Guilty until proven innocent. This is the principle behind firewall systems, which are designed to monitor and filter network traffic based on predefined policies.
Network security is a hard problem, but the goal of a firewall system is simple: reject all network traffic unless explicitly allowed. This seems a straightforward approach to keep anomalous traffic from infiltrating your IT network while allowing legitimate traffic to flow freely.
This simple concept is a challenge to implement. Enterprise IT networks consist of thousands of devices continuously communicating between each other. How do you create a security policy that encompasses all rules representing all forms of legitimate traffic requests? A variety of firewall systems allow you to filter unwanted traffic requests.
Let’s take a look.
How firewalls work
Firewall systems filter network traffic across several layers of the OSI network model. The most common applications cover:
- The data-link layer
- The network layer
- The transport layer
- The application layer
A high-level language may be used to describe the policy rules for filtering network traffic across these levels. The firewall filter acts as a boundary between two networks, with the assumption that the internal network devices are safe and must be protected from the outside network unless explicitly allowed to transfer.
All information transfer takes place through the firewall and is tested against the firewall policy.
Types of firewall systems
Let’s review how different types of firewall systems help achieve this network security goal:
Packet filtering firewall
A simple firewall system that checks:
- The source and destination IP addresses
- UDP and TCP protocols
- Access Control Lists (ACLs)
- Port addresses
All traffic that complies with the predefined rules is allowed to transfer through the device. In the case of Dynamic Packet Filtering, also known as a Stateful inspection firewall, these rules may apply for a specific time duration. The system evaluates only the protocol headers, not the message data in the network packets themselves. A basic packet filter applies its rules based only on the information available in the current packet, which means no contextual knowledge is available.
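The difference between a static packet filter and a dynamic (stateful) one is easiest to see in code. The following is an added example, not code from the original article: it models the default-deny evaluation described above, with the stateful variant remembering each allowed connection for a limited time so that its reply traffic passes without needing a rule of its own. The rule set, addresses and 30-second lifetime are constructed for the illustration.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example, not from the original article. A static filter decides on
# each packet alone; a dynamic (stateful) filter also remembers connections it has
# allowed, for a limited time, so reply traffic can pass without its own rule.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str            # CIDR, e.g. "10.0.0.0/8"
    dst_net: str
    proto: str
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


class StaticPacketFilter:
    """First matching rule wins; no match means deny (default-deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulPacketFilter(StaticPacketFilter):
    """Remembers allowed connections for `ttl` seconds and admits their replies."""

    def __init__(self, rules, ttl: float = 30.0, clock=time.monotonic):
        super().__init__(rules)
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be exercised deterministically
        self.table = {}             # 5-tuple of the allowed direction -> expiry time

    def decide(self, pkt: Packet) -> str:
        now = self.clock()
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        expiry = self.table.get(reverse)
        if expiry is not None:
            if now < expiry:
                self.table[reverse] = now + self.ttl   # refresh on activity
                return "allow"
            del self.table[reverse]                    # entry expired: fall back to the rules
        action = super().decide(pkt)
        if action == "allow":
            self.table[(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)] = now + self.ttl
        return action


# Constructed rule set: internal hosts may open HTTPS anywhere; anyone may reach the mail relay.
RULES = [
    Rule("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
    Rule("0.0.0.0/0", "10.0.0.5/32", "tcp", 25, "allow"),
]


def demo(clock=time.monotonic) -> dict:
    """Run one outbound HTTPS connection and its reply through both filter types."""
    static = StaticPacketFilter(RULES)
    stateful = StatefulPacketFilter(RULES, ttl=30.0, clock=clock)
    outbound = Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000)
    return {
        "static_out": static.decide(outbound),
        "static_reply": static.decide(reply),        # no rule admits inbound replies
        "stateful_out": stateful.decide(outbound),
        "stateful_reply": stateful.decide(reply),    # remembered connection
    }


if __name__ == "__main__":
    print(demo())
```

The static filter denies the server's reply because no rule describes inbound traffic to an ephemeral port; the stateful filter admits it because the outbound packet created a table entry, and once that entry's lifetime lapses the reply is again evaluated against the rules alone.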
Circuit level gateways
This system works at the Session Layer of the OSI model and determines whether the TCP handshaking between trusted servers and untrusted parties complies with the particular security rules of the session.
It acts as a proxy server between the external source and the internal destination server, creating a new connection with the remote host. For this connection, the gateway also changes the IP address to reflect its own instead of using the destination IP address.
Application Level gateway proxy firewall
This system inspects traffic at the Application layer of the TCP/IP stack. It works as a separate host with its own IP address, which intercepts the traffic request received by the network. The proxy firewall itself answers the connection request from the message source IP address with the Synchronize-Acknowledge (SYN-ACK) packet.
The transmission is divided into two steps: source-to-proxy and proxy-to-destination. At each stage, predefined rules are analyzed for security compliance. Unlike the circuit-level gateway, the Application Gateway does not replace the source IP address with its own when acting as a proxy.
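To make the contrast between the two proxy styles concrete, here is an added example that is not part of the original article. Both gateways complete the handshake with the client themselves and open a second connection toward the destination; the circuit-level gateway substitutes its own address on that second leg and relays the payload without looking at it, while the application-level gateway keeps the client address and checks the request at both stages. The gateway address, trusted networks, destination list and allowed HTTP methods are assumed policy values for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed example, not from the original article. Models the circuit-level
# and application-level gateways as functions over an intercepted connection.

GATEWAY_IP = "10.0.0.1"                                    # assumed gateway address
TRUSTED_NETS = ["10.0.0.0/8"]                              # assumed: clients allowed to use the proxy
ALLOWED_DESTINATIONS = {("mail.internal", 25), ("www.internal", 80)}   # assumed session policy
ALLOWED_METHODS = {"GET", "HEAD"}                          # assumed application policy


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_host: str
    dst_port: int
    handshake_complete: bool = False    # did the client finish the TCP handshake with the proxy?
    payload: bytes = b""


def _trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in TRUSTED_NETS)


def circuit_level_gateway(conn: Connection) -> Optional[Connection]:
    """Session-layer check only. Returns the onward connection the gateway opens,
    with the gateway's own IP as source, or None if the session is refused."""
    if not conn.handshake_complete:
        return None
    if not _trusted(conn.src_ip) or (conn.dst_host, conn.dst_port) not in ALLOWED_DESTINATIONS:
        return None
    return replace(conn, src_ip=GATEWAY_IP)     # payload relayed uninspected


def parse_http_request_line(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, target, version) from the first line, or None if malformed."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def application_level_gateway(conn: Connection) -> Optional[Connection]:
    """Stage 1 (source-to-proxy): may this client use the proxy at all?
    Stage 2 (proxy-to-destination): does the application request comply?
    The client's source address is preserved on the onward connection."""
    if not conn.handshake_complete or not _trusted(conn.src_ip):
        return None                                           # stage 1 failure
    req = parse_http_request_line(conn.payload)
    if req is None:
        return None                                           # not a well-formed request
    method, _target, _version = req
    if method not in ALLOWED_METHODS or (conn.dst_host, conn.dst_port) not in ALLOWED_DESTINATIONS:
        return None                                           # stage 2 failure
    return conn                                               # forwarded with client IP intact


if __name__ == "__main__":
    c = Connection("10.0.5.9", "www.internal", 80, True, b"GET /index.html HTTP/1.1\r\nHost: www.internal\r\n\r\n")
    print(circuit_level_gateway(c))
    print(application_level_gateway(c))
```

Run the module to see that the circuit-level result carries `10.0.0.1` as its source while the application-level result still shows the client's `10.0.5.9`; the same request with a method outside the allowed set is refused only by the application gateway, because the circuit-level gateway never reads the payload.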
Unified Threat Management (UTM) firewall
This system combines multiple firewall functions of stateful inspection devices, antivirus and spyware services, and intrusion prevention devices at the gateway. A central command controls traffic flow rules with a high-level visibility and control, bandwidth management and Quality of Service monitoring.
Next Generation Firewall (NGFW)
An advanced firewall mechanism that includes intelligence-based access control systems using:
- Stateful inspection
- Integrated intrusion prevention systems
- Filtering based on geolocation and reputation
- The ability to evolve and improve filtering capabilities
These are further enhanced by Threat-Focused NGFW systems that provide more control, contextual awareness, and intelligent automation, and reduce the complexity associated with enforcing security policies in large scale networks.
Distributed firewall
Unlike a traditional firewall, which assumes that one side of the network is trustworthy, distributed firewall systems define a central policy and enforce it at each endpoint, irrespective of the network topology.
A distributed firewall uses a policy language that describes the connection rules for devices and network states, translated into an internal format using a compiler. The policy is distributed to all network hosts by a system management tool. Network-level encryption is used to verify the identity of a traffic source. This means that there is no longer a single checkpoint for network security, and the network is not limited by the throughput, latency and speed of firewall devices.
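The compile-and-distribute step is the part of this design that is easiest to misunderstand, so here is an added example that is not code from the original article. A small central policy language is compiled into one ordered rule table per host; each host then enforces only its own table, which is what removes the single checkpoint. The rule syntax, the host inventory and the policy text are assumptions for this illustration, and source identity is taken from the IP address (the article notes that a real deployment verifies it with network-level encryption).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example, not from the original article. Central policy -> compiler ->
# per-host rule tables -> enforcement on each endpoint.

HOSTS = {"web1": "10.0.1.10", "db1": "10.0.2.20", "admin": "10.0.3.30"}   # assumed inventory

POLICY = """
# assumed central policy; comments start with '#'
allow tcp from any   to web1 port 443
allow tcp from web1  to db1  port 5432
allow tcp from admin to db1  port 22
deny  tcp from any   to db1  port any
"""

RULE_RE = re.compile(
    r"^(allow|deny)\s+(tcp|udp)\s+from\s+(\S+)\s+to\s+(\S+)\s+port\s+(\d+|any)$"
)


@dataclass(frozen=True)
class CompiledRule:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dport: Optional[int]        # None means any port


def _resolve(name: str) -> ipaddress.IPv4Network:
    """Turn a host name, 'any' or a CIDR into a network object."""
    if name == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if name in HOSTS:
        return ipaddress.ip_network(HOSTS[name] + "/32")
    return ipaddress.ip_network(name)


def compile_policy(text: str) -> Dict[str, List[CompiledRule]]:
    """Compile the policy text into one ordered rule list per destination host."""
    tables: Dict[str, List[CompiledRule]] = {host: [] for host in HOSTS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        action, proto, src, dst, port = m.groups()
        dport = None if port == "any" else int(port)
        rule = CompiledRule(action, proto, _resolve(src), dport)
        targets = list(HOSTS) if dst == "any" else [dst]
        for host in targets:
            if host not in tables:
                raise ValueError(f"line {lineno}: unknown host {dst!r}")
            tables[host].append(rule)
    return tables


def host_decide(table: List[CompiledRule], src_ip: str, proto: str, dport: int) -> str:
    """Enforcement on one endpoint: first matching rule wins, otherwise deny.
    The source identity used here is the IP address; in a real deployment the
    article's network-level encryption would be what vouches for it."""
    ip = ipaddress.ip_address(src_ip)
    for r in table:
        if r.proto == proto and ip in r.src_net and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


if __name__ == "__main__":
    tables = compile_policy(POLICY)       # this is what the management tool would push out
    for host, table in tables.items():
        print(host, [(r.action, r.proto, str(r.src_net), r.dport) for r in table])
    print(host_decide(tables["db1"], HOSTS["web1"], "tcp", 5432))
```

Each host receives only the rules whose destination is itself, so `admin` ends up with an empty table and denies everything by default, while `db1` admits the web tier on 5432 and the admin host on 22 and rejects every other TCP connection regardless of which path it took through the network.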
Signature-based detection
These systems monitor the traffic streams for anomalous behavior by evaluating signatures in the traffic. If these signatures include contents of a known cyberattack, the traffic is filtered. Like any antivirus system:
- The signature lists must be updated continuously.
- The firewall system may require learning capabilities to improve signature pattern recognition.
An evolution of this technique is the Rules-Based Detection mechanism, which evaluates not only the signatures but also the patterns within those signatures. Advanced AI algorithms may be used to give the firewall system a deductive reasoning capability.
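The two stages read naturally as code, so here is an added example that is not part of the original article: stage one matches byte signatures in each payload and drops traffic carrying a blocking signature, stage two applies rules over the sequence of signature hits from one peer, which is the "patterns within those signatures" the text describes. Every signature, rule and sample payload is a constructed placeholder for the illustration, not real attack content, and the signature list would have to be updated continuously in practice, as the text notes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed example, not from the original article. Stage 1: per-packet byte
# signatures. Stage 2: rules over the ordered hits seen from one peer address.


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    block: bool          # True: drop the packet on match; False: record the hit only


# Constructed placeholder signatures.
SIGNATURES = [
    Signature("test-probe", b"X-TEST-PROBE", block=True),
    Signature("login-failure", b"530 Login incorrect", block=False),
]


def scan_payload(payload: bytes) -> List[str]:
    """Names of all signatures found in one payload, in list order."""
    return [s.name for s in SIGNATURES if s.pattern in payload]


def signature_filter(payload: bytes) -> str:
    """Stage 1 decision for a single packet."""
    blocking = {s.name for s in SIGNATURES if s.block}
    return "drop" if any(name in blocking for name in scan_payload(payload)) else "pass"


# Stage 2: each rule looks at the ordered signature hits produced by one peer.
def rule_repeated_login_failures(hits: List[str], threshold: int = 3) -> bool:
    """Flag a peer once `threshold` login-failure hits have accumulated."""
    return hits.count("login-failure") >= threshold


def rule_probe_then_failures(hits: List[str]) -> bool:
    """Flag a probe signature followed later by any login failure from the same peer."""
    if "test-probe" not in hits:
        return False
    return "login-failure" in hits[hits.index("test-probe") + 1:]


RULES: List[Tuple[str, Callable[[List[str]], bool]]] = [
    ("repeated-login-failures", rule_repeated_login_failures),
    ("probe-then-failures", rule_probe_then_failures),
]


def evaluate(stream: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """stream: (peer_ip, payload) records of a flow, in arrival order, grouped by
    the remote peer regardless of direction. Returns the rules each peer triggered."""
    hits_by_peer: Dict[str, List[str]] = {}
    for peer, payload in stream:
        hits_by_peer.setdefault(peer, []).extend(scan_payload(payload))
    return {peer: [name for name, rule in RULES if rule(hits)]
            for peer, hits in hits_by_peer.items()}


# Constructed sample traffic: one peer probes and then fails login three times,
# another peer fails once.
SAMPLE_STREAM = [
    ("203.0.113.7", b"OPTIONS / HTTP/1.1\r\nX-TEST-PROBE: 1\r\n\r\n"),
    ("203.0.113.7", b"530 Login incorrect.\r\n"),
    ("198.51.100.9", b"530 Login incorrect.\r\n"),
    ("203.0.113.7", b"530 Login incorrect.\r\n"),
    ("203.0.113.7", b"530 Login incorrect.\r\n"),
    ("198.51.100.9", b"230 Login successful.\r\n"),
]

if __name__ == "__main__":
    print([signature_filter(p) for _, p in SAMPLE_STREAM])
    print(evaluate(SAMPLE_STREAM))
```

A single login failure is not a signature worth dropping on, so stage one only records it; it is the rule over the sequence of hits that separates the peer with a probe followed by three failures from the peer that simply mistyped a password once.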
So, which one of these techniques is the most effective firewall mechanism? That is a difficult question, but an important property of a fully secure firewall system is that it offers security without compromising the flexibility of the network to scale, while maintaining compliance with strict security policies.
This posting does not necessarily represent Splunk's position, strategies or opinion.