Firewalls are another protective device for networks that stand in the way of a penetration tester or attacker. Firewalls represent a barrier or logical delineation between two zones or areas of trust. In its simplest form an implementation of a firewall represents the barrier between a private and a public network, but things can get much more complicated from there, as you’ll see in this section.
When discussing firewalls, it is important to understand how they work and where they sit on a network. A firewall is a collection of programs and services located at a choke point, the location where traffic enters and exits the network. It is designed to inspect all traffic flowing in and out and decide whether that traffic should be allowed to continue. In many cases the firewall is placed so that public-facing systems sit in a zone separate from key internal resources; if a public-facing system is compromised, the key resources are not directly exposed. With enough care, proper planning, and a healthy dose of testing, only traffic that is explicitly allowed will pass, with all other traffic dropped at the firewall (a default-deny policy).
Here are some details about firewalls to be aware of:
- Firewalls are not intrusion detection systems, but because all traffic between zones crosses them, they can log every connection they allow or deny, and those logs are a valuable input for detection.
- A firewall’s configuration is mandated by a company’s security policy and will change to keep pace with the goals of the organization.
- Firewalls are typically configured to allow only specific kinds of traffic, such as email, web, or remote access protocols.
- In some cases, a firewall's logs act much like a wiretap: they record attempts to connect into the network, which allows probes and attempted intrusions to be identified.
- A firewall uses rules that determine how traffic will be handled. Rules exist for traffic entering and exiting the network, and traffic allowed in one direction is not necessarily allowed in the other.
- For traffic that passes the firewall, the device commonly also acts as a router, guiding traffic flowing between networks (some firewalls instead operate transparently as a bridge and do not route).
- Firewalls can filter traffic based on a multitude of criteria, including destination, origin, protocol, content, or application.
- If malicious traffic attempts to pass the firewall, a properly configured alert will notify a system administrator or other party as needed.
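The rule behaviour listed above (ordered rules, per-direction matching, a default-deny fallback, and logging when a deny fires) is easiest to see in a small model. The following is an added example written for this page, not code from any firewall product or from the original text; the network addresses, rule set, and sample packets are constructed, and the stateful "reply traffic" handling is an assumption about how a typical stateful filter behaves rather than anything the list above specifies.

```python
"""Minimal model of a first-match, default-deny packet filter.
Added teaching example; addresses, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (toward the protected network) or "out"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; "0.0.0.0/0" matches any IPv4 address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    log: bool = False             # record an alert entry when this rule fires

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


Flow = Tuple[str, str, Optional[int], Optional[int], str]


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default          # default-deny: unlisted traffic is dropped
        self.flows: Set[Flow] = set()   # connections already allowed (stateful part)
        self.alerts: List[str] = []     # what an administrator would be paged about

    def evaluate(self, p: Packet) -> str:
        # Replies to a connection we already allowed pass without their own rule;
        # this is what lets a one-way rule work for two-way protocols such as TCP.
        reverse: Flow = (p.dst, p.src, p.dport, p.sport, p.proto)
        if reverse in self.flows:
            return "allow"
        for i, rule in enumerate(self.rules):      # first match wins, so order matters
            if rule.matches(p):
                if rule.log:
                    self.alerts.append(f"rule {i} {rule.action}: {p}")
                if rule.action == "allow":
                    self.flows.add((p.src, p.dst, p.sport, p.dport, p.proto))
                return rule.action
        self.alerts.append(f"default {self.default}: {p}")   # unmatched traffic is alerted on
        return self.default


INSIDE = "10.0.0.0/8"   # constructed: the protected network
MAIL = "10.0.1.25"      # constructed: mail relay reachable from outside
WEB = "10.0.1.80"       # constructed: public web server

POLICY = [
    Rule("in",  "allow", dst=MAIL, proto="tcp", dport=25),              # SMTP to the relay only
    Rule("in",  "allow", dst=WEB, proto="tcp", dport=443),              # HTTPS to the web server only
    Rule("out", "allow", src=INSIDE, proto="tcp", dport=443),           # browsing out
    Rule("out", "allow", src=INSIDE, proto="tcp", dport=22),            # SSH out, but never in
    Rule("out", "allow", src=MAIL, proto="tcp", dport=25),              # relay may send mail...
    Rule("out", "deny",  src=INSIDE, proto="tcp", dport=25, log=True),  # ...other hosts may not (alert)
    Rule("in",  "deny",  proto="tcp", dport=23, log=True),              # explicit telnet deny with alert
]


def run_samples() -> Tuple[Dict[str, str], List[str]]:
    """Evaluate constructed sample packets in order; returns verdicts and alerts."""
    fw = Firewall(POLICY)
    samples = {
        "smtp_to_relay":  Packet("in",  "203.0.113.9", MAIL, "tcp", 40001, 25),
        "ssh_inbound":    Packet("in",  "203.0.113.9", WEB, "tcp", 40002, 22),
        "ssh_outbound":   Packet("out", "10.0.5.7", "198.51.100.4", "tcp", 50001, 22),
        "ssh_reply":      Packet("in",  "198.51.100.4", "10.0.5.7", "tcp", 22, 50001),
        "relay_smtp_out": Packet("out", MAIL, "198.51.100.25", "tcp", 50002, 25),
        "host_smtp_out":  Packet("out", "10.0.5.7", "198.51.100.25", "tcp", 50003, 25),
        "telnet_inbound": Packet("in",  "203.0.113.9", WEB, "tcp", 40003, 23),
    }
    verdicts = {name: fw.evaluate(p) for name, p in samples.items()}
    return verdicts, fw.alerts


if __name__ == "__main__":
    results, alerts = run_samples()
    for name, verdict in results.items():
        print(f"{name:15s} {verdict}")
    print("alerts:", *alerts, sep="\n  ")
```

Two things to notice when reading the verdicts: `ssh_outbound` is allowed while `ssh_inbound` falls through to the default deny, which is the one-way rule behaviour the list describes, and `ssh_reply` is only allowed because the outbound connection was seen first (run the same reply packet against a fresh `Firewall` and it is denied). Rule order also matters: swapping the two outbound SMTP rules would cut off the mail relay.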