1.1. Security functions of network devices
Firewalls are security devices designed to control traffic and protect networks from each other they’re usually applied to protect high trust networks from low trust ones or to stop networks part of the same organisation but from different departments. They can be either hardware or software.
There are four different types of firewalls:
Packet filter Firewalls – uses the packet header to do basic traffic filtering usually based of the source and destination address, port numbers and protocols. They operate in the network and transport layers of the OSI model.
Circuit-level Gateways – filters traffic between internal trusted host and external untrusted host. It operates at the network and session layer of the OSI. This type of firewall ensures that the packets used to make the connection are used in the proper way. Once a connection is established no further filtering occurs.
Application level firewalls – filters traffic at the application layer of the OSI model, it bases its filtering on the user access, group membership, applications and services or even the type of resources being transmitted. This type of firewalls focuses on the characteristic of specific appliances and protocol combination and the type of content of the communication.
State full inspection firewalls – state full packet inspection (SPI) means that the firewall remembers the state of the connection or session (TCP/UDP), it automatically creates a rule for the reply packet based on the type of communication used. This rule stays as long as the connection remains; when the connection terminates the rule is deleted.
The first step taken when deploying firewalls is to create a firewall security policy, this policy states the scope of the firewall, the networks it needs to protect, the type of services, applications, devises, users that are allowed or disallowed.
Many firewalls have two or more NICs and thus they’re called dual-homed or multi-homed firewalls. The distinction of these firewalls is that for traffic to pass from one network to the other they most satisfy the rules on this firewall. Therefore in this way firewalls are able to provide a reliable and strong security.
Firewalls that have more than two NICs are able to dedicate one of these NICs to host DMZ devices; DMZs are zones containing devices that should be publicly available such as DNSs, Web, FTP servers, etc. It provides public but secure access to DMZ devices and prevents unauthorised access to private network. If this firewall is compromised then only the DMZ devices are at risk, while the private network remains secure to some extent unless the attacker manages to exploit the trust relationship of the devices to penetrate through the network.
Firewalls are unable to read or inspect encrypted data, thus if the port to enable VPN connections is open traffic dedicated to this port will go through the firewall without being inspected, which in a security point of view could provide a vulnerability.
Although routers are used to separate networks and route traffic from one network to the other they also act as packet filters and thus provide another layer of security. Routers uses rules like filters called Access Control Lists (ACLs).
Switches are used to connect devices to the network, unlike hubs switches doesn’t forward packets to all of the ports. When the destination MAC address is known it passes the packet to that port only, thus provides security against sniffing. However if the destination MAC is not known it passes the packet out to all of the ports except the one it originated from (ingress port). Ingress/egress means inbound/outbound traffic respectively.
This type of security (the switch provides) can be attacked physically/logically. If the attacker has physical access to the switch they can connect to the monitor/mirror port or configure the switch to see all data crossing it.
If the attacker only has logical access they can flood the switch with MAC addresses in an aim to push valid MAC addresses out of the switch’s MAC address table, which will make the switch to fall back to a fault tolerance hub behaviour mode transmitting data out of all ports. Thus the attacker will be able to see all of the data crossing the switch. Because the attacker has to attack the switch for the attack to succeed or sometimes attack the hosts with ARP flooding, the attack also known as active flooding. More advanced switches have a feature that acts like an IDS used to sense when this type of action is used and prevent it.
Load balancers are used to distribute the load to different links or devices, its main uses are to improve infrastructure utilisation, reduce bottlenecks, reduce response time, prevent overloading and enhance the performance of the network. The load is usually distributed to a server farm or cluster. Load balancers use different methods to balance the load.
Random – a destination is assigned to each packet or connection randomly.
Round-robin – a destination is assigned to each packet or connection in order (1, 2, 3, 4).
Load Monitoring – this basically based on the load, the device with lower load is assigned to the packet or connection.
Preferences – this method assigns destination to the connection or packet based on subjective preference or capacity difference. As an example let’s say that device 2 can handle more than device 1 and 3, therefore the destination would be assigned in this order 2, 1, 2, 3, 2, 1, 2, 3…. And so on.
Load balancer can be hardware or software. They can also have many other features that depend on the protocol, applications, caching, SSL (Secure Socket Layer) offloading, compression, error checking, filtering, buffering or even IDS and firewall capabilities.
Proxy servers can be application or circuit-level firewalls or a combination. These devices are used as a middleman between servers and clients. They serve as shield that filters unwanted traffic coming into or going out of the network. It replaces the clients IP address with its own external IP address using Network Address Translation (NAT). This hides the IP address of the network devices from external users. This adds some sort of security. In addition to this proxies can also provide caching, which aids in improving the response time to requests. This is because the proxy server already has the content requested in its cache and it doesn’t need to look for it and request it from other networks or servers on the internet.
Web Security Gateways
Web security gateways use URL and Keywords to monitor user’s web activity and block any activity that violates the organisation’s usage policy. These devices may also have malware scanning capabilities and non-web filtering features such as Instant Message (IM) filtering, email filtering, spam blocking and spoofing detection.