What is a firewall?

GajShield Next Generation Firewall

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle a firewall can be thought of as a pair of mechanisms: one that exists to block traffic and one that exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a clear idea of what kind of access you want to allow or deny, a firewall really won't help you. It's also important to recognize that, because the firewall's configuration is a mechanism for enforcing policy, it imposes that policy on everything behind it. Administrators of firewalls that manage connectivity for a large number of hosts therefore carry a heavy responsibility.

Types of Firewalls

Following are the types of firewalls based on how they work:

  • Packet Filtering Firewalls - block selected network packets.
  • Proxy Servers - make network connections on your behalf.
  • Unified Threat Management (UTM) firewalls - A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention, antivirus and simple malware detection. It may also include additional services for content filtering. UTMs focus on simplicity and ease of use. UTM devices have the limitation of not being able to detect modern advanced threats, because they cannot inspect deep inside the packet to identify them.
  • Next-Generation Firewalls (NGFW) - Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks. GajShield Next Generation Firewall (NGFW) provides an additional layer of security with its Context based Data Leak Prevention (DLP) Engine.

Packet Filtering Firewalls

A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive, they are filtered by:

  • Protocol type
  • Source address and port
  • Destination address and port

Because very little data is analyzed and logged, filtering firewalls use less CPU and add less latency to your network. Filtering firewalls do not provide password controls; they cannot identify users. The only identity a user has is the IP address assigned to their workstation. This can be a problem if you use DHCP (dynamic IP assignment). Filtering firewalls are more transparent to the user: the user does not have to set up rules in their applications to use the Internet. The more advanced and complex implementations of packet filtering also interpret the packet payload. The status of every current connection is analyzed and recorded. This process is called stateful inspection. The packet filter records the state of every single connection and only lets packets pass that meet the current connection criteria.
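To make the five-tuple matching described above concrete, here is a small stateless packet filter, written for this page as an added example (it is not GajShield code or any product's implementation). The `Packet` and `Rule` classes, the `filter_packet` function, the rule set and the RFC 5737 documentation addresses are all constructed for the demonstration; the last rule in the set shows the cost of stateless filtering that the stateful inspection section returns to: to admit web replies, the filter must admit every packet whose source port is 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR; None matches any address
    sport: Optional[int] = None     # None matches any port
    dst: Optional[str] = None
    dport: Optional[int] = None


def _addr_ok(cidr, addr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    """All five header fields must match; None in the rule is a wildcard."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and _addr_ok(rule.src, pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _addr_ok(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules, pkt, default="deny"):
    """First matching rule wins; a packet no rule mentions gets the default (deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


INTERNAL = "192.0.2.0/24"          # constructed internal network
RESOLVER = "198.51.100.53/32"      # constructed DNS resolver

# Constructed rule set: default-deny, outbound web and DNS permitted.
RULES = [
    Rule("allow", proto="tcp", src=INTERNAL, dport=80),
    Rule("allow", proto="tcp", src=INTERNAL, dport=443),
    Rule("allow", proto="udp", src=INTERNAL, dst=RESOLVER, dport=53),
    # A stateless filter cannot tell a web server's reply from any other packet
    # with source port 80, so admitting replies means admitting all such packets.
    Rule("allow", proto="tcp", sport=80, dst=INTERNAL),
]


def evaluate_samples():
    """Run constructed sample packets through the rule set; returns name -> verdict."""
    samples = {
        "outbound_http":   Packet("tcp", "192.0.2.10", 40000, "203.0.113.5", 80),
        "outbound_telnet": Packet("tcp", "192.0.2.10", 40001, "203.0.113.5", 23),
        "dns_to_resolver": Packet("udp", "192.0.2.10", 50000, "198.51.100.53", 53),
        "dns_elsewhere":   Packet("udp", "192.0.2.10", 50000, "198.51.100.99", 53),
        "inbound_ssh":     Packet("tcp", "203.0.113.5", 44444, "192.0.2.10", 22),
        "http_reply":      Packet("tcp", "203.0.113.5", 80, "192.0.2.10", 40000),
        "sport80_to_ssh":  Packet("tcp", "203.0.113.99", 80, "192.0.2.10", 22),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:16s} {verdict}")
```

The `sport80_to_ssh` sample is the weakness to notice: because the filter has no memory of which connections the inside opened, the reply-admitting rule also admits an unrelated packet to port 22 simply because its source port is 80. Stateful inspection, described further down, removes the need for that rule.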

Proxy Servers

Proxies are mostly used to control or monitor outbound traffic. Some application proxies cache the requested data. This lowers bandwidth requirements and reduces the access time for the same data for the next user. It also gives unquestionable evidence of what was transferred.

Application Proxy

The best example is a person telneting to another computer and then telneting from there to the outside world. With an application proxy server the process is automated. As you telnet to the outside world, the client sends you to the proxy first. The proxy then connects to the server you requested (the outside world) and returns the data to you. Because proxy servers handle all the communications, they can log everything they (you) do. For HTTP (web) proxies this includes every URL you see. For FTP proxies this includes every file you download. They can even filter out "inappropriate" words from the sites you visit or scan for viruses. Application proxy servers can authenticate users. Before a connection to the outside is made, the server can ask the user to log in first. To a web user this would make every site look like it required a login.

Unified Threat Management (UTM) firewalls

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention, antivirus and simple malware detection. It may also include additional services for content filtering. UTMs focus on simplicity and ease of use. UTM devices have the limitation of not being able to detect modern advanced threats, because they cannot inspect deep inside the packet to identify them.

Next Generation Firewalls (NGFW)

Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks. GajShield Next Generation Firewall (NGFW) provides an additional layer of security with its Context based Data Leak Prevention (DLP) Engine. Intentional or unintentional leaking of information is a major concern for enterprises because users are exposed to an increasing number of personal and business applications over the web. Whether they use email applications, instant messaging, web chats or simple document storage sites, all of these applications can easily be used to leak information. These applications are also used by enterprises for business communication, so blocking them is not the solution. Current firewalls or UTMs are unable to restrict the usage of these applications to prevent data leaks. GajShield is the only Next Generation Firewall which gives an organisation complete control by providing 'Visibility', 'Monitoring', 'Detection' and 'Prevention' of data being sent out of the enterprise, which current-generation UTM devices are unable to do. Along with Data Leak Prevention, Next Generation Firewalls (NGFW) also need to adapt to cloud security and roaming users. They need to ensure that all policies are enforced on roaming users' devices, irrespective of the user's connectivity or location, without those devices becoming a threat to the enterprise network.

Stateful Inspection Firewall

Stateful firewalls represent a major technological jump in the intelligence of a firewall. This "statefulness" allows the firewall to block or detect many stealth scans that previously went undetected by many firewalls. It also blocks DoS attacks by intelligently rate-limiting user-defined packet types, allowing you to block attacks such as SYN floods.

Stateful Firewalling

A network communication is made up of small chunks of data called packets. In the case of TCP, several of these packets are used solely to create, maintain, and finish the connection. This is because TCP uses the concept of a connection, allowing it to automatically correct data errors, interpret incoming packets in the same order they were sent, and otherwise keep track of a sustained connection. Normal "stateless" packet filters, like the ones present on most routers, inspect each packet individually, with no memory or understanding of its place in a connection. Now suppose, like many organizations, you've chosen not to allow external computers to initiate connections with your internal machines. A stateless firewall/router can only distinguish a packet that's part of an existing connection from one that starts a new connection by reading the packet's SYN flag. It has to trust the packet itself. A foreign (external) computer created that packet, so it can set the flags any way it likes! Some network scanners exploit this to bypass firewalls, scanning networks that should have been invisible to them. A stateful firewall helps to protect against the above attacks. A stateful firewall has a memory of each connection passing through it. When that foreign packet tries to enter the network, claiming to be part of an existing connection, the firewall can consult its list of connections.

When it finds that the packet doesn't match any of these, it can drop that packet and defeat the scan. Even with the "stateless" UDP protocol, statefulness is still a very useful feature. Suppose, as before, that you're restricting outside computers from initiating connections with your internal machines. DNS (computer name <-> IP address) lookups use UDP. If your routers can't keep track of your DNS requests, they have to allow in DNS-type (UDP port 53) packets from any DNS server. A stateful firewall keeps track of all your outgoing DNS requests, only allows DNS-type (UDP port 53) packets from servers that you've queried, and is intelligent enough to stop accepting data after the first response.

There's another wonderful advantage to stateful firewalls. They're a whole lot easier to administer, using a smaller number of rules to create much more precise firewalling. For example, when your FTP client opens a connection to an FTP server, this is a TCP connection originating at some high port on your client and ending on port 21 on the server. Whenever you get data, from the directory listing to a full file transfer, a second connection is opened up. Under active FTP, this connection originates at the server, on port 20, and ends on your client, at some random high port negotiated between the two hosts. This is backwards! In essence, for the data channel, your client is acting like a server. Why is this a problem? Well, on a stateless "default deny" firewall, where you have to explicitly list every type of packet that you want to be allowed through, it's tough to characterize this connection. In the end, your firewall says "let every connection through that originates on my clients, and, additionally, allow any machine's TCP port 20 to connect to any high port on my clients." This is a kludge and a mess! One reason this makes us uncomfortable is that attackers have learned to originate their scans from this port, just to get through these stateless firewalls. Now, with stateful firewalling, you are in a much better situation. The firewall is smart enough to monitor the port negotiation, memorizing what port the data connection will connect to on the client. It then opens that port, and that port only, rather than the 64512 possible ports on that machine. Not only is this smarter, it's also easy to configure, as it only requires one rule and no kludges.
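The three behaviours described in the stateful-firewalling paragraphs above (dropping an inbound packet whose flags claim an existing connection the firewall never saw, admitting exactly one UDP reply per outgoing DNS query, and opening only the negotiated active-FTP data port after watching the PORT command) can be shown in one small connection tracker. The code below is an added example written for this page, not GajShield code or any product's implementation; the `StatefulFirewall` class, the `run_scenario` traffic, the internal prefix and the RFC 5737 addresses are all constructed. It goes slightly beyond the text by also refusing a PORT command that advertises an address other than the client's own, so the pinhole can only ever point back at the client.

```python
import re
from dataclasses import dataclass

INTERNAL_PREFIX = "192.0.2."      # constructed "inside" network for the demo


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset() # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: str = ""              # only inspected on the FTP control channel


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


class StatefulFirewall:
    """Default-deny inbound; anything the inside initiates is remembered."""
    PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self):
        self.tcp = set()           # (initiator, iport, responder, rport) tuples
        self.udp_expect = set()    # outbound queries still owed exactly one reply
        self.ftp_expect = set()    # (server, 20, client, data_port) pinholes

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            return self._outbound(pkt, key, rev)
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            return self._inbound(pkt, key, rev)
        return "drop"              # the demo only arbitrates inside<->outside traffic

    def _outbound(self, pkt, key, rev):
        if pkt.proto == "tcp":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.tcp.add(key)                  # new connection started from inside
            elif key not in self.tcp and rev not in self.tcp:
                return "drop"                      # packet for a connection we never saw
            if pkt.dport == 21:
                self._learn_ftp_port(pkt)          # watch the control channel for PORT
            return "accept"
        if pkt.proto == "udp":
            self.udp_expect.add(key)               # DNS-style query: admit one reply only
            return "accept"
        return "drop"

    def _inbound(self, pkt, key, rev):
        if pkt.proto == "tcp":
            if key in self.tcp or rev in self.tcp:
                return "accept"                    # part of a connection we remember
            if "SYN" in pkt.flags and key in self.ftp_expect:
                self.ftp_expect.discard(key)       # the negotiated data channel, that port only
                self.tcp.add(key)
                return "accept"
            return "drop"                          # unsolicited SYN, or a flag-forging scan
        if pkt.proto == "udp" and rev in self.udp_expect:
            self.udp_expect.discard(rev)           # the first reply consumes the expectation
            return "accept"
        return "drop"

    def _learn_ftp_port(self, pkt):
        m = self.PORT_RE.search(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        advertised = f"{h1}.{h2}.{h3}.{h4}"
        if advertised != pkt.src:
            return                                 # only pinhole the client's own address
        self.ftp_expect.add((pkt.dst, 20, advertised, p1 * 256 + p2))


def run_scenario():
    """Constructed traffic exercising the cases from the text; returns name -> verdict."""
    fw = StatefulFirewall()
    client, web, resolver, ftp = "192.0.2.10", "203.0.113.5", "198.51.100.53", "203.0.113.21"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return {
        "syn_out":          fw.handle(Packet("tcp", client, 40000, web, 80, syn)),
        "synack_in":        fw.handle(Packet("tcp", web, 80, client, 40000, synack)),
        "forged_ack_in":    fw.handle(Packet("tcp", "203.0.113.99", 80, client, 40001, ack)),
        "dns_query":        fw.handle(Packet("udp", client, 50000, resolver, 53)),
        "dns_reply":        fw.handle(Packet("udp", resolver, 53, client, 50000)),
        "dns_second_reply": fw.handle(Packet("udp", resolver, 53, client, 50000)),
        "ftp_ctrl_syn":     fw.handle(Packet("tcp", client, 40100, ftp, 21, syn)),
        "ftp_port_cmd":     fw.handle(Packet("tcp", client, 40100, ftp, 21, ack, "PORT 192,0,2,10,160,0\r\n")),
        "ftp_data_syn":     fw.handle(Packet("tcp", ftp, 20, client, 40960, syn)),
        "port20_other":     fw.handle(Packet("tcp", ftp, 20, client, 40961, syn)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} {verdict}")
```

The PORT argument `192,0,2,10,160,0` encodes address 192.0.2.10 and port 160*256+0 = 40960, so the tracker admits the server's SYN from port 20 to client port 40960 and nothing else; a second SYN from port 20 to port 40961 is dropped, which is exactly the one-rule, no-kludge behaviour the paragraph describes. A real tracker would also age entries out and tear them down on FIN/RST, which this demo omits.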

Features of GajShield Next Generation Firewall

 and many more features.