WHAT IS A FIREWALL AND WHY DO I NEED ONE?

WHAT IS A FIREWALL?

A firewall is software or firmware that protects a network from unauthorized access. It uses a set of rules to evaluate incoming and outgoing communications in order to identify and block threats.

Firewalls are used in both personal and business contexts, and many devices, including Mac, Windows, and Linux PCs, come with one built-in. They’re usually regarded as an important part of network security.

WHY ARE FIREWALLS IMPORTANT?

Firewalls matter because they have shaped contemporary security measures and are still widely used. They first appeared in the early days of the internet, when networks needed new security mechanisms to cope with growing complexity. In the client-server model, the core architecture of modern computing, firewalls have since become the cornerstone of network security. Most devices use firewalls, or similar technologies, to analyze traffic and neutralize threats.

USES

Firewalls are used in both business and home environments. Modern enterprises include them, along with other cybersecurity devices, in a security information and event management (SIEM) system. They can be placed at a company’s network perimeter to protect against external threats, or installed within the network to create segmentation and protect against insider attacks.

Beyond immediate threat prevention, firewalls serve critical logging and audit functions. They record events, which administrators can use to spot patterns and improve rule sets. Rules should be updated regularly to keep up with ever-changing cybersecurity risks. Vendors discover new threats and release patches to address them as quickly as feasible.

In a home network, a firewall may filter traffic and notify the user of intrusion attempts. Firewalls are particularly beneficial for always-on connections, such as DSL or cable modem, because those connections employ static IP addresses. They are frequently used in conjunction with antivirus software. Unlike corporate firewalls, personal firewalls are generally a single product rather than a collection of several products. They might be software, or hardware with built-in firewall firmware. Hardware/firmware firewalls are frequently used to establish boundaries between devices in the house.

THE WORKING MECHANISM OF A FIREWALL

A firewall is a device that creates a barrier between an external network and the network that it protects. It is placed inline across a network connection and inspects all packets entering and exiting the protected network. It employs a series of pre-configured rules to distinguish between benign and malicious packets as it inspects them.

The term ‘packets’ refers to data that has been prepared for transmission over the internet. Data, as well as metadata about the data, such as where it originated from, is contained in packets. This packet information can be used by firewalls to determine if a given packet complies with the ruleset. If it doesn’t, the packet will be denied access to the protected network.

Rule sets can be based on several things indicated by packet data, including:

  • Their source
  • Their destination
  • Their content

At different layers of the network, these features may be expressed in different ways. A packet is reformatted several times as it travels across the network so that each protocol knows where to deliver it. Different types of firewalls read packets at different network layers.

TYPES OF FIREWALLS

Firewalls are either categorized by the way they filter data, or by the system they protect.

When categorizing by what they protect, the two types are network-based and host-based. Network-based firewalls guard entire networks and are often hardware. Host-based firewalls guard individual devices – known as hosts – and are often software.

When categorizing by filtering method, the main types are:

  • A packet-filtering firewall examines packets in isolation and does not know the packet’s context.
  • A stateful inspection firewall examines network traffic to determine whether one packet is related to another packet.
  • A proxy firewall (also called an application-level gateway) inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
  • A next-generation firewall (NGFW) uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

Each type in the list examines traffic with more context than the one before; for example, stateful inspection has more context than packet filtering.

PACKET-FILTERING FIREWALLS

A packet’s source and destination addresses, protocol, and destination port number are all examined as it passes through a packet-filtering firewall. If a packet does not conform to the firewall’s ruleset, it is dropped – that is, it is not forwarded to its intended destination. If a firewall is set to restrict Telnet access, for example, packets destined for Transmission Control Protocol (TCP) port number 23, where a Telnet server application would be listening, will be dropped.

Although the transport layer is utilized to get the source and destination port numbers, a packet-filtering firewall primarily functions on the network layer of the OSI reference model. It examines each packet separately and has no way of knowing whether or not it is part of a larger stream of traffic.

The packet-filtering firewall is effective, but because it processes each packet in isolation, it can be vulnerable to IP spoofing attacks and has largely been replaced by stateful inspection firewalls.

STATEFUL INSPECTION FIREWALLS

Stateful inspection firewalls – also known as dynamic packet-filtering firewalls – monitor communication packets over time and examine both incoming and outgoing packets.

This type keeps track of all open connections using a table. When a new packet arrives, it compares the information in the packet header to the state table – its list of legitimate connections – to see whether the packet is part of an existing connection. If it is, the packet is allowed to pass without further examination. If the packet does not match an existing connection, it is evaluated against the rules defined for new connections.

Although stateful inspection firewalls are quite effective, they can be vulnerable to denial-of-service (DoS) attacks. DoS attacks work by taking advantage of established connections that this type generally assumes are safe.
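As an added example (not from the original page), the following Python simulation contrasts the two behaviours described above: a stateless packet filter that matches each packet against a ruleset in isolation, and a stateful firewall that keeps a state table of connections opened from inside the protected network. The rules, addresses, and the policy that only inside-initiated connections are recorded are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port

# Constructed stateless ruleset: first matching rule wins, and a packet that
# matches no rule is dropped. The Telnet rule mirrors the TCP port 23 example.
RULES = [
    {"proto": "tcp", "dport": 23, "action": "drop"},    # block Telnet
    {"proto": "tcp", "dport": 80, "action": "accept"},  # allow HTTP
    {"proto": "udp", "dport": 53, "action": "accept"},  # allow DNS
]

def packet_filter(pkt):
    """Examine one packet in isolation; it has no notion of a connection."""
    for rule in RULES:
        if all(getattr(pkt, field) == value
               for field, value in rule.items() if field != "action"):
            return rule["action"]
    return "drop"

class StatefulFirewall:
    """Tracks open connections in a state table and passes their packets."""
    def __init__(self, protected_prefix="10.0.0."):
        self.protected_prefix = protected_prefix
        self.state = set()   # entries: (src, sport, dst, dport, proto)

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.state or reverse in self.state:
            return "accept"   # part of an existing connection: no further checks
        # New connection: this example's (assumed) policy is that only hosts
        # inside the protected network may open one, and only if RULES permit.
        if pkt.src.startswith(self.protected_prefix) and packet_filter(pkt) == "accept":
            self.state.add(key)
            return "accept"
        return "drop"

if __name__ == "__main__":
    fw = StatefulFirewall()
    outbound = Packet("10.0.0.5", "203.0.113.9", "tcp", 40001, 80)
    reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, 40001)
    print(packet_filter(reply), fw.inspect(outbound), fw.inspect(reply))  # drop accept accept
```

The stateless filter drops the HTTP reply because no rule covers the ephemeral destination port, while the stateful firewall accepts it because the reverse tuple is in its state table; an unsolicited inbound packet to port 80 shows the opposite split.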

APPLICATION LAYER AND PROXY FIREWALLS

This sort of firewall is also known as a proxy-based or reverse-proxy firewall. It offers application layer filtering and can evaluate a packet’s content to distinguish legitimate requests from malicious programs masquerading as legitimate data requests. As attacks on web servers became increasingly widespread, it became clear that firewalls were needed to defend networks against attacks at the application layer, something packet-filtering and stateful inspection firewalls are unable to do.

This kind allows security experts more granular control over network traffic since it checks the payload’s content. It can accept or refuse a single incoming Telnet command from a specific user, for example, whereas other kinds can only handle generic incoming requests from a certain host.

When this kind is hosted on a proxy server, it becomes a proxy firewall, making it more difficult for an attacker to figure out where the network is truly located and adding another layer of security. Both the client and the server must go through an intermediary in the form of a proxy server that hosts an application layer firewall. When an external client requests a connection to an internal server or vice versa, the client instead establishes a connection with the proxy. The proxy firewall will open a connection to the requested server if the connection request matches the requirements in the firewall rule base.

The ability to block specific content, such as known malware or specific websites, and recognize when certain applications and protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and domain name system (DNS), are being misused, is a key benefit of application-layer filtering. Application layer firewall rules can also be used to govern how certain apps execute files or handle data.

NEXT-GENERATION FIREWALLS (NGFW)

This kind is a hybrid of the others, with additional security software and devices added. Each kind has its own set of advantages and disadvantages, and some are designed to defend networks at different layers of the OSI model. The advantage of an NGFW is that it incorporates each type’s strengths while also covering each type’s weaknesses. An NGFW is more often than not a collection of technologies grouped together under one label rather than a single component.

Because modern network perimeters include so many entry points and users, better access control and security at the host is essential. NGFWs arose as a result of the necessity for a multilayer approach.

Traditional firewall features, application awareness, and an IPS are all integrated into an NGFW. NGFWs provide more context to the firewall’s decision-making process, similar to how stateful inspection was introduced to first-generation firewalls.

Traditional enterprise firewall capabilities, such as Network Address Translation (NAT), Uniform Resource Locator (URL) blocking, and virtual private networks (VPNs), are combined with quality of service (QoS) functionality and features not found in first-generation products in next-generation firewalls. Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, as well as reputation-based malware detection, are all features that NGFWs provide to facilitate intent-based networking. Deep packet inspection (DPI) is also used by NGFWs to verify the contents of packets and prevent malware.

Unified threat management (UTM) refers to the use of an NGFW, or any firewall, in combination with other security devices.

VULNERABILITIES

Because they do not employ DPI to inspect packets fully, less advanced firewalls – such as packet-filtering firewalls – are vulnerable to attacks at higher layers. NGFWs were created to mitigate this issue, but they still face difficulties and remain vulnerable to emerging threats. As a result, companies should use them in conjunction with other security components such as intrusion detection and prevention systems. The following are some current threats to which a firewall may be vulnerable:

Internal attacks: On top of a perimeter firewall, organizations can utilize internal firewalls to partition the network and provide internal security. If an attack is detected, businesses can use NGFW features to audit sensitive data. All audits should be compared to the organization’s baseline documentation, which describes recommended practices for using the network. The following are some instances of behavior that might signal an insider threat:

  • Transmission of sensitive data in plain text.
  • Resource access outside of business hours.
  • Sensitive resource access failure by the user.
  • Third-party users network resource access.
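As an added example (not part of the original article), the following Python audit checks constructed access-log lines against the four insider-threat indicators listed above. The log format, the user and resource names, and the business-hours window are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample access-log lines (not from any real system), one event
# per line: timestamp user user_type resource sensitivity result transport
SAMPLE_LOG = """\
2024-03-04T09:15:00 alice internal hr/payroll sensitive success tls
2024-03-04T02:40:00 bob internal finance/ledger sensitive success tls
2024-03-04T10:05:00 carol internal hr/payroll sensitive failure tls
2024-03-04T11:20:00 dave internal wiki/public public success plaintext
2024-03-04T11:25:00 eve internal hr/payroll sensitive success plaintext
2024-03-04T14:00:00 vendor1 third_party build/artifacts public success tls
"""

# Assumed baseline policy: business hours run from 08:00 to 18:00 local time.
BUSINESS_HOURS = (8, 18)

def parse_line(line):
    """Split one log line into a dict of named fields."""
    ts, user, user_type, resource, sensitivity, result, transport = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "user_type": user_type, "resource": resource,
            "sensitivity": sensitivity, "result": result, "transport": transport}

def indicators(event):
    """Return the indicators from the list above that a single event matches."""
    flags = []
    if event["sensitivity"] == "sensitive" and event["transport"] == "plaintext":
        flags.append("sensitive_data_plaintext")
    if not (BUSINESS_HOURS[0] <= event["time"].hour < BUSINESS_HOURS[1]):
        flags.append("after_hours_access")
    if event["sensitivity"] == "sensitive" and event["result"] == "failure":
        flags.append("sensitive_access_failure")
    if event["user_type"] == "third_party":
        flags.append("third_party_access")
    return flags

def audit(log_text):
    """Map each user to the indicators their events triggered; clean users are omitted."""
    findings = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        for flag in indicators(event):
            findings.setdefault(event["user"], []).append(flag)
    return findings

if __name__ == "__main__":
    for user, flags in audit(SAMPLE_LOG).items():
        print(user, flags)
```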

DDoS attacks: A distributed denial of service (DDoS) attack is a malicious effort to interrupt regular network traffic by flooding the target or its surrounding infrastructure with traffic. It uses a variety of hacked computer systems as attack traffic sources. Computers and other networked resources, such as internet of things (IoT) devices, are examples of exploited machinery. A DDoS assault is similar to a traffic jam that prevents ordinary traffic from reaching its destination. Differentiating between attack and regular traffic is crucial in minimizing a DDoS assault. The traffic in this form of attack can sometimes come from seemingly legitimate sources, necessitating cross-checking and auditing from many security components.

Malware: Malware threats are diverse, complicated, and developing all the time, much like security technology and the networks it protects. With the development of IoT, networks are becoming more complex and dynamic, making firewall defense more difficult.

Patching/Configuration: A poorly configured firewall or a vendor update that isn’t installed can compromise network security. IT administrators should be vigilant in keeping their security components up to date.

FIREWALL VENDORS

Businesses intending to buy a firewall should be aware of their requirements and have a good understanding of their network architecture. There are several varieties, features, and suppliers who specialize in each of these categories. Listed below are a few reputable NGFW providers:

Palo Alto: extensive coverage but not cheap.

SonicWall: affordable and suitable for a variety of business sizes. SonicWall offers network security solutions for small, medium, and large networks. Its sole flaw is that it doesn’t have a lot of cloud functions.

Cisco: largest breadth of features for an NGFW but not cheap either.

Sophos: good for midsize enterprises and easy to use.

Barracuda: decent value, great management, support, and cloud features.

Fortinet: extensive coverage, great value, and some cloud features.

FUTURE OF NETWORK SECURITY

Network traffic largely went north-south in the early days of the internet, when AT&T’s Steven M. Bellovin first utilized the firewall metaphor. This basically implies that in a data center, the majority of traffic flows from client to server and server to client. Virtualization and trends like converged infrastructure, on the other hand, have resulted in greater east-west traffic in recent years, which implies that the highest amount of traffic in a data center is sometimes traveling from server to server. Some corporate firms have shifted from traditional three-layer data center designs to various versions of leaf-spine architectures to deal with this transformation. Some security experts have warned that, while firewalls still play a crucial role in keeping a network safe, they may become less effective as a result of this shift in architecture. Some analysts even expect a complete shift away from the client-server approach.

The adoption of software-defined perimeters (SDP) is one such approach. Because it has less latency than a firewall, an SDP is better suited to virtual and cloud-based infrastructures. It also works better in security models that are becoming increasingly identity-centric, because it prioritizes safeguarding user access over IP address-based access. A zero-trust framework underpins an SDP.