Demilitarized Zone (DMZ)
The Cisco IOS Zone-Based Firewall (ZBF) is a stateful firewall feature set that helps mitigate common network attacks in environments where security is also enforced on routers. In a zone-based firewall, the device's interfaces are placed into distinct zones (for example inside, outside and DMZ) and policies are then applied between zones rather than to individual interfaces. Zone names should be self-explanatory, because a clear naming convention is what keeps the configuration readable at troubleshooting time. The default behaviour is restrictive: traffic between two interfaces in the same zone is forwarded, but traffic between different zones is dropped unless a zone-pair with a policy explicitly permits or inspects it, and an interface that belongs to no zone cannot exchange traffic with an interface that does.
ZBF uses stateful filtering: if a policy inspects traffic originating in one zone, say inside, towards another zone, say the DMZ, the return traffic of those sessions is allowed automatically. Sessions that may be initiated from either side need a zone-pair and policy in each direction. Note that only the inspect action creates session state; the pass action forwards packets statelessly and therefore also needs a matching pass rule on the reverse zone-pair.
One advantage of applying policies to zones rather than interfaces is that when an interface is added, removed or repurposed, it is enough to add it to or remove it from the relevant zone; the zone-pair policies then apply to it (or stop applying) automatically, without touching the policies themselves.
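As an added worked example (not from the original page), the following is a minimal Cisco IOS zone-based firewall configuration with the three zones discussed above. The interface names, the inside subnet 10.0.0.0/24, the uplink address and the DMZ web server address 192.0.2.10 are assumed for illustration.

```cisco
! Three zones; the names are chosen to be self-explanatory.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Traffic classes: what INSIDE may start towards OUTSIDE, and what
! OUTSIDE may start towards the DMZ web server (assumed 192.0.2.10).
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
!
ip access-list extended ACL-TO-DMZ-WEB
 permit tcp any host 192.0.2.10 eq 443
!
class-map type inspect match-all CM-OUTSIDE-TO-DMZ
 match access-group name ACL-TO-DMZ-WEB
 match protocol https
!
! "inspect" creates a session entry, so return traffic is allowed
! without a policy on the reverse zone-pair. Anything not classified
! falls into class-default and is dropped and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUTSIDE-TO-DMZ
 class type inspect CM-OUTSIDE-TO-DMZ
  inspect
 class class-default
  drop log
!
! A zone-pair is unidirectional: it names a source and a destination
! zone and binds exactly one policy. Pairs that are not defined
! (for example DMZ -> INSIDE) drop all traffic by default.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-TO-DMZ
!
! Interfaces only need zone membership; the zone-pair policies apply
! to them automatically, and moving an interface is a one-line change.
interface GigabitEthernet0/0
 description Inside LAN (assumed 10.0.0.0/24)
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet uplink (assumed address)
 ip address 198.51.100.2 255.255.255.252
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 description DMZ segment (assumed 192.0.2.0/24)
 ip address 192.0.2.1 255.255.255.0
 zone-member security DMZ
```

Verify the zone-pairs with `show zone-pair security` and watch the state table fill with `show policy-map type inspect zone-pair sessions`. One caveat a practitioner should remember: traffic to and from the router itself belongs to the built-in "self" zone and is permitted by default until a zone-pair involving self is configured, so management access to the router is not restricted by the policies above.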
Types of Firewall
1. Packet Filtering Firewall
A packet filtering firewall uses access control lists (ACLs) to permit or deny traffic based on layer 3 and layer 4 information. When a packet arrives at an interface of a layer 3 device with an ACL applied, the device evaluates the ACL from its first line down and the first matching entry decides the packet's fate; an implicit deny at the end drops anything that matched no entry, so the order of the entries matters. With an extended ACL on a Cisco device, the following information can be used to match traffic:
- Source Address
- Destination Address
- Source Port
- Destination Port
- Some extra flags, such as the established keyword for TCP, which matches segments with the ACK or RST bit set
Advantages:
- Easy to implement using permit and deny statements
- Less CPU intensive than deep packet inspection techniques
- Configurable on almost every Cisco IOS device
- Even a mid-range device can perform ACL based filtering
Disadvantages:
- Cannot by itself mitigate IP spoofing attacks. An attacker can set the source address of packets to one that a permit statement in the ACL trusts; ingress filtering of addresses that should never arrive on an interface reduces the exposure, but an ACL cannot verify where a packet really came from
- Difficult to maintain as the ACL grows
- Cannot filter on session state: the established keyword only checks TCP flags, so a crafted packet with the ACK bit set passes even when no session exists
- Where applications use dynamic ports, a range of ports has to be opened in the ACL, and that range is equally available to malicious users
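An added example (not from the original page) of an extended ACL applied inbound on the untrusted interface. It shows top-down first-match evaluation, the established keyword, the stateless hole that UDP replies require, and the ingress filtering that blunts the spoofing problem listed above. The inside network 10.0.0.0/24, the published server 10.0.0.10 and the interface name are assumed.

```cisco
! Extended ACL, evaluated top-down; the first matching line wins and an
! implicit "deny ip any any" sits at the end.
ip access-list extended ACL-OUTSIDE-IN
 remark -- Ingress filtering: packets arriving from the Internet must not
 remark -- claim inside, loopback or unspecified source addresses. These
 remark -- lines come first so that a spoofed inside source can never
 remark -- reach the permit lines below that trust it.
 deny   ip 10.0.0.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark -- Return traffic for TCP sessions started from inside. The
 remark -- "established" keyword only checks that ACK or RST is set; it
 remark -- keeps no session state, so ACK-flagged probes pass through it.
 permit tcp any 10.0.0.0 0.0.0.255 established
 remark -- UDP has no "established": DNS replies can only be recognised by
 remark -- source port 53, which any attacker can set. This is the gap a
 remark -- stateful firewall removes.
 permit udp any eq 53 10.0.0.0 0.0.0.255
 remark -- Inbound service we publish (assumed HTTPS server 10.0.0.10)
 permit tcp any host 10.0.0.10 eq 443
 remark -- Make the implicit deny visible in the logs
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Internet uplink (assumed)
 ip access-group ACL-OUTSIDE-IN in
```

Check which entries are actually matching with `show access-lists ACL-OUTSIDE-IN`, whose hit counters quickly reveal a permit line that is doing more work than expected. The `log` keyword is useful on the anti-spoofing and final deny lines, but logged entries are handled by the CPU rather than in the forwarding path, so keep them off high-volume permit lines.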
2. Circuit-Level Gateway Firewall
A circuit-level gateway firewall operates at the session layer of the OSI model. It monitors the TCP handshake between the endpoints to validate that a requested session is legitimate, and once the session is established it relays the packets without examining their contents. Packets forwarded to the remote destination through a circuit-level firewall appear to have originated from the gateway, which hides the internal addresses.
3. Application-Level Firewall
An application-level (proxy) firewall can work from layer 3 up to layer 7 of the OSI model. Normally, specialized or open source software running on a high-end server acts as an intermediary between the client and the destination address: the client's connection terminates on the proxy, which opens a second connection to the destination. Because these firewalls operate up to layer 7, more granular control of packets moving in and out of the network is possible. For the same reason it becomes very difficult for an attacker to map the topology of the inside, trusted network, since connection requests terminate on the application/proxy firewall.
Advantages:
- Granular control over the traffic is possible by using information up to layer 7 of the OSI model
- The indirect connection between end devices makes it much harder to mount an attack directly against an internal host
- Detailed logging is possible, as every session involves the firewall as an intermediary
- Any commercially available hardware can be used to install and run proxy firewalls
Disadvantages:
- Because proxy and application firewalls run in software, a very high-end machine may be required to meet the computational requirements
- Just like NAT, not every application supports proxy firewalls, and some amendments to the current application architecture may be needed
- Additional software may be required for the logging feature, which takes extra processing power
- Along with computational power, large storage may be required in different scenarios
4. Stateful Multilayer Inspection Firewall
As the name suggests, this type records the state of current sessions in a table known as the state table (or stateful database). Firewalls using stateful inspection normally deny any traffic initiated from an untrusted interface towards a trusted interface. When an end device on the trusted interface wants to communicate with a destination attached to the untrusted interface, an entry is created in the state table containing layer 3 and layer 4 information (source and destination addresses, protocol, ports and, for TCP, the connection state). Reply packets are matched against this entry and allowed; packets that match no entry are dropped, and the entry is removed when the session closes or its idle timer expires.
Advantages:
- Helps in filtering unexpected traffic, since packets that belong to no known session are dropped
- Can be implemented on a broad range of routers and firewalls
- Can help in mitigating denial of service (DoS) attacks, for example by limiting the number of half-open TCP sessions
Disadvantages:
- Unable to mitigate application layer attacks, because a valid session entry says nothing about the payload
- Except for TCP, protocols such as UDP and ICMP have no well-defined connection state; the firewall approximates it with pseudo-sessions keyed on addresses and ports that expire on an idle timer
- Some applications use more than one port for successful operation (FTP's separate data channel is the classic case). Unless the firewall has an application-aware inspection engine for that protocol, an application architecture review may be needed for it to keep working after the firewall is deployed
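An added example (not from the original page) of how a Cisco IOS zone-based firewall approximates state for protocols that have none, bounds half-open TCP sessions, and handles a multi-port application with an inspection engine instead of a static port range. It assumes zones named INSIDE and OUTSIDE already exist; the timer and limit values are illustrative and should be tuned to the traffic profile.

```cisco
! Timers and limits for the state table. UDP and ICMP have no handshake,
! so an entry is created on the first packet and removed on idle timeout;
! short timers limit how long a single packet can keep a hole open.
parameter-map type inspect PMAP-STATE
 tcp idle-time 3600
 tcp syn-wait-time 15
 tcp finwait-time 5
 udp idle-time 30
 icmp idle-time 10
 max-incomplete high 2000
 max-incomplete low 1500
 sessions maximum 20000
!
! Application-aware inspection: "ftp" follows the PORT/PASV exchange on
! the control channel and opens the data connection dynamically, so no
! static port range has to be permitted. The application protocol is
! listed before the generic tcp/udp/icmp matches.
class-map type inspect match-any CM-INSIDE-OUT-STATEFUL
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! The parameter map is attached to the inspect action; half-open TCP
! sessions above "max-incomplete high" are aggressively aged until the
! count falls back below "max-incomplete low".
policy-map type inspect PM-INSIDE-OUT-STATEFUL
 class type inspect CM-INSIDE-OUT-STATEFUL
  inspect PMAP-STATE
 class class-default
  drop log
!
! Applied to the inside-to-outside zone-pair (replacing any policy that
! pair carried before; a zone-pair holds one service-policy).
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT-STATEFUL
```

`show policy-map type inspect zone-pair sessions` lists the live entries, including the pseudo-sessions created for UDP and ICMP and the dynamically opened FTP data connections, which is the quickest way to confirm that a multi-port application works without a permanent port range.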
5. Transparent Firewalls
Most of the firewalls discussed above work at layer 3 and above.
Transparent firewalls use exactly the same filtering techniques, but the firewall's own interfaces are layer 2 in nature. No IP addresses are assigned to the data interfaces; think of it as a switch with ports assigned to a VLAN. The only IP address on a transparent firewall is for management. Because no extra hop is added between end devices and no readdressing is needed, users are not aware of the addition to the network infrastructure and custom-made applications usually keep working without any change. The firewall still inspects the IP and transport headers of every frame it bridges; it is only its own presence in the path that is hidden.
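An added example (not from the original page) of transparent mode on a Cisco ASA, since the IOS zone-based firewall above is a routed firewall. It uses the bridge-group syntax of ASA 8.4 and later; the interface names, the management address and the host subnet 192.0.2.0/24 are assumed.

```cisco
! Switch the ASA from routed (layer 3) to transparent (layer 2) mode.
! This clears the running configuration, so it is done first.
firewall transparent
!
! Data interfaces carry no IP address. Both are placed in one bridge
! group; the ASA bridges frames between them while still inspecting
! the IP and TCP/UDP headers.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! The bridge-group virtual interface holds the only IP address, used for
! management and for the ASA's own traffic; it must sit in the same
! subnet as the hosts on both sides (assumed 192.0.2.0/24).
interface BVI1
 ip address 192.0.2.254 255.255.255.0
!
! Policy is written exactly as in routed mode; hosts see no new hop and
! keep their existing addresses and gateway (assumed web server 192.0.2.10).
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq https
access-group OUTSIDE-IN in interface outside
```

One caveat: in transparent mode the ASA forwards IP and ARP but drops other EtherTypes by default, so if bridging protocols or other non-IP traffic must cross the firewall, an EtherType access list (for example `access-list L2 ethertype permit bpdu`) has to be applied to the interfaces as well.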
6. Next Generation Firewalls (NGFW)
NGFW is a relatively new term for the latest generation of firewalls with an advanced feature set. Beyond stateful filtering, such firewalls add in-depth security features such as intrusion prevention, application awareness and malware inspection to mitigate known threats. An example of a next-generation firewall is the Cisco ASA series with FirePOWER services. An NGFW provides visibility into network traffic, users, mobile devices, virtual machine (VM) to VM communication, and so on.
7. Personal Firewalls
Personal firewalls, also known as desktop firewalls, help protect end users' personal computers from common attacks by intruders. Such firewalls are an important line of defence for users who are constantly connected to the internet via DSL or cable modem. A personal firewall provides inbound and outbound filtering, controls internet connectivity to and from the computer and alerts the user to any intrusion attempts.