Understanding Firewall Technologies


Firewalls, however unfortunately, are an essential part of connecting to the Internet. The devices that you use to connect to the Internet use complicated operating systems which are prone to security risks due to the nature of software engineering. Because of the consistent weaknesses in software on your personal computer and hand-held devices, installing firewalls is an inherently reactionary security measure–no amount of cryptography is going to completely protect you against buggy software.

In order to minimize risk and protect yourself from the potential threats that exist beyond your home/office local area network, it’s wise to implement, at the very least, a basic stand-alone firewall (such as a router). Firewalls are designed to monitor and/or prevent network intrusions and are programmed with much less code, therefore having a (proven) lower probability that they contain bugs/security holes.

One of the greatest things to happen to the Internet is the popularity of wireless (802.11 a/b/g/n) devices. You may be skeptical because of the security risks that are inherent with unsecured wireless networks. But what this increase disbursement of wireless routers did was it directly, however unintentionally, put a hardware (stand-alone) firewall in front of millions, if not billions of home networks.

There are many different technologies used in various firewalls: packet filter, stateful, application proxy, unified threat management (UTM), intrusion detection and/or protection system (IDPS), and network address translation (NAT). There are big differences when it comes to the performance of the different types of firewalls; however, as a typical home user you will not notice the limitations of throughput.

Before we jump into the various firewall technologies, you should understand the difference between an appliance-based firewall and a server-based firewall. A typical Linksys home-network router is an appliance firewall because the hardware was designed around the needs of the firewalls software. There are exceptions of course, which include third-party firewall operating systems, such as DD-WRT, Open-WRT or Tomato. But using these operating systems in appliance-based firewalls does not make them server-based firewalls because they are static, unchangeable units. Server-based firewalls can be changed to adapt to the necessary requirements of any given local area network. Server-based firewalls include x86/64 computers that Linux-based firewalls can be installed to via CD, DVD, USB, or PXE.

Packet Filter

Packet filtering is the oldest and the most basic firewall technology. All firewalls have some level of packet filtering. Packet filtering simply allows or denies individual packets based on a set of rules–a set of rules that manages the inspection of the information in the packets header, such as the packets source or destination address, protocol, and/or port number. Packet filtering does not inspect the payload; nor does it monitor the sessions, which makes them vulnerable to spoofing attacks. Packet filtering works on layers 1, 2 and 3 of the OSI model making packet filter technology very efficient.

Stateful Packet Inspection (SPI)

Stateful firewalls are built into any modern firewall system. To be a “stateful” firewall, the “state” of all TCP sessions are monitored including the sequence numbers in packet headers. After the session has ended, the session-table is discarded. Stateful firewalls also do not monitor the payload of data packets. Stateful firewalls differ based on firewall vendor because with UDP and ICMP traffic, for example, there are no packet “states” for the firewall to monitor, unlike a classic TCP protocol where there is a well defined start and end of any given session. Connectionless “sessions” can be monitored, but the end of a session is ended via timeout.

SPI Examples

Appliance-based stateful firewalls include any typical home/small office router or wireless access point. Server-based stateful firewall operating systems include:

Some of these server-based stateful firewall distributions support basic intrusion detection and prevention system technologies (keep reading…).

NOTE: The reason why people like to change their appliance-based operating system from the default OS found in most routers, such as those by Linksys, is because the default operating systems are tailored to home users that typically do not know enough about firewall and/or routing systems to modify them. It would cost router vendors more money to increase the complexity of these firewall operating systems, not to mention the probable increase in tech support. By “upgrading” an appliance-based routers firmware with third-party firmware, such as DD-WRT, advanced users can have access to better router/firewall controls.

Application Proxy

Application-proxy firewalls are the most “in depth” and most secure firewall technology for specific network applications because these firewalls are the middle man between all communications across all seven layers of the OSI model. It is most commonly used in simple Web hosting or (non-time-sensitive) e-mail service environments, and are not used in high-bandwidth intensive environments (such as Web file servers). Each protocol that needs to be monitored and controlled requires a unique proxy application module, increasing the need for computation resources. Being bandwidth-sensitive, due to the dependency on computation resources, application proxy firewalls are susceptible to denial of service attacks. The advantages of an application proxy firewall over a packet filter firewall or a stateful firewall include advanced security monitoring functions. Application proxy firewalls can authenticate users directly, examine the payload of data packets and make decisions based on the payloads. Application proxy firewalls can also be deployed in redundant configurations and/or clusters.

Application Proxy Examples:

  • ($$) Microsoft’s ISA server, a server-based firewall, which can run in server-core which is highly secure and less taxing on the servers limited resources. The best use of Microsoft ISA server is within the local area network and not at the network perimeter. (software based)
  • ($$) Fortinet Web Application Firewall (hardware based)
  • ($$) McAfee Firewall Enterprise (hardware based)
  • (free) Zorp GPL is an less comprehensive application proxy that can be installed onto a *nix operating system by an advanced user. (software based)

Unified Threat Management (UTM)

UTM firewalls combine several firewall technologies, including stateful, intrusion detection and prevention, anti -virus, -spyware, -fishing, -adware, -spam and web content filtering. UTMs are also used primarily in low-throughput intensive environments, with low-user counts. UTMs are not limited to low-throughput networks however, because server-based firewalls are only limited by how much money you can put into its hardware. The IPS capabilities in UTM firewalls are typically subsets of full blown IPS features, meaning they only support protection for a small amount of protocols. Anti-virus functionality is generally limited to HTTP, SMTP, and POP3 protocols only.

UTM Examples:

Intrusion Detection and Prevention System (IDPS, IDS, IPS)

Intrusion detection systems (IDS) only monitor. Typically, IDS are used in conjunction with intrusion prevent systems (IPS) by monitoring and logging network traffic. This logged information is then shared with various IPS, both network-based and host-based.

(Internet) –> (IDS) –> (Firewall) –> (IPS) –> (Network/Servers/Hosts)

In this above scenario, the IDS is able to monitor all traffic that enters and leaves the network. This is important because log analysis is crucial for proper care of a business environment’s network. The information that the IDS collects can be used to anticipate (IPS) incoming traffic. Having a leaner SPI firewall in front of the IPS decreases the amount of IPS processing so the IPS can have maximum resources available to tackle more complex traffic.

IDPS are commonly associated to network-based devices, meaning they are appliance- and server-based devices that support the network. IDPS can also support, monitor and protect the hosts on the network in the form of software. Host-based intrusion detection and prevention systems (HIDS/HIPS) also support the NIDS/NIPS by providing the complete IDPS with up-to-date information with needs and activity of the hosts on a network.

IDPS are different from UTMs because IDPS are much more feature-rich in terms of capability. UTMs support only a couple hundred signatures and only a dozen or so protocols, where as a full IDPS will utilize several thousand signatures and over 40 protocols. Of course this is dependent on the vendor and/or product. IDPS are capable of managing their own rule sets by “learning” and can update themselves either by downloading new content or sharing information with other IDPS on the network. Stand alone appliance-based IDPS can also support up to multi-gigabit speeds.

HIDS such as OSSEC (see below) are important to businesses that have to be PCI compliant because they monitor extremely detailed aspects of hosts. This information that OSSEC monitors is stored centrally on a local server for system administrators.

IDPS Examples:

Read this excellent article: Three Open Source IDS/IPS Engines: The Setup

Network Intrusion Prevention Systems (NIPS)

Host Intrusion Prevention Systems (HIPS)

Network Intrusion Detection Systems (NIDS)

Host Intrusion Detection Systems (HIDS)

  • (free) OSSEC (SANS Institute InfoSec Reading Room: Using OSSEC with NETinVM [pdf])
  • (free) Samhain

NOTE: Cisco, Juniper, and Check Point are the largest suppliers of business-class firewall devices. Be sure to do your research and to ask questions when shopping for security solutions. ICSA Labs is always a good place to start.

Additional resources:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s