wa firewalls and how to build one
what are firewalls and how do they work
Imagine a firewall as a bouncer in front of a nightclub, checking peoples IDs to make sure they are over 18 and are not heavily intoxicated. Thats what your computer firewall does with incoming and outgoing traffic.
Firewalls follow rules such as ‘block packet from a specific IP address’. This is a technique called packet filtering, which will compare all packets being transmitted against the rules set in place.
Basic firewalls have a process to inspect data that is being transmitted. It begins with a rule evaluation like mentioned above, where the data packet is evaluated against the rules in place. The packet will be allowed to pass or blocked based on several factors such as source, destination, port, protocol.
whichever methology is applied depends on the type of firewall.
Stateful inspection firewalls will track the state of network connections. It maintains a table of active connections and allows or blocks packets based on their context within the connection. For example, if a packet is part of an established TCP connection, it may be allowed even if it would be blocked based on packet filtering rules alone.
Application filtering firewalls analyze the content of network packets to identify specific applications or protocols. They will block or allow traffic based on the application or protocol being used. For instance, a firewall might block all traffic from a particular web application to prevent unauthorized access.
DPI (deep packet inspection) which involves examining the contents of network packets in detail, often at the application layer. Which allows firewalls to identify and block malicious traffic based on specific patterns or signatures within the packet data.
IDS (intrusion detection system) which are often integrated with firewalls to enhance security. These systems monitor network traffic for signs of malicious activity, such as known attack signatures or anomalous behavior. When an IDS detects a potential threat, it can notify the firewall to block traffic from the offending source.
Decision making- The firewall makes a decision based on the criteria above.
allow- allow packet to pass
deny- deny packet to pass
inspect- the packet is subjected to further analysis
what are firewalls used to protect against?
Firewalls protect against unauthorised access, and cyber threats such as adversaries, malware, viruses. It protects against them exfiltrating and stealing data. We can protect networks by monitoring the flow of network traffic and in some cases taking action against it.
firewall and dmz architecture
In the diagram we have a firewall sitting between the internal network and external networks. Why do we have a demilitarised zone between those? A DMZ acts as a buffer between the internal and external network. Often mail and FTP servers that need to be accessible by the internet are placed in the DMZ, if one of those servers are compromised, its just the server and not the entire internal network. A demilitarised zone is kind of like our virtual sacrificial lamb.
This is an example of network segmentation, a technique used to secure defenses to reduce attack surface. Which ensures we have fewer points of entry in our network
Imagine the packet filter icons, as both our external and internal firewalls. External firewalls are placed round the perimeter, primarily to protect the internal network. Internal firewalls break down the network in smaller subnets which are easier to protect. If an attacker gains access to a network, internal firewalls prevent them from moving laterally across a network.
building a basic waf firewall with python in linux
To build our firewall, we are essentially defining a set of criteria to block or allow traffic onto ur web application. For a Web Application Firewall, we want to protect it against the most common attacks such as cross site scripting and SQL Injection attacks. So we want to build a firewall that will block signatures associated with these attacks.
common signatures associated with SQL Injection attacks: Error messages
Each block has its own function, we will need a block to import the necessary modules, a block to define the rules whether its block or allow sources or detect signatures associated with certain attacks.
A good Web Application Firewall should have a block to validate, respond, signature or anomaly detection. We can use flask library for web applications
Python For Advanced Web Application Firewall (WAF) - Code With C
We are going to build a basic WAF or web application firewall.
code explanation
These are the key components of our WAF (Web application Firewall)
Python Libraries
Flask- for building web applications
Werkzeug- For HTTP request and response (handle_request) function
IPython- for interactive development and testing
create a flask instance
Handle Requests- To process incoming requests
input validation- applies to expressions to validate request data against common expressions used in cross site scripting and SQL Injection attacks. (xssregex) is used to detect common patterns in cross site scripting such as (<,>). (sql_injection_regex) is used to detect common patterns associated with SQL injection attacks such as (SELECT|INSERT|UPDATE|DELETE|DROP|UNION|FROM|WHERE|OR|AND)'). The status code 400 is returned if these patterns are detected.
Block IPs- check for blocked ips. If the IP is in a blocked list it immediately returns the 403 abort code.
web application logic- lets say I’m writing my WAF for a blog