Firewalls: Security Risks

What is a Firewall?

Every component of the network puzzle has vulnerabilities that pose a security risk. In this post, I will talk about the issues firewalls pose. Firewalls are designed to keep risks out of the network, but if they are misconfigured they can cause a big problem and essentially render themselves nonfunctional.

A firewall is a component of the network puzzle, used in the hope of creating more security. A firewall works by monitoring all incoming and outgoing data on the network and allowing only specific pieces of data through, based on a set of rules. Each rule either allows or denies, and rules can be specific or broad. Firewalls create a barrier between the network and the rest of the world to prevent malicious data from entering (source). There are five types of firewalls: packet filtering firewalls, circuit level gateways, application level gateways (proxy firewalls), stateful inspection firewalls, and next generation firewalls (NGFWs) (source).

Packet Filtering Firewalls

Packet filtering firewalls work at the network layer. They apply a set of predetermined rules to every packet and, based on those rules, allow the packet through or reject it. They work very quickly and without the user noticing, alerting only when data is rejected. However, packet filtering keeps no record of past connections or intrusion attempts. It tests every packet in isolation, which makes it easier for attackers to get traffic past it.

Circuit Level Gateway

Circuit level gateways work by establishing two TCP connections, one with the inner host and one with the outer host. They do not check the internal data of each packet. Instead, they keep a table of which connections carry the information needed to let packets pass. When a connection ends, the firewall removes its entry from the table (source and source).

Application Level Gateway

Application level gateways are the only entry and exit point of a network. An application level gateway not only checks the destination of data and filters on that, but also on things such as the HTTP request string. Unlike most firewalls, application level gateways check the actual information within the data passing through. They are also very precise in their function, in the sense that an application level gateway can allow a user onto a specific website but only let them access certain aspects of that website and certain pages. However, they cost more than most firewalls and can slow network performance (source).

Stateful Inspection Firewall

Stateful inspection firewalls monitor not only incoming traffic and potential risks to the network, but also active connections. A stateful firewall collects and stores information about previous connections. This data is used to form profiles of what the firewall believes a safe connection looks like, so if incoming data doesn’t match these profiles, the data is rejected. These firewalls can also have encryption integrated into them, blocking people with malicious intent from accessing it (source).
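To make the difference between the packet filtering firewall described above and a stateful inspection firewall concrete, here is an added example (not from the original post or from any firewall vendor): a toy Python model of both. The packets, the rule format, the `10.0.0.` inside prefix and the addresses are all constructed for illustration. The stateless filter judges every packet alone, so to let inside hosts receive web replies it needs a rule admitting any packet that comes from port 80; the stateful version instead remembers connections that inside hosts started and admits only their replies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    """One allow/deny rule. Address patterns: "*" = any, a value ending in "."
    (e.g. "10.0.0.") matches as a prefix, anything else must match exactly.
    This rule format is our own, not any product's."""
    action: str                   # "allow" or "deny"
    src: str = "*"
    sport: Optional[int] = None
    dst: str = "*"
    dport: Optional[int] = None

    @staticmethod
    def _addr(pattern: str, addr: str) -> bool:
        if pattern == "*":
            return True
        if pattern.endswith("."):
            return addr.startswith(pattern)
        return pattern == addr

    def matches(self, p: Packet) -> bool:
        return (self._addr(self.src, p.src) and self._addr(self.dst, p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless packet filter: first matching rule wins, and a packet that
    matches no rule is denied (default deny). Nothing is remembered."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Applies the same rules, but also keeps a connection table of flows
    that inside hosts opened, and lets the replies to those flows back in."""

    def __init__(self, rules: List[Rule], inside_prefix: str):
        self.rules = rules
        self.inside = inside_prefix
        # (inside ip, inside port, outside ip, outside port) of open connections
        self.table: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        outbound = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if reply in self.table or outbound in self.table:
            return "allow"  # part of a connection we watched being opened
        verdict = packet_filter(self.rules, p)
        if verdict == "allow" and p.syn and p.src.startswith(self.inside):
            self.table.add(outbound)  # remember the new outbound connection
        return verdict


INSIDE = "10.0.0."  # constructed inside network prefix

# Stateless rules must open a hole for replies: anything from port 80 gets in.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, dport=80),   # inside hosts may browse
    Rule("allow", sport=80, dst=INSIDE),   # ...and receive web replies
]
# The stateful firewall needs no reply rule; the connection table handles it.
STATEFUL_RULES = [Rule("allow", src=INSIDE, dport=80)]


def demo() -> Dict[str, Tuple[str, str]]:
    """Returns {packet name: (stateless verdict, stateful verdict)} for
    three constructed packets, fed through in order."""
    traffic = [
        ("legit_out", Packet("10.0.0.7", 51000, "198.51.100.10", 80, syn=True)),
        ("legit_reply", Packet("198.51.100.10", 80, "10.0.0.7", 51000)),
        # Unsolicited packet that merely claims source port 80; nobody inside
        # opened a connection to it.
        ("unsolicited", Packet("203.0.113.5", 80, "10.0.0.7", 4444)),
    ]
    fw = StatefulFirewall(STATEFUL_RULES, INSIDE)
    return {name: (packet_filter(STATELESS_RULES, p), fw.filter(p))
            for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12s} stateless={stateless:5s} stateful={stateful}")
```

The first two packets pass both firewalls. The third, which nobody inside asked for, is allowed by the stateless rules because it matches the reply rule, but denied by the stateful firewall because its connection table has no entry for it; that is exactly the "past connections" knowledge the packet filter lacks.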

Next Generation Firewalls (NGFWs)

According to Gartner, NGFWs are “deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” They are not, though they can be confused with, “a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated” (source). NGFWs can block advanced malware and application-layer attacks. They can filter data by application and use signature matching or whitelists to distinguish safe applications from malicious ones. NGFWs are able to detect APTs, which is a big difference between them and other firewalls. NGFWs can be a good low-cost option for a company to increase its security (source).

Risks

  • Bad passwords
  • Outdated software
  • Weak restrictions

– These risks are really the fault of the user. If the user creates a bad password, it poses a risk to the firewall; the same goes for outdated software and weak restrictions. If the user does not allow the firewall to be updated regularly to fix vulnerabilities found by developers, risks that have already been found and patched can still be exploited (source).

  • Attacks from the inside

– If a user is trusted with access past the firewall, they can start an attack from inside the system. This essentially renders the firewall useless (source).

  • Lack of Deep Packet Inspection

– Deep packet inspection (Layer 7) is a strong inspection mode used by NGFWs. It examines the contents of data packets passing through the firewall. Older firewalls, on the other hand, might not examine packet contents at all; most inspect just where the data came from and where it is going. Attackers can easily manipulate their data to pass that kind of inspection, which makes it not useless, but not as good as it could be (source).

  • You can bypass the firewall

– Individual users can bypass the firewall. Say you have a firewall on one connection, but you also have a phone that uses a different connection. There is no protection on that second connection, so a user can go around the firewall by switching to it, rendering the firewall useless (source).

Solutions

Bad Password

A bad password is an issue that is fairly difficult to solve. If the password is too simple, that’s a big security risk because someone can just guess it. If you make people create passwords like XGvB-E395-Epd!9, that’s not something anyone can memorize, and users will complain. One thing I have found in my own experience is that password requirements, like at least 1 capital letter, 1 special character, 1 number, etc., are useful because they increase security while keeping the difficulty of memorizing manageable. It’s also possible that there’s a way to store your passwords on a server private to you, almost like what Apple does with the iCloud keychain.

Outdated Software

Outdated software poses a big risk to security. If developers release an update to fix a previously discovered security issue and the user doesn’t install it, the software can be hacked through a bug that wouldn’t be an issue anymore if it were updated. There’s already mostly a system in place to fix this, and that’s auto-updating. The only issue with auto-updating is that some computers might not support the new update. To fix this, I think it might be possible to separate updates into two categories: performance-enhancing and security. I don’t think performance is as much of an issue as security, so I wonder if it would be possible to install security updates automatically and manually install any performance enhancement that wouldn’t be supported by someone’s software.

Weak Restrictions

Weak restrictions pose a security risk because, as the name says, there’s quite literally no security there. There’s not really a way to fix this as far as I can tell, because what people want entering or leaving their network is subjective. I think you could require that all firewalls have a specific set of rules just to ensure that they’re actually doing something. Or maybe, when a person gets a firewall, impose a strict set of rules and teach the user how to remove individual ones as they need to allow or deny something.

Inside Attacks

Inside attacks are attacks that come from inside the network after a user has already passed the firewall, essentially rendering the firewall useless. To help mitigate these attacks, data can be protected by firewalls inside the system. So, if you have a lot of data in one spot, you can put firewalls around that data to slow or stop the attack. Also, having alerts when data is accessed could be helpful, so you can monitor whether any malicious activity is going on.

Lack of Deep Packet Inspection

As I mentioned before, a lack of deep packet inspection means the actual information within the data is never checked. Firewalls other than NGFWs often don’t check the inside information but rather just the point of origin and the destination, which can be easily faked. So, to fix this, all existing firewalls should be upgraded to include deep packet inspection, and all firewalls installed in the future should include it too.
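Here is an added example (not from the original post or any firewall product) of what deep packet inspection adds over origin-and-destination checks, illustrating both the risk item earlier and this fix. In Python, a header-only check admits anything addressed to port 80, while the deep inspection function reads the payload: it requires a well-formed HTTP request line, restricts the request method, and matches a signature list. The request payloads, the allowed-method set and the single signature are all assumptions constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Request line of an HTTP/1.x request, e.g. b"GET /index.html HTTP/1.1\r\n".
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")

# Assumed policy for this example: plain web browsing methods only.
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}

# Constructed signatures. A real inspection engine carries thousands of
# these; one classic pattern is enough to show the mechanism.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./"),
}


def header_only(dst_port: int) -> str:
    """What an older firewall sees: only where the packet is going."""
    return "allow" if dst_port == 80 else "deny"


def deep_inspect(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Deep packet inspection: look inside the payload as well.
    Returns (verdict, reason)."""
    if header_only(dst_port) == "deny":
        return "deny", "port not allowed"
    m = REQUEST_LINE.match(payload)
    if m is None:
        # Something other than HTTP is being pushed through the web port.
        return "deny", "not HTTP on port 80"
    method = m["method"]
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method.decode()} not allowed"
    for name, sig in SIGNATURES.items():
        if sig.search(payload):
            return "deny", f"signature {name}"
    return "allow", "ok"


def demo() -> Dict[str, Tuple[str, Tuple[str, str]]]:
    """Returns {name: (header-only verdict, deep inspection verdict)} for
    constructed payloads that are all addressed to port 80."""
    samples = {
        "normal": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "not_http": b"SSH-2.0-OpenSSH_9.0\r\n",
        "tunnel": b"CONNECT example.net:443 HTTP/1.1\r\n\r\n",
        "traversal": b"GET /static/../../private/config HTTP/1.1\r\nHost: example.com\r\n\r\n",
    }
    return {name: (header_only(80), deep_inspect(80, payload))
            for name, payload in samples.items()}


if __name__ == "__main__":
    for name, (plain, deep) in demo().items():
        print(f"{name:10s} header-only={plain:5s} deep={deep}")
```

All four payloads look identical to the header-only check, since each is simply "traffic to port 80". Only the inspection that reads the contents can tell the ordinary request apart from non-HTTP data on the web port, a disallowed method, and a request carrying a known-bad pattern.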

Bypassing a Firewall Entirely

Firewalls only work if the data passes through the connection the firewall is on. Obviously. So, if there are ways for devices to access the internet without passing through that specific connection, the firewall becomes useless. As a solution, when a user installs a firewall they should be notified that it would be a good idea to put firewalls on all of their incoming and outgoing connections. And if they choose to opt in, someone could help them install all of those firewalls. Of course, if they don’t want to, I’m not sure there’s any way to fix that. But with someone helping them through the process, I think it would be plausible.
