In this blog article I am going to explain important concepts related to firewalls and the interview questions that come up around them.
Q.1) What is a firewall? What is WAF? How is WAF different from iptables? Why might a WAF be a better solution?
Firewall
A software program that prevents unauthorized access to or from a private network. Firewalls are tools that can be used to enhance the security of computers connected to a network.
It is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
They scan data packets and make sure they don’t contain anything malicious.
It can be hardware, software or both.
Packet Filtering Firewall
Only checks the sender and receiver IP addresses and the port numbers.
Allowed addresses and ports are listed in Access Control Lists.
Already implemented in most routers.
Does not inspect the data portion (payload) of the packet.
Application/Proxy Firewall
Hides the internal hosts from attackers on the internet.
Does not disclose our IP address.
Checks the data packet payload as well. Hence, it is slower than a packet filtering firewall.
Hybrid Firewall
Combines a packet filtering firewall and an application firewall in series.
Web Application Firewall
Applies rules to HTTP conversations.
Allows or denies requests based on the expected input.
Helps prevent SQL injection.
It is an appliance or plugin that sits between the organization's network and its servers, directing the access to and from the application and its services. It monitors and filters out content that does not meet the firewall's more advanced criteria. It is able to specifically monitor and filter the contents of a specific web application.
A regular firewall typically looks at layer 3 and layer 4, such as the IP address and port. For HTTP requests, once "allow tcp port 80" is cleared, it is not interested in what is passed through.
A WAF works at layer 7 and is concerned with the content of the HTTP request. It prevents attacks such as cross-site scripting and SQL injection.
WAFs shield the web server from the kind of manipulated and malicious requests that attackers use to compromise it.
Iptables is an extremely flexible firewall utility for the Linux operating system.
It uses policy chains to allow or block traffic.
When a connection tries to establish itself, iptables looks for a matching rule; if it does not find one, it falls back to the chain's default policy.
Iptables uses three built-in chains: INPUT, OUTPUT and FORWARD.
INPUT chain: used to control the behavior of incoming connections.
FORWARD chain: used for incoming connections that are not delivered locally, i.e. packets routed through the host (e.g. a router).
OUTPUT chain: used for outgoing connections.
iptables --policy INPUT|OUTPUT|FORWARD ACCEPT|DROP (sets the chain's default action; -P is the short form)
ACCEPT - allow the connection
DROP - discard the packet without notifying the sender
REJECT - discard the packet and send an error back to the sender (REJECT is a rule target used with -j; a chain's default policy can only be ACCEPT or DROP)
iptables -A = append a rule to the end of a chain (chain names and targets are case-sensitive)
Rules are evaluated from the top of the chain to the bottom until one matches; if none matches, the default policy applies.
Example: block all connections from an IP address:
iptables -A INPUT -s 10.10.10.0 -j DROP
Block SSH connections from any IP address:
iptables -A INPUT -p tcp --dport ssh -j DROP
Use connection state matching when you want to allow two-way communication but only let one side open the connection (for example, accept replies to connections the host initiated without accepting new incoming ones).
Save the iptables config: sudo service iptables save
List the currently configured iptables rules: iptables -L
Clear all the rules: iptables -F
Packet and byte counters per rule: iptables -L -v
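As an added example (not from the original post), here is a shell script that builds the stateful default-deny ruleset the notes above describe: default policy DROP, replies to the host's own connections accepted through connection tracking, SSH limited to an admin network, HTTP open to all. The admin network 192.0.2.0/24 is a constructed placeholder, and the script prints the iptables commands rather than running them so the ruleset can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Builds a minimal stateful default-deny INPUT ruleset and prints the
# iptables commands instead of executing them (review first, then run as root).
# ADMIN_NET is a constructed placeholder for the trusted admin network.
ADMIN_NET="192.0.2.0/24"

build_rules() {
    # Start from an empty INPUT chain so re-running gives the same result.
    echo "iptables -F INPUT"
    # Loopback traffic is always local; blocking it breaks many services.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Stateful rule: accept packets belonging to (or related to) a connection
    # this host already has. This is the "two-way communication, one-way
    # connection" case: replies to outbound connections get in, but nothing
    # new does unless a later rule allows it.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Drop packets that belong to no valid connection (e.g. stray ACKs).
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # New SSH connections only from the admin network; new HTTP from anywhere.
    echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    # Default policy last, so the allow rules are in place before the lockdown.
    echo "iptables -P INPUT DROP"
}

# Number of commands that append a rule to INPUT.
count_append_rules() {
    build_rules | grep -c -- '-A INPUT'
}

# Prints "yes" if the SSH rule is restricted to ADMIN_NET, "no" otherwise.
ssh_restricted() {
    if build_rules | grep -- '--dport 22' | grep -q -- "-s $ADMIN_NET"; then
        echo yes
    else
        echo no
    fi
}

build_rules
```

Pipe the output to `sh` as root only after reviewing it; the final `-P INPUT DROP` will lock out any traffic not matched by the rules above it.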