We'll guard the network What are your clients being exposed to? need protection?

Network security explained

A firewall is a part of a computer system or network that is designed to block unauthorised access while permitting outward communication. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.


Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorised Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

  1. Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
  2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.
  3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Function

A firewall is a dedicated appliance, or software running on computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarised Zone (DMZ).

A firewall's function within a network is similar to physical firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion to the private network. In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall rule set, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organisation's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" rule set, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.

History

The term "firewall" originally meant a wall to confine a fire or potential fire within a building, c.f. firewall (construction). Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s to separate networks from one another. The view of the Internet as a relatively small community of compatible users who valued openness for sharing and collaboration was ended by a number of major internet security breaches, which occurred in the late 1980s:

  1. Clifford Stoll's discovery of German spies tampering with his system
  2. Bill Cheswick's "Evening with Berferd" 1992 in which he set up a simple electronic jail to observe an attacker
  3. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read, "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames"
  4. The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation - packet filters

The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).

TCP and UDP protocols comprise most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Second generation - "stateful" filters

From 1989-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.

Second (2nd) Generation firewalls in addition regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the DEC SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

TIS, under a broader DARPA contract, developed the Firewall Toolkit (FWTK), and made it freely available under license on October 1, 1993. The purposes for releasing the freely-available, not for commercial use, FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years' experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); and to "raise the bar" of firewall software being used.

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in any harmful way.

Subsequent developments

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS). Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardising protocols for managing firewalls and other middleboxes.

Another axis of development is about integrating identity of users into Firewall rules. Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can be easily turned around. The NuFW firewall provides real identity based firewalling, by requesting user's signature for each connection.

Types

There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules; or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection). If a packet does not match an existing connection, it will be evaluated according to the rule set for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.

Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).

Example of some basic firewall rules

Examples using a subnet address of 10.10.10.x and 255.255.255.0 as the subnet mask for the local area network (LAN).

It is common to allow a response to a request for information coming from a computer inside the local network, like NetBIOS.

Direction Protocol Source Address Source Port Destination Address Destination Port Action In/Out Tcp/Udp Any Any 10.10.10.0 >1023 Allow

Firewall rule that allows all traffic out.

Direction Protocol Source Address Source Port Destination Address Destination Port Action Out Tcp/Udp 10.10.10.0 Any Any Any Allow

Firewall rule for SMTP (default port 25), allows packets governed by this protocol to access the local SMTP Gateway (which in this example has the IP 10.10.10.6). (It is far more common to not specify the Destination Address, or if desired, to use the ISP SMTP service address).

Direction Protocol Source Address Source Port Destination Address Destination Port Action Out Tcp Any Any 10.10.10.6 25 Allow

General Rule for the final firewall entry. If a policy does not explicitly allow a request for service, that service should be denied by this catch-all rule which should be the last in the list of rules.

Direction Protocol Source Address Source Port Destination Address Destination Port Action In/Out Tcp/Udp Any Any Any Any Deny

Other useful rules would be allowing ICMP error messages, restricting all destination ports except port 80 in order to allow only web browsing, etc.

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

On inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals as well as reduce both the amount and therefore cost of obtaining enough public addresses for every computer in an organisation. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

...and of course the latest and great development, the UTM (Unified Threat Management) appliance.

Unified Threat Management (UTM) is a comprehensive solution that has recently emerged in the network security industry and since 2004, has gained widespread currency as a primary network gateway defense solution for organisations. In theory, it is the evolution of the traditional firewall into an all-inclusive security product that has the ability to perform multiple security functions in one single appliance: network firewalling, network intrusion prevention and gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing and on-appliance reporting.

The worldwide UTM market was approximately worth $1.2 billion in 2007, with a forecast of 35-40% compounded annual growth rate through 2011. The leading UTM vendor is Fortinet. The primary market of UTM providers is the SMB and Enterprise segment, although a few providers are now providing UTM solutions for small offices/remote offices.

The term UTM was originally coined by IDC, a leading market research firm. The advantages of unified security lies in the fact that rather than administering multiple systems that individually handle anti virus, content filtering, intrusion prevention and spam filtering functions, organisations now have the flexibility to deploy a single UTM appliance that takes over all their functionality into a single rack mountable network appliance.

Brief history

UTM solutions emerged out of the need to stem the increasing number of attacks on corporate information systems via hacking, viruses, worms - mostly an outcome of blended threats and insider threats. Also, newer attack techniques target the user as the weakest link in an enterprise, the repercussions of which are far more serious than imagined.

Data security and unauthorised employee access have become major business concerns for enterprises today. This is because malicious intent and the resultant loss of confidential data can lead to huge financial losses as well as corresponding legal liabilities. It needs to be mentioned that enterprises have only now began to recognise the fact that user ignorance can lead to vital security being compromised out of their internal networks.

The main advantages of UTM solutions are simplicity, streamlined installation and use, and the ability to update all the security functions or programs concurrently. So, not only are they a cost-effective purchase, but day-to-day network running costs are also considerably lowered. Such a great degree of functionality provided by a UTM appliance is held as the justification for the replacement of older, more basic Firewalls in favor of a Unified Threat Management firewall appliance that does it all.

The ultimate goal of a UTM is to provide a comprehensive set of security features in a single product and managed through a single console. Integrated security solutions evolved as a logical way to tackle the increasingly complex blended internet threats impacting organisations.

Transition from point to integrated security solutions

Traditional point solutions, which were installed to solve major threat and productivity issues, are difficult to deploy, manage and update, which increases operational complexities and overhead costs. Instead, organisations of today demand an integrated approach to network security and productivity that combines the management of traditionally disparate point technologies.

All these disadvantages can lead to situations where organisations deploy reduced security and inferior policies at remote locations. UTMs can help overcome these problems. In summary, the fast-paced transition from point to integrated security appliances is largely due to the cost-effectiveness and ease of manageability of UTM devices.

How UTM secures the networks

A single UTM appliance makes it very easy to manage a company's security strategy, with just one device to worry about, one source of support and a single way to maintain every aspect of your security solution. The UTM can prove to be more effective a solution as its strength lies in the bundle of solutions which are integrated and designed to work together. Also from one single centralised console, all the security solutions can be monitored and configured. Thus it tweaks the solutions to perfection.

In this context, UTMs represent all-in-one security appliances that carry firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management and centralised reporting as basic features. The UTM is thus, a highly integrated quiver of security solutions, working in tandem that systematically provides network security to organisations. As there is a customised OS holding all these security features at one place, they tend to work in unison, providing a very high throughput. The UTM can prove highly effective because its strength lies in the bundle of solutions which are integrated and designed to work together without treading on each other's toes.

Unique attractions of UTM

Enterprises have been fed a constant diet of increasingly inadequate security technologies to solve their security problems. With increasing threats clearly looming over their networks and their business, they don’t want another box to solve their problems. Their needs are about leverage, simplicity and integrated management capabilities. Standalone solutions such as AV, AS, Firewall fail to protect against such threats. Enterprises are not only under pressure from cybercrime and insider abuse, but are facing increasing and evolving compliance demands - highlighting the importance of establishing effective and measurable security.

Reduced complexity, through Single security solution, Single Vendor, avoidance of multiple software installation and maintenance, Plug & Play architecture, Web-based GUI for easy management are some of the major reasons why many organisations, both big and small are fast switching to smart, UTM solutions. This, coupled with Zero-hour protection without comprising on performance translates into high ROI for customers who deploy UTMs.

For enterprises with remote networks or distantly located offices, UTMs are the only means to provide centralised security with complete control over their globally distributed networks. Enterprises thus get zero-hour protection at branch offices against security attacks despite the lack of technical resources at these locations.

Key advantages

  1. Reduced complexity: Single security solution. Single Vendor. Single AMC
  2. Simplicity: Avoidance of multiple software installation and maintenance
  3. Easy Management: Plug & Play Architecture, Web-based GUI for easy management
  4. Performance: Zero-hour protection without degrading the network performance
  5. Troubleshooting: Single point of contact – 24 x 7 vendor support
  6. Reduced technical training requirements, one product to learn.
  7. Regulatory compliance

Role of user identity

Identity-based UTM appliances are the next-generation security solutions offering comprehensive protection against emerging blended threats. While simple UTMs identify only IP addresses in the network, identity-based UTMs provide discrete identity information of each user in the network along with network log data. They allow creation of identity-based network access policies for individual users, delivering complete visibility and control on the network activities. The identity-based feature of such UTMs runs across the entire feature set, enabling enterprises to identify patterns of behavior by specific users or groups that can signify misuse, unauthorised intrusions, or malicious attacks from inside or outside the enterprise.

The strength of UTM technology is that it is designed to offer comprehensive security while keeping security an easy-to-manage affair. Enterprises get complete network information in hand to take proactive action against network threats in case of inappropriate or suspicious user behavior in the network. As identity-based UTMs do not depend on IP addresses, they provide comprehensive protection even in dynamic IP environments such as DHCP and Wi-Fi and especially in a scenario where multiple users share the same computer.

Regulatory compliance

One salient feature of UTM appliances is that they provide best-of-the-breed security technology that can handle the increasingly regulatory environment across the world. Regulatory compliances like HIPAA, GLBA, PCI-DSS, FISMA, CIPA, SOX require access controls and auditing that meet control data leakage. UTMs that provide identity-based security give visibility into user activity while enabling policy creation based on the user identity, meeting the requirements of regulatory compliances.

Why Fortinet?

Identity-based UTMs deliver identity-based reports on individual users in the network. This offers short audit and reporting cycles and facilitates the meeting of regulatory compliance requirements in enterprises.

Fortinet is the only network security vendor to have such a large breadth and depth of product and company certifications. Some of the companies' certifications include:

  • 6 ICSA security certifications
  • NSS UTM certification
  • ISO 9001 certification
  • 12 Virus Bulletin (VB) 100% awards
  • IPV6 certification and Common Criteria Evaluation Assurance Level 4 Augmented (EAL 4+) for FortiOS 3.0

Since 2000, Fortinet has received more than 100 product and company awards. In the last year, Ingram Micro selected Fortinet for its "Best New Vendor Award of Excellence", Frost & Sullivan gave Fortinet the "Global Competitive Strategy Leadership of the Year" best practices award and the FortiWifi™-60B - was recognised by SC Magazine as the 2008 Readers' Trust Award for "Best Integrated Security Solution".

Vendors

Applicure
Cymphonix
Cymtec
Fortinet
FortiRack
Mailfoundry
NeoAccel
Netpilot
SecurEnvoy
Talkativo
Xirrus