FIRE, FIRE,

Abstract
Implementing a firewall is seldom a simple task. It must be carefully planned in order to meet all of the needs of a companies complicated network design. The design objectives depend on what problems are anticipated, what services to allow or deny, and what level of risk is acceptable. How to cover these objectives is a lot to consider; how much money is available or allowed in order to implement this design, how long does the administrator have to complete this design, and is the expertise level of knowledge available in order to correctly implement this design? The most daunting task of all; which firewall to implement? A firewall comes in all shapes, sizes, and specification. All are meant to make a network more secure, but where to start? Is it a software driven firewall or hardware bases firewall used? Which type of firewall; database, network based, host bases, or application bases? What are the differences between them, how they work or what they actually do? Will it do more harm than good? It can all be very confusing when trying to protect a network and figure out which firewall is best fit. All of these are very important questions that should be answered before starting the installation and implementation of a firewall. Hopefully the answer to these questions will become clear as firewalls are discussed further in this paper.

Firewalls What is a firewall and how does it work? By definition a firewall protects an internal network from malicious access from the outside. A firewall basically comes in two different styles, hardware or software based. A software based firewall is just that, software that is installed on another piece of equipment in order to provide the functionality of a firewall. Hardware based firewall is an ancillary piece of equipment whose sole purpose it to work as a firewall. The most secure configuration would be a combination of both on your network. Packet filtering and stateful packet inspection are among the various types of firewall methods that are implemented. Typically firewalls are placed at the perimeter of the network or between segments; they are the defenders of the perimeter wall against possible attacks. Other options will be discussed as well; network layer firewalls, also referred to as packet filter firewalls, stateful inspection firewalls, and application layer firewalls. Firewalls can be configured many different ways, dependant on the type of firewall that you are utilizing. They basically use a form of access control in order to deny or allow traffic. They can allow traffic based on the service, the Internet Protocol (IP) address of the source or destination, or the ID of the user requesting service. One of the benefits to a firewall is that you can also configure logging for all traffic. A software firewall is usually installed on an individual personal computer. This type of firewall works on a per-packet and a per-process filter. Since a software firewall is running on a computer, it is capable of knowing more about the network traffic than just what port it is using. It will know what program is accessing the Internet and if it is malicious or not. Dependant on the information that is set in the filter, a software firewall can allow or block a program’s ability to sent or receive data. The filter can also be set to prompt the user to confirm or deny traffic before it is allowed to access the Internet. Using a software firewall is an extra layer of firewall protection; it is not beneficial to an entire network since it protects only the computer it is loaded on. Hardware firewalls are typically a stand alone product. They can be effective with little or not configuration. They can normally be configured with little or minimal knowledge and protect a network. A hardware firewall is normally more secure since it is not using a regular operating system. Operating systems have complex code that could become a vulnerability to a firewall if it is not properly patched. Anything that is vulnerable can be exploited, and that exploitation can compromise the system.
Data Base firewall A data base firewall is a hardware apparatus or software that is installed on a server to protect against database specific attacks. They may have a pre-set dictionary of signatures, which are updated by the vendor when attacks are identified. A database firewall can identify vulnerabilities identified in the operating system or protocols and notify an administrator for patch management if properly configured. Policies and rules can be set that will monitor for irregular activities which could prevent possible hacking. In an article by ExcITingIP.com (2011) two of the most common attacks to a database are SQL injection and Buffer Overflows, these are prevented with the use of exception policies to support patching and policy that can assess everything from time of day and IP address to verification of user.
Application firewall An application firewall is a device placed between the network firewall and the host that runs the web-based application. It monitors the web application accesses collecting valid application requests. It can block all requests that do not qualify as a valid request according to its rule base. There are two types, inline and passive. Inline has all traffic flow through it; this can be risky if there is a hardware failure. Inline is also considered an active firewall and will drop any requests that are perceived to be an attack (Eubanks, 2005). Passive will log the information but will not block any request that violates the rule set. An application firewall should be able to react appropriately, as defined by the policy or rules set, to threats against identified vulnerabilities. Be able to inspect and respond, either allow, block, or notify, based on the rules set. It should also be able to work on “white lists” or “black lists”. A white list defines acceptable data or behavior, where a black list defines what is not allowed. There are many parameters that can be defined within the “lists” and careful consideration needs to be adhered to in order to prevent exposing applications to potential hazards on the Internet (PCI Security Standards Council, 2008).
Network Based firewall Network firewalls protect an entire network by guarding the perimeter. The firewall is put directly in line with all information coming into or leaving a network. It inspects all traffic for malicious content and must make a decision on whether to let the data access the internal network or drop it. This could be as simple as a border router using packet filtering or a separate piece of hardware that receives the data from the router prior to the data entering the internal network. A major problem that can occur with this type of firewall is that all data must pass through this single interface. This becomes a possible single point of failure within a network, if it fails your network is down until repair or replacement can be accomplished.
Host Based firewall Host-based firewalls are software firewalls installed on individual systems. They usually offer features beyond a typical firewall, such as spyware, virus scan software, and pop up blockers. Host-based firewalls can be run on individual desk tops or laptops. Some companies have users that telecommute either from their home or possible from a hotel. Having a host-based firewall helps protect the user from incidents and also prevent the spread of infections. Host-based firewalls can be used as an addition layer of defense. They protect the host that they are installed on, but will also defend against a compromised system being used to attack other systems as stated by Northcutt, Zeltser, Winters, Frederick, & Ritchey (2003) . They can also detect insider threats, when an employee is involved in a hacking attempt on the inside of a system.
Firewall Types
Packet Filter A packet filter is used to instruct a firewall to drop any traffic that meets a certain criteria. This type of firewall examines the header of a packet to determine its source and destination addresses. This is done at the Network layer of the OSI model which is directly compared to the Internet layer of the TCP/IP layer. It is then compared to a predefined or user created set of rules that determine whether the packet is safe or not. The object is to look for malformed or suspicious packets and decide whether or not if each packet should be allowed in the protocol stack. If it is deemed safe then it is allowed; if not, it is denied. There are several TCP/IP attributes used when implementing packet filtering rules. You can use source and destination IP addresses, IP protocols, source and destination TCP and UDP ports, and the interfaces of the packets arrival or destination (Scarfone & Hoffman, 2009).
Stateful Packet Inspection This type of Firewall looks at additional characteristics such as a packet’s origin and whether it is a response to a request or unsolicited acknowledgement. When we look at a connection setup sequence, the first packet that is expected is a SYN packet. When the firewall sees this packet it places the connection in the SYN state. When in this state, only two possibilities exist for the next packet; a SYN ACK packet (acknowledging the packet), or an RST packet (resetting the connection). If any other packet is provided the firewall will deny it since it is not what the firewall is expecting. One of the benefits of a packet filter firewall is that they can handle larger amounts of traffic at a faster rate since they do not have the overhead of extra processing that is required with application firewalls. Stateful firewalls monitor the connection processes according to Dubrawsky (2010); they do not look any further up the protocol stack. A combination of stateful and application firewall, known as a deep packet firewall, is capable of not only monitoring the connection but also monitoring higher level protocols for abnormalities.
Application-Layer
This type of Firewall is also known as a proxy firewall and works like a mediator. Since all connections begin and end on the firewall, the internal network can not be seen by the outside world. All internal addressing schemes are hidden behind the firewall. Policies are enforced through the use of proxies and each protocol must have its own proxy. A benefit of this type of firewall is that it is difficult to hide traffic inside other services. “With an application gateway, first the client application is checked to see if access should be granted, and then the users are authenticated” (Easttom, 2006). There are some drawbacks to using an application-layer firewall. Since it is “full packet awareness” the firewall uses more resources comprehending and clarifying each packet. They tend to be unsuited to high-bandwidth applications. “An individual, application specific agent is required for each type of network traffic that needs to transit a firewall” (Scarfone &Hoffman, 2009). Because of this, they do not support new applications.
Circuit-level Gateways Circuit level gateways set up a virtual circuit between the internal client and a proxy. It validates the user first, then the connections, before allowing data to be exchanged. It operates at the transport layer of the OSI and will only permit traffic transfer if it determines the connection between both ends is valid according to the rule set. It has some characteristics of a proxy server since the external network never sees the internal network, but also similar to a packet filter in that it makes access decisions based on IP address, protocol, and port information. Harris (2010) states it may not provide the detailed access control of an application layer firewall but it does provide security for a wider range of protocols.
Bastion Host A bastion host is usually a highly exposed device that is outward facing on the Internet. It is used as a first line of defense and is locked down and hardened to protect the internal network. In order to make it as secure as possible it should have only the required services running, all ports that are not absolutely required to be open should be shut, and all unnecessary or inactive user accounts should be disabled.
Defense in Depth (DiD) Defense in Depth is more than just computer system security. It is all of the methods, techniques, tools, people and processes needed to protect that network. A layered security mechanism increases the security of the system as a whole. When an attack gets by one system, another system in standing by to hinder or deter that attack. Some tools, though not specifically considered firewalls, fall into a firewall like capacity. De-militarized Zones (DMZs), and Access Control Lists (ACLs) are such tools (Northcutt et al, 2003).
Demilitarized Zone (DMZ) Most computers run behind a firewall, one or more will run outside of the firewall in what is called the DMZ. The computers in the DMZ intercept traffic and broker requests similar to a proxy server. All outbound requests are sent to the DMZ on behalf of the internal network, all incoming requests must first pass through the DMZ before reaching the firewall. This offers an added layer of protection to the network prior to the firewall according to Maiwald (2004). The systems that are placed in a DMZ are accessed from an external network and can also be accessed from the internal network, but they never allow the external network access the internal network. These systems are Web servers, and External Domain Name Server (DNS). The services that are in the DMZ are not fully trusted so remain on the outside of the trusted network.
Access Control Lists (ACL) You can configure an access control list to prevent certain traffic from entering or exiting a network. This is usually done on a router as part of a security solution. ACLs filter network traffic by controlling whether packets are forwarded or blocked at the interface. ACL list are scanned for a match one line at a time from top to bottom, for a pattern that matches the incoming packet. A permit or deny rule is associated with the list to determine the fate of the packet. Access lists can be applied to inbound or outbound traffic depending on the interface they are associated with. All unmatched packets are normally dropped by default, it is a good habit to end all list with a ‘deny all’ statement. Access lists are a good way to do packet filtering, remember though that they cannot adapt to changing network or security needs. Harris (2010) suggest it is not a true firewall, just another layer of security to help protect your network.
Firewall issues It is easy to make a mistake in configuring complex firewalls. Many of them come with security holes which conscientious administrators must find and close. Software Firewalls run on top of other devices, you have to contend with an operating system that could have vulnerabilities as well as any potential vulnerability in the firewall. Hardware firewalls have less OS vulnerabilities, but vulnerabilities are still there. An attacker has many techniques that can be used to bypass a firewall; he only needs to find one vulnerability to succeed where an administrator has to find all of the vulnerabilities and close them to keep an attacker out.
Firewalking
Firewalking is a process of using the Traceroute Time to Live (TTL) feature to map your network by using the TTL exceeded in transit message. It attempts to determine which protocols a firewall will block and which they will pass on to downstream hosts. By scanning the ports on a firewall you can map which ports are open and passing traffic. By doing this you can map your way through a firewall. According to David Irby “One of the greatest threats posed by firewalking scan is that most firewalls do not log traffic on allowed ports” (Irby, 2005). Because of this, a potential hacker does not leave any traces of their scans in the system logs. Based on the results of Firewalk scans, a hacker can identify which ports are open. Firewalking can be used by both the attacker and the administrator.
NMAP
NMAP is another resource for administrators and hackers alike. It is an open source tool that can be used by an administrator to verify the security posture of a network; it can also be used by a hacker to probe a network for possible attack. You can use NMAP to penetrate firewalls, and determine which ports a firewall will allow through. Firewalls are designed to prevent attacks, NMAP includes a number of features designed to circumvent a firewalls defenses. Scanning a target using packet fragmentation, idle zombie scan, or randomize target scan order are just a few of the options available. According to Lyon (2008) NMAP not only can detect open ports, it can detect which services are running and their version number. The scans can also be altered to prevent the firewall from detecting the NMAP scans. NMAP can be a useful tool to an administrator. If properly utilized it can reveal vulnerabilities in the network; this can afford the administrator the option of securing the network before a hacker used the same tools against them.
Summary
Understanding the capabilities of each type of firewall and designing your network with those capabilities in mind will be beneficial in protecting a network system. “A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed” (Maiwald, 2004). As technology continues to change the capability to provide more robust and dynamic protection to the network will only increase. Developing a policy or rule set for your network that meets the needs of the users while protecting the data from malicious users or malware is the ultimate goal. An important part of building a firewall is knowing how your network is laid out and how networking works in general. The best defense against attacks is a well configured firewall. The cardinal rule is “deny by default”. If an administrator tries to allow everything and then tries to block just the malicious traffic, it may be too late when he determines something is malicious. Instead of trying to block just the malicious traffic, block everything. The user will notify the administrator on what traffic is necessary. A firewall is purposely put in a position to inspect and filter every packet that comes into the network. By default, latency in network performance is incurred by this process. Every effort should be made in order to minimize the latency while affording the best protection of the data is essential to any network architecture.

References
Dubrawsky, I. (2010, November 02). Firewall Evolution – Deep Packet Inspection. Retrieved from http://www.symantec.com/connect/articles/firewall-evolution-deep-packet-inspection.
Easttom, C. (2006). Network Defense and Countermeasures: Principles and Practices. Upper Saddle River, NJ: Pearson Education, Inc.
Eubanks, R. (2000). Application Firewalls: Don’t Forget About Layer 7. Retrieved from http://www.sans.org/reading_room/whitepapers/application/application-firewalls-forget-about-layer-7_1632.
ExcITingIP.com. (2011, May 26). What are Database Firewalls, why are they required & how do they protect databases? Retrieved from http://www.excitingip.com/1933/what-are-database-firewalls-why-are-they-required-how-do-they-protect-databases/.
Firewall Security Technical Implementation Guide – Cisco V8R6. (2011, April 29).
Harris, S. (2010). CISSP All-in-One Exam Guide, Fifth Edition. New York, NY: McGraw-Hill.
Irby, D. (2005). Firewalk: Can Attackers See Through Your Firewall? Retrieved from http://www.giac.org/paper/gsec/312/firewalk-attackers-firewall/100588 .
Lugo, I. G. & Parker, D. (2010, November 10). Software Firewalls: Made of Straw Part 1 of 2 Retrieved from http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-1-2
Lyon, G. (2008). NMAP Network Scanning. Sunnyvale, CA: Insecure.Com LLC
Maiwald, E. (2004). Fundamentals of Network Security. Burr Ridge, IL: McGraw-Hill.
Northcutt, S., Zeltser, L., Winters, S., Frederick, K. K., & Ritchey, R. W. (2003, July). Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems. Indianapolis, IN: New Rider Publishing.
Pacchiano, R. (2011, June 09). Firewall Debate: Hardware vs. Software. Retrieved from http://www.smallbusinesscomputing.com/webmaster/article.php/10732_3103431_/Firewall-Debate-Hardware-vs-Software.htm.
PCI Security Standards Council. (2008, October). Information Supplement: Application Reviews and Web Application Firewalls Clarified. Retrieved from https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf.
Scarfone, K. & Hoffman, P. (2009, September). Guidelines on Firewalls and Firewall Policy. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf.