
Firewall Cyber Security

A firewall is a network security device that monitors and controls incoming and outgoing traffic based on security rules, with three main types: hardware, software, and a combination of both. Various firewall techniques include packet-filtering, circuit-level gateways, application-level gateways, stateful multi-layer inspection, next-generation firewalls, and unified threat management, each offering different levels of security. Additionally, demilitarized zones (DMZ) serve as a buffer between trusted and untrusted networks, enhancing security by isolating sensitive internal networks from external threats.

Uploaded by thelittledoodler
Copyright © All Rights Reserved

UNIT V

FIREWALL
A firewall is a network security device that monitors incoming and outgoing
network traffic and decides whether to allow or block specific traffic based
on a defined set of security rules.

There are mainly three types of firewalls: software firewalls, hardware
firewalls, or both, depending on their structure. Each type of firewall has
different functionality but the same purpose. However, it is best practice to
have both to achieve maximum possible protection.

A hardware firewall is a physical device that attaches between a computer
network and a gateway, for example a broadband router. A hardware
firewall is sometimes referred to as an Appliance Firewall. On the other hand,
a software firewall is a simple program installed on a computer that works
through port numbers and other installed software. This type of firewall is
also called a Host Firewall.

Besides, there are many other types of firewalls depending on their features
and the level of security they provide. The following are types of firewall
techniques that can be implemented as software or hardware:

o Packet-filtering Firewalls
o Circuit-level Gateways
o Application-level Gateways (Proxy Firewalls)
o Stateful Multi-layer Inspection (SMLI) Firewalls
o Next-generation Firewalls (NGFW)
o Threat-focused NGFW
o Network Address Translation (NAT) Firewalls
o Cloud Firewalls
o Unified Threat Management (UTM) Firewalls

Packet-filtering Firewalls

A packet filtering firewall is the most basic type of firewall. It acts like a
management program that monitors network traffic and filters incoming
packets based on configured security rules. These firewalls are designed to
block network traffic by IP protocol, IP address, and port number if a data
packet does not match the established rule-set.

While packet-filtering firewalls can be considered a fast solution without
many resource requirements, they also have some limitations. Because these
types of firewalls do not prevent web-based attacks, they are not the safest.

Circuit-level Gateways

Circuit-level gateways are another simplified type of firewall that can be
easily configured to allow or block traffic without consuming significant
computing resources. These types of firewalls typically operate at the session
level of the OSI model by verifying TCP (Transmission Control
Protocol) connections and sessions. Circuit-level gateways are designed to
ensure that the established sessions are protected.

Typically, circuit-level firewalls are implemented as security software or
pre-existing firewalls. Like packet-filtering firewalls, these firewalls do not check
the actual data, although they inspect information about transactions.
Therefore, if data contains malware but follows the
correct TCP connection, it will pass through the gateway. That is why
circuit-level gateways are not considered safe enough to protect our systems.

Application-level Gateways (Proxy Firewalls)

Proxy firewalls operate at the application layer as an intermediate device to
filter incoming traffic between two end systems (e.g., network and traffic
systems). That is why these firewalls are called 'Application-level Gateways'.

Unlike basic firewalls, these firewalls transfer requests from clients
pretending to be original clients on the web-server. This protects the client's
identity and other suspicious information, keeping the network safe from
potential attacks. Once the connection is established, the proxy firewall
inspects data packets coming from the source. If the contents of the incoming
data packet are protected, the proxy firewall transfers it to the client. This
approach creates an additional layer of security between the client and many
different sources on the network.

Stateful Multi-layer Inspection (SMLI) Firewalls

Stateful multi-layer inspection firewalls include both packet inspection
technology and TCP handshake verification, making SMLI firewalls superior
to packet-filtering firewalls or circuit-level gateways. Additionally, these
types of firewalls keep track of the status of established connections.

In simple words, when a user establishes a connection and requests data, the
SMLI firewall creates a database (state table). The database is used to store
session information such as source IP address, port number, destination IP
address, destination port number, etc. Connection information is stored for
each session in the state table. Using stateful inspection technology, these
firewalls create security rules to allow anticipated traffic.

In most cases, SMLI firewalls are implemented as additional security levels.
These types of firewalls implement more checks and are considered more
secure than stateless firewalls. This is why stateful packet inspection is
implemented along with many other firewalls to track statistics for all internal
traffic. Doing so increases the load and puts more pressure on computing
resources. This can give rise to a slower transfer rate for data packets than
other solutions.
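
The difference between header-only filtering and the state table described above can be seen in a small simulation. This is an added example, not part of the original notes; the addresses, the single "outbound HTTPS" policy and the simplified flag strings are constructed assumptions.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed internal network (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "S", "SA" or "A"

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def stateless_filter(pkt):
    """Header-only rules: outbound HTTPS, plus anything that looks like its reply."""
    if is_internal(pkt.src) and pkt.dport == 443:
        return "ALLOW"
    if is_internal(pkt.dst) and pkt.sport == 443:
        return "ALLOW"
    return "DROP"

class StatefulFirewall:
    def __init__(self):
        self.state = {}  # (client ip, client port, server ip, server port) -> state

    def inspect(self, pkt):
        if is_internal(pkt.src):  # outbound packet
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            st = self.state.get(key)
            if st is None:  # a new session must start with a SYN to an allowed port
                if pkt.flags != "S" or pkt.dport != 443:
                    return "DROP"
                self.state[key] = "SYN_SENT"
            elif st == "SYN_ACK_SEEN" and pkt.flags == "A":
                self.state[key] = "ESTABLISHED"  # handshake verified
            return "ALLOW"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: look up reverse flow
        st = self.state.get(key)
        if st == "SYN_SENT" and pkt.flags == "SA":
            self.state[key] = "SYN_ACK_SEEN"
            return "ALLOW"
        return "ALLOW" if st == "ESTABLISHED" else "DROP"

def demo():
    fw = StatefulFirewall()
    client, server = ("10.0.0.5", 50000), ("203.0.113.10", 443)
    handshake = [Packet(*client, *server, "S"), Packet(*server, *client, "SA"),
                 Packet(*client, *server, "A")]
    verdicts = [fw.inspect(p) for p in handshake]
    reply = Packet(*server, *client, "A")
    stray = Packet("198.51.100.7", 443, "10.0.0.9", 3389, "A")  # unsolicited inbound
    return verdicts, fw.inspect(reply), stateless_filter(stray), fw.inspect(stray)
```

The stateless filter passes the unsolicited inbound packet because its header resembles a reply, while the stateful firewall drops it because no matching session exists in the state table.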

Next-generation Firewalls (NGFW)

Many of the latest released firewalls are usually defined as 'next-generation
firewalls'. However, there is no specific definition for next-generation
firewalls. This type of firewall is usually defined as a security device
combining the features and functionalities of other firewalls. These firewalls
include deep-packet inspection (DPI), surface-level packet inspection, TCP
handshake testing, etc.

NGFW includes higher levels of security than packet-filtering and stateful
inspection firewalls. Unlike traditional firewalls, NGFW monitors the entire
transaction of data, including packet headers, packet contents, and sources.
NGFWs are designed in such a way that they can prevent more sophisticated
and evolving security threats such as malware attacks, external threats, and
advanced intrusion.

Threat-focused NGFW

Threat-focused NGFW includes all the features of a traditional NGFW.
Additionally, they also provide advanced threat detection and remediation.
These types of firewalls are capable of reacting against attacks quickly. With
intelligent security automation, threat-focused NGFWs set security rules and
policies, further increasing the security of the overall defense system.

In addition, these firewalls use retrospective security systems to monitor
suspicious activities continuously. They keep analyzing the behavior of every
activity even after the initial inspection. Due to this functionality,
threat-focused NGFW dramatically reduces the overall time taken from threat
detection to cleanup.

Network Address Translation (NAT) Firewalls

Network address translation or NAT firewalls are primarily designed to
access Internet traffic and block all unwanted connections. These types of
firewalls usually hide the IP addresses of our devices, making them safe from
attackers.

When multiple devices are used to connect to the Internet, NAT firewalls
create a unique IP address and hide individual devices' IP addresses. As a
result, a single IP address is used for all devices. By doing this, NAT firewalls
secure independent network addresses from attackers scanning a network for
accessing IP addresses. This results in enhanced protection against suspicious
activities and attacks.

In general, NAT firewalls work similarly to proxy firewalls. Like proxy
firewalls, NAT firewalls also work as an intermediate device between a group
of computers and external traffic.

Cloud Firewalls

Whenever a firewall is designed using a cloud solution, it is known as a cloud
firewall or FaaS (firewall-as-service). Cloud firewalls are typically
maintained and run on the Internet by third-party vendors. This type of
firewall is considered similar to a proxy firewall. The reason for this is the use
of cloud firewalls as proxy servers. However, they are configured based on
requirements.

The most significant advantage of cloud firewalls is scalability. Because cloud
firewalls have no physical resources, they are easy to scale according to the
organization's demand or traffic-load. If demand increases, additional
capacity can be added to the cloud server to filter out the additional traffic
load. Most organizations use cloud firewalls to secure their internal networks
or entire cloud infrastructure.

Unified Threat Management (UTM) Firewalls

UTM firewalls are a special type of device that includes features of a stateful
inspection firewall with anti-virus and intrusion prevention support. Such
firewalls are designed to provide simplicity and ease of use. These firewalls
can also add many other services, such as cloud management, etc.

Which firewall architecture is best?

When it comes to selecting the best firewall architecture, there is no need to
be explicit. It is always better to use a combination of different firewalls to
add multiple layers of protection. For example, one can implement a
hardware or cloud firewall at the perimeter of the network, and then further
add an individual software firewall on every network asset.

Besides, the selection usually depends on the requirements of the
organization. However, the following factors can be considered for the right
selection of firewall:

Size of the organization

If an organization is large and maintains a large internal network, it is better
to implement a firewall architecture that can monitor the entire internal
network.

Availability of resources

If an organization has the resources and can afford a separate firewall for
each hardware piece, this is a good option. Besides, a cloud firewall may be
another consideration.

Requirement of multi-level protection

The number and type of firewalls typically depend on the security measures
that an internal network requires. This means, if an organization maintains
sensitive data, it is better to implement multi-level protection of firewalls. This
will ensure data security from hackers.

Firewall configurations

There are 3 common firewall configurations.


1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual homed bastion configuration
3. Screened subnet firewall configuration

1. Screened host firewall, single-homed bastion configuration

In this configuration, the firewall consists of two systems: a packet filtering
router and a bastion host. Typically, the router is configured so that:

o For traffic from the internet, only IP packets destined for the
bastion host are allowed in.

o For traffic from the internal network, only IP packets from the
bastion host are allowed out.

The bastion host performs authentication and proxy functions. This
configuration has greater security than simply a packet filtering router or an
application-level gateway alone, for two reasons:

· This configuration implements both packet level and application level
filtering, allowing for considerable flexibility in defining security policy.

· An intruder must generally penetrate two separate systems before the
security of the internal network is compromised.

2. Screened host firewall, dual homed bastion configuration

In the previous configuration, if the packet filtering router is compromised,
traffic could flow directly through the router between the internet and the
other hosts on the private network. This configuration physically prevents
such a security break.

3. Screened subnet firewall configuration

In this configuration, two packet filtering routers are used, one between the
bastion host and internet and one between the bastion host and the internal
network. This configuration creates an isolated subnetwork, which may
consist of simply the bastion host but may also include one or more
information servers and modems for dial-in capability. Typically, both the
internet and the internal network have access to hosts on the screened subnet,
but traffic across the screened subnet is blocked. This configuration offers
several advantages:

· There are now three levels of defence to thwart intruders.

· The outside router advertises only the existence of the screened subnet to
the internet; therefore, the internal network is invisible to the internet.

· Similarly, the inside router advertises only the existence of the screened
subnet to the internal network; therefore the systems on the internal network
cannot construct direct routes to the internet.
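
The screened subnet policy can be modelled as two allow lists, one per router, with a packet delivered only if every router on its path forwards it. This is an added example, not part of the original notes; the address plan and all names are constructed assumptions. It also shows the layered-defence point: with the outside router compromised, the inside router still blocks internet traffic to the internal network.

```python
import ipaddress

# Constructed address plan for illustration (assumption, not from the notes).
DMZ = ipaddress.ip_network("192.0.2.0/24")       # screened subnet
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # internal network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Allow lists of (source network, destination network); unmatched traffic is dropped.
RULES = {
    "outer": [(ANY, DMZ), (DMZ, ANY)],            # internet <-> screened subnet
    "inner": [(INTERNAL, DMZ), (DMZ, INTERNAL)],  # internal <-> screened subnet
}
ZONE_ORDER = ["internet", "dmz", "internal"]
ROUTER_BETWEEN = ["outer", "inner"]  # router i separates zone i from zone i + 1

def zone_of(addr):
    if addr in DMZ:
        return "dmz"
    return "internal" if addr in INTERNAL else "internet"

def router_permits(router, src, dst, compromised):
    if router in compromised:  # a compromised router forwards everything
        return True
    return any(src in s and dst in d for s, d in RULES[router])

def path_allowed(src_ip, dst_ip, compromised=()):
    """True only if every router between the two zones forwards the packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    a = ZONE_ORDER.index(zone_of(src))
    b = ZONE_ORDER.index(zone_of(dst))
    routers = ROUTER_BETWEEN[min(a, b):max(a, b)]
    return all(router_permits(r, src, dst, compromised) for r in routers)
```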

DMZ NETWORK:
What is a Demilitarized Zone?

shravanimjagtap13

Demilitarized zones, or DMZ for short, are used in cybersecurity. DMZs
separate internal networks from the internet and are often found on
corporate networks. A DMZ is typically created on a company’s internal
network to isolate the company from external threats. While the name might
sound negative, a DMZ can be a helpful tool for network security.

The DMZ is a network barrier between the trusted and untrusted network in
a company’s private and public network. The DMZ acts as a protection layer
through which outside users cannot access the company’s data. The DMZ receives
requests from outside users or public networks to access the information or
website of a company. For such types of requests, the DMZ arranges sessions on
the public network. It cannot initiate a session on the private network. If
anyone tries to perform malicious activity on the DMZ, the web pages are
corrupted, but other information remains safe.

The goal of a DMZ is to provide access to the untrusted network while ensuring
the security of the private network. A DMZ is not mandatory, but it is a better
approach to use it with a firewall.

Advantages:

• It provides access to external users by securing the internal sensitive
network.
• A DMZ can be used with a combination of a firewall & router, which as a
result provide high security.
• By implementing DMZ, only the data that is intended to be visible publicly
is displayed. The rest is hidden and secured.
• DMZ enables web server, email servers etc. to be accessible on the
internet simultaneously protecting it with a firewall.

Disadvantages:

• Various vulnerabilities can be found in DMZ System’s services.
• If an attacker successfully cracks the DMZ system, they may access
your confidential information.
• An attacker having authenticated data can access the system as an
authorized user.
• The data provided on a public network to the external networks
can be leaked or replicated.

Key features:

• A DMZ provides a buffer from the outside world for your computer
systems. When you create a network, you must decide where your
computer systems will reside.
• Creating a buffer zone between your systems and the internet allows
you to function normally without being susceptible to external
attacks. Keeping your internal systems inside a DMZ also makes it
difficult for hackers to steal data or cause disruptions on company
networks. For this reason, most organizations use a DMZ when
creating secure computer systems.
• A DMZ provides a target for ethical hackers. Hackers often seek out
companies with weak computer security; this is why many
organizations use a DMZ to protect their internal systems.
• Companies that have strong security measures typically don’t create
vulnerabilities in their networks by demilitarizing zones on their own
computers or in their IT environments.
• The DMZ makes it easy for ethical hackers to find vulnerabilities
and gain access to designated targets once they’re inside the buffer
zone. By knowing which systems have weak security and then
targeting them, ethical hackers can perform necessary maintenance
without damaging company networks further.

Conclusion:
Demilitarized zones provide buffers between internal computers and the
internet. They can also be used as targets when performing hacking tasks such
as pentesting or social engineering. Finally, demilitarized zones may also be
used for physical penetration tests.
