A firewall is one of the most important security mechanisms: it monitors and controls incoming and outgoing network traffic based on predefined security rules. A firewall is always placed between a trusted internal network and some other outside network (often the Internet), on the assumption that the outside network is insecure and untrusted. There are two main kinds of firewall, host-based firewalls and network firewalls. Some firewalls provide additional services for the internal network, such as DHCP (Dynamic Host Configuration Protocol) or VPN (Virtual Private Network). Firewalls are commonly grouped into three generations. First-generation firewalls were based on packet filtering: looking at the network (IP) address and the port of a packet, the firewall decided whether the packet should be blocked or allowed. A packet or series of packets that did not match the packet filtering rules was simply rejected or dropped. The first packet filter firewall was developed in 1988 at Digital Equipment Corporation. Packet filtering works on the first three layers (physical layer, data link layer and network layer) of the OSI (Open Systems Interconnection) model.
Second-generation firewalls are known as "stateful" filters. Between 1989 and 1990 AT&T Bell Laboratories developed second-generation firewalls, which they called "circuit level gateways". Like the first generation they work on the first three layers of the OSI model, but they include layer four (the transport layer) as well. This advance allowed a packet to be analyzed until enough information was available to make a decision about its state, a technique known as "stateful packet inspection". The firewall records every communication passing through it and decides whether a given packet is the beginning of a new connection or part of an existing one. Some DoS (Denial of Service) attacks try to create millions of fake connections in an attempt to fill the connection state memory (Anonymous, 2005).
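As an added illustration of stateful packet inspection (this is example code written for this page, not code from the original text or from any vendor), the following toy Python filter keeps a connection state table, lets reply traffic through because it matches existing state, and caps the table so that a flood of fake connections cannot fill it. Addresses, ports and packets are constructed samples.

```python
"""Toy stateful packet inspector: an added example, not code from the text.

It records each connection passing through the firewall, decides whether a
packet starts a new connection or belongs to an existing one, and caps the
state table so a flood of half-open connections cannot exhaust it (the DoS
weakness the text mentions).  Packets and addresses are constructed samples.
"""
from collections import Counter


class StatefulFilter:
    def __init__(self, allowed_inbound_ports, max_states=1000, max_per_source=50):
        # Rules only say which destination ports may open a NEW inbound flow;
        # reply packets are allowed because they match an existing state entry.
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.max_states = max_states          # total state-table capacity
        self.max_per_source = max_per_source  # per-source cap against floods
        self.states = {}                      # 5-tuple -> "SYN_SEEN" | "ESTABLISHED"
        self.per_source = Counter()           # open entries per source address

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse(key):
        proto, sip, sport, dip, dport = key
        return (proto, dip, dport, sip, sport)

    def inspect(self, pkt):
        """Return ('ALLOW' | 'DROP', reason) for one packet dict."""
        key = self._key(pkt)
        # 1. Packet belongs to a connection already in the table (either direction).
        for tracked in (key, self._reverse(key)):
            if tracked in self.states:
                if pkt["flags"] == "ACK":
                    self.states[tracked] = "ESTABLISHED"
                elif pkt["flags"] in ("FIN", "RST"):
                    # Connection is ending: free the state entry.
                    del self.states[tracked]
                    self.per_source[tracked[1]] -= 1
                return "ALLOW", "existing connection"
        # 2. Unknown packet: only a SYN may open a connection, and only to allowed ports.
        if pkt["flags"] != "SYN":
            return "DROP", "not part of any known connection"
        if pkt["dport"] not in self.allowed_inbound_ports:
            return "DROP", "port not allowed for new connections"
        # 3. State-table protection against connection floods.
        if len(self.states) >= self.max_states:
            return "DROP", "state table full"
        if self.per_source[pkt["src"]] >= self.max_per_source:
            return "DROP", "per-source connection limit"
        self.states[key] = "SYN_SEEN"
        self.per_source[pkt["src"]] += 1
        return "ALLOW", "new connection"


def demo():
    """Constructed traffic: one legitimate HTTP session and a SYN flood."""
    fw = StatefulFilter(allowed_inbound_ports={80, 443}, max_states=100, max_per_source=5)
    results = {}
    # Client opens a connection to the web server.
    results["syn"] = fw.inspect({"proto": "tcp", "src": "203.0.113.10", "sport": 40000,
                                 "dst": "192.0.2.80", "dport": 80, "flags": "SYN"})
    # The server's reply matches the reverse 5-tuple, so it passes even though
    # port 40000 appears in no rule: that is the point of keeping state.
    results["synack"] = fw.inspect({"proto": "tcp", "src": "192.0.2.80", "sport": 80,
                                    "dst": "203.0.113.10", "dport": 40000, "flags": "SYN-ACK"})
    # A stray ACK with no matching state entry is dropped.
    results["stray"] = fw.inspect({"proto": "tcp", "src": "198.51.100.7", "sport": 5555,
                                   "dst": "192.0.2.80", "dport": 80, "flags": "ACK"})
    # Flood: one source opens many connections and never completes them.
    flood = [fw.inspect({"proto": "tcp", "src": "198.51.100.7", "sport": 10000 + i,
                         "dst": "192.0.2.80", "dport": 80, "flags": "SYN"})[0]
             for i in range(8)]
    results["flood_allowed"] = flood.count("ALLOW")
    results["flood_dropped"] = flood.count("DROP")
    results["open_states"] = len(fw.states)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```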
Third-generation firewalls are known as application-level firewalls. The main benefit of filtering at the application layer is that the firewall can recognise typical applications and protocols such as FTP (File Transfer Protocol), HTTP (Hyper Text Transfer Protocol) and DNS (Domain Name System). If an unwanted service or application tries to bypass the firewall over an allowed port, the firewall detects and drops that traffic, which stops a protocol from being abused in harmful ways. In late 2012 the long-awaited NGFW (Next Generation Firewall) came into play. It focuses on deeper and wider inspection of application-layer attacks and includes deep packet analysis techniques such as Intrusion Prevention Systems (IPS), user identity management and WAF (Web Application Firewalls).
Current attack types and how they get blocked
No organization in the world will achieve 100% security, but it can mitigate attacks by doing the right things. Among the most dangerous attacks that currently exist, DDoS (Distributed Denial of Service) attacks, ransomware and malware come first (Kenig, 2013).
Firewalls focus on analyzing, examining and preventing one traffic flow at a time, so detecting the combined behaviour of current attacks is very hard. Stateless protection can handle thousands of connection attempts without needing rules or table entries. Consider the DDoS vector called the HTTP flood, which creates billions of legitimate-looking sessions with the server (Micro, 2015). Even though these are legitimate connections, most Next Generation Firewalls will block this kind of attack, because examining each individual session allows malicious and non-malicious communications to be distinguished. Another of the hardest attacks is the backdoor attack, which gives remote access to a device through a vulnerable application; attackers mostly use these backdoor programs to take administrative privileges on the internal network. Typical backdoor behaviour includes port binding, abuse of legitimate platforms, and calls to command and control (C&C) servers for malicious payloads. Keeping firewalls at entry points (also called perimeter security) can prevent these backdoor attacks. Recently there was a huge ransomware attack named "WannaCry". It exploited SMB (Server Message Block) on Windows operating systems; this protocol communicates over TCP port 445. Configure a rule that prevents SMB traffic from entering or leaving the network, and make sure that port 445 is not mistakenly opened by a lower rule. Always monitor violations and traffic flows and deny anything that breaches the company security policy. Put rules in place to prevent SMB ports from being opened in the future (Harrison, 2017).
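The WannaCry advice above (block TCP 445 in both directions and make sure no lower rule re-opens it) depends on how the firewall orders its rules. The following Python model is an added example, not code from the original text or from any firewall product: it evaluates rules first-match and audits a rule base for allow rules that could still admit port 445. The rule syntax, addresses and rule bases are constructed for illustration.

```python
"""Ordered rule evaluation and a rule-base audit: an added example, not the text's.

The text advises blocking SMB (TCP 445) in both directions after WannaCry and
warns against a lower rule mistakenly re-opening the port.  This toy
first-match evaluator shows why rule order matters and how to audit a rule
base for allow rules that can still admit port 445.  Rules, addresses and
packets are constructed samples; real firewall syntax differs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def _contains(cidr, ip):
    """True if address `ip` falls inside `cidr` ("any" matches everything)."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any

    def port_in_range(self, port):
        return self.dport is None or self.dport[0] <= port <= self.dport[1]

    def matches(self, pkt):
        return (self.direction in ("any", pkt["direction"])
                and self.proto in ("any", pkt["proto"])
                and _contains(self.src, pkt["src"])
                and _contains(self.dst, pkt["dst"])
                and self.port_in_range(pkt["dport"]))

def evaluate(rules, pkt, default="deny"):
    """First matching rule wins, as on most packet filters: (action, rule index)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

def audit_port(rules, proto, port):
    """Indices of allow rules that can still admit `proto`/`port`.

    An allow rule is harmless only if an earlier deny for the same port covers
    its whole direction, source and destination scope (first-match semantics).
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or rule.proto not in ("any", proto) or not rule.port_in_range(port):
            continue
        shadowed = any(
            r.action == "deny" and r.proto in ("any", proto) and r.port_in_range(port)
            and r.direction in ("any", rule.direction)
            and _covers(r.src, rule.src) and _covers(r.dst, rule.dst)
            for r in rules[:i])
        if not shadowed:
            findings.append(i)
    return findings

def demo():
    """Constructed rule bases: the SMB deny placed correctly, then placed too low."""
    smb_deny = Rule("deny", "any", "tcp", "any", "any", (445, 445))
    web_out = Rule("allow", "out", "tcp", "10.0.0.0/8", "any", (80, 443))
    # Over-broad "file server" rule: admits every TCP port into the server VLAN.
    file_srv = Rule("allow", "in", "tcp", "any", "10.0.5.0/24", (1, 65535))
    good = [smb_deny, web_out, file_srv]
    bad = [web_out, file_srv, smb_deny]   # the SMB deny now sits below the broad allow
    probe = {"direction": "in", "proto": "tcp", "src": "198.51.100.9",
             "dst": "10.0.5.20", "dport": 445}
    return {
        "good_decision": evaluate(good, probe),       # ("deny", 0)
        "bad_decision": evaluate(bad, probe),         # ("allow", 1)
        "good_audit": audit_port(good, "tcp", 445),   # []
        "bad_audit": audit_port(bad, "tcp", 445),     # [1]
    }
```

Running `demo()` shows that in the mis-ordered rule base the broad allow rule (index 1) admits the inbound SMB probe and is reported by the audit, while in the correctly ordered base the deny shadows it.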
Types of Firewalls
Proxy Firewall
Proxy firewalls are somewhat old but are still in use today. A proxy firewall acts as a gateway from one network to another for predefined applications only. Modern proxy servers may provide additional functionality such as security and caching, by preventing direct communication from outside networks. These firewalls can be more expensive and slower than normal firewalls.
Unlike with other firewalls, network traffic does not flow through a proxy firewall. Instead, a computer or device that needs to communicate with an outside network establishes a connection with the proxy, and the proxy creates a new connection to the outside network. The response comes back to the proxy itself, which then forwards the traffic to the relevant device inside the network. This mechanism prevents direct access from untrusted outside communication (Anonymous, 2015).
Stateful Inspection Firewall
These firewalls are well known as "traditional" firewalls. Allowing or blocking is based on the protocol, port and state of the network traffic. The firewall monitors the whole communication from beginning to end. Both context and the rules defined by the administrator or security engineer are considered in filtering decisions. Context means taking information from previous traffic or packet patterns and from past communications belonging to the same connection.
These firewalls have advantages and disadvantages. They are typically faster than other packet screening methods: filtering is done at a lower level of the ISO-OSI model, so the filtering mechanism processes packets much more quickly. They can be implemented transparently, with no additional configuration needed by the buyer or the administrator. Stateful firewalls are also less expensive than other types of firewall, and many software packages and hardware devices already include packet filtering techniques as part of the standard package. There are some difficulties as well: a lack of authentication methods, and the difficulty and complexity of setting up advanced packet filtering rules (Anonymous, 2015).
UTM (Unified Threat Management) Firewall
These firewalls typically combine intrusion prevention, antivirus and a stateful inspection firewall, and may include cloud management and further services. A Unified Threat Management firewall focuses thoroughly on ease of use, convenience, integration and simplicity, which is especially valuable for enterprise use. UTM provides additional features such as application control, content filtering, spam filtering and web content filtering. These firewalls are designed to fight all levels of malicious activity on the internal network (Anonymous, 2015).
NGFW (Next-Generation Firewall)
Today most organizations use next generation firewalls to block modern threats such as application-layer attacks and advanced malware. They are very powerful and more intelligent than previous firewall types, but the price is also a little higher.
Next Generation Firewalls provide the typical capabilities of a standard firewall, an integrated intrusion prevention system, control to view and block suspicious applications, and more application awareness in general. They look at past malicious traffic and update their rules with information feeds. They also include inspection of Secure Sockets Layer (SSL) and Secure Shell (SSH) traffic and deep packet inspection.
Threat Focused NGFW
These have all the features of the Next Generation Firewalls but add threat detection and remediation. They identify which assets are most at risk and deliver complete context awareness, provide reactive and proactive awareness with intelligent and automated policies, and harden the corporate defence dynamically. They analyze suspicious activity on the network and on endpoints for better detection of evasive threats, so the time taken to detect an attack and clean it up decreases greatly. These firewalls continuously monitor for suspicious behaviour and activity after the initial inspection. Because of their user friendliness they are very easy to administer and reduce the complexity of configuration. They always come with threat detection engines that leverage both signature-less and signature-based technology (Anonymous, 2015).
Implementation of Firewalls
There are three main purposes in implementing a firewall: to establish a controlled network and link in the organization, to secure the internal network from Internet-based attacks, and, last but not least, to achieve a single choke point. Firewall implementations are generally done by experienced consultants, and they need to meet all the goals of placing a firewall. All network traffic from outside to inside, or vice versa, must go through the firewall. Only traffic defined as legal by the local security policy should be allowed to pass. The firewall itself must be resistant to penetration. When a security consultant implements a firewall plan for the organization according to these goals, the organization can expect the highest security (Behrouz A.).
There are four general techniques that need to be followed before placing a firewall.
- Controlling services – defines the varieties of Internet services that can be accessed, inbound or outbound.
- Controlling user actions – determines access to services according to user authorization.
- Controlling direction – defines the direction in which service requests are allowed.
- Controlling behaviour – defines and controls how services are used inside the organization (e.g. electronic mail).
When it comes to functionality, all firewalls perform in two ways.
Logging and Auditing
Any firewall can be configured to audit and log activity, so that all the information can be kept and analyzed at a later date.
Authentication of users
Firewalls can be set up to ask for end-user authentication. This helps network administrators track and control the activity of specific users.
NAT (Network Address Translation)
NAT hides the true IP (Internet Protocol) addresses of devices on either side of the firewall. There are two ways to perform it.
- Many-to-one – all actual addresses are translated to one address.
- One-to-one – each actual address is translated to a unique translated address.
Anti-spoofing – detects whether the source of a network communication has been "spoofed".
For example, a person trying to access a blocked site alters the source IP address inside the message so that all of their traffic is allowed through.
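One standard way to implement the anti-spoofing check described above is a strict reverse-path test. The Python below is an added example, not code from the original text: it drops a packet whose source address is not routable back through the interface it arrived on, which is exactly what happens when an outside host forges an inside address. The routing table, interface names and packets are constructed samples.

```python
"""Anti-spoofing ingress check: an added example, not code from the text.

It implements the strict reverse-path test commonly used for the anti-spoofing
function described above: a packet's source address must be routable back
through the interface it arrived on.  A packet arriving on the outside
interface while claiming an inside address, like the blocked-site example,
fails the test and is dropped.  Routing table and packets are constructed.
"""
import ipaddress

# Constructed routing table as (prefix, interface).  The most specific prefix
# wins; the 0.0.0.0/0 default route sends everything else via the WAN interface.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "lan"),
    (ipaddress.ip_network("10.0.5.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]


def route_interface(ip, routes=ROUTES):
    """Interface through which `ip` would be reached (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def reverse_path_check(pkt, routes=ROUTES):
    """Return ('ALLOW' | 'DROP', reason) for a packet dict with 'iface' and 'src'."""
    expected = route_interface(pkt["src"], routes)
    if expected is None:
        return "DROP", "no route back to source"
    if expected != pkt["iface"]:
        return "DROP", f"source {pkt['src']} belongs behind {expected}, arrived on {pkt['iface']}"
    return "ALLOW", "reverse path ok"


def demo():
    """Constructed packets: two genuine, two with forged sources."""
    packets = [
        # Genuine inside client on the LAN interface.
        {"iface": "lan", "src": "10.0.1.5", "dst": "198.51.100.7"},
        # Outside host claiming an inside address (the text's spoofing example).
        {"iface": "wan", "src": "10.0.1.5", "dst": "10.0.5.20"},
        # A DMZ server address showing up on the LAN interface.
        {"iface": "lan", "src": "10.0.5.20", "dst": "10.0.1.5"},
        # Ordinary Internet client.
        {"iface": "wan", "src": "203.0.113.9", "dst": "10.0.5.20"},
    ]
    return [reverse_path_check(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())
```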
Single point of failure – in most configurations the organization's firewall is the only link between network communications. If the firewall is unavailable or not configured properly, no traffic will be allowed through it.
Increased management responsibilities – firewalls make network troubleshooting more complex and add management responsibilities.
Traffic bottlenecks – there is a large chance that the corporate network becomes congested because all traffic is forced to pass through the firewall.
Firewalls may prevent a Trojan or virus that is already on a user's machine from using the Internet.
In summary, buying and implementing a firewall for an organization is a daunting task. The most valuable step is preparation. There may be VPN users inside the organization; identifying them properly and doing a survey will help to get a better picture. Whether the organization will have SharePoint or Exchange servers needs to be known and preconfigured before purchasing a firewall. There are even many integrated WAFs (Web Application Firewalls), which are very helpful if the organization runs web applications on in-house servers. Most people do not thoroughly understand the necessity and importance of firewalls; they are always considered a product for business only. If the organization's network has access to or communicates with the outside world through the Internet, then the organization needs a firewall to protect the internal network and its devices (Beal, 2010).
Additional Features of Firewalls
Most firewall vendors design their firewalls for very complex and large networks. Those cost much more, but they have faster throughput, handle many users and offer other advanced features:
- Reporting mechanisms and dedicated monitoring.
- The ability to monitor and manage multiple firewalls concurrently.
- The ability to be extended through plugins or add-on modules.
- Advanced authentication mechanisms.
- Integration with VPN (Virtual Private Network) gateways.
- Access control through policies, applied according to the user.
Beyond the features mentioned above there can be more advanced features depending on the subscription. 3DES (Triple Data Encryption Standard, a symmetric-key cipher) encryption is one such extra feature; it provides a stronger cipher for sensitive data such as passwords. Some brands provide free services such as spam filtering, URL (Uniform Resource Locator) screening, free anti-virus, reporting mechanisms, centralized management and web caching (Shinder, 2004).
Best Firewalls and their features
Palo Alto Networks Wildfire
These firewalls are developed to allow applications securely and safely and to avoid modern attacks. They identify all traffic based on users, content/devices and applications, so that the organization's policies can be expressed as easy-to-use security rules.
Focusing on superior architecture and benefits, Palo Alto offers one of the best firewalls in the world. It has unique features such as automated security, protection for data and users, precise control and complete visibility. They provide a free two-hour hands-on virtual lab. An organization can request an SLR (Security Lifecycle Review), in which the network is analyzed and a comprehensive report about the organization is produced. The newest firewalls are the PA-7000 Series, PA-5200 Series and PA-5000 Series.
The PA-7000 Series has some brilliant security features, such as:
- APT Prevention
- Passive DNS
- Data Filtering Decryption
- User Control & Visibility
- Application control and visibility, etc.
Cisco also has a very competitive firewall technology called ASA (Adaptive Security Appliance).
Its specifications state that it blocks more attacks and mitigates network breaches. These firewalls are mostly used for data center deployments, to protect the servers in the data center from the rest of the network. The firewall has two sides, called the inside (more trusted) and outside (less trusted) zones, and each side can be configured with a different security and trust level according to requirements. A large enterprise will generally have many data centers to protect, and all data center traffic should pass through their firewalls.
The diagram above is a good example of how to implement a basic security structure for a data center. Each data center has a firewall placed in front of it for redundancy purposes. According to the Unified Communications Solution, the two data centers may belong to two different clusters or to the same cluster (Anonymous, 2016).
Fortinet also provides one of the best Next-Generation Firewalls: high performance, with multilayered security and visibility giving end-to-end protection for the whole network. They deliver ultra-low latency and scalable performance. Fortinet provides security for distributed branches, internal segments and data centers at lower cost, and fights known and unknown threats to mitigate breaches of sensitive corporate data (Anonymous, 2017).
Their features include:
- Comprehensive protection and multilayered security against complex attacks, preventing single points of vulnerability.
- Demonstrated security effectiveness and third-party validation.
- An SSL inspection mechanism to protect against Trojans hiding in encrypted communication.
- Simplified deployment and consistent security with single-pane-of-glass management.
pfSense addresses comprehensive information security for large organizations. It brings together advanced features that make protecting the corporate network less complex than before. pfSense filters TCP and UDP traffic according to source and destination IP address, protocol and source and destination port. It can limit simultaneous connections on a per-rule basis, and flexible routing policies are possible by selecting the gateway (Technical team, 2017).
pfSense has packet normalization techniques to ensure that there is no ambiguity in interpreting the destination of a packet. There are many filter functions inside the firewall, but security analysts can still disable particular filters with the agreement of the consultants.
Another pfSense feature, IPsec, gives connectivity with any device that supports standard IPsec. It is mostly used for site-to-site connectivity to other installations and to other firewall brands such as Juniper and Cisco, and the organization can use it for mobile client connections as well. OpenVPN is also a powerful and flexible SSL solution for a wide range of operating systems. The PPPoE server can perform RADIUS authentication and optional accounting on the network.
Sophos offers two kinds of firewall, free and non-free. The features include traffic shaping, monitoring and reporting, application control, IPS, VPN and URL filtering. Traffic shaping increases the usable bandwidth inside the network: only prioritised application traffic on the Internet connection is shaped, in a predefined manner. The buyer can then access their home network from anywhere in the world, because a strong VPN mechanism is used for remote network monitoring as well.
Configuring Sophos is very lightweight because of its lightweight platform: an Intel-compatible server with dual network interfaces running the XG Firewall Home Edition will do the job (Technical Team, 2016). Sophos firewalls also have a cloud sandbox called "Sandstorm". It uses next-generation sandboxing techniques to give the corporation an extra layer of security against most targeted ransomware attacks. It comes with insight, unrivalled security and simplicity for the organization, blocking unknown threats with a suite of advanced IPS protections, and responding to incidents automatically to expose and mitigate hidden risks.
Future of the firewall
In 2017 people are experiencing Next Generation firewalls. But what is next? It is very hard to give a proper forecast about future types of firewall. Existing firewalls apply application security rules based on specific ports, filtering traffic by protocol such as SSH (Secure Shell), FTP (File Transfer Protocol) and HTTP (Hyper Text Transfer Protocol). In 5 to 10 years corporate infrastructure will change to public cloud applications such as SaaS (Software as a Service). Even the best firewalls available today are blind to users accessing unauthorized applications, which is known as "shadow IT". Another important point is that mobile users access cloud applications without going through the firewall. A new network security product, the CASB (Cloud Access Security Broker), is placed to address these limitations of the firewall. Mobility and cloud infrastructure cannot be solved with a firewall appliance, so there will be a new platform called NSaaS (Network Security as a Service).
When a security consultant decides to place the network's security inside the cloud, it needs to start with the firewall. Policy enforcement, networking and security commonly start with a site-to-site tunnel from the organization's location over the WAN (Wide Area Network). Websites such as "Shodan" are used to assemble IoT (Internet of Things) botnets from vulnerable devices to carry out huge attacks. Detecting attacks and threats by analyzing the source and destination of network traffic will no longer be possible. Phishing attacks and malicious domains that come with IoT are much harder to identify, because the devices encrypt their traffic and route DNS (Domain Name System) over encryption (Dickson, 2017).
IoT with firewalls
When it comes to the Internet of Things, cloud-based firewalls are always considered. Traffic tunneling is a special feature of the cloud that lets the firewall see the traffic going through it even when that traffic is encrypted; GRE tunnels, IPsec and single- or dual-function tunneling client software are best added. Cloud security for Internet of Things devices needs PKI (Public Key Infrastructure) management for legitimate authorization and integrity. Another part covers device security, including a trusted execution environment, identity certificates and secure boot. A further part covers communication security: protection against man-in-the-middle (MITM) attacks, message integrity, encryption and authorization.
Firewalls can be implemented as both hardware and software, but they need to perform real-time inspection of communication traffic while maintaining high throughput. If a firewall is still analyzing large numbers of packets and filtering them by rules, there can be bottlenecks as well as network performance issues. The future firewall needs to separate legitimate from illegitimate traffic automatically, in order to identify never-before-seen attacks and threats. When working with IoT devices the firewall has to be multipurpose. Given current high bandwidths, these firewalls will have to offer 10 GB of throughput per second in the next 5 to 10 years (Arsene, 2015). Once the organization has identified its Internet of Things attack surface, its devices should be divided into policy-driven zones based on risk profile. IoT policy groups and rules need to automatically limit or grant access for potentially compromised devices that are passing exploits and malware.
Firewalls for IaaS and PaaS
Outsourcing computing and firewall services, at the lower level with IaaS (Infrastructure as a Service) and at the higher level with SaaS/PaaS (Software as a Service/Platform as a Service), normally shifts part of the organization's security responsibility. Most cloud service providers offer very basic, default security products. Many cloud computing vendors, such as Rackspace (IaaS), Google (IaaS/PaaS), IBM (IaaS/PaaS) and Amazon Web Services (IaaS), use next generation firewalls such as Palo Alto for their cloud security. Amazon is well known as the largest player in the cloud computing space. IaaS comes with a firewall model compatible with the client VM as well. Beyond blocking certain ports inside the network, IaaS providers do not know which ports will need to be closed or opened in the future.
Both Azure and EC2 give users reconfigurable firewalls around groups of instances, referred to as Security Groups in EC2 and Endpoints on the Azure platform, designed to provide a very basic level of platform security. Interoperability and usability are evident, as both are very easy to configure while providing better default security by blocking inbound network traffic (except Secure Shell) by default, which mitigates insecure devices being exposed to the public Internet unintentionally. In terms of buyer experience, both Azure and EC2 give very simple web interfaces for configuring, adding and removing basic firewall rules. The GCE (Google Compute Engine) web interface lets the security consultant enable or disable HTTP (Hyper Text Transfer Protocol)/HTTPS (Hyper Text Transfer Protocol Secure) traffic, but any further settings must be made using the downloadable Google Cloud Software Development Kit (SDK) from the terminal. This method gives programmatic and scriptable control of the firewall, but makes configuration a little more difficult for buyers who are less used to the KCLI (Kernel Command Line Interface). Both types of interface give a similar level of configuration: firewall rules can be added to allow certain protocols and ports, and a range of allowed Internet Protocol (IP) addresses or individual addresses can be specified. All the interfaces surveyed used IPv4 (Version 4) rather than v6 (Version 6).
Cloud Based Firewalls (Firewall as a service)
Cloud-based firewalls come in many different versions. All cloud-based firewalls are applications that examine outgoing and incoming network or IP packets, filter them against firewall access policies and mitigate malicious network traffic. Yet these firewalls are also quite different from other firewalls. Think of the firewall as two essential network security techniques: both are designed to protect the organization's corporate network and its real and virtual assets, but in different contexts from the cloud perspective. Plain-vanilla firewalls in cloud-based technology play the role of traditional on-premises firewall equipment, except that these firewalls are a service provided by the organization's ISP (Internet service provider) or perhaps by a dedicated Software as a Service (SaaS) provider of firewall services, that is, a Firewall as a Service (FWaaS) provider. CIOs' organizations might pay a fixed or variable fee for these kinds of services; this is more likely if the service is provided by the local Internet Service Provider or telecom company. Alternatively, they might pay on a monthly billing cycle based on several other factors, such as the total bandwidth consumed and optional other services (such as domain filtering) beyond strictly safeguarding against malware.
Changing settings in the FWaaS is quite straightforward. If it is an add-on service provided by the local telecom company, buyers probably do not need to change configurations or do anything else at the main business location. Network security administrators get a management or dashboard console that displays activity and may let them select options for what is displayed on the screen, and domains to whitelist or blacklist. With FWaaS the organization pays only for what it uses, so the company does not have to buy more firewall appliance capacity than it generally needs just to be prepared for its busiest intervals. An organization may have excess on-premises firewall capacity, especially if it has already started to migrate critical services to the trusted cloud. By turning off specified appliances, the organization is essentially outsourcing its security perimeter to a more efficient and effective service.
Future Enterprise Firewalls
Future firewalls will always be delivered as a cloud service, because cloud computing security has in any case focused on the business benefits and engineering challenges of the cloud. Current studies that explicitly explain the security implementation and implications of the cloud, and many research papers, also give an overview of the challenges in cloud security, because the firewall will be hosted inside the cloud. Others look more at the regulatory and liability aspects surrounding moving data into the cloud with cloud security, or focus on the theoretical implementation of the cloud's security infrastructure in the firewall. Such work has shown how firewalls may be smoothly adapted to cloud-based environments, but it did not describe any current implementations for comparison, because it is too early to predict future specifications. In discussing the cloud as a white box, these works aim to reveal its external and internal functionality and frequently deal with network security issues.
There can be these kinds of features in the future:
- Advanced and intelligent context-based firewall security – the context-based security model will quickly replace the static security infrastructure that currently exists in most administrations.
- Improved decision-making – a context-aware solution uses data from multiple sources and can intelligently put it in the right context, enabling firewalls to make more accurate security decisions during an incident.
- Better focus, faster response – by filtering data based on context, firewalls could reduce the flood of security alerts to only the few key vulnerabilities that represent the highest risk. This also reduces response time.
- Sensing advanced threats – a context-based firewall scheme is sensitive and active in its approach and delivers better visibility and insight. IT advisors will be able to simply trace what is happening on the network, which will be particularly useful for thwarting next generation malware and the advanced threats that are emerging.
- Operational savings – reduced response time, more accurate decisions and improved focus of network security strategies are all factors that collectively result in operational savings for an organization using a firewall that implements context-based security.
Upcoming firewalls will focus on higher-level information to become more situationally aware; they will become more dynamic, adapting as threats change in the cloud, and more capable of segmenting the large corporate network without disrupting machine communication. Firewalls are essential to perimeter security, but they should be supplemented by internal and external threat monitoring mechanisms. Instead of focusing solely on what is inside the firewall, security consultants will start to put more focus on network security measures both inside and outside the organization's perimeter. Firewall implementation will change in the future. Human configuration will long remain the only way to tune a firewall, but machine learning will enable future firewalls to take on hackers and attackers more proactively.