Firewalls: educational notes

The number of incidents related to information security, according to leading analytical agencies, is constantly increasing. Information security specialists note the increasing activity of external intruders using the latest developments in the field of attack, trying to penetrate corporate networks to carry out their "dirty" deeds. They are not limited to stealing information or disabling network nodes. It is not uncommon for hacked networks to be used to launch new attacks. Therefore, protecting the perimeter of the information system is a mandatory element of the organization's information security system.

At the same time, in order to determine the composition of the perimeter protection components that provide the minimum (initial) level of information security, it is necessary to analyze the most common threats to the organization's information resources:
network attacks aimed at unavailability of information resources (for example, web servers, e-mail services, etc.) - DoS and DDoS attacks;
compromise of information resources and escalation of privileges both by insiders and external intruders, both for the purpose of using your resources, and for the purpose of causing damage;
actions of malicious program code (viruses, network worms, trojans, spyware, etc.);
leakage of confidential information and data theft both through the network (e-mail, FTP, web, etc.) and through external media;
various network attacks on applications.

To minimize threats to information security, it is necessary to implement firewalls at different levels of the OSI model, as shown in the table.

Table. Firewalls and OSI Models

The operation of all firewalls is based on the use of information from different levels of the OSI model (table). The OSI model, developed by the International Organization for Standardization, defines seven levels at which computer systems interact with each other, from the level of the physical data transmission medium to the level of application programs used for communication. In general, the higher the level of the OSI model at which the firewall filters packets, the higher the level of protection it provides.

The following methods of traffic control between the local and external networks can be selected:
1. Packet filtering - based on a configured set of filters. Depending on whether the incoming packet satisfies the conditions specified in the filters, it is allowed into the network or discarded.
2. TCP connection translator - this class of gateway receives an authorized client's request for a specific service and, after verifying the validity of the requested session, establishes a connection to the destination (external host). The gateway then copies packets in both directions without filtering them. As a rule, the destination is fixed in advance, while there can be many sources. Using different ports, a variety of connection configurations can be created. This type of gateway allows you to create a TCP connection translator for any user-defined TCP-based service, control access to that service and collect statistics on its use.
3. Proxy server - an additional proxy server device is installed between the local and external networks and serves as a "gate" through which all incoming and outgoing traffic must pass.
4. Stateful inspection - inspection of incoming traffic, one of the most advanced ways to implement a firewall. Inspection does not mean analysis of the entire packet, but only of its key part, which is compared with previously known values from a database of allowed resources. This method provides the highest firewall performance and lowest latency.

The principle of operation of the firewall is based on the control of traffic coming from outside.

A firewall can be implemented in hardware or software. The specific implementation depends on the scale of the network, the amount of traffic, and the required tasks. The most common type of firewalls is software. In this case, it is implemented as a program running on the destination PC or on an edge network device, such as a router. In the case of a hardware implementation, a firewall is a separate network element that usually has greater performance capabilities, but performs similar tasks.

The firewall allows you to configure filters that are responsible for passing traffic according to the following criteria:
1. IP address. As you know, any end device operating over the IP protocol must have a unique address. By setting some address or a certain range, you can prohibit receiving packets from them, or, conversely, allow access only from these IP addresses.
2. Domain name. As you know, a site on the Internet, or rather its IP address, can be assigned an alphanumeric name, which is much easier to remember than a set of numbers. Thus, the filter can be configured to pass traffic only to/from one of the resources, or deny access to it.
3. Port. We are talking about software ports, i.e. application access points to network services. So, for example, ftp uses port 21, and applications for browsing web pages use port 80. This allows you to prohibit access from unwanted services and applications on the network, or, conversely, allow access only to them.
4. Protocol. The firewall can be configured to pass only one protocol, or to deny access using it. Typically, the protocol type indicates what tasks it is used for and what security settings it employs. Thus, access can be configured to work with only one specific application, preventing potentially dangerous access using all other protocols.

The above lists only the main parameters that can be adjusted. Other network-specific filter options may also apply, depending on the tasks performed on that network.

Thus, the firewall provides a comprehensive set of tasks to prevent unauthorized access, damage or theft of data, or other negative impact that may affect network performance. Typically, a firewall is used in conjunction with other protection tools, such as antivirus software.

Create a filtering policy for firewalls
There are two main ways to create firewall rule sets: "inclusive" and "exclusive". An exclusive firewall allows all traffic to pass, except for traffic that matches the set of rules. An inclusive firewall works in exactly the opposite way: it only allows traffic that matches the rules and blocks everything else.

An inclusive firewall provides a much greater degree of control over outgoing traffic. Therefore, an inclusive firewall is the best choice for systems that provide services on the Internet. It also controls the type of traffic generated outside and directed to your private network. Traffic that does not fall into the rules is blocked, and the corresponding entries are made in the log file. Inclusive firewalls are generally more secure than exclusive firewalls because they greatly reduce the risk of firewalls passing unwanted traffic.

Security can be further enhanced using a "stateful firewall". Such a firewall saves information about open connections and only allows traffic through open connections or the opening of new connections. The disadvantage of a stateful firewall is that it can be vulnerable to Denial of Service (DoS) attacks if many new connections are opened very quickly. Most firewalls allow you to combine stateful and stateless behavior, allowing you to create the optimal configuration for each specific system.

As an example, consider creating filter rules in a simple packet filter. There are several possible options when filtering packets. The simplest is address filtering; it consists of comparing the addresses in the packet with the addresses specified in the rules. If the addresses match, the packet is passed. This comparison is made as follows:

1. Consider the following rule: all hosts on the 10.1.x.x network can communicate with hosts on the 10.2.x.x network. This rule is written as follows:

10.1.0.0 & 255.255.0.0 - 10.2.0.0 & 255.255.0.0
        Source                   Destination

Now apply the rule to a packet that is sent from host 10.1.1.2 to host 10.3.7.7. Apply the mask to both addresses, the address in the rule and the address in the packet, and then check whether the source and destination addresses are the same. As a result, we will have:

For source address:

10.1.0.0 & 255.255.0.0 = 10.1.0.0 (for the rule)
10.1.1.2 & 255.255.0.0 = 10.1.0.0 (for the packet)

After applying the mask, both addresses match. Now check the destination address:

10.2.0.0 & 255.255.0.0 = 10.2.0.0 (for the rule)
10.3.7.7 & 255.255.0.0 = 10.3.0.0 (for the packet)

Since the destination addresses of the packet and the rule do not match after applying the mask, this rule should not be applied to this packet.

This operation is performed over the entire list of source and destination addresses and masks until the end of the list is reached or until the packet matches one of the rules. The list of rules has the following format:

10.1.1.2 & 255.255.255.255 — 10.2.0.0 & 255.255.0.0
10.3.3.2 & 255.255.255.255 — 10.1.2.1 & 255.255.255.255
10.1.1.0 & 255.0.0.0 — 10.2.3.0 & 255.255.255.0
10.1.0.0 & 255.255.0.0 — 10.2.0.0 & 255.255.0.0

In addition to the source and destination addresses, each IP packet contains information about the protocol and service used. It can be used as an additional filtering parameter.

For example, services in the TCP protocol are always associated with a port. As a result, you can match the list of ports with addresses.

Let's use for example two well-known services - POP3 and HTTP. POP3 uses port 110 and HTTP uses port 80. Therefore, we can add these ports to the rule description. As a result, we get:

10.1.0.0 & 255.255.0.0 - 10.2.0.0 & 255.255.0.0 TCP 80 110
        Source                   Destination        Protocol - Ports

This rule allows every packet traveling from the 10.1.x.x network to the 10.2.x.x network using the HTTP and POP3 services to pass through the firewall.

First, the addresses from the rule are compared with the addresses of the packet. If both addresses match after the mask is applied, the protocol and destination port in the packet will be compared to the protocol and port list described in the rule. If the protocol matches and the port in the rule is the same as the packet's port, then the packet matches the rule. Otherwise, the search will continue in the list of rules.

With this new information, the ruleset will have the following format:

10.1.1.2 & 255.255.255.255 - 10.2.0.0 & 255.255.0.0 UDP 53
10.3.3.2 & 255.255.255.255 - 10.1.2.1 & 255.255.255.255 TCP 80
10.1.1.0 & 255.0.0.0 - 10.2.3.0 & 255.255.255.0 TCP 21 20 113
10.1.0.0 & 255.255.0.0 - 10.2.0.0 & 255.255.0.0 ICMP 0 8

In addition to these basic filtering options, you can add a few more. One is the source network interface; using the name of the network interface as a filtering parameter, you can allow packets with specific addresses to pass only from the specified interface.

The purpose of this procedure is to block an attack known as IP spoofing, the essence of which is that a packet with a fake source address (from the internal network) is sent to the internal network. By using the network interface name as a parameter, this type of attack can be easily blocked. For example, if the internal network communicates with the firewall through the de0 interface, then it is only necessary to set in the rules that packets with a source address from the internal network should be accepted only if they came from this interface; in all other cases they will be discarded.
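The matching procedure described above (mask both addresses, compare, then check protocol and port, first match passes, no match drops) together with the ingress-interface check, as an added example that is not code from the original text. Rules and addresses are the page's own; the "in IFACE" suffix, the interface name de1 and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Rule:
    src_net: int
    src_mask: int
    dst_net: int
    dst_mask: int
    proto: Optional[str] = None                                # None: any protocol
    ports: FrozenSet[int] = field(default_factory=frozenset)   # empty: any port/type
    iface: Optional[str] = None                                # None: any ingress interface


def ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def masked(addr: str, mask: str) -> str:
    """Apply a mask to an address, as in the worked example (10.3.7.7 & 255.255.0.0)."""
    return str(ipaddress.IPv4Address(ip2int(addr) & ip2int(mask)))


def parse_rule(line: str) -> Rule:
    """Parse 'SRC & MASK - DST & MASK [PROTO PORT ...] [in IFACE]'.
    The 'in IFACE' part is an addition for the interface criterion."""
    t = line.replace("\u2014", "-").split()
    src, src_mask, dst, dst_mask, rest = t[0], t[2], t[4], t[6], t[7:]
    iface = None
    if len(rest) >= 2 and rest[-2] == "in":
        iface, rest = rest[-1], rest[:-2]
    proto = rest[0].upper() if rest else None
    ports = frozenset(int(p) for p in rest[1:])
    return Rule(ip2int(src), ip2int(src_mask), ip2int(dst), ip2int(dst_mask),
                proto, ports, iface)


def addr_match(net: int, mask: int, addr: int) -> bool:
    # Both the rule address and the packet address are masked before comparing.
    return (net & mask) == (addr & mask)


def rule_matches(rule: Rule, pkt: Dict) -> bool:
    if not addr_match(rule.src_net, rule.src_mask, ip2int(pkt["src"])):
        return False
    if not addr_match(rule.dst_net, rule.dst_mask, ip2int(pkt["dst"])):
        return False
    if rule.proto is not None and rule.proto != pkt["proto"].upper():
        return False
    # For TCP/UDP "port" is the destination port; the page lists ICMP message
    # types in the same position, so an ICMP packet carries its type there.
    if rule.ports and pkt.get("port") not in rule.ports:
        return False
    if rule.iface is not None and rule.iface != pkt.get("iface"):
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Dict) -> str:
    """First matching rule passes the packet; no match means drop (inclusive policy)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "PASS"
    return "DROP"


# Rule set from the page with the ingress interface added: de0 faces the internal
# network (as in the text); de1 is a constructed name for the external interface.
RULES = [parse_rule(line) for line in [
    "10.1.1.2 & 255.255.255.255 - 10.2.0.0 & 255.255.0.0 UDP 53 in de0",
    "10.3.3.2 & 255.255.255.255 - 10.1.2.1 & 255.255.255.255 TCP 80 in de1",
    "10.1.1.0 & 255.0.0.0 - 10.2.3.0 & 255.255.255.0 TCP 21 20 113 in de0",
    "10.1.0.0 & 255.255.0.0 - 10.2.0.0 & 255.255.0.0 TCP 80 110 in de0",
    "10.1.0.0 & 255.255.0.0 - 10.2.0.0 & 255.255.0.0 ICMP 0 8 in de0",
]]

if __name__ == "__main__":
    # Constructed sample packets: the page's mismatch case, a legitimate POP3
    # packet, and the same packet arriving on the wrong (external) interface.
    demo = [
        {"src": "10.1.1.2", "dst": "10.3.7.7", "proto": "TCP", "port": 80, "iface": "de0"},
        {"src": "10.1.5.5", "dst": "10.2.9.9", "proto": "TCP", "port": 110, "iface": "de0"},
        {"src": "10.1.5.5", "dst": "10.2.9.9", "proto": "TCP", "port": 110, "iface": "de1"},
    ]
    for p in demo:
        print(p, "->", filter_packet(RULES, p))
```

Note that the third rule's 255.0.0.0 source mask, copied from the page, matches any 10.x.x.x source, which the test below makes visible.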


Section 5. Question 8. (53) Firewalls.

A firewall (ME) is a local (single-component) or functionally distributed software (or software and hardware) tool (complex) that implements control over information entering and/or leaving the AS. The ME ensures the protection of the AS by filtering information, i.e. analyzing it according to a set of criteria and deciding on its distribution to (from) the AS on the basis of the given rules, thus delimiting the access of subjects from one AS to objects of another AS. Each rule prohibits or permits the transfer of certain types of information between subjects and objects. As a consequence, subjects from one AS only get access to authorized information objects of another AS. The set of rules is interpreted by a series of filters that allow or deny the transmission of data (packets) to the next filter or protocol layer.

(definition from RD ME)

Firewalls - complex software or hardware that allows, at the proper level of security, to control the quantity and quality of network packets passing through it. The firewall analyzes network traffic based on a certain set of rules, according to which all data is filtered.

(the definition is simplified for memorization, Habr)

Thus, the main task of the ME (firewall) is the protection of individual nodes or whole computer networks from unauthorized third-party access, which could use the data for its own purposes or cause irreparable harm to the owner of the network. That is why firewalls are also called filters: they do not let through data packets that do not fit the criteria specified in the configuration. Network traffic can be filtered at any layer of the OSI model. Information from different layers can be used as criteria: port numbers, data field content, sender/receiver address.

State information technology control authorities define the firewall more specifically, as one component of an extensive information security system that includes a number of additional features to ensure its effective operation. Purchasing a firewall is optional for a network owner. Despite the fact that the owner is fully responsible for the safety of confidential information, at the moment such protection systems are not widespread at the proper level in the Russian Federation. Ideally, one should be deployed in every internal network in order to monitor incoming and outgoing information flows around the clock. An information security monitoring system replaces additional network security tools to some extent, but this is not enough to qualify a personal security system as a set of high-level hardware.

(Habr)

For the curious, certification issues are well described at http://habrahabr.ru/post/246193/

A firewall (ME) performs the function of delimiting information flows at the border of the protected automated system. This allows you to:

Increase the security of objects in the internal environment by ignoring unauthorized requests from the external environment;

Control information flows to the external environment;

Ensure registration of information exchange processes.

Control of information flows is carried out through information filtering, i.e. analyzing it according to a set of criteria and making a decision on its distribution into or out of the AS.

Depending on the principles of functioning, there are several firewall classes. The main classification feature is the level of the ISO/OSI model at which the ME operates.

1. Packet filters.

The simplest class of firewalls, operating at the network and transport layers of the ISO/OSI model. Packet filtering is usually carried out according to the following criteria:

  • source IP address;
  • destination IP address;
  • source port;
  • destination port;
  • specific settings in network packet headers.

Filtering is implemented by comparing the listed parameters of network packet headers with the base of filtering rules.

Packet filtering firewalls can also be software packages based on general purpose operating systems (such as Windows NT and Unix) or firewall hardware platforms. The firewall has several interfaces, one for each of the networks to which the firewall is connected. Similar to application layer firewalls, the delivery of traffic from one network to another is determined by a set of policy rules. If a rule does not explicitly allow certain traffic, then the corresponding packets will be rejected or discarded by the firewall. Policy rules are enforced using packet filters. The filters examine the packets and determine whether the traffic is allowed according to the policy rules and the protocol state (stateful inspection). If the application protocol runs over TCP, determining the state is relatively easy, since TCP itself maintains state. This means that when the protocol is in a certain state, only certain packets are allowed to be transmitted.

Let's take the connection setup sequence as an example. The first packet expected is a SYN packet. The firewall detects this packet and puts the connection in the SYN state. In this state, one of two packets is expected: either a SYN/ACK (acknowledgement of the packet and acceptance of the connection) or an RST packet (connection reset because the receiver refused the connection). If other packets appear on this connection, the firewall will discard or reject them as they do not fit this connection state, even if the connection is allowed by the rule set. If the protocol is UDP, the packet filtering firewall cannot use an inherent protocol state; instead it tracks the state of the UDP traffic itself. Typically, the firewall receives an outbound UDP packet and waits, for a certain amount of time, for an incoming packet from the recipient that matches the original packet by address and port. If such a packet is received within this time interval, it is allowed through. Otherwise, the firewall determines that the UDP traffic is not a response to a request and discards it. When using a packet filtering firewall, connections are not terminated at the firewall but are routed directly to the end system. When packets arrive, the firewall determines from the policy rules and the state of the connection whether the given packet is allowed. If so, the packet is sent along its route. Otherwise, the packet is rejected or dropped.
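The tracking described in this paragraph (a bare SYN opens an entry, only SYN/ACK or RST fit the SYN state, UDP replies are accepted only within a window after a request), as an added toy implementation that is not code from the original text. Packets are dicts constructed by the caller; the 30-second UDP window and the allow_new policy callback are assumptions.

```python
from typing import Callable, Dict, Tuple

UDP_TIMEOUT = 30.0   # seconds to wait for a matching UDP reply (assumed value)

Key = Tuple[str, str, int, int, str]   # (src, dst, sport, dport, proto)


def _key(pkt: Dict) -> Key:
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])


def _reverse(key: Key) -> Key:
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)


class StatefulFilter:
    """Tracks TCP connections and UDP request/response pairs through the firewall.
    allow_new(pkt) is the static policy check, applied only to packets that open
    a connection; everything afterwards is decided by the recorded state."""

    def __init__(self, allow_new: Callable[[Dict], bool]) -> None:
        self.allow_new = allow_new
        self.tcp: Dict[Key, str] = {}      # initiator's key -> "SYN" | "ESTABLISHED"
        self.udp: Dict[Key, float] = {}    # request key -> deadline for the reply

    def handle(self, pkt: Dict, now: float = 0.0) -> str:
        """Return "PASS" or "DROP" for one packet."""
        if pkt["proto"] == "TCP":
            return self._tcp(pkt)
        if pkt["proto"] == "UDP":
            return self._udp(pkt, now)
        return "DROP"

    def _tcp(self, pkt: Dict) -> str:
        flags = frozenset(pkt["flags"])
        key = _key(pkt)
        rkey = _reverse(key)
        if key in self.tcp:                      # packet from the initiator
            state, direction = self.tcp[key], "fwd"
        elif rkey in self.tcp:                   # packet from the responder
            state, direction, key = self.tcp[rkey], "rev", rkey
        else:
            state, direction = None, "fwd"
        if state is None:
            # No connection yet: only a bare SYN that the policy allows may open one.
            if flags == {"SYN"} and self.allow_new(pkt):
                self.tcp[key] = "SYN"
                return "PASS"
            return "DROP"
        if state == "SYN":
            # In SYN state only the responder's SYN/ACK or RST fits; drop all else.
            if direction == "rev" and flags == {"SYN", "ACK"}:
                self.tcp[key] = "ESTABLISHED"
                return "PASS"
            if direction == "rev" and "RST" in flags:
                del self.tcp[key]
                return "PASS"
            return "DROP"
        # ESTABLISHED: both directions pass; FIN or RST tears the entry down.
        if "RST" in flags or "FIN" in flags:
            del self.tcp[key]
        return "PASS"

    def _udp(self, pkt: Dict, now: float) -> str:
        key = _key(pkt)
        rkey = _reverse(key)
        if rkey in self.udp:
            # A reply matching an earlier request by addresses and ports.
            deadline = self.udp.pop(rkey)
            return "PASS" if now <= deadline else "DROP"
        if self.allow_new(pkt):
            self.udp[key] = now + UDP_TIMEOUT   # remember the request, await the reply
            return "PASS"
        return "DROP"   # unsolicited UDP: not a response to anything we saw
```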

Packet filtering firewalls do not use access modules for each protocol and can therefore be used with any protocol operating over IP. Some protocols require the firewall to recognize what they are doing. For example, FTP uses one connection for the initial login and commands, and another for file transfers. The connections used for file transfers are established as part of the FTP connection, and therefore the firewall must be able to read the traffic and determine the ports that will be used by the new connection. If the firewall does not support this function, file transfer is not possible.

Packet filtering firewalls have the ability to support more traffic because they do not have the overhead of the additional configuration and computation that takes place in software access modules. Firewalls that work only through packet filtering do not use access modules, and therefore traffic is transmitted from the client directly to the server. If the server is attacked through an open service allowed by the firewall policy rules, the firewall will not react to the attack in any way. Packet filtering firewalls also expose the internal addressing structure to the outside. Internal addresses cannot be hidden, as connections are not terminated by the firewall.

2. Session level gateways

These firewalls operate at the session layer of the ISO/OSI model. Unlike packet filters, they can control the admissibility of a communication session by analyzing the parameters of the session-layer protocols. Therefore, the session layer gateways include filters that cannot be identified with either the network, or the transport, or the application layer. Session-level filters have several varieties depending on their functional features, but such a classification is rather arbitrary, since their capabilities overlap in many respects. It should be remembered that firewalls include session-level gateways of all or most types.

SYN and ACK bit control. A number of filters allow you to monitor the SYN and ACK bits in TCP packets. All of them are designed to deal with SYN-flooding attacks (see the sidebar "The SYN-flooding Attack"), but they use different approaches. The simplest filter prohibits the transmission of TCP packets with a SYN bit, but without an ACK bit, from the public network to computers on the internal network, unless the latter have been explicitly declared servers for the external network (or at least for a certain group of computers on the external network). Unfortunately, such a filter does not help against SYN-flooding attacks on machines that are servers for the external network, but located on the internal network.

For these purposes, specialized filters with a multi-stage connection establishment order are used. For example, the SYNDefender Gateway filter of the Check Point FireWall-1 firewall works as follows. Suppose an external computer Z tries to establish a connection with an internal server A through the ME. The connection establishment procedure is shown in Figure 2. When the ME receives a SYN packet from computer Z (step 1), this packet is forwarded to server A (step 2). In response, server A sends a SYN/ACK packet to computer Z, but the firewall intercepts it (step 3). Next, the ME forwards the received packet to computer Z and, in addition, sends an ACK packet to server A on behalf of computer Z (step 4). Because server A receives this response quickly, the memory the server allocates for establishing new connections never fills up, and the SYN-flooding attack does not work.

What happens next depends on whether computer Z actually initiated a connection to server A. If so, then computer Z will send an ACK packet to server A, which passes through the ME (step 5a). Server A will ignore the second ACK packet. Then the firewall will freely pass packets between computers A and Z. If the firewall does not receive an ACK packet or the connection establishment timeout expires, it will send a RST packet to server A that cancels the connection (step 5b).
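The exchange in steps 1 to 5b above as a simulation with both sides' messages, added here as an example; it is not Check Point's code. Host names Z and A, the spoofed peer names, the timeout and the trace format are constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

Trace = Tuple[str, str, str]   # (sender, receiver, flags) for every packet on the wire


class ServerA:
    """Model of server A: a table of half-open (SYN received) and established peers."""

    def __init__(self) -> None:
        self.half_open: Set[str] = set()
        self.established: Set[str] = set()

    def on_packet(self, peer: str, flags: str) -> Optional[str]:
        if flags == "SYN":
            self.half_open.add(peer)          # memory for a new connection is used here
            return "SYN/ACK"
        if flags == "ACK" and peer in self.half_open:
            self.half_open.discard(peer)      # handshake completed
            self.established.add(peer)
        elif flags == "RST":
            self.half_open.discard(peer)
            self.established.discard(peer)
        return None                           # a second ACK (step 5a) is simply ignored


class SynDefenderGateway:
    """The ME between external hosts and server A."""

    def __init__(self, server: ServerA, timeout: float) -> None:
        self.server = server
        self.timeout = timeout
        self.pending: Dict[str, float] = {}   # peer -> deadline for the peer's own ACK
        self.open: Set[str] = set()           # peers whose connection is verified
        self.trace: List[Trace] = []

    def from_external(self, peer: str, flags: str, now: float) -> str:
        """Handle one packet from external host `peer`; return what goes back to it."""
        if flags == "SYN" and peer not in self.pending and peer not in self.open:
            self.trace += [(peer, "ME", "SYN"), ("ME", "A", "SYN")]         # steps 1-2
            reply = self.server.on_packet(peer, "SYN")                     # A: SYN/ACK
            self.trace += [("A", "ME", reply), ("ME", peer, reply)]         # step 3
            self.trace.append(("ME", "A", "ACK"))                           # step 4
            self.server.on_packet(peer, "ACK")        # ME completes A's handshake
            self.pending[peer] = now + self.timeout
            return reply
        if flags == "ACK" and peer in self.pending:
            del self.pending[peer]                                          # step 5a
            self.open.add(peer)
            self.trace.append((peer, "A", "ACK"))
            self.server.on_packet(peer, "ACK")        # A ignores this duplicate ACK
            return "PASS"
        if peer in self.open:
            self.trace.append((peer, "A", flags))     # free relay after verification
            self.server.on_packet(peer, flags)
            return "PASS"
        return "DROP"

    def expire(self, now: float) -> List[str]:
        """Step 5b: peers that never sent their ACK are reset on A's side."""
        reset = [p for p, deadline in self.pending.items() if now >= deadline]
        for peer in reset:
            del self.pending[peer]
            self.trace.append(("ME", "A", "RST"))
            self.server.on_packet(peer, "RST")
        return reset


def syn_flood_outcome(attackers: int, timeout: float = 5.0) -> Tuple[int, int, int]:
    """Constructed scenario: `attackers` spoofed hosts each send a SYN and never
    answer, while one real client Z completes the handshake. Returns
    (half-open entries on A during the flood, established on A after the
    timeouts expire, verified connections at the ME)."""
    a = ServerA()
    me = SynDefenderGateway(a, timeout)
    for i in range(attackers):
        me.from_external(f"spoof{i}", "SYN", now=0.0)
    me.from_external("Z", "SYN", now=0.0)
    me.from_external("Z", "ACK", now=1.0)
    half_open_during = len(a.half_open)
    me.expire(now=timeout)
    return half_open_during, len(a.established), len(me.open)
```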

Filters for monitoring the state of the communication channel.

Network filters (network layer) with advanced capabilities are often referred to as filters for monitoring the state of a communication channel.

Dynamic filtering in network filters. Unlike standard static filtering in network filters, dynamic (stateful) filtering allows you to assign only one rule for each communication channel instead of several filtering rules. At the same time, the dynamic filter itself monitors the sequence of data packet exchange between the client and the server, including IP addresses, transport layer protocol, sender and recipient port numbers, and sometimes packet sequence numbers. It is clear that such filtering requires additional RAM. In terms of performance, the dynamic filter is somewhat inferior to the static filter.

Fragmented packet filter. When transported over networks with different MTUs, IP packets can be split into separate fragments, and only the first fragment always contains the full transport header of the packet, including the port numbers. Ordinary network filters are unable to check fragments other than the first one and let them through (provided that the criteria for IP addresses and the protocol used are met). Because of this, attackers can mount dangerous denial-of-service attacks by deliberately generating a large number of fragments and thereby blocking the work of the computer receiving the packets. The fragmented packet filter does not let fragments pass if the first fragment was not registered, i.e. did not pass the filter itself.

3. Application Layer Gateways

Firewalls of this class allow you to filter certain types of commands or data sets in application layer protocols. For this they use proxy services: special-purpose programs that manage traffic through the firewall for certain high-level protocols (http, ftp, telnet, etc.).

Without proxy services, a network connection is established directly between the interacting parties A and B; with a proxy service, an intermediary appears, the proxy server, which independently interacts with the second participant of the information exchange. This scheme allows you to control the admissibility of individual commands of high-level protocols, as well as filter the data received by the proxy server from the outside; at the same time, the proxy server, based on the established policies, can decide whether or not this data may be passed on to client A.

Application layer firewalls, or proxy firewalls, are software packages based on general purpose operating systems (such as Windows NT and Unix) or on the firewall hardware platform.

In an application layer firewall, each allowed protocol must have its own access module. The best access modules are those built specifically for the allowed protocol. For example, the FTP access module is designed for the FTP protocol and can determine whether passing traffic conforms to this protocol and whether this traffic is allowed by security policy rules.

The firewall accepts the connection, analyzes the content of the packet and the protocol used, and determines if the given traffic complies with the rules of the security policy. When matched, the firewall initiates a new connection between its external interface and the server system.

The access module in the firewall accepts an incoming connection and processes commands before sending traffic to the recipient, and thus protects systems from attacks performed by applications.

Application layer firewalls contain access modules for the most commonly used protocols such as HTTP, SMTP, FTP, and telnet. Some access modules may be missing, which prevents a particular protocol from being used to connect through the firewall.

4. Expert level firewalls.

The most complex firewalls, combining elements of all three of the above categories. Instead of proxy services, these screens use algorithms for recognizing and processing data at the application level. Most of the firewalls currently in use are classified as expert. The best known and most widespread ME are Cisco PIX and Check Point FireWall-1. Application layer firewall manufacturers, because of the rapid development of IT, have concluded that a method is needed to support protocols for which no access module is defined. This is how the Generic Services Proxy (GSP) access module technology was born; it is designed to support the other protocols, required by the security system and by network administrators, that the application layer access modules do not cover. GSP enables application layer firewalls to function as packet filtering firewalls. Many packet filtering firewalls already come with an SMTP access module. At present it is virtually impossible to find a firewall whose operation is based solely on the application layer or solely on packet filtering, since combining them allows the administrators responsible for security to configure the device for their specific conditions.

(source from last year's answers)

The main regulatory document for the ME is the "Guideline Document. Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (approved by the State Technical Commission on July 25, 1997).

According to it, the ME is a local (single-component) or functionally distributed tool (complex) that implements control over information entering and/or leaving the AS, and ensures the protection of the AS by filtering information, i.e. analyzing it according to a set of criteria and deciding on its distribution to (from) the AS.

Five ME security classes are established.

Each class is characterized by a certain minimum set of information security requirements.

The lowest security class is the fifth, used for secure interaction of class 1D AS with the environment; the fourth is for class 1G, the third for 1V, the second for 1B, and the highest, the first, is used for secure interaction of class 1A AS with the environment.

The requirements for the ME do not exclude the requirements for computer equipment (SVT) and AS in accordance with the guideline documents of the State Technical Commission of Russia "Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" and "Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection".

When the ME is included in the AS of a certain security class, the security class of the total AS, obtained from the original one by adding the ME to it, should not be reduced.

For AS of classes 3B and 2B, ME of at least class 5 must be applied.

For AS of classes 3A and 2A, depending on the importance of the information being processed, ME of the following classes should be applied:

When processing information classified as "secret" - not lower than class 3;

When processing information classified as “top secret” - not lower than class 2;

When processing information classified as "special importance" - not lower than class 1.

Firewall Requirements

The table lists the following security indicators against security classes 1 to 5 (the per-class marks are not reproduced here):

  • Access control (data filtering and address translation)
  • Identification and authentication
  • Registration
  • Administration: identification and authentication
  • Administration: registration
  • Administration: ease of use
  • Integrity
  • Recovery
  • Testing
  • Security administrator guide
  • Test documentation
  • Design (project) documentation

(source RD ME)

A firewall is a hardware or software element that controls network traffic based on specified parameters and, if necessary, filters it. It is also called a brandmauer or ME.

Purpose of firewalls

A firewall is used to protect individual network segments or hosts from possible unauthorized penetration through vulnerabilities in software installed on a PC or in network protocols. The work of a firewall consists of comparing the characteristics of the traffic passing through it with patterns of already known malicious code.

Most often, a firewall is installed at the edge of the local network perimeter, where it protects internal nodes. However, attacks can be initiated from within: if a server is attacked from the same network, the firewall will not perceive it as a threat. This is why firewalls began to be installed not only at the edge of the network, but also between its segments, which significantly increases the degree of network security.

History of creation

Firewalls begin their history from the end of the eighties of the last century, when the Internet had not yet become an everyday thing for most people. Their function was performed by routers that analyzed traffic based on data from the network layer protocol. Then, with the development of network technologies, these devices were able to use data already at the transport level. In fact, the router is the very first implementation of a software and hardware firewall in the world.

Software firewalls appeared much later. For example, Netfilter/iptables, a firewall for Linux, was created only in 1998. This is due to the fact that earlier the function of the firewall was performed, and very successfully, by anti-virus programs, but since the late 90s, viruses have become more complex, and the appearance of a firewall has become necessary.

Traffic filtering

Traffic is filtered based on the specified rules, the ruleset. In fact, a firewall is a sequence of filters that analyze and process traffic according to this configuration. Each filter has its purpose; moreover, the order of the rules can significantly affect firewall performance. For example, most firewalls, when analyzing traffic, compare it sequentially with the known patterns in the list, so it is obvious that the most popular types should be placed as high as possible.

There are two principles by which traffic can be handled. Under the first (default allow), everything is permitted except what is explicitly forbidden: a packet that matches no restriction in the configuration is passed on. Under the second (default deny), only traffic that is explicitly permitted is passed and everything else is discarded. The second principle gives the highest degree of security but places a considerably greater burden on the administrator, who has to enumerate every legitimate flow.

A firewall applies one of two basic actions to a packet: deny (the packet is discarded) or allow (the packet is passed on). Many firewalls also offer reject: the packet is discarded, but the sender is informed that the service is unavailable, typically with an ICMP unreachable message or a TCP reset. A silent deny (drop) reveals less to a scanner and makes it wait for timeouts, while reject gives legitimate clients an immediate error instead of a hang; the choice is a trade-off rather than a security gain, and reject is usually preferred for internal users and drop for untrusted networks.

Types of firewalls (Firewall)

Most often, firewalls are classified by the highest OSI layer at which they work. The following types are distinguished:

  • Managed switches;
  • Packet filters;
  • Circuit-level (session layer) gateways;
  • Application-layer proxies (intermediaries);
  • Stateful inspection firewalls.

Managed Switches

They are often counted as firewalls, but they work at the data link layer and therefore see only frame headers: they cannot filter on IP addresses, ports or anything else carried above layer 2, and so cannot police traffic coming from external networks.

Some manufacturers (ZyXEL, Cisco) have added the ability to filter on the MAC addresses contained in frame headers. This does not always give the expected result, because a MAC address is easily changed with widely available tools, so MAC filtering cannot be relied on as an identity control. For this reason switches today mostly segment traffic on another attribute, the VLAN ID.

VLANs allow hosts to be organised into groups whose layer-2 traffic is completely isolated from the other groups; traffic between VLANs has to pass through a router or layer-3 switch, which is where a proper filter can be applied.

Within corporate networks, managed switches can be a very effective and relatively inexpensive solution. Their main disadvantage is the inability to process higher-layer protocols.

Packet filters

Packet filters work at the network layer and control traffic on the basis of packet header fields; most of them can also read the next layer up, the transport headers (TCP, UDP). Packet filters were the first firewalls and remain the most widespread today. For each packet the filter examines the source and destination IP addresses, the protocol type, the source and destination ports, and the service fields of the network and transport headers.

The weakness of packet filters is that they can let malicious content through when it is split into IP fragments: the first fragment carries the transport header and looks legitimate, while the later fragments carry no ports at all and can be crafted so that, once reassembled on the target, they overwrite the header fields the filter checked (the overlapping-fragment attack). The usual answer is to discard non-initial fragments, or to reassemble packets on the gateway before passing them on to the internal node. Reassembly, however, requires the firewall to hold state for incomplete packets, so it can itself be exhausted by a flood of fragments, a form of DoS attack.

Packet filters are implemented as operating-system components, in border routers, or as personal firewalls.

Packet filters analyse packets very fast and do their job well at the border with low-trust networks. However, they cannot parse higher-layer protocols, and because a stateless filter trusts the addresses in the header, it is easily defeated by address spoofing unless ingress rules explicitly reject packets that arrive on the outside interface with an internal source address.
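The principles described under "Traffic filtering" (first-match rule order, default allow versus default deny, drop versus reject) and the packet-filter weaknesses just discussed (trailing fragments, source-address spoofing) in one working model. This is an added example written for this page, not code from any product it names; the "wan"/"lan" interface names, the 192.168.1.0/24 internal prefix, the rule set and the sample packets are all constructed for illustration.

```python
"""Stateless packet filter: ordered first-match rules, a default policy,
drop versus reject, ingress anti-spoofing and fragment handling.
Added example for this page; the addresses, interfaces and rules are
constructed for illustration and belong to no real product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for ICMP and for trailing IP fragments
    frag_offset: int = 0    # > 0: trailing fragment, carries no transport header


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow", "drop" (silent) or "reject" (notify sender)
    iface: Optional[str] = None
    src: Optional[str] = None     # CIDR prefix
    dst: Optional[str] = None     # CIDR prefix
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False          # a port rule can never match a trailing fragment
        return True


INTERNAL = ip_network("192.168.1.0/24")   # assumed prefix of the protected LAN


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "drop", drop_fragments: bool = True):
        self.rules = list(rules)
        self.default = default                   # "drop": default deny; "allow": default allow
        self.drop_fragments = drop_fragments
        self.evaluated = [0] * len(self.rules)   # how often each rule was compared

    def decide(self, p: Packet) -> str:
        # Ingress anti-spoofing: a packet from the outside may not claim an
        # internal source address; without this check a stateless filter
        # trusts whatever address the sender wrote into the header.
        if p.iface == "wan" and ip_address(p.src) in INTERNAL:
            return "drop"
        # Trailing fragments carry no ports, so a stateless filter either
        # discards them or has to reassemble (and then risks state exhaustion).
        if p.frag_offset > 0 and self.drop_fragments:
            return "drop"
        for i, rule in enumerate(self.rules):    # first match wins
            self.evaluated[i] += 1
            if rule.matches(p):
                return rule.action
        return self.default


def default_deny_rules() -> List[Rule]:
    return [
        Rule("allow", iface="wan", dst="192.168.1.10/32", proto="tcp", dport=443),
        Rule("allow", iface="wan", dst="192.168.1.10/32", proto="tcp", dport=80),
        Rule("reject", iface="lan", proto="tcp", dport=25),   # users see the failure at once
        Rule("allow", iface="lan"),                            # everything else outbound
    ]


def misordered_rules() -> List[Rule]:
    # Same rules, but the broad LAN allow now sits above the SMTP reject:
    # first-match semantics silently turn the reject into a no-op.
    r = default_deny_rules()
    return [r[3], r[2], r[0], r[1]]


# Constructed sample packets, not captured traffic.
WEB_IN     = Packet("wan", "203.0.113.5",  "192.168.1.10",  "tcp", 443)
SSH_IN     = Packet("wan", "203.0.113.5",  "192.168.1.10",  "tcp", 22)
SPOOFED_IN = Packet("wan", "192.168.1.50", "192.168.1.10",  "tcp", 443)
FRAG_IN    = Packet("wan", "203.0.113.5",  "192.168.1.10",  "tcp", None, frag_offset=185)
SMTP_OUT   = Packet("lan", "192.168.1.20", "198.51.100.7",  "tcp", 25)
DNS_OUT    = Packet("lan", "192.168.1.20", "198.51.100.53", "udp", 53)


def run_packet_samples() -> dict:
    fw = PacketFilter(default_deny_rules())
    samples = [("web_in", WEB_IN), ("ssh_in", SSH_IN), ("spoofed_in", SPOOFED_IN),
               ("frag_in", FRAG_IN), ("smtp_out", SMTP_OUT), ("dns_out", DNS_OUT)]
    return {name: fw.decide(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, verdict in run_packet_samples().items():
        print(f"{name:12s} -> {verdict}")
    print("misordered smtp_out ->", PacketFilter(misordered_rules()).decide(SMTP_OUT))
    print("default-allow ssh_in ->", PacketFilter(default_deny_rules(), default="allow").decide(SSH_IN))
```

The `evaluated` counters show why rule order affects throughput: the first sample packet is resolved by rule 1, while outbound DNS is compared with all four rules before the catch-all allows it. Swapping the two LAN rules, as `misordered_rules` does, changes the verdict on outbound SMTP from reject to allow without any error being reported, which is the kind of mistake a ruleset review should look for.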

Session level gateways

A circuit-level (session layer) gateway removes direct interaction between external servers and the internal host: it acts as an intermediary, a proxy, that relays the connection. It checks every incoming packet against the connections it has already set up and drops those that do not belong to an established connection, including packets that claim to belong to a connection that has already been closed.

The session layer gateway is the only link between the external and internal networks. The internal topology is therefore hidden from the outside, which makes the protected network harder to map and more resistant to DoS attacks aimed at individual hosts.

Nevertheless, even this solution has a significant drawback: because the content of the data field is not checked, an attacker can relatively easily carry a Trojan into the protected network over a permitted connection.

Application-layer proxies

Like session-layer gateways, application-layer firewalls mediate between two nodes, but with a significant advantage: they parse the application protocol and can analyse the transmitted data in context. A firewall of this type can detect and block unwanted or non-existent command sequences (often the sign of an attack on the service or a DoS attempt), and can forbid some commands altogether.

Application-layer proxies also determine the type of information being transferred; a classic example is a mail gateway that refuses to pass executable attachments. They can also authenticate users and require that a client presents a TLS (SSL) certificate signed by a specific certification authority.

The main disadvantage of this type of firewall is the long packet analysis, which costs throughput and latency. In addition, an application-layer proxy understands only the protocols it was written for; a new protocol or application needs a new proxy module before it can be filtered.
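What "analysing the data in context" means in practice, using HTTP as the application protocol. The filter below parses a raw request, rejects commands that do not exist in the protocol, rejects methods the policy forbids, refuses ambiguous message framing, and inspects the body for executable content. This is an added example written for this page, not code from any product it names; the allowed-method list, the blocked `/admin` path, the executable signatures and the sample requests are all assumptions constructed for illustration.

```python
"""Application-layer filter for HTTP/1.x requests. Added example for this
page; the policy constants and the sample requests are constructed."""
import re
from typing import Dict, List, Tuple

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                 # assumed site policy
BLOCKED_PATHS = [re.compile(r"^/admin(/|$)")]             # assumed: admin UI is internal only
EXEC_MAGIC = (b"MZ", b"\x7fELF")                          # PE and ELF executable headers
REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) (/[^ \r\n]*|\*) HTTP/1\.[01]$")
MAX_HEADER_BYTES = 8192


def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Return ("forward", "") or ("block", reason) for one raw HTTP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        return "block", "missing or oversized header block"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "block", "malformed request line"
    method = m.group(1).decode()
    target = m.group(2).decode("ascii", "replace")
    if method not in KNOWN_METHODS:
        return "block", f"unknown command {method}"        # not an HTTP method at all
    if method not in ALLOWED_METHODS:
        return "block", f"method {method} forbidden by policy"
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():   # no folded or padded names
            return "block", "malformed header line"
        headers.setdefault(name.lower(), []).append(value.strip())
    if len(headers.get(b"host", [])) != 1:
        return "block", "Host header missing or repeated"
    # Framing must be unambiguous: Content-Length together with
    # Transfer-Encoding, or conflicting lengths, is the request-smuggling
    # setup, so neither form is forwarded.
    if b"transfer-encoding" in headers and b"content-length" in headers:
        return "block", "ambiguous framing (Content-Length with Transfer-Encoding)"
    lengths = headers.get(b"content-length", [])
    if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
        return "block", "invalid Content-Length"
    if lengths and int(lengths[0]) != len(body):
        return "block", "body length does not match Content-Length"
    if any(p.match(target) for p in BLOCKED_PATHS):
        return "block", f"path {target} not permitted"
    # Content check: refuse executables whether sent raw or as a multipart
    # part (each part's content starts after its own blank line).
    for chunk in body.split(b"\r\n\r\n"):
        if chunk.startswith(EXEC_MAGIC):
            return "block", "executable content in request body"
    return "forward", ""


# Constructed requests, not captured traffic.
SAMPLES = {
    "plain_get":   b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "trace":       b"TRACE / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "bogus_cmd":   b"HACK / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "admin":       b"GET /admin/users HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "exe_upload":  b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\n\r\nMZ\x90\x00\x03\x00",
    "smuggle":     b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_mismatch": b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 10\r\n\r\nabc",
    "garbage":     b"\x16\x03\x01\x00\xa5\x01\x00\x00",   # TLS bytes on the HTTP port
}


def run_http_samples() -> Dict[str, Tuple[str, str]]:
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_http_samples().items():
        print(f"{name:12s} {action:8s} {reason}")
```

A packet filter would forward every one of these requests, since they all arrive on the permitted port; only a proxy that parses the protocol can tell a real method from a bogus one or see an executable inside a POST body. The cost is visible in the code as well: the proxy has to hold and parse the whole header block before it can decide, which is the latency the text refers to.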

Stateful inspection firewalls

The creators of stateful inspection set out to combine the advantages of all the types above, obtaining a firewall that can process traffic at both the network and the application layer.

A stateful inspection firewall controls:

  • all sessions, on the basis of a state (connection) table;
  • all transmitted packets, on the basis of the configured rule table;
  • all applications, on the basis of the protocol inspectors it has been given.

Traffic is filtered in the same way as in a session layer gateway, which makes a stateful inspection firewall much faster than an application-layer proxy. Stateful firewalls typically have a convenient and understandable interface, straightforward configuration, and wide extensibility.
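The connection-table behaviour that the session layer gateway section and this section describe, reduced to a small TCP state machine: a packet is forwarded only if it opens a connection the policy allows from the inside, or belongs to a connection already in the table; everything else, including a bare ACK probe or a SYN-ACK nobody asked for, is dropped, and idle half-open entries are purged so the table cannot fill up. This is an added example written for this page, not code from any product it names; the addresses, the allowed outbound ports, the 300-second idle timeout and the packet trace are constructed for illustration.

```python
"""Minimal stateful inspection for TCP. Added example for this page; the
addresses, policy and trace are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass(frozen=True)
class Seg:
    direction: str   # "out" (from the protected network) or "in" (from outside)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float = 0.0   # arrival time in seconds, used for the idle timeout


Key = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


class StatefulFilter:
    IDLE_TIMEOUT = 300.0

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table: Dict[Key, list] = {}     # key -> [state, last_seen]

    def _key(self, s: Seg) -> Key:
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)   # normalise so both directions share one entry

    def _expire(self, now: float) -> None:
        dead = [k for k, (_, seen) in self.table.items() if now - seen > self.IDLE_TIMEOUT]
        for k in dead:
            del self.table[k]

    def decide(self, s: Seg) -> str:
        self._expire(s.t)
        key = self._key(s)
        entry = self.table.get(key)
        if entry is None:
            # New connection: only an inside host may open one, only with a pure
            # SYN, and only to a permitted port. Any other packet without state
            # (an outside SYN, a bare ACK probe, a stray SYN-ACK) is dropped,
            # even though a stateless port rule might have let it through.
            if s.direction == "out" and s.flags == SYN and s.dport in self.allowed:
                self.table[key] = ["SYN_SENT", s.t]
                return "forward"
            return "drop"
        state, _ = entry
        if s.flags & RST:                       # reset from either side ends the session
            del self.table[key]
            return "forward"
        entry[1] = s.t
        if state == "SYN_SENT":
            if s.direction == "in" and s.flags == SYN | ACK:
                entry[0] = "ESTABLISHED"
                return "forward"
            if s.direction == "out" and s.flags == SYN:   # retransmitted SYN
                return "forward"
            return "drop"
        if state == "ESTABLISHED":
            if s.flags & FIN:
                entry[0] = "CLOSING"
            return "forward"
        if state == "CLOSING":
            if s.flags & FIN:                   # second FIN: both sides are done
                entry[0] = "LAST_ACK"
            return "forward"
        if state == "LAST_ACK":                 # final ACK, then forget the session
            del self.table[key]
            return "forward"
        return "drop"


def run_tcp_trace() -> List[str]:
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    c, s = "192.168.1.20", "198.51.100.7"
    trace = [  # constructed sequence, with the expected verdict in each comment
        Seg("out", c, 40000, s, 443, SYN, 0.0),                 # inside opens: forward
        Seg("in",  s, 443, c, 40000, SYN | ACK, 0.1),           # matching reply: forward
        Seg("out", c, 40000, s, 443, ACK, 0.2),                 # handshake done: forward
        Seg("in",  s, 443, c, 40000, ACK, 1.0),                 # data on the session: forward
        Seg("in",  "198.51.100.9", 443, c, 40000, ACK, 1.0),    # bare ACK, no session: drop
        Seg("in",  "203.0.113.5", 5555, c, 22, SYN, 2.0),       # outside-initiated SYN: drop
        Seg("in",  s, 443, c, 40001, SYN | ACK, 2.0),           # SYN-ACK nobody asked for: drop
        Seg("out", c, 40002, s, 25, SYN, 2.0),                  # port not in policy: drop
        Seg("out", c, 40000, s, 443, FIN | ACK, 3.0),           # inside closes: forward
        Seg("in",  s, 443, c, 40000, FIN | ACK, 3.1),           # outside closes: forward
        Seg("out", c, 40000, s, 443, ACK, 3.2),                 # last ACK, entry removed: forward
        Seg("in",  s, 443, c, 40000, ACK, 4.0),                 # session is gone: drop
    ]
    return [fw.decide(seg) for seg in trace]


def run_tcp_timeout() -> List[str]:
    fw = StatefulFilter({443})
    first = fw.decide(Seg("out", "192.168.1.20", 40003, "198.51.100.7", 443, SYN, 100.0))
    # The reply arrives after the idle timeout, so the half-open entry is gone.
    late = fw.decide(Seg("in", "198.51.100.7", 443, "192.168.1.20", 40003, SYN | ACK, 500.0))
    return [first, late]


if __name__ == "__main__":
    print(run_tcp_trace())
    print(run_tcp_timeout())
```

The fifth and seventh segments are the cases that separate stateful from stateless filtering: both would be accepted by a rule that simply allows established-looking traffic to port 443 or from port 443, and both are dropped here because no table entry matches. The idle timeout is what keeps a SYN flood from growing the table without bound; the value and the purge-on-arrival strategy are simplifications of what real connection trackers do.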

Firewall Implementation

Firewalls are implemented either as hardware-and-software systems or purely in software. The former can be a separate module in a router or switch, or a dedicated device.

Most often, users choose software firewalls, since installing the software on an existing system is all that is needed. In organisations, however, it is often difficult to find a spare computer for this purpose, let alone one that meets the fairly high technical requirements.

That is why large companies prefer dedicated hardware-and-software systems called security appliances. They most often run a Linux or FreeBSD system stripped down to the functionality required for the task.

This solution has the following advantages:

  • Easy and simple management: the appliance is managed over standard protocols (Telnet, SNMP) or, preferably, secure ones (SSH, HTTPS, SNMPv3); Telnet and SNMPv1/v2c carry credentials in the clear and should be disabled on any appliance reachable from an untrusted network.
  • High performance: the operating system is dedicated to a single function, and all extraneous services are removed from it.
  • Fault tolerance: a minimal, hardened image has fewer components that can fail, and most appliance lines support high-availability pairs so that a single failure does not take the perimeter down.

Firewall limitations

A firewall cannot filter data it cannot interpret. What happens to unrecognised traffic is decided by the administrator in the configuration. Such traffic includes protocols that use cryptography to hide their content (SRTP, IPsec, SSH, TLS) and protocols that encrypt application-layer data (S/MIME and OpenPGP): the firewall still sees addresses, ports and the unencrypted handshake fields, such as the server name in a TLS ClientHello, and can filter on those, but not on the payload unless it terminates the encryption itself as an intercepting proxy. Tunnelled traffic likewise cannot be filtered if the firewall does not understand the tunnelling mechanism. Many of these shortcomings are addressed in UTM (Unified Threat Management) systems and in next-generation firewalls (NGFW), which add application identification, intrusion prevention and, optionally, TLS inspection to the classic filter.
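How much of a TLS connection a firewall can act on without decrypting it. The ClientHello is sent in the clear, so its Server Name Indication (SNI) extension can be parsed and matched against a rule, while the application data that follows is opaque. This is an added example written for this page, not code from any product it names; `build_client_hello` constructs test records rather than capturing a real client, and the blocked domain `tracker.example` is an assumed policy.

```python
"""Parsing the TLS ClientHello for SNI, the one application-layer field a
firewall can still see in encrypted traffic. Added example for this page;
the records are constructed and the block list is an assumption."""
import struct
from typing import Optional

BLOCKED_NAMES = ("tracker.example",)   # assumed policy: this domain and its subdomains


def build_client_hello(hostname: Optional[str] = None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with an SNI extension
    when a hostname is given. Test input only, not a real client's bytes."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)                  # client_version, random
            + b"\x00"                                # session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None when the
    record is not a complete ClientHello or carries no SNI (e.g. with ECH)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs_len = int.from_bytes(record[6:9], "big")
        if len(record) < 5 + rec_len or rec_len < 4 + hs_len:
            return None                               # truncated or inconsistent lengths
        end = 9 + hs_len
        p = 9 + 2 + 32                                # skip client_version and random
        p += 1 + record[p]                            # skip session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # skip cipher_suites
        p += 1 + record[p]                            # skip compression_methods
        if p + 2 > end:
            return None                               # no extensions block at all
        ext_end = min(end, p + 2 + struct.unpack("!H", record[p:p + 2])[0])
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0:
                q, q_end = p + 2, p + ext_len         # skip server_name_list length
                while q + 3 <= q_end:
                    name_len = struct.unpack("!H", record[q + 1:q + 3])[0]
                    if record[q] == 0:                # name_type host_name
                        return record[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify(record: bytes) -> str:
    """The decision a firewall can take on a TLS record without decrypting it:
    a rule on the server name, and nothing more."""
    name = extract_sni(record)
    if name is None:
        return "unknown"      # not a ClientHello, or no SNI: only address/port rules remain
    blocked = any(name == b or name.endswith("." + b) for b in BLOCKED_NAMES)
    return "drop" if blocked else "forward"


if __name__ == "__main__":
    for host in ("mail.example", "cdn.tracker.example", None):
        print(host, "->", classify(build_client_hello(host)))
    print("application data ->", classify(b"\x17\x03\x03\x00\x05hello"))
```

The "unknown" outcome is the important one: once the handshake is over, every record is application data and the firewall can only fall back to its address and port rules or to the default policy. A NGFW that performs TLS inspection gets around this by terminating the TLS session itself, which in turn requires its own CA certificate to be trusted by the clients.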

Firewall classification

One effective mechanism for ensuring the information security of distributed computing networks is screening (shielding), which separates the information flows at the boundary of the protected network.

A firewall raises the security of internal network objects by ignoring unauthorised requests from the external environment, thereby supporting all the components of information security. Besides access control, screening provides logging of information exchanges.

Screening functions are performed by a firewall, understood as a software or hardware-and-software system that controls the information flows entering and/or leaving an information system and protects it by filtering information. Filtering consists of analysing information against a set of criteria and deciding whether to accept and/or forward it.

Firewalls are classified by the following criteria:

· by location in the network: external and internal, providing protection from the external network and between network segments respectively;

· by the filtering level, corresponding to the ISO/OSI reference model.

External firewalls usually work only with the TCP/IP protocol stack of the global Internet. Internal firewalls may have to support several protocol stacks; in a legacy Novell NetWare environment, for instance, SPX/IPX had to be taken into account.

Firewall Characteristics

All firewalls work on information taken from different layers of the OSI model. In general, the higher the OSI layer at which a firewall filters, the more context it has and the finer the protection it can provide, at the cost of throughput.

Firewalls are divided into four types:

packet filtering firewalls;

session level gateways;

application level gateways;

expert-level firewalls.

Table 4.5.1. Firewall Types and Layers of the ISO OSI Model

Packet filtering firewalls are routers, or programs running on a server, configured to filter incoming and outgoing packets; hence they are sometimes called packet filters. Filtering is done by analysing the source and destination IP addresses and the ports of incoming TCP and UDP packets and comparing them with a configured rule table. These firewalls are easy to use, low in cost and have minimal impact on system performance. Their main disadvantage is vulnerability to IP address spoofing. They are also laborious to configure: writing the rules requires knowledge of network, transport and application protocols.

Session level gateways control whether a communication session is admissible. They watch the handshake between an authorised client and an external host (and vice versa) to determine whether the requested session is valid. When filtering, a session layer gateway relies on the TCP header fields that describe connection state (the SYN, ACK and FIN flags and the sequence numbers), so it operates above the network-layer packet filter. These systems usually also perform network address translation, which hides internal IP addresses from the outside; this conceals the internal addressing but does not by itself stop spoofing of external addresses. However, these firewalls have no control over the content of the packets generated by the various services. Application layer gateways were introduced to remove this shortcoming.

Application layer gateways inspect the content of every packet passing through the gateway and can filter particular commands or kinds of information in the application protocols they are built to serve. This is a more advanced and more reliable type of firewall that uses application-layer proxies, or agents. An agent is written for a specific Internet service (HTTP, FTP, Telnet, etc.) and checks the packets of that service for valid data.

Application layer gateways reduce system performance because of the additional processing in the intermediary. This is imperceptible on slow Internet links, but noticeable on a fast internal network.

Expert-level (stateful inspection) firewalls combine elements of all three categories described above. Like packet filtering firewalls they work at the network layer, filtering incoming and outgoing packets by IP address and port number. They also act as a session-level gateway, determining whether packets belong to an existing session. Finally, they take on the role of an application-level gateway, evaluating the content of each packet against the security policy adopted by the organisation.

Instead of a separate proxy for each application, expert-level firewalls use special algorithms to recognise and process application-layer data. These algorithms compare packets with known data patterns, which in theory gives more efficient filtering.

Conclusions on the topic

1. A firewall raises the security of internal network objects by ignoring unauthorised requests from the external environment, thereby supporting all the components of information security. Besides access control, screening provides logging of information exchanges.

2. Screening functions are performed by a firewall, understood as a software or hardware-and-software system that controls the information flows entering and/or leaving an information system and protects it by filtering information.

3. Firewalls are classified according to the following criteria: location in the network and filtering level corresponding to the OSI/ISO reference model.

4. External firewalls usually work only with the TCP/IP protocol stack of the global Internet. Internal firewalls may have to support several protocol stacks.

5. Firewalls are divided into four types:

firewalls with packet filtering;

session level gateways;

application level gateways;

expert-level firewalls.

6. The most comprehensive task of shielding is solved by expert-level firewalls, which combine elements of all types of firewalls.

Questions for self-control

1. What is the firewall mechanism?

2. Define a firewall.

3. How does a packet filtering firewall work?

4. At which protocol layer does a session level gateway work?

5. What is special about expert-level firewalls?

The purpose of this article is to compare certified firewalls that can be used to protect personal data information systems (ISPDn). The review covers only certified software products; the list was compiled from the register of FSTEC of Russia.

Choosing a firewall for a given level of personal data protection

This review considers the firewalls listed in Table 1. The table gives the name of each firewall and its certified class, and will be especially useful when selecting software for protecting personal data.

Table 1. List of FSTEC-certified firewalls

Software                                                                   Firewall (ME) class
Firewall "Blockpost-Ekran 2000/XP"                                         4
Special-purpose software firewall "Z-2", version 2                         2
TrustAccess information security tool                                      2
TrustAccess-S information security tool                                    2
StoneGate Firewall                                                         2
Security Studio Endpoint Protection Personal Firewall                      4
Software package "Security Server CSP VPN Server. Version 3.1"             3
Software package "Security Gateway CSP VPN Gate. Version 3.1"              3
Software package "Security Client CSP VPN Client. Version 3.1"             3
Firewall software package "Ideco ICS 3"                                    4
Software package "Traffic Inspector 3.0"                                   3
Cryptographic information protection tool "Continent-AP", version 3.7      3
Firewall "Cybersafe: Firewall"                                             3
Software package "Internet gateway Ideco ICS 6"                            3
ViPNet Office Firewall                                                     4

All these software products are certified as firewalls according to the FSTEC register.
Under Order No. 21 of FSTEC of Russia of 18 February 2013, personal data (PD) protection levels 1 and 2 require a firewall of at least class 3 when type 1 or type 2 threats are relevant or the information system (IS) interacts with international information exchange networks, and a firewall of at least class 4 when type 3 threats are relevant and the IS has no interaction with the Internet.

For PD protection level 3, a firewall of at least class 3 is suitable (or class 4 if type 3 threats are relevant and the IS does not interact with the Internet). For level 4 the simplest firewalls, of class 5 or higher, are sufficient; at the time of writing, however, none are listed in the FSTEC register. In practice, each firewall in Table 1 can be used for protection levels 1 to 3 provided that only type 3 threats are relevant and there is no interaction with the Internet. If there is an Internet connection, a firewall of at least class 3 is required.

Firewall Comparison

Firewalls offer a particular set of functions, so let us see which functions each firewall does or does not provide. The main function of any firewall is packet filtering according to a set of rules; unsurprisingly, all of them support it.

All the firewalls considered also support NAT. Then there are more specific (but no less useful) features: port masquerading, load balancing, multi-user operation, integrity control, deployment through Active Directory and remote administration from outside. It is convenient when a program supports Active Directory deployment, because you do not have to install it by hand on every computer in the network; it is also convenient when the firewall can be administered remotely, which matters for administrators used to working from home.

The reader may be surprised that Active Directory deployment is not supported by many of the firewalls in Table 1; the same goes for other features such as load balancing and port masquerading. Rather than describe which firewall supports which function, we have summarised their characteristics in Table 2.

Table 2. Firewall capabilities

How will we compare firewalls?

The main task of a firewall in personal data protection is protecting the ISPDn. The administrator therefore often does not care about additional functions; what matters are the following factors:
  1. Protection time. Clearly, the sooner the better.
  2. Ease of use. Not all firewalls are equally convenient, which will be shown in the review.
  3. Price. Often the financial side is decisive.
  4. Delivery time. Often the delivery time leaves much to be desired, and you need to protect your data now.

The level of protection of all these firewalls is comparable: each has been certified for its class, although a certificate attests to conformance with the requirements of that class rather than to identical security.

Firewalls in Overview

Next, we compare three firewalls: ViPNet Office Firewall, Cybersafe Firewall and TrustAccess.
TrustAccess is a distributed firewall with centralised management, designed to protect servers and workstations from unauthorised access and to segregate network access to the enterprise IS.
Cybersafe Firewall is a powerful firewall designed to protect computer systems and local networks from external malicious influence.
ViPNet Office Firewall 4.1 is a software firewall designed to control and manage traffic and address translation (NAT) between segments of local networks, and between local network nodes and public network resources.

ISPD protection time

What is the ISPDn protection time? It is the time needed to deploy the application to all computers in the network plus the time needed to set up the rules. The latter depends on the firewall's ease of use, the former on whether its installation package is suitable for centralised installation.

All three firewalls ship as MSI packages, so in principle they can be installed centrally with Active Directory software deployment (group policy). It would seem simple; in practice it is not.

An enterprise generally uses centralised firewall management: a management server is installed on one computer and client programs, also called agents, on all the others. The catch is that installing an agent requires certain parameters, at the very least the IP address of the management server and possibly a password and more.
So even if the MSI files are deployed to every computer in the network, the agents still have to be configured by hand, which is hardly desirable on a large network. Even with only 50 computers, imagine walking to each PC to set it up.

How is this solved? By creating a transform file (MST) for the MSI package, in which the installation properties are preset so that the installer needs no interactive input. Neither ViPNet Office Firewall nor TrustAccess provides one. That is why Table 2 marks them as lacking Active Directory deployment support: these programs can be deployed in the domain, but manual work by the administrator is required.

Of course, the administrator can use editors like Orca to create the MST file.


Fig. 1. The Orca editor: attempting to create an MST file for TrustAccess.Agent.1.3.msi

But is it really that simple? Open the MSI in Orca, tweak a couple of parameters and get a ready-made transform? Not quite. First, Orca is not simply installed: you have to download the Windows Installer SDK, extract orca.msi from it with 7-Zip and install that. Did you know that? If not, count 15 minutes for finding the information, downloading the package and installing the editor. And the suffering does not end there. An MSI package has many properties; Fig. 1 shows only the Property table. Which one must be changed to specify the server's IP address? If you do not know, you have two options: configure every computer by hand, or ask the vendor and wait for an answer. Given that vendors sometimes take quite a while to reply, the actual deployment time depends only on how fast you can move between computers, or somewhat less if you installed a remote management tool in advance.

Cybersafe Firewall generates the MST file itself: install it on one computer, take the resulting MST file and specify it in the group policy. How to do this is described in the article "Segregating information systems in the protection of personal data". In about half an hour (or less) the firewall can be deployed to every computer in the network.

That is why Cybersafe Firewall gets a grade of 5 and its competitors 3 (at least their installers are in MSI format rather than .exe).

Product                  Grade
ViPNet Office Firewall   3
Cybersafe Firewall       5
TrustAccess              3

Ease of use

A firewall is not a word processor. It is a rather specific product whose use boils down to "install, configure, forget". In that sense usability is a secondary factor: iptables on Linux is not convenient, yet it is used. On the other hand, the more convenient the firewall, the faster the ISPDn can be protected and administered.

So let us see how convenient the firewalls under review are when creating and protecting an ISPDn.

We start with ViPNet Office Firewall, which in our opinion is not very convenient. Computers can be grouped only by IP address (Fig. 2). In other words, the grouping is bound to IP addresses, and you must either place different ISPDn in different subnets or split one subnet into IP address ranges. For example, with three ISPDn (Management, Accounting, IT) you need to configure the DHCP server so that Management computers receive addresses from 192.168.1.10 to 192.168.1.20, Accounting from 192.168.1.21 to 192.168.1.31, and so on. This is not very convenient, and it is for this that ViPNet Office Firewall loses one point.


Fig. 2. When creating groups of computers, there is an explicit binding to IP addresses

In Cybersafe Firewall, by contrast, there is no binding to an IP address. Computers in a group can be on different subnets, in different ranges of the same subnet, or even outside the network. Look at Fig. 3: the company's branches are in different cities (Rostov, Novorossiysk, etc.). Creating groups is very easy: drag the computer names into the desired group and click Apply. After that, click Set the rules to define rules specific to each group.


Fig. 3. Group management in Cybersafe Firewall

As for TrustAccess, its close integration with the operating system should be noted. Existing system user and computer groups are imported into the firewall configuration, which simplifies management in an Active Directory environment: you need not define the ISPDn inside the firewall itself, but can use the existing computer groups of the Active Directory domain.


Fig. 4. User and computer groups (TrustAccess)

All three firewalls support schedules, with which the administrator can control the passing of packets by time, for example denying Internet access outside business hours. In ViPNet Office Firewall schedules are created in the Schedules section (Fig. 5); in Cybersafe Firewall the rule's active time is set when the rule itself is defined (Fig. 6).


Fig. 5. Schedules in ViPNet Office Firewall


Fig. 6. Rule active time in Cybersafe Firewall


Fig. 7. Schedule in TrustAccess

All three firewalls provide very handy tools for creating the rules themselves, and TrustAccess additionally offers a convenient rule creation wizard.


Fig. 8. Creating a rule in TrustAccess

Let us look at another feature: tools for obtaining reports (logs). In TrustAccess, collecting reports and event information requires installing an event server (EventServer) and a report server (ReportServer). This is not so much a flaw as a feature ("feature", as Bill Gates said) of this firewall. Cybersafe Firewall and ViPNet Office Firewall both provide convenient tools for viewing the IP packet log. The only difference is that Cybersafe Firewall first shows all packets and lets you filter the ones you need with the filter built into the table header (Fig. 9), whereas in ViPNet Office Firewall you first have to set up filters and then view the result.


Fig. 9. IP packet log management in Cybersafe Firewall


Fig. 10. IP packet log management in ViPNet Office Firewall

I had to deduct 0.5 points from Cybersafe Firewall for the lack of a function to export the log to Excel or HTML. The function is far from critical, but it is sometimes useful to export a few lines from the log quickly and simply, for example for an incident post-mortem.

So, the results of this section:

Product                  Grade
ViPNet Office Firewall
Cybersafe Firewall
TrustAccess

Price

The financial side cannot be avoided, because it is often decisive when choosing a product. One ViPNet Office Firewall 4.1 licence (one year, one computer) costs 15,710 roubles. A TrustAccess licence for one server and five workstations costs 23,925 roubles. Links to the prices of these products are given at the end of the article.

Remember these two numbers: 15,710 roubles for one PC per year and 23,925 roubles for one server and five PCs per year. Now note that for the same money you can buy a Cybersafe Firewall licence for 25 nodes (15,178 roubles) or, adding a little, for 50 nodes (24,025 roubles). But the most important thing about this product is not the price: the Cybersafe Firewall licence is perpetual, and so is the technical support. You pay once and get a software product with a lifetime licence and technical support.

Product                  Grade
ViPNet Office Firewall
Cybersafe Firewall
TrustAccess

Delivery time

In our experience, ViPNet Office Firewall delivery takes about 2 to 3 weeks after applying to Infotex OJSC. To be honest, that is quite long, considering that a software product is being bought rather than a hardware-and-software appliance.
TrustAccess delivery, when ordered through Softline, takes from one day; a more realistic figure is three days, allowing for some delay on Softline's side. They can deliver in one day, depending on their workload. Again, this is personal experience, and the actual time for a particular customer may differ. In any case the delivery time is quite short, which deserves note.

As for Cybersafe Firewall, the vendor guarantees delivery of the electronic version within 15 minutes of payment.

Product                  Grade
ViPNet Office Firewall
Cybersafe Firewall
TrustAccess

What to choose?

If you look only at the cost of the product and technical support, the choice is obvious: Cybersafe Firewall has the best functionality-to-price ratio. If you need Secret Net support, however, look at TrustAccess. ViPNet Office Firewall we can recommend only as a good personal firewall, and for that purpose there are many other solutions, including free ones.

Reviewed by experts
integrator company DORF LLC