What is a firewall and how does it work?

The Ultimate Guide to Firewalls: Enhancing Your Network Security

Introduction

Whether you’re new to the subject or exploring out of curiosity, you’ve probably come across the term “firewall.” A firewall is a crucial system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. The primary purpose of a firewall is to limit or eliminate unwanted network communications while allowing legitimate communication to flow freely. In most server infrastructures, firewalls are essential layers of security that, combined with other measures, prevent attackers from accessing servers maliciously.

This comprehensive guide aims to explain how firewalls work, the mechanics behind technologies like Nftables and FirewallD, and how they relate to cloud servers. Here’s a quick outline to help you navigate through this guide:

  1. TCP Network Packets
  2. Types of Firewalls
  3. Firewall Rules
  4. Incoming & Outgoing Traffic
  5. Firewall Software & Tools

1. TCP Network Packets

Before diving into the different types of firewalls, let’s take a quick look at what Transmission Control Protocol (TCP) network traffic is and how it works.

TCP network traffic moves around a network in packets, which are containers consisting of a packet header and the data being carried (also called the payload). The header contains control information such as:

  • Source and destination addresses
  • Packet sequence information

The control information in each packet ensures that the associated data is delivered properly. Firewalls use these elements to match packets against firewall rules.

Note: To receive incoming TCP packets, the receiver must send outgoing acknowledgment packets back to the sender. The combination of control information in the incoming and outgoing packets between the sender and receiver determines the connection state: new, established, or related.

How TCP Works in Detail

Understanding TCP is crucial for configuring firewall rules effectively. TCP ensures that data packets are delivered in the correct order and without errors. This is achieved through a process known as the three-way handshake:

  1. SYN: The sender sends a SYN (synchronize) packet to the receiver.
  2. SYN-ACK: The receiver acknowledges with a SYN-ACK (synchronize-acknowledge) packet.
  3. ACK: The sender sends an ACK (acknowledge) packet back to the receiver, establishing a connection.

Firewalls monitor these packets to determine the state of a connection and apply rules accordingly. This ensures that only legitimate traffic is allowed through, enhancing the security of your network.

2. Types of Firewalls

There are three basic types of network firewalls:

Packet Filtering (Stateless Firewalls)

Packet filtering firewalls inspect individual packets in isolation. They remain unaware of the connection state, allowing or denying packets based on individual packet headers.

Stateful Firewalls

Stateful firewalls are more flexible than stateless firewalls and can determine the connection state of packets. They collect related packets and apply firewall rules to the traffic only after determining the connection state.

Application Firewalls (Proxy-Based Firewalls)

Application firewalls go deeper by analysing the data being transmitted. This allows network traffic to be matched against firewall rules specific to individual services or applications.

Firewall software is available on all modern operating systems, and firewall functionality can also be provided by hardware devices such as routers or firewall appliances.

Note: This article focuses on stateful firewalls running on the servers they are intended to protect.

Detailed Comparison of Firewall Types

Packet Filtering Firewalls

Packet filtering firewalls, also known as stateless firewalls, are the simplest type of firewall. They operate by inspecting packets individually, without regard to the state of the connection. This means they cannot track the connection state and may not be as effective in identifying malicious traffic patterns. However, they are fast and efficient, making them suitable for small networks or specific applications where speed is critical.

Stateful Firewalls

Stateful firewalls, on the other hand, keep track of the state of active connections and make decisions based on the context of the traffic. This allows them to be more precise in filtering traffic, as they can identify and block unwanted connections based on their state. Stateful firewalls are more resource-intensive than packet filtering firewalls but offer greater security and flexibility.

Application Firewalls

Application firewalls, or proxy-based firewalls, operate at the application layer of the OSI model. They can inspect the data being transmitted and enforce rules based on the content of the traffic. This makes them highly effective in protecting against application-layer attacks, such as SQL injection or cross-site scripting (XSS). However, they can be more complex to configure and maintain, and may introduce additional latency due to their deep packet inspection capabilities.
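The three-way handshake above and the stateless-versus-stateful comparison in this section can be made concrete with a small connection tracker. The following Python is an added example, not code from the original article: it follows each handshake packet through the states SYN_SENT, SYN_RECV and ESTABLISHED, labels packets NEW, ESTABLISHED or INVALID the way a stateful firewall does, and contrasts that with a stateless check that only looks at the destination port. The addresses and ports are constructed sample values.

```python
"""Connection tracking for TCP, as a stateful firewall does it.

Added example, not code from the original article: it follows the three-way
handshake and labels every packet NEW, ESTABLISHED or INVALID, then contrasts
that with a stateless check that only sees the packet header.
Addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def flow_key(p: TcpPacket):
    """Identify a connection independently of direction by ordering its endpoints."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class ConnTracker:
    """Tracks handshake progress per flow: SYN_SENT -> SYN_RECV -> ESTABLISHED."""

    def __init__(self):
        self.flows = {}  # flow_key -> (handshake_state, initiator endpoint)

    def classify(self, p: TcpPacket) -> str:
        key = flow_key(p)
        me = (p.src, p.sport)
        if key not in self.flows:
            # Only an initial SYN may open a connection; anything else is out of context.
            if p.syn and not p.ack:
                self.flows[key] = ("SYN_SENT", me)
                return "NEW"
            return "INVALID"
        state, initiator = self.flows[key]
        if state == "SYN_SENT":
            if p.syn and p.ack and me != initiator:
                # The SYN-ACK is the first reply: the flow has now been seen in both directions.
                self.flows[key] = ("SYN_RECV", initiator)
                return "ESTABLISHED"
            if p.syn and not p.ack and me == initiator:
                return "NEW"  # retransmitted SYN
            return "INVALID"
        if state == "SYN_RECV":
            if p.ack and not p.syn and me == initiator:
                self.flows[key] = ("ESTABLISHED", initiator)
                return "ESTABLISHED"
            return "INVALID"
        # Fully established: data and ACKs in either direction belong to the flow.
        return "INVALID" if p.syn else "ESTABLISHED"


def stateless_allows(p: TcpPacket, open_ports) -> bool:
    """A packet filter sees only this packet's header: is the destination port open?"""
    return p.dport in open_ports


def handshake_demo():
    """Client 198.51.100.7:40001 connects to web server 192.0.2.10:443 (constructed)."""
    client, server = ("198.51.100.7", 40001), ("192.0.2.10", 443)
    c2s = lambda **flags: TcpPacket(*client, *server, **flags)
    s2c = lambda **flags: TcpPacket(*server, *client, **flags)
    tracker = ConnTracker()
    packets = [
        c2s(syn=True),            # 1. SYN
        s2c(syn=True, ack=True),  # 2. SYN-ACK
        c2s(ack=True),            # 3. ACK: connection established
        c2s(ack=True),            # request data
        s2c(ack=True),            # response data
    ]
    return [tracker.classify(p) for p in packets]


def stray_ack_demo():
    """A bare ACK to port 443 with no handshake: passes a stateless port check, fails tracking."""
    p = TcpPacket("198.51.100.9", 40002, "192.0.2.10", 443, ack=True)
    return stateless_allows(p, {80, 443}), ConnTracker().classify(p)


if __name__ == "__main__":
    print(handshake_demo())
    print(stray_ack_demo())
```

The stray-ACK case is the practical difference between the two firewall types: a stateless rule that opens port 443 admits any packet addressed to it, while the tracker rejects a packet that belongs to no connection it has seen open.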

3. Firewall Rules

Network traffic traversing a firewall is matched against rules to determine if it can be allowed through or not. Here’s an example of a server with a list of firewall rules applying to incoming traffic:

  1. “Accept new and established incoming traffic to the public network interface on port 80 and 443” (HTTP and HTTPS web traffic).
  2. “Drop incoming traffic from IP addresses of the non-technical employees in your office to port 22” (SSH).
  3. “Accept new and established incoming traffic from your office IP range to the private network interface on port 22” (SSH).

The actions specified in firewall rules include:

  • Accept: Allow the traffic through.
  • Reject: Block the traffic but reply with an “unreachable” error.
  • Drop: Block the traffic and send no reply.

Network traffic is matched against a list of firewall rules in a sequence or chain from beginning to end. Once a rule is matched, the associated action applies to the network traffic and no later rule is consulted. For instance, if an employee from the Marketing department tries to establish an SSH connection to the server, their traffic would be dropped by rule number 2 before rule 3 is checked. However, a system administrator would be accepted because they would match rule 3.

Creating Effective Firewall Rules

Creating effective firewall rules requires a thorough understanding of your network and the types of traffic that need to be allowed or blocked. Here are some best practices for writing firewall rules:

  • Define Clear Policies: Establish clear policies for what types of traffic are allowed and what types are blocked. This will help you create rules that align with your security objectives.
  • Use Specific Rules: Be as specific as possible when defining firewall rules. For example, instead of allowing all traffic to a particular port, specify the source IP addresses or network ranges that are allowed to connect.
  • Prioritise Critical Rules: Place the most critical rules at the top of the firewall rule set to ensure they are applied first. This can help prevent unauthorized access and improve the overall security of your network.
  • Regularly Review and Update Rules: Regularly review and update your firewall rules to ensure they remain effective. Remove any outdated or unnecessary rules to minimize the risk of security vulnerabilities.

Firewall’s Default Policy

A chain of firewall rules may not cover all possible conditions, so firewall chains must have a default policy specified, which consists only of an action:

  • Accept
  • Reject
  • Drop

For example, if the default policy in the above chain was set to “drop,” any computer outside of your office attempting to establish an SSH connection to the server would be dropped because the traffic does not match the conditions of any rules.

Conversely, if the default policy is set to “accept,” anyone, except your own non-technical employees, would be able to establish a connection to any open service on your server. This would be an example of a poorly configured firewall because it only keeps a subset of your employees out.

4. Incoming and Outgoing Traffic

Network traffic on the server side can be either:

  • Incoming
  • Outgoing

Firewalls maintain distinct sets of rules for both. Servers generally allow most outgoing traffic because a server is usually considered trustworthy to itself. Incoming traffic, however, is treated differently because it originates from external sources.

An outgoing rule set can be used to prevent unwanted communications if a server is compromised by an attacker or a malicious executable. To maximise the security benefits of a firewall, you should identify all the ways other systems need to interact with your server, create rules that explicitly allow them, and then drop all other traffic.

Note: The appropriate outgoing rules must be in place so that a server will allow itself to send outgoing acknowledgements to any appropriate incoming connections.

Writing Outgoing Rules

Suppose we have set the firewall to drop outgoing traffic by default. This means our incoming accept rules would be useless without complementary outgoing rules. To complement these incoming firewall rules (refer to the Firewall Rules section) and allow proper communication on those addresses and ports, we could use the following outgoing firewall rules:

  1. Accept established outgoing traffic to the public network interface on port 80 (HTTP) and 443 (HTTPS).
  2. Accept established outgoing traffic to the private network interface on port 22 (SSH).

Note: For the incoming rule that is dropped, we don’t need to explicitly write an outgoing rule. The server doesn’t need to establish or acknowledge that connection.
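The first-match chain, the default policy from the Firewall Rules section, and the outgoing rules just described fit together in a short rule evaluator. The Python below is an added example, not the article's own code: it encodes the three incoming rules and the two outgoing rules as data, evaluates packets against an input chain and an output chain each with its own default policy, and runs the scenarios the text describes (the Marketing employee, the system administrator, an outside host, and a web reply leaving the server). Interface names (eth0 public, eth1 private), the office range, the "non-technical employee" addresses and the server addresses are constructed sample values, and `state` is the label a stateful firewall would already have attached to the packet.

```python
"""First-match rule chains with a default policy and separate input/output chains.

Added example, not the article's own code. Interface names, addresses and
ranges are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet arrives on or leaves from
    src: str
    dst: str
    sport: int
    dport: int
    state: str       # "new" or "established", as labelled by connection tracking


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept", "reject" or "drop"
    comment: str
    iface: str = ""                    # "" = any interface
    sports: frozenset = frozenset()    # empty = any source port (used by outgoing rules)
    dports: frozenset = frozenset()    # empty = any destination port (used by incoming rules)
    src_nets: tuple = ()               # empty = any source address
    states: frozenset = frozenset()    # empty = any connection state

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface:
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.src_nets and not any(ipaddress.ip_address(p.src) in n for n in self.src_nets):
            return False
        return True


@dataclass
class Chain:
    rules: list
    policy: str  # action applied when no rule matches

    def evaluate(self, p: Packet):
        # Rules are consulted in order; the first match decides and later rules are never reached.
        for r in self.rules:
            if r.matches(p):
                return r.action, r.comment
        return self.policy, "default policy"


PUBLIC, PRIVATE = "eth0", "eth1"                                    # constructed interface names
OFFICE = (ipaddress.ip_network("203.0.113.0/24"),)                  # constructed office range
NON_TECH = tuple(ipaddress.ip_network(a) for a in ("203.0.113.50/32", "203.0.113.51/32"))
SERVER_PUBLIC, SERVER_PRIVATE = "192.0.2.10", "10.0.0.5"            # constructed server addresses
NEW_EST = frozenset({"new", "established"})


def input_chain(policy: str) -> Chain:
    """The three incoming rules from the Firewall Rules section, in order."""
    return Chain([
        Rule("accept", "rule 1: web", iface=PUBLIC, dports=frozenset({80, 443}), states=NEW_EST),
        Rule("drop", "rule 2: non-technical staff", dports=frozenset({22}), src_nets=NON_TECH),
        Rule("accept", "rule 3: office SSH", iface=PRIVATE, dports=frozenset({22}), src_nets=OFFICE, states=NEW_EST),
    ], policy)


def output_chain(policy: str, with_rules: bool = True) -> Chain:
    """The two outgoing rules above; established replies leave from the service port."""
    rules = [
        Rule("accept", "out 1: web replies", iface=PUBLIC, sports=frozenset({80, 443}), states=frozenset({"established"})),
        Rule("accept", "out 2: SSH replies", iface=PRIVATE, sports=frozenset({22}), states=frozenset({"established"})),
    ]
    return Chain(rules if with_rules else [], policy)


def run_scenarios(default_in: str = "drop") -> dict:
    """Action taken for each incoming scenario under the given default policy."""
    inp = input_chain(default_in)
    return {
        # Rule 2 matches first, even though rule 3 would otherwise accept this office address.
        "marketing_ssh": inp.evaluate(Packet("in", PRIVATE, "203.0.113.50", SERVER_PRIVATE, 51000, 22, "new"))[0],
        "sysadmin_ssh": inp.evaluate(Packet("in", PRIVATE, "203.0.113.20", SERVER_PRIVATE, 51001, 22, "new"))[0],
        "web_visitor": inp.evaluate(Packet("in", PUBLIC, "198.51.100.7", SERVER_PUBLIC, 40001, 443, "new"))[0],
        # No rule covers an outside host on port 22, so the default policy decides.
        "outsider_ssh": inp.evaluate(Packet("in", PUBLIC, "198.51.100.7", SERVER_PUBLIC, 40002, 22, "new"))[0],
    }


def web_reply(with_output_rules: bool) -> str:
    """The server's reply to an accepted HTTPS request, with the output chain defaulting to drop."""
    reply = Packet("out", PUBLIC, SERVER_PUBLIC, "198.51.100.7", 443, 40001, "established")
    return output_chain("drop", with_output_rules).evaluate(reply)[0]


if __name__ == "__main__":
    print(run_scenarios("drop"), run_scenarios("accept")["outsider_ssh"])
    print(web_reply(True), web_reply(False))
```

Running it with the default policy set to accept shows the misconfiguration described earlier: the outside host's SSH attempt is accepted because nothing in the chain matched it. Switching off the output rules shows the point of the note above: with an output chain that drops by default, the server's own reply to an accepted HTTPS request never leaves, so the incoming accept rule achieves nothing on its own.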

Practical Examples of Incoming and Outgoing Rules

Example 1: Web Server

For a web server that hosts a website, you would need to allow incoming traffic on ports 80 (HTTP) and 443 (HTTPS). Here are the rules you might set:

  • Incoming Rules:
    • Accept incoming traffic on port 80 (HTTP)
    • Accept incoming traffic on port 443 (HTTPS)
  • Outgoing Rules:
    • Accept outgoing traffic on port 80 (HTTP)
    • Accept outgoing traffic on port 443 (HTTPS)

Example 2: Email Server

For an email server, you would need to allow incoming traffic on ports 25 (SMTP), 110 (POP3), and 143 (IMAP). Here are the rules you might set:

  • Incoming Rules:
    • Accept incoming traffic on port 25 (SMTP)
    • Accept incoming traffic on port 110 (POP3)
    • Accept incoming traffic on port 143 (IMAP)
  • Outgoing Rules:
    • Accept outgoing traffic on port 25 (SMTP)
    • Accept outgoing traffic on port 110 (POP3)
    • Accept outgoing traffic on port 143 (IMAP)

5. Firewall Software and Tools

Now that we understand what a firewall is, its types, how it works, and its rules, let’s explore common software packages that can help you set up a firewall.

While there are many firewall-related packages, these are some of the most effective and commonly used:

Nftables

Nftables is a subsystem of the Linux kernel that provides filtering and classification of network packets/datagrams/frames. It replaces the legacy iptables portions of Netfilter.

UFW (Uncomplicated Firewall)

UFW is an interface to iptables geared towards simplifying the process of configuring a firewall. It’s user-friendly and designed for ease of use.

FirewallD

FirewallD is a complete firewall solution available by default on CentOS 7 servers. It uses iptables to configure netfilter.

Fail2ban

Fail2ban is intrusion prevention software that can automatically configure your firewall to block brute force login attempts and DDoS attacks.

If you want to dive deeper into Fail2ban, check out this guide: How Fail2ban Works to Protect Services on a Linux Server

Advanced Firewall Tools

In addition to the above tools, there are several advanced firewall tools and frameworks that offer enhanced security features and functionality. These include:

pfSense

pfSense is an open-source firewall/router software distribution based on FreeBSD. It provides enterprise-level features and is highly customizable. It is commonly used in network security applications due to its robustness and flexibility.

Cisco ASA

Cisco Adaptive Security Appliance (ASA) is a sophisticated firewall solution that combines firewall, VPN, and intrusion prevention capabilities. It is widely used in enterprise environments to protect network infrastructures.

Check Point Firewall

Check Point offers a range of firewall solutions known for their advanced threat prevention and security management features. These firewalls are used in large enterprises to safeguard critical data and applications.

Conclusion

We hope this article helps you understand what a firewall is, how it works, and what rules you should implement to improve your server’s security. Firewalls are a fundamental component of network security, and configuring them correctly is essential for protecting your systems from malicious attacks.

If you need assistance with setting up or managing your firewall, our super-friendly support team is available 24/7 to help. Feel free to contact us using our ticket platform or via our live chat.

By implementing the knowledge from this guide, you can significantly enhance the security of your network and protect your servers from potential threats. Stay informed, stay secure!
