There are a few different types of firewalls. Here’s a little history.
The traditional approach was access routers, using access control lists (ACLs) to control network access. A low-cost, high-performance solution. It didn’t need UNIX expertise and was transparent to the user – no requirement for users to change their behavior or configuration.
The issue, though, was that internal addresses were exposed to the Internet. If you were logging onto servers that were subject to attack or snooping, someone could then see the host addresses. This is often the first step in finding holes in a network: once the host address is known, that host can be attacked directly, leaving you vulnerable. It is important to hide the addresses.
In most cases it was possible to spoof in. Basically, spoofing means someone represents themselves as a trusted host on the network and thereby gains free access to it. ACLs are also tough to manage when they’re complex, so it’s easy to make a mistake. This brought about the development of proxy servers, which in turn brought about statefulness, which we’ll discuss in more detail later.
Proxy servers are also sometimes known as “bastion hosts”. As its name suggests, this kind of firewall acts as a “proxy” for internal computers accessing the Internet. To the outside world, it appears as if all sessions terminate at a single host, which is carefully configured for maximum security.
Proxy servers hide IP addresses, so they are not exposed to the outside world. Certain proxy servers can also examine content, so they can limit what can or cannot be done, such as FTP GETs, or go higher up into the application protocol and determine what you can or cannot do. They can also run other services (e.g. your mail service).
The problem is that you’re buying a box dedicated to that, plus software, plus maintaining the operating system. You must follow CERT alerts and make changes quickly, because attackers follow the same alerts and use those techniques to break in before you make the changes. This requires a lot of administration and time spent monitoring such advisories, which is difficult in today’s busy environment.
This was also a very intrusive method for users, since users have to tell their applications they’re using a firewall and go through 2-3 step logins to gain access – not at all transparent to the user.
Many firewalls talk about being stateful, but what does this mean and why is it important? If you know what traffic to expect on your network, you can ensure that only that traffic gets through. For example, when Mary sends a web request to a homepage (www.e-tutes.com), a stateful firewall will remember this. When a page comes back from e-tutes.com to Mary, the firewall will expect it and let the traffic pass.
Stateful filtering, or stateful network address translation, is a security scheme that provides very high performance with a high degree of security. Stateful means that the firewall maintains session state for connection flows, tracking the source and destination addresses and ports, TCP sequence numbers, and additional TCP flags.
Each time a TCP connection is established from an inside host accessing the Internet through the firewall, the information about the connection is logged in a stateful session flow table. The table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP connection associated with that particular host.
This information temporarily creates a connection block in the firewall. Inbound packets are compared against the session flows in the connection table and are permitted through only if they can be validated against an existing flow. The block is then terminated until the next packet is received.
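As an added illustration (not code from the original tutorial), here is a small Python model of the session flow table described above: an outbound SYN creates an entry keyed by addresses and ports, the returning SYN/ACK is checked against the recorded sequence number, and inbound packets with no matching flow are dropped. The packet fields, addresses and ports are constructed for the example; timeouts and window checks that real firewalls apply are omitted.

```python
from dataclasses import dataclass

# Constructed packet model: only the fields the session flow table tracks.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str      # "out": inside host -> Internet, "in": Internet -> inside host
    seq: int = 0
    ack: int = 0

class StatefulFirewall:
    # Flow table keyed by (inside addr, inside port, outside addr, outside port).
    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(p):
        # Both directions of one connection map onto the same table entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        key = self._key(p)
        entry = self.table.get(key)
        if entry is None:
            # Only an outbound SYN opens a flow; unsolicited inbound packets are dropped.
            if p.direction == "out" and p.flags == frozenset({"SYN"}):
                self.table[key] = {"state": "SYN_SENT", "isn": p.seq, "fins": 0}
                return "PERMIT"
            return "DENY"
        if "RST" in p.flags:
            del self.table[key]             # a reset tears the flow down at once
            return "PERMIT"
        if entry["state"] == "SYN_SENT":
            # Only a SYN/ACK acknowledging the client's ISN + 1 completes the handshake.
            if p.direction == "in" and p.flags == frozenset({"SYN", "ACK"}) \
                    and p.ack == entry["isn"] + 1:
                entry["state"] = "ESTABLISHED"
                return "PERMIT"
            return "DENY"
        # ESTABLISHED: packets in either direction belong to the tracked flow.
        if "FIN" in p.flags:
            entry["fins"] += 1
        elif entry["fins"] == 2 and "ACK" in p.flags:
            del self.table[key]             # final ACK of the close handshake
        return "PERMIT"
```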