A firewall's basic task is to transfer traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).
What is a Firewall
A firewall's function within a network is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. However, network firewalls, unlike physical firewalls, are designed to allow some traffic to flow.
What is a Firewall?
Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.
Types of Firewall
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules; or default rules may apply.
Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection. If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.
Types of Firewalls
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach
Types of Firewalls
Network Address Translation ( NAT , also known as Network Masquerading , Native Address Translation or IP Masquerading ) involves re-writing the source and/or destination addresses of IP packets as they pass through a Router or firewall. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address. Many network administrators find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts and may have a performance impact
Types of Translation
Network Address Translation
One-to-One (One private address for One public address)
Geared for applications that require use of many ports/apps (i.e. ftp, www, 8081).
Port Address Translation
One-to-many (One public IP address is used, but specific ports are translated).
Geared for applications that only need 1 port in connection (i.e. basic web servers, e-mail).
Appropriate use of Firewalls
Firewalls are applicable when –
When there is two networks that have a distinct trust factor (friend/foe).
When network topology is designed to flow all traffic thru a single interface which connects to the firewall (i.e. protected networks connection must terminate behind firewall).
When there is need for extra layer of protection for certain applications.
Appropriate use of Firewalls
Firewalls are NOT applicable when
When applications that transverse two networks are QoS sensitive.
Vendors use scare tactics and not give a qualified reason for firewall.
When you are only support and haven’t been trained.
When application/resource accessibility is more critical than security (timing).
By default, less trusted networks has NO access to the trusted network (deny all).
Be port specific as possible when allowing outside host to access applications.
Remember ANY means ANY in a firewall ruleset! Outside of web and e-mail, this should not be used to allow access into applications.
For vendor support, restrict access just to their network or IP Address.
Certain applications are very firewall sensitive (i.e. Voice, H323 or any QoS type apps).
Firewalls does not encrypt data unless specifically programmed( IPSec tunnel).
Rulesets/access-list will not work unless applied to interface.