An Overview of Firewall Functionality and Types

Photo Credit: Jason O’Halloran via Flickr CC

Firewalls are the forgotten heroes in the Internet of things. Often times users click away on the Internet, completely oblivious to what’s happening behind the scenes. If your firewall doesn’t provide alerts, you may not even know it just stopped malicious code from running on your device.

Protecting your sensitive data from cyber criminals has become increasingly important, and you owe it to yourself to learn a bit about the software that’s protecting you. Read on to learn how firewalls work, why you need them, and how to choose a setup that will best serve your needs.

What is a Firewall?

To put it in simple terms, a firewall is software that chooses to allow or deny both incoming and outgoing communication through your computer’s ports or local network. Although “hardware” firewalls exist, it’s important to remember that this is just a standalone device running firewall software. Firewalls filter traffic based on a variety of factors, including rules, IP address, connection state, and by referencing databases. Firewalls act as a bouncer, sending away traffic that doesn’t fit criteria.

Firewalls can also be used to filter out places that an administrator doesn’t want a user to go. For example, an admin may block Facebook or YouTube through firewall settings to prevent workers from breaking company policy on Internet usage. They may also filter out sites known to be sources of malware to deter users from accidentally downloading a virus. Firewalls, aren’t a catch all though. For example an e-mail containing a malicious attachment could slip through. Depending on your firewall type, you may be vulnerable to certain attacks.

What are the different types of Firewalls?

Firewalls protect you in a variety of ways.  Network Address Translation and proxy setups can hide your identity from those outside the network, but the main job of a firewall is to filter traffic. Filtration comes in five main firewall types:

• Packet Filtering: This is the grandfather of firewalls, and sometimes referred to as a stateless firewall. Packet filters basically inspect a packet, and determine whether or not it fits a rule set that will allow it to pass through the filter. For example, if there’s a rule allowing TCP port 80 traffic inbound/outbound you can communicate using HTTP services.  These are cheap, but require a bit of configuration, and they don’t examine entire packets.
• Stateful Filtering: This type of firewall still uses packet filtering, but now it also considers the connection state of a device. Initially the firewall inspects packets at the application layer, once a connection is established, the inspection on the application layer is no longer needed.  It performs most of its examinations between the Physical and Transport layers of the OSI model. Note that these can be vulnerable to man-in-the-middle attacks (IP spoofing).
• Application Layer Firewalls: Application layer firewalls filter by process instead of by port. They are useful in preventing attacks on processes like HTTP and SMTP, guarding against SQL injection, DDoS attacks, and more. These actually filter application level commands and fully inspect the packet. Of course, vendors need to keep pushing out updates for new protocols, and there may be some delay in this support, which could lead to potential exploits.
• Circuit Level Gateway: These work on the Session layer of the OSI model to confirm that TCP handshakes between packets are legit. This acts as a circuit for a proxy server and internal clients; and ensures that an external client doesn’t have any actual information about the server. There is potential for harmful information to get through to the proxy to the Internal client because these do not examine packet contents.
• Stateful Multilayer Inspection: These are a combination of packet filtering, circuit level gateways, and application layer firewalls. These are fairly complex, and could actually be more insecure than a simple firewall if you don’t have an admin who is knowledgeable about proper configuration.

What Happens If My Firewall Is Turned Off Or Configured Wrong?

Let me give you an example of what can happen when your firewall is turned off. It’s an old example (pre 2008!) but a fantastic one. Suppose you are a user on a Windows XP Service Pack 2 machine. There have been some new updates, but you haven’t had the time to let them run and are carrying out business as usual.

Normally the Windows firewall will protect your RPC (remote procedure call) interface. However, suppose your firewall is disabled for some reason; or file and printer sharing is enabled. At this point, if you are on the same network as me (or if I hacked into your network), I can control your machine because you have exploitable ports open and nothing to filter my traffic out.

By running a couple tools in Kali Linux, I can identify your computer on the network as running Windows XP. I might even be able to tell which service pack version you have. Furthermore I can see what ports are open. From here it’s just a matter of a few commands, and I can open a Meterpreter Shell on your PC. From here I can install a key logger, take a screen shot, copy files to my machine, and delete files them from your PC. I could even delete an entire System 32 file and wreck the computer.

Where this gets really scary is your Web Browser. If you saved passwords for any website, I can take them. Now think about this – how often have you reused that Facebook password? Is it used to access your bank account online? If it’s not the same, is it similar? Are you logged into your e-mail, giving me access to reset a password elsewhere?

As you can see, firewalls are a key piece to your network security setup. Had the operating systems firewall been on (and file/print sharing disabled), I could not have exploited this vulnerability!

Determine which firewall type and other security measures fit your needs

There is more to network security than simply having a firewall or two. You should staying up-to-date on operating system patches since these often contain security updates. (Keep in mind that if you administer a large network, you need to test those updates before deployment. If no testing occurs, you could wind up having a critical program that’s incompatible with the new update.)

Anti-spyware and anti-malware are also a critical pieces of the puzzle. Use anti-malware with active monitoring. Free anti-Malware/virus programs only help clean up the mess afterwards. The only way to ensure a virus is totally gone is by wiping everything and starting over. Typically, nonexecutable files like text files and pictures can be safely kept, but everything else should be replaced.

You should also consider running multiple hardware firewalls. A hardware firewall is a dedicated appliance that sits between your router and Internet connection. Running two inline firewalls from different companies can help in the event that one has an unknown exploit and it’s unlikely that the secondary firewall is vulnerable to the same attacks. In the event that one device fails, another can take over if you configure a fail-over setup with some firewall models. Some of these devices even offer what’s known as an active/active setup that performs load balancing while both are active.

What kind of firewall setup is right for you? A small office or home network can get away with whatever firewall came installed in your router, and the operating system’s firewall. Anything more increases complexity and cost, and you most likely don’t need further protection.

Midsize offices should have at minimum, packet filtering firewalls and standalone firewall devices like the Cisco ASA 5500X series. Having a dedicated firewall device provides a bit of extra security since it runs on it’s own operating system. Equally important, is that it works faster and keeps your network from slowing down, as they generally handle higher traffic loads than a router with a built in firewall.

Larger companies, I’m sure you have an IT team to consult with. Ask them what your current setup is and areas for improvement. If you host a webpage on your own server consider increasing your security to prevent things like SQL injection by adding application layer firewalls, and perhaps a proxy if funds permit.

When it comes to network security, you have nothing without a firewall. Although they can’t do everything, any other security measure is pointless without them. Hackers pick on easy targets, so take network security seriously.