What is Firewall?
A firewall is a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic based on a set of rules.
History of firewall.
Computer security borrowed the term firewall from firefighting and fire prevention, where a firewall is a barrier established to prevent the spread of fire.
When organizations began moving frommainframe computers and dumb clients to the client-server model, the ability to control access to the server became a priority. Before firewalls emerged in the late 1980s, the only real form of network security was performed by access control lists (ACLs) residing on routers. ACLs determined which IP addresses were granted or denied access to the network.
The growth of the Internet and the resulting increased connectivity of networks meant that this type of filtering was no longer enough to keep out malicious traffic as only basic information about network traffic is contained in the packet headers. Digital Equipment Corp. shipped the first commercial firewall, DEC SEAL, in 1992, and firewall technology has since evolved to combat the increasing sophistication of cyberattacks.
Type's of firewall:-1..Ppu acket firewalls
The earliest firewalls functioned as packet filters, inspecting the packets that are transferred between computers on the Internet. When a packet passes through a packet-filter firewall, its source and destination address, protocol, and destination port number are checked against the firewall's rule set. Any packets that aren't specifically allowed onto the network are dropped (i.e., not forwarded to their destination). For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined forTCP port number 23, the port where a Telnet server application would be listening.
2..Stateful firewalls
In order to recognize a packet's connection state, a firewall needs to record all connections passing through it to ensure it has enough information to assess whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. This is what's called "stateful packet inspection." Stateful inspection was first introduced in 1994 by Check Point Software in its FireWall-1 software firewall, and by the late 1990s, it was a common firewall product feature.
This additional information can be used to grant or reject access based on the packet's history in the state table, and to speed up packet processing; that way, packets that are part of an existing connection based on the firewall's state table can be allowed through without further analysis. If a packet does not match an existing connection, it's evaluated according to the rule set for new connections.
3..Application-layer firewalls
As attacks against Web servers became more common, so too did the need for a firewall that could protect servers and the applications running on them, not merely the network resources behind them. Application-layer firewalltechnology first emerged in 1999, enabling firewalls to inspect and filter packets on any OSI layer up to the application layer.
The key benefit of application-layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols -- such as HTTP, FTP and DNS -- are being misused.
Firewall technology is now incorporated into a variety of devices; many routers that pass data between networks contain firewall components and most home computer operating systems include software-based firewalls. Many hardware-based firewalls also provide additional functionality like basic routing to the internal network they protect.
4..Proxy firewalls
Firewall proxy servers also operate at the firewall's application layer, acting as an intermediary for requests from one network to another for a specific network application. A proxy firewallprevents direct connections between either sides of the firewall; both sides are forced to conduct the session through the proxy, which can block or allow traffic based on its rule set. A proxy service must be run for each type of Internet application the firewall will support, such as an HTTP proxy for Web services.
Firewall Rules:-
As mentioned above, network traffic that traverses a firewalls is matched against rules to determine if it should be allowed through or not. An easy way to explain what firewall rule looks like is to show a few example, so we’ll do that now.
Suppose you have a server with this list of firewall rules that apply to incoming traffic:
- Accept new and established incoming traffic to the public network interface on port 80 and 443 (HTTP and HTTPS web traffic)
- Drop incoming traffic from IP addresses of the non-technical employees in your office to port 22 (SSH)
- Accept new and established incoming traffic from your office IP range to the private network interface on port 22 (SSH)
Note that the first word in each of these examples is either “accept”, “reject”, or “drop”. This specifies the action that the firewall should do in the event that a piece of network traffic matches a rule. Accept means to allow the traffic through, rejectmeans to block the traffic but reply with an “unreachable” error, anddrop means to block the traffic and send no reply. The rest of each rule consists of the condition that each packet is matched against.
As it turns out, network traffic is matched against a list of firewall rules in a sequence, or chain, from first to last. More specifically, once a rule is matched, the associated action is applied to the network traffic in question. In our example, if an accounting employee attempted to establish an SSH connection to the server they would be rejected based on rule 2, before rule 3 is even checked. A system administrator, however, would be accepted because they would match only rule 3.
Default Policy
It is typical for a chain of firewall rules to not explicitly cover every possible condition. For this reason, firewall chains must always have a default policy specified, which consists only of an action (accept, reject, or drop).
Suppose the default policy for the example chain above was set todrop. If any computer outside of your office attempted to establish an SSH connection to the server, the traffic would be dropped because it does not match the conditions of any rules.
If the default policy were set to accept, anyone, except your own non-technical employees, would be able to establish a connection to any open service on your server. This would be an example of a very poorly configured firewall because it only keeps a subset of your employees out.
Incoming and Outgoing Traffic
As network traffic, from the perspective of a server, can be either incoming or outgoing, a firewall maintains a distinct set of rules for either case. Traffic that originates elsewhere, incoming traffic, is treated differently than outgoing traffic that the server sends. It is typical for a server to allow most outgoing traffic because the server is usually, to itself, trustworthy. Still, the outgoing rule set can be used to prevent unwanted communication in the case that a server is compromised by an attacker or a malicious executable.
In order to maximize the security benefits of a firewall, you should identify all of the ways you want other systems to interact with your server, create rules that explicitly allow them, then drop all other traffic. Keep in mind that the appropriate outgoing rules must be in place so that a server will allow itself to send outgoing acknowledgements to any appropriate incoming connections. Also, as a server typically needs to initiate its own outgoing traffic for various reasons—for example, downloading updates or connecting to a database—it is important to include those cases in your outgoing rule set as well.
Writing Outgoing Rules
Suppose our example firewall is set to drop outgoing traffic by default. This means our incoming accept rules would be useless without complementary outgoing rules.
To complement the example incoming firewall rules (1 and 3), from the Firewall Rulessection, and allow proper communication on those addresses and ports to occur, we could use these outgoing firewall rules:
- Accept established outgoing traffic to the public network interface on port 80 and 443 (HTTP and HTTPS)
- Accept established outgoing traffic to the private network interface on port 22 (SSH)
Note that we don’t need to explicitly write a rule for incoming traffic that is dropped (incoming rule 2) because the server doesn’t need to establish or acknowledge that connection.
Firewall Software and Tools
Now that we’ve gone over how firewalls work, let’s take a look at common software packages that can help us set up an effective firewall. While there are many other firewall-related packages, these are effective and are the ones you will encounter the most.
Iptables
Iptables is a standard firewall included in most Linux distributions by default (a modern variant called nftables will begin to replace it). It is actually a front end to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses the networking interface against a set of rules to decide what to do.
UFW
UFW, which stands for Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.
FirewallD
FirewallD is a complete firewall solution available by default on CentOS 7 servers. Incidentally, FirewallD uses iptables to configure netfilter.
Fail2ban
Fail2ban is an intrusion prevention software that can automatically configure your firewall to block brute force login attempts and DDOS attacks.
0 comments:
Post a Comment