As network security professionals, we work to control traffic between the untrusted network (think of the Internet as one example), the firewall (or a series of firewalls), the “Demilitarized Zone (DMZ)” and the trusted network. Keeping these in balance is daily life for a network security professional.
For the budding network security professional, the firewall is one essential element that must be studied in detail. This blog is a simple starter post into the exploration of the firewall. Building expertise in firewall technologies includes a deep understanding of (a) TCP/IP, (b) Intrusion Detection and Prevention Systems (IDS/IPS), (c) the ISO/OSI model (7 layers), (d) firewalls and honeypots, (e) wireless networking, and several other key topics.
To begin with, one of the key mitigating factors for network security starts at the firewall, as suggested earlier. We can quite simply state that a network firewall is, conceptually, very much like a building firewall that is placed between two buildings to prevent or, at least, slow down the spread of a fire between two apartments or condominiums. Likewise, the hardware or software network firewall is placed strategically in a network to prevent or restrict access to certain areas or sites within an organization’s network infrastructure.
An organization will need to establish an internal network (a local area network, or LAN, perhaps), so that co-workers can effectively work with the organization’s data. The company network will need to be connected to the Internet to expand the organization’s reach. While the outside network (the Internet) that we are connected to is considered the ‘wild’, where there are no particular restrictions or rules for traffic, we will use a firewall to provide a separation between the untrusted and wild outside network and the trusted inside network. A firewall is any hardware and/or software that acts as a barrier between connected networks. The trusted network is simply the network inside the internal security perimeter. The trusted network is set up to isolate and protect organizational resources including email servers, database servers, and routers/switches that are critical to an organization’s communication infrastructure. As noted by Whitman and Mattord (2018), the fundamental purpose of a firewall is to control network traffic between trusted and untrusted networks, only allowing specific required and trusted network communication between an untrusted and trusted network segment.
To drive home the distinction between an untrusted network and a trusted network, let’s explore a bit how a company will implement a trusted network environment. In this example, the company will need to establish at least one Local Area Network to share resources, such as databases containing client information and email services. The company may choose to use a screened subnet with a DMZ firewall. The screened subnet is a range of IP addresses that is carefully filtered by a firewall, creating a distinct DMZ (demilitarized zone): an intermediary network that exists between the trusted and untrusted networks. Of course the DMZ terminology is taken from the military, where two opposing and confronting armies may designate a space where no military will go (I think of the DMZ that existed between North and South Vietnam during the Vietnam war). The DMZ firewall will filter traffic from the untrusted network and allow only approved access toward the trusted network. Further, the firewall will also filter (validate) traffic exiting the trusted network that is transitioning into the untrusted network. Company servers that host public services are typically placed in the Demilitarized Zone (DMZ) as proxy servers. A web server is an example of a company service that can be placed as a proxy service in the DMZ. Importantly, since a proxy server is placed in a less secure area of the network, such as in the DMZ, it is exposed to greater levels of risk from the less trusted, outside networks.
Whenever we in network security speak of firewalls and DMZs, the topic of stateful inspection surfaces. Digging down into what stateful inspection is, let’s first discuss the notion of a ‘state’. First, when we are inspecting IP traffic, we are examining the contents of each packet, which can include a careful look at the IP packet header and, possibly, the data within each packet (notice that I was careful in how I phrased the last sentence. Doing packet inspection can become quite complex, so I purposefully glossed over this topic for now). In general, you can consider that the older technology for packet filtering in a firewall involved a review of the packet headers. The common items that packet filtering examined include:
1. IP source and destination address
2. The direction of the packet (whether it is an inbound or outbound packet)
3. Protocol noted in the packet (this type of filtering is for firewalls capable of examining the IP protocol layer. Some older firewalls cannot do this).
4. Examination of TCP (Transmission Control Protocol) or User Datagram Protocol (UDP) source and destination port requests.
This older type of filtering is termed static filtering, since the packet headers were compared to an existing set of established parameters set up in the firewall. Once the incoming or exiting packet was compared, the firewall either allowed the packet through or disallowed the packet (again, there is additional complexity, which we’ll save for later).
With the newer technology, filtering is often based on the state of the packet (or series of packets) that enters on a firewall’s interface. Stateful inspection monitors the packets over a given period of time and will examine both incoming and outgoing packets related to the particular communications stream. Stateful inspection firewalls are designed to prevent unrequested and/or harmful packets from reaching the protected network. The incoming traffic that goes through the firewall is matched against a rules list, the state table. This table contains source address and port, destination address and port, protocol, total time and time remaining. New connections need to introduce themselves to the firewall before being allowed onto the list of established connections. While static filtering firewalls must allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet filtering of stateful firewalls allows only a particular packet with a particular source, destination, and port address to enter through the firewall. But there is a risk. The additional processing required to manage and verify packets against the state table means that a system may be vulnerable to a DoS or DDoS attack due to the incremental processing delays in stateful inspection (Whitman & Mattord, 2018). In general, stateful inspection is much more complex, requires additional networking resources, and necessitates that the network administrator be well versed in firewall and network security protocols.
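To make the contrast concrete, here is a small simulation of the static header filter from the list above next to a state table of the kind just described (addresses, ports, protocol, time remaining). It is an added illustration, not code from the post; the rule set, the addresses and the 60-second timeout are assumed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the header fields a packet filter inspects."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    direction: str  # "in" (from the untrusted side) or "out" (from the trusted side)

# Static filter: each packet is judged alone against fixed header rules.
# To let HTTPS replies back in, the rule must admit EVERY inbound TCP packet
# with source port 443, not only replies to requests we actually made.
STATIC_RULES = [("out", "tcp", "dport", 443), ("in", "tcp", "sport", 443)]

def static_filter(pkt):
    return any(pkt.direction == d and pkt.proto == p and getattr(pkt, field) == port
               for d, p, field, port in STATIC_RULES)

# Stateful firewall: policy decides only which NEW outbound connections may
# register; replies are admitted because they match a live state-table entry.
ALLOWED_NEW_OUTBOUND = {("tcp", 443)}

class StatefulFirewall:
    def __init__(self, timeout=60):
        self.timeout = timeout  # total time granted to an entry (assumed 60 s)
        self.table = {}         # (src, sport, dst, dport, proto) -> time remaining

    def tick(self, seconds):
        """Age every entry; remove those whose time remaining reaches zero."""
        for key in list(self.table):
            self.table[key] -= seconds
            if self.table[key] <= 0:
                del self.table[key]

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        for k in (key, reverse):               # part of a known stream?
            if k in self.table:
                self.table[k] = self.timeout   # refresh time remaining
                return True
        if pkt.direction == "out" and (pkt.proto, pkt.dport) in ALLOWED_NEW_OUTBOUND:
            self.table[key] = self.timeout     # new connection introduces itself
            return True
        return False                           # unsolicited packet: dropped
```

Feeding an outbound HTTPS request, its reply, and an unsolicited inbound packet that merely carries source port 443 through both filters shows the difference: the static rule admits all three, the state table admits only the first two, and after the entry times out even the reply is refused.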
This is a summary overview of firewalls, just to get you started. Firewalls and the establishment of DMZs are quite a complex topic, and in this simple post, I admittedly glossed over several topics that will need additional discussion, especially for the network security specialist. Please feel free to add, comment, suggest clarifications, and perhaps additional resources. Learning to be a proficient network security specialist requires good conversation about the varied technologies, and this is welcomed.
Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security. Boston: Cengage Learning.
About the Author
Ron McFarland is a technologist at heart who works happily with students and as a consultant for industry. Demonstrating his love for the field, he received his Ph.D. from the College of Engineering and Computer Science and a post-doc in Cybersecurity Technologies. He is a guest blogger at Wrinkled Brain Net (http://www.wrinkledbrain.net), a blog dedicated to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC email: firstname.lastname@example.org