Saturday, July 1, 2017

About Internet Firewalls

A firewall is primarily designed to reduce the surface that hosts expose to unauthorised network attacks. Installing a firewall, either at the ingress gateway or on the host itself, gives the administrator granular control over every network communication protocol that passes through it. Firewalls have been through at least three evolutions. The first generation were mere packet filters that intercepted network traffic passing through and compared its packet headers against a custom ruleset. The second generation added a stateful table to track all packet and datagram sessions, which made it possible to control the flow of handshake and teardown of communication protocols, an important factor in preventing Denial of Service (DoS) attacks. The third generation built further on application intelligence: a hybrid of application proxies and stateful inspection technology. In this article, we will discuss the general approach firewalls take to protecting a network from malicious attack.

Figure depicts typical firewall layout

The first phase of an intrusion usually begins with enumeration or probing. Finding out as much as possible about the intended target is essential to infiltrating it successfully. For example, a hacker usually runs a port scan against a target to identify the services and ports that are reachable. Once these are identified, the next step is to probe them for flaws or typical misconfigurations. Only after accurately fingerprinting the exact communication protocol and its inner workings does the hacker have an idea of how to exploit it further. This is where a firewall comes into the defence.


Figure depicts firewall handling incoming TCP handshake.

A firewall has a defined ruleset to control the directional flow of all network communication protocols passing through it. It controls TCP/IP handshakes, dropping any communication that does not conform to the standard protocol. When a hacker tries to probe, the firewall detects the abnormality and denies the probe from enumerating the hosts behind it any further. A firewall is not designed to stop hackers entirely: if a service protocol is allowed to pass through, that service remains susceptible to further attack. This usually happens with common protocols such as HTTP, which are publicly allowed, and is why web servers are so commonly compromised or defaced.

Another role of the firewall is to stop Denial of Service (DoS) attacks. A DoS attack happens when a server receives huge amounts of requests that overwhelm its resources, resulting in service degradation or total disruption. A common attack is to utilise hundreds of previously compromised hosts, called bots, to send huge amounts of requests to the same host or network simultaneously; this is usually referred to as a Distributed Denial of Service (DDoS) attack. A properly configured firewall can detect the abnormality either via unusual fluctuations in the volume of requests or via the spoofed IP addresses thrown at it. A stateful firewall maintains a connection table that tracks each connection, unpacking and inspecting every packet that comes through it against that table.
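As an added illustration of the two paragraphs above (example code written for this article, not taken from any firewall product): a small Python ingress filter that combines a static port ruleset with a connection table following the TCP handshake and teardown, and drops a port-scan probe, a stray ACK with no session, and a SYN flood once a per-source half-open limit is reached. `Packet`, `StatefulFirewall`, `SYN_FLOOD_LIMIT` and the TEST-NET addresses are all constructed for the example.

```python
from collections import namedtuple

SYN_FLOOD_LIMIT = 3  # assumed: half-open connections tolerated per source

# Constructed packet model: only the header fields a packet filter examines.
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of SYN/ACK/FIN/RST

class StatefulFirewall:
    """Static port ruleset (1st gen) plus a connection table that follows
    the TCP handshake (2nd gen). Assumed design, not any vendor's."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = {}      # (src, sport, dst, dport) -> handshake state
        self.half_open = {}  # src -> SYNs whose handshake never completed

    def filter(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        state = self.table.get(key)
        if p.flags == {"SYN"}:  # new connection attempt
            if p.dport not in self.allowed_ports or state is not None:
                return "DROP"  # probe of an unexposed port, or duplicate SYN
            if self.half_open.get(p.src, 0) >= SYN_FLOOD_LIMIT:
                return "DROP"  # too many half-open sessions: SYN flood
            self.table[key] = "SYN_RECEIVED"
            self.half_open[p.src] = self.half_open.get(p.src, 0) + 1
            return "ACCEPT"
        if state is None:
            return "DROP"  # ACK/FIN/RST with no tracked session
        if state == "SYN_RECEIVED" and p.flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"  # handshake completed
            self.half_open[p.src] -= 1
            return "ACCEPT"
        if state == "ESTABLISHED":
            if p.flags & {"FIN", "RST"}:
                del self.table[key]  # teardown: forget the session
            return "ACCEPT"
        return "DROP"  # anything else does not conform to the handshake

def demo():
    """Replay constructed traffic against the filter and return its verdicts."""
    fw = StatefulFirewall(allowed_ports={80, 443})
    pkt = lambda src, sport, dport, *f: Packet(src, sport, "192.0.2.10", dport, frozenset(f))
    return {
        "handshake": [fw.filter(pkt("203.0.113.5", 40000, 80, "SYN")),
                      fw.filter(pkt("203.0.113.5", 40000, 80, "ACK"))],
        "probe_445": fw.filter(pkt("198.51.100.7", 40001, 445, "SYN")),
        "stray_ack": fw.filter(pkt("198.51.100.7", 40002, 80, "ACK")),
        "syn_flood": [fw.filter(pkt("198.51.100.9", 50000 + i, 80, "SYN")) for i in range(5)],
    }
```

The half-open counter keys on the source address, so it only catches a flood from a single unspoofed source; a flood using spoofed addresses needs the volume-based detection the paragraph mentions, such as a global cap on half-open sessions.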

Firewalls have evolved and continue to evolve; some provide advanced intelligence such as deep packet inspection, threat analysis and intrusion prevention built in. Such firewalls are a successful hybrid of application proxy and stateful inspection technology. They can inspect the application layer of common unencrypted protocols such as HTTP, FTP, ICMP, SMTP, POP3, IMAP, DNS, etc. The wide adoption of TLS/SSL encryption poses a challenge for application-aware firewalls: the firewall has to act as a man-in-the-middle (MitM), proxying SSL certificates, in order to inspect the packets. Doing so further weakens the encryption between these hosts and, in my opinion, is not to be encouraged.




Figure depicts the MitM proxy of SSL traffic between client and server.


Firewalls are about controlling the directional flow of network communication protocols, thus limiting the attack vectors against the hosts behind them. Firewalls are a staple solution for any Internet-facing host, and most modern Windows versions ship with a built-in firewall activated by default. This makes common attacks difficult for hackers, which is why methods of intrusion are also evolving towards client-side attacks, e.g. phishing, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Such attacks are initiated from the client host, and firewall rules are commonly lax for outgoing or trusted connections, which grants the hacker an opportunity to carry out devious deeds. For example, an unsuspecting user is sent a malicious Word document as an email attachment claiming to be from his boss. He will most likely open it, and the malicious code embedded in it will exploit a vulnerability such as a Remote Code Execution (RCE) bug in SMBv1 on his Windows OS, triggering it to execute malware that encrypts the contents of his hard drive and propagates itself to other hosts on his internal network via the same vulnerable service (SMBv1).


It is imperative that firewalls are kept independent of any dynamic routing protocol to avoid poisoning of routes. Such activity is detrimental, since it can be used to influence the access controls that safeguard the network and the hosts behind it.





