Unit 3 & Unit 4

next unit

Uploaded by

utsavnayak93

Firewall Design Principles

1. Developing Security Policy


A security policy is an essential part of firewall design. It is designed according to the
requirements of the company or client and determines which kinds of traffic are allowed to pass.
Without a proper security policy, it is impossible to restrict or allow a specific user or worker
in a company network or anywhere else. A properly developed security policy also states
what to do in case of a security breach. Without it, risk increases because security solutions
will not be properly implemented.
2. Simple Solution Design
If the design of the solution is complex, it will be difficult to implement. If the solution
is simple, it will be easier to implement. A simple design is also easier to maintain: we can
upgrade it in response to new threats while keeping its structure efficient and simple.
The problem that comes with complex designs is configuration errors, which open a path
for external attacks.
3. Choosing the Right Device
Every network security device has its purpose and its way of implementation. If we use the
wrong device for the wrong problem, the network becomes vulnerable. If an outdated
device is used for designing a firewall, it exposes the network to risk and is almost useless.
The design must be done first, and then the product requirements must be worked out;
if an already available product is instead forced to fit into a design, security becomes weak.
4. Layered Defense
In the modern world a network defense must have multiple layers, because if a single layer
of security is broken, the network is exposed to external attacks. A multilayer security design
can be set up to deal with different levels of threat. It gives an edge to the security design and
finally neutralizes the attack on the system.
5. Consider Internal Threats
When a lot of attention is given to safeguarding the network or device from external attacks,
security against internal attacks becomes weak, and most attacks are carried out internally
because internal access is easy and internal defenses are weakly designed. Different levels can
be set in network security while designing internal security. Filtering can be added to keep
track of the traffic moving from lower-level security to higher-level security.

DEFINITION: A firewall is hardware or software that protects a private computer or a
network of computers: it acts as a filter that keeps unauthorized users from
accessing private computers and networks. It is a vital component of network
security. It is the first line of defense for network security. It filters network packets
and stops malware from entering the user's computer or network by blocking access
and preventing the user from being infected.

Characteristics of Firewall

1. Physical Barrier: A firewall does not allow any external traffic to enter a
system or a network without its permission. A firewall creates a choke point
for all the external data trying to enter the system or network and
hence can easily block access if needed.
2. Multi-Purpose: A firewall has many functions other than security
purposes. It configures domain names and Internet Protocol (IP)
addresses. It also acts as a network address translator. It can act as a
meter for internet usage.
3. Flexible Security Policies: Different local systems or networks need
different security policies. A firewall can be modified according to the
requirement of the user by changing its security policies.
4. Security Platform: It provides a platform from which alerts about
security issues, and the fixing of those issues, can be accessed. All the queries
related to security can be kept under check from one place in a system or
network.
5. Access Handler: Determines which traffic needs to flow first according
to priority, which can change for a particular network or system. Specific action
requests may be initiated and allowed to flow through the firewall.

Need and Importance of Firewall Design Principles

1. Different Requirements: Every local network or system has its own threats
and requirements, which need different structures and devices. All this can
only be identified while designing a firewall. Accessing the current security
outline of a company can help to create a better firewall design.
2. Outlining Policies: Even once a firewall has been designed, a system or
network is not necessarily secure. New threats can arise, and if we
have proper paperwork of policies then the security system can be
modified again and the network will become more secure.
3. Identifying Requirements: While designing a firewall, data is collected about
threats, devices that need to be integrated, missing resources, and updates to the
security devices. All the information collected is combined to get the best
results. If even one of these things is misidentified, it leads to security issues.
4. Setting Restrictions: Every user has limitations on which levels of data
they can access or modify; these need to be identified and acted on
accordingly. After retrieving and processing data, priority is set for people,
devices, and applications.
5. Identify Deployment Location: Every firewall has its strengths, and to
get the most use out of it we need to deploy each of them at the right place
in a system or network. A packet filter firewall, for example, needs to be
deployed at the edge of your network, in between the internal network and
the web server, to get the most out of it.

Advantages of Firewall:

1. Blocks infected files: While surfing the internet we encounter many
unknown threats. Any friendly-looking file might have malware in it.
The firewall neutralizes this kind of threat by blocking file access to the
system.
2. Stop unwanted visitors: A firewall does not allow a cracker to break
into the system through a network. A strong firewall detects the threat and
then closes the possible loophole that can be used to penetrate through
security into the system.
3. Safeguard the IP address: A network-based firewall, like an internet
connection firewall (ICF), keeps track of the internet activities done on a
network or a system and keeps the IP address hidden so that it cannot be
used to access sensitive information against the user.
4. Prevents Email spamming: In email spamming, too many emails are sent to the
same address, leading to the server crashing. A good firewall blocks the
spammer source and prevents the server from crashing.
5. Stops Spyware: If a bug is implanted in a network or system, it tracks all
the data flowing and later uses it for the wrong purpose. A firewall keeps
track of all the users accessing the system or network, and if spyware is
detected it disables it.

Limitations:

1. Internal loose ends: A firewall cannot be deployed everywhere when it
comes to internal attacks. Sometimes an attacker bypasses the firewall
through a telephone line that crosses paths with a data line that carries
the data packets, or through an employee who unwittingly cooperates with an
external attacker.
2. Infected Files: In the modern world, we come across various kinds of
files through emails or the internet. Most of the files are executable under
the parameter of an operating system. It becomes impossible for the
firewall to keep track of all the files flowing through the system.
3. Effective Cost: As the requirements of a network or a system increase
with the level of threat, the cost of the devices used to build
the firewall increases. The maintenance cost of the firewall also
increases, making the overall cost of the firewall quite high.
4. User Restriction: Restrictions and rules implemented through a firewall
make a network secure, but they can make work less effective when it
comes to a large organization or a company. Even making a slight change
in data can require a permit from a person of higher authority, making work
slow. The overall productivity drops because of all of this.
5. System Performance: A software-based firewall consumes a lot of
a system's resources. Using the RAM and consuming the power supply
leaves very few resources for the rest of the functions or programs. The
performance of a system can experience a drop. A hardware firewall, on the
other hand, does not affect the performance of a system much,
because it is much less dependent on the system resources.

TYPES OF FIREWALL

1. Packet filtering firewall

Packet filtering firewalls operate inline at junction points where devices such as routers and
switches do their work. However, these firewalls don't route packets; rather they compare
each packet received to a set of established criteria, such as the allowed IP addresses, packet
type, port number and other aspects of the packet protocol headers. Packets that are flagged
as troublesome are, generally speaking, unceremoniously dropped -- that is, they are not
forwarded and, thus, cease to exist.

Packet filtering firewall advantages

• A single device can filter traffic for the entire network

• Extremely fast and efficient in scanning traffic

• Inexpensive

• Minimal effect on other resources, network performance and end-user experience


Packet filtering firewall disadvantages

• Because traffic filtering is based entirely on IP address or port information, packet
filtering lacks broader context that informs other types of firewalls

• Doesn't check the payload and can be easily spoofed

• Not an ideal option for every network

• Access control lists can be difficult to set up and manage

Packet filtering may not provide the level of security necessary for every use case, but there
are situations in which this low-cost firewall is a solid option. For small or budget-
constrained organizations, packet filtering provides a basic level of security that can provide
protection against known threats. Larger enterprises can also use packet filtering as part of a
layered defense to screen potentially harmful traffic between internal departments.

2. Circuit-level gateway

Using another relatively quick way to identify malicious content, circuit-level gateways
monitor TCP handshakes and other network protocol session initiation messages across the
network as they are established between the local and remote hosts to determine whether the
session being initiated is legitimate -- whether the remote system is considered trusted. They
don't inspect the packets themselves, however.

Circuit-level gateway advantages

• Only processes requested transactions; all other traffic is rejected


• Easy to set up and manage

• Low cost and minimal impact on end-user experience


Circuit-level gateway disadvantages

• If they aren't used in conjunction with other security technology, circuit-level
gateways offer no protection against data leakage from devices within the firewall

• No application layer monitoring

• Requires ongoing updates to keep rules current

While circuit-level gateways provide a higher level of security than packet filtering firewalls,
they should be used in conjunction with other systems. For example, circuit-level gateways
are typically used alongside application-level gateways. This strategy combines attributes of
packet- and circuit-level gateway firewalls with content filtering.

3. Application-level gateway

This kind of device -- technically a proxy and sometimes referred to as a proxy firewall --
functions as the only entry point to and exit point from the network. Application-level
gateways filter packets not only according to the service for which they are intended -- as
specified by the destination port -- but also by other characteristics, such as the HTTP request
string.

While gateways that filter at the application layer provide considerable data security, they
can dramatically affect network performance and can be challenging to manage.

Application-level gateway advantages

• Examines all communications between outside sources and devices behind the
firewall, checking not just address, port and TCP header information, but the
content itself before it lets any traffic pass through the proxy

• Provides fine-grained security controls that can, for example, allow access to a
website but restrict which pages on that site the user can open

• Protects user anonymity


Application-level gateway disadvantages

• Can inhibit network performance


• Costlier than some other firewall options

• Requires a high degree of effort to derive the maximum benefit from the gateway

• Doesn't work with all network protocols

Application-layer firewalls are best used to protect enterprise resources from web application
threats. They can both block access to harmful sites and prevent sensitive information from
being leaked from within the firewall. They can, however, introduce a delay in
communications.

4. Stateful inspection firewall

State-aware devices not only examine each packet, but also keep track of whether or not that
packet is part of an established TCP or other network session. This offers more security than
either packet filtering or circuit monitoring alone but exacts a greater toll on network
performance.

A further variant of stateful inspection is the multilayer inspection firewall, which considers
the flow of transactions in process across multiple protocol layers of the seven-layer Open
Systems Interconnection (OSI) model.
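
The difference between the packet filtering firewall described earlier and stateful inspection, as an added example that is not part of the original notes: the same HTTPS policy is applied once per packet on headers alone and once with session tracking. The addresses, the rule set and the simplified TCP state handling are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # hypothetical protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S"=SYN, "SA"=SYN-ACK, "A"=ACK, "PA"=PSH-ACK, "F"/"R"=teardown


def internal(addr):
    return ip_address(addr) in INTERNAL


def stateless_filter(pkt):
    """Packet filter: each packet is judged on its headers alone."""
    if internal(pkt.src) and pkt.dport == 443:
        return "ALLOW"                    # outbound HTTPS
    if internal(pkt.dst) and pkt.sport == 443:
        return "ALLOW"                    # rule meant for HTTPS replies
    return "DROP"


class StatefulFirewall:
    """Same policy, but inbound packets must belong to a tracked session."""

    def __init__(self):
        self.sessions = {}   # (client, client_port, server, server_port) -> state

    def inspect(self, pkt):
        if internal(pkt.src):                                   # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S" and pkt.dport == 443:
                self.sessions[key] = "SYN_SENT"
                return "ALLOW"
            verdict = "ALLOW" if key in self.sessions else "DROP"
        else:                                                   # inbound
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.sessions.get(key)
            if state == "SYN_SENT" and pkt.flags == "SA":
                self.sessions[key] = "ESTABLISHED"
                return "ALLOW"
            ok = state == "ESTABLISHED" and "S" not in pkt.flags
            verdict = "ALLOW" if ok else "DROP"
        if verdict == "ALLOW" and ("F" in pkt.flags or "R" in pkt.flags):
            self.sessions.pop(key, None)    # simplified teardown: forget the session
        return verdict


# Constructed sample traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),    # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),   # server answers
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A"),    # handshake completes
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "PA"),   # reply data
    Packet("198.51.100.77", 443, "10.0.0.9", 3389, "A"),    # unsolicited, source port 443
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "F"),    # client closes
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "PA"),   # late packet after close
]


def compare(traffic):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.inspect(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (a, b) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={a} stateful={b}")
```

The two verdict columns differ only for the packets that match the header rule without belonging to a session the internal host opened, which is the context the packet filter lacks.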

Stateful inspection firewall advantages

• Monitors the entire session for the state of the connection, while also checking IP
addresses and payloads for more thorough security

• Offers a high degree of control over what content is let in or out of the network

• Does not need to open numerous ports to allow traffic in or out

• Delivers substantive logging capabilities


Stateful inspection firewall disadvantages

• Resource-intensive and interferes with the speed of network communications

• More expensive than other firewall options

• Doesn't provide authentication capabilities to validate traffic sources aren't
spoofed

5. Next-generation firewall

A typical NGFW combines packet inspection with stateful inspection and also
includes some variety of deep packet inspection (DPI), as well as other network
security systems, such as an IDS/IPS, malware filtering and antivirus.

While packet inspection in traditional firewalls looks exclusively at the protocol
header of the packet, DPI looks at the actual data the packet is carrying. A DPI
firewall tracks the progress of a web browsing session and can notice whether a
packet payload, when assembled with other packets in an HTTP server reply,
constitutes a legitimate HTML-formatted response.

NGFW advantages

• Combines DPI with malware filtering and other controls to provide an
optimal level of filtering

• Tracks all traffic from Layer 2 to the application layer for more accurate
insights than other methods

• Can be automatically updated to provide current context


NGFW disadvantages

• In order to derive the biggest benefit, organizations need to integrate
NGFWs with other security systems, which can be a complex process

• Costlier than other firewall types

NGFWs are an essential safeguard for organizations in heavily regulated industries,
such as healthcare or finance. These firewalls deliver multifunctional capability,
which appeals to those with a strong grasp on just how virulent the threat
environment is. NGFWs work best when integrated with other security systems,
which, in many cases, requires a high degree of expertise.

ASYMMETRIC KEY CIPHERS:
Asymmetric key cryptosystems / public-key cryptosystems (like RSA, elliptic curve
cryptography (ECC), Diffie-Hellman, ElGamal, McEliece, NTRU and others) use a pair
of mathematically linked keys: public key (encryption key) and private key (decryption
key).
The asymmetric key cryptosystems provide key-pair generation (private + public key),
encryption algorithms (asymmetric key ciphers and encryption schemes like RSA-OAEP
and ECIES), digital signature algorithms (like DSA, ECDSA and EdDSA) and key
exchange algorithms (like DHKE and ECDH).
A message encrypted by the public key is later decrypted by the private key. A message
signed by the private key is later verified by the public key. The public key is typically
shared with everyone, while the private key is kept secret. Calculating the private key from
its corresponding public key is by design computationally infeasible.

Public-Key Cryptosystems
Well-known public-key cryptosystems are: RSA, ECC, ElGamal, DHKE, ECDH, DSA, ECDSA, EdDSA,
Schnorr signatures. Different public key cryptosystems may provide one or more of the following
capabilities:

• Key-pair generation: generate random pairs of private key + corresponding public
key.
• Encryption / decryption: encrypt data by public key and decrypt data by private key
(often using a hybrid encryption scheme).
• Digital signatures (message authentication): sign messages by private key and verify
signatures by public key.
• Key-exchange algorithms: securely exchange cryptographic key between two parties
over insecure channel.

The most important and most used public-key cryptosystems are RSA and ECC. Elliptic curve
cryptography (ECC) is the recommended and most preferable modern public-key
cryptosystem, especially with the modern highly optimized and secure curves (like
Curve25519 and Curve448), because of smaller keys, shorter signatures and better
performance.
The RSA public-key cryptosystem is based on the mathematical concept of modular
exponentiation (numbers raised to a power by modulus), along with some mathematical
constructions and the integer factorization problem (which is considered to be
computationally infeasible for large enough keys).
The elliptic-curve cryptography (ECC) cryptosystem is based on the math of the
algebraic structure of the elliptic curves over finite fields and the elliptic curve discrete
logarithm problem (ECDLP), which is considered to be computationally infeasible for large
keys. ECC comes together with the ECDSA algorithm (elliptic-curve digital signature
algorithm). ECC uses smaller keys and signatures than RSA and is preferred in most modern
apps. We shall discuss ECC and ECDSA later in detail, along with examples.
Most public-key cryptosystems (like RSA, ECC, DSA, ECDSA and EdDSA) are
quantum-breakable (quantum-unsafe), which means that (at least in theory) a powerful enough
quantum computer will be able to break their security and compute the private key from
a given public key in seconds.

RSA ALGORITHM
The RSA algorithm provides:

• Key-pair generation: generate random private key (typically of size 1024-4096 bits)
and corresponding public key.
• Encryption: encrypt a secret message (integer in the range [0...key_length]) using
the public key and decrypt it back using the secret key.
• Digital signatures: sign messages (using the private key) and verify message
signature (using the public key).
• Key exchange: securely transport a secret key, used for encrypted communication
later.

RSA can work with keys of different lengths: 1024, 2048, 3072, 4096, 8129, 16384 or
even more bits. Key lengths of 3072 bits and above are considered secure. Longer keys
provide higher security but consume more computing time, so there is a tradeoff between
security and speed. Very long RSA keys (e.g. 50000 bits or 65536 bits) may be too slow for
practical use, e.g. key generation may take from several minutes to several hours.

RSA Key Generation


Generating an RSA public + private key pair involves the following:

Using some non-trivial math computations from the number theory, find three very large integers e,
d and n, such that:

• $(m^e)^d \equiv m \pmod{n}$ for all $m$ in the range $[0 \ldots n)$

The integer number n is called "modulus" and it defines the RSA key length. It is typically a very large
prime number (e.g. 2048 bits).

The pair {n, e} is the public key. It is designed to be shared with everyone. The number e is called
"public key exponent". It is usually 65537 (0x010001).

The pair {n, d} is the private key. It is designed to be kept in secret. It is practically infeasible to
calculate the private key from the public key {n, e}. The number d is called "private key exponent"
(the secret exponent).
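
A toy run of the key generation just described, added here as an illustration and not taken from the original notes: it builds n as the product of two small primes p and q (the standard RSA construction), derives d from e, and checks the identity for every m in [0, n). The primes 263 and 269 and all function names are constructed for the example; this is unpadded textbook RSA with key sizes far too small for real use.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate only for the tiny teaching primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def generate_keypair(p, q, e=65537):
    """Return (n, e, d) built from two distinct primes p and q."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q                         # modulus, shared by both keys
    phi = (p - 1) * (q - 1)           # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1); pick other primes")
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+): e*d = 1 (mod phi)
    return n, e, d


def encrypt(m, n, e):
    """Apply the public key {n, e} to an integer message."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, n, d):
    """Apply the private key {n, d} to an integer ciphertext."""
    return pow(c, d, n)


def identity_holds(n, e, d):
    """Check (m^e)^d = m (mod n) for every m in [0, n)."""
    return all(decrypt(encrypt(m, n, e), n, d) == m for m in range(n))


if __name__ == "__main__":
    n, e, d = generate_keypair(263, 269)      # constructed toy primes
    print("public key  {n, e} =", (n, e))
    print("private key {n, d} =", (n, d))
    print("identity holds for all m:", identity_holds(n, e, d))
```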

The Elliptic Curve Cryptography (ECC) is a modern family of public-key cryptosystems, which is based
on the algebraic structures of the elliptic curves over finite fields and on the difficulty of the Elliptic
Curve Discrete Logarithm Problem (ECDLP).

ECC implements all major capabilities of the asymmetric cryptosystems: encryption, signatures and
key exchange.
The ECC cryptography is considered a natural modern successor of the RSA
cryptosystem, because ECC uses smaller keys and signatures than RSA for the same level of security
and provides very fast key generation, fast key agreement and fast signatures.

ECC Keys
The private keys in the ECC are integers (in the range of the curve's field size, typically 256-bit
integers). Example of 256-bit ECC private key (hex encoded, 32 bytes, 64 hex digits) is:
0x51897b64e85c3f714bba707e867914295a1377a7463a9dae8ea6a8b914246319.

The key generation in the ECC cryptography is as simple as securely generating a random integer in
certain range, so it is extremely fast. Any number within the range is valid ECC private key.

The public keys in the ECC are EC points - pairs of integer coordinates {x, y}, lying on the curve. Due
to their special properties, EC points can be compressed to just one coordinate + 1 bit (odd or even).
Thus the compressed public key, corresponding to a 256-bit ECC private key, is a 257-bit integer.
Example of ECC public key (corresponding to the above private key, encoded in the Ethereum
format, as hex with prefix 02 or 03) is:
0x02f54ba86dc1ccb5bed0224d23f01ed87e4a443c47fc690d7797a13d41d2340e1a. In this
format the public key actually takes 33 bytes (66 hex digits), which can be optimized to exactly 257
bits.
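
How a private integer becomes a compressed 33-byte public key and back, as an added example that is not part of the original notes. It assumes the secp256k1 curve (the notes do not say which curve their sample key pair uses), implements the point arithmetic in plain Python for readability rather than side-channel safety, and all function names are chosen for illustration.

```python
import secrets

# secp256k1 domain parameters (curve y^2 = x^3 + 7 over the prime field F_P).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798  # generator x


def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def lift_x(x, odd):
    """Recover the full point from x plus one parity bit (works because P % 4 == 3)."""
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)
    if x >= P or not on_curve((x, y)):
        raise ValueError("no curve point has this x coordinate")
    return (x, y if (y & 1) == odd else P - y)


G = lift_x(GX, 0)   # the generator's y coordinate is even


def add(p1, p2):
    """Add two points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # a point plus its negative
    if p1 == p2:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P)           # tangent slope (doubling)
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P)      # chord slope
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P


def multiply(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def generate_keypair():
    private = secrets.randbelow(N - 1) + 1     # any integer in [1, N-1] is a valid key
    return private, multiply(private, G)


def compress(point):
    """33 bytes: prefix 02 (even y) or 03 (odd y), then the 32-byte x coordinate."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def decompress(data):
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("expected 33 bytes starting with 02 or 03")
    return lift_x(int.from_bytes(data[1:], "big"), data[0] & 1)


if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("private key:", hex(priv))
    print("compressed public key:", "0x" + compress(pub).hex())
    print("round trip ok:", decompress(compress(pub)) == pub)
```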

ECC Algorithms
Elliptic-curve cryptography (ECC) provides several groups of algorithms, based on the math of the
elliptic curves over finite fields:

• ECC digital signature algorithms like ECDSA (for classical curves) and EdDSA (for
twisted Edwards curves).
• ECC encryption algorithms and hybrid encryption schemes like the ECIES
integrated encryption scheme and EEECC (EC-based ElGamal).
• ECC key agreement algorithms like ECDH, X25519 and FHMQV.

All these algorithms use an underlying curve (like secp256k1, curve25519 or p521) for the calculations
and rely on the difficulty of the ECDLP (elliptic curve discrete logarithm problem). All these
algorithms use public / private key pairs, where the private key is an integer and the public key is a
point on the elliptic curve (EC point). Let's get into details about the elliptic curves over finite fields.

Diffie-Hellman algorithm
The Diffie-Hellman algorithm is used to establish a shared secret that
can be used for secret communications while exchanging data over a public
network, using the elliptic curve to generate points and get the secret key
using the parameters.
• For the sake of simplicity and practical implementation of the
algorithm, we will consider only 4 variables: one prime P, G (a
primitive root of P) and two private values a and b.
• P and G are both publicly available numbers. Users (say Alice and
Bob) pick private values a and b, and each of them generates a key and
exchanges it publicly. The other person receives that key and uses it to
generate a secret key, after which both have the same secret key
to encrypt with.

Diffie Hellman Algorithm

1. $\text{key} = (Y_A)^{X_B} \bmod q$ -> this is the same as calculated by B

2. Global Public Elements

• $q$: $q$ is a prime number

• $\alpha$: $\alpha < q$ and $\alpha$ is the primitive root of $q$

3. Key generation for user A

• Select a private key $X_A$, where $X_A < q$

• Now, calculation of public key $Y_A$: $Y_A = \alpha^{X_A} \bmod q$

4. Key generation for user B

• Select a private key $X_B$, where $X_B < q$

• Now, calculation of public key $Y_B$: $Y_B = \alpha^{X_B} \bmod q$

5. Calculation of Secret Key by A

• $\text{key} = (Y_B)^{X_A} \bmod q$

6. Calculation of Secret Key by B

• $\text{key} = (Y_A)^{X_B} \bmod q$

Example

1. Alice and Bob both use public numbers P = 23, G = 5

2. Alice selected private key a = 4, and Bob selected b = 3 as the private key

3. Both Alice and Bob now calculate the value of x and y as follows:

• Alice: $x = 5^4 \bmod 23 = 4$

• Bob: $y = 5^3 \bmod 23 = 10$

4. Now, both Alice and Bob exchange public numbers with each other.

5. Alice and Bob now calculate the symmetric keys

• Alice: $k_a = y^a \bmod p = 10^4 \bmod 23 = 18$

• Bob: $k_b = x^b \bmod p = 4^3 \bmod 23 = 18$

6. 18 is the shared secret key.
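
The exchange above in code, as an added example that is not part of the original notes: it checks that G really is a primitive root of P, computes both public values and both shared keys, and reproduces the numbers of the worked example. The range check on the received public value is an added hardening step not described in the notes, and the function names are chosen for illustration; P = 23 is far too small for real use.

```python
def prime_factors(n):
    """Set of prime factors of n, by trial division (fine for toy sizes)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """For prime p: g is a primitive root iff g^((p-1)/f) != 1 for each prime f | p-1."""
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))


def public_value(g, private, p):
    """Y = G^private mod P, the number sent over the public network."""
    if not 1 < private < p - 1:
        raise ValueError("private value must lie in (1, p-1)")
    return pow(g, private, p)


def shared_secret(peer_public, private, p):
    """key = (peer's public value)^private mod P."""
    # Added hardening (assumption, not in the notes): 0, 1 and p-1 would force
    # the key into a tiny predictable set, so such values are rejected.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value outside [2, p-2]")
    return pow(peer_public, private, p)


def exchange(p, g, a, b):
    """Run both sides of the exchange and return every intermediate value."""
    if not is_primitive_root(g, p):
        raise ValueError("G is not a primitive root of P")
    x = public_value(g, a, p)        # Alice -> Bob
    y = public_value(g, b, p)        # Bob -> Alice
    ka = shared_secret(y, a, p)      # computed by Alice
    kb = shared_secret(x, b, p)      # computed by Bob
    return {"x": x, "y": y, "ka": ka, "kb": kb}


if __name__ == "__main__":
    print(exchange(p=23, g=5, a=4, b=3))
```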
