Firewalls

  • There are different types of firewalls:

    • packet filters, stateful, application firewalls
    • can be software or hardware
  • Firewalls are designed to stop unauthorized traffic from one network to another

    • typically placed between trusted/untrusted networks
  • Goals:

    • all traffic should pass through firewall
    • only authorized traffic should be able to pass through (as defined by firewall policy)
    • firewall must be immune to penetration
  • Firewall actions:

    • accepted: connection is allowed through firewall
    • denied: not allowed to enter other side of firewall
    • rejected: similar to denied, but with an attempt to tell the source of the packet about the decision through an ICMP packet
  • Firewalls can inspect traffic from both directions:

    • ingress filtering: firewall protects internal network against attacks from outside
    • egress filtering: when firewall prevents outgoing traffic to certain destinations
    • VPN can bypass ingress/egress filtering
  • packet filters

    • distinguish allowed traffic based on packet headers
    • does not pay attention to whether packet is part of existing stream of traffic
    • simple but fast
  • stateful firewall

    • tracks the state of traffic by monitoring a connection's interactions until it is closed
    • retains packets until enough information is available to make a judgement about the state of the connection
    • there are many types of states; in the Linux kernel, connection tracking has the following:
      • new: connection is starting
      • established: connection established and two-way communication has occurred
      • related: special state to help establish relationship between different connections
      • invalid: for packets that do not follow expected behavior
    • connection state table is maintained to understand context of packets
    • more fine-grained filtering than packet filters
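    Putting the firewall actions (accept/deny/reject), the ingress/egress split, the stateless packet filter and the Linux-style connection states above together, here is an added Python example that is not part of these notes: a toy stateless filter beside a toy stateful firewall, both run over a constructed packet trace. The rule set (egress to 80/443, ingress to 22 only), the addresses and the simplified TCP state machine are assumptions for illustration; the RELATED state is omitted.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ACCEPT = "accept"   # connection is allowed through
    DENY = "deny"       # dropped silently
    REJECT = "reject"   # dropped, and the source is told via ICMP

class State(Enum):      # the conntrack states the notes list (RELATED omitted here)
    NEW = "new"
    ESTABLISHED = "established"
    INVALID = "invalid"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags on the packet, e.g. {"SYN"} or {"SYN", "ACK"}
    direction: str      # "in" = ingress (from the untrusted side), "out" = egress

def packet_filter(pkt):
    """Stateless filter: decides from this packet's headers alone (assumed rule set)."""
    if pkt.direction == "out" and pkt.dport in (80, 443):
        return Action.ACCEPT                     # egress: web traffic only
    if pkt.direction == "in" and pkt.dport == 22:
        return Action.ACCEPT                     # ingress: SSH only
    # Replies to outbound web traffic arrive from source port 80/443; a stateless filter
    # cannot tell a reply from an unsolicited packet, so it has to admit both.
    if pkt.direction == "in" and pkt.sport in (80, 443):
        return Action.ACCEPT
    return Action.REJECT

def policy(pkt, state):
    """Stateful rule set: only NEW connections are judged by address and port."""
    if state is State.INVALID:
        return Action.DENY                       # out-of-context packet: drop silently
    if state is State.ESTABLISHED:
        return Action.ACCEPT                     # accepted at open, accepted for the whole connection
    if pkt.direction == "out" and pkt.dport in (80, 443):
        return Action.ACCEPT
    if pkt.direction == "in" and pkt.dport == 22:
        return Action.ACCEPT
    return Action.REJECT                         # new connection outside policy: notify the source

class StatefulFirewall:
    """Connection state table keyed by the originator's (src, sport, dst, dport)."""
    def __init__(self):
        self.table = {}                          # key -> "syn_sent" | "established"

    @staticmethod
    def _keys(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport), (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def classify(self, pkt):
        k, rk = self._keys(pkt)
        if k in self.table:
            entry, reply = self.table[k], False  # same direction as the opening SYN
        elif rk in self.table:
            entry, reply = self.table[rk], True  # reply direction
        else:
            # No connection known: only a bare SYN may start one; anything else is out of context.
            return State.NEW if pkt.flags == {"SYN"} else State.INVALID
        if entry == "syn_sent":
            # Handshake in progress: the only legal next packet is the peer's SYN+ACK.
            return State.ESTABLISHED if reply and pkt.flags == {"SYN", "ACK"} else State.INVALID
        return State.ESTABLISHED                 # two-way traffic seen: either direction is fine

    def process(self, pkt):
        """Classify, apply the policy, and update the table only for accepted packets."""
        state = self.classify(pkt)
        action = policy(pkt, state)
        if action is Action.ACCEPT:
            k, rk = self._keys(pkt)
            if state is State.NEW:
                self.table[k] = "syn_sent"
            elif pkt.flags == {"SYN", "ACK"} and rk in self.table:
                self.table[rk] = "established"   # reply seen: handshake complete
            elif pkt.flags & {"FIN", "RST"}:
                self.table.pop(k if k in self.table else rk, None)  # connection closed
        return state, action

def run_scenario():
    """Constructed trace (not captured traffic); each row is
    (stateless decision, conntrack state, stateful decision)."""
    fw = StatefulFirewall()
    trace = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 443, frozenset({"SYN"}), "out"),
        Packet("192.0.2.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), "in"),
        Packet("10.0.0.5", 40000, "192.0.2.10", 443, frozenset({"ACK"}), "out"),
        # Unsolicited inbound packet from source port 443: no SYN was ever sent towards it.
        Packet("198.51.100.7", 443, "10.0.0.5", 40001, frozenset({"ACK"}), "in"),
        # Inbound connection attempt to a port the policy does not expose.
        Packet("198.51.100.7", 5555, "10.0.0.5", 3389, frozenset({"SYN"}), "in"),
        Packet("10.0.0.5", 40000, "192.0.2.10", 443, frozenset({"FIN", "ACK"}), "out"),
    ]
    return [(packet_filter(p), *fw.process(p)) for p in trace]
```

    The fourth row is the point of the comparison: the stateless filter accepts the unsolicited packet because it has to leave the reply ports open, while the stateful firewall finds no connection entry, classifies the packet as INVALID and drops it silently. The fifth row shows the rejected action for a new inbound connection outside policy, where a real firewall would send the ICMP notification; the last row closes the session and removes its table entry.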
  • application/proxy firewall

    • controls input/output and access to/from application or service
    • inspects network traffic up to the application layer to determine if it should be allowed to pass
    • application proxy firewall acts as an intermediary by impersonating the intended recipient: client connects to proxy and proxy connects to destination
    • can authenticate users directly rather than depending on network addresses
    • significantly slower than the other options and not suited for real-time/high-bandwidth applications
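    As an added example of the application-layer inspection just described (not code from these notes), the following Python functions play the decision side of an HTTP proxy firewall: they parse the request the client sent to the proxy, authenticate the user from the request itself rather than from the source address, and only then decide whether the proxy should open its own connection to the named host. The user table, the host and method allowlists, and the sample requests are constructed for illustration.

```python
import base64

# Constructed policy for illustration only: known users, reachable hosts, permitted methods.
USERS = {"alice": "s3cret"}
ALLOWED_HOSTS = {"intranet.example", "docs.example"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def parse_request(raw):
    """Parse an HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")  # non-ASCII bytes are not HTTP: raises
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def authenticate(headers):
    """Return the user name if Proxy-Authorization carries valid Basic credentials, else None."""
    scheme, _, blob = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:            # covers binascii.Error and UnicodeDecodeError
        return None
    return user if USERS.get(user) == password else None

def proxy_decision(raw):
    """One client request in, one verdict out: ('forward', host, port, user) or ('deny', reason).
    The proxy, not the client, would then connect to the destination."""
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError:
        return ("deny", "unparseable request")   # protocol misuse never reaches the server
    user = authenticate(headers)
    if user is None:
        return ("deny", "authentication required")
    if method not in ALLOWED_METHODS:
        return ("deny", f"method {method} not permitted")
    hostname, _, port = headers.get("host", "").partition(":")
    if hostname not in ALLOWED_HOSTS:
        return ("deny", f"host {hostname!r} not in allowlist")
    return ("forward", hostname, int(port) if port else 80, user)

def build_request(method, host, user=None, password=None):
    """Construct a minimal HTTP/1.1 request head (test input, not captured traffic)."""
    lines = [f"{method} /wiki HTTP/1.1", f"Host: {host}"]
    if user is not None:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {cred}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def run_samples():
    """Five constructed requests that look identical to a packet filter (same ports), judged at layer 7."""
    samples = [
        build_request("GET", "intranet.example", "alice", "s3cret"),
        build_request("GET", "intranet.example"),                      # no credentials
        build_request("GET", "untrusted.example", "alice", "s3cret"),  # host outside allowlist
        build_request("DELETE", "intranet.example", "alice", "s3cret"),
        b"\x16\x03\x01\x00\xa5\x01\x00\x00",                           # TLS ClientHello bytes, not HTTP
    ]
    return [proxy_decision(raw) for raw in samples]
```

    All five samples share the same transport headers, so a packet filter would treat them alike; the proxy separates them by user, method and destination, and the parse step also discards traffic that is not the protocol the port is meant for. The cost is visible in the code: every request is fully parsed and decoded before anything is forwarded, which is why the notes call this the slowest option.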