Firewall. Firewalls. Methods of organizing protection

Section 5. Question 8. (53) Firewalls.

Firewall (ME, the abbreviation used in the guidance document and throughout these notes) - a local (single-component) or functionally distributed software (hardware and software) tool (complex) that implements control over information entering and/or leaving the AS (automated system). The ME protects the AS by filtering information, i.e. analyzing it according to a set of criteria and deciding, on the basis of given rules, whether it may be passed into (or out of) the AS, thereby delimiting the access of subjects of one AS to objects of another AS. Each rule prohibits or allows the transfer of information of a certain type between subjects and objects. As a consequence, subjects of one AS receive access only to permitted information objects of another AS. The set of rules is interpreted by a sequence of filters, each of which allows or denies the transmission of data (packets) to the next filter or protocol level.

(definition from RD ME)

Firewalls - complex software or hardware that allows you to control the quantity and quality of network packets passing through it at the appropriate level of security. The firewall analyzes network traffic based on a specific set of rules, according to which all data is filtered.

(a simplified definition for remembering, Habr)

Thus, the main task of the firewall (whatever name is used for it) is the protection of standalone hosts or shared computer networks from unauthorized third-party access, which could use data for its own purposes or cause irreparable harm to the network owner. That is why firewalls are also called filters: they do not pass data packets that fail the criteria specified in the configuration. Network traffic filtering can be performed at any layer of the OSI model, and information from different layers can serve as criteria: port numbers, contents of the data field, sender/recipient address.

State information technology control authorities define a firewall more specifically as one component of a broad information security system that includes a number of additional features to ensure its effective operation. The network owner is not obliged to purchase a firewall. Although the owner is fully responsible for the safety of confidential information, such protection systems are at present not widespread at the proper level in the Russian Federation. Ideally, one should be deployed in every internal network to monitor incoming/outgoing information flows around the clock. The information security monitoring system to some extent currently replaces additional network security tools, but this is not enough to qualify a personal security system as a set of high-level hardware.

(Habr)

For the curious, the problems of certification are well described at http://habrahabr.ru/post/246193/

The firewall (ME) performs the functions of delimiting information flows at the border of the protected automated system. This allows:

Increase the security of objects in the internal environment by ignoring unauthorized requests from the external environment;

Control information flows to the external environment;

Ensure registration of information exchange processes.

Information flows are controlled through information filtering, i.e. analyzing it on the basis of a set of criteria and deciding whether it may pass into or out of the AS.

Depending on the operating principles, there are several firewall classes. The main classification feature is the layer of the ISO/OSI model at which the ME operates.

1. Packet filters.

The simplest class of firewalls, operating at the network and transport layers of the ISO/OSI model. Packet filtering is usually carried out according to the following criteria:

Source IP address;

Recipient IP address;

Source port;

Recipient port;

Specific parameters of network packet headers.

Filtering is implemented by comparing the listed parameters of network packet headers with a base of filtering rules.

Packet filtering firewalls can also be software packages based on general purpose operating systems (such as Windows NT and Unix) or on hardware firewall platforms. The firewall has several interfaces, one for each of the networks to which the firewall is connected. Similar to application layer firewalls, the delivery of traffic from one network to another is determined by a set of policy rules. If a rule does not explicitly allow certain traffic, then the corresponding packets will be rejected or discarded by the firewall. Policy rules are enforced using packet filters. Filters examine packets and determine whether the traffic is allowed according to the policy rules and the protocol state (stateful checking). If the application protocol runs over TCP, determining the state is relatively simple, since TCP itself maintains state. This means that when a protocol is in a certain state, only certain packets are allowed to be transmitted.

Let's look at the connection setup sequence as an example. The first packet expected is the SYN packet. The firewall detects this packet and puts the connection into the SYN state. In this state, one of two packets is expected - either a SYN/ACK (acknowledgement of the SYN and acceptance of the connection) or an RST packet (connection reset because the recipient refused the connection). If other packets appear on this connection, the firewall will discard or reject them because they do not fit the current connection state, even if the connection is allowed by the rule set. If the connection protocol is UDP, the packet filtering firewall cannot use the inherent state of the protocol and instead tracks the state of the UDP traffic itself. Typically, the firewall receives an outgoing UDP packet and waits, for a certain time, for an incoming packet from the recipient that matches the original packet by address and port. If such a packet arrives within this period, it is allowed through. Otherwise, the firewall determines that the UDP traffic is not a response to the request and discards it. When a packet filtering firewall is used, connections are not terminated at the firewall but are routed directly to the end system. When packets arrive, the firewall determines whether the packet and the connection state are allowed by the policy rules. If so, the packet is sent along its route; otherwise the packet is rejected or dropped.

Packet filtering firewalls do not use access modules for each protocol and can therefore be used with any protocol running over IP. Some protocols require the firewall to recognize the actions they perform. For example, FTP uses one connection for the initial login and commands, and another for file transfers. Connections used to transfer files are established as part of an FTP connection, and therefore the firewall must be able to read the traffic and determine the ports that will be used by the new connection. If the firewall does not support this function, file transfer is not possible. Packet filtering firewalls can sustain more traffic because they do not carry the burden of additional configuration and computation that software access modules incur. Firewalls that operate only through packet filtering do not use access modules, and therefore traffic is sent directly from the client to the server. If the server is attacked through an open service allowed by the firewall policy rules, the firewall will not react to the attack. Packet filtering firewalls also leave the internal addressing structure visible from outside. There is no need to hide internal addresses, since connections are not interrupted by the firewall.

2. Session level gateways

These firewalls operate at the session level of the ISO/OSI model. Unlike packet filters, they can control the validity of a communication session by analyzing parameters of session-layer protocols. Therefore, session level gateways include filters that cannot be identified with either the network, transport, or application layers. Session level filters have several varieties depending on their functional features, but this classification is rather arbitrary, since their capabilities largely overlap. It should be remembered that firewalls include all or most types of session-layer gateways.

Control of SYN and ACK bits. A number of filters allow you to monitor the SYN and ACK bits in TCP packets. All of them are designed to combat SYN-flooding attacks (see sidebar “SYN-flooding attack”), but they use different approaches. The simplest filter prohibits the transmission of TCP packets with the SYN bit, but without the ACK bit, from the public network to computers on the internal network, unless the latter have been explicitly declared servers for the external network (or at least for a specific group of computers on the external network). Unfortunately, such a filter does not help with SYN-flooding attacks on machines that are servers for the external network, but located on the internal network.

For these purposes, specialized filters with a multi-stage connection establishment procedure are used. For example, the SYNDefender Gateway filter of Check Point's FireWall-1 works as follows. Suppose external computer Z is trying to establish a connection with internal server A through the firewall. The connection establishment procedure is shown in Figure 2. When the firewall receives a SYN packet from computer Z (step 1), this packet is forwarded to server A (step 2). In response, server A sends a SYN/ACK packet to computer Z, but the firewall intercepts it (step 3). Next, the ME forwards the received packet to computer Z; in addition, the ME, on behalf of computer Z, sends an ACK packet to server A (step 4). Because server A receives its ACK quickly, the server memory allocated for establishing new connections never fills up, and the SYN-flooding attack does not work.

What happens next depends on whether computer Z has actually initiated a connection with server A. If so, then computer Z will send an ACK packet to server A, which passes through the firewall (step 5a). Server A will ignore the second ACK packet. Then the firewall will freely pass packets between computers A and Z. If the firewall does not receive an ACK packet or the timeout for establishing a connection expires, it will send an RST packet to server A, canceling the connection (step 5b).
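The five-step SYNDefender Gateway exchange above, as an added simulation (not Check Point's code): the gateway object forwards the client's SYN, relays the server's SYN/ACK while acknowledging it on the client's behalf, and either lets the connection through when the client's real ACK arrives (step 5a) or resets it on the server when the handshake timeout expires (step 5b). The party names "Z", "A", "FW" and the timeout value are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str      # "Z" (external client), "A" (internal server) or "FW" (gateway)
    dst: str
    flags: str    # "SYN", "SYN/ACK", "ACK" or "RST"
    conn: tuple   # (client address, client port, server address, server port)


class SynDefenderGateway:
    """Simplified model of the relay described in the text (example code)."""

    HANDSHAKE_TIMEOUT = 10.0   # seconds to wait for the client's final ACK (assumed value)

    def __init__(self):
        self.pending = {}        # conn -> deadline by which the client's ACK must arrive
        self.established = set()

    def on_packet(self, seg: Segment, now: float) -> list:
        """Process one segment arriving at the gateway; return the segments it emits."""
        c = seg.conn
        if seg.src == "Z" and seg.flags == "SYN":
            # Steps 1/2: the client's SYN arrives and is forwarded unchanged to the server.
            self.pending[c] = now + self.HANDSHAKE_TIMEOUT
            return [Segment("FW", "A", "SYN", c)]
        if seg.src == "A" and seg.flags == "SYN/ACK" and c in self.pending:
            # Steps 3/4: intercept the server's SYN/ACK, relay it to the client and
            # immediately ACK the server on the client's behalf, so the server's
            # half-open connection memory is released without waiting for Z.
            return [Segment("FW", "Z", "SYN/ACK", c), Segment("FW", "A", "ACK", c)]
        if seg.src == "Z" and seg.flags == "ACK" and c in self.pending:
            # Step 5a: the client really wanted the connection; from now on the
            # gateway passes traffic in both directions without intervening.
            del self.pending[c]
            self.established.add(c)
            return [Segment("FW", "A", "ACK", c)]   # the server ignores this second ACK
        if c in self.established:
            return [Segment("FW", "A" if seg.src == "Z" else "Z", seg.flags, c)]
        return []   # anything else on an unknown or half-open connection is dropped

    def tick(self, now: float) -> list:
        """Step 5b: expire half-open handshakes and reset them on the server."""
        out = []
        for c, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[c]
                out.append(Segment("FW", "A", "RST", c))
        return out

    def state(self, conn: tuple) -> str:
        if conn in self.established:
            return "ESTABLISHED"
        if conn in self.pending:
            return "PENDING"
        return "NONE"
```

Note that the server never sees the difference between a genuine client and a flood source: in both cases it receives an ACK at step 4 and holds no half-open entry, and only the gateway keeps the pending table.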

Filters for monitoring the state of the communication channel.

Filters for monitoring the state of a communication channel often include network filters (network level) with advanced capabilities.

Dynamic filtering in network filters. Unlike standard static filtering in network filters, dynamic (stateful) filtering allows you to assign only one rule to each communication channel instead of several filtering rules. In this case, the dynamic filter itself monitors the sequence of data packet exchanges between the client and the server, including IP addresses, transport layer protocol, sender and recipient port numbers, and sometimes sequence numbers of packets. It is clear that such filtering requires additional RAM. The performance of a dynamic filter is somewhat inferior to a static filter.

Fragmented packet filter. When transmitted over networks with different MTUs, IP packets can be broken into separate fragments, and only the first fragment always contains the complete transport layer header, including the port numbers. Conventional network filters are unable to check fragments other than the first one and let them pass (if the criteria for IP addresses and the protocol used are met). Because of this, attackers can mount denial-of-service attacks by deliberately generating a large number of fragments and thereby tying up the recipient computer. The fragmented packet filter does not pass subsequent fragments if the first one failed the check.
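An added example (not from the original notes) that models the stateful checking described in the packet filter section together with the fragmented packet filter above: a static rule base decides which new TCP connections (bare SYN) and UDP requests may start, TCP connections then move through SYN, SYN/ACK and ESTABLISHED states with out-of-place packets dropped, UDP replies are accepted only within a timeout of the request, and non-first IP fragments inherit the verdict reached for the first fragment of the same datagram. The Packet and Rule classes, the addresses and the 30-second UDP timeout are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str                  # source IP
    dst: str                  # destination IP
    proto: str                # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    ip_id: int = 0            # IP identification, shared by all fragments of one datagram
    frag_offset: int = 0      # 0 for the first (or only) fragment
    more_fragments: bool = False


@dataclass
class Rule:
    """Static allow rule: protocol, source network, destination network, destination port."""
    proto: str
    src_net: str
    dst_net: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))


class StatefulFilter:
    UDP_TIMEOUT = 30.0   # seconds a UDP reply is awaited (assumed value)

    def __init__(self, rules):
        self.rules = rules
        self.tcp = {}     # 5-tuple as seen from the initiator -> connection state
        self.udp = {}     # 5-tuple of the request -> deadline for the reply
        self.frags = {}   # (src, dst, ip_id) -> verdict reached for the first fragment

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _static_allows(self, p):
        return any(r.matches(p) for r in self.rules)   # default deny if no rule matches

    def filter(self, p: Packet, now: float = 0.0) -> bool:
        """Return True if the packet may pass, False if it is dropped."""
        fkey = (p.src, p.dst, p.ip_id)
        if p.frag_offset > 0:
            # Later fragments carry no transport header: pass them only if the
            # first fragment of the same datagram was accepted.
            return self.frags.get(fkey, False)
        if p.proto == "tcp":
            verdict = self._tcp(p, now)
        elif p.proto == "udp":
            verdict = self._udp(p, now)
        else:
            verdict = False
        if p.more_fragments:
            self.frags[fkey] = verdict
        return verdict

    def _tcp(self, p, now):
        k, rk = self._key(p), self._rkey(p)
        if k in self.tcp:
            direction = "initiator"
        elif rk in self.tcp:
            direction, k = "responder", rk
        else:
            # A new connection may only begin with a bare SYN permitted by a static rule.
            if p.flags == {"SYN"} and self._static_allows(p):
                self.tcp[k] = "SYN"
                return True
            return False
        state = self.tcp[k]
        if "RST" in p.flags:                 # either side may abort the connection
            del self.tcp[k]
            return True
        if state == "SYN":                   # only the responder's SYN/ACK fits here
            if direction == "responder" and p.flags == {"SYN", "ACK"}:
                self.tcp[k] = "SYN_ACK"
                return True
            return False
        if state == "SYN_ACK":               # only the initiator's ACK completes the handshake
            if direction == "initiator" and "ACK" in p.flags and "SYN" not in p.flags:
                self.tcp[k] = "ESTABLISHED"
                return True
            return False
        return True                          # ESTABLISHED: both directions pass

    def _udp(self, p, now):
        k, rk = self._key(p), self._rkey(p)
        if rk in self.udp:                   # candidate reply to an outstanding request
            in_time = now <= self.udp.pop(rk)
            return in_time
        if self._static_allows(p):           # request permitted by the static rules
            self.udp[k] = now + self.UDP_TIMEOUT
            return True
        return False
```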

3. Application Gateways

Firewalls of this class allow you to filter certain types of commands or sets of data in application level protocols. For this purpose they use proxy services - special-purpose programs that manage traffic through the firewall for certain high-level protocols (http, ftp, telnet, etc.).

If, without proxy services, a network connection is established between the interacting parties A and B directly, then when a proxy service is used an intermediary appears - the proxy server, which independently interacts with the second participant in the information exchange. This scheme allows you to control the admissibility of individual high-level protocol commands, as well as to filter data received by the proxy server from outside; in this case the proxy server, based on the established policy, decides whether or not this data may be transferred to client A.

Application layer firewalls, or proxy firewalls, are software packages based on general-purpose operating systems (such as Windows NT and Unix) or on the firewall hardware platform.

In an application layer firewall, each allowed protocol must have its own access module. The best access modules are those built specifically for the protocol being handled. For example, the FTP access module targets the FTP protocol and can determine whether the passing traffic conforms to that protocol and whether that traffic is allowed by the security policy rules.

The firewall accepts the connection, analyzes the contents of the packet and the protocol used, and determines whether the traffic complies with the security policy rules. If there is a match, the firewall initiates a new connection between its external interface and the server system.

The firewall's access module accepts incoming connections and processes commands before sending traffic to the recipient, thereby protecting systems from application-based attacks.

Application layer firewalls contain access modules for the most commonly used protocols such as HTTP, SMTP, FTP and telnet. Some access modules may be missing, preventing a particular protocol from being used to communicate through the firewall.

4. Expert level firewalls.

The most complex firewalls, combining elements of all three of the above categories. Instead of proxy services, such screens use algorithms for recognizing and processing data at the application level. Most firewalls currently in use are classified as expert firewalls. The best known and most widespread MEs are CISCO PIX and CheckPoint FireWall-1. Manufacturers of application-level firewalls, owing to the rapid development of IT, concluded that a method was needed to support protocols for which there are no specific access modules. This is how Generic Services Proxy (GSP) access module technology appeared, designed to let application-level access modules support other protocols required by the security system and the work of network administrators. GSP enables application layer firewalls to function as packet filtering firewalls. Likewise, a variety of packet filtering firewalls already come with an SMTP access module. At present it is virtually impossible to find a firewall whose operation is built solely on the application layer or solely on packet filtering, since combining the two lets the administrators responsible for security configure the device for their specific conditions.

(source Answers from last year)

The main regulatory document on ME is the "Guidance document. Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (approved by the State Technical Commission on July 25, 1997).

According to it, ME is a local (single-component) or functionally distributed tool (complex) that implements control over information entering the AS and/or leaving the AS, and ensures protection of the AS by filtering information, i.e. its analysis according to a set of criteria and making a decision on its distribution to (from) the AS.

Five ME security classes are established.

Each class is characterized by a certain minimum set of requirements for information protection.

The lowest security class is the fifth, used for the safe interaction of class 1D AS with the external environment; the fourth is for class 1G; the third for class 1V; the second for class 1B; the highest is the first, used for the safe interaction of class 1A AS with the external environment.

The requirements for ME do not exclude the requirements for computer equipment (CT) and AS in accordance with the guidelines of the State Technical Commission of Russia “Computer equipment. Protection against unauthorized access to information. Indicators of security against unauthorized access to information” and “Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection.”

When an ME is included in an AS of a certain security class, the security class of the total AS obtained from the original one by adding an ME to it should not be reduced.

For AS of classes 3B and 2B, MEs of at least class 5 must be used.

For AS of classes 3A and 2A, depending on the importance of the information being processed, MEs of the following classes must be used:

When processing information classified as “secret” - no lower than class 3;

When processing information classified as “top secret” - no lower than class 2;

When processing information classified as “special importance” - no lower than class 1.

Firewall requirements

Security indicators, assessed for each of the five security classes:

    Access control (data filtering and address translation);

    Identification and authentication;

    Registration;

    Administration: identification and authentication;

    Administration: registration;

    Administration: ease of use;

    Integrity;

    Recovery;

    Testing;

    Security administrator guide;

    Test documentation;

    Design (project) documentation.

(source RD ME)

There are several types of firewalls depending on the following characteristics:

    whether the shield provides a connection between one node and a network or between two or more different networks;

    whether data flow control occurs at the network layer or higher levels of the OSI model;

    whether the states of active connections are monitored or not.

Depending on the coverage of controlled data flows, firewalls are divided into:

    traditional network (or firewall) - a program (or an integral part of the operating system) on a gateway (a device that transmits traffic between networks) or a hardware solution that controls incoming and outgoing data flows between connected networks (distributed network objects);

    personal firewall is a program installed on a user’s computer and designed to protect only this computer from unauthorized access.

Depending on the OSI level at which access control occurs, firewalls can operate on:

    network level, when filtering occurs based on the addresses of the sender and recipient of packets, port numbers of the transport layer of the OSI model and static rules specified by the administrator;

    session level (also known as stateful), when sessions between applications are monitored and packets that violate TCP/IP specifications are not passed; such packets are often used in malicious operations - resource scanning, hacking through incorrect TCP/IP implementations, dropped/slow connections, data injection;

    application level (or application layer), when filtering is performed based on analysis of the application data carried in the packet. These types of screens allow you to block the transmission of unwanted and potentially harmful information based on policies and settings.

Filtering at the network level

Filtering of incoming and outgoing packets is carried out based on the information contained in the following fields of the TCP and IP headers of the packets: sender IP address; Recipient IP address; sender port; recipient port.

Filtering can be implemented in a variety of ways to block connections to specific computers or ports. For example, you can block connections coming from specific addresses of those computers and networks that are considered untrusted.

Advantages:

    relatively low cost;

    flexibility in defining filtering rules;

    a slight delay in the passage of packets.

Flaws:

    does not collect fragmented packets;

    there is no way to track relationships (connections) between packets.

Session-level filtering

Depending on the monitoring of active connections, firewalls can be:

    stateless (simple filtering), which do not monitor current connections (for example, TCP), but filter the data stream solely based on static rules;

    stateful, stateful packet inspection (SPI) (context-aware filtering), monitoring current connections and passing only those packets that satisfy the logic and algorithms of the corresponding protocols and applications.

Firewalls with SPI make it possible to more effectively combat various types of DoS attacks and vulnerabilities of some network protocols. In addition, they ensure the functioning of protocols such as H.323, SIP, FTP, etc., which use complex data transfer schemes between recipients, difficult to describe by static rules, and often incompatible with standard, stateless firewalls.

The advantages of such filtration include:

    packet content analysis;

    no information about the operation of layer 7 protocols is required.

Flaws:

    it is difficult to analyze application level data (possibly using ALG - Application level gateway).

Application level gateway, ALG (application level gateway) is a component of a NAT router that understands an application protocol, and when packets of this protocol pass through it, it modifies them in such a way that users behind the NAT can use the protocol.

The ALG service provides support for application-level protocols (such as SIP, H.323, FTP, etc.) for which Network Address Translation is not allowed. This service determines the application type in packets coming from the internal network interface and accordingly performs address/port translation for them through the external interface.

SPI (Stateful Packet Inspection) technology or packet inspection technology taking into account the state of the protocol is today an advanced method of traffic control. This technology allows data control down to the application level without requiring a separate middleman or proxy application for each protected protocol or network service.

Historically, firewalls have evolved from general-purpose packet filters to protocol-specific middlewares to stateful inspection. Previous technologies only complemented each other, but did not provide comprehensive control over connections. Packet filters do not have access to the connection and application state information that is necessary for the security system to make a final decision. Middleware programs only process application-level data, which often creates various opportunities for hacking the system. The stateful inspection architecture is unique because it allows you to handle all possible information passing through the gateway machine: data from the packet, data about the state of the connection, data needed by the application.

An example of the Stateful Inspection mechanism. The firewall monitors the FTP session by examining data at the application level. When a client asks the server to open a reverse connection (FTP PORT command), the firewall extracts the port number from that request. The list stores client and server addresses and port numbers. When an attempt to establish an FTP-data connection is detected, the firewall scans the list and checks whether the connection is indeed a response to a valid client request. The connection list is maintained dynamically so that only the necessary FTP ports are open. As soon as the session is closed, the ports are blocked, providing a high level of security.

Fig. 2.12. An example of the Stateful Inspection mechanism working with the FTP protocol

Application level filtering

To protect against a number of vulnerabilities inherent in packet filtering, firewalls must use application programs to filter connections to services such as Telnet, HTTP, FTP. Such a program is called a proxy service, and the host on which the proxy service runs is called an application-level gateway. Such a gateway eliminates direct interaction between an authorized client and an external host. The gateway filters all incoming and outgoing packets at the application layer (the top layer of the network model) and can analyze data content, such as a URL contained in an HTTP message or a command contained in an FTP message. Sometimes it is more effective to filter packets based on information contained in the data itself. Packet filters and link-level filters do not use the contents of the information stream when making filtering decisions, but application-level filtering can do so. Application-level filters can use information from the packet header as well as data content and user information. Administrators can use application-level filtering to control access based on the user's identity and/or on the specific task the user is attempting to perform. In application-level filters, you can set rules based on the commands issued by the application. For example, an administrator can prevent a specific user from uploading files to a specific computer using FTP, or allow a user to host files via FTP on the same computer.
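An added example (not from the original notes) that combines the two FTP cases described above: the Stateful Inspection list of expected FTP-data connections built from PORT commands, and the application-level rule that forbids a given user a given command. The gateway parses each control-channel command, enforces a per-user command policy, records the client address/port announced in PORT so that exactly one server-initiated data connection to it may pass, rejects PORT requests naming an address other than the client's, and empties the list when the session ends. The class and method names, the policy format and the addresses are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# FTP PORT argument: four address bytes and two port bytes, port = p1 * 256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass
class FtpSession:
    client: str                                   # control connection initiator
    server: str
    user: str = ""
    expected_data: set = field(default_factory=set)   # (client ip, client port) awaiting FTP-data
    open_data: set = field(default_factory=set)       # data connections already admitted
    closed: bool = False


class FtpGateway:
    """Model of an FTP application gateway: per-user command policy plus the
    dynamic list of data connections the server may open (example code)."""

    def __init__(self, denied_commands):
        # policy: user name -> set of FTP commands that user may not issue
        self.denied = denied_commands
        self.sessions = {}   # (client, server) -> FtpSession

    def open_session(self, client, server):
        self.sessions[(client, server)] = FtpSession(client, server)

    def control_command(self, client, server, line):
        """Inspect one command on the control channel. Returns (allowed, reason)."""
        s = self.sessions[(client, server)]
        if s.closed:
            return False, "session closed"
        line = line.strip()
        parts = line.split(" ", 1)
        cmd = parts[0].upper()
        if cmd == "USER" and len(parts) == 2:
            s.user = parts[1]                     # later commands are judged against this user
        if cmd in self.denied.get(s.user, set()):
            return False, f"{cmd} not permitted for user {s.user!r}"
        m = PORT_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
            if addr != client:
                # The client may only ask for data connections back to itself.
                return False, "PORT address does not match the client"
            s.expected_data.add((addr, port))
        if cmd == "QUIT":
            # Session over: every port opened for FTP-data is closed again.
            s.closed = True
            s.expected_data.clear()
            s.open_data.clear()
        return True, "ok"

    def data_connection(self, src, sport, dst, dport):
        """Decide on a SYN from the server's FTP-data port (20) towards a client."""
        for s in self.sessions.values():
            if src == s.server and sport == 20 and (dst, dport) in s.expected_data:
                s.expected_data.remove((dst, dport))   # one connection per PORT command
                s.open_data.add((dst, dport))
                return True
        return False   # not the answer to any outstanding, valid client request
```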

The advantages of such filtration include:

    simple filtering rules;

    possibility of organizing a large number of inspections. Application-level protection allows for a large number of additional checks, which reduces the likelihood of hacking using holes in the software;

    ability to analyze application data.

Flaws:

    relatively low performance compared to packet filtering;

    the proxy must understand its protocol (it cannot be used with unknown protocols);

    As a rule, it runs under complex operating systems.

Firewall

A firewall is a means of filtering packet traffic coming from an external network into a given local network or computer. Let's consider the reasons for the appearance of firewalls and the tasks they perform. A modern data network consists of many remote high-performance devices interacting with each other over considerable distances. One of the largest data transmission networks is the Internet. It simultaneously serves millions of information sources and consumers around the world. The widespread development of this network allows it to be used not only by individuals, but also by large companies to unite their geographically dispersed devices into a single network. At the same time, shared access to common physical resources gives fraudsters, viruses and competitors the opportunity to harm end users: to steal, distort, plant or destroy stored information, violate the integrity of software and even disable the hardware of the end station. To prevent these unwanted impacts, unauthorized access must be prevented, and a firewall is often used for this. The very name (from the English "fire wall") reveals its purpose: it serves as a wall between the protected local network and the Internet or any other external network and holds off any threats. In addition to the above, a firewall can also perform other functions related to filtering traffic from/to any Internet resource.

The operating principle of Firewall is based on controlling traffic coming from outside. The following methods of monitoring traffic between the local and external networks can be selected:

1. Packet filtering - based on setting up a set of filters. Depending on whether the incoming packet satisfies the conditions specified in the filters, it is passed into the network or discarded.

2. Proxy server - an additional proxy server device is installed between the local and external networks, which serves as a "gate" through which all incoming and outgoing traffic must pass.

3. Stateful inspection - inspection of incoming traffic is one of the most advanced ways to implement a firewall. Inspection does not mean analyzing the entire packet, but only its key part, and comparing it with previously known values from the database of allowed resources. This method provides the highest firewall performance and the lowest delays.

A firewall can be implemented in hardware or software. The specific implementation depends on the size of the network, the volume of traffic and the required tasks. The most common type of firewall is software: a program running on the end PC or, for example, on an edge network device. In the case of a hardware implementation, the firewall is a separate network element, which usually has greater performance, but performs similar tasks.

Firewall allows you to configure filters that are responsible for passing traffic according to the following criteria:

1. IP address. As you know, any end device operating according to the IP protocol must have a unique address. By specifying a certain address or range, you can prohibit receiving packets from them, or, conversely, allow access only from these IP addresses.

2. Domain name. As you know, a website on the Internet, or rather its IP address, can be assigned an alphanumeric name, which is much easier to remember than a set of numbers. Thus, the filter can be configured to allow traffic only to/from one of the resources, or to deny access to it.

3. Port. We are talking about software ports, i.e. application access points to network services. So, for example, ftp uses port 21, and applications for viewing web pages use port 80. This allows you to deny access from unwanted services and network applications, or, conversely, allow access only to them.

4. Protocol. The firewall can be configured to allow data from only one protocol to pass through, or to deny access using it. Typically, the type of protocol can indicate the tasks it performs, the application it uses, and the set of security parameters. In this way, access can be configured to run only one specific application and prevent potentially dangerous access using all other protocols.

Listed above are only the main parameters that can be configured. Other network-specific filter settings may also apply, depending on the tasks performed on that network.

Thus, Firewall provides a comprehensive set of tasks to prevent unauthorized access, damage or theft of data, or other negative impacts that may affect the performance of the network. Typically, a firewall is used in conjunction with other security tools, such as antivirus software.

The number of incidents related to information security, according to leading analytical agencies, is constantly increasing. Experts responsible for information security note the increasing activity of external attackers, who use the latest developments in attack techniques to try to penetrate corporate networks and carry out their "dirty" deeds. They are not limited to stealing information or disabling network nodes: it is not uncommon for compromised networks to be used to launch new attacks. Therefore, protecting the perimeter of an information system is a mandatory element of an organization's information security system.

At the same time, in order to determine the composition of the perimeter protection components that provide the minimum (initial) level of information security, it is necessary to analyze the most common threats to the organization's information resources:

    network attacks aimed at making information resources unavailable (for example, web servers, email services, etc.) - DoS and DDoS attacks;

    compromise of information resources and escalation of privileges, both by insiders and by external attackers, whether to use the organization's resources or to cause damage;

    actions of malicious software code (viruses, network worms, Trojans, spyware, etc.);

    leakage of confidential information and theft of data, both over the network (e-mail, FTP, web, etc.) and through external media;

    various network attacks on applications.

To minimize information security threats, it is necessary to implement firewalls at different levels of the OSI model, as shown in the table.

Table. Firewalls and OSI Models

The operation of all firewalls is based on the use of information from different levels of the OSI model (table). The OSI model, developed by the International Organization for Standardization, defines seven layers at which computer systems interact with each other, from the level of the physical transmission medium to the level of application programs used for communications. In general, the higher the level of the OSI model at which a firewall filters packets, the higher the level of protection it provides.

The following methods of monitoring traffic between the local and external networks can be selected:
1. Packet filtering - based on setting up a set of filters. Depending on whether the incoming packet satisfies the conditions specified in the filters, it is passed into the network or discarded.
2. TCP connection translator - this class of routers accepts an authorized client's request for specific services and, after verifying that the requested session is valid, establishes a connection to the destination (external host). After this, the gateway copies packets in both directions without filtering them. As a rule, the destination is specified in advance, while there can be many sources. Using different ports, you can create a variety of connection configurations. This type of gateway allows you to create a TCP connection translator for any user-defined TCP-based service, control access to this service and collect statistics on its use.
3. Proxy server - an additional proxy server device is installed between the local and external networks, which serves as a "gate" through which all incoming and outgoing traffic must pass.
4. Stateful inspection - inspection of incoming traffic is one of the most advanced ways to implement a firewall. Inspection means analysing not the entire packet, but only a special key part of it, and comparing it with previously known values from the database of allowed resources. This method provides the highest firewall performance and the lowest delays.

The principle of operation of a firewall is based on controlling traffic coming from outside.

A firewall can be implemented in hardware or software. The specific implementation depends on the size of the network, the volume of traffic and the required tasks. The most common type of firewall is software. In this case, it is implemented in the form of a program running on the end PC or an edge network device, for example, a router. In the case of hardware implementation, a firewall is a separate network element, which usually has greater performance capabilities, but performs similar tasks.

The firewall allows you to configure filters that are responsible for passing traffic according to the following criteria:
1. IP address. As you know, any end device operating over the IP protocol must have a unique address. By specifying a certain address or a certain range, you can prohibit receiving packets from them, or, conversely, allow access only from these IP addresses.
2. Domain name. As you know, a website on the Internet, or rather its IP address, can be assigned an alphanumeric name, which is much easier to remember than a set of numbers. Thus, the filter can be configured to allow traffic only to/from one of the resources, or to deny access to it.
3. Port. We are talking about software ports, i.e. application access points to network services. For example, ftp uses port 21, and applications for viewing web pages use port 80. This allows you to deny access from unwanted services and network applications, or, conversely, allow access only to them.
4. Protocol. The firewall can be configured to allow data from only one protocol to pass through, or to deny access using it. Typically, the type of protocol can indicate the tasks performed by the application it uses and the set of security parameters. In this way, access can be configured to run only one specific application and prevent potentially dangerous access using all other protocols.

Listed above are only the main parameters that can be configured. Other network-specific filter settings may also apply, depending on the tasks performed on that network.

Thus, a firewall provides a comprehensive set of tasks to prevent unauthorized access, damage or theft of data, or other negative impacts that could affect the functionality of the network. Typically, a firewall is used in conjunction with other security tools, such as antivirus software.

Creating a filtering policy for firewalls
There are two main ways to create firewall rule sets: "inclusive" and "exclusive". An exclusive firewall allows all traffic to pass through, except traffic that matches a set of rules. An inclusive firewall does the exact opposite: it only allows traffic that matches the rules and blocks everything else.

An inclusive firewall provides a much greater degree of control over outgoing traffic. Therefore, an inclusive firewall is the best choice for systems that provide services on the Internet. It also controls the type of traffic generated outside and directed to your private network. Traffic that does not fall into the rules is blocked, and appropriate entries are made in the log. Inclusive firewalls are generally more secure than exclusive firewalls because they significantly reduce the risk of the firewall allowing unwanted traffic through.

Security can be further enhanced by using a "stateful firewall". Such a firewall stores information about open connections and only allows traffic through open connections or the opening of new connections. The disadvantage of a stateful firewall is that it can be vulnerable to Denial of Service (DoS) attacks if many new connections are opened very quickly. Most firewalls allow a combination of stateful and stateless behavior, allowing you to create the optimal configuration for each specific system.

As an example, consider creating filter rules in a simple packet filter. There are several possible options when filtering packets. The simplest is address filtering; it consists of comparing the addresses in the packet with the addresses specified in the rules. If the addresses match, the packet is passed. This comparison is made as follows:

Consider the following rule: all hosts on the 10.1.x.x network can communicate with hosts on the 10.2.x.x network. This rule is written as follows:

10.1.0.0 & 255.255.0.0 — 10.2.0.0 & 255.255.0.0
        Source                 Destination

Now let's apply the rule to a packet sent from host 10.1.1.2 to host 10.3.7.7. We apply the mask to both addresses - the address in the rule and the address in the packet - and then check whether the masked source and destination addresses are the same. As a result we have:

For source address:

10.1.0.0 & 255.255.0.0 = 10.1.0.0 (for rule)
10.1.1.2 & 255.255.0.0 = 10.1.0.0 (for packet)

After applying the mask, both addresses match. Let's now check the destination address:

10.2.0.0 & 255.255.0.0 = 10.2.0.0 (for rule)
10.3.7.7 & 255.255.0.0 = 10.3.0.0 (for packet)

Since the destination addresses of the packet and the rule do not match after applying the mask, this rule should not be applied to this packet.

This operation is performed over the entire list of source and destination addresses and masks until the end of the list is reached or until the packet matches one of the rules. The list of rules has the following format:

10.1.1.2 & 255.255.255.255 — 10.2.0.0 & 255.255.0.0
10.3.3.2 & 255.255.255.255 — 10.1.2.1 & 255.255.255.255
10.1.1.0 & 255.0.0.0 — 10.2.3.0 & 255.255.255.0
10.1.0.0 & 255.255.0.0 — 10.2.0.0 & 255.255.0.0

In addition to the source and destination addresses, each IP packet contains information about the protocol and service used. It can be used as an additional filtering parameter.

For example, services in the TCP protocol are always associated with a port. As a result, you can match the list of ports with addresses.

Let's use two well-known services as an example - POP3 and HTTP. POP3 uses port 110 and HTTP uses port 80. Therefore, we can add these ports to the rule description. As a result we get:

10.1.0.0 & 255.255.0.0 — 10.2.0.0 & 255.255.0.0 TCP 80 110
        Source                 Destination         Protocol  Ports

This rule allows every packet traveling from network 10.1.x.x to network 10.2.x.x that uses HTTP and POP3 services to pass through the firewall.

First, the addresses from the rule are compared with the packet addresses. If, after applying the mask, both addresses match, the protocol and destination port in the packet will be compared with the protocol and list of ports described in the rule. If the protocol matches and the port in the rule is the same as the port of the packet, then the packet satisfies the rule. Otherwise, the search will continue in the list of rules.

Given this new information, the ruleset will have the following format:

10.1.1.2 & 255.255.255.255 — 10.2.0.0 & 255.255.0.0 UDP 53
10.3.3.2 & 255.255.255.255 — 10.1.2.1 & 255.255.255.255 TCP 80
10.1.1.0 & 255.0.0.0 — 10.2.3.0 & 255.255.255.0 TCP 21 20 113
10.1.0.0 & 255.255.0.0 — 10.2.0.0 & 255.255.0.0 ICMP 0 8

In addition to these basic filtering parameters, you can add several more. One of them is the source network interface. Using the network interface name as a filtering parameter, you can allow packets with specific addresses to pass through only from a given interface.

The purpose of this procedure is to block an attack known as IP spoofing, the essence of which is that a packet with a fake source address (from the internal network) is sent to the internal network. By using the network interface name as a parameter, this type of attack can be easily blocked. For example, if the internal network communicates with the firewall through the de0 interface, then you only need to set the rules that packets with a source address from the internal network should be accepted only if they came from this interface; in all other cases they will be discarded.
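The matching procedure described above (mask both addresses, then compare protocol and port), the interface check against spoofed internal source addresses, and the inclusive/exclusive default decision, in working code. This is an added example, not code from the original text; the Rule and Packet structures and the iface field are assumptions, and the packets are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

def masked(addr: str, mask: str) -> str:
    """Apply a netmask to a dotted-quad address: 10.1.1.2 & 255.255.0.0 -> 10.1.0.0."""
    return str(IPv4Address(int(IPv4Address(addr)) & int(IPv4Address(mask))))

@dataclass
class Rule:
    src: str; src_mask: str; dst: str; dst_mask: str
    proto: Optional[str] = None                      # "TCP"/"UDP"/"ICMP"; None = any
    ports: List[int] = field(default_factory=list)   # dst ports (ICMP types); empty = any
    iface: Optional[str] = None                      # inbound interface (assumed field); None = any

@dataclass
class Packet:
    src: str; dst: str; proto: str; dport: int; iface: str

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Step 1: mask both the rule address and the packet address, then compare
    if masked(rule.src, rule.src_mask) != masked(pkt.src, rule.src_mask):
        return False
    if masked(rule.dst, rule.dst_mask) != masked(pkt.dst, rule.dst_mask):
        return False
    # Step 2: protocol and destination port against the rule's list (when the rule restricts them)
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.ports and pkt.dport not in rule.ports:
        return False
    # Step 3: anti-spoofing - a rule pinned to an interface only matches packets arriving on it
    return rule.iface is None or rule.iface == pkt.iface

def filter_packet(rules: List[Rule], pkt: Packet, inclusive: bool = True) -> str:
    """First matching rule decides.  Inclusive: rules allow, everything else is dropped.
    Exclusive: rules deny, everything else passes."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "PASS" if inclusive else "DROP"
    return "DROP" if inclusive else "PASS"

# The final rule set from the text, with the ICMP rule pinned to interface de0: a packet claiming
# a 10.1.x.x source that arrives on any other interface is dropped as spoofed.  Note the 255.0.0.0
# mask in the third rule: it makes the source part match every 10.x.x.x host, not only 10.1.1.x.
RULES = [
    Rule("10.1.1.2", "255.255.255.255", "10.2.0.0", "255.255.0.0", "UDP", [53]),
    Rule("10.3.3.2", "255.255.255.255", "10.1.2.1", "255.255.255.255", "TCP", [80]),
    Rule("10.1.1.0", "255.0.0.0", "10.2.3.0", "255.255.255.0", "TCP", [21, 20, 113]),
    Rule("10.1.0.0", "255.255.0.0", "10.2.0.0", "255.255.0.0", "ICMP", [0, 8], iface="de0"),
]

if __name__ == "__main__":
    # constructed packet: claims an internal 10.1.x.x source but arrives on de1, not de0
    print(filter_packet(RULES, Packet("10.1.5.5", "10.2.9.9", "ICMP", 8, "de1")))  # DROP
```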

06.04.2012 17:16

A firewall is a tool that performs a set of tasks to prevent unauthorized access, damage or theft of data, or other negative impacts that may affect the performance of the network.

A firewall (from the English Firewall), also known as a firewall on the gateway, allows you to provide secure user access to the Internet while protecting remote connections to internal resources. The firewall looks through all the traffic passing between network segments and, for each packet, makes a decision - to pass or not to pass. A flexible system of firewall rules allows you to deny or allow connections based on numerous parameters: addresses, networks, protocols and ports.

Methods for monitoring traffic between local and external networks

Packet filtering. Depending on whether the incoming packet satisfies the conditions specified in the filters, it is passed into the network or discarded.

Stateful inspection. In this case, incoming traffic is inspected - one of the most advanced methods of implementing a firewall. Inspection does not mean analysing the entire packet, but only a special key part of it and comparing it with previously known values from the database of allowed resources. This method provides the highest firewall performance and the lowest delays.

Proxy server. In this case, an additional proxy server device is installed between the local and external networks, which serves as a “gate” through which all incoming and outgoing traffic must pass.

A firewall allows you to configure filters that pass traffic based on:

IP address. By setting a certain address or a certain range, you can prohibit receiving packets from them, or, conversely, allow access only from these IP addresses.

Port. The firewall can configure application access points to network services. For example, ftp uses port 21, and web browsing applications use port 80.

Protocol. The firewall can be configured to allow data from only one protocol to pass through, or to deny access using it. Most often, the type of protocol can indicate the tasks performed, the application it uses, and the set of security parameters. In this regard, access can be configured only to operate one specific application and prevent potentially dangerous access using all other protocols.

Domain name. In this case, the filter denies or allows connections to specific resources. This allows you to deny access from unwanted services and network applications, or, conversely, allow access only to them.

Other parameters for filters specific to this particular network may be used for configuration, depending on the tasks performed in it.

Most often, a firewall is used in conjunction with other security tools, for example, antivirus software.

How a firewall works

A firewall can be implemented:

In hardware. In this case, the router, which is located between the computer and the Internet, acts as a hardware firewall. Several PCs can be connected to the firewall, and all of them will be protected by the firewall that is part of the router.

In software. The most common type of firewall: specialized software that the user installs on his PC.

Even if a router with a built-in firewall is connected, an additional software firewall can be installed on each computer individually. In this case, it will be more difficult for an attacker to penetrate the system.

Official documents

In 1997, the Guiding Document of the State Technical Commission under the President of the Russian Federation "Computer technology. Firewalls. Protection from unauthorized access to information. Indicators of security from unauthorized access to information" was adopted. This document establishes five firewall security classes, each of which is characterized by a certain minimum set of requirements for information protection.

In 1998, another document was developed: “Temporary requirements for firewall-type devices.” According to this document, 5 firewall security classes are established, which are used to protect information in automated systems containing cryptographic tools.

Since 2011, legislative requirements for firewall certification have been in force. Thus, if personal data is processed on an enterprise network, it is necessary to install a firewall certified by the Federal Service for Technical and Export Control (FSTEC).
