In this blog, we’ll go into different types of firewalls as well as its pros and cons.
<> Stateless Firewalls <>
As its name implies, stateless packet filtering firewalls are the most basic of firewalls and were developed and deployed early because of their compatibility with existing hardware. These firewalls are good at looking into packets quickly as long as we size it probably. Because of that, these firewalls are often the fastest and the cheapest and can filter some of the noise before more advanced technologies come in.
These firewalls can handle simple attacks pretty quickly. However, they can easily be tricked because of the nature of network traffic in which almost all network traffic is bi-directional, but stateless firewalls must decide on what to do with network traffic without any knowledge of previous packets or communications. In this case, allowing only outbound traffic is the same as only allowing trafic that initiates outbound. It would be difficult for stateless firewalls to make decisions about inbound traffic that is part of a communication stream that started as outbound. It can only make decisions on the content of each packet, not about their state or communication stream. If the ACK flag is set, the packet is assumed to be part of an existing communication and is forwarded on.
Nmap ACK scan can be used to determine the port’s status if these firewalls are being used.
<> Stateful Firewalls <>
Stateful firewall operates similar to stateless firewall by focusing on the IP and TCP header of the traffic but they do not inspect any application data.
Since it works with IP and TCP header, it keeps track of all the connections that are going through the firewall so that it cannot be fooled with an ACK scan. Instead, the stateful firewall uses a table of socket pair (SrcIP:SrcPort – DstIP:Dest:Port) and a state flag. The state flag identifies the relationship between the source and destination address including ports, and the status of the current connection. The following are some possible values for the state:
- SYN_SENT: A SYN packet has been sent from host A to host B which is the first step in the 3-way handshake (TCP mechanism)
- SYN_RECV: A SYN ACK packet has been received from host B, the second step in the 3-way handshake.
- ESTABLISHED: The last step in the 3-way handshake, after this step completed the connection will be established.
- FIN_WAIT1: One host has issued a FIN packet indicating the connection should be gracefully closed
- LAST_ACK: The other host has acknowledged the request to gracefully close the connection
- FIN_WAIT2: The other host has issued a FIN packet in response to the request to gracefully close the connection in which both sides are finished the communication
- CLOSED: No more connection between the two hosts
By keeping track of the state of TCP connections, the stateful firewall can respond smartly to packets out of order or packets that include malformed TCP flag combinations. This improves the functionality of a packet filter firewall at the cost of additional overhead in maintaining a stateful tracking table for each connection through the firewall
Unlike TCP, UDP and ICMP protocols do not have 3-way handshake mechanism hence no state flags that indicate when a connection completes, stateful firewalls rely on a timeout duration for these protocols to determine when they can be safely to remove from the state table. Once the timeout duration exceeds, traffic from the external host will be dropped until another UDP or ICMP packet for the source/destination address and port originates on the inside of the network.
<> Application Gateway <>
Application firewalls are the slowest in terms of performance and the most inconvenient to manage, such as when a new protocol isn’t yet supported. However, application firewalls usually provide the best security.
Application firewalls work by breaking down each packet layer by layer on one interface and build it back up on the opposite interface. From the perspective of the source, the traffic flows to the destination. But the traffic actually is delivered to a virtual destination just inside the application firewall, on the input side, where it is disassembled and examined. If the policy being enforced allows this traffic through, it is regenerated on the output side of the application firewall, thus resulted in poor performance but better security.