The ABCs of Network Visibility: Firewalls
The term firewall comes from the construction industry where it describes a fire-resistant barrier intended to prevent or slow the spread of fire through a structure. In the digital world, a firewall is a security system that monitors and controls incoming and outgoing traffic based predominately on security rules.
FUNCTION OF A FIREWALL
A firewall can consist of software, hardware, or both, and is used to filter data communications entering and leaving a private network or computer system. If a packet of information does not satisfy the parameters programmed into the firewall, the packet can be stopped before it crosses the threshold or can be sent to another device for further analysis. Firewalls are customizable, which means you can add or remove filters as conditions change, though most commercially-available firewalls come with already established settings. For every type of firewall, there is a risk that vulnerabilities in their particular configurations, filters, or processes may allow an attacker to gain control over the firewall and get access to the network or host. This underlines the importance of keeping all firewall software updated.
KEY TYPES OF FIREWALLS AND ADVANTAGES
Host-based. This type of firewall is installed on each individual server and controls traffic into and out of that machine. This function may be available inside the operating system, such as with Microsoft Windows and Linux. Host-based firewalls provide backup protection in the event perimeter security fails and protection against threats from inside the organization. A host-based firewall can also be configured to support a single type of application and block everything else, for a very specific type of defense.
Next generation firewalls. NGFWs evolved to go beyond the port and destination focus of first-generation firewalls, to perform the deep packet inspection needed to effectively secure applications. Today, nearly all firewalls sold have this type of "next generation" functionality. Most NGFWs eliminate the need to deploy a separate intrusion prevention system. Many organizations choose to leave their first-generation firewall in place at the network edge and deploy a NGFW behind that device for its advanced features. This allows them to extend the service life of existing security infrastructure and reserve the capacity of the NGFW for sophisticated filtering and monitoring tasks.
Perimeter or network-based. This universally-deployed firewall establishes a barrier between a trusted internal network and an untrusted outside network, such as the Internet. This type of firewall compares each packet received to a set of established criteria to determine if a packet will be forwarded. Packets that do not satisfy the filter criteria are either dropped or sent to another area outside the network for further analysis. Filtering can be done based on different attributes of the traffic.
Web application firewall (WAF). These firewalls are deployed in front of web servers to protect them against attacks, to monitor and control access, and to collect access logs for compliance and audit purposes. WAFs are traditionally deployed inline as a reverse proxy, meaning they retrieve resources on behalf of users from one or more Web servers. This allows them to load balance requests between servers and optimize content by compression and caching. Some WAFs can also be positioned out-of-band to work on a copy of network traffic. Cloud-based WAF, delivered as a service, has also become a valid option for some enterprises.
COMMON USE CASES
Protection from brute force, DOS, and DDOS attacks. Firewalls use a variety of detection methods to prevent large-scale denial of service attacks that can make a website inaccessible to users or disable the security in order to gain administrative access. The real target of the attack can be to steal personal data, install a backdoor for a subsequent attack, or install malicious software to harness computing power for a botnet.
Prevent and monitor insider threats. Organizations generally publish policies for acceptable use of Internet resources by employees and other insiders. Firewalls can be used to enforce limits and prevent unsafe behavior, monitor usage, and document activity for auditing purposes. They can also be used to automatically discover all privileged users, verify identity before access to high-value assets, and track changes in behavior over time.
Secure applications. Firewalls are increasingly used to monitor and control access to specific applications. Firewalls also increasingly play a significant role in maintaining the availability and uptime of applications.
Support compliance. Firewalls can perform traffic logging and generate documentation to support reporting for a wide variety of compliance regulations. They can ensure that personally identifiable information (PII) is consistently encrypted before prior to transmission.
Improve incident response and forensics efficiency. Organizations can integrate their firewalls with other security solutions to accelerate the response to security alerts and help staff investigate security incidents. Armed with access to all of the data flowing to and from web applications, a WAF, for example, can identify vulnerabilities, information leaks, configurations errors and similar problems before an attempt is made to exploit them.
CONSIDERATIONS WHEN CHOOSING A FIREWALL
Capacity for Customization. Security policies will need to be adjusted as threats evolve and the enterprise should be able to easily update firewall configurations and blacklists/whitelists. Having a centralized management interface is important when updating a large number of firewall devices in a distributed organization.
Maintenance without Disruption. Keeping a firewall updated with the latest hardware and/or software releases is critical to its defensive capability. If lack of personnel or available time means your firewall is out-of-date, you may not be protected at all. Installing a bypass switch in front of your firewall can make updates and migrations much easier and eliminate downtime. A bypass can be set to forward traffic through an alternate device or just pass it along during a maintenance event so the security team does not have to wait for the next maintenance window.
Handling Encrypted Traffic. With security attacks increasingly embedded in encrypted traffic, enterprises need to decrypt traffic to perform a full inspection. Some firewalls are capable of decryption, but are not able to share the resulting plain text traffic with other security solutions. An alternative is to deploy a network packet broker with decryption capability behind your firewall. The NPB decrypts the traffic one time and forwards the packets as you desire to other security solutions and then re-encrypts the traffic before forwarding on to its final destination. This can be a more efficient way of handling the process-intensive function of traffic decryption and re-encryption.
• Solution brief: Get More Value from Security and Monitoring Tools
• Solution brief: Improve Network Reliability with External Bypass Switches