firewall - dwilson2547/wiki

Network Firewall: A Detailed Explanation

A network firewall is a security device (hardware or software) that monitors and controls incoming and outgoing network traffic based on predefined security rules. Firewalls act as a barrier between trusted internal networks and untrusted external networks (e.g., the internet), protecting against unauthorized access, cyberattacks, and malicious traffic.

1. Purpose of a Firewall
2. Types of Firewalls
3. How Firewalls Work
4. Firewall Deployment Architectures
5. Firewall Rules: Deep Dive
- 5.1. Rule Components
- 5.2. Example Rule Sets
  - Example 1: Basic Rule Set for a Perimeter Firewall
  - Example 2: Stateful Rule for Internal Firewall
6. Advanced Firewall Features
7. Firewall Logging and Monitoring
8. Common Firewall Policies
9. Firewall Limitations
10. Example: Firewall in Action
- Scenario: Protecting a Web Server
- Traffic Flow:
11. Firewall Vendors and Solutions
12. Best Practices for Firewall Management
13. Firewall vs. Other Security Devices

1. Purpose of a Firewall

Traffic Filtering: Blocks or allows traffic based on rules.
Network Security: Protects against unauthorized access, malware, and cyber threats.
Access Control: Enforces policies for which users or systems can access specific resources.
Logging and Monitoring: Tracks and logs network activity for auditing and analysis.

2. Types of Firewalls

2.1. Packet Filtering Firewall

How It Works:
- Operates at the Network Layer (Layer 3) and Transport Layer (Layer 4).
- Filters packets based on:
  - Source/Destination IP
  - Source/Destination Port
  - Protocol (TCP, UDP, ICMP)
Example:
- Block all incoming traffic on port 22 (SSH) except from a specific IP.
Pros:
- Fast and efficient.
- Low resource usage.
Cons:
- No deep packet inspection.
- Vulnerable to spoofing attacks.

2.2. Stateful Inspection Firewall

How It Works:
- Operates at Layer 3, 4, and 5.
- Tracks the state of active connections (e.g., TCP handshakes).
- Allows or blocks traffic based on the context of the connection (e.g., only allow responses to outbound requests).
Example:
- Allow outbound HTTP requests and only permit inbound responses to those requests.
Pros:
- More secure than packet filtering.
- Can detect and block suspicious traffic patterns.
Cons:
- Higher resource usage.
- More complex to configure.

2.3. Proxy Firewall (Application-Level Gateway)

How It Works:
- Operates at the Application Layer (Layer 7).
- Acts as an intermediary between internal and external systems.
- Filters traffic based on application-level data (e.g., HTTP requests, FTP commands).
Example:
- A proxy firewall can inspect HTTP traffic and block requests to malicious websites.
Pros:
- Deep inspection of application traffic.
- Can hide internal network details.
Cons:
- High resource usage.
- Can introduce latency.

2.4. Next-Generation Firewall (NGFW)

How It Works:
- Combines stateful inspection with deep packet inspection (DPI) and application awareness.
- Includes advanced features like:
  - Intrusion Prevention System (IPS)
  - SSL/TLS Inspection
  - User Identity Integration (e.g., Active Directory)
  - Advanced Threat Protection (e.g., sandboxing)
Example:
- Block traffic from specific applications (e.g., social media) or detect and block malware in real-time.
Pros:
- Comprehensive security features.
- Granular control over traffic.
Cons:
- Expensive and resource-intensive.
- Complex to configure and manage.

3. How Firewalls Work

3.1. Rule-Based Filtering

Firewalls use rules (or policies) to determine whether to allow or block traffic. Rules are typically evaluated in order (top-down), and the first matching rule is applied.

Example Rule Set:

1. Allow TCP port 80 (HTTP) from any source to 192.168.1.100
2. Allow TCP port 443 (HTTPS) from any source to 192.168.1.100
3. Block ICMP (ping) from external sources
4. Allow all outbound traffic
5. Block all other inbound traffic

3.2. Packet Inspection Process

Inbound Traffic:
- The firewall receives a packet.
- It checks the packet against its rule set.
- If the packet matches an allow rule, it is forwarded to the destination.
- If the packet matches a block rule, it is dropped.
- If no rules match, the firewall applies the default action (usually block).
Outbound Traffic:
- The firewall checks outbound packets against its rules.
- Example: Allow all outbound HTTP/HTTPS traffic but block P2P applications.
Stateful Tracking:
- For stateful firewalls, the firewall tracks the state of connections (e.g., TCP handshakes).
- Example: If an internal device initiates a TCP connection to an external server, the firewall allows return traffic for that connection.

3.3. NAT (Network Address Translation)

Many firewalls include NAT functionality to:

Hide internal IP addresses from external networks.
Share a single public IP among multiple internal devices.
Types of NAT:
- Static NAT: One-to-one mapping of internal to external IPs.
- Dynamic NAT: Maps internal IPs to a pool of external IPs.
- PAT (Port Address Translation): Maps multiple internal IPs to a single external IP using different ports.

4. Firewall Deployment Architectures

4.1. Network Perimeter Firewall

Placement: At the edge of the network, between the internal network and the internet.
Purpose: Protect the entire network from external threats.
Example:
- A firewall connected to the ISP’s router, filtering all inbound and outbound traffic.

4.2. Internal Firewall

Placement: Between internal network segments (e.g., between departments or DMZ and LAN).
Purpose: Control traffic between internal networks (e.g., HR and Finance).
Example:
- A firewall separating the DMZ (web servers) from the internal LAN.

4.3. Host-Based Firewall

Placement: Installed on individual hosts (e.g., servers, workstations).
Purpose: Protect the host from unauthorized access or malicious software.
Example:
- Windows Firewall or iptables on Linux.

4.4. Cloud Firewall

Placement: Deployed in cloud environments (e.g., AWS, Azure).
Purpose: Protect cloud-based applications and resources.
Example:
- AWS Security Groups or Azure Network Security Groups (NSGs).

5. Firewall Rules: Deep Dive

5.1. Rule Components

A typical firewall rule includes:

Source IP/Subnet: Where the traffic originates (e.g., 192.168.1.0/24).
Destination IP/Subnet: Where the traffic is headed (e.g., 10.0.0.100).
Protocol: TCP, UDP, ICMP, etc.
Source Port: Port number on the source (e.g., any or 80).
Destination Port: Port number on the destination (e.g., 443).
Action: Allow, block, or log.
Direction: Inbound or outbound.

5.2. Example Rule Sets

Example 1: Basic Rule Set for a Perimeter Firewall

Rule #	Source IP	Destination IP	Protocol	Source Port	Destination Port	Action	Direction
1	Any	192.168.1.100	TCP	Any	80	Allow	Inbound
2	Any	192.168.1.100	TCP	Any	443	Allow	Inbound
3	Any	Any	ICMP	Any	Any	Block	Inbound
4	192.168.1.0/24	Any	Any	Any	Any	Allow	Outbound
5	Any	Any	Any	Any	Any	Block	Inbound

Example 2: Stateful Rule for Internal Firewall

Rule #	Source IP	Destination IP	Protocol	Source Port	Destination Port	Action	State
1	10.0.0.0/24	10.0.1.0/24	TCP	Any	3389 (RDP)	Allow	Established
2	10.0.1.0/24	10.0.0.0/24	TCP	3389	Any	Allow	New
3	Any	Any	Any	Any	Any	Block	Any

6. Advanced Firewall Features

6.1. Deep Packet Inspection (DPI)

How It Works:
- Inspects the payload of packets (not just headers) to detect and block malicious content.
- Example: Blocking specific keywords, malware signatures, or application-layer attacks.
Use Case:
- Detecting and blocking SQL injection attacks in HTTP traffic.

6.2. Intrusion Prevention System (IPS)

How It Works:
- Monitors traffic for signatures of known attacks (e.g., DDoS, exploits).
- Can block or alert on suspicious activity.
Example:
- Blocking traffic matching a known exploit for a vulnerability in a web server.

6.3. VPN (Virtual Private Network) Support

How It Works:
- Firewalls often include VPN gateways to support secure remote access.
- Example: Allowing remote employees to connect to the internal network via IPsec or SSL VPN.

6.4. Application Control

How It Works:
- Identifies and controls traffic based on applications (e.g., Facebook, Dropbox).
- Example: Blocking social media applications during work hours.

6.5. User Identity Integration

How It Works:
- Integrates with Active Directory or LDAP to apply rules based on user identity.
- Example: Allowing only HR employees to access the HR database.

7. Firewall Logging and Monitoring

Logging:
- Firewalls log allowed and blocked traffic, including source/destination IPs, ports, and timestamps.
- Example: Logging all blocked inbound connection attempts.
Monitoring:
- Tools like SIEM (Security Information and Event Management) aggregate and analyze firewall logs for security incidents.
- Example: Alerting on repeated failed login attempts (brute-force attack).

8. Common Firewall Policies

8.1. Default Deny

Policy: Block all traffic by default and only allow explicitly permitted traffic.
Example:
- Block all inbound traffic except for HTTP/HTTPS to web servers.

8.2. Least Privilege

Policy: Grant the minimum access necessary for users or systems to perform their functions.
Example:
- Only allow database access to the database server, not to workstations.

8.3. DMZ (Demilitarized Zone)

Policy: Place publicly accessible servers (e.g., web, email) in a DMZ, a separate network segment with restricted access to the internal network.
Example:
- Web servers in the DMZ can receive traffic from the internet but cannot initiate connections to the internal LAN.

9. Firewall Limitations

Encrypted Traffic: Firewalls cannot inspect encrypted traffic (e.g., HTTPS, VPN) without SSL/TLS inspection.
Insider Threats: Firewalls may not detect malicious activity from internal users.
Complexity: Misconfigured firewalls can create security gaps or performance bottlenecks.
Performance: Deep packet inspection and advanced features can introduce latency.

10. Example: Firewall in Action

Scenario: Protecting a Web Server

Web Server IP: 192.168.1.100
Firewall Rules:
1. Allow inbound TCP port 80 (HTTP) and 443 (HTTPS) to 192.168.1.100.
2. Allow outbound traffic from 192.168.1.100 to the internet.
3. Block all other inbound traffic.
NAT Rule:
- Map public IP 203.0.113.5 to private IP 192.168.1.100 for inbound traffic.

Traffic Flow:

A user requests https://example.com.
DNS resolves example.com to 203.0.113.5.
The request arrives at the firewall on 203.0.113.5:443.
The firewall:
- Matches the request to the allow rule for TCP port 443.
- Translates the destination IP to 192.168.1.100 using NAT.
- Forwards the request to the web server.
The web server responds, and the firewall:
- Translates the source IP back to 203.0.113.5.
- Forwards the response to the user.

11. Firewall Vendors and Solutions

Vendor	Product Examples	Type
Cisco	ASA, Firepower NGFW	NGFW, Stateful
Palo Alto	PA-Series	NGFW
Fortinet	FortiGate	NGFW, UTM
Check Point	Check Point Next Generation Firewall	NGFW
Juniper	SRX Series	NGFW, Stateful
pfSense	pfSense (Open-Source)	Stateful, NGFW
Windows	Windows Defender Firewall	Host-Based
Linux	iptables, nftables, UFW	Host-Based

12. Best Practices for Firewall Management

Regular Updates: Keep firewall firmware and rules up to date.
Rule Review: Periodically review and clean up unused or outdated rules.
Logging and Monitoring: Enable logging and monitor for suspicious activity.
Testing: Test firewall rules to ensure they work as intended.
Backup: Maintain backups of firewall configurations.
Segmentation: Use firewalls to segment internal networks (e.g., separate HR and Finance).
Redundancy: Deploy firewalls in high-availability (HA) pairs to avoid single points of failure.

13. Firewall vs. Other Security Devices

Device	Primary Function	Layer
Firewall	Filters traffic based on rules	L3-L7
Router	Routes traffic between networks	L3
IDS/IPS	Detects and blocks intrusions	L4-L7
Proxy Server	Acts as an intermediary for requests	L7
Switch	Forwards traffic within a LAN	L2