Firewalls act like the security guards of a network, analyzing all attempts to connect to systems on a network and determining whether the request should be allowed or denied according to the organization’s security policy. Learn the basic functioning of a firewall, including the implicit deny principle.
- [Narrator] If routers and switches are the connectivity building blocks of a network, firewalls are the security workhorses. Firewalls act like the security guards of a network, analyzing all attempts to connect to systems on the network, and determining whether those requests should be allowed or denied, according to the organization's security policy. Firewalls often sit at the network perimeter, in between an organization's routers and the Internet. From this network location, they can easily see all inbound and outbound connections.
Traffic on the internal network may flow between trusted systems unimpeded, but anything crossing the perimeter to or from the Internet must be evaluated by the firewall. Firewalls often connect three networks together: the Internet, an internal network, and a special-purpose network known as the Demilitarized Zone, or DMZ. The DMZ contains systems that must accept direct connections from the outside world, such as public web servers. The DMZ isolates those systems because they are at higher risk of compromise.
If an attacker manages to compromise a system located in the DMZ, he or she still does not have direct access to other systems located on the internal network. Firewalls use a technique known as stateful inspection that allows them to keep track of established connections. For example, when a user on the internal network requests a webpage from a server, the firewall notes that request and then allows the web server to respond, and the two systems to communicate back and forth for the duration of the connection, without reevaluating the request each time a new packet appears at the firewall.
When the firewall encounters a new connection request, it evaluates it against a set of rules created by system administrators. These rules describe network connections that the firewall should act upon, using several important characteristics. The first of these is the address of the source systems affected by the rule, as well as the destination IP addresses for systems affected by the rule. It also includes the destination port and protocol, and tells the firewall the action that it should take when encountering traffic matching these characteristics.
This is normally either allow or deny, telling the firewall to permit or block traffic that matches the description in the rule. For example, imagine that we have a web server located in our DMZ with the IP address 10.15.100.1. If we want users on the Internet to access that system, we must write a firewall rule that permits access from the Internet into the DMZ. This is a rule that permits access, so we set the action to allow. In this case, the connection request would be coming from an unknown Internet system to the web server.
Since we do want anyone to have access to the website, we set the source address on this rule to any. We do want to limit this access to the web server only, so we set the destination IP address to 10.15.100.1, the IP address of our web server. We also want to limit access to resources on the system to the HTTP protocol, which uses port 80. So we set the destination port as 80 and protocol as TCP. And that's how you create a firewall rule.
Firewall configurations simply consist of writing many different rules like this one and adding them to the configuration as new systems require access. One of the core principles of a firewall is that any traffic that isn't explicitly permitted by a rule should be automatically denied. This principle is known as the default deny, or implicit deny rule. This is a very important concept that is often tested on the Security Plus exam. Web application firewalls are a specialized type of firewall that is application aware.
They understand how the HTTP protocol works, and peer deep into those application connections, looking for signs of SQL injection, cross-site scripting, and other web application attacks. Firewalls of all types play a very important role in building strong, secure networks.
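The rule evaluation the narrator walks through (source, destination, protocol, port, action; first matching rule decides; stateful pass-through for established connections; implicit deny for everything else) can be modelled in a few dozen lines. The following is an added illustration, not code from the course or from any real firewall product. It keeps the transcript's DMZ web server at 10.15.100.1 and its "any -> 10.15.100.1 TCP/80 allow" rule; the other addresses, the extra deny rule placed ahead of it, and the packet samples are constructed for the example.

```python
"""Toy stateful packet filter: ordered first-match rules plus implicit deny.

Added illustration, not the course's own code. 10.15.100.1 is the DMZ web
server from the transcript; every other address and rule is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


def _addr_matches(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise the IP must fall inside spec (host or CIDR)."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src: str               # source host, CIDR, or "any"
    dst: str               # destination host, CIDR, or "any"
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port, None = any port
    action: str            # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            _addr_matches(self.src, pkt.src_ip)
            and _addr_matches(self.dst, pkt.dst_ip)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


@dataclass
class Firewall:
    rules: list                                   # ordered: first match wins
    established: set = field(default_factory=set)  # 5-tuples already allowed

    def evaluate(self, pkt: Packet) -> tuple:
        """Return (action, reason) for a single packet."""
        fwd = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport, pkt.proto)
        rev = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport, pkt.proto)

        # Stateful inspection: packets on a connection that was already
        # approved, in either direction, pass without re-reading the rules.
        if fwd in self.established or rev in self.established:
            return ("allow", "established connection")

        # New connection request: walk the rule base in order.
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.established.add(fwd)  # remember it for return traffic
                return (rule.action, f"rule {i}")

        # No rule matched: default (implicit) deny.
        return ("deny", "implicit deny")


# Constructed rule base. Rule 1 is the transcript's example rule; rule 0 is a
# hypothetical block of one address range, placed first to show ordering.
RULES = [
    Rule("198.51.100.0/24", "10.15.100.1", "tcp", 80, "deny"),
    Rule("any", "10.15.100.1", "tcp", 80, "allow"),
]


def demo() -> dict:
    """Run constructed packets through the rule base and collect the verdicts."""
    fw = Firewall(list(RULES))
    return {
        # Internet client opens a web connection: matches rule 1
        "web_request": fw.evaluate(Packet("203.0.113.7", 51000, "10.15.100.1", 80, "tcp")),
        # Server's reply on that connection: allowed by state, not by a rule
        "web_reply": fw.evaluate(Packet("10.15.100.1", 80, "203.0.113.7", 51000, "tcp")),
        # Same server, port 22: nothing permits it, implicit deny
        "ssh_attempt": fw.evaluate(Packet("203.0.113.7", 51001, "10.15.100.1", 22, "tcp")),
        # Another DMZ host on port 80: nothing permits it, implicit deny
        "other_host": fw.evaluate(Packet("203.0.113.7", 51002, "10.15.100.2", 80, "tcp")),
        # Blocked range reaches the explicit deny before the allow
        "blocked_range": fw.evaluate(Packet("198.51.100.9", 51003, "10.15.100.1", 80, "tcp")),
        # Reply-shaped packet with no prior request is not "established"
        "unsolicited_reply": fw.evaluate(Packet("10.15.100.1", 80, "203.0.113.8", 51004, "tcp")),
    }


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:18s} -> {action:5s} ({reason})")
```

Two details worth noticing: the connection table is only populated when a rule explicitly allows a new connection, so a packet that merely looks like a reply is still judged against the rules (and falls to implicit deny), and because the rule base is walked in order, an explicit deny only takes effect if it sits above the broader allow it is meant to carve out of.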
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security