The key point I have taken from this chapter is the SPI firewall, which stands for Stateful Packet Inspection.
A full-state (stateful) packet inspection firewall records, for each connection, the socket pair information: source address, destination address, source port, and destination port, together with the protocol type, the TCP connection state, the timeout, and so on, and checks these to determine whether to filter the packet. In addition to doing the packet filtering work of a simple packet filtering firewall, it also maintains a table in its own memory that tracks the connection state, which gives it greater security than a simple packet filtering firewall.
The most advanced Stateful Packet Inspection (SPI) firewall provides the highest level of security. By default, it rejects all requests from the external network. It dynamically maintains all communications (connections) that the internal network makes through the firewall. Only a connection that responds to an internal network request and conforms to the established entries in the state database can enter the intranet through the firewall. This solution allows network users to access Internet resources and prevents hackers on the Internet from accessing internal network resources.
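As an added example (not part of the original post), here is a small simulation of the behaviour described above: a connection table keyed on the socket pair, default deny for packets arriving from outside, an ACL of exceptions for inbound connection-open attempts, and an idle timeout that expires table entries. The internal address block, the published web server, the timeout value and the packet sequence are all constructed assumptions.

```python
"""Added example: minimal stateful packet inspection (SPI) filter.

Assumptions (hypothetical): internal network 10.0.0.0/8, default deny for
inbound traffic, one ACL exception publishing 10.0.0.80:443, and a 300 s
idle timeout on connection-table entries.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption
IDLE_TIMEOUT = 300                               # seconds, assumption

# Exceptions to the default (deny) behaviour for external connection opens.
INBOUND_ACL = {("10.0.0.80", 443, "tcp")}        # assumed public web server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    def __init__(self) -> None:
        # connection table: canonical socket pair -> last-seen time
        self.table: dict[tuple, float] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Order the two sockets so both directions map to the same entry.
        a = (p.src_ip, p.src_port)
        b = (p.dst_ip, p.dst_port)
        return (p.proto,) + (a + b if a < b else b + a)

    def _expire(self, now: float) -> None:
        dead = [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT]
        for k in dead:
            del self.table[k]

    def filter(self, p: Packet, now: float) -> str:
        """Return 'pass' or 'drop' for a single packet."""
        self._expire(now)
        key = self._key(p)
        # Fast path: the packet belongs to a connection already in the table.
        if key in self.table:
            if p.fin or p.rst:
                del self.table[key]          # connection ends, state removed
            else:
                self.table[key] = now        # refresh the idle timer
            return "pass"
        # Only a connection-open (SYN without ACK) may create new state.
        if p.proto != "tcp" or not p.syn or p.ack:
            return "drop"
        if ipaddress.ip_address(p.src_ip) in INTERNAL:
            self.table[key] = now            # internal hosts may open outbound
            return "pass"
        # External open attempt: allowed only through an ACL exception.
        if (p.dst_ip, p.dst_port, p.proto) in INBOUND_ACL:
            self.table[key] = now
            return "pass"
        return "drop"


def demo() -> list[str]:
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFirewall()
    seq = [
        # 1. internal client opens a connection to an external web server
        (Packet("10.0.0.5", 40001, "93.184.216.34", 443, syn=True), 0),
        # 2. the server's SYN/ACK reply matches the table entry
        (Packet("93.184.216.34", 443, "10.0.0.5", 40001, syn=True, ack=True), 1),
        # 3. unsolicited external SYN to an internal client: no ACL entry, dropped
        (Packet("198.51.100.9", 5555, "10.0.0.5", 22, syn=True), 2),
        # 4. external SYN to the published web server: ACL exception, passed
        (Packet("198.51.100.9", 5556, "10.0.0.80", 443, syn=True), 3),
        # 5. bare ACK probe with no matching connection: dropped
        (Packet("198.51.100.9", 5557, "10.0.0.7", 80, ack=True), 4),
        # 6. data on connection 1 long after the idle timeout: state expired, dropped
        (Packet("93.184.216.34", 443, "10.0.0.5", 40001, ack=True), 1000),
    ]
    return [fw.filter(p, t) for p, t in seq]


if __name__ == "__main__":
    print(demo())
```

The expensive decisions (ACL lookup, creating state) happen only on connection opens; every later packet of an accepted connection is a single table lookup, which is the "simple table lookup" speed advantage discussed later in the thread. Note that packet 6 is dropped purely because its entry timed out, so a timeout that is too short breaks long-idle sessions, while one that is too long lets the table fill up under a SYN flood.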
Hi Zibai, this is very interesting. Stateful Packet Inspection (SPI) provides the highest level of security because it rejects all requests from the external network by default. This could help minimize all potential vulnerabilities.
Hi Zibai, I agree with your point. There are different types of firewalls, including border firewalls, internal firewalls, and stateful packet inspection (SPI) filtering methods. SPI focuses on connections, that is, persistent sessions between different programs on different computers. The access control list (ACL) that applies to connection-opening attempts is composed of a series of rules, which are exceptions to the default behavior. These rules are, as everyone knows, written in if-then format and reference port numbers (the specified applications running on the server), ports, and server access; by default, all connections are not allowed.
Most firms have multiple firewalls in addition to the main border firewall, and build a complete firewall architecture to defend against attack. Screening border routers are placed between the border firewall and the Internet; their purpose is to reduce the load on the main border firewall by packet filtering and to stop simple high-volume attacks. Internal firewalls control traffic flowing between different parts of the firm's internal network and are usually distributed across separate parts of the network according to different trust relationships. Besides, individual hosts, both clients and servers, may have firewalls. Using border, internal, and host firewalls helps create defense in depth. If the main firewall or an internal firewall has an ACL configuration error, individual hosts will still be protected. A DMZ is a physical or logical subnetwork that contains all of the servers and application proxy firewalls that must be accessible to the outside world; the DMZ functions as a small, isolated network positioned between the Internet and the private network to guard against attack.
Hi Xinyi, I totally agree with your points. I just want to add something to your view. There are a lot of advantages to SPI firewalls. Firstly, they are faster and lower cost. Secondly, SPI firewalls are safer. Thirdly, SPI firewalls are extremely popular in the current market.
Hi Xinyi,
I agree with your opinion. The internal firewall manages DMZ access to the internal network. The internal firewall is the third line of defense for the internal network. When the external firewall fails, the DMZ can also protect the internal network.
One of the key points I learned from this chapter is that there are many types of firewalls, which can be divided into several categories according to their operation methods and structure. The six types of firewalls are stateful packet inspection filtering, static packet filtering, firewall filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. Another key point I learned from this chapter is firewall management. Although organizations can use firewalls to protect against and detect network attacks, it is important to define firewall policies and control firewall security, such as firewall hardening, testing firewall configuration, firewall change management, and limiting authorization.
I too learned there are many different types of firewalls. Before reading this chapter, I believed IDS and IPS were a different set of technologies, but at its core it's just a firewall. It is important to understand the differences between these types of firewalls because it will be beneficial when developing a solution for a business to implement.
I think firewall management was a huge takeaway from this chapter. We've mentioned before how much time is spent setting all the security protocols up; however, managing those protocols is the most important and also the longest process in the cycle. These firewalls are going to be tested constantly by attackers, so they need to be monitored close to 24/7. They are one of the biggest and best hurdles that hackers have to break, especially if they are strategically set between information layers. Everyone who is responsible needs to clearly understand the things they need to monitor and should constantly be assessing the info that the system collects.
The key point I took from this chapter is about the dangers of traffic overload. If the traffic becomes so high that the firewall is unable to examine all arriving packets, the firewall will drop all incoming packets. This ties directly with our past chapter and why DDoS attacks are so easily done and the system can be self-compromising. Recommendations from the book say that this can be mitigated by purchasing firewalls with larger processing power and larger capacity, but traffic will always grow, especially with targeted attacks; as in the accidental Minecraft attack we spoke about in class, thousands of zombie computers can cause a DDoS if the attacker is intentional enough. Firewalls must also be kept up to date; as new threats appear, the administrator must actively update their filtering rules. A good firewall is one that can keep up through traffic surges while also filtering harmful packets, and operate at wire speed, the maximum speed of the lines that can connect to it.
Hi Mei,
Good point. I'll add some firewall settings to maintain the system.
1. Record firewall rules and add comments to explain special rules.
2. Review firewall rules regularly and optimize firewall performance.
3. Organize firewall rules to maximize speed. Putting the most commonly used rules at the top and moving the less commonly used rules to the bottom can help speed up your firewall.
4. Perform a penetration test to check the health of the rules.
5. Perform regular automated security audits.
From this reading on Stateful Packet Inspection firewalls, we find them relevant in today's networks as they monitor the state of communications and of communication ports. This allows the firewall to open or close a communication port when communication is initiated or when it ends, respectively. These types of firewalls allow for filtering of packets to allow or deny connections to certain ports. The whole analysis and tracking of sessions from source to destination IP addresses and ports is what gives this type of firewall its name.
A firewall is a mechanism that examines each packet passing through it. The firewall has a pass/deny mechanism which determines whether it should let the packet go through to the target or not. If the packet is a provable attack packet, the firewall drops the packet. If the packet is not a provable attack packet, the firewall passes the packet on to its destination. Provable attack packets will be blocked and rejected from passing through the firewall, and vice versa. In another situation, if the packet is not a provable attack packet but it is a true attack packet, the firewall will still let it go through to the destination, which creates a vulnerability for hackers and malicious third parties to steal, attack, and sabotage the system or private information. During the whole process, the firewall records information about each dropped packet in a log file. This process is called logging. The firewall administrator should check this log file daily in order to understand what kinds of attack the company is facing most.
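As an added example (not from the original post), the daily log review described above can be partly automated. The script below parses constructed dropped-packet log lines, counts the top source addresses and targeted ports, and flags any source that hit several distinct ports, which is what a port scan looks like in a drop log. The log format, the field names and the scan threshold are assumptions made for this example, not the output of any particular firewall product.

```python
"""Added example: summarising a firewall drop log for the daily review.

The log format below is constructed for this example (hypothetical).
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict

# Constructed sample log: each DROP line is one dropped packet.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z DROP proto=tcp src=198.51.100.9:51001 dst=203.0.113.10:22 flags=S
2024-03-01T08:00:01Z DROP proto=tcp src=198.51.100.9:51002 dst=203.0.113.10:23 flags=S
2024-03-01T08:00:02Z DROP proto=tcp src=198.51.100.9:51003 dst=203.0.113.10:3389 flags=S
2024-03-01T08:00:02Z DROP proto=tcp src=198.51.100.9:51004 dst=203.0.113.10:445 flags=S
2024-03-01T08:00:02Z DROP proto=tcp src=198.51.100.9:51005 dst=203.0.113.10:8080 flags=S
2024-03-01T08:00:05Z DROP proto=udp src=192.0.2.44:53 dst=203.0.113.10:5353
2024-03-01T08:00:07Z DROP proto=tcp src=192.0.2.77:4444 dst=203.0.113.11:22 flags=S
2024-03-01T08:00:09Z DROP proto=icmp src=192.0.2.77 dst=203.0.113.10 type=8
this line is malformed and must be skipped
"""

# Ports are optional so ICMP lines (no ports) parse too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse(log: str) -> list[dict]:
    """Turn raw log text into a list of event dicts, skipping bad lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole review
        d = m.groupdict()
        d["dport"] = int(d["dport"]) if d["dport"] else None
        events.append(d)
    return events


def summarize(events: list[dict], scan_threshold: int = 5) -> dict:
    """Top talkers, top targeted ports, and sources that look like port scans."""
    by_src = Counter(e["src"] for e in events)
    by_port = Counter(e["dport"] for e in events if e["dport"] is not None)
    ports_per_src: dict[str, set[int]] = defaultdict(set)
    for e in events:
        if e["dport"] is not None:
            ports_per_src[e["src"]].add(e["dport"])
    # One source touching many different ports is the classic scan signature.
    scanners = sorted(s for s, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {
        "total_drops": len(events),
        "top_sources": by_src.most_common(3),
        "top_ports": by_port.most_common(3),
        "likely_scanners": scanners,
    }


def daily_review(log: str = SAMPLE_LOG) -> dict:
    return summarize(parse(log))


if __name__ == "__main__":
    for k, v in daily_review().items():
        print(f"{k}: {v}")
```

A drop log only shows what the firewall refused; it says nothing about the "true attack packet that was not provable" case in the post above, so the review should be paired with logs from the hosts behind the firewall, not treated as a complete picture of attack traffic.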
The firewall architectures section was very interesting. Most larger companies use a border router as the gateway into the network. These border routers are not firewalls; however, they do have some firewall functionality. Static packet filtering software is generally placed on border routers and enables the router to stop simple high-volume attacks, ensures that responses to external scanning probes cannot reach an external attacker, and greatly reduces the load on the main firewall. After the main firewall, there are various other firewalls that help segment the network. This could generally be done with VLANs, but in a high-trust system, it is safer to protect high-trust data with another firewall. An organization can take it a step further by adding an IDS device behind the main firewall and using application firewalls in front of the application/web servers, thus creating greater defense in depth.
Hi Anthony, this is the first I'm hearing about using a border router as a gateway. This can be especially helpful to reduce the number of requests flooding the firewall when a DDoS attack is triggered.
Your suggestions for creating defense-in-depth ways of protecting the network are good ideas; I wonder what the cost benefits may be for implementing so many other detective controls.
With the development of network technology and society, there are more and more network attacks, and information security has become a focus of global concern. To deal with different kinds of network attacks, there are different network security devices and technical methods, and the firewall is one of the important network security devices. When several different security policies are implemented on a firewall, policy conflicts not only affect the normal operation of the network but also threaten network security. For different network environments, the configuration of firewall policies is more and more complex, and conflicts between policies in multiple domains occur from time to time, which seriously affects the execution efficiency of security policies. Therefore, how to ensure the consistency of firewall policies between different security domains and within the same security domain is the key to the configuration of firewall security policies.
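As an added example (not from any of the posts), the following code ties together three points raised in this thread: the ACL as a list of if-then exceptions to a default deny, the advice to move the most frequently hit rules to the top for speed, and the policy-conflict problem just described. It evaluates an ACL first-match, reports rules that an earlier rule completely shadows (a conflict when the actions differ, a redundancy when they match), and reorders by hit count without ever moving a rule past an overlapping rule with the opposite action, since that is exactly how a "performance" reorder silently changes policy. Rule fields, the sample ACL and the sample traffic are constructed assumptions.

```python
"""Added example: first-match ACL, shadowed-rule detection, and a
semantics-preserving reorder by hit count. Everything here is hypothetical.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: str | None = None     # None = any protocol
    dst_port: int | None = None  # None = any port
    src: Net | None = None       # None = any source
    hits: int = 0

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port)
                and (self.src is None or ipaddress.ip_address(src_ip) in self.src))


def evaluate(acl: list[Rule], proto: str, src_ip: str, dst_port: int) -> str:
    """If-then rules, first match wins; nothing matched means default deny."""
    for r in acl:
        if r.matches(proto, src_ip, dst_port):
            r.hits += 1
            return r.action
    return "deny"


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a."""
    return ((a.proto is None or a.proto == b.proto)
            and (a.dst_port is None or a.dst_port == b.dst_port)
            and (a.src is None or (b.src is not None and b.src.subnet_of(a.src))))


def _overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return ((a.proto is None or b.proto is None or a.proto == b.proto)
            and (a.dst_port is None or b.dst_port is None or a.dst_port == b.dst_port)
            and (a.src is None or b.src is None or a.src.overlaps(b.src)))


def shadowed(acl: list[Rule]) -> list[tuple[str, str, str]]:
    """(earlier, later, kind): 'conflict' if actions differ (the later rule
    can never take effect), 'redundant' if they agree."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if _covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                out.append((earlier.name, later.name, kind))
                break
    return out


def reorder_by_hits(acl: list[Rule]) -> list[Rule]:
    """Bubble busy rules upward, but never past an overlapping rule with a
    different action, so first-match results are unchanged."""
    out: list[Rule] = []
    for r in acl:
        pos = len(out)
        while pos > 0 and out[pos - 1].hits < r.hits:
            blocker = out[pos - 1]
            if blocker.action != r.action and _overlaps(blocker, r):
                break
            pos -= 1
        out.insert(pos, r)
    return out


def demo() -> dict:
    partner = Net("203.0.113.0/24")   # assumed partner network
    acl = [
        Rule("deny-telnet", "deny", "tcp", 23),
        Rule("allow-https", "allow", "tcp", 443),
        Rule("deny-partner-ssh", "deny", "tcp", 22, partner),
        Rule("allow-partner", "allow", None, None, partner),
        Rule("allow-partner-ssh", "allow", "tcp", 22, partner),  # never reached
    ]
    traffic = ([("tcp", "198.51.100.1", 443)] * 20
               + [("tcp", "203.0.113.5", 22)] * 3
               + [("tcp", "203.0.113.5", 80)] * 5
               + [("tcp", "198.51.100.1", 23)])
    before = [evaluate(acl, *t) for t in traffic]
    new_acl = reorder_by_hits(acl)
    after = [evaluate(new_acl, *t) for t in traffic]
    return {
        "shadowed": shadowed(acl),
        "order": [r.name for r in new_acl],
        "same_verdicts": before == after,
    }
```

In the demo the busy allow-https rule is promoted to the top, but allow-partner stays below deny-telnet even though it is hit more often, because the two overlap on partner traffic to port 23 and swapping them would turn a deny into an allow. The shadow report is the automated version of the review step in the thread: a later rule that an earlier one fully covers with the opposite action is a policy conflict that the firewall will never enforce.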
There are many different types of firewalls. I would prefer an intrusion prevention firewall to an intrusion detection firewall. The prevention of an intrusion is much more valuable than just being able to identify when one is occurring. Putting up roadblocks for the attackers is going to provide more protection than simply sending an alert to an InfoSec team member. There are many accounts of organizations being able to identify the intrusion, but the person who received the alert didn't recognize it. Preventing these attacks to begin with would have prevented these intrusions.
The issue becomes false positives with prevention. You could inadvertently prevent a user from performing their business duties. However, the false positives are worth the time to investigate. As the saying goes, it's better safe than sorry.
I wholeheartedly agree with you. An intrusion prevention firewall is much more useful than an intrusion detection firewall. Of course, there’s place for both, where initial rules are set in the IPS firewall and then updated using information gathered from an IDS.
This chapter mentions stateful packet inspection, which monitors and tracks the active connections on a network to determine their validity. It also determines which network packets should be allowed through the firewall by utilizing information regarding active connections. One advantage of stateful packet inspection is that it offers a better security posture for networks by recording session information like IP addresses. It is a more secure method to keep intruders away from the network, as it processes application layer data and takes a deeper look into the transaction to understand what is going on.
Hi Priyanka,
The aspect of monitoring active network connections and filtering traffic based on preset rules does distinguish stateful packet inspection from static packet filtering. They offer sophisticated, in-depth checks ensuring that connections are valid and that the traffic being transmitted is permissible on each connection.
Network Address Translation (NAT) was the biggest takeaway for me from this chapter. NAT does not actually filter packets, but it is used in several firewall techniques due to its effectiveness in providing protection. It is typically used in firewalls as a second type of protection. Sniffers are used by attackers and are placed outside of networks; as packets pass through the sniffer, it collects info on the source IP addresses and port numbers. This allows attackers to learn about the host network without sending direct probe packets.
NAT is used to thwart these sniffers. First, an internal client sends a packet to an external server, which includes the client's real IP address and port number. The NAT firewall intercepts all outgoing traffic and replaces source IP addresses and port numbers with stand-in IP addresses and port numbers. The NAT firewall also places the internal socket and external socket in the translation table, so that when the server replies, it sends the packet to the stand-in address and port. It provides protection because the sniffer cannot learn internal IP addresses or port numbers, so the info cannot be collected and used to make attacks. NAT also protects against network scanning probes because their addresses and port numbers are not in the translation table.
NAT is a great way to obscure an internal IP address and service. Because the firewall chooses a random port, you wouldn't be able to tell which service is actually running. It would be hard for someone performing a service scan to see if you are running FTP, FTPS, SSH or SMB. Without this information an intruder would have a hard time identifying the device and service in the environment.
I think an important point of this chapter is Access Control Lists, or ACLs. Most web servers have well-known ports that are open for various purposes. Some common ones include FTP, SSH, Telnet, SMTP, DNS, HTTP and HTTPS, IMAP, and Remote Desktop Protocol. As an organization, a rule must be put in place to allow certain vital ports and remove open ports that could pose a security risk. Some ports simply cannot be disabled, such as SMTP for email clients and HTTP/S for web hosting. FTP, SSH, and Telnet do pose some vulnerabilities and may not be needed, so they could be disabled to potentially prevent a firewall intrusion. If these services are needed, it's entirely possible to change the default ports to less known ones and use the old ports as a honeypot to deter attackers and learn their patterns and tactics of breaching, and then use that information to patch out the exploits.
Having a useful firewall can help companies filter and monitor any disclosure of information. According to Boyle and Panko Chapter 6, the Chinese government uses the Great Firewall of China to restrict some websites, including Google, Facebook, and Wikipedia, from providing services. It can block some IP addresses and URLs. Although this firewall is very effective in helping the country protect information, it can be a barrier for companies that do business between America and China. They can use a VPN to do their work, but sometimes the VPN may be blocked by deep packet inspection. This method can mirror all traffic and detect suspicious IP connections. However, if a firewall lacks the capacity to examine all the packets, the firewall will be overloaded and drop packets, and then the firewall is not able to create a self-inflicted denial-of-service attack against the company. So, companies should have a firewall with sufficient processing power to control the traffic.
One main point I took from this reading is Network Address Translation (NAT). It can be used to protect an organization from sniffers, preventing attackers from capturing internal network data such as source IP addresses and open ports on servers. This prevents attackers from conducting reconnaissance on the target and formulating an attack. NAT is used to hide internal IP addresses and port numbers by converting them into a different external IP address and port number before the packet is sent to the destination. Also, internal servers may have non-routable IP addresses; in order to communicate with the internet, NAT can be used to convert them into an external IP address. Most importantly, this provides strong security without impacting the end user.
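As an added example covering both NAT posts above (this is illustration code, not from either post or from the textbook), here is the translation-table mechanism they describe: an outgoing packet has its source socket replaced with a stand-in on the firewall's public address, the mapping is stored in both directions, the server's reply is mapped back to the real internal socket, and a packet to the public address with no table entry (a scanning probe) is dropped. The addresses, the stand-in port pool and the traffic are constructed assumptions.

```python
"""Added example: port-overloading NAT with a translation table.

Assumptions (hypothetical): public address 203.0.113.1, stand-in ports
handed out from 50000 upward, RFC 1918 clients behind the firewall.
"""
from __future__ import annotations
import itertools
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"   # assumed external address of the NAT firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self) -> None:
        # internal socket -> stand-in socket, and the reverse for replies
        self.out_table: dict[tuple[str, int], tuple[str, int]] = {}
        self.in_table: dict[tuple[str, int], tuple[str, int]] = {}
        self.next_port = itertools.count(50000)   # assumed stand-in pool

    def outbound(self, p: Packet) -> Packet:
        """Internal -> Internet: replace the real source with a stand-in."""
        internal = (p.src_ip, p.src_port)
        if internal not in self.out_table:
            stand_in = (PUBLIC_IP, next(self.next_port))
            self.out_table[internal] = stand_in
            self.in_table[stand_in] = internal
        pub_ip, pub_port = self.out_table[internal]
        return replace(p, src_ip=pub_ip, src_port=pub_port)

    def inbound(self, p: Packet) -> Packet | None:
        """Internet -> internal: restore the real destination, or drop."""
        internal = self.in_table.get((p.dst_ip, p.dst_port))
        if internal is None:
            return None   # nothing in the translation table: unsolicited, dropped
        return replace(p, dst_ip=internal[0], dst_port=internal[1])


def demo() -> dict:
    nat = NatFirewall()
    # constructed traffic: an internal client talks to an external web server
    client = Packet("192.168.1.20", 40123, "93.184.216.34", 443)
    on_wire = nat.outbound(client)            # what a sniffer outside would see
    reply = Packet("93.184.216.34", 443, on_wire.src_ip, on_wire.src_port)
    delivered = nat.inbound(reply)
    probe = Packet("198.51.100.9", 6000, PUBLIC_IP, 22)   # scan of the public IP
    return {
        "sniffer_sees": (on_wire.src_ip, on_wire.src_port),
        "real_socket_hidden": (on_wire.src_ip != client.src_ip
                               and on_wire.src_port != client.src_port),
        "reply_delivered_to": ((delivered.dst_ip, delivered.dst_port)
                               if delivered else None),
        "probe_result": nat.inbound(probe),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical notes: the sequential stand-in ports here are for readability, and a real NAT implementation should pick them unpredictably so an outsider cannot guess live mappings; and the probe is dropped only because this NAT refuses anything without a table entry, which is the same default-deny discipline a stateful filter applies. NAT hides addresses, but it is that drop rule, not the address rewriting, that stops the scan.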
My big takeaway from this week was the different types of filtering, how each handles the packets it is best designed for, and what types of attacks they prevent. Just in comparing static versus stateful packet inspection (SPI), one can see how much more stateful inspection can evaluate. Static packet inspection looks at each packet independently, without looking at the context of previous packets that passed through the firewall. Basically, without context of previous packets, static filters really only protect against external ICMP echo messages coming into the site, echo reply messages leaving the site, incoming messages with spoofed IP addresses, and single packets with both the SYN and FIN flags set. Comparatively, stateful packet inspection looks at whether an already approved connection between two hosts exists and interrogates the packet header fields based on the connection table information. Stateful filters also look at access control lists to determine if the two applications had a pre-established access control that informs future connections between the two applications. Stateful filters allow different criteria sets to more tightly throttle communications for specific sender and receiver IP addresses and port references.
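As an added example (not from the original post), here is a static filter that implements the four stateless checks listed above, plus one packet it cannot judge: an unsolicited inbound ACK passes, because without a connection table there is no way to know that no connection exists. The internal address block and the sample packets are constructed assumptions.

```python
"""Added example: a static (stateless) packet filter.

Assumption (hypothetical): the site's internal block is 10.0.0.0/8, so an
inbound packet claiming a 10.x source is spoofed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site address block

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass(frozen=True)
class Packet:
    direction: str                    # "in" (from Internet) or "out" (to Internet)
    proto: str                        # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN", "ACK"}
    icmp_type: int | None = None


def static_filter(p: Packet) -> tuple[str, str]:
    """Judge one packet in isolation; return (verdict, reason)."""
    src_inside = ipaddress.ip_address(p.src_ip) in INTERNAL
    if p.direction == "in" and src_inside:
        return "drop", "inbound packet with internal (spoofed) source address"
    if p.proto == "icmp":
        if p.direction == "in" and p.icmp_type == ICMP_ECHO_REQUEST:
            return "drop", "inbound echo request (ping sweep)"
        if p.direction == "out" and p.icmp_type == ICMP_ECHO_REPLY:
            return "drop", "outbound echo reply (would confirm a live host)"
    if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
        return "drop", "SYN and FIN both set (illegal flag combination)"
    return "pass", "no static rule matched"


def demo() -> list[str]:
    """Constructed packets; returns the verdict for each."""
    pkts = [
        Packet("in", "icmp", "198.51.100.9", "10.0.0.5", icmp_type=8),
        Packet("out", "icmp", "10.0.0.5", "198.51.100.9", icmp_type=0),
        Packet("in", "tcp", "10.0.0.99", "10.0.0.5", frozenset({"SYN"})),
        Packet("in", "tcp", "198.51.100.9", "10.0.0.5", frozenset({"SYN", "FIN"})),
        # a normal outbound connection open passes
        Packet("out", "tcp", "10.0.0.5", "93.184.216.34", frozenset({"SYN"})),
        # an unsolicited inbound ACK: no connection exists, but a stateless
        # filter cannot know that, so it passes
        Packet("in", "tcp", "198.51.100.9", "10.0.0.5", frozenset({"ACK"})),
    ]
    return [static_filter(p)[0] for p in pkts]


if __name__ == "__main__":
    for p, v in zip(demo(), demo()):
        print(v)
```

The last packet is the whole argument for stateful inspection in one line: every rule above is a property of the packet itself, so an ACK scan or any reply-shaped probe sails through a static filter and has to be caught by something that remembers which connections were actually opened.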
Hi Heather,
Good point. We may also notice that SPI is beginning to be challenged by a new type of filtering called Intrusion Prevention System (IPS) filtering. The filtering methods of intrusion prevention systems can detect and block more sophisticated attacks than earlier forms of filtering, including SPI.
The key takeaway from this chapter is the advantages of SPI firewalls. Firstly, for the vast majority of packets, the stateful packet inspection firewall can do a simple table lookup and decide immediately whether to pass or drop the packet, which is faster and lower cost. Secondly, SPI firewalls are safer and can go beyond stateful inspection to implement other protections. Attacks rarely get through an SPI firewall unless the administrator creates an incorrect ACL.
Thirdly, the combination of high safety and low cost makes SPI firewalls extremely popular in the current market. Almost all main border firewalls today use stateful packet inspection.
Hi Zhen,
It is true that most vulnerabilities in implementations of stateful packet inspection firewalls will come from the personnel setting up the rules. In some cases the mishap could be a result of contradictions in policies, causing one rule to nullify what the other does.
Hi Zhen!
Thank you for the great response! The SPI firewalls topic in this reading was intriguing for me too! There are many advantages to SPI firewalls. The SPI firewall features a simple table lookup and can decide immediately whether to pass or drop the packet. SPI firewall policies, although very popular, must also be updated over time!
Reading through this chapter left me with the lasting impression that firewalls are important but far from the only line of defense, particularly as highlighted in the section on Firewall Filtering Problems. Protecting the perimeter is nearly impossible, as there are so many ways in now. IoT, compromised internal hosts, and the portability of computers and other devices are only a few of the vulnerabilities that are introduced in the current workspace. Extending the perimeter is inevitable, especially given the COVID situation businesses find themselves in. Remote employees are more prevalent than ever, and using home or hotel internet is essentially placing that service inside the perimeter of the firewall. Businesses need to reinforce their perimeter with internal firewalls around key applications. It's critical to harden internal hosts against attack using a varied approach, such as the hardening of clients and servers.
Firewalls are critical to network and system security. Although firewall technologies are now advanced, they do not work by themselves. Implementing firewalls requires careful planning and everyday operational management. Without proper management and maintenance, the firewall may seem secure but provides low protection. One way to manage the firewall is to establish and strictly enforce firewall policies. These policies are high-level statements that guide the firewall implementation and maintenance. All of these firewall policy statements must be translated into ACL rules that make sense for the firewall and are easy to understand. The policy statements written should not be vague, or stakeholders will follow them in different ways.
Hi Prince,
I like that you point out that firewalls may not work well by themselves. It is essential to check the firewall daily. As you said, having a rigorous policy and implementing it can help companies reduce inherent risks. Sometimes the threat may come from some employees ignoring the notification or not following the policy.
I focus on firewall management. The starting point is a set of clear policies. Policies should be clear, but not limited or weakened. A good firewall strategy is developed from a high-level perspective. It will be well planned and provide continuous management, monitoring, penetration testing, and change testing before deployment and maintenance. It should be clear who can request change management and how to handle these requests. For example, change management requests should not be approved by the same person requesting the change. I see the key concepts of firewall maintenance, especially separation of duties (SoD) and the principle of least privilege (PoLP). Most people do not think these two concepts play a role in firewall management, but they are common-sense best practices and should be part of all firewall policy declarations.
Another area I care about is the firewall log. I find that most firewall managers spend most of their time checking the firewall logs, which is interesting. Checking the firewall log is a process that consumes a lot of manpower and time every day; it tries to identify patterns and exceptions. The last concept I am interested in is that the firewall itself needs to be protected against attack. We always regard the firewall as a defensive measure against attack, but if the firewall itself is not hardened against direct attack, it will never see its own vulnerability.
I really like your summary for this topic. Firewall management should be an ongoing thing. Performing maintenance and testing can help make sure the rules in place are working correctly and the CIA principles are being followed.
A key takeaway I took from this chapter was the difference between a stateful firewall and a stateless firewall. Firewalls provide critical protection for business systems and information; they monitor and control incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet. Stateful firewalls are capable of monitoring and detecting the state of all traffic on a network to track and defend based on traffic patterns and flows. The advantage of a stateful firewall is that it does not need many ports open for proper communication. Stateless firewalls focus on individual packets, using preset rules to filter traffic.
The key point I have taken from this chapter is the SPI firewall which stands for State Pocket Inspection.
SPI full-state packet inspection type firewall refers to including socket pairs for each connection information: source address, destination address, source port, and destination port; protocol type, TCP protocol connection status and timeout time, etc. Check to determine whether to filter the firewall of the packet. In addition to completing the packet filtering work of the simple packet filtering firewall, it also maintains a table that tracks the connection status in its own memory, which has greater security than the simple packet filtering firewall.
The most advanced Stateful Packet Inspection (SPI) firewall provides the highest level of security. By default, it rejects all requests from the external network. It dynamically maintains all communications (connections) for the internal network’s connections through the firewall. Only the connection that responds to the internal network request and conforms to the state database’s established package can enter the intranet through the firewall. This solution allows network users to access Internet resources and prevents hackers on the Internet from accessing internal network resources.
Hi Zibai, this is very interesting. The (SPI) Stateful Packet Inspection provides the highest level of security because it rejects all requests from the external network by default. This could help minimize all potential vulnerabilities.
Hi Zibai, I agree with your point. There are different types of firewalls, including border firewalls, internal firewalls, and state packet inspection (SPI) filtering methods, because SPI focuses on connection, that is, persistent sessions between different programs on different computers. The access control list (ACL) that connects to the open attempt is composed of a series of rules, which are exceptions to the default behavior. These rules are as everyone knows the port numbers (specified applications running on the server), if-then format, ports, and server access, and all connections are not allowed.
Most firms have multiple firewalls except to main border firewalls, and build a complete firewall architecture to defense attack. Screening border routers placed between the border firewall and the Internet which purpose is reduces the load on the main border firewall by packet filtering and stops simple high-volume attacks. Internal firewall can controls traffic flowing between different parts of the firm’s internal network and it usually distribute in separate parts of the network according to different trust relationships. Besides, individual hosts—both clients and servers—may have firewalls. Using border, internal, and host firewalls can help to creates defense in depth. If the main firewall or an internal firewall has an ACL configuration error, individual hosts will still be protected. DMZ is a physical or logical subnetwork that contains all of the servers and application proxy firewalls that must be accessible to the outside world, the DMZ functions as a small, isolated network positioned between the Internet and the private to against attack.
Hi, Xinyi, I totally agree with your points. I just want to add some to your view. there is a lot of advantages of the SPI firewalls. Firstly, It more fast and low cost. Secondly, Secondly, SPI firewalls are more safety. Thirdly, SPI firewalls extremely popular in current market.
Hi Xinyi,
I agree with your opinion. The internal firewall manages DMZ access to the internal network. The internal firewall is the third line of defense for the internal network. When the external firewall fails, DMZ can also protect the internal network.
One of the key points I learned from this chapter is that there are many types of firewalls, which can be divided into several categories according to their operation methods and structure. The six types of firewalls are state packet check filter, static packet filter, firewall filter, network address translation, application proxy filter, intrusion prevention system filter and anti-virus filter. Another key point I learned from this chapter is firewall management. Although organizations can use firewalls to protect and detect network attacks, it is important to define firewall policies and control firewall security, such as firewall reinforcement, testing firewall configuration, changing firewall management and limiting authorization.
Hi Wenyao,
I too learned there are many different types of firewalls. Before reading this chapter, I believe IDS and IPS were a different set of technologies, but at its core it’s just a firewall. It is important to understand the differences between these types of firewalls because it will be beneficial when developing a solution for a business to implement.
Wenyao,
I think firewall management was a huge takeaway from this chapter. We’ve mentioned before how much time is spent setting all the security protocols up, however manage those protocols is the most important and also longest process in the cycle. These firewalls are going to be tested constantly by attackers so they need to be monitored close to 24/7. They are one of the biggest and best hurdles that hackers have to break, especially if they are strategically set between information layers. Everyone that is responsible needs to clearly understand the things they need to monitoring and should constantly be assessing info that the system collects.
The key point I took from this chapter is about the dangers of traffic overload. If the traffic becomes so high, the firewall is unable to examine all arriving packets, the firewall will drop all incoming packets. This ties directly with our past chapter and why DDoS attacks are so easily done and the system can be self-compromising. Recommendations from the book say that this can be mitigated by purchasing firewalls with larger processing power, with larger capacity but traffic will always grow, Especially targeted attacks, the accidental Minecraft attack we spoke about in class, thousands of zombie computers can cause the DDoS if the attacker is intentional enough. Firewalls must also be kept up to date, as new threats appear, the administrator must actively update their filtering rules. A good firewall is one that can keep up through traffic surges, while also filtering harmful packets, and operate at wire speed – the maximum speed of lines that can connect to it.
Hi Mei,
Good point. I’ll add some firewall Settings to maintain the system.
1. Record firewall rules and add comments to explain special rules 2. Review firewall rules regularly and optimize firewall performance 3. Organize firewall rules to maximize speed. Putting the most commonly used rules at the top and moving the less commonly used rules to the bottom can help speed up your firewall. 4. Perform a penetration test to check Health Rule 5. Perform regular automatic safety audits.
From this reading on Stateful Packet Inspection firewalls, we find them relevant in today’s networks as they monitor the state of communications and communication ports and their states. This allows for the firewall to open or close a communication port when either communication is initiated or when it ends respectively. These types of firewalls allow for filtering of packets to allow or deny connections to certain ports. The whole analysis and tracking of sessions from source to destination IP addresses and ports is what gives this type of firewalls their name.
A firewall is a mechanism that examines each packet passing through it. The firewall has a pass/deny mechanism which will determine if it should let the packet go through to the target or not. If the packet is a provable attack packet, the firewall drops the packet. If the packet is not a provable attack packet, the firewall passes the packet on to its destination. A provable attack packet will be blocked and rejected from passing through the firewall, and vice versa. In another situation, if the packet is not a provable attack packet but it is a true attack packet, the firewall will still let it go through to the destination, which will create a vulnerability for hackers and malicious third parties to steal, attack and sabotage the system or private information. During the whole process, the firewall will record information about each dropped packet in a log file. This process is called logging. The firewall administrator should check this log file daily in order to understand what kind of attack the company is facing most.
The firewall architectures section was very interesting. Most larger companies use a border router as the gateway into the network. These border routers are not firewalls; however, they do have some firewall functionality. Static packet filtering software is generally placed on border routers and enables the router to stop simple high-volume attacks, ensures that responses to external scanning probes cannot reach an external attacker, and greatly reduces the load on the main firewall. After the main firewall, there are various other firewalls that help segment the network. This could generally be done with VLANs, but in a high-trust system, it is safer to protect high-trust data with another firewall. An organization can take it a step further by adding an IDS device behind the main firewall and using application firewalls in front of the application/web servers, thus creating greater defense in depth.
Hi Anthony, this is the first I’m hearing about using a border router as a gateway. This can be especially helpful to reduce the number of requests flooding the firewall as a DDoS attack may be triggered.
Your suggestions of creating defense-in-depth ways of protecting the network are good ideas, I wonder what the cost benefits may be for implementing so many other detective controls.
With the development of network technology and society, there are more and more network attacks, and information security has become the focus of global concern. In order to deal with different kinds of network attacks, there are different network security devices and technical methods, and the firewall is one of the important network security devices. When several different security policies are implemented on the firewall, policy conflict will not only affect the normal operation of the network, but also threaten network security. For different network environments, the configuration of firewall policies is more and more complex, and conflicts between policies in multiple domains occur from time to time, which seriously affect the execution efficiency of security policies. Therefore, how to ensure the consistency of firewall policies between different security domains and within the same security domain is the key to the configuration of firewall security policies.
There are many different types of firewalls. I would prefer an intrusion prevention firewall vs an intrusion detection firewall. The prevention of an intrusion is much more valuable than just being able to identify when one is occurring. Putting up roadblocks for the attackers is going to provide more protection than simply sending an alert to an InfoSec team member. There are many accounts of organizations being able to identify the intrusion but the person who received the alert didn’t recognize the intrusion. Preventing these attacks to begin with would have prevented these intrusions.
The issue becomes false positives with the preventions. You could inadvertently prevent a user from performing their business duties. However, the false positives are worth the time to investigate. As the saying goes, it’s better to be safe than sorry.
Hi Jonathan,
I wholeheartedly agree with you. An intrusion prevention firewall is much more useful than an intrusion detection firewall. Of course, there’s a place for both, where initial rules are set in the IPS firewall and then updated using information gathered from an IDS.
This chapter mentions stateful packet inspection, which monitors and tracks the active connections on a network to determine their validity. It also determines which network packets should be allowed through the firewall by utilizing information regarding active connections. One advantage of stateful packet inspection is that it offers a better security posture for networks through recording session information like IP addresses. It is a more secure method to keep intruders away from the network as it processes application layer data, which takes a deeper look into the transaction to understand what is going on.
Hi Priyanka,
The aspect of monitoring active network connections and filtering traffic based on preset rules does distinguish stateful packet inspection from static packet filtering. They offer sophisticated in-depth checks that ensure connections are valid and the traffic being transmitted is permissible on each connection.
Network Address Translation (NAT) was the biggest takeaway for me from this chapter. NAT does not actually filter packets but it is used in several firewall techniques due to its effectiveness in providing protection. It is typically used in firewalls as a second type of protection. Sniffers are used by attackers and are placed outside of networks and as packets are passed through the sniffer, it collects info on the source IP addresses and port numbers. This allows attackers to learn about the host network without sending direct probe packets.
The NAT is used to thwart these sniffers. First, an internal client will send a packet to an external server, which includes the client’s real IP address and port number. The NAT firewall intercepts all outgoing traffic and replaces source IP addresses and port numbers with stand-in IP addresses and port numbers. The NAT firewall also places the internal socket and external socket in the translation table so that when the server replies, it will send a packet to the stand-in address and port. It provides protection because the sniffer cannot learn internal IP addresses or port numbers, so the info cannot be collected and used to make attacks. The NAT also protects against network scanning probes because the addresses and port numbers are not in the translation table.
NAT is a great way to obscure an internal IP address and service. Because the firewall chooses a random port, you wouldn’t be able to tell which service is actually running. It would be hard for someone performing a service scan to see if you are running FTP, FTPS, SSH or SMB. Without this information an intruder would have a hard time IDing the device and service in the environment.
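A small simulation of the translation-table behaviour described in the two posts above, added here as an example and not taken from the textbook or the posts: outgoing source sockets are rewritten to stand-in sockets, replies are mapped back, and a probe aimed at a port with no table entry is dropped. The addresses, the `NatFirewall` class and the `demo` helper are all constructed for this illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Toy NAT (constructed example): rewrites outgoing source sockets to
    stand-in sockets and maps replies back through a translation table."""

    def __init__(self, external_ip, seed=0):
        self.external_ip = external_ip
        self.rng = random.Random(seed)   # fixed seed so the example is repeatable
        self.table = {}                  # internal socket -> stand-in socket
        self.reverse = {}                # stand-in socket -> internal socket

    def _fresh_port(self):
        # pick an ephemeral stand-in port that is not already in the table
        while True:
            port = self.rng.randint(49152, 65535)
            if (self.external_ip, port) not in self.reverse:
                return port

    def outbound(self, pkt):
        """Client -> server: replace the real source socket with a stand-in."""
        internal = (pkt.src_ip, pkt.src_port)
        if internal not in self.table:
            standin = (self.external_ip, self._fresh_port())
            self.table[internal] = standin
            self.reverse[standin] = internal
        ext_ip, ext_port = self.table[internal]
        return Packet(ext_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Server -> client: only packets addressed to a stand-in socket that is
        in the table are translated; anything else (a scanning probe) is dropped."""
        internal = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if internal is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, internal[0], internal[1])


def demo():
    # constructed addresses: RFC 1918 client, documentation-range firewall and server
    nat = NatFirewall("198.51.100.1")
    client = Packet("192.168.1.10", 51234, "203.0.113.5", 443)
    seen_by_sniffer = nat.outbound(client)          # what an outside sniffer sees
    reply = Packet("203.0.113.5", 443, seen_by_sniffer.src_ip, seen_by_sniffer.src_port)
    delivered = nat.inbound(reply)                  # mapped back to the real client
    probe = nat.inbound(Packet("203.0.113.77", 4444, "198.51.100.1", 22))
    return seen_by_sniffer, delivered, probe
```

The sniffer-visible packet carries only the firewall's address and a stand-in port; the probe to port 22 has no translation entry and is returned as `None`.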
I think an important point of this chapter is Access Control Lists, or ACLs. Most web servers have well-known ports that are open for various purposes. Some common ones include FTP, SSH, Telnet, SMTP, DNS, HTTP and HTTPS, IMAP, and Remote Desktop Protocol. As an organization, a rule must be put in place to allow certain vital ports and remove open ports that could pose a security risk. Some ports simply cannot be disabled, such as SMTP for email clients and HTTP/S for web hosting. FTP, SSH, and Telnet do pose some vulnerabilities and may not be needed, so they could be disabled to potentially prevent a firewall intrusion. If these services are needed, it’s entirely possible to change the default ports to less known ones, use the old ports as a honeypot to deter attackers and learn their patterns and tactics of breaching, and then use that information to patch out the exploits.
Having a useful firewall can help companies filter and monitor any disclosure of information. Boyle and Panko Chapter 6 describes how the Chinese government uses the Great Firewall of China to restrict some websites, including Google, Facebook, and Wikipedia, from providing services. It can block some IP addresses and URLs. Although this firewall is very effective in helping the country protect its information, it can be a barrier for companies that do business between America and China. They can use a VPN to do their work, but sometimes the VPN may be blocked by deep packet inspection. This method can mirror all traffic and detect suspicious IP connections. However, if a firewall lacks the capacity to examine all the packets, the firewall will become overloaded and drop the packets, and then the firewall is not able to create a self-inflicted denial-of-service attack against the company. So, companies should have a firewall with sufficient processing power to control the traffic.
One of the main points I took from this reading is Network Address Translation (NAT). It can be used to protect an organization from sniffers, preventing attackers from capturing internal network data within an organization such as source IP addresses and open ports on servers. This prevents attackers from conducting reconnaissance on the target and formulating an attack. NAT is used to hide internal IP addresses and port numbers by converting them into a different external IP address and port number before the packet is sent to the destination. Also, internal servers may have non-routable IP addresses. In order to communicate with the internet, a NAT can be used to convert them into an external IP address. Most importantly, this provides strong security without impacting the end user.
My big takeaway from this week was the different types of filtering, how each handles the packets they are best designed for, and what types of attacks they prevent. Just in comparing static versus stateful packet inspection (SPI) one can see how much more stateful inspection can evaluate. Static packet inspection looks at each packet independently, without looking at the context of previous packets that passed through the firewall. Basically, without context of previous packets, static filters really only protect against external ICMP echo messages coming into the site, echo reply messages leaving the site, incoming messages with spoofed IP addresses, and single packets with both the SYN and FIN flags on. Comparatively, stateful packet inspection looks at whether an already approved connection between two hosts exists and interrogates the packet header fields based on the connection table information. Stateful filters also look at access control lists to determine if the two applications had a pre-established access control that informs future connections between the two applications. Stateful filters allow different criteria sets to more tightly throttle communications for specific sender and receiver IP addresses and port references.
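The comparison in the post above, worked through as an added example that is not from the textbook or the post: a static filter that applies only the four stateless checks listed, and a stateful filter that consults its connection table first and an ordered, default-deny ACL only for connection-opening packets. The internal address range, the ACL format and the `static_filter` / `StatefulFilter` names are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the Internet, "out" = leaving the site
    src_ip: str
    dst_ip: str
    proto: str                # "tcp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}
    icmp_type: str = ""              # "echo" or "echo-reply"


INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range


def static_filter(pkt):
    """Stateless checks: each packet is judged alone, with no memory of earlier ones."""
    if pkt.direction == "in" and ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET:
        return "drop: spoofed internal source address"
    if pkt.proto == "icmp" and pkt.direction == "in" and pkt.icmp_type == "echo":
        return "drop: incoming echo request"
    if pkt.proto == "icmp" and pkt.direction == "out" and pkt.icmp_type == "echo-reply":
        return "drop: outgoing echo reply"
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.flags:
        return "drop: SYN and FIN both set"
    return "pass"


class StatefulFilter:
    """Stateful checks: static rules, then the connection table, then the ACL."""

    def __init__(self, acl):
        self.acl = acl            # ordered (direction, dst_port or "*", action); first match wins
        self.connections = set()  # (src_ip, src_port, dst_ip, dst_port) of approved connections

    def check(self, pkt):
        verdict = static_filter(pkt)
        if verdict != "pass":
            return verdict
        if pkt.proto != "tcp":
            return "pass"         # in this toy, ICMP is covered by the static checks only
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        back = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if conn in self.connections or back in self.connections:
            return "pass: established connection"
        if pkt.flags != {"SYN"}:
            return "drop: no connection table entry"   # mid-stream packet with no state
        for direction, port, action in self.acl:       # opening attempt: consult the ACL
            if direction == pkt.direction and port in ("*", pkt.dst_port):
                if action == "allow":
                    self.connections.add(conn)
                    return "pass: new connection allowed by ACL"
                return "drop: denied by ACL"
        return "drop: default deny"
```

A stray inbound ACK with no table entry is the case that separates the two: the static filter passes it, the stateful filter drops it.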
Hi Heather,
Good point. We may also notice that SPI is beginning to be challenged by a new type of filtering called Intrusion Prevention System (IPS) filtering. The filtering methods of intrusion prevention systems can detect and block more sophisticated attacks than earlier forms of filtering, including SPI.
The key takeaway from this chapter is the advantages of SPI firewalls. Firstly, for the vast majority of packets, the stateful packet inspection firewall can do a simple table lookup and decide immediately whether to pass or drop the packet, which is faster and lower cost. Secondly, SPI firewalls are safer and can go beyond stateful inspection and implement other protections. Attacks rarely get through an SPI firewall unless the administrator creates an incorrect ACL.
Thirdly, the combination of high safety and low cost makes SPI firewalls extremely popular in the current market. Almost all main border firewalls today use stateful packet inspection.
Hi Zhen,
It is true that most vulnerabilities under implementation of stateful packet inspection firewalls will come from the personnel setting up the rules. In some cases the mishap could be a result of contradictions in policies, causing one rule to nullify what the other does.
Hi Zhen!
Thank you for the great response! The SPI firewalls topic in this reading was intriguing for me too! There are many advantages to SPI firewalls. The SPI firewall features a simple table lookup and can decide immediately to pass or drop the packet. SPI firewall policies, although very popular, must also be updated over time!
Reading through this chapter left me with the lasting impression that firewalls are important but far from the only line of defense, particularly as highlighted in the section on Firewall Filtering Problems. Protecting the perimeter is nearly impossible as there are so many ways in now. IoT, compromised internal hosts, and the portability of computers and other devices are only a few of the vulnerabilities that are introduced in the current workspace. Extending the perimeter is inevitable, especially given the COVID situation businesses find themselves in. Remote employees are more prevalent than ever, and using home or hotel internet is essentially placing that service inside the perimeter of the firewall. Businesses need to reinforce their perimeter with internal firewalls around key applications. It’s critical to harden internal hosts against attack using a varied approach such as the hardening of clients and servers.
Firewalls are critical to network and system security. Although firewall technologies are now advanced, they do not work by themselves. Implementing firewalls requires careful planning and everyday operational management. Without proper management and maintenance, the firewall may seem secure but provides low protection. One way to manage the firewall is to establish and strictly enforce firewall policies. These policies are high-level statements that guide the firewall implementation and maintenance. All of these firewall policy statements must be translated into ACL rules for the firewall to make sense and be easy to understand. The policy statements written should not be vague, or stakeholders will follow them in different ways.
Hi Prince,
I like that you point out that firewalls may not work well by themselves. It is essential to check the firewall daily. As you said, having a rigorous policy and implementing it can help companies reduce inherent risks. Sometimes the threat may come from some employees ignoring the notification or not following the policy.
I focus on firewall management. The starting point is a set of clear policies. Policies should be clear, but not limited or weakened. A good firewall strategy is developed from a high-level perspective. It will be well planned and provide continuous management, monitoring, penetration testing, and change testing before deployment and maintenance. It should be clear who can request change management and how to handle these requests. For example, change management requests should not be approved by the same person requesting the change. I see the key concepts of firewall maintenance, especially the separation of duties (SoD) and the minimum privilege principle (PolP). Most people do not think these two concepts will play a role in firewall management, but they are common-sense best practices and should be part of all firewall policy declarations.
Another area I care about is the firewall log. I find that most firewall managers spend most of their time checking the firewall logs, which is interesting. Checking the firewall log is a process that consumes a lot of manpower and time every day. It tries to identify patterns and exceptions. The last concept I am interested in is that the firewall itself needs to be protected against attack. We always regard the firewall as a defensive measure against attack, but if the firewall itself is not strengthened against direct attack, it will never see its own vulnerability.
I really like your summary for this topic. Firewall management should be an ongoing thing. Performing maintenance and testing can help make sure the rules in place are working correctly and the CIA principles are being followed.
A key takeaway I took from this chapter was the difference between a stateful firewall and a stateless firewall. Firewalls provide critical protection for business systems and information, monitoring and controlling incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet. Stateful firewalls are capable of monitoring and detecting the states of all traffic on a network to track and defend based on traffic patterns and flows. The advantage of a stateful firewall is that it does not need many ports open for proper communication. Stateless firewalls focus on individual packets, using preset rules to filter traffic.