The oldest and simplest type of firewall. The firewall rules state explicitly and precisely from which address and port to which address and port an incoming packet may pass, i.e. the filtering is done on the third and fourth layers of the OSI model.
The advantage of this solution is its high processing speed, which is why it is still used today – in places where accuracy or thorough analysis of the data is not necessary but where large amounts of data are transferred at high speed.
The disadvantage is the low level of control over the connections, which – especially in the case of more complex protocols (such as FTP, video/audio streaming, RPC, etc.) – is insufficient for controlling the connection itself. Moreover, allowing such a connection means opening ports and directions of connection that may then be used by protocols other than the one the security administrator intended to allow.
Typical representatives of packet filters are the so-called ACLs (Access Control Lists) in older versions of the IOS operating system of Cisco Systems routers, JunOS by Juniper Networks, or older versions of the Linux kernel firewall (ipchains).
Not long after packet filters, another type of firewall was created that could completely separate the networks on either side of it. They are usually called application gateways or proxy firewalls. All communication through an application gateway consists of two connections – the client (the initiator of the connection) connects to the gateway (proxy), which processes the incoming connection and opens a new connection to the requested server, towards which the gateway itself acts as the client. The data that the gateway receives from the server is then passed to the original client over the first connection. The check is done on the seventh (application) layer of the OSI network model, which is why these firewalls are called application gateways.
One side-effect of using an application gateway is that the server cannot see the source address of the client that originated the request, because the external address of the application gateway appears as the request’s source. Application gateways therefore automatically serve as address translation (NAT) tools. This functionality is, however, common to most packet filters as well.
The advantage of this solution is the relatively high level of security for known protocols; the disadvantage is the high demand it places on the hardware used. Application gateways can handle a much smaller number of connections and much lower throughput than packet filters, and their latency is much higher. A specialized proxy must be written for each protocol, or a so-called generic proxy must be used, which is, however, no more secure than a packet filter. Most application gateways were therefore able to control only a handful of protocols (usually around ten). In addition, the early versions required the client to be able to communicate with the gateway and were not able to protect their own operating system well. These faults were gradually eliminated, but once stateful packet filters appeared, the development of most application gateways stopped, and the remaining ones are now used only in very special cases.
Typical representatives were, for example, the Firewall Toolkit (fwtk) and its successor Gauntlet by the TIS company, which was later acquired by NAI.
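The two-connection design and its NAT side-effect can be seen directly with a few sockets on the loopback interface. The following is an added example written for this page, not code from the original article or from any of the products it names. The one-line "ECHO <text>" protocol, the refusal rule and all addresses are constructed; the upstream server records the address of whoever connects to it, which turns out to be the gateway's, not the client's.

```python
"""Minimal application gateway (proxy firewall) on the loopback interface.
Added example, not code from the original article. It shows the two separate
connections described above, the application-layer check the gateway applies,
and the side-effect that the server sees the gateway's address rather than
the client's. The one-line "ECHO <text>" protocol and all addresses are
constructed for this illustration."""
import socket
import threading

def serve_once(listener, seen):
    """Constructed upstream server: accept one connection, record who connected,
    answer with the request in upper case. Gives up if nobody connects in time."""
    try:
        conn, peer = listener.accept()
    except OSError:            # timeout or listener closed: the gateway refused
        return
    with conn:
        seen["server_saw"] = peer
        conn.sendall(conn.recv(1024).upper())

def gateway_once(listener, server_addr, seen):
    """Application gateway: connection 1 comes from the client, connection 2 is
    opened by the gateway itself towards the server. A request that does not
    match the constructed protocol is refused at layer 7 and never reaches
    the server."""
    client_conn, _ = listener.accept()
    with client_conn:
        request = client_conn.recv(1024)
        if not request.startswith(b"ECHO "):
            seen["refused"] = True
            client_conn.sendall(b"REFUSED\n")
            return
        with socket.create_connection(server_addr) as upstream:
            seen["gateway_source"] = upstream.getsockname()  # what the server sees
            upstream.sendall(request)
            client_conn.sendall(upstream.recv(1024))

def run_demo(request=b"ECHO hello\n"):
    """Run client -> gateway -> server once and report the observed addresses."""
    seen = {"refused": False}
    server_l = socket.socket()
    server_l.bind(("127.0.0.1", 0))
    server_l.listen(1)
    server_l.settimeout(1.0)           # so a refused request does not block forever
    gw_l = socket.socket()
    gw_l.bind(("127.0.0.1", 0))
    gw_l.listen(1)
    threads = [
        threading.Thread(target=serve_once, args=(server_l, seen), daemon=True),
        threading.Thread(target=gateway_once,
                         args=(gw_l, server_l.getsockname(), seen), daemon=True),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(gw_l.getsockname()) as client:
        seen["client_source"] = client.getsockname()
        client.sendall(request)
        seen["reply"] = client.recv(1024)
    for t in threads:
        t.join(timeout=2.0)
    server_l.close()
    gw_l.close()
    return seen

if __name__ == "__main__":
    result = run_demo()
    print("client connected from", result["client_source"])
    print("server saw connection from", result["server_saw"])
    print("reply to client:", result["reply"])
```

Both endpoints are on 127.0.0.1, so the distinguishing part of the addresses is the port: the server's peer address equals the gateway's outgoing socket, not the client's. Calling run_demo(b"SSH-2.0-something\n") exercises the refusal path, where the client gets REFUSED and the server never sees a connection at all.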
Stateful packet filters
Stateful packet filters perform the same check as simple packet filters but, in addition, they store information on the allowed connections, which is later used to decide whether a given packet is part of an already-allowed connection and may be passed through, or whether it must go through the decision process again. This has two advantages: firstly, processing of packets belonging to an existing connection is faster, and secondly, the configuration is simpler. You need only enter the direction of the connection and the firewall will, by itself, let through the reply packets and, for known protocols, even the other connections used by the particular protocol. For example, for FTP it is sufficient to set a rule that allows the client to connect to the server via FTP; since it is a known protocol, the firewall itself will allow the control connection from the client to the server’s port 21 and the reply from the server’s port 21 to the source port used by the client. After the command that requests a data transfer, it will authorize the data connection from port 20 of the server to the port negotiated over the control connection, including, of course, the client’s reply packets back to the server’s port 20. Another major improvement is the possibility of creating a so-called virtual connection state for stateless protocols such as UDP and ICMP.
One of the biggest advantages of stateful packet filters is their high speed and relatively high level of security, together with – compared to the above-mentioned application gateways and simple packet filters – much easier configuration, which lowers the probability of the administrator entering wrong settings.
The disadvantage is a generally lower level of security compared to that provided by application gateways.
Typical representatives of this firewall category are e.g. FireWall-1 by Check Point (up to version 4.0), older versions of Cisco PIX, Cisco IOS Firewall, older versions of the Netscreen firewall by Juniper or, among free products, iptables in the Linux kernel and ipfw in *BSD systems.
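The FTP example above, and the weakness of plain packet filters described earlier (having to open ports and directions that other traffic can then use), can be put side by side in a small simulation. This is an added example for this page, not code from the original article or from any firewall product; the rule tuple format, the Packet fields, the one-rule FTP helper and the addresses are all constructed for illustration. The stateless filter is configured with the four rules that active-mode FTP needs; the stateful filter is given only the initiating direction and derives the rest from remembered state.

```python
"""Simulation of a stateless packet filter next to a stateful one, using the
active-mode FTP session from the text. Added example, not code from the
original article: the rule format (src, sport, dst, dport), the Packet fields
and the tiny FTP helper are assumptions made for illustration, not any
vendor's syntax. All addresses are constructed."""
import re
from dataclasses import dataclass

ANY = None  # wildcard in a rule position

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # True for the packet that opens a TCP connection
    payload: str = ""    # application data (only the FTP helper looks at it)

def match(rule, pkt):
    """Rules inspect layers 3 and 4 only: (src, sport, dst, dport), None = any."""
    src, sport, dst, dport = rule
    return ((src is ANY or src == pkt.src) and (sport is ANY or sport == pkt.sport)
            and (dst is ANY or dst == pkt.dst) and (dport is ANY or dport == pkt.dport))

def stateless_allows(rules, pkt):
    """Every packet is judged on its own; there is no memory of earlier packets."""
    return any(match(r, pkt) for r in rules)

class StatefulFilter:
    """Only the initiating direction is configured; replies and protocol-negotiated
    data connections are admitted from remembered state."""
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()     # (src, sport, dst, dport) of accepted connections
        self.expected = set()  # data connections announced inside a known protocol

    def allows(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:   # existing connection, either way
            self._ftp_helper(pkt, key if key in self.conns else reverse)
            return True
        if key in self.expected:                          # e.g. FTP data from server:20
            self.expected.discard(key)
            self.conns.add(key)
            return True
        if pkt.syn and any(match(r, pkt) for r in self.rules):
            self.conns.add(key)                           # new connection, allowed direction
            return True
        return False

    def _ftp_helper(self, pkt, conn):
        """Parse the client's PORT command on a control connection (server port 21)
        and pre-authorise the matching data connection from the server's port 20."""
        if conn[3] != 21 or pkt.dport != 21:
            return
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", pkt.payload)
        if m:
            host = ".".join(m.groups()[:4])
            port = int(m.group(5)) * 256 + int(m.group(6))
            self.expected.add((conn[2], 20, host, port))

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed addresses

FTP_SESSION = [
    Packet(CLIENT, 40000, SERVER, 21, syn=True),                        # control connection
    Packet(SERVER, 21, CLIENT, 40000, payload="220 ready"),             # server reply
    Packet(CLIENT, 40000, SERVER, 21, payload="PORT 10,0,0,5,156,65"),  # 156*256+65 = 40001
    Packet(SERVER, 20, CLIENT, 40001, syn=True),                        # active-mode data
    Packet(CLIENT, 40001, SERVER, 20),                                  # data reply
]
# No transfer is in progress for this one: a packet from the server host's
# port 20 aimed at the client's SSH port.
UNRELATED = Packet(SERVER, 20, CLIENT, 22, syn=True)

def run_demo():
    """Return which packets each kind of filter admits."""
    # A stateless filter must open both directions and the data ports permanently.
    stateless_rules = [(CLIENT, ANY, SERVER, 21), (SERVER, 21, CLIENT, ANY),
                       (SERVER, 20, CLIENT, ANY), (CLIENT, ANY, SERVER, 20)]
    stateful = StatefulFilter([(CLIENT, ANY, SERVER, 21)])  # one rule suffices
    return {
        "stateless_ftp": [stateless_allows(stateless_rules, p) for p in FTP_SESSION],
        "stateless_unrelated": stateless_allows(stateless_rules, UNRELATED),
        "stateful_ftp": [stateful.allows(p) for p in FTP_SESSION],
        "stateful_unrelated": stateful.allows(UNRELATED),
    }

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

Both filters pass the whole FTP session, but only the stateless one also passes the unrelated packet, because its rule "server port 20 to any client port" has to stay open at all times. The stateful filter admits the data connection only for the port the PORT command announced and only once.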
Stateful packet filters with protocol check and IDS implement – besides information on the connection state and the ability to dynamically open ports for the various control and data connections of known protocols – something that the marketing terminology of various companies usually designates as Deep Inspection or Application Intelligence. This means that the firewall checks a connection down to the correctness of the data transferred by known protocols and applications. Thus, it can deny an HTTP connection that contains indications that it is not a request to a WWW server but that another protocol is being tunnelled. This is often done by P2P network clients (ICQ, gnutella, napster, etc.) or when the data in an e-mail header does not comply with the RFC.
Recently, so-called in-line IDS (Intrusion Detection Systems) have been integrated into firewalls. These systems work similarly to antivirus programs: using a database of signatures and heuristic analysis, they are able to detect patterns of attacks in seemingly random connection attempts, e.g. address range scanning, port range scanning, known attack signatures within allowed connections, and so on.
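A protocol check of the kind described above can be illustrated on the opening bytes of a connection to port 80: does it actually carry an HTTP request, or is something else using the web port? The following is an added example written for this page, not code from the original article or from any of the products it names. Its grammar is a simplified reading of the HTTP/1.x request syntax (request line, header field names, the Host requirement of HTTP/1.1) and the sample payloads are constructed.

```python
"""Deep-inspection check for port-80 traffic: does the data look like an HTTP
request, or is another protocol being tunnelled through the web port?
Added example, not code from the original article. The grammar is a
simplified reading of the HTTP/1.x request syntax; the samples are constructed."""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
# Methods defined for HTTP/1.1; anything else on port 80 is treated as suspicious.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")  # field-name followed by ":"

def inspect_http(payload: bytes):
    """Return (allow, reason) for the opening bytes of a client -> server:80 stream."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes where an HTTP request line is expected"
    head = text.split("\r\n\r\n", 1)[0]       # request line and headers only
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "first line is not an HTTP request line"
    method, target, version = m.groups()
    if method not in KNOWN_METHODS:
        return False, f"unknown method {method!r}"
    if not (target == "*" or target.startswith("/") or target.startswith("http://")
            or method == "CONNECT"):
        return False, f"malformed request target {target!r}"
    headers = {}
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return False, f"malformed header line {line!r}"
        name, _, value = line.partition(":")
        headers[name.lower()] = value.strip()
    if version == "1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without a Host header"
    return True, "conforming HTTP request"

# Constructed sample payloads as a firewall would see them at the start of a stream.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "odd_method": b"XFER /tunnel HTTP/1.0\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_9.0\r\n",            # SSH banner on the web port
    "binary": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # TLS-like record, not HTTP
    "bad_header": b"GET / HTTP/1.0\r\nthis is not a header\r\n\r\n",
}

def classify_all(samples=SAMPLES):
    """Map each sample name to the allow/deny verdict."""
    return {name: inspect_http(data)[0] for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:>11}: {inspect_http(data)}")
```

Only the browser request survives; everything else is refused with a reason a log line can carry. A real implementation would also have to cope with requests split across several packets, which is why such checks run on the reassembled stream rather than on individual packets.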
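The heuristic side of an in-line IDS, detecting address range and port range scanning in what looks like random connection attempts, can be shown with a sliding-window counter over connection attempts. This is an added example written for this page, not code from the original article or from any IDS product; the attempt records, the thresholds and the window length are constructed, and signature matching is left out.

```python
"""In-line IDS heuristic: spotting port-range and address-range scanning in a
stream of connection attempts. Added example, not code from the original
article; the records, thresholds and window are constructed for illustration."""
from collections import defaultdict

# Constructed attempt records: (timestamp in seconds, src_ip, dst_ip, dst_port).
ATTEMPTS = (
    [(0.0, "10.0.0.5", "192.0.2.10", 443), (1.5, "10.0.0.5", "192.0.2.10", 80)]  # normal user
    + [(5.0 + 0.1 * i, "198.51.100.7", "192.0.2.10", 21 + i) for i in range(10)]  # port range
    + [(20.0 + 0.1 * i, "203.0.113.9", f"192.0.2.{i + 1}", 22) for i in range(6)]  # address range
    + [(100.0 + 15.0 * i, "10.0.0.8", "192.0.2.10", 1000 + i) for i in range(9)]  # slow, spread out
)

def detect_scans(attempts, window=10.0, port_threshold=8, host_threshold=5):
    """Sliding-window heuristic over connection attempts, per source address.

    A source that touches at least port_threshold distinct ports on one host
    within `window` seconds is reported as a port scan; one that touches the
    same port on at least host_threshold distinct hosts is reported as an
    address sweep. Each (kind, source, detail) is reported once."""
    recent = defaultdict(list)   # src -> attempts still inside the window
    alerts, reported = [], set()
    for ts, src, dst, dport in sorted(attempts):
        recent[src] = [e for e in recent[src] if ts - e[0] <= window] + [(ts, dst, dport)]
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for _, d, p in recent[src]:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        for d, ports in ports_per_host.items():
            if len(ports) >= port_threshold:
                _report(alerts, reported, ("portscan", src, d))
        for p, hosts in hosts_per_port.items():
            if len(hosts) >= host_threshold:
                _report(alerts, reported, ("sweep", src, p))
    return alerts

def _report(alerts, reported, alert):
    """Append an alert the first time it is seen."""
    if alert not in reported:
        reported.add(alert)
        alerts.append(alert)

if __name__ == "__main__":
    for kind, src, detail in detect_scans(ATTEMPTS):
        print(f"{kind}: {src} -> {detail}")
```

With the 10-second window the scanner and the sweeper are reported while the normal user and the slow host (one new port every 15 seconds) are not; widening the window to 200 seconds also flags the slow host, which is the usual trade-off between catching slow scans and raising false alarms on ordinary clients.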
The advantage of these systems is the high level of security of the protocol check while preserving relatively easy configuration and high speed of checking compared to application gateways. Nevertheless, compared to plain stateful packet filters there is a significant slow-down (by a third to a half).
The disadvantage is primarily that, from the viewpoint of secure design, the basic rule is to keep security systems as small and simple as possible. These types of firewalls integrate a huge amount of functionality and therefore increase the probability that some part of their code contains an exploitable mistake that may lead to compromise of the whole system.
Typical representatives of this category are Check Point FireWall-1 (since version 4.1, now NGX) and the products of the Netscreen, ISG and SSG series by Juniper. Similar functionality is available in the form of experimental modules for iptables as well.
Rules for communication through the firewall are commonly designated as the “firewall security policy” or just “security policy”. The security policy not only covers the rules for communication between networks; for most networks it also includes various global settings, network address translation (NAT), instructions for creating encrypted connections between encryption gateways (VPN – virtual private networks), detection of possible attacks and protocol anomalies (IDS – Intrusion Detection Systems), authentication and sometimes even authorization of users, and bandwidth management.