Kelly Sharadin says
Firewalls have quickly progressed in sophistication to thwart malicious inbound and outbound traffic. This week’s reading explained how access control lists can offer greater granularity in addition to Stateful Packet Inspection (SPI) firewall filtering. Many cloud providers are now offering ACL products to help customers dial in ACLs on virtual networks and applications hosted in the cloud. For example, Azure uses network security groups (NSGs), and AWS also uses a similar security group function that enables customers to create rules that utilize TCP and UDP ports and IP addresses for ingress/egress traffic. For example, as the reading states, if a web server is hosted on a cloud, then an ingress rule allowing port 443 would be a default and expected behavior, so creating a specific rule to allow this behavior is expected.
zijian ou says
Hi Kelly,
You have provided good examples of how firewalls can be applied to the cloud platform.
Andrew Nguyen says
One of the key points that I took from this reading was the various filtering mechanisms that firewalls use. Initially I was only aware of stateful packet inspection (SPI) filtering, but it was interesting to learn about static packet filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. I’m curious to see if this list stays the same or grows in response to future advances in technology.
Dhaval Patel says
Hi Andrew,
I also found the two filtering methods interesting. I didn’t know static was still used to stop some attacks; I was under the assumption that stateful had taken over, which for the most part is true, but it was interesting to see that static is still used as a secondary method.
kofi bonsu says
Hi Andrew,
This is absolutely a masterpiece, but firewalls are a basic part of any company’s cybersecurity architecture. However, firewalls alone should never be considered the be-all, end-all solution for your company’s cybersecurity needs. Yes, they are useful; however, there are a few issues with firewalls that can make relying on them alone a bad idea.
Patrick Jurgelewicz says
One major takeaway I had from this chapter was the difference between Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). An IDS is similar to a home alarm system, as it will alert the user or security administrator if it detects suspicious traffic or an attack. On the other hand, an IPS can actually stop some attacks, rather than just monitoring and alerting like an IDS. An IPS can do this by dropping packets or limiting traffic, but some security experts are skeptical about using an IPS as they are familiar with how many false positive alerts an IDS can generate.
Victoria Zak says
Hi Patrick,
The difference between an IDS and IPS was also a major takeaway I had from this week’s reading. With IDS and IPS, we are able to detect attacks from sources, and they act as a security barrier. Intrusion Prevention Systems can detect/prevent network security attacks. However, an IDS system looks for suspicious network traffic and compares it against a database of known threats.
Andrew Nguyen says
Hi Patrick,
I also found the difference between IDSs and IPSs particularly interesting. I think ideally both of them would be used together to 1) prevent intrusion altogether, and 2) detect intrusions if they occur.
Thanks for sharing your thoughts!
Best,
Andrew
zijian ou says
Usually, available firewalls do not perform virus filtering, and most of them choose to work with anti-virus filtering servers. The anti-virus server will check the object when a packet arrives at the firewall. Some firewalls on the market include traditional firewall filtering methods and anti-virus filtering, such as unified threat management (UTM). However, such products are underperforming in other areas, and most UTM products only have the processing power to be used in smaller companies or branch offices of larger companies.
Andrew Nguyen says
Hi Zijian,
Virus filtering at the firewall was something that I found particularly interesting in this week’s reading. I’m curious to see the limitations of this, and if it will change in time due to future advances in technology.
Thanks for sharing your thoughts!
Best,
Andrew
kofi bonsu says
One of the key takeaways from this week’s reading is that firewalls are used as a mechanism to separate parts of networks that have separate security levels; hence, they are meant to determine an authorization policy that chooses the traffic to be permitted according to a security policy expressed as a set of rules, often named the access control list (ACL). The rules are made up of a condition clause, formed by a series of predicates over some packet header fields, and an action clause, evaluating the action to be enforced, especially allowing or denying the traffic.
When a new packet arrives at one of the firewall network interfaces, the values from its headers are used to evaluate the condition clause predicates. A packet matches a rule if all of the predicates of the rule are true. If a packet matches only one rule, the action enforced is taken from its action clause. Firewalls and Security Gateways are core elements in network security infrastructure. As networks and services become more complex, managing access-list rules becomes an error-prone task. Conflicts in a policy can cause holes in security, and can often be hard to find while performing only visual or manual inspection. Firewall has defined a methodology to systematically classify the severity of rule conflicts and therefore proposed solutions to automatically resolve conflicts in a firewall.
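As an added illustration of the rule structure Kofi describes (condition clause of predicates over header fields, action clause, first match wins) and of the cloud-style "allow 443 to the web server" ingress rule from Kelly's post, here is a small ACL evaluator that also reports the rule conflicts the textbook says are hard to find by visual inspection. This is example code written for this discussion, not from the textbook or any cloud provider; the addresses, rule names and network ranges are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    """One ACL entry: a condition clause (predicates over header fields,
    None meaning 'any') and an action clause ('allow' or 'deny')."""
    name: str
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "203.0.113.0/24"
    dst: Optional[str] = None    # CIDR
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # The packet matches only if every predicate of the rule is true.
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """First-match semantics: the first rule whose condition clause holds
    decides; if no rule matches, the implicit default (deny) applies."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "implicit-default"


def _covers(wide: Optional[Any], narrow: Optional[Any], cidr: bool = False) -> bool:
    """True if every value accepted by predicate `narrow` is accepted by `wide`."""
    if wide is None:
        return True
    if narrow is None:
        return False
    if cidr:
        return ip_network(narrow).subnet_of(ip_network(wide))
    return wide == narrow


def find_shadowed(acl: List[Rule]) -> List[Tuple[str, str, str]]:
    """Report rules that can never fire because an earlier rule matches every
    packet they match: (shadowed rule, shadowing rule, kind), where kind is
    'conflict' if the actions differ and 'redundant' if they are the same."""
    findings = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.proto, later.proto)
                    and _covers(earlier.src, later.src, cidr=True)
                    and _covers(earlier.dst, later.dst, cidr=True)
                    and _covers(earlier.dport, later.dport)):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed sample ACL: HTTPS to the web server is allowed from anywhere,
# so the deny rule placed after it is shadowed and silently never applies.
ACL = [
    Rule("web-https", "allow", proto="tcp", dst="10.0.0.10/32", dport=443),
    Rule("block-bad-net", "deny", proto="tcp", src="203.0.113.0/24",
         dst="10.0.0.10/32", dport=443),
    Rule("internal-dns", "allow", proto="udp", src="10.0.0.0/8", dport=53),
]
```

Running `find_shadowed(ACL)` flags `block-bad-net` as shadowed by `web-https`, which is exactly the kind of ordering conflict a manual review tends to miss.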
Andrew Nguyen says
Hi Kofi,
The firewall rules and mechanisms were also something that I found particularly interesting in this week’s reading. I’m curious to see if/how these things change due to future advances in technology.
Thanks for sharing your thoughts!
Best,
Andrew
Dhaval Patel says
Though static packet filtering isn’t the primary filtering mechanism anymore, it has shown that it can still be useful in stopping some attacks like ICMP echo messages as well as incoming packets with spoofed source IP addresses. Stateful, being the most popular, works on states: either a packet is part of an opening connection or it is not, the latter being the most common. Non-connection-opening attempts are also the least expensive, because the firewall only has to look in the table and decide immediately if it should keep or drop the packet. It was interesting seeing the differences between static and stateful packet filtering.
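To make the two paths Dhaval describes concrete, here is an added simulation (example code for this thread, not from the textbook) of a firewall that first applies the static checks named above, then treats TCP connection-opening attempts as the expensive policy decision and everything else as a cheap connection-table lookup. The protected network `INTERNAL`, the allowed inbound service list `INBOUND_SERVICES`, and the packet values are constructed assumptions; only TCP and ICMP are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed assumptions: the protected network, and the one service that
# outside hosts are permitted to open connections to (web server on 443).
INTERNAL = ip_network("10.0.0.0/8")
INBOUND_SERVICES = {("10.0.0.10", 443)}


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrived on: "ext" or "int"
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag
    icmp_type: int = -1  # 8 = ICMP echo request


class StatefulFirewall:
    def __init__(self) -> None:
        # Connection table: 5-tuples of connections that were allowed to open.
        self.table: Set[Tuple[str, str, int, str, int]] = set()
        # Every drop is logged with its reason, for the daily log review.
        self.drop_log: List[Tuple[str, Packet]] = []

    def _drop(self, pkt: Packet, reason: str) -> str:
        self.drop_log.append((reason, pkt))
        return "drop"

    def _static_check(self, pkt: Packet) -> Optional[str]:
        """Stateless rules applied to every packet before any table lookup."""
        if pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL:
            return "spoofed internal source address on external interface"
        if pkt.iface == "ext" and pkt.proto == "icmp" and pkt.icmp_type == 8:
            return "inbound ICMP echo request"
        return None

    def handle(self, pkt: Packet) -> str:
        reason = self._static_check(pkt)
        if reason is not None:
            return self._drop(pkt, reason)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            # Connection-opening attempt: the expensive path, policy is consulted.
            if pkt.iface == "int" or (pkt.dst, pkt.dport) in INBOUND_SERVICES:
                self.table.add(key)
                return "pass"
            return self._drop(pkt, "unsolicited inbound connection attempt")
        # Any other packet: the cheap path, one table lookup in either direction.
        if key in self.table or reverse in self.table:
            return "pass"
        return self._drop(pkt, "no entry in connection table")
```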
Kelly Sharadin says
Hi Dhaval,
I also thought the evolution from static to stateful packet inspection was interesting. More so, that it demonstrates how complicated security systems can be when we have legacy (static) working together with modern (stateful) firewalls. On the one hand, it helps to leverage and extend the life of older appliances; however, increasing architecture can also increase the attack surface.
Kelly
Michael Jordan says
One interesting point that I found in the textbook chapter was that the majority of free VPNs on the Apple and Google app stores are insecure. A 2018 study found that 59% of these VPNs had links to China, and 86% of them had unacceptable privacy policies. Also, very few had websites or support teams, and the support teams that did exist commonly communicated through personal email addresses like Gmail and Hotmail. This all means that users who use these free VPNs likely route their data through China and make their data more vulnerable and more accessible.
This came up in the textbook chapter because it discussed how China has “China’s Great Firewall”, and disabled private VPNs that are not routed through the government and implemented fines on citizens who use them. The textbook states “More than 30% of Chinese citizens regularly use a VPN to bypass China’s Great Firewall and access sites outside the tightly controlled country.”
Antonio Cozza says
Hi Michael,
I also found this to be an interesting point. It seems to raise the “you get what you pay for” sentiment for me; without ever knowing for certain of the statistics on free VPNs, they didn’t particularly seem like a good option. It is interesting however how common it is in China for people who use a VPN to bypass China’s firewall.
Madalyn Stiverson says
Firewalls are a core component of the intrusion detection system. They create a divide between trusted and untrusted networks. They can also create multiple layers of security as you add firewalls between the network, applications, and databases. Firewalls can’t stop all malicious activity, but they do play a part in the multi layers defense system.
Patrick Jurgelewicz says
Hey Madalyn, I like how you pointed out the ability to create multiple layers of security between the network, applications, and databases. We know the best way to secure systems is to implement defense-in-depth, and adding firewalls throughout the system is a great way to achieve it.
Vraj Patel says
A firewall does not perform antivirus filtering. The firewall works with another server which would be configured to perform the antivirus filtering. Traffic from the internet would typically come to the firewall first. Then it would be sent to the antivirus server, where the traffic would be analyzed for anomalous behavior such as viruses, worms, etc. Then, depending on the settings, it would either go back to the firewall and on to the destination host, or it would go directly to the destination host.
Dan Xu says
Hi Vraj,
I agree with you that the firewall does not perform anti-virus filtering. This is a time when a firewall administrator should be looking at it daily or even more frequently to ensure that daily system security is maintained. When problems are found, the firewall administrator may reconfigure the firewall or may take other measures.
Antonio Cozza says
The most interesting takeaway regarding firewalls for me was that the perimeter is no longer able to be protected. There are simply just too many ways to circumvent it entirely now. So many external personnel are using a VPN to access internal resources that the concept of the border is very abstract as it keeps extending. Border firewalls are also really only useful if they truly are border firewalls – that is if they are the only single point of connectivity between the internal network and the internet. In practice, this is just not the case.
Michael Jordan says
Hi Antonio,
I like how you point out that there is often more than one point of connectivity between internal networks and the internet, which makes “border firewalls” less effective due to the fact that there are several different borders with different incoming data.
-Mike
Victoria Zak says
From the reading this week, I found the difference between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) interesting. As the reading mentions, Intrusion Detection Systems examine streams of packets to look for suspicious activities that indicate possible attacks. If a malicious attack is detected, the IDS will notify the security administrator. Additionally, an IDS needs to filter the packet stream rather than individual packets.
Intrusion Prevention Systems (IPS) use IDS filtering methods and stop some kinds of attacks, instead of just identifying them and generating alarms. The most important development leading to the IPS has been application-specific integrated circuits (ASICs), which can filter in hardware.
Lauren Deinhardt says
Hi Victoria, thanks for your post. It is critical to deploy both an IPS and an IDS to a system, in order to balance a proactive and reactive approach to security.
Dan Xu says
Through the chapter I learned that if the packet is a provable attack packet, the firewall will discard the packet. If the packet is not a provable attack packet, the firewall delivers the packet to its destination. In a firewall, this is called a pass/reject decision.
It is important to harden hosts to protect them from attack packets that the firewall will not drop. The firewall will pass all attack packets that are not provable. This means it will pass any real attack packet that is not a provable attack packet. Firewall administrators should look at this log file daily or even more often to understand the type of attack the company is experiencing; even if the firewall drops much of the attacker’s data, it will not drop it all.
Dhaval Patel says
Hi Dan,
You make a good point about hardening the firewall. There can be instances with firewalls and/or IPS where false positives and negatives can occur, and so if the system is hardened properly, then going through the log files can verify the false negatives or positives.
Lauren Deinhardt says
One major takeaway from this week’s reading is the concept of static packet filtering. Static packet filtering is a form of firewall configuration where one packet is reviewed at a time, in isolation, in order to pass the firewall. This type of filtering is no longer used in excess today, as stateful packet filtering (SPI) is used more often due to its advantage of viewing packets during specific states and through a variety of conditions.
Vraj Patel says
Hey Lauren,
That’s a great post. I do agree that Stateful Packet Filtering is used more often these days due to its performance level. As it processes at the application level, it would have a greater ability to scan through the traffic in detail to get an understanding of that traffic.