Hardware firewalls.

In the section on the question "What is a firewall, and where can it be located?", asked by the author Crooked, the best answer is: This is protection from any attempts to penetrate your computer and from any harmful programs. If it's standard Windows, you can find it in the Control Panel (Firewall).

Answer from Suck[guru]
Restart your computer


Answer from Flush[guru]
Read the readme.


Answer from Evil Hamster[guru]
The fire wall is translated. It is built into XP Service Pack 2. See Security Center.


Answer from Zaichena[master]
The firewall is fire on various devices. I think it’s in Victory Park, but I could be wrong.



Answer from *lix[expert]
A firewall (jargon: firewall, from the English word firewall) is a complex of hardware and/or software that controls and filters the network packets passing through it at various levels of the OSI model in accordance with specified rules. The main task of a firewall is to protect computer networks or individual nodes from unauthorized access. Firewalls are also often called filters, because their main task is not to allow through (to filter) packets that do not meet the criteria defined in the configuration.


Answer from User deleted[newbie]
firewall: a) software - a program for protecting and monitoring the network activity of a computer, i.e. from attacks from the network and the like.
b) hardware - if I’m not mistaken, the same thing, it’s not a program but an external device, by the way, a useful thing :)
firewall seems to be the same thing

31 Oct

What is a Firewall

A firewall is a computer program whose purpose is to protect your computer from viruses and. The firewall monitors network traffic entering the operating system and helps stop malware that tries to access the user's personal information. In addition, the term firewall has another definition: it is commonly used to describe fire-resistant load-bearing walls, which in theory should protect houses from fires in densely built-up areas.

What is a firewall, in simple words.

In simple words, a firewall is a special protective computer program that constantly inspects data received from and sent to the Internet. Figuratively speaking, it is a virtual wall that protects the computer from the dangers of the Internet: viruses, rootkits, spyware, etc. It is worth noting, though, that a firewall is neither the only nor the most reliable means of protecting your computer. As a rule, to ensure the greatest security, a firewall always works in conjunction with antivirus and anti-spyware software.

In most cases, the firewall is installed directly on the work machine (PC), but sometimes, as in various offices where there are many computers, the firewall is installed as a physical device (more on that later). Users of Windows operating systems do not need to install a firewall separately, since the OS comes with its own: Windows Firewall.

Firewall - how it works, in simple words.

Without going into complex technical details, the work of a firewall can be described as follows. When a user launches an Internet-related program such as a browser or a computer game, the computer connects to a remote website and sends information about the user's computer system. However, before data is sent or received, it passes through the firewall, where, depending on the configured parameters, the data is either passed or blocked.

Figuratively speaking, in the course of its work the firewall acts as a kind of border guard or customs officer who monitors everything that is exported from and imported onto the computer. Its responsibilities also include checking data packets for compliance with the required parameters. Thus, a firewall can help stop existing malware such as Trojan horses and other spyware from doing its job: in simple words, the firewall simply will not transmit the data collected by these programs to the Internet. But this, of course, is all in theory, since such malicious programs are constantly being improved and learn to deceive firewalls.

What is a hardware firewall, and how does it protect your network?

A hardware firewall is a physical device that connects a computer or network to the Internet using certain advanced techniques to protect against unauthorized access. Wired routers, broadband gateways and wireless routers include hardware firewalls that protect every computer on the network. Hardware firewalls use different types of security to protect the network: packet filtering, stateful packet inspection, network address translation, and application-level gateways.

A packet-filtering firewall checks all data packets sent to and from the system. It forwards data based on a set of rules defined by the network administrator. This hardware firewall inspects the packet header and filters packets based on source address, destination address, and port. If a packet does not comply with the rules or meets the blocking criteria, it is not allowed into the computer or network.

Dynamic packet filtering, or stateful packet inspection, is a more complex security method. This firewall tracks where a packet came from in order to decide what to do with it. It checks whether the data was sent in response to a request from inside, or whether it simply appeared on its own. Packets that do not match the recorded connection state are rejected.

Another way to ensure security is a network address translation (NAT) router. It hides a computer or a network of computers from the outside world by presenting a single public address for Internet access. The firewall's IP address is the only publicly valid address in this scenario, and it is the only IP address presented on behalf of all computers on the network. Each computer on the internal side of the network is assigned its own IP address, valid only within the network. This option is very effective because only one public IP address is used to send and receive packets, which in turn significantly reduces the opportunities for introducing malware. This hardware firewall is usually implemented on a separate computer on the network whose sole function is to run as a . It is quite complex and is considered one of the most secure types of hardware firewalls.
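To make the difference between the two filtering methods concrete, here is a toy stateful packet filter written for this page (it is an added example, not code from the article or from any firewall product). It applies static header rules first, then admits an inbound packet only when it is a reply to a flow that an inside host opened; the LAN prefix, rule set and packets are constructed sample data.

```python
"""Toy stateful packet filter.

Added illustration of the packet-filtering and stateful-inspection techniques
described above; it is not code from the page or from any firewall product.
The LAN prefix, rule set and packets are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out": LAN -> Internet, "in": Internet -> LAN
    syn: bool = False  # True for a TCP connection-opening packet


# Static rules checked in order, first match wins:
# (direction, destination port or None for any port, action).
STATIC_RULES = [
    ("in", 3389, "drop"),    # never expose RDP to the Internet
    ("out", 25, "drop"),     # no direct outbound SMTP (mass-mailing malware)
    ("out", None, "allow"),  # any other outbound traffic is permitted
]


def static_filter(pkt):
    """Stateless header check: 'allow', 'drop', or None when no rule matches."""
    for direction, port, action in STATIC_RULES:
        if pkt.direction == direction and (port is None or pkt.dport == port):
            return action
    return None


class StatefulFirewall:
    """Admits inbound packets only as replies to flows opened from inside."""

    def __init__(self):
        # Connection table of outbound flows: (src, sport, dst, dport).
        # Simplification: entries never expire; a real firewall ages them out.
        self.table = set()

    def process(self, pkt):
        verdict = static_filter(pkt)
        if verdict == "drop":
            return "drop"
        if pkt.direction == "out":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: look for the outbound flow this packet would be a reply to.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table and not pkt.syn:
            return "allow"
        return "drop"  # unsolicited inbound packet, e.g. a port-scan probe


# Constructed packets; 192.168.1.0/24 is the LAN, 198.51.100.0/24 is "outside".
SAMPLE_PACKETS = [
    Packet("192.168.1.10", 51000, "198.51.100.7", 443, "out", syn=True),  # open HTTPS
    Packet("198.51.100.7", 443, "192.168.1.10", 51000, "in"),            # server reply
    Packet("198.51.100.9", 40000, "192.168.1.10", 445, "in", syn=True),  # unsolicited SMB probe
    Packet("198.51.100.9", 40000, "192.168.1.10", 3389, "in"),           # RDP probe, static rule
    Packet("192.168.1.10", 52000, "198.51.100.9", 25, "out", syn=True),  # outbound SMTP, static rule
    Packet("198.51.100.7", 443, "192.168.1.11", 51000, "in"),            # "reply" to a host that never asked
]


def run_sample():
    """Return the firewall's verdict for each packet in SAMPLE_PACKETS."""
    fw = StatefulFirewall()
    return [fw.process(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```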

Basic problems with firewalls.

There are several common problems that may occur as a result of using a firewall. The most common is that, in addition to malware, the firewall often blocks normal traffic that we need. Some websites may have limited access or fail to open because they were misclassified. Problems quite often arise with network games, since the firewall frequently treats such traffic as malicious and blocks the programs from running. So, although a firewall is a very useful thing, it needs to be configured correctly so that its prohibitions do not get in the way.


Creating a secure system is a complex task. One of the security measures is the use of firewalls (also known as network screens or brandmauers). As we all know, firewalls come in software and hardware varieties. The capabilities of both are not limitless. In this article, we will try to figure out what both types of firewalls can and cannot do.

Software and hardware firewalls

The first step is to talk about what a software solution is and what a hardware solution is. We are all accustomed to the idea that if you buy some kind of hardware, the solution is called a hardware one, and if it is a box with software, that is a sign of a software solution. In our opinion, the difference between a hardware and a software solution is quite arbitrary. What is a hardware box? Essentially, it is the same computer, albeit with a different architecture and somewhat limited capabilities (you cannot connect a keyboard and monitor to it; it is "tailored" to perform one function), on which software is installed. The software is some version of a UNIX system with a "web face". The functions of a hardware firewall depend on the packet filter used (again, this is software) and on the web interface itself. All hardware firewalls can be "reflashed", which in essence simply means replacing the software. The process of updating the "firmware" on modern devices has little in common with real firmware flashing (which in the good old days was done with a programmer): the new software is simply written to the flash memory inside the device. A software firewall is software installed on an existing, ordinary computer. But a hardware firewall cannot do without software, and a software firewall cannot do without hardware. That is why the line between these types of firewalls is very arbitrary.
The biggest difference between a software and a hardware firewall isn't even functionality. Nothing stops you from choosing a hardware firewall with the necessary functions. The difference is in the way they are used. As a rule, a software firewall is installed on every PC in the network (on every server and on every workstation), whereas a hardware firewall protects not an individual PC but the entire network at once. Of course, no one will stop you from installing a hardware firewall for each PC, but it all comes down to money. Considering the cost of hardware, it is unlikely that you will want to protect every PC with a hardware firewall.

Benefits of Hardware Firewalls

Hardware firewalls have the following advantages:
  • Relative ease of deployment and use. You connect it, turn it on, set the parameters via the web interface and forget about its existence. However, modern software firewalls support deployment via Active Directory, which also does not take much time. But, firstly, not all firewalls support Active Directory, and secondly, enterprises do not always use Windows.
  • Dimensions and power consumption. Typically, hardware firewalls are smaller in size and require less power. However, energy consumption does not always play a role, but dimensions are important. A small compact box is one thing, a huge “system unit” is another.
  • Performance. Typically, the performance of a hardware solution is higher, if only because the hardware firewall is engaged only in its immediate function: packet filtering. It does not run any third-party processes or services, as is often the case with software firewalls. Just imagine that you have organized a software gateway (with firewall and NAT functions) on a server running Windows Server. It is unlikely that you will dedicate an entire server just to a firewall and NAT; that would be irrational. Most likely, other services will be running on it as well: AD, DNS, etc., not to mention the DBMS and mail services.
  • Reliability. It is believed that hardware solutions are more reliable (precisely because they rarely run third-party services). But no one is stopping you from selecting a separate system unit (even if not the most modern one), installing the same FreeBSD (one of the most reliable operating systems in the world) on it and setting up firewall rules. I think the reliability of such a solution will be no lower than in the case of a hardware firewall. But such a task requires advanced administrator qualifications, which is why it was previously noted that hardware solutions are easier to use.

Benefits of software firewalls

The benefits of software solutions include:
  • Price. The price of a software firewall is usually lower than that of a hardware one. For the price of an average hardware solution, you can protect your entire network with a software firewall.
  • Ability to protect your network from the inside. Threats do not always come from outside. There are many threats within a local network. Attacks can come from internal computers. Any LAN user, for example, dissatisfied with the company, can initiate an attack. As already noted, you can, of course, use a separate hardware router to protect each individual node, but in practice we have not come across such solutions. They are too irrational.
  • Possibility of delimiting local network segments without allocating subnets. In most cases, computers from different departments are connected to the local network, for example accounting, the financial department, the IT department, etc. These computers do not always need to communicate with each other. How do you separate the ISPDs (personal data information systems)? The first solution is to create several subnets (for example, 192.168.1.0, 192.168.2.0, etc.) and configure routing between these subnets appropriately. This is not to say that the solution is very complicated, but it is still more complicated than using a software firewall. And it is not always possible to separate subnets, for one reason or another. The second solution is to use a firewall designed specifically to protect ISPDs (not all software firewalls make it easy to separate ISPDs). In this case, even in the largest network, you can separate the ISPDs in a matter of minutes, and you will not have to bother with routing settings.
  • Possibility of deployment on existing servers. There is no point in buying another piece of hardware if there is a sufficient fleet of computers. It is enough to deploy a firewall on one of the servers and configure NAT and routing. Typically, both of these operations are performed through the firewall's GUI and come down to a few clicks in the right places.
  • Advanced functionality. As a rule, the functionality of software firewalls is wider than that of their hardware counterparts. So, some firewalls provide load balancing functions, IDS/IPS and similar useful things that can improve the overall security of the data processing system. Yes, not all software firewalls have these features, but there is nothing stopping you from choosing the firewall that suits your needs. Of course, some hardware systems also have such functions. For example, StoneGate IPS provides the functionality of an intrusion prevention system, but the cost of such solutions will not always please enterprise management. There are also hardware load balancers, but they are even more expensive than hardware IPS.
We won’t write about the disadvantages - they follow from the advantages. The advantages of one type of firewall are usually the disadvantages of another type. For example, the disadvantages of hardware solutions include the cost and impossibility of protecting the local network from the inside, and the disadvantages of software solutions include the complexity of deployment and use (although, as noted, everything is relative).
However, there is one disadvantage of hardware firewalls that is worth mentioning. As a rule, all hardware firewalls have a reset button, pressing which you can return the default settings. You do not need any special qualifications to press this button. But to change the settings of a software firewall, you need, at a minimum, to obtain administrator rights. With the click of a single button, a disgruntled employee can compromise the security of an entire enterprise (or leave the enterprise without access to the Internet, which is even better). Therefore, when using hardware solutions, you need to take a more responsible approach to the physical security of the devices themselves.

Battle of the Firewalls

Next, we will try to understand which firewall provides better protection: software or hardware. The hardware firewall will be the one built into a TP-Link router; the software firewall will be CyberSafe Firewall.
To test the firewalls, we will use utilities from the site www.testmypcsecurity.com, namely Jumper, DNStester and CPIL Suite (developed by Comodo). A word of warning: unlike certified tools such as XSpider, these utilities use the same techniques as the malware they simulate. That is why during testing (if you want to repeat the results) all antivirus protection tools must be deactivated.
One could, of course, consider XSpider, but this test would be too boring and uninteresting for the end reader. And who can imagine an attacker using a certified scanner?
Briefly about the utilities:
  • Jumper - allows you to bypass the firewall using the “DLL injection” and “thread injection” methods.
  • DNS Tester - Uses a recursive DNS query to bypass the firewall.
  • CPIL Suite - a set of tests (3 tests) from Comodo.

All these utilities will be launched from the inside, that is, directly on the computers being tested. From the outside, we will scan with the good old nmap.
So we have two computers. Both are connected to the Internet. One is connected through a hardware firewall (powered by a TP-Link router) and does not have a software firewall or antivirus installed. The second computer is connected to the Internet directly and is protected by the CyberSafe software firewall. The first computer has Windows 7 installed, the second has Windows Server 2008 R2.

Test 1: Jumper

Jumper, launched with administrator rights (to be honest, many users work with such rights), successfully completed its task in Windows 7 (Fig. 1). Nothing could stop it: after all, not a single security tool was installed on our system, no antivirus, no firewall, no IDS/IPS, and the hardware firewall doesn't care what happens on client computers. It cannot influence what is happening there in any way.


Fig. 1. Jumper in Windows 7

To be fair, it should be noted that if the user had not worked as an administrator, then nothing would have worked for Jumper.
In Windows Server 2008, Jumper did not even start, but this is not the merit of the firewall, but of the operating system itself. Therefore, there is parity between firewalls, since protection against this vulnerability can be provided by the operating system itself.

Test 2. DNStester

The purpose of this test is to send a recursive DNS query. By default, starting with Windows 2000, the Windows DNS Client service accepts and manages all DNS queries. Thus all DNS requests from all applications on the system are handed to the DNS client (SVCHOST.EXE), and the DNS request itself is made by the DNS client. DNStester uses a recursive DNS query to bypass the firewall; in other words, the request appears to come from the service itself.


Fig. 2. Test failed

With the firewall settings left at their defaults, neither the software nor the hardware firewall could handle this test. It is clear that a hardware firewall does not care what happens on the workstation, so it cannot be expected to protect the system from this vulnerability; at least not with the default settings (and they practically did not change).
But this does not mean that CyberSafe Firewall is a bad firewall. When the security level was raised to the third level, the test was passed completely (see Fig. 3): the program reported an error in the DNS request. To make sure that this was not due to Windows Server 2008, the test was repeated on a machine with Windows 7.


Fig. 3. Test passed (DNStest)

To be fair, it should be noted that if an antivirus is installed on the computer, then most likely this application will be quarantined, but it will still manage to send one request (Fig. 4).


Fig. 4. Comodo Antivirus blocked an unwanted application

Test 3. Test suite from Comodo (CPIL)

So, the hardware firewall with default settings failed all three CPIL tests (if you click on Tell me more about Test, a window appears explaining the principle of the test). But it failed them in a somewhat strange way. Passing the test involves the following sequence of actions:
  1. Enter the data to be transmitted. We entered the values 1, 2, 3 for tests 1, 2 and 3, respectively.
  2. Press one of the test buttons (Fig. 5).


Fig. 5. CPIL Test Suite

After this, the browser should open with the test results. In addition to the message that the test failed, the results page should have displayed the value we entered, which was passed to the script as a GET parameter (see Figure 6). It can be seen that the value (2 in the address bar) was passed, but the script did not display it. Comodo script bug? Of course, everyone makes mistakes, but our confidence in this test has diminished.


Fig. 6. Test result (hardware firewall)

With the software firewall, the CPIL tests did not even run: when pressing buttons 1 to 3, nothing happened (Fig. 7). Was this really due to Windows Server 2008 and not the firewall? We decided to check. So CyberSafe Firewall was installed on the Windows 7 computer protected by the hardware firewall. In Windows 7, the utility did manage to get through the firewall's defenses: the first and third tests were passed, but when we pressed the Test 2 button we were looking at a Chrome browser window similar to the one shown in Fig. 6.


Fig. 7. When you click the button, nothing happens (you can see that the antivirus is disabled)


Fig. 8. Tests 1 and 3 passed

Test 4. Scanning from outside

Up to this point we tried to break through the firewall from the inside. Now let's try to scan the systems protected by a firewall, using the nmap scanner. No one doubted the results for the hardware firewall: everything was closed, and it was impossible even to determine the type of system being tested (Fig. 9 and 10). In all subsequent illustrations, the IP addresses are hidden because they are permanent, so that no one is tempted to repeat the test on our addresses.


Fig. 9. Scanning the hardware firewall


Fig. 10. Hardware firewall scan (host details)

Now let's try to scan a system protected by a software firewall. It’s clear that by default the software firewall will allow anything and everything through (Fig. 11).


Fig. 11. Open ports (software firewall, default settings)


Fig. 12. System type determined (software firewall, default settings)

When the rules are set up, everything falls into place (Fig. 13). As you can see, a software firewall ensures the security of the protected system no worse than its “hardware” counterpart.


Fig. 13. No open ports

Local network attacks

Why is it so important to provide protection within the local network? Many administrators mistakenly do not pay attention to protection from the inside, but in vain. After all, many attacks can be implemented within a local network. Let's look at some of them.

ARP attack

Before connecting to the network, a computer sends an ARP request to find out whether its IP address is already in use. When there are several Windows machines on the local network with the same IP address, the user sees a window with a message stating that the IP address is busy (used by another computer). Windows learns that an IP address is busy via the ARP protocol.
An ARP attack involves an attacker flooding machines running Windows with such requests. Hundreds of requests are sent to each computer, so the user cannot close the constantly popping-up windows and is forced, at the very least, to restart the computer.
The situation is not very pleasant. But the presence of a firewall on the workstation negates all the efforts of the attacker.

DoS attacks, including various flood attacks

DoS (denial-of-service) attacks are possible not only on the Internet but also on local networks; only the methods of such attacks differ. The nature of DoS attacks can be anything, but it is impossible to fight them without a firewall installed on every machine on the local network.
One type of DoS attack that can be used successfully on a local network is an ICMP flood. CyberSafe Firewall contains dedicated tools to combat this type of attack (Fig. 14). It also contains server load balancing tools, which can also help against DoS attacks.


Fig. 14. ICMP security (CyberSafe Firewall)

Changing the MAC address

On a local network, computers are identified not only by IP address, but also by MAC address. Some administrators allow access to certain resources by MAC address, since IP addresses are typically dynamic and issued by DHCP. This solution is not very justified, since the MAC address is very easy to change. Unfortunately, it is not always possible to protect against MAC address changes using a firewall. Not every firewall tracks MAC address changes, as they are typically tied to IP addresses. The most effective solution here is to use a switch, which allows you to bind the MAC address to a specific physical port of the switch. It is almost impossible to deceive such protection, but it also costs a lot. True, there are also software ways to combat MAC address changes, but they are less effective. If you are interested in a firewall that can recognize MAC address spoofing, then pay attention to Kaspersky Internet Security 8.0. True, the latter can only recognize the substitution of the MAC address of the gateway. But it fully recognizes the substitution of a computer’s IP address and IP flooding.

IP address spoofing

In networks where access to resources is restricted by IP address, an attacker can change the IP address and gain access to the protected resource. When using CyberSafe Firewall, such a scenario is impossible, since there is no binding to IP addresses even for the firewall itself. Even if the computer's IP address is changed, it will still not become part of the ISPD that the attacker is trying to penetrate.

Routing attacks

This type of attack is based on sending "fake" ICMP packets to the victim. The essence of the attack is to spoof the gateway address: an ICMP packet is sent to the victim, informing it of a shorter route. In reality, the packets will then pass not through a new router but through the attacker's computer. As noted earlier, CyberSafe Firewall provides ICMP security. Other firewalls can be used in a similar way.

There are many other attacks on local networks - both sniffers and various attacks using DNS. Be that as it may, the use of software firewalls installed on each workstation can significantly improve security.
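The workstation-side attacks just described (ARP address conflicts, a gateway that suddenly answers from a different MAC, ICMP floods and ICMP redirects) all leave traces a host firewall or a small monitor can alert on. The detector below is an added example written for this page, not part of the article or of CyberSafe Firewall; the gateway address, the threshold and the capture it runs over are constructed.

```python
"""Detection logic for the LAN attacks described above: ARP/IP conflicts,
gateway MAC changes, ICMP redirects and ICMP echo floods.

Added example written for this page; it is not part of the original article
or of any firewall product. The capture is constructed: each event is
(timestamp_seconds, protocol, src_ip, src_mac, info).
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # hypothetical LAN gateway
ECHO_PER_SECOND = 50         # flood threshold chosen for the demo


def analyse(events):
    """Return (alert_type, detail) tuples in the order they are raised."""
    alerts = []
    ip_to_mac = {}                  # first MAC seen claiming each IP
    echo_counts = defaultdict(int)  # (src_ip, whole second) -> echo requests

    for ts, proto, src_ip, src_mac, info in events:
        if proto == "arp":
            known = ip_to_mac.setdefault(src_ip, src_mac)
            if known != src_mac:
                # The gateway changing MAC is the classic sign of MAC spoofing
                # aimed at intercepting traffic; for any other IP it is the
                # address conflict behind the Windows "IP address in use" popup.
                kind = "gateway-mac-change" if src_ip == GATEWAY_IP else "ip-conflict"
                alerts.append((kind, f"{src_ip}: {known} -> {src_mac}"))
        elif proto == "icmp":
            if info == "redirect":
                # On a LAN with a single gateway, hosts should never see redirects.
                alerts.append(("icmp-redirect", f"from {src_ip}"))
            elif info == "echo-request":
                key = (src_ip, int(ts))
                echo_counts[key] += 1
                if echo_counts[key] == ECHO_PER_SECOND:  # alert once per second
                    alerts.append(("icmp-flood", f"{src_ip} at t={int(ts)}s"))
    return alerts


# Constructed capture. Timestamps are seconds; all MAC addresses are made up.
SAMPLE_EVENTS = [
    (0.1, "arp", "192.168.1.1", "aa:aa:aa:00:00:01", "reply"),
    (0.2, "arp", "192.168.1.20", "bb:bb:bb:00:00:20", "reply"),
    (1.0, "arp", "192.168.1.1", "cc:cc:cc:00:00:99", "reply"),      # gateway IP now answered by another MAC
    (1.5, "icmp", "192.168.1.77", "cc:cc:cc:00:00:99", "redirect"),  # unexpected ICMP redirect
    (2.0, "arp", "192.168.1.20", "dd:dd:dd:00:00:21", "reply"),     # second host claims .20
] + [
    (3.0 + i / 100, "icmp", "192.168.1.99", "ee:ee:ee:00:00:99", "echo-request")
    for i in range(60)                                               # 60 pings within one second
]


def run_sample():
    """Run the detector over the constructed capture."""
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind:20} {detail}")
```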

Conclusions

Protection of an information system should be comprehensive: software and hardware firewalls, antivirus, and correct configuration of the system itself. As for our contest between software and hardware firewalls, the former are effective for protecting each network node, and the latter for protecting the network as a whole. A hardware firewall cannot protect each individual workstation, is powerless against attacks from within the network, and cannot separate ISPDs, which must be done in the context of protecting personal data.


Creating a secure system is a complex task. One of the security measures is the use of firewalls (also known as firewalls and firewalls). As we all know, firewalls come in software and hardware. The possibilities of both the first and second are not limitless. In this article, we will try to figure out what both types of firewalls can and cannot do.

Software and hardware firewalls

The first step is to talk about what is a software solution and what is a hardware solution. We are all accustomed to the fact that if you buy some kind of hardware, then this solution is called hardware, and if it is a box with software, then this is a sign of a software solution. In our opinion, the difference between a hardware and software solution is quite arbitrary. What is an iron box? Essentially, this is the same computer, albeit with a different architecture, albeit with slightly limited capabilities (you cannot connect a keyboard and monitor to it, it is “tailored” to perform one function), on which the software is installed. The software is some version of a UNIX system with a “web face”. The functions of a hardware firewall depend on the packet filter used (again, this is software) and the “web face” itself. All hardware firewalls can be “reflashed”, that is, in essence, simply replaced with software. And with real firmware (which in the good old days was done using a programmer), the process of updating the “firmware” on modern devices has little in common. New software is simply written to a flash drive inside the hardware. A software firewall is software that is installed on an existing ordinary computer, but in the case of a hardware firewall, you can’t do it without software, and in the case of a software firewall, you can’t do it without hardware. That is why the line between these types of firewalls is very arbitrary.
The biggest difference between a software and hardware firewall isn't even functionality. Nobody bothers you to choose a hardware firewall with the necessary functions. The difference is in the method of use. As a rule, a software firewall is installed on every PC in the network (on every server and on every workstation), and a hardware firewall provides protection not for an individual PC, but for the entire network at once. Of course, no one will stop you from installing a hardware firewall for each PC, but it all comes down to money. Considering the cost of hardware, it is unlikely that you will want to protect every PC hardware with a firewall.

Benefits of Hardware Firewalls

Hardware firewalls have the following advantages:
  • Relative ease of deployment and use. I connected it, turned it on, set the parameters via the web interface and forgot about its existence. However, modern software firewalls support deployment via ActiveDirectory, which also does not take much time. But, firstly, not all firewalls support ActiveDirectory, and secondly, enterprises do not always use Windows.
  • Dimensions and power consumption. Typically, hardware firewalls are smaller in size and require less power. However, energy consumption does not always play a role, but dimensions are important. A small compact box is one thing, a huge “system unit” is another.
  • Performance. Typically, the performance of a hardware solution is higher. If only because the hardware firewall is engaged only in its immediate function - packet filtering. It does not run any third-party processes or services, as is often the case with software firewalls. Just imagine that you have organized a software gateway (with firewall and NAT functions) based on a server running Windows Server. It is unlikely that you will dedicate an entire server just for a firewall and NAT. This is irrational. Most likely, other services will be running on it - the same AD, DNS, etc. I’m already silent about the DBMS and postal services.
  • Reliability. It is believed that hardware solutions are more reliable (precisely because they rarely run third-party services). But no one is stopping you from selecting a separate system unit (even if not the most modern one), installing the same FreeBSD (one of the most reliable operating systems in the world) on it and setting up firewall rules. I think the reliability of such a solution will be no lower than in the case of a hardware firewall. But such a task requires advanced administrator qualifications, which is why it was previously noted that hardware solutions are easier to use.

Benefits of software firewalls

The benefits of software solutions include:
  • Price. The price of a software firewall is usually lower than hardware. For the price of an average hardware solution, you can protect your entire network with a software firewall.
  • Ability to protect your network from the inside. Threats do not always come from outside. There are many threats within a local network. Attacks can come from internal computers. Any LAN user, for example, dissatisfied with the company, can initiate an attack. As already noted, you can, of course, use a separate hardware router to protect each individual node, but in practice we have not come across such solutions. They are too irrational.
  • Possibility of delimiting local network segments without allocating subnets. In most cases, computers from different departments are connected to the local network, for example, accounting, financial department, IT department, etc. These computers do not always need to communicate with each other. How to differentiate ISPDn? The first solution is to create several subnets (for example, 192.168.1.0, 192.168.2.0, etc.) and configure routing between these subnets appropriately. This is not to say that the solution is very complicated, but it is still more complicated than using a software firewall. And it is not always possible to distinguish subnets for one reason or another. The second solution is to use a firewall designed specifically to protect ISPD (not all software firewalls make it easy to distinguish between ISPD). In this case, even in the largest network, you will perform ISPD differentiation in a matter of minutes, and you will not have to bother with routing settings.
  • Possibility of deployment on existing servers. There is no point in buying another piece of hardware if there is a sufficient computer park. It is enough to deploy a firewall on one of the servers and configure NAT and routing. Typically, both of these operations are performed through the firewall GUI and are implemented with a few clicks in the right places.
  • Advanced functionality. As a rule, the functionality of software firewalls is wider than that of their hardware counterparts. So, some firewalls provide load balancing functions, IDS/IPS and similar useful things that can improve the overall security of the data processing system. Yes, not all software firewalls have these features, but there is nothing stopping you from choosing the firewall that suits your needs. Of course, some hardware systems also have such functions. For example, StoneGate IPS provides the functionality of an intrusion prevention system, but the cost of such solutions will not always please enterprise management. There are also hardware load balancers, but they are even more expensive than hardware IPS.
We won’t write about the disadvantages - they follow from the advantages. The advantages of one type of firewall are usually the disadvantages of another type. For example, the disadvantages of hardware solutions include the cost and impossibility of protecting the local network from the inside, and the disadvantages of software solutions include the complexity of deployment and use (although, as noted, everything is relative).
However, there is one disadvantage of hardware firewalls that is worth mentioning. As a rule, all hardware firewalls have a reset button which restores the default settings. No special qualifications are needed to press it. To change the settings of a software firewall, on the other hand, you need, at a minimum, to obtain administrator rights. With the click of a single button, a disgruntled employee can compromise the security of an entire enterprise (or leave the enterprise without access to the Internet, which is even better). Therefore, when using hardware solutions, you need to take a more responsible approach to the physical security of the devices themselves.

Battle of the Firewalls

Next, we will try to understand which firewall provides better protection: software or hardware. The hardware one is the firewall built into a TP-Link router; the software one is CyberSafe Firewall.
To test the firewalls, we will use utilities from www.testmypcsecurity.com, namely Jumper, DNStester and CPIL Suite (developed by Comodo). A word of warning: unlike certified tools such as XSpider, these utilities use the same techniques as the malware they simulate, so during testing (if you want to repeat the results) all antivirus protection must be deactivated.
One could, of course, consider XSpider, but this test would be too boring and uninteresting for the end reader. And who can imagine an attacker using a certified scanner?
Briefly about the utilities:
  • Jumper - allows you to bypass the firewall using the “DLL injection” and “thread injection” methods.
  • DNS Tester - Uses a recursive DNS query to bypass the firewall.
  • CPIL Suite - a set of tests (3 tests) from Comodo.

All these utilities will be launched from within, that is, directly from the computers being tested. From outside we will scan with the good old nmap.
So we have two computers. Both are connected to the Internet. One is connected through a hardware firewall (powered by a TP-Link router) and does not have a software firewall or antivirus installed. The second computer is connected to the Internet directly and is protected by the CyberSafe software firewall. The first computer has Windows 7 installed, the second has Windows Server 2008 R2.

Test 1: Jumper

Jumper, launched with administrator rights (to be honest, many users work with such rights), successfully completed its task in Windows 7 (Fig. 1). Nothing could stop it: not a single security tool was installed on our system (no antivirus, no firewall, no IDS/IPS), and a hardware firewall does not care what happens on client computers; it cannot influence what happens there in any way.


Fig. 1. Jumper in Windows 7

To be fair, it should be noted that if the user had not worked as an administrator, then nothing would have worked for Jumper.
In Windows Server 2008, Jumper did not even start, but this is not the merit of the firewall but of the operating system itself. So there is parity between the firewalls here, since protection against this vulnerability can be provided by the operating system itself.

Test 2. DNStester

The purpose of this test is to send a recursive DNS query. By default, starting with Windows 2000, the Windows DNS Client service accepts and manages all DNS queries, so all DNS requests from all applications on the system are sent to the DNS client (SVCHOST.EXE), and the DNS request itself is made directly by the DNS client. DNStester uses a recursive DNS query to bypass the firewall; in other words, the service calls itself.


Fig. 2. Test failed

With the firewall settings left at default, neither the software nor the hardware firewall could cope with this test. Clearly a hardware firewall does not care what happens on the workstation, so it cannot be expected to protect the system from this vulnerability, at least not with the default settings (and they were practically unchanged).
But this does not mean that CyberSafe Firewall is a bad firewall. When the security level was raised to level three, the test was passed completely (see Fig. 3): the program reported an error in the DNS request. To make sure that this was not down to Windows Server 2008, the test was repeated on a machine with Windows 7.


Fig. 3. Test passed (DNStest)

To be fair, it should be noted that if an antivirus is installed on the computer, then most likely this application will be quarantined, but it will still manage to send one request (Fig. 4).


Fig. 4. Comodo Antivirus blocked an unwanted application

Test 3. Test suite from Comodo (CPIL)

So, the hardware firewall with default settings failed all three CPIL tests (if you click on Tell me more about Test, a window appears explaining the principle of the test). But it failed them in a strange way. Passing a test involves the following sequence of actions:
  1. Enter the data to be transmitted. We entered the values 1, 2, 3 for tests 1, 2 and 3, respectively.
  2. Press one of the test call buttons (Fig. 5).


Fig. 5. CPIL Test Suite

After this, the browser should open with the test results. In addition to the message that the test failed, the results page should have displayed the value we entered, which was passed to the script as a GET parameter (see Fig. 6). You can see that the value (2 in the address bar) was passed, but the script did not display it. A bug in the Comodo script? Of course, everyone makes mistakes, but our confidence in this test has diminished.


Fig. 6. Test result (hardware firewall)

But with the software firewall, the CPIL tests did not even run: pressing buttons 1 to 3 did nothing (Fig. 7). Was it really the fault of Windows Server 2008 and not the firewall? We decided to check. CyberSafe Firewall was therefore installed on the Windows 7 computer protected by the hardware firewall. In Windows 7, however, the utility managed to break through the firewall's defences: the first and third tests were passed, but when we clicked the Test 2 button we had to contemplate a Chrome browser window similar to the one shown in Fig. 6.


Fig. 7. When you click the button, nothing happens (you can see that the antivirus is disabled)


Fig. 8. Tests 1 and 3 passed

Test 4. Scanning from outside

Before this we tried to break through the firewall from the inside. Now let's try to scan the systems protected by a firewall, using the nmap scanner. No one doubted the result for the hardware firewall: everything was closed and it was impossible even to determine the type of the system being tested (Fig. 9 and 10). In all subsequent illustrations the IP addresses are hidden, because they are permanent, so that no one is tempted to repeat the test on our addresses.


Fig. 9. Scanning the hardware firewall


Fig. 10. Hardware firewall scan (host details)

Now let's try to scan the system protected by the software firewall. Clearly, by default the software firewall lets anything and everything through (Fig. 11).


Fig. 11. Open ports (software firewall, default settings)


Fig. 12. System type determined (software firewall, default settings)

Once the rules are set up, everything falls into place (Fig. 13). As you can see, a software firewall secures the protected system no worse than its “hardware” counterpart.


Fig. 13. No open ports
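As an added example (not part of the article and not output from the authors' scans), here is the kind of check an administrator would run to confirm a result like Fig. 13 from the outside: parse nmap's greppable (-oG) output for two scans of the same host and list the ports that stopped being open after the firewall rules were applied. The scan output below is constructed, and 192.0.2.10 is a documentation address, not a real host.

```python
from typing import Dict, List, Tuple

# Constructed nmap -oG ("greppable") output for one host before and after
# firewall rules were applied. Not real scan output.
SCAN_BEFORE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

SCAN_AFTER = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (996)
"""

PortKey = Tuple[int, str]   # (port number, protocol)


def parse_grepable(text: str) -> Dict[str, Dict[PortKey, str]]:
    """Map host -> {(port, proto): state} from the 'Ports:' lines of -oG output.
    Each port entry has seven slash-separated fields:
    port/state/proto/owner/service/rpc/version."""
    hosts: Dict[str, Dict[PortKey, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            hosts.setdefault(host, {})[(port, proto)] = state
    return hosts


def open_ports(text: str) -> Dict[str, List[int]]:
    """Hosts with at least one open port, with the sorted list of those ports."""
    result: Dict[str, List[int]] = {}
    for host, ports in parse_grepable(text).items():
        opened = sorted(p for (p, _proto), state in ports.items() if state == "open")
        if opened:
            result[host] = opened
    return result


def newly_closed(before: str, after: str) -> Dict[str, List[int]]:
    """Ports open in the first scan that are no longer open in the second:
    concrete evidence that a firewall rule change took effect."""
    before_open, after_open = open_ports(before), open_ports(after)
    result: Dict[str, List[int]] = {}
    for host, ports in before_open.items():
        closed = sorted(set(ports) - set(after_open.get(host, [])))
        if closed:
            result[host] = closed
    return result


if __name__ == "__main__":
    print("open before:", open_ports(SCAN_BEFORE))
    print("open after: ", open_ports(SCAN_AFTER))
    print("closed by the rules:", newly_closed(SCAN_BEFORE, SCAN_AFTER))
```

Note that nmap reports "filtered" rather than "closed" when a firewall silently drops probes, which is exactly what distinguishes Fig. 13 from a host that merely has nothing listening.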

Local network attacks

Why is it so important to provide protection within the local network? Many administrators mistakenly pay no attention to protection from the inside, but in vain: many attacks can be carried out within a local network. Let's look at some of them.

ARP attack

Before connecting to the network, a computer sends an ARP request to find out whether its IP address is already in use. When several Windows machines on the local network have the same IP address, the user sees a window with a message stating that the IP address is busy (used by another computer). Windows learns that an IP address is in use via the ARP protocol.
An ARP attack involves an attacker flooding Windows machines with such requests. Hundreds of requests are sent to each computer, so the user cannot close the constantly popping-up windows and is forced, at the very least, to restart the computer.
The situation is not very pleasant. But the presence of a firewall on the workstation negates all the attacker's efforts.

DoS attacks, including various flood attacks

DoS (denial-of-service) attacks are possible not only on the Internet but also on local networks; only the methods differ. The nature of DoS attacks can be anything, but it is impossible to fight them without a firewall installed on every machine on the local network.
One type of DoS attack that can be used successfully on a local network is an ICMP flood. CyberSafe Firewall contains dedicated tools to combat this type of attack (Fig. 14). It also contains server load balancing tools, which can also help to combat DoS attacks.


Fig. 14. ICMP security (CyberSafe Firewall)

Changing the MAC address

On a local network, computers are identified not only by IP address but also by MAC address. Some administrators grant access to certain resources by MAC address, since IP addresses are typically dynamic and issued by DHCP. This is not well justified, since a MAC address is very easy to change. Unfortunately, it is not always possible to protect against MAC address changes with a firewall: not every firewall tracks MAC address changes, since it is typically tied to IP addresses. The most effective solution here is a switch that lets you bind a MAC address to a specific physical port of the switch. Such protection is almost impossible to deceive, but it also costs a lot. There are also software ways to combat MAC address changes, but they are less effective. If you are interested in a firewall that can recognise MAC address spoofing, look at Kaspersky Internet Security 8.0, although it can only recognise spoofing of the gateway's MAC address. It does, however, fully recognise spoofing of a computer's IP address and IP flooding.

IP address spoofing

In networks where access to resources is restricted by IP address, an attacker can change the IP address and gain access to the protected resource. With CyberSafe Firewall, such a scenario is impossible, since there is no binding to IP addresses even in the firewall itself. Even if the computer's IP address is changed, it still will not be included in the ISPD that the attacker is trying to penetrate.

Routing attacks

This type of attack is based on sending “fake” ICMP packets to the victim. The essence of the attack is to spoof the gateway address: an ICMP packet is sent to the victim informing it of a shorter route, but in fact the packets will pass not through the new router but through the attacker's computer. As noted earlier, CyberSafe Firewall provides ICMP security; other firewalls can be used in the same way.
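The two ICMP protections the text relies on, for the ICMP flood above and for the redirect-based routing attack here, as an added Python model that is not CyberSafe Firewall's code or any other product's: echo requests are rate-limited per source with a token bucket, and ICMP redirects are dropped outright, because a host's gateway should come from its configuration, not from a packet on the LAN. The rate, burst size and traffic sample are constructed assumptions, and the clock is injectable so the replay is deterministic.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

ICMP_ECHO_REQUEST = 8   # "ping"
ICMP_REDIRECT = 5       # "use this other gateway for that destination"


class IcmpPolicy:
    """Per-source token bucket for echo requests plus an unconditional drop of
    redirects. Constructed example; parameters are assumptions."""

    def __init__(self, rate_per_sec: float = 10.0, burst: int = 20,
                 now: Callable[[], float] = time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.now = now
        self.buckets: Dict[str, Tuple[float, float]] = {}   # src -> (tokens, last refill time)
        self.dropped: Dict[str, int] = defaultdict(int)

    def _take_token(self, src: str) -> bool:
        """Refill the source's bucket for the time elapsed, then spend one token."""
        t = self.now()
        tokens, last = self.buckets.get(src, (float(self.burst), t))
        tokens = min(float(self.burst), tokens + (t - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, t)
            return True
        self.buckets[src] = (tokens, t)
        return False

    def decide(self, src: str, icmp_type: int) -> str:
        # A host should never change its route because a LAN peer said so: the
        # legitimate gateway is configured, not learned from ICMP.
        if icmp_type == ICMP_REDIRECT:
            self.dropped[src] += 1
            return "drop"
        # Pings are answered only while the sender stays under its budget.
        if icmp_type == ICMP_ECHO_REQUEST and not self._take_token(src):
            self.dropped[src] += 1
            return "drop"
        return "accept"


# Constructed traffic: (seconds since start, source, ICMP type). A burst of 25
# pings from one host, a redirect from a second, one ping from a third, then
# the flooder again one second later.
SAMPLE_EVENTS: List[Tuple[float, str, int]] = (
    [(0.0, "192.168.1.66", ICMP_ECHO_REQUEST)] * 25
    + [(0.2, "192.168.1.77", ICMP_REDIRECT)]
    + [(0.5, "192.168.1.5", ICMP_ECHO_REQUEST)]
    + [(1.0, "192.168.1.66", ICMP_ECHO_REQUEST)] * 12
)


def replay(events, rate_per_sec: float = 10.0, burst: int = 20) -> Dict[str, Dict[str, int]]:
    """Run the policy over timestamped events; return accept/drop counts per source."""
    clock = [0.0]
    policy = IcmpPolicy(rate_per_sec, burst, now=lambda: clock[0])
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, src, icmp_type in events:
        clock[0] = ts
        counts[src][policy.decide(src, icmp_type)] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, c in replay(SAMPLE_EVENTS).items():
        print(src, c)
```

With a burst of 20 and a refill rate of 10 per second, the flooder gets 20 of its first 25 pings through, then 10 of the 12 it sends a second later; the legitimate host's single ping is unaffected because buckets are per source.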

There are many other attacks on local networks, from sniffers to various attacks using DNS. Be that as it may, using software firewalls installed on each workstation can significantly improve security.

Conclusions

Protection of an information system must be comprehensive: software and hardware firewalls, antiviruses, and proper configuration of the system itself. As for our confrontation between software and hardware firewalls, the former are effective for protecting each network node, and the latter for protecting the network as a whole. A hardware firewall cannot protect each individual workstation, is powerless against attacks within the network, and also cannot separate ISPDs, which is required in the context of protecting personal data.


Globalization and the communication opportunities that the Internet provides attract not only private but also corporate users to global information networks. Very often they become targets for attackers who use confidential information for personal gain. Every year, organizations that choose to transmit sensitive data over global networks lose huge amounts of money because of the large number of attacks, which are unfortunately successful. The goal of developing the Internet was to create a system designed for the free exchange of data, and lovers of easy money immediately began to take advantage of this. Via the Internet one can:

  • break passwords and penetrate the organization’s internal network, where it is not difficult to find secret information;
  • copy confidential data;
  • find out server addresses and passwords and more.

To solve this problem, hardware firewalls were proposed; more commonly they are simply called firewalls. A firewall is a set of hardware and software that allows a network to be divided into several parts and the network packets crossing the boundary from one part to another to be monitored and protected. Typically such a boundary is created between the internal network of an enterprise and the global Internet, but in some cases it can be created between departments of the same corporate network.

Firewalls must cover specific areas of the corporate network. In general terms, these are:

  • filtering at the network level;
  • filtering at the application level;
  • setting up filtering rules, administration;
  • network authentication tools;
  • setting up logs and keeping records.

Classification of firewalls

It is customary to distinguish the following classes of protective firewalls:

  • filtering routers;
  • session level gateways;
  • application level gateways.

Filter routers

They filter incoming and outgoing packets using the data contained in the TCP and IP headers. IP packets are selected using the following groups of packet header fields:

  • sender's IP address;
  • recipient's IP address;
  • sender port;
  • recipient port.

Some routers also check which network interface of the router the packet arrived on. This data is used for more detailed filtering, which can be performed in different ways, for example by blocking connections to certain ports or hosts.

Filtering rules for routers are difficult to create. There is no way to check their correctness other than slow and labour-intensive manual testing. The disadvantages of filtering routers also include the following:

  • the internal network is visible from the Internet;
  • complex routing rules require excellent knowledge of TCP and UDP;
  • when a firewall is compromised, all computers on the network become defenceless or inaccessible.

But filtering routers also have a number of advantages:

  • low cost;
  • flexible definition of filtering rules;
  • low latency when working with packets.
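To make the filtering-router idea concrete, and to illustrate the subnet-free separation of departments discussed earlier among the benefits of software firewalls, here is an added Python example; it is not code from the article or from any product it mentions. Packets are evaluated against an ordered rule set keyed on the four header fields just listed plus the protocol, first match wins, and anything unmatched is denied. The addresses, departments and expected decisions are constructed assumptions. Writing the expected decisions down as a table gives a mechanical check of the rule set, and the last rule shows why a stateless filter leaves the internal network visible: replies must be let back in, and the only field the filter can key on is a source port the remote side chooses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a filtering router can see (constructed model)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One filtering rule; None in a field means 'match anything'."""
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed network plan (assumption, not from the article): accounting is
# 192.168.1.0/24 with its file server at 192.168.1.10, IT is 192.168.2.0/24,
# and anything outside 192.168.0.0/16 is the Internet.
RULES = [
    # IT may administer the accounting file server over SSH, nothing else.
    Rule("allow", src="192.168.2.0/24", dst="192.168.1.10", proto="tcp", dport=22),
    # Otherwise the two departments cannot talk to each other at all.
    Rule("deny", src="192.168.2.0/24", dst="192.168.1.0/24"),
    Rule("deny", src="192.168.1.0/24", dst="192.168.2.0/24"),
    # Everyone may open outbound HTTPS.
    Rule("allow", src="192.168.0.0/16", proto="tcp", dport=443),
    # A stateless filter has to let the HTTPS replies back in, and the only
    # header field it can key on is source port 443, which the remote side
    # chooses freely. This is the classic weakness of filtering routers.
    Rule("allow", dst="192.168.0.0/16", proto="tcp", sport=443),
]

# Expected decisions, written down before deployment so the rule set can be
# checked mechanically instead of by hand.
EXPECTED: List[Tuple[Packet, str]] = [
    (Packet("192.168.2.20", "192.168.1.10", "tcp", 50000, 22), "allow"),
    (Packet("192.168.2.20", "192.168.1.10", "tcp", 50000, 445), "deny"),
    (Packet("192.168.1.5", "10.0.0.1", "tcp", 40000, 443), "allow"),
    (Packet("192.168.1.5", "10.0.0.1", "tcp", 40000, 80), "deny"),
    (Packet("192.168.1.5", "192.168.2.20", "icmp"), "deny"),
]


def check_policy(rules: List[Rule], expected) -> List[Tuple[Packet, str, str]]:
    """Return (packet, wanted, got) for every expectation the rule set violates."""
    failures = []
    for pkt, wanted in expected:
        got = filter_packet(rules, pkt)
        if got != wanted:
            failures.append((pkt, wanted, got))
    return failures


def stateless_reply_hole() -> str:
    """Why the reply rule is dangerous: an external host that uses source port
    443 reaches the SMB port on the accounting server through a stateless filter."""
    return filter_packet(RULES, Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 445))


if __name__ == "__main__":
    print("policy violations:", check_policy(RULES, EXPECTED))
    print("external :443 -> file server :445 is", stateless_reply_hole())
```

The `stateless_reply_hole` result is the motivation for the session-level gateways described next: a filter that remembers which connections the inside opened can admit replies without a blanket source-port rule.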

Session Gateways

These are TCP connection translators. The gateway processes an authorized client's request for a specific service, verifies that the session is valid and establishes a connection to the external host. The gateway then copies packets in both directions without filtering them. The destination is usually set in advance; there may be several sources. Thanks to the variety of ports, different connection configurations can be set up. With a gateway, a TCP translator can be created for any service that works over a TCP connection.

The gateway decides whether a request for a communication session is admissible according to certain rules. First, an authorized client requests access to a specific service. The gateway accepts the request and checks that the client meets the basic filtering parameters. If everything is in order, the gateway establishes a connection with the external host. Next, the TCP handshake procedure is monitored. If the gateway determines that the client and the external host are authorized, the connection proceeds. During data transfer, the gateway maintains a table of established connections and passes only data that belongs to one of the communication sessions listed in the table. After the session ends, the connection is torn down and the corresponding entry is erased from the table.
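The session life-cycle just described, written out as an added Python model that is not the article's code and not any real gateway: a table of established connections keyed by the client and server address pairs, a state that advances only through the expected handshake segments, copying in both directions once established, and removal of the entry when both sides have sent FIN (or either side sends RST). The internal network, the allowed service ports and the segment sequence are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Segment:
    """The parts of a TCP segment the gateway looks at (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: Set[str]      # subset of {"SYN", "ACK", "FIN", "RST"}


Key = Tuple[str, int, str, int]   # (client, client port, server, server port)


class SessionGateway:
    """Circuit-level gateway: admits a session only when an authorized internal
    client opens it to an allowed service, watches the handshake, then copies
    segments of tracked sessions in both directions until the session ends."""

    def __init__(self, internal_net: str, allowed_dports: Set[int]):
        self.internal = ipaddress.ip_network(internal_net)
        self.allowed = set(allowed_dports)
        self.table: Dict[Key, str] = {}          # the table of established connections
        self.fins_seen: Dict[Key, int] = {}

    def _lookup(self, seg: Segment) -> Tuple[Optional[Key], str]:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)   # client -> server
        rev = (seg.dst, seg.dport, seg.src, seg.sport)   # server -> client
        if fwd in self.table:
            return fwd, "out"
        if rev in self.table:
            return rev, "in"
        return None, ""

    def _is_authorized_open(self, seg: Segment) -> bool:
        return (seg.flags == {"SYN"}
                and ipaddress.ip_address(seg.src) in self.internal
                and ipaddress.ip_address(seg.dst) not in self.internal
                and seg.dport in self.allowed)

    def _forget(self, key: Key) -> None:
        self.table.pop(key, None)
        self.fins_seen.pop(key, None)

    def handle(self, seg: Segment) -> str:
        key, direction = self._lookup(seg)
        if key is None:
            # Unknown 4-tuple: the only thing admitted is a fresh, authorized SYN.
            if self._is_authorized_open(seg):
                self.table[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN_SENT"
                return "allow"
            return "deny"

        state = self.table[key]
        if "RST" in seg.flags:                  # either side aborts: drop the entry
            self._forget(key)
            return "allow"
        if state == "SYN_SENT":                 # expect the server's SYN-ACK
            if direction == "in" and seg.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            return "deny"
        if state == "SYN_RECEIVED":             # expect the client's final ACK
            if direction == "out" and seg.flags == {"ACK"}:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"
        # ESTABLISHED: copy without inspecting payload; a FIN from each side closes it.
        if "FIN" in seg.flags:
            self.fins_seen[key] = self.fins_seen.get(key, 0) + 1
            if self.fins_seen[key] >= 2:
                self._forget(key)
        return "allow"

    def active_sessions(self) -> int:
        return len(self.table)
```

The point to notice against the filtering-router model: an inbound segment that merely carries a plausible source port (443) and ACK flag is denied, because no table entry exists for it; only the inside can create entries, and only by starting a handshake to a permitted service.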

Application Layer Gateways

For more reliable protection, firewalls use filtering applications for services such as Telnet and FTP. Such an application is called a proxy service or, in other words, an application level gateway. With this type of gateway, direct communication between an authorized client and an external host is not possible; filtering is carried out at the application level.

When the gateway detects a network session, it intercepts it and brings in a dedicated application to service it. Application level gateways provide reliable protection, since interaction with the external network takes place through a small number of authorized applications, which strictly control incoming and outgoing traffic. Each network service requires its own application.

Pros of using an application layer gateway:

  • invisibility of the protected network from the Internet;
  • efficient and secure authentication and registration;
  • optimal ratio of cost and level of protection;
  • simple filtering rules;
  • possibility of installing additional checks.

Hardware firewalls

Hardware firewalls filter packets using their own operating system, specially provided by the developers.

For a hardware firewall to work correctly, it must be installed, connected and configured properly. The simplest firewall is a device that includes a set of applications for centralizing access control and protecting information. The main functions of a hardware firewall are the same as those of software ones: packet analysis, traffic filtering and redirection, connection authentication, blocking of protocol content, and data encryption.

Often, to increase security, several hardware firewalls have to be installed. Firewalls of different types can be combined into one system. Using firewalls with different structures based on different architectures allows a higher level of protection to be created.

Creating firewalls in corporate networks

If you need to build a reliable corporate or local network, the following problems must be solved:

  • network protection from unauthorized remote access using the global Internet;
  • protecting network configuration data from global network visitors;
  • separation of access to a corporate or local network from a global one and vice versa.

To ensure the security of the protected network, various firewall creation schemes are used:

Firewall as a filtering router: the simplest and most common option. The router sits between the network and the Internet. Protection is based on analysis of the addresses and ports of incoming and outgoing packets.

Firewall using a two-port gateway: a host with two network interfaces. The main filtering of the data exchange is carried out between these ports. A filtering router can be added to increase security; in this case an internal screened network is formed between the gateway and the router, which can be used to host an information server.

Firewall with a screened gateway: high management flexibility but insufficient security. It differs in having only one network interface. Packet filtering can be set up in several ways: either internal hosts are allowed access to the global network only for selected services, or all connections from internal hosts are blocked.

Firewall with a screened subnet: two screening routers are used to create it. The external one is installed between the screened subnet and the Internet, the internal one between the screened subnet and the internal protected network. A good option for security with significant traffic and high speed.
