Firewalls – CompTIA A+ 220-1101 – 5.3

Let’s have a look at firewalls.

What Is A Firewall?
A firewall monitors and controls incoming and outgoing packets. The idea behind a firewall is that it attempts to keep your private network or computer safe from attack. Most networks have a private network that needs access to the internet.

Unfortunately, the internet is a public network, which contains black hat hackers who want to hack into your network. To prevent this from happening, a firewall is placed between the private network and the internet.

The firewall controls what traffic is allowed between the internet and the private network. Now, if the black hat hacker attempts to access the network, they will be denied access. Well, let’s hope they get denied. Firewalls allow and deny traffic based on rules. Let’s have a closer look.

Access Control Lists (ACL)
Firewalls have Access Control Lists or ACLs. ACLs are the rules that determine what traffic is allowed through the firewall. Each ACL entry contains a source IP address, destination IP address, protocol, port, and a permission. The permission will be either allow or deny. Sometimes the permissions go by slightly different names; for example, the deny permission may be called drop, but the result is the same.

Firewalls are based on the principle of implicit deny. This means that the default answer to whether network traffic is allowed through is no: anything that is not explicitly allowed is denied. ACLs are processed in the order they appear, from top to bottom, and the first rule that matches a packet decides what happens to it, so the order of the rules matters.

Some firewalls have a default rule at the bottom that enforces implicit deny by blocking all traffic, as seen in this rule set. The last rule denies all traffic from any source to any destination, regardless of protocol or port. In some firewalls, this rule is not visible but is still active. Some firewalls allow you to remove or modify the implicit deny while others will not. ACLs control traffic flow, and they can also be used on non-firewall devices such as routers and switches.

Packet Filtering
You most likely won’t be asked questions on packet filtering, but it is a good thing to understand when securing your network. Packet filtering allows or denies each packet based on the rules alone, looking at nothing but the packet in front of it. This may sound like the firewall rules that we just looked at, but there is an important difference between the two. To understand what it is, it is best to consider an example.

Let’s consider that there is a web server on the internet. A user on the network is attempting to communicate with the web server and is having trouble. There is a packet filtering device between them and the web server.

To test if the web server is still working, the user sends a ping to the server. The ping is allowed through the packet filtering device since there is a rule that allows pings through. Now, assuming the web server is configured to respond to the ping request, it will send a reply back. So far, everything is working as you would expect it to.

Let’s now consider that there is a black hat hacker who is attempting to cause disruptions to the user’s network. This is an old attack, and modern firewalls should stop it, but it is a good example of the techniques a hacker may use to get into your network.

The hacker will create a special reply packet. This packet is a reply packet for a ping request that was never sent. That is, it is not a reply to a ping packet the user sent out.

The hacker will then send the packet to the user. The packet filtering device will allow the response packet through even though it was never requested. This may not seem like a big deal, but consider if the hacker wanted to perform a denial of service attack. The hacker would send a large number of these packets to the user in a short period of time to disrupt the user from using the network. Hackers can also use attacks like these to gain access to the network. For example, they can modify a packet to appear like a ping reply packet when in fact it contains a different attack. Thus, you want to block any traffic that is not expected.

Now, let’s consider how a firewall handles these problems. Modern firewalls are stateful, meaning they keep a record of what traffic is going through the firewall. In the case of the ping, the firewall keeps a record of any ping requests that have left the network. When a reply is received by the firewall, the firewall will remove the record. Thus, any additional ping replies after this will automatically be rejected. Modern firewalls stop any traffic that is not expected.

The hacker once again creates a ping reply that was never requested and sends it to the firewall. This time, when the packet reaches the firewall, there is no record of a matching request, so it is denied. Here we see the advantage of stateful firewalls. Unlike simple packet filtering, a stateful firewall keeps track of the connection state: a reply to a request it has recorded is recognized as part of an existing communication and allowed through even without an explicit rule for it, while a reply that matches nothing is dropped. When you configure an ACL on a device like a router, keep this in mind. Unless the device is specifically designed to be a firewall, it most likely just performs packet filtering and won’t have this level of intelligence.
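The ACL processing described under Access Control Lists and the stateless versus stateful behaviour just described, as an added example that is not part of the lesson. It is a toy filter written in PowerShell: rules are checked top to bottom, a packet that matches nothing falls through to implicit deny, and a second function layers a state table for ping (ICMP echo) on top so that only replies to recorded requests get in. Every address, rule and packet in it is constructed for illustration.

```powershell
# Added example, not part of the lesson: a toy packet filter that shows ACLs
# processed top to bottom with implicit deny, then adds stateful tracking of
# ping (ICMP echo) request/reply pairs. Every address, rule and packet below
# is constructed for illustration.

function ConvertTo-IPv4Int {
    # Dotted-quad IPv4 address to a 32-bit integer (held in a long for easy masking)
    param([string]$Ip)
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = ($n -shl 8) -bor $b }
    return $n
}

function Test-AddressMatch {
    # Pattern is 'any', an exact address, or a CIDR prefix such as 192.168.1.0/24
    param([string]$Pattern, [string]$Address)
    if ($Pattern -eq 'any') { return $true }
    if ($Pattern -notmatch '/') { return $Pattern -eq $Address }
    $net, $bits = $Pattern -split '/'
    $all  = [long]([uint32]::MaxValue)
    $mask = ($all -shl (32 - [int]$bits)) -band $all
    return ((ConvertTo-IPv4Int $net) -band $mask) -eq ((ConvertTo-IPv4Int $Address) -band $mask)
}

function Find-Verdict {
    # Stateless packet filtering: the first matching rule wins; no match means implicit deny
    param([array]$Acl, [hashtable]$Packet)
    foreach ($rule in $Acl) {
        if (($rule.Proto -eq 'any' -or $rule.Proto -eq $Packet.Proto) -and
            ("$($rule.Port)" -eq 'any' -or "$($rule.Port)" -eq "$($Packet.Port)") -and
            (Test-AddressMatch $rule.Src $Packet.Src) -and
            (Test-AddressMatch $rule.Dst $Packet.Dst)) {
            return $rule.Action
        }
    }
    return 'deny'
}

function Invoke-StatefulFilter {
    # Stateful filtering: remember outbound echo requests that the ACL allowed and
    # accept a reply only if it matches one of them; the record is removed once used.
    param([array]$Acl, [hashtable]$State, [hashtable]$Packet)
    if ($Packet.Proto -eq 'icmp' -and $Packet.Type -eq 'echo-reply') {
        $key = "$($Packet.Dst)>$($Packet.Src):$($Packet.Id)"   # a reply reverses src and dst
        if ($State.ContainsKey($key)) { $State.Remove($key); return 'allow' }
        return 'deny'                                            # unsolicited or replayed reply
    }
    $verdict = Find-Verdict $Acl $Packet
    if ($verdict -eq 'allow' -and $Packet.Proto -eq 'icmp' -and $Packet.Type -eq 'echo-request') {
        $State["$($Packet.Src)>$($Packet.Dst):$($Packet.Id)"] = $true
    }
    return $verdict
}

# A stateless filter needs rule 3 so that replies to our own pings can get back in,
# and that is exactly the hole a forged reply walks through.
$statelessAcl = @(
    @{ Src = 'any';            Dst = '192.168.1.10';   Proto = 'tcp';  Port = 80;    Action = 'allow' }  # web server
    @{ Src = '192.168.1.0/24'; Dst = 'any';            Proto = 'icmp'; Port = 'any'; Action = 'allow' }  # our pings out
    @{ Src = 'any';            Dst = '192.168.1.0/24'; Proto = 'icmp'; Port = 'any'; Action = 'allow' }  # any ping in
    @{ Src = 'any';            Dst = 'any';            Proto = 'any';  Port = 'any'; Action = 'deny'  }  # explicit deny-all
)
$statefulAcl = $statelessAcl[0, 1, 3]   # no inbound ICMP rule; the state table handles replies

$state   = @{}
$request = @{ Src = '192.168.1.20'; Dst = '203.0.113.5';  Proto = 'icmp'; Port = 0;  Type = 'echo-request'; Id = 1 }
$reply   = @{ Src = '203.0.113.5';  Dst = '192.168.1.20'; Proto = 'icmp'; Port = 0;  Type = 'echo-reply';   Id = 1 }
$forged  = @{ Src = '198.51.100.9'; Dst = '192.168.1.20'; Proto = 'icmp'; Port = 0;  Type = 'echo-reply';   Id = 42 }
$web     = @{ Src = '198.51.100.9'; Dst = '192.168.1.10'; Proto = 'tcp';  Port = 80; Type = '';             Id = 0 }

"stateless, forged reply   : $(Find-Verdict $statelessAcl $forged)"
"stateful,  forged reply   : $(Invoke-StatefulFilter $statefulAcl $state $forged)"
"stateful,  our request    : $(Invoke-StatefulFilter $statefulAcl $state $request)"
"stateful,  real reply     : $(Invoke-StatefulFilter $statefulAcl $state $reply)"
"stateful,  replayed reply : $(Invoke-StatefulFilter $statefulAcl $state $reply)"
"stateless, web request    : $(Find-Verdict $statelessAcl $web)"

# Order matters: put the deny-all rule first and the web server becomes unreachable.
$misordered = @($statelessAcl[3]) + $statelessAcl[0..2]
"misordered, web request   : $(Find-Verdict $misordered $web)"
```

The forged reply passes the stateless ACL because rule 3 has to let ping replies in and cannot tell a real reply from a fake one; the stateful filter consults its table instead of a rule, so the same packet is dropped, the genuine reply is accepted exactly once, and a replay of it is dropped too. The final two lines show why rule order is part of the security design: the same rules with deny-all moved to the top block the web server.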

Now that we have an understanding of what firewalls can do, let’s have a look at some.

Software Firewall
One of the more common firewalls that you will come across is a software firewall. A software firewall is implemented in software, as the name suggests. Generally, it will be implemented by the operating system. There are third-party software firewalls that can be added to the operating system, but with the improvements in OS firewalls, these are not used as commonly as they used to be.

It is not recommended to switch off these firewalls as they help protect the computer from external and internal attacks. Let’s consider that there are two users connected to a company network behind a firewall. Each user has their OS firewall operating.

Now, let’s consider that one of the user’s computers has been infected by malware. Perhaps they used a USB stick they brought in from home or opened an e-mail attachment containing malware. If you are lucky, the OS firewall will stop the malware from spreading to other computers. In this case, the malware is able to get past the firewall and onto the network.

When the malware reaches the other computer, hopefully the OS firewall stops it from getting in. Host firewalls are generally configured to block unsolicited inbound traffic rather than to restrict what leaves the computer, which is why the infected machine could still send traffic out. Modern operating systems run stateful firewalls, which means that unless the traffic is expected (a reply to something the computer sent) or a rule allows it, it will be blocked. Thus, you should not disable the firewall running on the operating system. Let’s have a look at how to configure the Windows Firewall.

Windows Firewall
To configure the Windows Firewall, I will open the Start menu and search for “firewall.” In newer versions of Windows, the Firewall is part of Windows Defender. Windows Defender is an anti-malware component included with Windows.

Once Windows Defender Firewall is open, you will notice the sections at the top: private network and guest or public networks. When you are connected to a home network, you generally want a bit less security to allow you to connect to other services on your network like file sharing or printers. When you connect to somewhere like public Wi-Fi, you want a little more security. On public networks like Wi-Fi, you are unlikely to be connecting to other devices on the network, but there is a higher chance that someone on that network may try to hack into your computer, so you want the extra security.

You will notice the private network is currently not connected. When you connect to a new network, Windows will ask you what type of network it is. Currently, this computer is connected to “Guest or public network.”

On the left-hand pane, there is the option “Turn Windows Defender Firewall on or off.” This will take you to another screen where you can switch the firewall on or off; however, there are some other options there.

Notice the checkbox “Block all incoming connections, including those in the list of allowed applications.” When you are using public Wi-Fi, for example at the airport or coffee shop, you may want to consider switching this option on. This will stop any unrequested incoming connections from coming into the computer. A lot of the time when connecting to public Wi-Fi, the user will just want to surf the internet or access e-mails. There won’t be any requirement for applications to connect without the computer asking for it first. For company computers, this may be different, but perhaps they can wait until the computer is on a more secure connection.

I will exit out of here. Notice that the icon has changed to indicate that incoming connections are now blocked. By default, the firewall blocks unsolicited incoming connections. To allow an application through the firewall, select the option on the left pane “Allow an app or feature through Windows Defender Firewall.”

Once in this screen, it will show all the applications currently installed. To allow or disallow an application, you simply need to tick or untick a box. If your application is not listed, you can manually add it using the option at the bottom “Allow another app.”

This is the basic interface, which only lets you allow or disallow an application as a whole. It does not give you fine control, for example allowing or disallowing at the port level. Thus, it may not protect you if an application is hijacked. For example, if the application is only supposed to listen on certain ports and malware compromises it and opens additional ports, Windows Firewall will allow those additional ports too, because the rule is tied to the program rather than to a port.

If you want more control over the firewall rules, you can instead use the control panel “Windows Defender Firewall with Advanced Security.” This tool gives you fine control over creating inbound and outbound rules, including rules that limit a program to specific protocols and ports.
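The same settings the two control panels expose, applied from PowerShell, as an added example that is not part of the lesson. It uses the NetSecurity cmdlets that ship with Windows and must be run from an elevated prompt; the program path and port number are assumptions chosen for illustration. The point it demonstrates is the difference between the application-level allow rule the basic interface creates and the port-restricted rule the Advanced Security console lets you build.

```powershell
# Added example, not part of the lesson: the same settings the GUI exposes, applied
# from an elevated PowerShell prompt with the NetSecurity cmdlets built into Windows.
# The program path and port are assumptions chosen for illustration.

# Keep all three profiles switched on, with the default inbound action set to block
# (the implicit deny) and outbound traffic allowed, which is the Windows default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# The "Block all incoming connections, including those in the list of allowed applications"
# checkbox, applied to the Public profile only: existing inbound allow rules are ignored.
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# Equivalent of ticking an app in "Allow an app or feature": the program may accept
# inbound connections on any port it opens, on private networks.
New-NetFirewallRule -DisplayName 'Example Agent (any port)' -Direction Inbound -Action Allow `
    -Program 'C:\Program Files\Example\agent.exe' -Profile Private

# The tighter rule the Advanced Security console lets you build: same program, but only
# TCP 8443, so a hijacked process that starts listening on other ports gains nothing.
New-NetFirewallRule -DisplayName 'Example Agent (TCP 8443 only)' -Direction Inbound -Action Allow `
    -Program 'C:\Program Files\Example\agent.exe' -Protocol TCP -LocalPort 8443 -Profile Private

# Drop the broad rule once the narrow one is in place.
Remove-NetFirewallRule -DisplayName 'Example Agent (any port)'

# Review what is actually in effect: every enabled inbound allow rule with its profile,
# protocol and local ports, which is the list worth auditing on a laptop that roams.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
    }
} | Format-Table -AutoSize
```

The review at the end is the useful habit: rules accumulate as software is installed, and a rule scoped to a program with protocol Any and port Any is the kind the text warns about.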

This covers the basics of the Windows Firewall. I will now look at an example home router.

Home Router Example
This is an example home router. I will first login. Once I am logged in, I want to look at the firewall on this router. To do this, I will select the option on the left-hand side, “Firewall.”

Your router will most likely have different options and a different interface; however, this will give you an idea of what may be available.

The first option is to enable the firewall. You should leave this switched on. The only time you may switch it off is when the router sits behind a better, dedicated firewall that is filtering the traffic instead.

Some routers will have additional features to keep your network safe. In the case of this router, it has an option to “Enable DoS protection.” DoS stands for denial of service attack. A denial of service attack is when an attacker floods a network with malicious traffic, making it so services on that network become unusable.

In the case of this router, there is a link to tell you what it protects you from. Different routers will have different features. The first feature on this router is SYN-flooding protection. A SYN flood is when an attacker sends a large number of TCP connection requests (SYN packets) but never completes the handshake. This leaves a large number of half-open connections on a server, filling its connection table and preventing legitimate new connections from being made.

The next feature is “Port Scanner Protection.” Port scanning is when an attacker scans an IP address or network looking for accessible ports. Scanning ports gives the attacker information about what services are running on the network. Using this information helps the attacker know what attacks to use on the network.

Following this is “Ping of Death” protection. A ping of death is an oversized ping packet. The maximum size of an IPv4 packet is 65,535 bytes, and an attacker sends a ping whose fragments reassemble to more than that; older systems that did not check the size would crash or hang when they tried to reassemble it. The default ping payload is usually 32 to 56 bytes, depending on the operating system (32 on Windows, 56 on Linux), so a ping of death is vastly larger than normal. You can see in this case it will drop packets that are over 65,535 bytes.

You may be wondering why you can change the ping packet size at all. The reason for this is that large packets, when they go over the network, can be fragmented into smaller packets. When this occurs, it can affect certain network protocols like virtual private networks. When troubleshooting the network, you may want to change the packet size of ping packets to determine if the packets you are sending over the network are getting fragmented on their way to the destination.
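The fragmentation test just described, as an added example that is not part of the lesson. It is a PowerShell function around ping.exe that searches for the largest payload that crosses the path with the Don’t Fragment flag set, which tells you the path MTU and therefore whether packets of a given size will be fragmented on the way. The target address is an assumption; point it at your own gateway, VPN peer or server, and note that the -f flag is IPv4 only on Windows.

```powershell
# Added example, not part of the lesson: find the largest ping payload that reaches a host
# without being fragmented, using ping.exe's Don't Fragment flag (-f, IPv4 only on Windows).
# The target address is an assumption; point it at your own gateway, VPN peer or server.
function Find-MaxPingPayload {
    param(
        [string]$Target = '203.0.113.5',   # assumed test host
        [int]$Low  = 0,
        [int]$High = 1472                  # 1500-byte Ethernet MTU minus 20 IP + 8 ICMP header bytes
    )
    # ping.exe exits 0 when a reply came back and non-zero when none did, which is what
    # happens when a hop on the path needs to fragment a packet marked Don't Fragment.
    $null = & ping.exe -n 1 -w 1000 $Target
    if ($LASTEXITCODE -ne 0) { throw "$Target does not answer a plain ping; enable ping replies on it or pick another target" }

    # Binary search on the payload size: -f sets Don't Fragment, -l sets the payload length.
    while ($Low -lt $High) {
        $mid  = [int][math]::Ceiling(($Low + $High) / 2)
        $null = & ping.exe -n 1 -w 1000 -f -l $mid $Target
        if ($LASTEXITCODE -eq 0) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low
}

$payload = Find-MaxPingPayload
"Largest unfragmented payload to the target: $payload bytes (path MTU about $($payload + 28) bytes)"
```

If the result is noticeably below 1472, something on the path (a VPN tunnel or PPPoE link, typically) has a smaller MTU, and larger packets are being fragmented or dropped there; that is the number to feed into the tunnel or interface MTU setting.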

I will close this page and go back to the main page. You will notice the option “Logged packets type.” Different routers will have different logging abilities. Logging can reduce the performance of the router.

The last option configures whether the router responds to ping requests from the internet. For home users, you want to leave this disabled. Attackers ping ranges of addresses to discover devices to target, and not answering keeps the router off those lists, although this hides the router rather than protecting it; the firewall rules still do the real work. If you are using the router for business use on a remote site, you may want to enable this so your remote monitoring software can detect whether the router is operating.

Below this is whether the IPv6 firewall is enabled. If you are using IPv6, you should have this enabled. At the bottom, you can manually add rules for incoming traffic, for example to forward incoming web traffic to a web server on your network.

In the case of this router, it also has a “URL Filter.” This allows you to permit or deny particular URLs. If you want more control, there is an option for “Keyword Filter.” This will allow you to enter keywords rather than a full URL. The next option allows network services to be allowed or disallowed. For example, you could stop web traffic from going through the router, or you could limit it to certain times.

Different routers will have extra features that are unique to that router or manufacturer. In the case of this router, there is a section called “AI Protection.”

This is an important point in understanding the differences between different firewalls. Modern firewalls often come with additional features that go beyond just routing and filtering traffic. To access these features, I will select “Network Protection.”

This option opens a number of other tabs. The first one allows me to run an assessment and gives me some statistics. The next option is “Malicious Sites Blocking.” This will let you know what malicious sites it has detected and blocked.

Following this is “Infected Device Prevention and Blocking.” If a device on your network gets infected, the firewall will attempt to block it from communicating on the internet, for example when malware has made the device part of a botnet or is leaking personal information to an attacker.

The last option is “Parental Controls.” If you want to control when your children access the internet, you can use this option. You can see that home routers may have a lot of additional features to help you secure your network. It is worth having a look through it to see what options are available.

Let’s have a look at what sort of features a business may look for in a firewall.

Firewall Appliance
Businesses will often get a hardware device that is a dedicated firewall. This may be referred to as a firewall appliance since it is dedicated to being a firewall. These devices are often modular in nature, meaning they can be expanded.

Firewall appliances have a lot of features and can differ between models and manufacturers. The A+ exam won’t expect you to know too much about enterprise networking, but the following topics are still listed, although I doubt you will get a question on them.

These devices may include an Intrusion Detection System or IDS. An IDS attempts to detect known attacks and unauthorized login attempts. The specifics of your device will determine what it may be able to detect. It should be pointed out that an IDS only detects and alerts on these attacks; it does not stop them.

To prevent attacks, there is an Intrusion Prevention System or IPS. This system attempts to detect an attack in progress and stop it. Keep in mind, it may be able to stop the attack, but there is no guarantee it will be able to.

Running systems like this can reduce network performance, which is another good reason to use a hardware firewall. You can also understand why companies will spend a lot of money on firewalls with a lot of processing power. Once you start adding extra features and services, the processing power required starts to add up.

End Screen
That concludes this video on firewalls. I hope you have found this video informative. Until the next video from us, I would like to thank you for watching.

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk
