Firewalls for Fun and Profit

I will be presenting at the MUG April 2017 Meeting and Penguicon 2017 on Firewalls for Fun and Profit.

The presentation is about what a firewall is, some history, the differences between the three types, and how to understand firewall rules.

The presentation slides can be found here:

Here is a text version of the presentation:

What is a Firewall
A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.

Host based vs network based
Host based: software installed on the machine itself that controls connections in and out of that single device.
Linux host-based firewalls: iptables, firewalld, UFW (firewalld and UFW are front ends that generate iptables/nftables rules)
BSD: pf

Network based: a network appliance that controls the connections between two or more networks (for example the internal network and the Internet).
Most home routers have a basic firewall built into them now.
Linux distros: IPCop / IPFire, Smoothwall, Sophos UTM
BSD: pfSense, OPNsense, BSD Router Project

The First Generation Firewalls were called Packet Filters and were first used in the late 1980s. In 1988 DEC published the first paper on packet filter firewall systems.
The Second Generation Firewalls are called Stateful Firewalls.
Originally called Circuit-level Gateways, they were developed at AT&T Bell Labs in 1990. The stateful firewall was first introduced by Check Point in 1994.
The Third Generation Firewalls are called Application Gateways.
First developed in 1995, but because it was processor intensive it didn't become popular for some time. In 2012 some firewall manufacturers renamed it NGFW, the Next Generation Firewall.

Packet Filtering, Stateful Firewall, and Application Gateway
Packet Filter is the most basic type of firewall. It allows or denies network traffic based on the source and destination IP addresses, the port numbers, and the protocol (TCP/UDP). Packet filters look only at the IP header (OSI Layer 3) plus the port fields of the transport header, and treat each packet individually with no memory of earlier packets. Because there is no connection memory, return traffic has to be permitted by its own rule (for example "anything from source port 80 inbound"), and anyone who sets that source port on their packets gets through that rule.
Cisco ACL is a popular use of a packet filter still used today:
access-list 107 permit tcp any any eq 23
(ACL number, action, protocol, source IP, destination IP, destination port; this entry permits Telnet from any source to any destination)

Stateful Firewall
A stateful firewall maintains a table of open connections, inspecting the headers (and for some protocols part of the payload) and associating each new packet with an existing legitimate connection. OSI Layers 3 and 4.
A TCP connection is created with a three-way handshake made up of SYN, SYN-ACK, and ACK, and is ended with FIN, FIN-ACK, and ACK. A bare SYN therefore marks a new connection that has to be checked against the rules; once the handshake completes, the connection is tracked as ESTABLISHED and later packets in either direction are matched against the state table rather than the rule list. A packet without SYN that matches no tracked connection is out of state and is dropped, which is exactly the forged-reply case a plain packet filter cannot catch.

Application Level/Layer Gateway (ALG)
Operates on OSI Layer 7 and filters based on the application. It is considered an extension of a stateful firewall: it goes beyond source/destination and port and inspects the application data itself, so it can tell the difference between HTTP used for the web and HTTP used for file sharing, or spot a non-HTTP protocol tunnelled over port 80.

Who uses firewalls?

Everyone should be using them.

Creating Firewall Rules
Every rule needs a source, destination, protocol, and port or service. Wildcards and supernets (CIDR prefixes) are acceptable. By default everything is blocked, so any legitimate traffic needs to be explicitly allowed. Rules are evaluated top down and the first match wins, so order matters: a broad allow placed above a specific deny makes that deny unreachable.

Typical Rules (first match wins):
Action   Protocol   Source   Port   Destination   Port        Description
LAN side:
allow    TCP        LAN      any    Local IP      80,443,22   Anti-Lockout (Administration)
allow    any        LAN      any    any           any         Internet Access
WAN side:
deny     any        any      any    any           any         (Implicit Default Rule)

"Local IP" is the firewall's own LAN address; the anti-lockout rule keeps you from cutting off your own admin access with a later rule. The implicit deny is the last rule on every interface; it is listed under WAN here because the WAN side has no explicit allow rules, so every unsolicited inbound packet hits it, while replies to LAN-initiated connections are admitted by the state table rather than by any WAN rule.
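To make the two ideas above concrete (the ESTABLISHED tracking from the Stateful Firewall section, and the top-down, first-match, implicit-deny evaluation of the rule table), here is a toy stateful packet filter. It is an added example written for this page, not code from the presentation or from any of the firewall products it lists. The Packet and Rule layouts, the LAN prefix 192.168.1.0/24, the firewall address 192.168.1.1 and the sample packets are all constructed for the illustration, and the extra "Blocked site" deny rule is there only to show that rule order matters.

```python
"""Toy stateful packet filter: rules run top down, first match wins, and anything
unmatched hits the implicit default deny. A connection table admits replies to
allowed outbound connections on the WAN side with no WAN rule, which is what
ESTABLISHED tracking adds over a plain packet filter.
Added example, not code from the presentation; the Packet/Rule layouts, the LAN
prefix 192.168.1.0/24 and the firewall address 192.168.1.1 are assumed."""
import ipaddress
from dataclasses import dataclass

ANY = "*"
SYN, SYN_ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})

@dataclass(frozen=True)
class Packet:
    iface: str                       # interface it arrived on: "lan" or "wan"
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags; empty for non-TCP

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    iface: str       # "lan", "wan" or "*"
    proto: str       # "tcp", "udp", "icmp" or "*"
    src: str         # CIDR prefix (supernets allowed) or "*"
    dst: str         # CIDR prefix or "*"
    dports: tuple    # destination ports; () means any
    desc: str

def _in_net(pattern, addr):
    return pattern == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def rule_matches(rule, pkt):
    return (rule.iface in (ANY, pkt.iface) and rule.proto in (ANY, pkt.proto)
            and _in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}   # 5-tuple as seen from the initiator -> state

    def evaluate(self, pkt):
        """Return (verdict, reason) for one packet and update the state table."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packets of a tracked connection bypass the rule list entirely.
        if fwd in self.conns or rev in self.conns:
            return self._track(pkt, fwd if fwd in self.conns else rev, is_reply=rev in self.conns)
        # 2. Only a bare SYN may open a TCP connection; an untracked ACK, SYN-ACK
        #    or FIN is out of state and is dropped before any rule is consulted.
        if pkt.proto == "tcp" and pkt.flags != SYN:
            return "deny", "out-of-state TCP segment (no SYN, no tracked connection)"
        # 3. Top down, first match wins.
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.conns[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
                return rule.action, rule.desc
        return "deny", "implicit default deny"   # 4. nothing matched

    def _track(self, pkt, key, is_reply):
        state = self.conns[key]
        if pkt.proto == "tcp":
            if state == "SYN_SENT" and is_reply and pkt.flags == SYN_ACK:
                self.conns[key] = state = "ESTABLISHED"   # handshake completing
            elif "FIN" in pkt.flags or "RST" in pkt.flags:
                del self.conns[key]                        # simplified teardown
                return "allow", "tracked connection closing"
        return "allow", f"tracked connection ({state})"

LAN_NET, FIREWALL_IP = "192.168.1.0/24", "192.168.1.1/32"   # assumed addresses
RULES = [   # the presentation's LAN rules, plus one deny to show that order matters
    Rule("allow", "lan", "tcp", LAN_NET, FIREWALL_IP, (80, 443, 22), "Anti-Lockout (Administration)"),
    Rule("deny", "lan", ANY, LAN_NET, "198.51.100.0/24", (), "Blocked site (must sit above Internet Access)"),
    Rule("allow", "lan", ANY, LAN_NET, ANY, (), "Internet Access"),
]   # WAN side: no allow rules, so every unsolicited inbound packet hits the implicit deny

def demo(rules=RULES):
    fw, web = StatefulFirewall(rules), "203.0.113.80"   # RFC 5737 documentation address
    return [
        fw.evaluate(Packet("lan", "tcp", "192.168.1.10", 51000, web, 443, SYN)),            # new HTTPS: Internet Access
        fw.evaluate(Packet("wan", "tcp", web, 443, "192.168.1.10", 51000, SYN_ACK)),        # reply: admitted by state table
        fw.evaluate(Packet("lan", "tcp", "192.168.1.10", 51001, "192.168.1.1", 443, SYN)),  # admin UI: anti-lockout
        fw.evaluate(Packet("lan", "tcp", "192.168.1.10", 51002, "198.51.100.9", 80, SYN)),  # blocked prefix: deny wins
        fw.evaluate(Packet("wan", "tcp", "198.51.100.7", 40000, "192.168.1.10", 22, SYN)),  # unsolicited SSH: implicit deny
        fw.evaluate(Packet("wan", "tcp", web, 443, "192.168.1.10", 52000, frozenset({"ACK"}))),  # forged reply: out of state
    ]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:5}  {reason}")
```

Running `demo()` with the rules in the listed order allows the outbound HTTPS SYN, allows the SYN-ACK reply purely on the strength of the state table (there is no WAN rule that would permit it), hits the anti-lockout rule for the admin session, stops the blocked prefix at the deny, and drops both the unsolicited inbound SYN (implicit deny) and the forged ACK (out of state). Call `demo(list(reversed(RULES)))` and the "Blocked site" deny never fires, because "Internet Access" now sits above it and matches first. Real engines also check sequence numbers and expire idle entries; the same idea is `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` in iptables and `keep state` in pf.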