Which Firewall Technology Is Better At Protecting


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

More and more organisations now conduct business with their customers and suppliers online, and they find that they are increasingly at risk from online attacks on their systems which, if successful, can cost them money, reputation and in some cases lives.

In order to protect themselves from these threats, organisations make use of firewalls to direct legitimate network traffic to their published online services while mitigating as far as possible the risk of being attacked by external parties.

This report identifies some of the online threats that exist, promotes the importance of organisations creating a security policy and following industry best practice when deploying firewalls, and then reviews several journal articles from experts in this field to provide an overview of two specific types of firewall technology: packet filtering and application level. The report details how each technology works and compares the advantages and disadvantages of both. From the reviews I am then able to argue that, of these two technologies, application firewalls offer the higher level of security to an organisation.

Finally I conclude the paper by suggesting that there does not appear to be any reason why an organisation could not make use of both technologies together, as this would appear to offer an even more comprehensive solution for protecting business from online threats.

Introduction

We have been tasked with providing a journal-style review paper as part of the IS4S704 Independent Study module. I have agreed with the module supervisor to provide a review on the following subject: "Which firewall technology is better at protecting business from online threats, application or packet filtering?"

This particular subject is of a professional interest to me as I have used many of these technologies over the years in my role as a network manager. What I have found by speaking to other network managers is that recently a lot of businesses use a combination of both of these technologies with the mind-set that using both of these technologies together increases the security of that system.

Therefore the purpose of this review is to determine whether this is the case, or whether using one technology would be more beneficial than the other.

In this report I detail the methods that I used to research the information needed to complete the paper. I then used this material to review several published articles from various journals and website sources, which I grouped into the following sections to provide the main body of the report:

An understanding of why there is a need to protect business from online threats.

An overview of both application and packet level filtering firewalls.

A comparison of both technologies to determine the strengths or weaknesses of each technology, if any.

The report conclusions will draw on the information provided in the earlier sections to reveal if one of these technologies is better at protecting business from online threats.

Research Methods

Following suggestions given by our supervisor during our team meetings and at the lectures for this module, I decided to make use of the University of Glamorgan's (2013) online "FINDit" library catalogue system, which is available to me as a part-time student via the University's web-based student portal, as a starting point to obtain the academic papers that I needed for this report.

The "FINDit" system provides access to a variety of databases, journals and conference proceedings from various industry publishers such as the ACM Digital and IEEE Xplore Digital Libraries for example which the University has subscribed too which enables staff and students to access a variety of academic papers which can be used as research for their particular subject (University of Glamorgan, 2013).

For the purpose of this report I needed to select the Computer Security database, which gave me access to a list of resources that I could then search for papers relevant to this assignment.

As a starting point I selected the ACM and IEEE digital libraries and searched each of them using the advanced search function and the general search string "Firewalls" to see what results were returned. Upon reviewing the abstracts of some of the results, I determined that this search string had not been specific enough to meet the requirements of this report, so I searched the libraries again using a few revised search strings which I believed were more specific to the subject of my report.

The new search terms returned results that seemed more appropriate for my needs. After reading through several abstracts and some of the full text of the papers, I was able to start building a list of papers that I could use within my report, so I printed copies of these in order to read the full text at a later date.

I also found additional papers to review from the references contained within some of the papers that I had already reviewed. For example, one of the reports I reviewed, by Lipson & van Wyk (2008), included an interesting reference to a book by Julia Allen (2001) which I later included as part of the report.

Most of the papers reviewed for this paper were located using the methods described above, although I also made use of the advanced search facility of the Google search engine to provide some additional material in the form of articles from websites. For example, the Cisco (2012) report on the "Evolution of the Firewall Industry" was located using this facility, and I decided to include it in this report as Cisco is known as a market leader in networking and firewall technologies and is well regarded by the industry.

For this review paper I made the decision to avoid the use of direct content from websites such as Wikipedia, because it is hard to confirm that the information provided is correct: there is no formal process for checking its validity and accuracy, unlike the review process undertaken by publishers for journal or conference inclusion or for publication in books.

Finally I used the University's library and purchased some books which I had identified as potential sources of information for this review from the references contained within the existing papers and from some of the web resources that I had located and reviewed as part of this paper.

Why do we need to protect businesses from online threats?

In order to review the different firewall technologies identified in this report, we first have to understand why there is a need to protect businesses from online threats and what kind of damage can be caused to a business which does not protect itself against them.

In my opinion data is one of the most valuable assets a business has. A business can use its data to be more profitable. For example the data collected from customers can be used by managers to determine product development strategies to ensure that the business is making the products that its customers want. This can lead to a strong demand for a product which increases the profits of a business.

Another example of the importance of data is the data held by a bank. Could you imagine if a bank did not hold any data about its accounts? How would any customer be able to withdraw cash or make purchases if the bank did not know how much money you had in your account? What would happen if a bank did not hold data on your transactions and how you manage your account; could they risk lending you money? How would they know you could or would pay it back? They wouldn't.

Now that we understand data is important to a business, why does it need to be protected from threats? Simply put, what would happen if someone maliciously changed some of that data? In some cases, for example if the customer data of a bank was deleted, the bank would not be able to function.

Allen (2001) highlights that businesses use networks and even the internet to provide reliable and fast access to their data to help them make decisions. These networks allow a business to provide better customer service, for example by allowing electronic transactions between itself and its customers and suppliers. However, the report goes on to suggest that while this technology has changed the way businesses work for the better, it has also led to an increased risk of attack. An attack on that data could cost a business a lot of money to repair, and in some extreme cases it may not be able to recover at all.

The report argues that the security of these networks is often left in the hands of system administrators, who typically do not have enough time to monitor and manage the security threats which evolve on a daily basis, as they have enough to do in the day-to-day management of the systems (Allen, 2001).

Allen (2001) suggests that all users of the network, not just the system administrators, should take some responsibility for the security of that information, and recommends that the business implements adequate policies and procedures, drawn as relevant from the CERT best practice structure, from the highest levels of management downwards to ensure a consistent approach to security across the organisation's infrastructure.

These guidelines provide a framework for helping an organisation protect itself from threats by making use of best practice under the five headings listed below (Allen, 2001):

1. Harden/Secure

This is the process of ensuring that the relevant parts of a network are configured only for the specific purpose they were intended to carry out. It requires that an organisation ensures all systems are fully patched and up to date and that careful consideration is given to the permissions of users within the system, and it recommends the installation and configuration of firewalls to prevent unauthorised access to the systems, which we will cover in more detail in the next part of this report.

2. Prepare

Ensure that the organisation has policies and procedures in place to manage new security threats which might arise, and employ tools and techniques to identify the risks.

3. Detect

Regularly review log files from the systems, including firewalls, for suspicious activity, and monitor network and system activity.

4. Respond

In the event of a security breach, collect as much data as possible, then terminate the unauthorised access and recover the data to its original state.

5. Improve

Finally, carry out improvements to the security systems employed, such as upgrading systems or making changes to firewall policies, which may have been identified in points 3 and 4 (Detect and Respond).

Now that we have a better understanding of the threats an organisation may face, we need to understand where these threats come from. Generally most threats can be placed into one of two categories:

Internal

The greatest internal threat to an organisation comes from its employees. For example, poorly secured systems could simply allow the accidental deletion of vital information by an employee or, more worryingly, a deliberate attack by a disgruntled employee who changes or removes data, which could allow criminal activities such as fraud to occur.

External

External threats are deliberate attempts to cause the maximum damage to an organisation's systems. They are normally carried out by hackers who are trying to cause system failures or to carry out some criminal activity such as fraud or espionage.

I think that the use of Allen's (2001) guidelines will help businesses protect themselves against both internal and external threats, but firewalls are really one of the only effective ways of protecting against external threats, as most firewalls do not operate within an organisation's systems but sit on the perimeter.

Romanoski (2002) defines firewalls as the main defence of a business's computer infrastructure against external threats, as they provide a barrier for data passing between two different networks. The firewall ensures that only network traffic defined as allowed in a security policy is permitted to flow into or out of the network controlled by that organisation.

This report agrees with Allen's (2001) findings that failure to protect data could lead to loss of money, adds the further risk of the loss of confidential information, and goes on to recommend firewalls as an effective solution for managing the threat from external parties.

The report explains that a firewall implements an organisation's security policy using a set of filters (rules) which can be applied to any network resource within the network to protect it. For example, if we have a web server which we wish external users to visit, we would first create a network resource on the firewall for the web server and then create a filter which allows only external users to connect to that web server. It also details how filters can be used to control internal users' access to resources outside the network, such as the internet (Romanoski, 2002).

Finally Romanoski (2002) states that firewalls need to be strategically positioned to act as a gateway for the network traffic between the internal and external networks.

It appears to me that both Allen (2001) and Romanoski (2001) have identified that businesses face threats online and that an organisation needs to devise an adequate security policy to mitigate the risk. Firewalls seem to be the recommended means of protecting an organisation from external threats, although they can also be used to control access to external resources by internal users.

In the next section of this report we will look at two specific types of firewall technology to get a better understanding of how they work:

Packet Filtering Firewalls

Packet filtering provides the most basic level of protection for a network and is generally considered the simplest to implement. Zalenski (2002) describes packet filtering as the inspection of network traffic against predefined criteria which can then be used to allow or deny access.

Romanoski (2001) adds that packet filtering works at the transport layer of the OSI model by analysing the IP packet, specifically the IP and transport layer headers and the direction of the packet, to see if it matches any rule within the firewall. Packet filtering allows an organisation to allow or deny access based on the following parts of the data packet:

The physical network interface on which the packet was received

Source IP Address

Destination IP Address

Type of transport layer protocol

Transport Layer Source Port

Transport Layer Destination Port

Cisco (2012) describes the process for a network packet entering a packet filtering firewall as:

Drop the network packet if no rule match is found.

Allow transmission if the matching rule permits the connection.

Drop the packet if the matching rule denies the connection.

Romanoski (2001) and Cisco (2012) believe that packet filtering is the least secure firewall technology, as it does not inspect the application layer of the data packet and does not keep track of connection states.

Examples of packet filtering firewall rules are detailed in the table below (Zalenski, Feb/Mar 2002):

Rule  Direction  Src Address  Dest Address  Protocol  Dest Port  Action
1     In         External     Internal      TCP       25         Allow
2     Out        Internal     External      TCP       25         Allow
3     In         External     Internal      TCP       80         Allow
4     In         External     Internal      TCP       23         Deny
5     Either     Any          Any           Any       Any        Deny

Rules 1 and 2 allow inbound and outbound communication with email servers to send and receive email. Rule 1 allows any external address to communicate through the firewall with our internal email server on port 25 using TCP as the protocol. Rule 2 allows communication from inside our network to email servers at any external address using TCP on port 25.

Rule 3 allows any external address to communicate with an internal web server on port 80 using TCP. Rule 4 denies any external request to connect to an internal telnet server (port 23) on the protected network. Finally, rule 5 is the catch-all rule described by Cisco (2012): any request for which no earlier matching rule can be found is denied.

All packet filtering firewalls work on a top-down basis, meaning that when a packet is received the firewall applies each rule in turn starting from rule 1 until one matches; if none of the specific rules match, the packet is caught by the catch-all rule 5 and denied.

It appears to me that packet filtering is quite a simple system to use and would offer some immediate protection to a network; all of the journals reviewed state that packet filtering is very fast at inspection and very cheap to implement (in some cases free). However, as stated by Romanoski (2001) and Cisco (2012), packet filtering does not work at the application layer, so there is a chance that specifically crafted data packets with a malicious payload could get through the firewall and cause problems at the application layer.
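To make the top-down, first-match behaviour concrete, the following is an added example (not code from the report or any of the cited papers) that loads the five rules from the table above and evaluates sample packets against them. The "Internal" and "External" zones stand in for the address columns; a real filter would match CIDR prefixes, and the payload field exists only to show that a packet filter never reads it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed model of a packet filter: only header fields are compared.
@dataclass(frozen=True)
class Packet:
    direction: str          # "In" or "Out" relative to the protected network
    src: str                # "Internal" or "External" (zone, not an address)
    dst: str
    protocol: str           # "TCP", "UDP", "ICMP", ...
    dport: int              # transport layer destination port
    payload: bytes = b""    # application data: carried, but never inspected here


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str          # "In", "Out" or "Either"
    src: str                # zone or "Any"
    dst: str
    protocol: str           # protocol or "Any"
    dport: Union[int, str]  # port or "Any"
    action: str             # "Allow" or "Deny"

    def matches(self, pkt: Packet) -> bool:
        # Every field is either a wildcard or must equal the packet's header value.
        return (
            self.direction in ("Either", pkt.direction)
            and self.src in ("Any", pkt.src)
            and self.dst in ("Any", pkt.dst)
            and self.protocol in ("Any", pkt.protocol)
            and self.dport in ("Any", pkt.dport)
        )


# Rules 1 to 5 exactly as in the table (Zalenski, 2002).
RULES: List[Rule] = [
    Rule(1, "In",     "External", "Internal", "TCP", 25,    "Allow"),
    Rule(2, "Out",    "Internal", "External", "TCP", 25,    "Allow"),
    Rule(3, "In",     "External", "Internal", "TCP", 80,    "Allow"),
    Rule(4, "In",     "External", "Internal", "TCP", 23,    "Deny"),
    Rule(5, "Either", "Any",      "Any",      "Any", "Any", "Deny"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Walk the rules from 1 downwards and act on the first one that matches.

    Returns (action, rule_number). If nothing matches at all (for example an
    administrator removed the catch-all rule), the packet is still dropped,
    which is the default Cisco (2012) describes.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.number
    return "Deny", None


if __name__ == "__main__":
    samples = [
        Packet("In",  "External", "Internal", "TCP", 25),   # rule 1: inbound mail
        Packet("Out", "Internal", "External", "TCP", 25),   # rule 2: outbound mail
        Packet("In",  "External", "Internal", "TCP", 23),   # rule 4: telnet denied
        Packet("In",  "External", "Internal", "UDP", 53),   # rule 5: catch-all
        Packet("Out", "Internal", "External", "TCP", 80),   # rule 5: no outbound web rule
        # Rule 3 allows port 80 whatever the payload contains, which is the
        # weakness the report attributes to packet filtering.
        Packet("In",  "External", "Internal", "TCP", 80,
               payload=b"GET /index.html HTTP/1.1\r\n\r\n"),
    ]
    for pkt in samples:
        action, number = evaluate(pkt)
        print(f"{pkt.direction:3} {pkt.protocol}/{pkt.dport:<3} -> {action} (rule {number})")
```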

Application Level Firewalls

Bryne (2006) describes application level firewalls as improving firewall security by providing additional application-specific information to enhance the overall IT security infrastructure.

Rowan (2007) states that most traditional firewalls cannot protect against attacks directed at an application if legitimate communication channels are used. The article argues that traditional firewalls such as packet filters can protect against very basic attacks, such as port and probe scans carried out to enumerate network information, but warns that carefully crafted attacks engineered against specific applications will be allowed through, as the network traffic will look legitimate to a packet filtering firewall.

The article justifies this argument by noting that if a firewall has been set to allow communication to, say, a web application over TCP on port 80, then traffic will be allowed through even if the data includes malicious code which could be used to attack that server. In fact, he states that most of the latest types of attack in use today, such as cross-site scripting, buffer overflows, denial of service and database injection, would all be able to bypass basic packet filtering firewalls (Rowan, 2007).

This is where application level firewalls come into play. They keep the existing strengths of packet filtering but add an extra level of protection by attempting to protect the published applications from these specifically crafted attacks.

Rowan (2007) defines application level protection as a firewall filter which allows granular control over which communication requests are allowed through to a specific application. He notes that specific tailoring of the security policy is needed to ensure the right level of protection, and that the responsibility for defining these filters should lie with the application developers rather than the network security team, as the developers have a much better understanding of what is required to protect the application.

Another description of application firewalls is that they provide some form of content filtering. The filtering works by intercepting data entering or leaving an application and comparing the traffic against specific rules defined in the security policy to determine whether the request is allowed or denied. For example, on inspection of the network traffic to a published web server the filter may discover that SQL commands have been included in the request which might be used to carry out a SQL injection attack; it can then deny access and record the attempt in the log files (Lipson & van Wyk, 2008).

Lipson & van Wyk (2008) suggest that this type of firewall could also offer the ability to learn about the types of attack being committed, by using the firewall as a form of "honeypot". This gives organisations the ability to record and then analyse the specific details of attacks being targeted at them without actually allowing the attack to inflict any damage on their systems.

As mentioned earlier, for the firewall to be effective in protecting against online threats some form of advanced application knowledge is required. This is achieved by making use of a database of known attacks, built either from the signatures of previous attack data or by looking for differences between the behaviour of network traffic passing into an application and what the application developer would expect to see; where it is different, further analysis is required (Lipson & van Wyk, 2008).

Rowan (2007) indicates that there are two security models which application developers can use to create the signatures used in application level firewalls:

Positive Security Model

This model uses a white list of accepted signatures. Only traffic which complies with the white list signatures will be allowed through the firewall.

Negative Security Model

This model uses a black list of attack signatures. In this approach traffic is allowed through the firewall unless it matches a black list signature.

It is recommended that both approaches are used together, otherwise certain types of attack will make it through the firewall, as the negative model will allow traffic to pass if it does not yet know about that particular attack.
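The following added example (my own illustration, not code from Rowan or any other cited source) applies both models to HTTP request lines for one hypothetical published URL, /product, and records denied attempts as Lipson & van Wyk describe. The white list, the black list and the sample requests are all constructed for the example; the black list is deliberately incomplete so that the gap the text warns about is visible.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Positive model: for each published path, the only shape each parameter may take.
WHITE_LIST: Dict[str, Dict[str, "re.Pattern[str]"]] = {
    "/product": {
        "id":   re.compile(r"\d{1,6}"),        # numeric product id only
        "sort": re.compile(r"(price|name)"),   # exactly one of two sort keys
    },
}

# Negative model: signatures of attacks known so far (constructed, incomplete).
BLACK_LIST: List["re.Pattern[str]"] = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),   # union-based SQL injection
    re.compile(r"<script\b", re.I),               # cross-site scripting tag
]

LOG: List[str] = []   # denied attempts are recorded for later analysis


def positive_model(path: str, params: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Allow only what the developer declared; anything else is denied."""
    expected = WHITE_LIST.get(path)
    if expected is None:
        return "Deny", f"path {path} is not a published application"
    for name, value in params:
        pattern = expected.get(name)
        if pattern is None:
            return "Deny", f"parameter {name!r} is not expected"
        if not pattern.fullmatch(value):
            return "Deny", f"parameter {name!r} does not match its white list"
    return "Allow", "every parameter matches the white list"


def negative_model(path: str, params: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Allow everything except traffic matching a known attack signature."""
    for name, value in params:
        for signature in BLACK_LIST:
            if signature.search(value):
                return "Deny", f"parameter {name!r} matches {signature.pattern!r}"
    return "Allow", "no known attack signature matched"


def inspect_request(request_line: str) -> Dict[str, str]:
    """Apply both models to one HTTP request line and combine the verdicts.

    As the report recommends, a request passes only if neither model objects,
    so an attack the black list does not know yet is still stopped by the
    white list.
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %20 etc.
    pos_action, pos_reason = positive_model(parts.path, params)
    neg_action, neg_reason = negative_model(parts.path, params)
    combined = "Allow" if pos_action == neg_action == "Allow" else "Deny"
    if combined == "Deny":
        LOG.append(f"DENY {method} {target}: positive={pos_reason}; negative={neg_reason}")
    return {"positive": pos_action, "negative": neg_action, "combined": combined}


if __name__ == "__main__":
    # Constructed sample requests to the published web server.
    for line in [
        "GET /product?id=42&sort=price HTTP/1.1",             # legitimate
        "GET /product?id=42%20UNION%20SELECT%201 HTTP/1.1",   # matches a known signature
        "GET /product?id=42%20OR%201=1 HTTP/1.1",             # not yet in the black list
    ]:
        print(line, "->", inspect_request(line))
    print("\n".join(LOG))
```

The third request shows the gap: the negative model alone would pass it, while the positive model denies it because the id is not purely numeric.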

Cisco (2012) adds that most application level firewalls also include specialist programs such as proxy services, which allow them to manage specific network traffic such as FTP or HTTP through the firewall. These programs are designed to offer more control over access and can carry out further validation checks on the data being transmitted, as each service is built specifically for the particular protocol it manages.

The proxy service is made up of two components: the proxy server and the proxy client. The server component acts as the firewall's published service as far as the end user is concerned. It takes the request from the end user and carries out various checks to see if the request is allowed, based on its rule table for the specific service it is managing. If the request is allowed, the data is passed to the client component, which connects to the real service on behalf of the end user and relays the returning data from the actual service to the proxy server, which in turn relays it back to the end user. As the proxy service is built for the specific protocol it is managing, requests which fail can be recorded for audit purposes and extra security such as user authentication can be added, which makes the process more secure (Cisco, 2012).

Khan (2011) considers that application level firewalls are very efficient, as they allow all network traffic passing through them to be inspected against the configured security policies, and because the firewall uses proxy services no direct communication between the end user and the published service is allowed, which decreases the risk of an attack being successful.

Comparison of Both Technologies

In this section we will uncover the strengths and weaknesses of each technology from the reviewed journals to help us determine if any one of the technologies is better at protecting business from online threats.

Romanoski (2001) indicates that administrators need to evaluate the potential trade-off between performance and security when selecting a firewall. In summary, this journal considers that packet filtering offers faster performance because it does not offer the same level of security that application level firewalls do.

Zalenski (2002) provides a more detailed comparison of each technology, giving his opinion on the advantages and disadvantages of both. For packet filtering he believes that it is the simplest to configure, has the widest range of products available on the market, and works for all applications as it operates at the network and transport layers of the OSI model. However, it is easier to compromise, in that malicious code can be embedded in legitimate traffic, and some organisations' security policies could not be enforced by packet filtering alone.

For application level firewalls he believes that they offer a higher level of security, as they do not allow direct communication between external users and internal applications, carry out more detailed analysis of the data being transmitted than packet filtering does, and have the ability to add extra layers of security to an application by making use of user authentication and by providing more comprehensive log files. The main issues with application level firewalls are that they do not support all types of connection, offer slower performance and require more detailed knowledge of the applications than packet filtering (Zalenski, Feb/Mar 2002).

Rowan (2007) offers a slightly different comparison, indicating that both technologies are useful in their own right. He goes on to state that packet filtering will protect networks from the more traditional attacks, whereas application firewalls can give an organisation a higher level of specialist security for the specific applications they use. However, businesses will need to test the firewalls regularly to ensure that they are offering the expected level of protection against the security policies they have put in place.

Another one of the journals indicated that packet filtering can have problems with published services that use random port numbers, as a packet filter rule must include the port numbers in order to block or allow the traffic; what happens where the port numbers are not clearly identified? It also states that with application firewalls, because of the specialised application knowledge required, perhaps not all of the major services are supported (Bellovin, 1994).

Cisco (2012) argues that although packet filtering offers faster processing speeds, the industry generally considers that application firewalls offer far better security.

One feature which is not present in packet filtering but is found within application firewalls is the ability to check content passed within the traffic being sent into or out of a system. For example, an application firewall can look for trigger words within email or attachments being sent and can block the email or attachment from being sent. This is now becoming a critical feature for most organisations (Cheswick, et al., 2008).

Another difference between the technologies can be observed when looking at encryption of network traffic. Some advanced types of attack may try to encrypt the data they transmit in order to mask the malicious nature of the payload. As noted earlier, the payload of a data packet is not inspected by a packet filtering firewall and could therefore get through to the service. However, application level firewalls are able to offer the opportunity to inspect, log and decide how to deal with the encrypted data within the traffic (Wright, et al., 2006).

Conclusions

Now that we have completed our review of the journals relating to packet filtering and application firewalls, we can consider the question of which technology offers the best protection for business against online threats.

This report has shown that online threats to businesses do indeed exist and that an organisation needs to build a comprehensive security policy to minimise the risks that these threats pose to it. Therefore providing a comprehensive firewall system that offers a higher level of defence against them is the way forward.

Interestingly, a lot of the articles that I reviewed, which were taken from multiple authors and over various time periods, suggest the same theme: although packet filtering is faster and cheaper to implement, it offers less protection than the slower but far more in-depth scanning that is available when an organisation chooses to implement application level firewalls.

This review showed that both technologies offer some benefits to businesses, but in general the consensus from each paper is that the main difference between them is the trade-off between performance and the level of security. In my opinion performance is a consideration that only needs to be made depending on the level of traffic passing through a firewall, whereas providing robust security is paramount.

Therefore I recommend that organisations should make use of application level firewalls where possible to protect any services they need to publish to the outside world, as this clearly offers more comprehensive protection against attack, and that they should develop their security policies using industry standard best practices, such as the CERT guidelines mentioned by Allen (2001), to provide a consistent approach to implementing them.

They should also carry out regular assessments of their security arrangements, as recommended in the article by Rowan (2007), which advises that organisations carry out frequent penetration tests to ensure that the policies they have in place are still valid and are actually working, as new vulnerabilities and attacks emerge every single day.

Finally, from my research there is nothing to suggest that you cannot use both of these technologies together, which in my opinion offers the highest level of protection that you can provide in your network. In fact, as an example of this, I operate both types of firewall on my workplace network: all incoming traffic initially passes through a packet filtering firewall, which is used to deter general attacks, and the allowed traffic is then passed on to an application firewall for further analysis before reaching the published services.
