which combines the security functions of many different security appliances. One of these being a firewall. We have an article explaining everything you need to know about UTM if you wish to learn more.

What is a next-generation firewall?

A next-generation firewall (NGFW) contains all the normal defences that a traditional firewall has and more. The most common additions are intrusion prevention software and application control. But certain vendors have other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place.

Application control software sets up a hard filter for programs that can send or receive data over the Internet. This can either be done by blacklist (blocks any programs in the filter) or by whitelist (blocks any programs not in the filter).

What is deep packet inspection?

Deep Packet Inspection (DPI) is a type of packet inspection which analyses the full contents of a data packet. Instead of only information in a packet’s header (where it is coming from and going to).

This enables DPI to filter out malicious packets, such as viruses and trojans, with better accuracy. As rather than only looking at the sender and destination, the packet’s contents can be used in filters as well.

This allows DPI to uncover a broader range of security threats because it will discover packets with a malicious payload but an innocuous header.

Where did the name firewall come from?

A final piece of trivia: the name firewall originated from the real-world application of fire partitions used in buildings. These would be walls that were implemented into a building to act as a barrier to stop fire spreading from one room to another.

The similarity between a fire spreading through a building and a computer virus spreading through a network prompted the same name to be adopted for the network device.

What is a Firewall?

Sales Number : +91 9582 90 7788
Support Number : +91-9654016484
Sales Email : sales@itmonteur.net
Support Email : support@itmonteur.net

Register & Request Quote
Submit Support Ticket

Firewall Checklist

Firewall Hardening Checklist

Firewall Hardening Checklist

Firewall Hardening Checklist

This checklist should be used to audit a firewall. This checklist does not provide vendor specific security considerations but rather attempts to provide a generic listing of security considerations to be used when auditing a firewall.Only technical aspects of security are addressed in this checklist. Manual elements like physical protection for the firewall server is not considered.

Prior to using this checklist the following elements should be considered:

  • Operating system: This checklist only defines the security items relating the firewall software and not to any security elements of the operating system.
  • Port restrictions: A listing of ports to be restricted are highlighted in this checklist.However, prior to recommending that the ports be restricted, the auditor should ensure that the service associated with that port is not used by the business e.g.remote access via telnet. Where such situations exist this checklist attempts to provide alternate security options if the service is needed e.g. use SSH instead of Telnet.
  • Modems within the internal network: Modems within the internal network are the biggest threat to subvert a firewall and thus the auditor should ensure that there of 6are no modems within the internal network. It is senseless performing an audition the firewall when an even bigger threat exists via the modem. The auditor should perform war dialing to identify any modems within the internal network with tools like phone sweeper.
  • Application level firewalls: The inherent nature of application level firewalls require that the operating system be as secure as possible due to the close binding of these two components. Thus, the auditor should ensure that the security on the operating system is secure before evaluating the security offered by the application level firewall.
  • De fence in depth: It must be recognized that the firewall implementation is a notan end to itself to provide security. Thus, it is vital that the auditor evaluate the security of the other components like IDS, operating systems, web applications,IIS/Apache, routers and databases. Some organizations have opted for firewall network appliances, which are firewalls loaded onto operating systems which have their security already pre configured. In such instances, the auditor need only review the security of the firewall configuration instead of the operating system as well.
  • Rulesets: This checklist provides a listing of best practice rule sets to be applied.However, the organizational requirements may not need all of the rule sets. Fore.g. where an organization has a need to allow access via the internet to critical servers, the rule sets wound not include a deny rule to that internal IP address forthe critical server. Instead it may provide for allow access to HTTP 80 to the critical IP and deny all other traffic to the critical IP. It must be noted that some elements of the recommended rule sets have to be applied irrespective of business requirements e.g. blocking private addresses (RFC1918), illegal addresses, standard unroutables, reserved addresses, etc.
  • Laptop users: Most organizations use mobile laptops for telecommuting and on the road sales, etc. This provides a further vulnerability even if the organization operates a VPN. The hacker could easily gain access to the laptop when it is connected to the internet and download tools to the laptop that can become a problem when the laptop is again connected to the corporate network. In a VPN situation, the hacker with access to the remote station once the tunnel is connected, can access the corporate network. In such a circumstance, it is important for the auditor to determine if laptop usage occurs and to evaluate whether personal firewalls are installed on these laptops prior to usage. This checklist provides a generic set of considerations for personal firewalls, but it does not provide any product specific security recommendations.

Checklist

Checklist

Checklist

No. Security Elements
1. Review the rulesets to ensure that they follow the order as follows:
•   anti-spoofing filters (blocked private addresses, internal addresses
appearing from the outside)
•   User permit rules (e.g. allow HTTP to public webserver)
•   Management permit rules (e.g. SNMP traps to network
management server)
•   Noise drops (e.g. discard OSPF and HSRP chatter)
•   Deny and Alert (alert systems administrator about traffic that is
suspicious)
•   Deny and log (log remaining traffic for analysis)
Firewalls operate on a first match basis, thus the above structure is important
to ensure that suspicious traffic is kept out instead of inadvertently allowing
them in by not following the proper order.

 

2. Application based firewall
Ensure that the administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall. Alternatively some application level firewalls provide the functionality to log to intrusion detection systems. In such a circumstance ensure that the correct host, which is hosting the IDS, is defined in the application level firewall. Ensure that there is a process to update the application level firewall’s vulnerabilities checked to the most current vulnerabilities.Ensure that there is a process to update the software with the latest attack signatures.In the event of the signatures being downloaded from the vendors’ site, ensure that it is a trusted site.

In the event of the signature being e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information transmitted has not been modified en-route.

The following commands should be blocked for SMTP at the application level firewall:

  • EXPN (expand)
  • VRFY (verify)
  • DEBUG
  • WIZARD

The following command should be blocked for FTP:

  • PUT

Review the denied URL’s and ensure that they are appropriate for e.g. any URL’s to hacker sites should be blocked. In some instances organisations may want to block access to x-rated sites or other harmful sites. As such they would subscribe to sites, which maintain listings of such harmful sites. Ensure that the URL’s to deny are updated as released by the sites that warn of harmful sites.

Ensure that only authorised users are authenticated by the application level firewall.

3. Stateful inspection

Review the state tables to ensure that appropriate rules are set up in terms of source and destination IP’s, source and destination ports and timeouts. Ensure that the timeouts are appropriate so as not to give the hacker too much time to launch a successful attack.

For URL’s

  • If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organisation ensure that it is a trusted source.
  • If the URL is from a file, ensure that there is adequate protection for this file to ensure no unauthorised modifications.

Ensure that specific traffic containing scripts; ActiveX and java are striped prior to being allowed into the internal network.

If filtering on MAC addresses is allowed, review the filters to ensure that it is restricted to the appropriate MAC’s as defined in the security policy.

  1. Logging
    Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.
  2. Patches and updates
    Ensure that the latest patches and updates relating to your firewall product is tested and installed.
    If patches and updates are automatically downloaded from the vendors’ websites, ensure that the update is received from a trusted site.
In the event that patches and updates are e-mailed to the systems
administrator ensure that digital signatures are used to verify the vendor and
ensure that the information has not been modified en-route.
6. Location – DMZ
Ensure that there are two firewalls – one to connect the web server to the
internet and the other to connect the web server to the internal network.
In the event of two firewalls ensure that it is of different types and that dual
NIC’s are used. This would increase security since a hacker would need to
have knowledge of the strengths, weaknesses and bugs of both firewalls.
The rulesets for both firewalls would vary based on their location e.g. between
web server and the internet and between web server and the internal network.
7. Vulnerability assessments/ Testing
Ascertain if there is a procedure to test for open ports using nmap and whether
unnecessary ports are closed.
Ensure that there is a procedure to test the rulesets when established or
changed so as not to create a denial of service on the organisation or allow
any weaknesses to continue undetected.
8. Compliance with security policy
Ensure that the ruleset complies with the organisation security policy.
9. Ensure that the following spoofed, private (RFC 1918) and illegal addresses
are blocked:
Standard unroutables
• 255.255.255.255
• 127.0.0.0
Private (RFC 1918) addresses
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
Reserved addresses
• 240.0.0.0
Illegal addresses
• 0.0.0.0
UDP echo
ICMP broadcast (RFC 2644)
Ensure that traffic from the above addresses is not transmitted by the
interface.
10. Ensure that loose source routing and strict source routing (lsrsr & ssrr) are
blocked and logged by the firewall.
11. Port restrictions
The following ports should blocked:
Service Port Type Port Number
DNS Zone Transfers TCP 53
TFTP Daemon UDP 69
Link TCP 87
SUN RPC TCP & UDP 111
BSD UNIX TCP 512 – 514
LPD TCP 515
UUCPD TCP 540
Open Windows TCP & UDP 2000
NFS TCP & UDP 2049
X Windows TCP & UDP 6000 – 6255
Small services TCP & UDP 20 and below

 

Small services TCP & UDP 20 and below
FTP TCP 21
SSH TCP 22
Telnet TCP 23
SMTP (except external TCP 25
mail relays)
NTP TCP & UDP 37
Finger TCP 79
HTTP (except to external TCP 80
web servers)
POP TCP 109 &110
NNTP TCP 119
NTP TCP 123
NetBIOS in Windows NT TCP &UDP 135
NetBIOS in Windows NT UDP 137 & 138
NetBIOS TCP 139
IMAP TCP 143
SNMP TCP 161 &162
SNMP UDP 161 &162
BGP TCP 179
LDAP TCP &UDP 389
SSL (except to external TCP 443
web servers)
NetBIOS in Win2k TCP &UDP 445
Syslog UDP 514
SOCKS TCP 1080
Cisco AUX port TCP 2001
Cisco AUX port (stream) TCP 4001
Lockd (Linux DoS TCP &UDP 4045
Vulnerability)
Cisco AUX port (binary) TCP 6001
Common high order TCP 8000, 8080, 8888
HTTP ports
  1. Remote access
    If remote access is to be used, ensure that the SSH protocol (port 22) is used instead of Telnet.
  2. File Transfers
    If FTP is a requirement, ensure that the server, which supports FTP, is placed in a different subnet than the internal protected network.
  3. Mail Traffic
    Ascertain which protocol is used for mail and ensure that there is a rule to block incoming mail traffic except to internal mail.
  4. ICMP (ICMP 8, 11, 3)
    Ensure that there is a rule blocking ICMP echo requests and replies.
    Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.
  5. IP Readdressing/IP Masquerading
    Ensure that the firewall rules have the readdressing option enabled such that internal IP addresses are not displayed to the external untrusted networks.
  6. Zone Transfers
    If the firewall is stateful, ensure packet filtering for UDP/TCP 53. IP packets for UDP 53 from the Internet are limited to authorised replies from the internal network. If the packet were not replying to a request from the internal DNS server, the firewall would deny it. The firewall is also denying IP packets for TCP 53 on the internal DNS server, besides those from authorised external secondary DNS servers, to prevent unauthorised zone transfers.
  7. Egress Filtering
    Ensure that there is a rule specifying that only traffic originating from IP’s within the internal network be allowed. Traffic with IP’s other than from the Internal network are to be dropped.
    Ensure that any traffic originating from IP’s other than from the internal network are logged.
  8. Critical servers
    Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources. This rule is based on the organisational requirements, since some organisations may allow traffic via a web application to be routed via a DMZ.
  9. Personal firewalls
    Ensure that laptop users are given appropriate training regarding the threats, types of elements blocked by the firewall and guidelines for operation of the personal firewall. This element is essential, since often times personal firewalls rely on user prompt to respond to attacks e.g. whether to accept/deny a request from a specific address.
    Review the security settings of the personal firewall to ensure that it restricts access to specific ports, protects against known attacks, and that there is adequate logging and user alerts in the event of an intrusion.
    Ensure that there is a procedure to update the software for any new attacks that become known.
    Alternatively most tools provide the option of transferring automatic updates via the internet. In such instances ensure that updates are received from trusted sites.
  10. Distributed firewalls Ensure that the security policy is consistently distributed to all hosts especially when there are changes to the policy. Ensure that there are adequate controls to ensure the integrity of the policy during transfer, e.g. IPSec to encrypt the policy when in transfer. Ensure that there are adequate controls to authenticate the appropriate host. Again IPSec can be used for authentication with cryptographic certificates.
  11. Stealth Firewalls Ensure that default users and passwords are reset. Ensure that the firewall is appropriately configured to know which hosts are on which interface. Review the firewall access control lists to ensure that the appropriate traffic is routed to the appropriate segments. A stealth firewall does not have a presence on the network it is protecting and it makes it more difficult for the hacker to determine which firewall product is being used and their versions and to ascertain the topology of the network.
  12. Ensure that ACK bit monitoring is established to ensure that a remote system cannot initiate a TCP connection, but can only respond to packets sent to it.
  13. Continued availability of Firewalls: Ensure that there is a hot standby for the primary firewall.

For More Details, Please contact us on

Sales Number : +91 9582 90 7788
Support Number : +91-9654016484
Sales Email : sales@itmonteur.net
Support Email : support@itmonteur.net

Register & Request Quote
Submit Support Ticket

Firewall

Firewall

Firewall,What is a Firewall?,Defined,Explained,Explored What is Firewall?,Fire Wall,How Firewall Technology Works?,Firewall - Computer Network Security System

Firewall,What is a Firewall?,Defined,Explained,Explored What is Firewall?,Fire Wall,How Firewall Technology Works?,Firewall – Computer Network Security System

What is Firewall?

A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defence on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

How does a firewall work?

Firewalls work by inspecting data packets (small chunks of data) against an internal list of rules. Here are some of the more common ones:

  • IP addresses – filter out traffic from suspicious IPs
  • Domain names – block traffic from known malicious domains
  • Ports – deny traffic trying to enter through a certain port
  • Contents – block data packets containing certain keywords

A firewall scans the contents of the packet and then determines whether to let it through based on the rules in place. On a typical network setup, all connections to the Internet flow through the firewall. Meaning it inspects all inbound or outgoing packets.

How does firewall inspection work?

The process of inspection involves comparing a packet’s contents against the firewall’s set of rules. Depending on if the rule is setup as a blacklist or whitelist, it will react differently to a match.

  • A blacklist rule will block any packets which match the criteria.
  • A whitelist rule will block any packets which don’t match the criteria.

A firewall’s rules are highly configurable. Meaning you can make the packet inspection process unique to your security setup. Here are some examples of how you could use custom firewall rules:

  • Creating a whitelist for your own company IP. Preventing any outsiders from accessing what’s behind the firewall.
  • Making a blacklist for the IP of a known malicious file server. Stopping it from distributing malware onto your network.
  • Creating a whitelist for certain domain extensions (.com, .co.uk .edu e.t.c.) on outgoing traffic. Blocking staff from accessing potentially dangerous sites.

Why are firewalls important?

Firewalls are often compared to a lock on the door to your network. But it might be more accurate to say that a firewall is the door.

Without a firewall in place, any connection can flow freely in or out of your network. Including connections from known malicious sources. This means you could experience unauthorised access to networked files. Leading to a data breach, malware infection or worse.

You need a firewall to filter out the bulk of malicious connections. And there’s a lot of malicious connections. One study found that within 52 seconds of being online, servers were being probed by hackers. With an average rate of 757 connection attempts per hour.

Are firewalls hardware or software?

Firewalls can be either a hardware appliance or a piece of software which runs on a machine. So, the answer is both.

Not helpful, I know.

But the main difference between the two is this:

  • Software firewalls tend to protect the individual machine it’s installed upon, typically a laptop or PC
  • Hardware firewalls usually protect many machines or an entire network.

What types of firewall are there?

Circuit-level

Circuit level firewalls are a type of firewall that monitors transmission control protocol (TCP) handshaking. It ensures that the communication between packets is legitimate and not malicious.

Stateful inspection

A firewall with stateful inspection considers the state of current connections when filtering packets. This means that the firewall can block the packet in one case but allowed in another. Depending on the current state of the connection.

Unified threat management (UTM)

Whilst technically not a type of firewall, UTM is instead an advanced security appliance which combines the security functions of many different security appliances. One of these being a firewall. We have an article explaining everything you need to know about UTM if you wish to learn more.

What is a next-generation firewall?

A next-generation firewall (NGFW) contains all the normal defences that a traditional firewall has and more. The most common additions are intrusion prevention software and application control. But certain vendors have other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place.

Application control software sets up a hard filter for programs that can send or receive data over the Internet. This can either be done by blacklist (blocks any programs in the filter) or by whitelist (blocks any programs not in the filter).

What is deep packet inspection?

Deep Packet Inspection (DPI) is a type of packet inspection which analyses the full contents of a data packet. Instead of only information in a packet’s header (where it is coming from and going to).

This enables DPI to filter out malicious packets, such as viruses and trojans, with better accuracy. As rather than only looking at the sender and destination, the packet’s contents can be used in filters as well.

This allows DPI to uncover a broader range of security threats because it will discover packets with a malicious payload but an innocuous header.

Where did the name firewall come from?

A final piece of trivia: the name firewall originated from the real-world application of fire partitions used in buildings. These would be walls that were implemented into a building to act as a barrier to stop fire spreading from one room to another.

The similarity between a fire spreading through a building and a computer virus spreading through a network prompted the same name to be adopted for the network device.

FAQ

Top Best Firewall Companies in India : Check Point. FortiGate. Palo Alto Networks. WatchGuard. Seqrite Firewall. Cisco Asa Firepower. Cisco PIX. Mcafee Firewall.
Firewalls provide protection against outside cyber attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet.
There are three basic types of firewalls that are used by companies to protect their data & devices to keep destructive elements out of network, viz. Packet Filters, Stateful Inspection and Proxy Server Firewalls. Let us give you a brief introduction about each of these.
A firewall is a security device — computer hardware or software — that can help protect your network by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on your computer.
Firewalls provide protection against outside cyber attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet.
A firewall is a protective measure that safeguards an individual's or company's computer network. It provides two basic security functions, including packet filtering, which inspects traffic at the packet level, and acting as an application proxy, providing security measures at the application level.

Firewall

Sales Number : +91 9582 90 7788
Support Number : +91-9654016484
Sales Email : sales@itmonteur.net
Support Email : support@itmonteur.net

Register & Request Quote
Submit Support Ticket

Read More »