Like all good technology, the firewall has evolved over the years. That does not mean the methods used by the early generations of firewalls have lost their place.
There are several types of firewall, but only a few are in common use, because those are the ones that fit the technologies actually available.
Types of Firewall
The three main types of firewall are the basic packet filter (network-level firewall), the stateful firewall and the proxy. Firewalls also perform additional functions such as Network Address Translation (NAT), VPN (Virtual Private Network) termination and user authentication.
Each of these types is covered in detail below.
Basic Packet Filter
The basic packet filter controls the flow of data through the network. Whenever traffic enters or leaves a network segment, the packet filter inspects it and either permits or blocks each packet according to rules written in terms of IP addresses, protocols and ports.
- Filter = sieve, separate;
- Works at the network and transport layer;
- It controls traffic coming in and out of the network;
- It is transparent to users;
- The rules are static – static packet filter;
- Filter rules contain:
- Source IP Address
- Destination IP address
- TCP, UDP, ICMP Protocols
- TCP or UDP Source Ports
- TCP or UDP destination ports
- ICMP message type
The basic packet filter is also known as a stateless firewall. Each packet is handled in isolation: the filter keeps no record of connection state, so it cannot tell whether a packet belongs to a connection it has already seen.
According to Scarfone and Hoffman (2008), stateless packet filters have the following characteristics:
- High throughput – examine data on the network layer;
- Low overhead and flexible – can be deployed in almost any network infrastructure; its speed and flexibility make it well suited to the border with an untrusted network.
- Blocks unwanted incoming traffic before it reaches the hosts behind it, a function known as input (ingress) filtering.
- Opens permanent gaps in the network perimeter – because no connection state is kept, any rule that admits return traffic stays open to everyone, and such filters remain vulnerable to attacks and exploits that take advantage of weaknesses in the TCP/IP stack itself.
Stateful Firewall
A stateful firewall performs the same functions as the basic packet filter and, in addition, maintains the state of each connection in a state table. This lets it block scans, control data flow more effectively and act on the TCP header; it checks the fields of each datagram in order to identify possible attacks.
Stateful inspection improves on the packet filter because it tracks the state of connections and blocks packets that do not match the expected state. This comes from a greater awareness of the transport layer, as shown in Figure 2.
As with packet filtering, stateful inspection intercepts packets at the network layer and checks whether the connection is allowed by an existing firewall rule.
Unlike packet filtering, however, the stateful firewall tracks every connection in a state table. The details of state table entries vary from product to product, but they typically include the source IP address, destination IP address, port numbers and connection state information (Table 1).
The stateful firewall operates as follows:
- The firewall checks only the first packet of each connection against the filtering rules.
- When that initial packet is accepted, a new entry is added to the connection (state) table.
- All further packets of the connection are filtered using the state table, without consulting the rules again.
The following is an example of a state table.
In the first line of the table above, an internal network asset (192.168.1.100) tries to reach an external resource (220.127.116.11). The connection attempt is first checked against the firewall rules to see whether it is permitted.
If it is allowed, an entry is added to the state table marking the session as new, as shown in the first entry under “Connection State”.
Once the two hosts complete the TCP three-way handshake, the state of the connection changes to “established”, and all subsequent traffic matching that entry is allowed without further rule checks (SCARFONE and HOFFMAN, 2008).
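The following is an added example, written for this article rather than taken from the page or from Scarfone and Hoffman, that puts the two designs side by side: a stateless filter that judges every packet alone against static rules (the fields listed under Basic Packet Filter), and a stateful firewall that consults the rules only for the first packet of a connection and tracks the rest in a state table, as in the three steps above. All addresses, ports and rules are constructed. It also shows the "permanent gap" the stateless section warns about: to let web replies back in, the stateless rule set must admit anything claiming to come from TCP port 80, so a probe that spoofs source port 80 is allowed, while the stateful firewall drops it because no tracked connection matches.

```python
"""Toy stateless packet filter next to a toy stateful firewall. This is an
added example written for this article, not code from the original page or
from Scarfone & Hoffman; the addresses, ports and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags such as {"SYN"} or {"ACK"}
    icmp_type: int = -1                 # ICMP message type, -1 = not ICMP


@dataclass(frozen=True)
class Rule:
    """One static filter rule over the header fields listed in the article."""
    action: str                         # "allow" or "deny"
    proto: str = "any"
    src: str = "any"                    # exact address or "any" (no CIDR, to stay short)
    dst: str = "any"
    sport: range = range(0, 65536)
    dport: range = range(0, 65536)
    icmp_type: int = -1                 # -1 = any ICMP type

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and p.sport in self.sport
                and p.dport in self.dport and self.icmp_type in (-1, p.icmp_type))


def stateless_decide(rules, p: Packet) -> str:
    """Stateless filter: every packet is judged alone, first match wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Rules are consulted only for the first packet of a connection; later
    packets are filtered by the state table, keyed on the 5-tuple."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}                 # 5-tuple -> "initiated" | "established"

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def decide(self, p: Packet) -> str:
        fwd = self._key(p)
        rev = (p.dst, p.src, p.proto, p.dport, p.sport)
        if fwd in self.table or rev in self.table:
            # Part of a tracked connection: allowed without re-reading the rules.
            # The client's bare ACK after the server's SYN-ACK completes the handshake.
            if fwd in self.table and p.proto == "tcp" and p.flags == frozenset({"ACK"}):
                self.table[fwd] = "established"
            return "allow"
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "deny"               # not a connection start and not in the table
        if stateless_decide(self.rules, p) == "allow":
            self.table[fwd] = "initiated"
            return "allow"
        return "deny"


INTERNAL, WEB, ATTACKER = "192.168.1.100", "203.0.113.10", "198.51.100.7"

# Stateless rule set: to let web replies back in it must hold open a permanent
# hole for anything that claims to come from TCP port 80 (constructed rules).
STATELESS_RULES = [
    Rule("allow", proto="tcp", src=INTERNAL, dport=range(80, 81)),
    Rule("allow", proto="tcp", dst=INTERNAL, sport=range(80, 81)),
]
# Stateful rule set: only the outbound half is needed; replies come via the table.
STATEFUL_RULES = [Rule("allow", proto="tcp", src=INTERNAL, dport=range(80, 81))]

SYN = Packet(INTERNAL, WEB, "tcp", 1030, 80, frozenset({"SYN"}))
SYN_ACK = Packet(WEB, INTERNAL, "tcp", 80, 1030, frozenset({"SYN", "ACK"}))
ACK = Packet(INTERNAL, WEB, "tcp", 1030, 80, frozenset({"ACK"}))
DATA = Packet(WEB, INTERNAL, "tcp", 80, 1030, frozenset({"ACK"}))
# Unsolicited probe that spoofs source port 80 to slip through the stateless hole.
PROBE = Packet(ATTACKER, INTERNAL, "tcp", 80, 445, frozenset({"ACK"}))


def demo():
    fw = StatefulFirewall(STATEFUL_RULES)
    handshake = [fw.decide(p) for p in (SYN, SYN_ACK, ACK, DATA)]
    return {
        "stateless_probe": stateless_decide(STATELESS_RULES, PROBE),   # "allow"
        "stateful_probe": fw.decide(PROBE),                            # "deny"
        "stateful_handshake": handshake,                               # all "allow"
        "final_state": fw.table[StatefulFirewall._key(SYN)],           # "established"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the four verdicts. The state machine is deliberately minimal (a real firewall also tracks sequence numbers, FIN/RST teardown and entry timeouts); the point is that the stateful design needs no inbound rule at all for reply traffic, so the inbound port-80 hole never exists.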
Proxy
A proxy application gateway combines access control with application-layer functionality. The firewall runs a proxy agent that acts as an intermediary between two hosts that want to communicate with each other; it never allows a direct connection between them. Each successful connection attempt actually results in two separate connections:
- one between the client and the proxy server;
- another between the proxy server and the true destination.
Besides making the network more secure, a proxy can also improve performance by acting as a cache of requested content. If several machines request the same data, it can be served from the proxy, which speeds up access and reduces network traffic by cutting the number of requests that leave the network.
The proxy is transparent to both endpoints, so from their perspective there appears to be a direct connection. Because external hosts only ever talk to the proxy agent, the internal IP addresses are never exposed to them. Each proxy agent may also require every network user to authenticate individually (authentication proxy). That authentication can take many forms: user ID and password, a hardware or software token, source address, or biometric data (SCARFONE and HOFFMAN, 2008).
Morimoto (2010) summarizes the advantages of using a proxy as follows:
1. It imposes restrictions based on time of day, login, IP address and other information, and can block pages with unwanted content.
2. It works as a cache of pages and files, storing content that has already been accessed.
3. It allows every access made through it to be logged.
The proxy gateway operates at the application layer and verifies the actual content of the traffic. Packet filter analysis mainly checks whether traffic is consistent with the permitted IPs, services and protocols; a proxy application gateway goes further and analyzes the packet's content, distinguishing normal traffic for a given protocol from traffic that may carry unwanted content.
To establish communication, the gateway completes the TCP 3-way handshake with the source system itself, which lets it protect against exploits at every stage of a communication. Gateways can also allow or deny traffic based on information in protocol or application headers. For example, a gateway can determine whether an e-mail message carries an attachment of a type the organization does not allow (such as an executable file), or whether an instant-messaging client is tunnelling through port 80 (the port commonly used for HTTP). A proxy can also restrict the actions users may perform (for example, forbidding FTP), and can allow or deny Web pages that contain certain active content such as Java applets or ActiveX controls.
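As an added example, not code from the page or from any real proxy product, the block below shows the kind of application-layer decisions described above, written as pure functions so it runs offline: a request on the HTTP port that is not actually HTTP (an instant-messaging style greeting) is refused, disallowed methods and blocked hosts are rejected, a reply carrying an executable attachment or active content (script, object, applet) is dropped before it is relayed, and every decision is written to an access log as in Morimoto's third point. The policy values, host names, methods and sample messages are all constructed; the request and response parsing is deliberately minimal.

```python
"""Application-layer checks of the kind a proxy gateway performs. This is an
added example written for this article, not code from the original page or
from a real proxy; policy values and the sample messages are constructed."""
import re
from dataclasses import dataclass, field

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/vnd.microsoft.portable-executable"}
EXEC_NAME = re.compile(r'filename="?[^";]*\.(exe|dll|msi|scr)\b', re.I)
ACTIVE_CONTENT = re.compile(rb"<script\b|<object\b|<applet\b|<embed\b", re.I)
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]$")


@dataclass
class Policy:
    blocked_hosts: set
    allowed_methods: set
    block_active_content: bool = True


@dataclass
class Proxy:
    policy: Policy
    log: list = field(default_factory=list)

    def inspect_request(self, client: str, raw: bytes):
        """Return (verdict, reason) for the bytes a client sent to the proxy.
        Anything that is not a well-formed HTTP request is refused even though
        it arrived on the HTTP port."""
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            return self._log(client, "?", "deny", "not HTTP")
        method, target = m.group(1), m.group(2)
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (line.partition(":") for line in lines[1:]) if k}
        host = headers.get("host", "")
        if method not in self.policy.allowed_methods:
            return self._log(client, target, "deny", f"method {method} not allowed")
        if host in self.policy.blocked_hosts:
            return self._log(client, target, "deny", f"host {host} blocked")
        return self._log(client, target, "allow", "request ok")

    def inspect_response(self, client: str, target: str, headers: dict, body: bytes):
        """Content inspection of the server's reply before it is relayed to the client."""
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        disp = headers.get("content-disposition", "")
        if ctype in EXECUTABLE_TYPES or EXEC_NAME.search(disp):
            return self._log(client, target, "deny", "executable attachment")
        if (self.policy.block_active_content and ctype == "text/html"
                and ACTIVE_CONTENT.search(body)):
            return self._log(client, target, "deny", "active content")
        return self._log(client, target, "allow", "response ok")

    def _log(self, client, target, verdict, reason):
        self.log.append(f"{client} {target} {verdict} ({reason})")
        return verdict, reason


# Constructed policy and sample traffic.
POLICY = Policy(blocked_hosts={"malware.example"}, allowed_methods={"GET", "POST", "HEAD"})
CLIENT = "192.168.1.100"
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IM_ON_PORT_80 = b"HELLO chat-client/1.0\r\n"      # not HTTP, just aimed at port 80
BLOCKED_HOST = b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"
TUNNEL = b"CONNECT chat.example:443 HTTP/1.1\r\nHost: chat.example\r\n\r\n"
EXE_REPLY = ({"content-type": "application/octet-stream",
              "content-disposition": 'attachment; filename="update.exe"'}, b"MZ\x90\x00")
SCRIPT_PAGE = ({"content-type": "text/html; charset=utf-8"},
               b"<html><script>alert(1)</script></html>")
PLAIN_PAGE = ({"content-type": "text/html"}, b"<html><p>hello</p></html>")


def demo():
    proxy = Proxy(POLICY)
    return {
        "good": proxy.inspect_request(CLIENT, GOOD_REQUEST)[0],            # "allow"
        "im": proxy.inspect_request(CLIENT, IM_ON_PORT_80)[0],             # "deny"
        "blocked_host": proxy.inspect_request(CLIENT, BLOCKED_HOST)[0],    # "deny"
        "tunnel": proxy.inspect_request(CLIENT, TUNNEL)[0],                # "deny"
        "exe": proxy.inspect_response(CLIENT, "/update.exe", *EXE_REPLY)[0],   # "deny"
        "script": proxy.inspect_response(CLIENT, "/", *SCRIPT_PAGE)[0],    # "deny"
        "plain": proxy.inspect_response(CLIENT, "/", *PLAIN_PAGE)[0],      # "allow"
        "log": list(proxy.log),
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Note that none of these decisions can be made from the IP and TCP headers alone, which is exactly the gap the proxy closes over a packet filter; the price is that the proxy must parse and buffer application data for every connection, which is the overhead discussed next.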
Because a proxy firewall must create its own connections on both sides of every session and process each packet at the application layer, it adds latency and can become a network bottleneck. Proxy firewalls also do not support every protocol, which limits the applications that can communicate through them with the local network.
- SCARFONE, Karen and HOFFMAN, Paul. Guidelines on Firewalls and Firewall Policy. National Institute of Standards and Technology (NIST), Special Publication 800-41, 2008.
- MORIMOTO, Carlos E. Linux Servers, Practical Guide. Porto Alegre: Sul Editores, 2010.