Firewalld & UFW
Essential concepts in firewall management using Firewalld and UFW.
A firewall is a security control that governs the flow of traffic between networks by enforcing rules, often grouped into zones: logical areas, each with its own security policy. Services are predefined sets of ports and protocols that a firewall can allow or block by name, and a DMZ (Demilitarized Zone) adds a layer of isolation by keeping public-facing systems separated from the internal network. Stateful packet filtering tracks the state of each connection, so return traffic for a connection the host itself initiated can be admitted without a separate rule, while stateless packet filtering judges every packet on its own without connection context. Proxies provide indirect network connections for security and privacy, and Web Application Firewalls (WAF) and Next-Generation Firewalls (NGFW) add specialized inspection against modern threats.
Types of Firewalls
Firewalld
Firewalld uses zones to define how much a network connection is trusted, so different security settings can be applied to different kinds of connection (home, public, work). It is dynamic: rule changes are applied to the running firewall without restarting it and without dropping established connections. The configuration is kept in two sets, the runtime configuration and the permanent (on-disk) configuration, which is why most of the commands below take a --permanent flag.
Zones
Zones are a Firewalld concept (UFW has no equivalent). A zone is a named set of firewall rules that expresses the level of trust assigned to a network connection. Each network interface (or source address range) is bound to exactly one zone, and traffic arriving on it is evaluated against that zone's rules, so different security policies can be applied to different interfaces depending on how much you trust the network behind them.
Common Commands
firewall-cmd --state
Checks if Firewalld is running.
firewall-cmd --get-active-zones
Lists all active zones and the interfaces associated with them.
firewall-cmd --get-default-zone
Displays the default zone for new interfaces or connections.
firewall-cmd --set-default-zone=ZONE
Changes the default zone to the specified zone.
firewall-cmd --zone=ZONE --add-service=SERVICE
Allows a service (e.g., SSH, HTTP) in the specified zone.
firewall-cmd --zone=ZONE --remove-service=SERVICE
Removes a service from the specified zone.
firewall-cmd --zone=ZONE --add-port=PORT/PROTOCOL
Opens a specific port (e.g., 80/tcp) in the specified zone.
firewall-cmd --zone=ZONE --remove-port=PORT/PROTOCOL
Closes a specific port in the specified zone.
firewall-cmd --reload
Reloads the permanent configuration into the running firewall. Established connections are kept, but any runtime-only change (made without --permanent) is discarded, so either add --permanent to each change or follow up with --runtime-to-permanent before reloading.
firewall-cmd --list-all
Lists all the rules and settings of the default zone (add --zone=ZONE for another zone, or use --list-all-zones to see every zone).
firewall-cmd --permanent
Applies a change to the permanent (on-disk) configuration so it persists across reboots; used together with other commands. A permanent change does not affect the running firewall until firewall-cmd --reload.
firewall-cmd --runtime-to-permanent
Converts the current runtime configuration to a permanent one.
Zone example
- A public zone might have stricter rules, blocking most traffic except for essential services like web browsing.
- A home zone could allow more open traffic, such as file sharing, because the network is more trusted.
UFW
Uncomplicated Firewall (UFW) is a user-friendly front end for iptables that simplifies controlling network traffic by allowing or blocking connections. It is the firewall configuration tool shipped with Ubuntu and provides simple commands for setting up rules, which makes it a good fit for beginners. Despite its simplicity, it can express fairly complex rule sets.
Default Deny Policy
- By default, UFW denies all incoming connections and allows all outgoing ones, so every inbound service must be explicitly allowed. Because the underlying rules are stateful, replies to connections the host itself initiated are still accepted even though incoming traffic is denied.
Common Commands
sudo ufw status
Displays the current status of UFW (active or inactive) and the rules in force. sudo ufw status verbose also shows the default policies and logging level; sudo ufw status numbered numbers each rule so it can be deleted by number.
sudo ufw enable
Enables the UFW firewall.
sudo ufw disable
Disables the UFW firewall.
sudo ufw default deny incoming
Sets the default policy to deny all incoming connections.
sudo ufw default allow outgoing
Sets the default policy to allow all outgoing connections.
sudo ufw allow PORT
Allows traffic on a specific port (e.g., sudo ufw allow 22 to allow SSH). Without a protocol the rule matches both TCP and UDP; write 22/tcp to restrict it.
sudo ufw deny PORT
Denies traffic on a specific port.
sudo ufw delete allow PORT
Removes a previously allowed rule for a port; the rule must be spelled exactly as it was added. Alternatively, list rules with sudo ufw status numbered and remove one with sudo ufw delete N.
sudo ufw allow SERVICE
Allows traffic for a service by name (e.g., sudo ufw allow ssh). Names are resolved from /etc/services; application profiles listed by sudo ufw app list can be used the same way.
sudo ufw deny SERVICE
Denies traffic for a service by name.
sudo ufw allow from IP
Allows traffic from a specific IP address.
sudo ufw deny from IP
Denies traffic from a specific IP address.
sudo ufw allow proto PROTOCOL from IP to any port PORT
Allows traffic for a specific protocol, source IP, and port (e.g., sudo ufw allow proto tcp from 192.168.1.100 to any port 80).
sudo ufw reset
Disables UFW and resets its rules to the installation defaults; the firewall has to be re-enabled afterwards.
sudo ufw reload
Reloads UFW rules without disabling the firewall.
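As an added example, not code from the page or from the UFW project, the following script builds the default-deny baseline described above for a public web server (SSH rate-limited and reachable only from a management subnet, web ports open to all) and then audits a ufw status listing for rules that expose a port to Anywhere. The management subnet 10.0.0.0/24, the ports and the sample status output are constructed; with APPLY=1 the commands run through sudo ufw, otherwise the script only prints them.

```shell
#!/bin/sh
# Added example, not from the original page or the UFW project: a default-deny
# baseline for a public web server, plus an audit of `ufw status` output for
# rules that expose a port to the whole internet. The management subnet,
# ports and sample status output below are hypothetical/constructed.
set -eu

APPLY=${APPLY:-0}   # APPLY=1 runs ufw for real; the default only prints the plan

ufw_() {
    if [ "$APPLY" = 1 ]; then
        sudo ufw "$@"
    else
        printf 'ufw'; for a in "$@"; do printf " '%s'" "$a"; done; printf '\n'
    fi
}

# Default policies first, then the specific allows. Incoming is denied and
# outgoing allowed; connection tracking still admits replies to outbound
# connections. SSH uses `limit` (allow, but drop a source that opens more
# than 6 connections in 30 s) and is reachable only from the management net.
baseline() {
    mgmt_net=$1
    ufw_ default deny incoming
    ufw_ default allow outgoing
    ufw_ limit proto tcp from "$mgmt_net" to any port 22 comment 'ssh: management only, rate-limited'
    ufw_ allow proto tcp from any to any port 80,443 comment 'public web'
    ufw_ logging low
    ufw_ --force enable   # --force skips the "may disrupt existing ssh connections" prompt
}

# Audit `ufw status` output (stdin): flag ALLOW/LIMIT rules whose source is
# Anywhere and whose destination is not in the public allowlist. IPv6 rows are
# folded onto their IPv4 form first so both are checked the same way.
audit_status() {
    allowed=$1
    sed 's/ (v6)//g' | awk -v allowed=" $allowed " '
        BEGIN { bad = 0 }
        ($2 == "ALLOW" || $2 == "LIMIT") && $3 == "Anywhere" {
            if (index(allowed, " " $1 " ") == 0) {
                print "EXPOSED: " $1 " is open to Anywhere"; bad = 1
            }
        }
        END { exit bad }'
}

# Constructed `ufw status` listing (not captured from a real host): a database
# port was opened to Anywhere, which the audit should report.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       10.0.0.0/24                # ssh: management only, rate-limited
80,443/tcp                 ALLOW       Anywhere                   # public web
3306/tcp                   ALLOW       Anywhere
80,443/tcp (v6)            ALLOW       Anywhere (v6)              # public web'

baseline 10.0.0.0/24
printf '%s\n' "$SAMPLE_STATUS" | audit_status "80,443/tcp" || echo "ruleset drifted from policy"
```

Run the audit against a live host with `sudo ufw status | audit_status "80,443/tcp"`; because UFW stops at the first matching rule, keep narrow rules such as the management-only SSH rule ahead of any broader allow, and re-run the audit whenever someone adds a rule by hand.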
WAF
Web Application Firewall is a security system designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It helps prevent common web-based attacks like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) by analyzing the incoming and outgoing traffic and blocking malicious requests. Unlike traditional firewalls that focus on network security, a WAF specifically targets the security of web applications and can be an important part of a layered defense strategy.
More Sophisticated
WAFs are generally more sophisticated than Firewalld or UFW because they operate at the application layer (Layer 7) of the OSI model: they parse HTTP requests (URL, headers, cookies, body) rather than looking only at IP addresses and ports. Blocking a port is one thing; inspecting the content of every request is another, and it costs CPU and needs tuning to keep false positives from blocking legitimate users.
Quite a few
There are many Web Application Firewalls, some tied to a specific cloud platform or CDN and some (such as ModSecurity) self-hosted. Here is a list of popular ones:
- AWS WAF
- Cloudflare WAF
- F5 Advanced WAF
- Imperva WAF
- ModSecurity
- Barracuda WAF
- Sucuri WAF
- Akamai Kona Site Defender
- Fortinet FortiWeb
NGFW
Next-Generation Firewall is an advanced type of firewall that goes beyond traditional firewall features like packet filtering. It combines standard firewall capabilities with more advanced functionalities such as deep packet inspection (DPI), intrusion prevention systems (IPS), and application-level control. NGFWs can inspect and control traffic at a more granular level, allowing administrators to set security rules based on specific applications, users, or behaviors.
Features of a typical NGFW
- Deep Packet Inspection (DPI): Examines the content of data packets, not just their headers, allowing the firewall to identify and block threats hidden in the traffic.
- Intrusion Detection and Prevention System (IDS/IPS): Monitors network traffic for suspicious activity and can take action (like blocking or alerting) to stop attacks in real time.
- Application Awareness and Control: Recognizes and manages specific applications (e.g., Facebook, Skype) regardless of port or protocol, allowing for fine-grained traffic control.
- Advanced Malware Protection (AMP): Detects and blocks malware using both signature-based detection and behavioral analysis to prevent malware from entering the network.
- SSL/TLS Decryption: Decrypts encrypted traffic (HTTPS) for inspection to detect threats hiding inside secure channels. This requires the firewall's CA certificate to be trusted by the clients, and traffic from applications that pin their certificates cannot be inspected this way.
- User Identity Integration: Applies firewall rules based on user identity or group membership rather than just IP addresses, providing more flexible access control.
- Threat Intelligence Feeds: Uses real-time threat data from global databases to protect against emerging threats and malicious IP addresses or domains.
- Cloud-Delivered Security: Provides scalable and flexible cloud-based protection services such as sandboxing, traffic analysis, and updates for zero-day attacks.
- Virtual Private Network (VPN) Support: Allows secure, encrypted connections for remote users or between different networks (site-to-site or remote access VPNs).
- URL Filtering: Controls access to websites based on categories (e.g., social media, gambling) or specific URLs, helping enforce acceptable use policies.
- Quality of Service (QoS): Prioritizes certain types of traffic, ensuring that critical applications receive the necessary bandwidth and reducing congestion.
- Zero-Trust Network Segmentation: Implements policies based on strict access control, ensuring that users and devices only access the resources they are explicitly permitted.
- Sandboxing: Isolates suspicious files or code in a secure environment to detect malicious behavior without affecting the rest of the network.
- Logging and Reporting: Provides detailed logs and reports on network traffic, blocked threats, and firewall activity for auditing and troubleshooting.
NGFW Products
- Palo Alto Networks NGFW
- Cisco Firepower NGFW
- Fortinet FortiGate NGFW
- Check Point NGFW
- Sophos XG NGFW
- Juniper Networks SRX Series NGFW
- Barracuda CloudGen NGFW
- SonicWall NGFW
- WatchGuard Firebox NGFW
- Forcepoint NGFW
- pfSense (with the Snort or Suricata IDS/IPS packages)
Evaluation of Implementing a Web Application Firewall (WAF)
1. Introduction
This report has been prepared in response to a request to evaluate the suitability of implementing a Web Application Firewall (WAF) within our infrastructure. The aim of this report is to:
- Compare WAF technology with traditional firewall solutions currently implemented.
- Assess the benefits and limitations of each.
- Provide recommendations based on the findings.
2. Objectives
The key objectives of this evaluation are:
- To determine the suitability of WAF in enhancing our web application security.
- To identify potential risks and benefits associated with the deployment of WAF.
- To compare traditional firewall solutions with WAF in terms of functionality, security, and cost.
- To make recommendations based on the current and future needs of our IT infrastructure.
3. Comparison of Technologies
3.1 Traditional Firewalls (firewalld/ufw)
- Primary Function: Control and filter network traffic based on IP addresses, ports, and protocols.
- Strengths:
- Blocks unwanted connections at the network level.
- Suitable for general network protection.
- Easy to configure and manage.
- Limitations:
- Does not inspect web traffic at the application level.
- Cannot protect against specific web application attacks (e.g., SQL injection, XSS).
3.2 Web Application Firewalls (WAF)
- Primary Function: Protect web applications by filtering and monitoring HTTP/HTTPS traffic.
- Strengths:
- Protects against common web application vulnerabilities (e.g., SQL injection, XSS).
- Monitors web traffic to block malicious requests.
- Can provide real-time threat detection and logging.
- Limitations:
- May require more resources and specialized configuration.
- Focused solely on web applications, not general network traffic.
3.3 Key Differences
Feature | Traditional Firewall | Web Application Firewall (WAF) |
---|---|---|
Layer | Network (Layer 3/4) | Application (Layer 7) |
Traffic Type | IP, ports, protocols | HTTP/HTTPS, web requests |
Use Case | General network security | Web application protection |
Threat Coverage | Blocks IP-based threats | Mitigates web vulnerabilities (SQLi, XSS) |
Cost | Typically lower | Generally higher due to specialized focus |
4. Key Considerations for WAF Implementation
4.1 Security Benefits
- Enhanced protection against web-specific attacks.
- Ability to monitor and block suspicious activity in real-time.
- Added layer of security on top of traditional network firewalls.
4.2 Cost Analysis
- Initial Investment: The upfront cost of acquiring and configuring a WAF solution.
- Ongoing Costs: Maintenance, updates, and potential personnel training.
4.3 Operational Impact
- May require additional resources for setup, monitoring, and incident response.
- Potential need for collaboration between the security and development teams to ensure smooth integration.
5. Risk Assessment
- Without WAF: Increased vulnerability to web application-specific threats, such as cross-site scripting (XSS) and SQL injection, especially for critical applications.
- With WAF: Increased security for web applications but requires ongoing monitoring and adjustment to ensure performance and efficacy.
6. Recommendations
Based on the evaluation, I recommend the following:
- Implement a WAF: Due to the increasing reliance on web applications and the rise in web-based attacks, implementing a WAF would provide an essential layer of security.
- Maintain Traditional Firewalls: Existing firewalls should continue to be used for network-level protection alongside the WAF.
- Pilot Implementation: Begin with a limited deployment of WAF for high-risk applications to evaluate performance and cost before a full-scale rollout.
- Staff Training: Ensure the security and IT teams are trained in WAF management to maximize its effectiveness.
7. Conclusion
The implementation of a Web Application Firewall is a strategic move to protect our web applications from evolving security threats. While traditional firewalls remain crucial for network security, they cannot defend against the types of attacks WAFs are designed to mitigate. By implementing both WAF and traditional firewall solutions, we can ensure comprehensive security coverage across both network and application layers.
Definitions
- Firewall: A security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- Zone: A defined area within a network that contains systems with similar security requirements, separated by a firewall.
- Service: A specific type of network functionality, like HTTP or DNS, that can be allowed or blocked by a firewall.
- DMZ: A "Demilitarized Zone" is a network segment that serves as a buffer between a secure internal network and untrusted external networks.
- Proxy: A server that acts as an intermediary for requests between clients and servers, often used for filtering, security, or caching.
- Stateful packet filtering: A firewall feature that tracks the state of active connections and makes filtering decisions based on the connection's state.
- Stateless packet filtering: A type of firewall filtering that analyzes each packet independently without considering the state of the connection.
- WAF: A Web Application Firewall that protects web applications by filtering and monitoring HTTP/HTTPS traffic for threats like SQL injection and XSS.
- NGFW: A Next-Generation Firewall that combines traditional firewall functions with additional features like application awareness, integrated intrusion prevention, and advanced threat detection.