Every computer connected to the Internet (and more generally to any computer network) is liable to be attacked by a hacker. The methodology hackers generally use is to scan the network (by sending data packets more or less at random) in search of a connected machine, then to look for a security hole on that machine in order to exploit it and gain access to the data it holds.
This threat is even greater when the machine is permanently connected to the Internet, for several reasons:
- The target machine may be connected without being supervised;
- The target machine usually has a broader bandwidth;
- The target machine's IP address changes rarely, if ever.
Thus both corporate networks and home users with a cable or ADSL connection need to protect themselves from network intrusions by installing a protective device.
What is a firewall?
A firewall is a system that protects a computer or a computer network from intrusions coming from a third-party network (in particular the Internet). The firewall filters the data packets exchanged with the network; it is therefore a filtering gateway with at least the following network interfaces:
- an interface for the system to be protected (internal network);
- an interface to the external network.
A firewall system is a software system, sometimes running on dedicated network hardware, that acts as an intermediary between the local network (or local machine) and one or more external networks. A firewall can be set up on any machine running any operating system, provided that:
- The machine is powerful enough to handle the traffic;
- The system is secure;
- No service other than the packet filtering service is running on the machine.
When the firewall system is supplied as a turnkey "black box", it is called an "appliance".
Operation of a firewall system
A firewall system contains a set of predefined rules that make it possible to:
- authorize the connection (allow);
- block the connection (deny);
- reject the connection request without notifying the sender (drop).
Together, these rules implement a filtering method that depends on the security policy adopted by the organisation. There are usually two types of security policy:
- allow only the communications that have been explicitly permitted;
- or block only the exchanges that have been explicitly prohibited.
The first method is undoubtedly the safest, but it requires a precise and restrictive definition of the communication needs.
Simple packet filtering
A basic firewall system operates on the principle of simple packet filtering ("stateless packet filtering"). It analyses the headers of each packet (datagram) exchanged between an internal machine and an external machine.
Thus, the data packets exchanged between a machine outside the network and an internal machine pass through the firewall, which systematically analyses the following header fields:
- IP address of the sending machine;
- IP address of the receiving machine;
- packet type (TCP, UDP, etc.);
- port number (reminder: a port is a number associated with a network service or application).
The IP addresses contained in the packets identify the sending machine and the target machine, while the packet type and the port number indicate the type of service used.
The table below provides examples of firewall rules:
| Rule | Action | Source IP | Dest IP | Protocol | Source port | Dest port |
|------|--------|-----------|---------|----------|-------------|-----------|
The well-known ports (numbered from 0 to 1023) are associated with common services (for example, ports 25 and 110 are associated with e-mail and port 80 with the Web). Most firewall devices are configured to filter communications at least according to the port used. It is generally advisable to block all ports that are not essential (depending on the chosen security policy).
Port 23, for example, is often blocked by default on firewall devices because it corresponds to the Telnet protocol, which emulates a terminal on a remote machine so that commands can be executed remotely. The data exchanged via Telnet is not encrypted, which means that anyone able to listen on the network can capture passwords flowing in the clear. Administrators therefore generally prefer SSH, which is considered secure and provides the same functionality as Telnet.
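The rule table and the allow/deny/drop actions above, worked through as a small stateless filter with an "allow only what is explicitly permitted" policy. This is an added example, not code from the original article: the `Packet` and `Rule` types, the rule set and the addresses (private and documentation ranges) are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

class Packet(NamedTuple):
    src: str               # IP address of the sending machine
    dst: str               # IP address of the receiving machine
    proto: str             # packet type: "tcp", "udp", ...
    sport: Optional[int]   # source port (None for protocols without ports)
    dport: Optional[int]   # destination port

class Rule(NamedTuple):
    action: str            # "allow", "deny" or "drop"
    src: str               # single IP, CIDR network, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    sport: Union[int, str] # port number or "any"
    dport: Union[int, str]

def _ip_match(pattern: str, ip: str) -> bool:
    # A single address is treated as a /32 network by ip_network()
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _match(rule: Rule, pkt: Packet) -> bool:
    return (_ip_match(rule.src, pkt.src) and _ip_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.sport in ("any", pkt.sport)
            and rule.dport in ("any", pkt.dport))

def filter_packet(rules, pkt: Packet, default: str = "drop") -> str:
    """Stateless filter: the first rule whose fields match the packet headers decides;
    the default policy applies when no rule matches."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.action
    return default

# Constructed rule set (hypothetical network, not from the article).
RULES = [
    Rule("allow", "192.168.10.0/24", "any", "tcp", "any", 80),          # internal hosts may reach the Web
    Rule("allow", "192.168.10.20", "198.51.100.25", "tcp", "any", 25),  # one host may send mail to one server
    Rule("deny",  "any", "any", "tcp", "any", 23),                      # Telnet refused, sender notified
]   # anything else falls through to the "drop" default

if __name__ == "__main__":
    print(filter_packet(RULES, Packet("192.168.10.7", "203.0.113.5", "tcp", 51000, 80)))   # allow
    # The web server's reply (source port 80, random destination port) matches no rule:
    print(filter_packet(RULES, Packet("203.0.113.5", "192.168.10.7", "tcp", 80, 51000)))   # drop
```

The dropped reply in the last line is exactly the limitation that the dynamic (stateful) filtering discussed next is designed to overcome.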
Dynamic filtering
Simple packet filtering examines IP packets independently of one another, which corresponds to layer 3 of the OSI model. Most connections, however, rely on TCP, which manages the notion of a session to ensure that the exchange proceeds correctly. Moreover, many services (FTP, for example) initiate a connection on a fixed port but then open a dynamically (that is, randomly) chosen port to establish the session between the server machine and the client.
It is therefore not possible, with simple packet filtering, to predict which ports should be allowed or denied. To remedy this, stateful packet inspection works at layers 3 and 4 of the OSI model, which allows it to keep track of the transactions between client and server. It is known in English as "stateful inspection" or "stateful packet filtering".
A firewall system using stateful inspection is able to monitor the exchange, that is, to take the state of earlier packets into account when applying the filtering rules. In this way, once an authorised machine initiates a connection to a machine on the other side of the firewall, all the packets belonging to that connection are implicitly accepted by the firewall.
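The connection tracking just described, as an added example that is not part of the original article: a minimal stateful filter that remembers TCP connections opened from the internal network and implicitly accepts the packets of those connections in both directions, while unsolicited inbound packets still match nothing. The `INTERNAL` network, the `StatefulFirewall` class and the addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: set on the packet that opens a connection
    ack: bool = False   # TCP ACK flag: set on every packet after the initial SYN

INTERNAL = ipaddress.ip_network("192.168.10.0/24")   # constructed internal network

class StatefulFirewall:
    """Layer 3/4 filter that remembers connections initiated from the internal network."""

    def __init__(self):
        self.connections = set()   # known connections keyed by (src, sport, dst, dport, proto)

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p: Packet) -> str:
        # Packets of a known connection, in either direction, are implicitly accepted
        if self._key(p) in self.connections or self._reverse(p) in self.connections:
            return "allow"
        # A new connection is accepted only if an internal host opens it with a bare SYN
        if (p.proto == "tcp" and p.syn and not p.ack
                and ipaddress.ip_address(p.src) in INTERNAL):
            self.connections.add(self._key(p))
            return "allow"
        # Unsolicited inbound SYNs and stray ACKs match no known connection: dropped
        return "drop"

    def close(self, p: Packet) -> None:
        """Forget a connection once it is torn down (a real firewall does this on FIN/RST)."""
        self.connections.discard(self._key(p))
        self.connections.discard(self._reverse(p))
```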
Although dynamic filtering is more effective than basic packet filtering, it provides no protection against application exploits, that is, vulnerabilities in the applications themselves. Yet these vulnerabilities represent the largest share of security risk.
Application filtering
Application filtering makes it possible, as its name implies, to filter communications application by application. It therefore operates at layer 7 (the application layer) of the OSI model, as opposed to simple packet filtering (layer 4). Application filtering requires knowledge of the protocols used by each application and, more generally, a good knowledge of the applications present on the network, including how each one structures the data it exchanges (ports, etc.).
A firewall performing application-level inspection is commonly called an "application gateway" (or "proxy") because it acts as a relay between the two networks, stepping into the exchange and performing a fine-grained validation of the contents of the packets. The proxy is the intermediary between the machines of the internal network and the external network, and it absorbs attacks on their behalf. In addition, application inspection allows the headers preceding the application message to be discarded, which provides an additional level of security.
This is a highly effective device, ensuring good protection of the network provided it is properly administered. On the other hand, a detailed analysis of application data requires significant computing power and therefore often slows communications, since every packet must be analysed in detail.
In addition, to be effective the proxy must be able to interpret a wide range of protocols and know their related weaknesses.
Finally, such a system can itself contain a vulnerability, precisely because it interprets the requests that pass through it. It is therefore recommended to keep the firewall (stateful or not) separate from the proxy in order to reduce the risk of compromise.
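An added example (not code from the original article) of what "fine-grained validation of contents" and "discarding the headers preceding the application message" mean in practice, using HTTP as the application protocol: the gateway parses the request, enforces a policy on method, host and message length, and then re-emits a clean request built only from validated fields. `ALLOWED_METHODS`, `ALLOWED_HOSTS` and the `intranet.example` host are constructed assumptions; the gateway handles HTTP/1.x origin-form requests only.

```python
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"intranet.example"}   # constructed: the only server the gateway relays to
REQUEST_LINE = re.compile(r"^([A-Z]+) (/\S*) HTTP/1\.[01]$")

class RequestRejected(Exception):
    """Raised when the request fails application-level validation."""

def inspect_http_request(raw: bytes) -> bytes:
    """Parse an HTTP/1.x request, validate it against the policy and rebuild a clean copy
    to forward; nothing from the original bytes is relayed verbatim."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise RequestRejected("non-ASCII bytes in request head")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise RequestRejected("malformed request line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        raise RequestRejected(f"method {method} not permitted")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise RequestRejected("malformed header line")
        key = name.strip().lower()
        if key in headers:   # duplicate headers are a classic source of parser disagreement
            raise RequestRejected(f"duplicate header {key}")
        headers[key] = value.strip()
    if headers.get("host") not in ALLOWED_HOSTS:
        raise RequestRejected("host not permitted")
    if "transfer-encoding" in headers:   # this gateway only relays requests of known length
        raise RequestRejected("transfer-encoding not supported")
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) != len(body):
        raise RequestRejected("content-length does not match body")
    out = [f"{method} {target} HTTP/1.1", f"Host: {headers['host']}"]
    if body:
        out.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body

def is_rejected(raw: bytes) -> bool:
    """True if the gateway refuses to relay the request."""
    try:
        inspect_http_request(raw)
        return False
    except RequestRejected:
        return True
```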
The personal firewall
When the protected area is limited to the computer on which the firewall is installed, it is called a personal firewall.
A personal firewall thus controls the network access of the applications on the machine and, in particular, helps prevent Trojan-type attacks, that is, malicious programs that open a breach in the system to let a hacker take remote control of the machine. A personal firewall makes it possible to identify and block unsolicited connection attempts by unauthorised applications.
The limitations of firewalls
A firewall system does not, of course, provide absolute security, far from it. Firewalls only offer protection to the extent that all communications with the outside pass systematically through them and they are configured correctly. Thus, any outside access that bypasses the firewall is a security vulnerability. This is especially true of connections made from the internal network using a modem or any other means of connection outside the control of the firewall.
Similarly, introducing storage media from outside onto machines of the internal network, or connecting laptops to it, can be highly detrimental to the overall security policy.
Finally, to ensure maximum protection, the firewall must be administered, in particular by monitoring the activity log so that intrusion attempts and anomalies can be detected. Furthermore, it is recommended to keep a security watch (by subscribing to CERT security alerts, for example) so that the device's configuration can be updated as alerts are published.
The deployment of a firewall must be part of a genuine security policy.
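The log monitoring recommended above, as an added example that is not part of the original article: a parser for drop-log lines in a simple key=value style and a detector for the scanning behaviour described at the start of the article (one source hitting many distinct ports in a short time). The log format, the `SAMPLE_LOG` lines and the addresses are constructed for illustration; the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Constructed sample drop log (epoch seconds, action, then header fields); not real traffic.
SAMPLE_LOG = """\
1700000000 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP SPT=40001 DPT=21
1700000001 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP SPT=40002 DPT=22
1700000001 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP SPT=40003 DPT=23
1700000002 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP SPT=40004 DPT=25
1700000003 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP SPT=40005 DPT=80
1700000004 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP SPT=40006 DPT=110
1700000050 DROP SRC=198.51.100.7 DST=192.168.10.5 PROTO=TCP SPT=51234 DPT=23
1700000900 DROP SRC=198.51.100.7 DST=192.168.10.5 PROTO=TCP SPT=51235 DPT=23
this line is not in the expected format and is skipped
"""

LINE = re.compile(r"^(\d+) (\w+) SRC=(\S+) DST=(\S+) PROTO=(\w+) SPT=(\d+) DPT=(\d+)$")

def parse_log(text: str):
    """Return (timestamp, action, src, dst, proto, sport, dport) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, action, src, dst, proto, spt, dpt = m.groups()
            events.append((int(ts), action, src, dst, proto, int(spt), int(dpt)))
    return events

def detect_port_scans(events, window: int = 60, min_ports: int = 5):
    """Map each source whose dropped packets touched at least `min_ports` distinct
    destination ports within any `window`-second span to that port count."""
    by_src = defaultdict(list)
    for ts, action, src, _dst, _proto, _spt, dpt in events:
        if action == "DROP":
            by_src[src].append((ts, dpt))
    suspects = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):   # sliding window starting at each hit
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            suspects[src] = best
    return suspects
```

In the sample, the first source is flagged for probing six ports in five seconds, while the second (two Telnet attempts fifteen minutes apart) is not.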