Security Ranch

February 15, 2021

Firewall: A small piece of the security puzzle.

Filed under: Uncategorized — Tags: — Ken @ 8:10 pm

Firewalls: A Small Piece of the Security Puzzle

The first firewalls were invented in the late 1980s as a reaction to the first piece of malware to cause widespread disruption on the internet. The infamous Morris Worm struck on November 2, 1988, after Robert Morris released a program that tried to figure out the size of the internet (Bortnik 2013). A small error in the program caused it to reinfect machines it had already reached, so it behaved like an aggressive worm and ultimately took down an estimated ten percent of the internet as it existed at the time. Not long afterwards, the first paper describing a packet filtering program was published, and that kind of program later became known as a firewall.

What are known as first generation firewalls were simple packet filters: each packet was compared against a set of rules and then passed, dropped, or rejected. Passing let the packet into the network; dropping silently discarded it; rejecting discarded it and sent an error message back to the sender. The rules matched on the protocol, the port numbers, or the source and destination IP addresses, and nothing else. These were "stateless" firewalls. "Stateless" means the firewall inspected each packet on its own, with no memory of the connection it belonged to. So, if a connection was established between two networks and ten thousand packets were sent from one to the other, each of the ten thousand was evaluated against the full rule set from scratch. Just as importantly, a stateless filter cannot tell a legitimate reply from an unsolicited packet, so admitting return traffic meant writing broad standing rules such as "allow inbound to all high ports". As the internet grew in size and complexity this was both a performance problem and a security problem, and it led to the creation of "stateful" firewalls.

"Stateful" firewalls are known as second generation firewalls. They operate at layers 3 and 4 of the OSI model and retain information about the state of each connection, so for every packet they can determine whether it belongs to an existing connection or is attempting to start a new one. Only new connections have to be evaluated against the rule base; packets of established connections are matched against the connection table, and replies are admitted only when a host actually initiated the exchange. This allowed more precise rules that made the firewall both more efficient and more effective, and it let firewalls defend against several types of denial-of-service (DoS) attack that were beginning to appear at that time.
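To make the difference concrete, here is a small simulation, added here as an example rather than code from the original post, of how a stateless filter and a stateful filter judge the same packets. The packet model, the address ranges and the rule sets are constructed for the demonstration; a real firewall's rule language looks different, but the decisions are the same. The stateful version is given a deliberately tiny connection table to show why that table is itself a target for denial of service.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the header fields a layer 3/4 filter sees."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # first packet of a new TCP connection carries SYN
    ack: bool = False


INSIDE_PREFIX = "10.0.0."   # assumed internal address range for the demo


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


# First generation: stateless packet filter. Each packet is judged alone, so to
# admit replies to connections our hosts opened, the ruleset needs a standing
# "allow inbound to every high port" rule, which also admits unsolicited packets.
STATELESS_RULES = [
    # (direction, proto, destination ports, action)
    ("out", "tcp", range(0, 65536), "pass"),      # anything our hosts send
    ("in", "tcp", range(80, 81), "pass"),         # public web server
    ("in", "tcp", range(1024, 65536), "pass"),    # "return traffic" (far too broad)
]


def stateless_filter(pkt):
    direction = "out" if is_inside(pkt.src) else "in"
    for rule_dir, proto, ports, action in STATELESS_RULES:
        if rule_dir == direction and proto == pkt.proto and pkt.dport in ports:
            return action
    return "drop"   # default deny


# Second generation: stateful filter. Policy is only consulted for packets that
# try to open a connection; everything else is looked up in the connection table.
class StatefulFirewall:
    def __init__(self, max_entries=1024):
        self.table = {}   # 5-tuple of the initiating direction -> connection state
        self.max_entries = max_entries

    @staticmethod
    def _key(pkt, reverse=False):
        if reverse:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def filter(self, pkt):
        # Known connection (either direction): pass without touching the rules.
        if self._key(pkt) in self.table or self._key(pkt, reverse=True) in self.table:
            return "pass"
        # New connection: inside hosts may open anything, outside only to the web server.
        opens_connection = pkt.proto == "tcp" and pkt.syn and not pkt.ack
        allowed = opens_connection and (is_inside(pkt.src) or pkt.dport == 80)
        if not allowed:
            return "drop"
        # The table is finite. A flood of SYNs from spoofed sources fills it, and
        # then even legitimate new connections are refused: the state-exhaustion DoS.
        if len(self.table) >= self.max_entries:
            return "drop"
        self.table[self._key(pkt)] = "SYN_SENT"
        return "pass"


def demo_filters():
    """Run the same three packets through both filters, then a small SYN flood."""
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    outbound_syn = Packet(client, 50000, server, 443, syn=True)
    reply = Packet(server, 443, client, 50000, syn=True, ack=True)
    unsolicited = Packet(attacker, 4444, client, 50000)   # nobody asked for this

    stateless = [stateless_filter(p) for p in (outbound_syn, reply, unsolicited)]

    fw = StatefulFirewall(max_entries=2)
    stateful = [fw.filter(p) for p in (outbound_syn, reply, unsolicited)]

    # Spoofed SYNs to the web server: the first fits in the table, the rest do not,
    # and a genuine visitor arriving afterwards is dropped too.
    flood = [Packet(f"198.51.100.{i}", 1000 + i, "10.0.0.80", 80, syn=True) for i in range(3)]
    visitor = Packet("192.0.2.20", 51234, "10.0.0.80", 80, syn=True)
    flood_results = [fw.filter(p) for p in flood + [visitor]]
    return stateless, stateful, flood_results
```

The stateless filter passes all three packets, including the unsolicited one, because its "return traffic" rule cannot distinguish a reply from an attack. The stateful filter passes the reply only because it remembers the outbound SYN, and drops the unsolicited packet; the flood then shows the price of that memory once the table is full.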

Third generation, or application, firewalls have been around since the early 1990s. They are smarter than their predecessors because they understand which applications use which protocols and ports, and can recognise the application from the content of the traffic rather than from the port number alone. For example, if I were running File Transfer Protocol (FTP) on any port other than 21, the firewall could identify the FTP exchange and drop the connection unless I had a rule in place that said otherwise. That awareness of the application layer is what makes these firewalls smarter and lets them prevent more attacks on the network.
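The FTP-on-the-wrong-port example above, worked through as an added illustration (not code from the original post or from any firewall vendor): the filter classifies a connection from its first data bytes and then checks that the identified application is permitted on that port. The payload signatures, the port policy and the sample payloads are constructed for the demonstration.

```python
import re

# Constructed payload signatures for a few applications. A real application
# firewall carries a large library of these; three are enough to show the idea.
SIGNATURES = [
    ("ftp", re.compile(rb"^(220[ -]|USER |PASS |RETR |STOR |LIST)", re.I)),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
]

# Policy: which application is permitted on which destination port.
# This differs from a port filter: port 21 being open is not the same as
# "FTP is allowed"; the traffic must actually be FTP, and FTP must be on 21.
POLICY = {
    21: {"ftp"},
    22: {"ssh"},
    80: {"http"},
}


def identify_application(payload):
    """Name the application from the first data bytes of a connection, or None."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def app_filter(dport, payload):
    """Decide on the first data segment of a connection: ('pass'|'drop', app, reason)."""
    app = identify_application(payload)
    if app is None:
        return ("drop", None, f"unrecognised application on port {dport}")
    if app in POLICY.get(dport, set()):
        return ("pass", app, f"{app} permitted on port {dport}")
    return ("drop", app, f"{app} not permitted on port {dport}")


def demo_app_filter():
    cases = [
        (21, b"USER anonymous\r\n"),                                   # FTP where it belongs
        (8080, b"USER anonymous\r\n"),                                 # FTP moved to an odd port
        (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (80, b"SSH-2.0-OpenSSH_8.9\r\n"),                              # SSH hidden on the web port
        (21, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),                     # TLS handshake on port 21, not FTP
    ]
    return [app_filter(port, data)[0] for port, data in cases]
```

A plain port filter would have passed the second, fourth and fifth cases because the ports were open; the application filter drops them because the traffic is not what the port policy says it should be. Real products classify on more than the first segment and allow the TCP handshake through before deciding, but the decision logic is the same.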

The Next Generation Firewall (NGFW) is the latest development in firewall technology. It is still a third generation, application level firewall, but it inspects packets more deeply than before, typically combining application identification, user identity and intrusion prevention in one device. This is also where firewall technology starts to specialise into products such as Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS). In 2007, Palo Alto produced a white paper stating that 80% of new attacks targeted weaknesses in applications (Bouchard 2007).

The strength of a firewall lies in its ability to control traffic entering and leaving the network. It lets a business permit or restrict exactly what passes from one network to the next. Users can be granted particular permissions and privileges based on their job or location, which helps enforce the company's network and security policy and, in turn, makes the network easier to manage and more secure. Another strength is that the firewall has a single purpose. That makes it easier to operate and more efficient, because it only has to do one thing and do it well. A program that had to be both a firewall and a tool for creating and managing user accounts would likely be worse at both, which is why there are so many single-purpose security tools. Despite these tools, however, companies are still being hacked. In one FireEye study, the networks that are supposed to be the most secure, government and military, were found to have a breach rate of 76% (Dunn 2015). That is pretty bad. There are many reasons for this, but as far as firewalls are concerned, the plain fact is that they are not hack-proof.

Firewalls have several weaknesses, and those weaknesses have changed over time. First generation firewalls were very straightforward and could only inspect packets based on port, protocol, or source and destination address. This worked well enough, but it could not stop malicious traffic that exploited the firewall's simplicity: the filter never looks at the payload, so anything carried over an allowed port and protocol passes straight through, and forged source addresses or port numbers are taken at face value. Second generation firewalls addressed part of this by filtering on the connection or session and remembering information about each connection. That cut down the earlier weaknesses, but the connection table itself became a target. Attackers launched DoS attacks (for example, floods of connection attempts from spoofed addresses) designed to fill the firewall's state memory until it ran out of room and either failed or started refusing legitimate connections.

Other weaknesses have little to do with the firewall itself. A firewall cannot protect against the insider threat: a user who already has, or grants themselves, more access than they need is a danger to the network, whether they are malicious and want to damage the business or simply ignorant of the threats on the internet. Another weakness is that a firewall cannot protect against anything that has already passed through it. If malware gets through into the network and causes damage, there is nothing the firewall can do to fix the problem, and malware delivered by email over an allowed channel is the most common form this takes. A third weakness is that a firewall cannot compensate for a network that is poorly structured or misconfigured because of bad security policy (Laverty, n.d.). A firewall only filters the traffic that passes through it, and only according to the rules the network administrators set; a firewall whose rules pass everything through is useless.

To combat these weaknesses, other tools and techniques must be used. Intrusion Detection Systems (IDS) are devices or software that analyse network traffic and look for known events or certain types of traffic. When the IDS recognises an event, it records a log message. Intrusion Prevention Systems (IPS) work the same way, but instead of only logging a message they can also react by blocking the traffic or taking some other pre-programmed action. The two are very similar in how they function; some IDS products can be turned into an IPS just by changing a drop-down menu from Log to Log/Drop (Pack 2013). There are two broad types of IDS/IPS. The first is the Network IDS (NIDS): a device installed on the network, usually positioned just behind the firewall, so that any traffic the firewall passes is analysed for known signatures. The second is the Host IDS (HIDS): software that runs on an individual computer and monitors the traffic into and out of that host, along with its own logs and files, for that host only.

HIDS and NIDS both detect threats by examining traffic, and there are two main detection methods. The first is signature-based. A signature-based HIDS or NIDS looks for the known signatures of malicious threats such as worms, viruses and Trojans: the recognisable patterns this malware leaves in the packets it sends across the network. These signatures work the same way as anti-virus (AV) software, which scans files for known patterns of malware.

The second method is anomaly-based detection. It is a little more complicated because it requires establishing a baseline of normal network traffic on which to base its logic. For example, if there is normally only network traffic during working hours, 8 am to 5 pm, then any traffic outside those hours would be logged (in the case of an IDS) or blocked (in the case of an IPS).

Many businesses prefer an IPS for its ability to stop malicious traffic, but an IPS has drawbacks that make an IDS the better choice in some situations. Because an IPS blocks traffic, it can sometimes block innocent traffic, or traffic that merely contains malformed packets. This is a "false positive", and it is a real source of frustration when the blocked traffic is essential. Depending on the business and its security policy, an IDS may be preferable. A good example of a company that might want an IDS rather than an IPS is an online seller of goods: if customer traffic cannot reach its website because it gets blocked, the business loses money.
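The two detection methods and the IDS versus IPS trade-off from the preceding paragraphs, combined in one added example (not code from the original post or from any IDS product). The signature patterns, the 08:00 to 17:00 baseline, the "malformed" flag and the sample traffic are all constructed for the demonstration, and the "BEACON" signature is a made-up placeholder rather than a real malware family.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    """Constructed view of one packet as the sensor sees it after decoding."""
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes
    malformed: bool = False   # decoder flagged a bad length or checksum


# Signature rules: (name, pattern, destination ports it applies to; None = any port).
SIGNATURES = [
    ("shellshock-cgi", re.compile(rb"\(\)\s*\{\s*:;\s*\};"), {80, 443, 8080}),
    ("sqli-union-select", re.compile(rb"union\s+(all\s+)?select", re.I), {80, 443, 8080}),
    ("backdoor-beacon", re.compile(rb"^BEACON:[0-9a-f]{8}:"), None),   # constructed placeholder
]

# Anomaly baseline: the constructed network only carries traffic 08:00-16:59.
BASELINE_HOURS = range(8, 17)


def signature_alerts(ev):
    return [name for name, pattern, ports in SIGNATURES
            if (ports is None or ev.dport in ports) and pattern.search(ev.payload)]


def anomaly_alerts(ev):
    return [] if ev.ts.hour in BASELINE_HOURS else ["traffic-outside-baseline-hours"]


class Sensor:
    """mode='ids' only logs; mode='ips' logs and blocks."""

    def __init__(self, mode="ids"):
        if mode not in ("ids", "ips"):
            raise ValueError(mode)
        self.mode = mode
        self.log = []

    def process(self, ev):
        reasons = signature_alerts(ev) + anomaly_alerts(ev)
        if ev.malformed:
            reasons.append("malformed-packet")
        if not reasons:
            return "pass"
        for reason in reasons:
            self.log.append(f"{ev.ts.isoformat()} {ev.src}->{ev.dst}:{ev.dport} {reason}")
        # Every alert, true or false positive, becomes a block in IPS mode.
        return "drop" if self.mode == "ips" else "pass"


def demo_sensor():
    def at(hour):
        return datetime(2021, 2, 15, hour, 0)

    web = "10.0.0.80"
    events = [
        Event(at(10), "10.0.0.5", web, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
        Event(at(11), "198.51.100.7", web, 80,
              b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :; }; /bin/bash -c 'id'\r\n\r\n"),
        Event(at(14), "198.51.100.9", web, 80,
              b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n\r\n"),
        Event(at(3), "10.0.0.5", web, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),   # normal, but at 03:00
        Event(at(12), "10.0.0.6", web, 80, b"GET / HTTP/1.1\r\n\r\n", malformed=True),   # benign, broken framing
        Event(at(10), "10.0.0.9", "198.51.100.50", 4444, b"BEACON:deadbeef:ws-09\r\n"),   # outbound to a C2
    ]
    ids, ips = Sensor("ids"), Sensor("ips")
    ids_verdicts = [ids.process(e) for e in events]
    ips_verdicts = [ips.process(e) for e in events]
    return ids_verdicts, ips_verdicts, ids.log
```

The IDS passes everything and leaves five log lines for an analyst. The IPS blocks the three genuine attacks, but also the ordinary request that happened to arrive at 3 am and the benign request with broken framing: those last two are exactly the false positives that make an online seller think twice before switching from Log to Log/Drop.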

A further weakness that firewalls share with IDSs and IPSs is that they struggle with attacks from within and with social engineering. It is often said that the weakest link in the network is always the human. Many of the largest attacks on businesses have come either from an insider who wants to damage the system or the business, or from social engineering in the form of phishing emails or innocent-seeming phone calls. In 2014, Sony Pictures suffered an intrusion that wreaked havoc on its networks and caused substantial monetary and reputational damage; the attack was publicly attributed to North Korea, but a disgruntled insider was also suspected at the time (Schneier 2014). In the 2016 election cycle, the Democratic National Committee (DNC) was compromised, and a senior figure in the Clinton campaign was caught by a phishing email that asked him to reset his password (Biddle 2016). Users with computer access must receive extensive training. That helps prevent the easy attacks, but the most advanced attacks are almost impossible to recognise because of how carefully they are constructed; the advantage is always with the attacker, who has the time and the knowledge to put the attack together. In one case, a penetration tester was looking for a way to compromise a high-ranking vice president of a company who had a small internet footprint. The pentester searched the internet for any email address the VP had used and found that the VP had registered on a stamp-collecting forum with his company email account. The pentester then built a story and a website about his grandfather passing away and wanting to sell the stamps, emailed the VP the story with a link to the website, and the website quietly delivered malware that gave the pentester access (Hadnagy 2010).

The third weakness is that a firewall cannot make up for a poorly designed network, so care and thought must go into the network topology. Businesses that are expanding often fail to scale their networks properly for the larger number of devices and hosts. One way to design networks is the zero-trust model. Traditionally, traffic inside a network was considered trusted simply because it originated inside: when one host copied files from a server, that traffic never passed through a firewall or any other filter. With the growing threat of insiders stealing a company's intellectual property (IP), and of an attacker who compromises a single computer and moves on from it, traffic within the network needs filtering as well, and that is how the zero-trust model came to be. Forrester Research, working with NIST, helped develop the concept to defend against threats that the traditional network design cannot prevent (Covington 2015). The model relies on network segmentation and assumes all traffic on the network is untrusted. Least privilege and strict access control lists are what make it effective against the insider threat. It also means more firewall devices within the network itself: instead of traffic passing from one department to another unfiltered, departments are segmented so that any traffic leaving a department must pass through a firewall before it reaches its destination.
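A segmented, least-privilege policy of the kind just described, as an added example (not from the original post, and not any vendor's configuration syntax): hosts map to segments, an explicit allow list names which segment may reach which, on which port and for which role, and everything else is denied. The segment names, address ranges, roles and rules are constructed for the demonstration; the flat model is included only for contrast with the traditional "inside is trusted" design.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: every address range belongs to a named segment.
SEGMENTS = {
    "10.1.0.0/24": "hr-workstations",
    "10.2.0.0/24": "finance-workstations",
    "10.10.0.0/24": "hr-servers",
    "10.20.0.0/24": "finance-servers",
}


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    dport: int
    roles: frozenset   # identities allowed to use this path


# The entire allow list. Nothing else is permitted, including traffic between
# two "internal" segments that have no business talking to each other.
ZERO_TRUST_RULES = [
    Rule("hr-workstations", "hr-servers", 445, frozenset({"hr"})),
    Rule("finance-workstations", "finance-servers", 445, frozenset({"finance", "finance-analyst"})),
    Rule("finance-workstations", "finance-servers", 1433, frozenset({"finance-analyst"})),
]


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def flat_network_allows(src, dst, dport, role):
    """Perimeter-only model: anything inside may talk to anything inside."""
    return segment_of(src) is not None and segment_of(dst) is not None


def zero_trust_allows(src, dst, dport, role):
    """Segmented model: default deny, explicit allow per segment pair, port and role."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or dst_seg is None:
        return False   # unknown host: deny rather than guess
    return any(r.src_segment == src_seg and r.dst_segment == dst_seg
               and r.dport == dport and role in r.roles
               for r in ZERO_TRUST_RULES)


def demo_policy():
    cases = [
        ("10.1.0.15", "10.10.0.5", 445, "hr"),          # HR user to the HR file share
        ("10.1.0.15", "10.20.0.5", 445, "hr"),          # same host, compromised, moving to finance
        ("10.2.0.7", "10.20.0.5", 445, "finance"),      # finance user to the finance share
        ("10.2.0.7", "10.20.0.9", 1433, "finance"),     # finance user to a database only analysts need
        ("192.168.9.9", "10.20.0.5", 445, "finance"),   # host not in the inventory at all
    ]
    return ([flat_network_allows(*c) for c in cases],
            [zero_trust_allows(*c) for c in cases])
```

In the flat model the compromised HR workstation reaches the finance file server without a single check, which is the lateral movement the paragraph above warns about. In the segmented model the same request is denied, and so is a legitimate finance user reaching a database their role has no need for: least privilege applied to both hosts and identities.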

This paper has covered the basics of firewalls and explained many of their strengths and weaknesses, along with the best ways to overcome those weaknesses so that the network stays secure. The threats to networks are always evolving and adapting, so the solutions must evolve with them. The days of installing a simple firewall and calling it a day are long gone. 91% of companies report that the firewall is still a major part of their network (Chickowski 2016), but the same report acknowledges that 61% of businesses use other tools in addition to firewalls. Companies must now consider the most sophisticated external threats along with threats from inside their own networks. Couple that with the increasing use of cloud computing and it becomes evident that smarter tools are needed (Cidon 2015). The only way to mitigate these threats is to use all of the tools available, design the network intelligently, and educate the workforce.

References

Biddle, Sam. (December 2016). Here's the Public Evidence Russia Hacked the DNC – It Is Not Enough. Retrieved from https://theintercept.com/2016/12/14/heres-the-public-evidence-russia-hacked-the-dnc-its-not-enough/

Bortnik, Sebastian. (November 2013). Five Interesting Facts About the Morris Worm (for Its 25th Anniversary). Retrieved from http://www.welivesecurity.com/2013/11/06/five-interesting-facts-about-the-morris-worm-for-its-25th-anniversary/

Bouchard, Mark. (2007). Next Generation Firewalls: Restoring Effectiveness Through Application Visibility and Control. Retrieved from http://www.advantel.com/wp-content/uploads/2016/01/next-generation-firewalls.pdf

Chickowski, Ericka. (March 28, 2016). Like It Or Not, Firewalls Still Front And Center. Retrieved from http://www.darkreading.com/perimeter/like-it-or-not-firewalls-still-front-and-center/d/d-id/1324866

Cidon, Asaf. (June 10, 2015). Why the Firewall Is Increasingly Irrelevant. Retrieved from http://www.darkreading.com/endpoint/why-the-firewall-is-increasingly-irrelevant/a/d-id/1320800

Covington, Robert. (July 2015). Throw Out the Trust, and Verify Everything. Retrieved from http://www.computerworld.com/article/2944794/network-security/throw-out-the-trust-and-verify-everything.html

Dunn, John E. (January 13, 2015). Traditional Defences Not Stopping Breaches Claims Real-World FireEye Study. Retrieved from http://www.csoonline.com/article/2868054/data-protection/traditional-defences-not-stopping-breaches-claims-realworld-fireeye-study.html

Hadnagy, Christopher. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, Indiana: Wiley Publishing, Inc.

Laverty, Shea. (n.d.). The Disadvantages of a Firewall. Retrieved from http://smallbusiness.chron.com/disadvantages-firewall-62932.html

Pack, Scott. (November 2013). Difference Between IDS and IPS and Firewall [Msg 1]. Message posted to http://security.stackexchange.com/questions/44931/difference-between-ids-and-ips-and-firewall

Schneier, Bruce. (December 2014). Lessons from the Sony Hack. Retrieved from https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html
