Firewalls: Guidelines and Procedures

Introduction Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures. While firewalls are often discussed in the context of Internet connectivity, they may also have applicability in other network environments. For example, many enterprise networks employ firewalls to restrict connectivity to and from the internal networks used to service more sensitive functions, such as accounting or personnel. By employing firewalls to control connectivity to these areas, an organization can prevent unauthorized access to its systems and resources. Inclusion of a proper firewall provides an additional layer of security (Broida, 2011). This research paper will give a background on firewalls. The background will cover an overview of firewall technologies, as well as firewall technologies, the common requirements of firewalls, and firewall policies. This paper will also give an analysis of firewalls which will consist of what I have learned in doing this research and my opinion on the research.
Overview of Firewall Technologies Several types of firewall technologies are available. One way of comparing their capabilities is to look at the Transmission Control Protocol/Internet Protocol [TCP/IP] layers that each is able to examine. TCP/IP communications are composed of four layers that work together to transfer data between hosts. When a user wants to transfer data across networks, the data is passed from the highest layer through intermediate layers to the lowest layer, with each layer adding more information. The lowest layer sends the accumulated data through the physical network, with the data then passed upwards through the layers to its destination. Simply put, the data produced by a layer is encapsulated in a larger container by the layer below it. The four TCP/IP layers, from highest to lowest, are application layer, transport layer, IP layer, also known as the network layer, and hardware layer, also known as the data link layer. The application layer sends and receives data for particular applications, such as Domain Name System [DNS], Hypertext Transfer Protocol [HTTP], and Simple Mail Transfer Protocol (SMTP). The application layer itself has layers of protocols within it. The transport layer provides connection-oriented or connectionless services for transporting application layer services between networks, and can optionally ensure communications reliability. Transmission Control Protocol [TCP] and User Datagram Protocol [UDP] are commonly used transport layer protocols. The IP layer routes packets across networks. Internet Protocol version 4 [IPv4] is the fundamental network layer protocol for TCP/IP. Other commonly used protocols at the network layer are Internet Protocol version 6 [IPv6], ICMP, and Internet Group Management Protocol [IGMP]. The hardware layer handles communications on the physical network components. The best known data link layer protocol is Ethernet (Sourour, Adel, & Tarek, 2009). Addresses at the data link layer, which are assigned to network interfaces, are referred to as media access control [MAC] addresses. An example of this is an Ethernet address that belongs to an Ethernet card. Firewall policies rarely concern themselves with the data link layer. Addresses at the network layer are referred to as IP addresses. The transport layer identifies specific network applications and communication sessions as opposed to network addresses; a host may have any number of transport layer sessions with other hosts on the same network. The transport layer may also include the notion of ports. A destination port number generally identifies a service listening on the destination host, and a source port usually identifies the port number on the source host that the destination host should reply to. Transport protocols such as TCP and UDP have ports, while other transport protocols do not. The combination of source IP address and port with destination IP address and port helps define the session. The highest layer represents end user applications (Sourour, Adel, & Tarek, 2009).
Firewalls can inspect applications traffic and use it as the basic for policy decisions. Basic firewalls operate on one or a few layers, typically the lower layers, while more advanced firewalls examine all of the layers. Firewalls that examine more layers can perform more granular and thorough examinations. Firewalls that understand the application layer can potentially accommodate advanced applications and protocols and provide services that are user-oriented. For example, a firewall that only handles lower layers cannot usually identify specific users, but a firewall with application layer capabilities can enforce user authentication and log events to specific user (Sourour, Adel, & Tarek, 2009) .
Firewall Technologies Firewalling is often combined with other technologies, most notably routing. Furthermore, many technologies often associated with firewalls are more accurately part of these other technologies. For example, network address translation [NAT] is sometimes thought of as a firewall technology, but it is actually a routing technology. Many firewalls also include content filtering features to enforce organization policies not directly related to security. Some firewalls include intrusion prevention system [IPS] technologies, which can react to attacks that they detect to prevent damage to systems protected by the firewall (Sourour, Adel, & Tarek, 2009). Firewalls are often placed at the perimeter of a network. Such a firewall can be said to have an external and internal interface, with the external interface being the one on the outside of the network. These two interfaces are sometimes referred to as unprotected and protected, respectively. However, saying that something is or is not protected is often inappropriate because a firewall’s policies can work in both directions. For example, there might be a policy to prevent executable code from being sent from inside the perimeter to sites outside the perimeter (Lihua,
2010).
The most basic feature of a firewall is the packet filter. Older firewalls that were only packet filters were essentially routing devices that provided access control functionality for host addresses and communication sessions. These devices, also known as stateless inspection firewalls, do not keep track of the state of each flow of traffic that passes though the firewall; this means, for example, that they cannot associate multiple requests within a single session to each other. Packet filtering is at the core of most modern firewalls, but there are few firewalls sold today that only do stateless packet filtering. Unlike more advanced filters, packet filters are not concerned about the content of packets. Their access control functionality is governed by a set of directives referred to as a rule set. Packet filtering capabilities are built into most operating systems and devices capable of routing; the most common example of a pure packet filtering device is a network router that employs access control lists. In their most basic form, firewalls with packet filters operate at the network layer. This provides network access control based on several pieces of information contained in a packet, including the packet’s source IP address, the packet’s destination address, and the network or transport protocol being used to communicate between source and destination hosts, such as TCP, UDP, or ICMP ((Broida, 2011). Filtering inbound traffic is known as ingress filtering. Outgoing traffic can also be filtered, a process referred to as egress filtering. Here, organizations can implement restrictions on their internal traffic, such as blocking the use of external file transfer protocol [FTP] servers or preventing denial of service [DoS] attacks from being launched from within the organization against outside entities. Organizations should only permit outbound traffic that uses the source IP addresses in use by the organization, a process that helps block traffic with spoofed addresses from leaking onto other networks. Spoofed addresses can be caused by malicious events such as malware infections or compromised hosts being used to launch attacks, or by inadvertent misconfigurations (Sourour, Adel, & Tarek, 2009). Stateless packet filters are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack. For example, many packet filters are unable to detect when a packet’s network layer addressing information has been spoofed or otherwise altered, or uses options that are permitted by standards but generally used for malicious purposes, such as IP source routing. Spoofing attacks, such as using incorrect addresses in the packet headers, are generally employed by intruders to bypass the security controls implemented in a firewall platform. Firewalls that operate at higher layers can thwart some spoofing attacks by verifying that a session is established, or by authenticating users before allowing traffic to pass. Because of this, most firewalls that use packet filters also maintain some state information for the packets that traverse the firewall (Broida, 2011). Some packet filters can specifically filter packets that are fragmented. Packet fragmentation is allowed by the TCP/IP specifications and is encouraged in situations where it is needed. However, packet fragmentation has been used to make some attacks harder to detect (by placing them within fragmented packets), and unusual fragmentation has also been used as a form of attack. For example, some network-based attacks have used packets that should not exist in normal communications, such as sending some fragments of a packet but not the first fragment, or sending packet fragments that overlap each other. To prevent the use of fragmented packets in attacks, some firewalls have been configured to block fragmented packets (Broida, 2011). Today, fragmented packets on the Internet often occur not because of attacks, but because of virtual private networking [VPN] technologies that encapsulate packets within other packets. If encapsulating a packet would cause the new packet to exceed the maximum permitted size for the medium it will be transmitted on, the packet must be fragmented. Fragmented packets being blocked by firewalls is a common cause of VPN interoperability issues. Some firewalls can reassemble fragments before passing them to the inside network, although this requires additional firewall resources, particularly memory. Firewalls that have this reassembly feature must implement it carefully, otherwise someone can readily mount a denial-of-service attack. Choosing whether to block, reassemble, or pass fragmented packets is a tradeoff between overall network interoperability and full system security. Given this, automatic blocking of all fragmented packets is not recommended because of the legitimate and necessary uses of fragmentation on the Internet (Sourour, Adel, & Tarek, 2009). Stateful inspection improves on the functions of packet filters by tracking the state of connections and blocking packets that deviate from the expected state. This is accomplished by incorporating greater awareness of the transport layer. As with packet filtering, stateful inspection intercepts packets at the network layer and inspects them to see if they are permitted by an existing firewall rule, but unlike packet filtering, stateful inspection keeps track of each connection in a state table. While the details of state table entries vary by firewall product, they typically include source IP address, destination IP address, port numbers, and connection state information (Sourour, Adel, & Tarek, 2009). A newer trend in stateful inspection is the addition of a stateful protocol analysis capability, referred to by some vendors as deep packet inspection. Stateful protocol analysis improves upon standard stateful inspection by adding basic intrusion detection technology, an inspection engine that analyzes protocols at the application layer to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations. This allows a firewall to allow or deny access based on how an application is running over the network. For instance, an application firewall can determine if an email message contains a type of attachment that the organization does not permit, such as an executable file, or if instant messaging [IM] is being used over port 80, typically used for HTTP (Sourour, Adel, & Tarek, 2009).
Common Requirements of Firewalls

Firewall devices at the edge of a network are sometimes required to do more than block unwanted traffic. A common requirement for these firewalls is to encrypt and decrypt specific network traffic flows between the protected network and external networks. This nearly always involves VPN, which use additional protocols to encrypt traffic and provide user authentication and integrity checking. VPNs are most often used to provide secure network communications across networks that are not trusted. Another common requirement for firewalls at the edge of a network is to perform client checks for incoming connections from remote users and allow or disallow access based on those checks. This checking, commonly called network access control [NAC] or network access protection [NAP], allows access based on the user’s credentials and the results of performing what is referred to as health checks on the user’s computer. Health checks typically consist of verifying that one or more of the following comply with organizational policy. Latest updates to antimalware and personal firewall software, configuration settings for antimalware and personal firewall software, elapsed time since the previous malware scan, patch level of the operating system and selected applications, and/or security configuration of the operating system and selected applications. These health checks require software on the user’s system that is controlled by the firewall. If the user has acceptable credentials but the device does not pass the health check, the user and device may get only limited access to the internal network for remediation purposes (Elfarag, Baith, & Alkhishali, 2009). Although firewalls at a network’s perimeter provide some measure of protection for internal hosts, in many cases additional network protection is required. Network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts. Attacks sent from one internal host to another may not even pass through a network firewall. Because of these and other factors, network designers often include firewall functionality at places other than the network perimeter to provide an additional layer of security.
Host-based firewalls for servers and personal firewalls for desktop and laptop personal computers [PC] provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting, each monitors and controls the incoming and outgoing network traffic for a single host. They can provide more granular protection than network firewalls to meet the needs of specific hosts (Goldsborough, 2001).
Firewall Policies A firewall policy dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types based on the organization’s information security policies. An organization’s firewall policy should be based on a comprehensive risk analysis. Firewall policies should be based on blocking all inbound and outbound traffic, with exceptions made for desired traffic. Policies should take into account the source and destination of the traffic in addition to the content. Many types of IPv4 traffic, such as that with invalid or private addresses, should be blocked by default. Organizations should have policies for handling incoming and outgoing IPv6 traffic. An organization should determine which applications may send traffic into or out of its network and make firewall policies to block traffic for other applications (Khakpour & Jalili, 2009).
Analysis of Firewalls Firewalls are commonly used in most organizations. In researching firewalls, I discovered that utilizing a firewall is like project management. There are steps that need to be taken when implementing a firewall. I wasn't aware that planning and implementing a firewall are such in depth procedures. As with any new technology deployment, firewall planning and implementation should be addressed in a phased approach. A successful firewall deployment can be achieved by following a clear, step-by-step planning and implementation process. The use of a phased approach for deployment can minimize unforeseen issues and identify potential pitfalls early on. The firewall planning and implementation process includes planning, configuring, testing, deploying and managing. The planning phase involves identifying all requirements that an organization should consider when determining which firewall to implement to enforce the organization’s security policy. The configuring phase involves all facets of configuring the firewall platform. This includes installing hardware and software as well as setting up rules for the system. The testing phase involves implementing and testing a prototype of the designed solution in a lab or test environment. The primary goals of testing are to evaluate the functionality, performance, scalability, and security of the solution, and to identify any issues, such as interoperability, with components. Once testing is completed and all issues are resolved, the next phase focuses on deployment of the firewall into the enterprise. Finally, after the firewall has been deployed, it is managed throughout its lifecycle to include component maintenance and support for operational issues. This lifecycle process is repeated when enhancements or significant changes need to be incorporated into the solution (Uribe & Cheung, 2007). There has been extensive research done on firewalls. I think as long as technology continues to strive, the implementation of firewalls will steadily increase.
Conclusion

Utilizing firewalls can be very beneficial to organizations, if implemented correctly. All required steps in implementing a firewall should be carefully followed, in order to eliminate chances of human errors in implementing the firewall. One mistake can cause major problems for an organization. Organizations should only permit outbound traffic that uses the source IP addresses in use by the organization. In general, a firewall should fit into a current network’s layout.
Different common network architectures lead to very different choices for where to place a firewall, so an organization should assess which architecture works best for its security goals. In some environments, putting one firewall behind another may lead to a desired security goal, but in general such multiple layers of firewalls can be troublesome (Broida, 2011).

References
Broida, R. (2011). Minimize Security Software Headaches. PC World, 29(12), 112. Elfarag, A., Elfarag, A., Baith M., A. A., & Alkhishali, H. H. (2009). Description and Analysis of Embedded Firewall Techniques. World Academy Of Science, Engineering & Technology, 58421-426.
Goldsborough, R. (2001). Keeping Hackers Away With Personal Firewalls. Teacher Librarian, 29(2), 40.
JYOSTNA, K. K., & PADMAJA, V. V. (2011). Secure Embedded System Networking: An Advanced Security Perspective. International Journal Of Engineering Science & Technology, 3(5), 3854-3862.
Khakpour, N., & Jalili, S. (2009). VERIFICATION OF DISTRIBUTED FIREWALLS CONFIGURATION VS. SECURITY POLICIES USING ALCQI(D). Applied Artificial Intelligence, 23(10), 945-975. doi:10.1080/08839510903208088
Sourour, M., Adel, B., & Tarek, A. (2009). Ensuring security in depth based on heterogeneous network security technologies. International Journal Of Information Security, 8(4), 233-246. doi:10.1007/s10207-009-0077-2
Uribe, T. E., & Cheung, S. (2007). Automatic analysis of firewall and network intrusion detection system configurations. Journal Of Computer Security, 15(6), 663-687.