
Section 6.3 Network Solutions

Many products are available for handling network traffic. They are typically marketed as stand-alone devices, as software to install on internal hosts, or as a subscription service that routes traffic through an external appliance. In the age of cloud computing, network security as a service is becoming increasingly popular.

Subsection 6.3.1 Firewall

A firewall is a service, a piece of software, or a device that blocks unwanted traffic and permits wanted traffic. Typically a firewall is a barrier between a private network and the Internet.
Software like nftables (wiki.nftables.org/wiki-nftables/index.php/Main_Page) can be used to build a firewall on a Linux router for many interior clients. Interior clients may also run host-based firewalls such as Windows Defender Firewall (docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). Finally, hardware firewall appliances are available from many vendors including Palo Alto Networks and Cisco. Any combination of these solutions may be used.
Firewalls typically employ rules stating which packets may come in and how to handle them. For example, a firewall may have a rule to ALLOW packets from exterior hosts connecting to port 22, which permits inbound SSH connections; packets matched by no rule are handled by a default policy, which on an Internet-facing interface should be to drop. Likewise a firewall may track internal-to-external connection requests so that the replies to those connections are let back in even though no rule names the reply port, and it may perform network address translation (NAT). On an IPv4 network it is common for the firewall to also perform NAT, hiding many internal addresses behind one public address.
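The following is an added illustration written for this page, not nftables or any vendor's code: a small model of a stateful packet filter with source NAT that applies exactly the rules described above (allow inbound SSH, allow replies to connections opened from inside, drop everything else from outside, masquerade outbound traffic). The addresses, port numbers and packets are constructed for the example using RFC 5737 test ranges; the public address, LAN prefix and NAT port base are assumptions.

```python
"""Added model of a stateful packet filter with source NAT, written for
this page to illustrate the rules described above; it is not nftables
or any vendor's code. Addresses are constructed (RFC 5737 test ranges)."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"      # assumed WAN address of the firewall/router
LAN_PREFIX = "192.168.1."      # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True only for the first packet of a TCP connection


class Firewall:
    """First-match filter with a connection-tracking table and masquerading."""

    def __init__(self, nat_port_base=40000):
        self.conntrack = set()   # flows opened from the LAN: (src, sport, dst, dport)
        self.nat_out = {}        # (private ip, private port) -> translated public port
        self.nat_in = {}         # translated public port -> (private ip, private port)
        self.next_port = nat_port_base   # assumed start of the masquerade port range

    def outbound(self, p):
        """LAN -> Internet: record the flow, then rewrite the source (SNAT)."""
        if not p.src.startswith(LAN_PREFIX):
            return p, "DROP spoofed"         # the LAN side must not emit foreign sources
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        key = (p.src, p.sport)
        if key not in self.nat_out:          # reuse the translation for a known flow
            self.nat_out[key] = self.next_port
            self.nat_in[self.next_port] = key
            self.next_port += 1
        return replace(p, src=PUBLIC_IP, sport=self.nat_out[key]), "ACCEPT"

    def inbound(self, p):
        """Internet -> LAN: undo NAT if the packet hits a translated port,
        then evaluate the filter rules top to bottom on the real destination."""
        if p.dst == PUBLIC_IP and p.dport in self.nat_in:
            priv_ip, priv_port = self.nat_in[p.dport]
            p = replace(p, dst=priv_ip, dport=priv_port)
        # Rule 1: replies to connections opened from inside (ct state established).
        if (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return p, "ACCEPT established"
        # Rule 2: the explicit ALLOW for SSH from the text (tcp dport 22).
        if p.proto == "tcp" and p.dport == 22 and p.syn:
            return p, "ACCEPT ssh"
        # Default policy: anything not matched above is dropped.
        return p, "DROP"


def run_demo():
    """Walk a handful of constructed packets through the firewall; return verdicts."""
    fw = Firewall()
    attacker, server, lan_host = "198.51.100.7", "198.51.100.20", "192.168.1.10"
    results = {}
    # Unsolicited SYN to port 22 from outside: matched by the SSH rule.
    _, results["ssh"] = fw.inbound(Packet(attacker, 51000, PUBLIC_IP, 22, syn=True))
    # Unsolicited SYN to a database port: no rule, so the default policy applies.
    _, results["db"] = fw.inbound(Packet(attacker, 51001, PUBLIC_IP, 5432, syn=True))
    # A LAN host opens an HTTPS connection; it leaves masqueraded behind PUBLIC_IP.
    out, _ = fw.outbound(Packet(lan_host, 50000, server, 443, syn=True))
    results["nat_src"] = (out.src, out.sport)
    # The server's reply targets the translated port. NAT restores the private
    # destination and conntrack accepts it although no rule mentions port 50000.
    back, results["reply"] = fw.inbound(Packet(server, 443, out.src, out.sport))
    results["reply_dst"] = (back.dst, back.dport)
    # A packet on the LAN side that claims a non-LAN source is not translated.
    _, results["spoof"] = fw.outbound(Packet(attacker, 1, server, 80))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10} {verdict}")
```

The order of the checks matters: the established-connection rule runs before the SSH rule and before the default policy, which is how a real stateful rule set is written (accept established/related first, then explicit allows, then drop). Swapping the default drop to the top would silently break every outbound connection's replies.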
Next-Generation Firewalls (NGFW) perform the same functions as a standard firewall but also employ an integrated intrusion prevention system (IPS) to mitigate threats. The firewall is a natural place to perform these actions as it can easily close connections. NGFWs often tout artificial-intelligence threat monitoring and automatic threat intelligence updates (typically updated attack signatures). An NGFW can also be built on a Linux device by running an IPS such as Snort (www.snort.org/) in conjunction with a netfilter firewall.
Network infrastructure may also make use of a separate network segment called the demilitarized zone (DMZ). Servers that need to be reachable directly from the Internet are often put in the DMZ so that they are not subject to the restrictive inbound rules protecting the internal network; the firewall still separates the DMZ from the internal network, so a compromised DMZ host does not get direct access to internal systems. These servers may be used to detect malicious activity, monitor incoming traffic, or handle basic requests such as serving static web pages.
The largest firewall in the world is China's Great Firewall, begun in 1998 as a way to prevent outside influence in China. It is a system used to block IPs, hijack DNS queries, throttle traffic, and perform MitM decryption. The Great Firewall is made of proxies and firewalls performing packet inspection and content filtering. VPNs are often employed within China to circumvent the Great Firewall, and the Great Firewall is continually updated to detect and shut down that traffic.

Subsection 6.3.2 Proxy

Diagram illustrating the operational flow of a TLS decrypting proxy between a user and a server.
The diagram, titled "TLS Decrypting Proxy," depicts three components in a row: a "User" on the left, a "Proxy" in the center, and a "Server" on the right.
Bidirectional arrows labeled "encrypted traffic" connect the "User" to the "Proxy," and the "Proxy" to the "Server." This signifies that data exchanged between the user and proxy, and between the proxy and server, is encrypted.
Above the "Proxy" component, a circular flow of actions is illustrated with arrows: Traffic arriving at the proxy is first "Decrypt(ed)," then "Inspect(ed)," and finally "Re-encrypt(ed)" before being sent onwards. This cycle highlights the proxy’s capability to intercept, examine, and then re-secure TLS traffic.
Figure 6.3.1. TLS Decrypting Proxy
A proxy typically sits between the users and an external network. Proxies receive and send requests on behalf of a user, allowing full control over the traffic going out and coming back in.
Proxies can be used for caching, access control, URL filtering, content scanning, and even packet inspection. Proxy solutions may be explicit (the client is configured to use the proxy) or transparent (traffic is redirected to the proxy without client configuration) and are offered by many companies including McAfee, Fortinet, and Palo Alto Networks. A typical application of a proxy would be to filter explicit content on a school district network.
Proxies can also be broken into forward and reverse configurations. A forward proxy passes requests from a private or internal network to the Internet. Forward proxies can speed up local requests through caching and validate that a request should be performed. Forward proxies are interoperable with standard firewalls and network address translation (NAT).
Reverse proxies take requests from an external source and pass them to an internal service. This prevents clients from having direct access to internal services: the client only ever talks to the proxy, which can validate the request before forwarding it. Reverse proxies can utilize caching as well. A reverse proxy can also be configured to work with a firewall. Whereas it used to be common practice to place a server in a demilitarized zone (DMZ) outside of the internal firewall, it is now far more common to employ a reverse proxy to reach that server.

Subsection 6.3.3 Load Balancer

A common application for reverse proxies is to act as a load balancer for traffic. Load balancers distribute work, in the form of external client requests, among internal resources, typically servers.
For example, if a company has four servers supporting a web application, it may employ a reverse proxy load balancer that takes requests from clients and passes each request to one of the four internal servers. Different scheduling policies are used to determine which server gets a request, including round robin (rotate through the servers in turn), weighted round robin (servers with more capacity get proportionally more turns), and least connections (send the request to the server with the fewest active connections). Load balancers optimize bandwidth and increase availability.
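The three scheduling policies named above, as an added example written for this page (not a vendor's or any load balancer's own implementation). The four backend servers, their weights and the sequence of request open/close events are constructed for the illustration; the simulation shows where round robin and least connections diverge once some connections have finished.

```python
"""Added example of load balancer scheduling policies (round robin, weighted
round robin, least connections), written for this page. Servers, weights
and the request timeline are constructed for the illustration."""
from itertools import cycle


class RoundRobin:
    """Hand each new request to the next server in a fixed rotation."""

    def __init__(self, servers):
        self._order = cycle(servers)

    def pick(self, active):
        return next(self._order)


class WeightedRoundRobin:
    """Like round robin, but a server with weight 3 gets three turns per cycle,
    so a bigger machine takes a proportional share of the requests."""

    def __init__(self, weights):
        self._order = cycle([s for s, w in weights.items() for _ in range(w)])

    def pick(self, active):
        return next(self._order)


class LeastConnections:
    """Send the request to the server with the fewest open connections
    right now; ties go to the server listed first."""

    def __init__(self, servers):
        self.servers = list(servers)

    def pick(self, active):
        return min(self.servers, key=lambda s: active[s])


def simulate(scheduler, events, servers):
    """Replay ("open", id) / ("close", id) events through a scheduler and
    return the server chosen for each opened request, in order."""
    active = {s: 0 for s in servers}     # open-connection count per server
    placed = {}                          # request id -> server it went to
    choices = []
    for kind, rid in events:
        if kind == "open":
            server = scheduler.pick(active)
            active[server] += 1
            placed[rid] = server
            choices.append(server)
        else:
            active[placed.pop(rid)] -= 1 # connection finished, free the slot
    return choices


# Constructed scenario: four requests arrive, the ones on web3/web4 finish,
# then two more arrive. web1 is assumed to be the largest machine (weight 3).
SERVERS = ["web1", "web2", "web3", "web4"]
WEIGHTS = {"web1": 3, "web2": 1, "web3": 1, "web4": 1}
EVENTS = [("open", "r1"), ("open", "r2"), ("open", "r3"), ("open", "r4"),
          ("close", "r3"), ("close", "r4"), ("open", "r5"), ("open", "r6")]


def run_demo():
    """Return the placement of r1..r6 under each policy."""
    return {
        "round_robin": simulate(RoundRobin(SERVERS), EVENTS, SERVERS),
        "weighted": simulate(WeightedRoundRobin(WEIGHTS), EVENTS, SERVERS),
        "least_conn": simulate(LeastConnections(SERVERS), EVENTS, SERVERS),
    }


if __name__ == "__main__":
    for policy, placement in run_demo().items():
        print(f"{policy:12} {placement}")
```

Round robin sends r5 and r6 to web1 and web2 even though those two still hold connections while web3 and web4 sit idle; least connections sends them to web3 and web4 instead. That is the difference the policy names are describing: round robin counts turns, least connections counts current load.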

Subsection 6.3.4 VPN

A virtual private network (VPN) is used to encrypt Internet traffic between two networks, or between a client and a network. VPNs have become standard procedure for linking remote offices and connecting remote workers. Given the growth of working from home, most users have become familiar with what a VPN is and what it does.
Site-to-site VPNs are typically used for linking offices together. This kind of VPN is on permanently. An example would be linking two college campuses: NJIT Newark and NJIT Jersey City. In this scenario users on either campus expect to be able to connect securely to services on the opposite campus at all times. The traffic is encrypted and carried over the Internet.
Remote access VPNs are used by individuals connecting in to a secure network. This kind of VPN is usually started through an application such as Cisco AnyConnect. While the application is connected, the user is able to securely access internal resources as if they were at the office.
Many vendors offer VPN products including Cisco, Citrix, Fortinet, Palo Alto Networks, and Check Point. Many open source options also exist for building VPNs including OpenVPN (openvpn.net/), WireGuard (www.wireguard.com/), and IPsec (linuxhint.com/how-to-implement-ipsec-in-linux/).

Subsection 6.3.5 TAP

Sometimes it is necessary for a network or security engineer to monitor what is happening on a particular network segment. In this case a network test access point (TAP) can be employed. A TAP is a device inserted inline on a link that copies the traffic passing through it to a monitoring port, where an analysis or capture system is attached; the same effect can be approximated in software with port mirroring (SPAN) on a switch, which copies traffic from one or more ports to a designated monitor port.