The ABCs of Network Visibility: Firewalls
The term firewall comes from the construction industry, where it describes a fire-resistant barrier intended to prevent or slow the spread of fire through a structure. In the digital world, a firewall is a security system that monitors and controls incoming and outgoing traffic based predominantly on security rules.
Function of a Firewall
A firewall can consist of software, hardware, or both, and is used to filter data communications entering and leaving a private network or computer system. If a packet does not satisfy the parameters defined in the firewall, the packet can be stopped before it crosses the threshold or can be sent to another device for further analysis. Firewalls are customizable, which means you can add or remove filters as conditions change, though most commercially available firewalls come with already established settings. For every type of firewall, there is a risk that vulnerabilities in its particular configuration, filters, or processes may allow an attacker to gain control over the firewall and get access to the network or host. This underlines the importance of keeping all firewall software updated.
Host-based. This type of firewall is installed on each individual server and controls traffic into and out of that machine. This function may be available inside the operating system, such as with Microsoft Windows and Linux. Host-based firewalls provide backup protection in the event perimeter security fails and protection against threats from inside the organization. A host-based firewall can also be configured to support a single type of application and block everything else, for a very specific type of defense.
Next generation firewalls. NGFWs evolved to go beyond the port and destination focus of first-generation firewalls, to perform the deep packet inspection needed to effectively secure applications. Today, nearly all firewalls sold have this type of "next generation" functionality. Most NGFWs eliminate the need to deploy a separate intrusion prevention system. Many organizations choose to leave their first-generation firewall in place at the network edge and deploy an NGFW behind that device for its advanced features. This allows them to extend the service life of existing security infrastructure and reserve the capacity of the NGFW for sophisticated filtering and monitoring tasks.
Perimeter or network based. This universally deployed firewall establishes a barrier between a trusted internal network and an untrusted outside network, such as the Internet. This type of firewall compares each packet received to a set of established criteria to determine if a packet will be forwarded. Packets that do not satisfy the filter criteria are either dropped or sent to another area outside the network for further analysis. Filtering can be done based on different attributes of the traffic.
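The filtering described for host-based and perimeter firewalls above is, at its core, an ordered rule list evaluated against packet attributes with an implicit default deny. The following is an added example (not code from the original article or from any vendor) that implements such a first-match filter in Python; the rule names, the protected range 10.0.0.0/8, and the sample packets are all constructed for illustration.

```python
"""Minimal stateless packet filter: ordered rules, first match wins, default deny.

Added example, not from the original article. The policy and sample packets
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    direction: str = "in"       # "in" = entering the private network, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        """True when every attribute of the packet falls inside this rule."""
        return (
            self.direction in ("any", pkt.direction)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Constructed policy for a perimeter firewall in front of 10.0.0.0/8.
# Rules are evaluated top to bottom and the first match wins; a packet that
# matches nothing is dropped by the implicit default-deny rule.
RULES = [
    # Inbound packets claiming an internal source address are spoofed.
    Rule("deny", direction="in", src="10.0.0.0/8", name="anti-spoof"),
    # Only HTTPS to the public web server is allowed in from outside.
    Rule("allow", direction="in", dst="10.0.1.10/32", proto="tcp", dport=443, name="web"),
    # Telnet is blocked in both directions regardless of endpoints.
    Rule("deny", proto="tcp", dport=23, name="no-telnet"),
    # Anything else originating inside may leave the network.
    Rule("allow", direction="out", src="10.0.0.0/8", name="egress"),
]


def evaluate(pkt: Packet, rules=RULES) -> tuple[str, str]:
    """Return (action, rule_name) for a packet; unmatched packets hit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.0.1.10", "tcp", 443, "in"),   # public client to web server
        Packet("10.0.5.5", "10.0.1.10", "tcp", 443, "in"),      # spoofed internal source
        Packet("203.0.113.5", "10.0.1.10", "tcp", 22, "in"),    # SSH from outside
        Packet("10.0.2.2", "198.51.100.7", "tcp", 23, "out"),   # outbound telnet
        Packet("10.0.2.2", "198.51.100.7", "udp", 53, "out"),   # outbound DNS
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

Ordering matters: the anti-spoof rule sits first so that a forged internal source can never reach the "web" allow rule, and the telnet deny precedes the broad egress allow so that it applies to internal hosts too.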
Web application firewall (WAF). These firewalls are deployed in front of web servers to protect them against attacks, to monitor and control access, and to collect access logs for compliance and audit purposes. WAFs are traditionally deployed inline as a reverse proxy, meaning they retrieve resources on behalf of users from one or more web servers. This allows them to load balance requests between servers and optimize content by compression and caching. Some WAFs can also be positioned out-of-band to work on a copy of network traffic. Cloud-based WAF, delivered as a service, has also become a valid option for some enterprises.
Common Use Cases
Protection from brute force, DoS, and DDoS attacks. Firewalls use a variety of detection methods to prevent large-scale denial of service attacks that can make a website inaccessible to users or disable security controls so that an attacker can gain administrative access. The real target of the attack can be to steal personal data, install a backdoor for a subsequent attack, or install malicious software to harness computing power for a botnet.
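One of the detection methods a firewall or its log pipeline uses against brute force is a per-source sliding window over failed authentication events. The following is an added example (not the article's code) of that detection logic in Python, run over constructed syslog-style auth lines; the log format, the 5-failures-in-60-seconds threshold and the addresses are all assumptions made for illustration.

```python
"""Sliding-window brute-force detector over firewall/auth log lines.

Added example, not from the original article. The log format, threshold and
sample records are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth FAIL|OK user=<name> src=<ipv4>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: 203.0.113.9 hammers several accounts within seconds,
# 198.51.100.4 is a legitimate user who mistypes a password now and then.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=admin src=203.0.113.9
2024-05-01T10:00:03 auth FAIL user=root src=203.0.113.9
2024-05-01T10:00:04 auth FAIL user=admin src=203.0.113.9
2024-05-01T10:00:10 auth OK user=alice src=198.51.100.4
2024-05-01T10:00:12 auth FAIL user=bob src=198.51.100.4
2024-05-01T10:00:15 auth FAIL user=test src=203.0.113.9
2024-05-01T10:00:20 auth FAIL user=guest src=203.0.113.9
2024-05-01T10:00:21 auth FAIL user=admin src=203.0.113.9
2024-05-01T10:03:00 auth FAIL user=bob src=198.51.100.4
2024-05-01T10:06:30 auth FAIL user=bob src=198.51.100.4
2024-05-01T10:07:00 auth FAIL user=bob src=198.51.100.4
2024-05-01T10:07:10 auth FAIL user=bob src=198.51.100.4
this line is not an auth record and is skipped
"""


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: timestamp of the failure that crossed the threshold}.

    Keeps, per source, a deque of failure timestamps no older than `window`;
    a source is reported once, the first time it reaches `threshold` failures
    inside the window. Successful logins and unparsable lines are ignored.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # evict failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT brute force from {src} (threshold reached at {when.isoformat()})")
```

The deque eviction keeps memory bounded per source, and reporting each source only once avoids flooding the response queue while the attack continues; a real deployment would feed the alert into a block rule with an expiry rather than a permanent deny.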
Prevent and monitor insider threats. Organizations generally publish policies for acceptable use of Internet resources by employees and other insiders. Firewalls can be used to enforce limits and prevent unsafe behavior, monitor usage, and document activity for auditing purposes. They can also be used to automatically discover all privileged users, verify identity before access to high-value assets, and track changes in behavior over time.
Secure applications. Firewalls are increasingly used to monitor and control access to specific applications. Firewalls also increasingly play a significant role in maintaining the availability and uptime of applications.
Support compliance. Firewalls can perform traffic logging and generate documentation to support reporting for a wide variety of compliance regulations. They can ensure that personally identifiable information (PII) is consistently encrypted prior to transmission.
Improve incident response and forensics efficiency. Organizations can integrate their firewalls with other security solutions to accelerate the response to security alerts and help staff investigate security incidents. Armed with access to all of the data flowing to and from web applications, a WAF, for example, can identify vulnerabilities, information leaks, configuration errors and similar problems before an attempt is made to exploit them.
Serial Tool Chaining Improves Data Inspection Process for Firewalls. Tool chaining is a powerful solution for automating the movement of data packets in security monitoring solutions because of the ability to partition out suspect data and pass that data through additional security inspections. The Network Packet Broker (NPB) is the enabler for this functionality. Suspect data can be passed back and forth between an NPB and multiple security tools (IDS, DLP, SSL, WAF, NGFW, etc.). Security tool chaining is used to deliver the interoperability needed to make network security protection mechanisms truly successful.
Figure – Inline Deployment Scenario for Security Tools
Security and monitoring tools are typically linked together by using software provisioning to control the flow of data through the selected services. The data inspection can be performed in parallel or in serial, depending on the situation. To accomplish the proper flow of data, one or more tools are assigned to a port or port group on the NPB. Multiple port groups can be chained together. A well-designed NPB can support complex service chaining with many tool groups in parallel, in serial, or in a combination.
For example, traffic can be passed to the NPB from the bypass switch. Encrypted traffic can be filtered on Hypertext Transfer Protocol Secure (HTTPS) and sent to a decryption device. Once the decrypted traffic is returned to the NPB from the SSL decryptor, it can then be passed to an intrusion prevention system (IPS) for inspection. Packets without anomalies are moved along quickly to keep response time as short as possible. A common pattern is to use the IPS to single out suspicious traffic for further analysis by other tools in the daisy chain, while unexceptional traffic is sent straight back into the network. Traffic flagged for more inspection can be sent from the NPB to another port group that might contain a Data Loss Prevention (DLP) system or some other device. Based on that analysis, the traffic can be dropped, deemed non-threatening and passed on into the network, or held for further analysis or quarantine.
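The serial chain just described (bypass switch to NPB, HTTPS to a decryptor, decrypted traffic to an IPS, only flagged traffic onward to DLP, then drop, forward or quarantine) is shown below as an added Python model; it is not the article's or any NPB vendor's code. The decryptor, IPS and DLP are stand-ins with constructed rules (a coarse IPS string match, a DLP regex for the 3-2-4 digit pattern), and the flows are constructed. It also models the point made later about decrypting once and re-encrypting at egress, so the decryptor is consulted only once per flow.

```python
"""Toy model of NPB serial service chaining: decryptor -> IPS -> (DLP) -> verdict.

Added example, not from the original article or any vendor. Tool behaviour,
signatures and sample flows are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed IPS signatures: coarse substring matches, each mapped to a flag.
IPS_SIGNATURES = {"../../": "ips:traversal", "SSN=": "ips:possible-pii"}
# Constructed DLP check: the precise 3-2-4 digit pattern behind a coarse IPS hit.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Flow:
    src: str
    dport: int
    payload: str                 # plaintext once decrypted (simplification)
    encrypted: bool = False
    path: list = field(default_factory=list)   # port groups the flow visited
    flags: set = field(default_factory=set)    # findings attached by tools


def ssl_decryptor(flow: Flow) -> Flow:
    """Stand-in for the decryption appliance: hands plaintext back to the NPB."""
    flow.encrypted = False
    return flow


def ips(flow: Flow) -> Flow:
    """Stand-in IPS: tags the flow with every constructed signature it matches."""
    for needle, flag in IPS_SIGNATURES.items():
        if needle in flow.payload:
            flow.flags.add(flag)
    return flow


def dlp(flow: Flow) -> Flow:
    """Stand-in DLP: confirms whether real PII is present in the payload."""
    if SSN_RE.search(flow.payload):
        flow.flags.add("dlp:pii")
    return flow


def npb_service_chain(flow: Flow) -> tuple[str, Flow]:
    """Run one flow through the NPB chain and return (verdict, flow).

    Verdicts: "forward" (clean, or IPS suspicion cleared by DLP),
    "drop" (DLP confirmed PII leaving), "quarantine" (IPS hit DLP could not clear).
    """
    was_encrypted = flow.encrypted
    flow.path.append("npb:ingress")
    # NPB filter: only HTTPS goes to the decryptor; everything else skips it.
    if flow.dport == 443 and flow.encrypted:
        flow = ssl_decryptor(flow)
        flow.path.append("decryptor")
    flow = ips(flow)
    flow.path.append("ips")
    # Clean traffic never touches the slower second port group.
    if flow.flags:
        flow = dlp(flow)
        flow.path.append("dlp")
    if "dlp:pii" in flow.flags:
        verdict = "drop"
    elif flow.flags - {"ips:possible-pii"}:
        verdict = "quarantine"
    else:
        verdict = "forward"
    if verdict == "forward":
        flow.encrypted = was_encrypted     # NPB re-encrypts before egress
        flow.path.append("npb:egress")
    return verdict, flow


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", 443, "GET /index.html", encrypted=True),
        Flow("203.0.113.6", 443, "GET /../../config", encrypted=True),
        Flow("10.0.3.3", 80, "POST /form SSN=123-45-6789"),
        Flow("10.0.3.4", 80, "POST /form SSN=redacted"),
    ]
    for f in samples:
        verdict, done = npb_service_chain(f)
        print(verdict, done.path, sorted(done.flags))
```

The fourth flow shows why the chain is serial rather than a single tool: the coarse IPS rule fires on "SSN=", the DLP stage finds no actual identifier, and the NPB forwards the flow instead of quarantining a false positive.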
Considerations When Choosing a Firewall
Capacity for Customization. Security policies will need to be adjusted as threats evolve and the enterprise should be able to easily update firewall configurations and blacklists/whitelists. Having a centralized management interface is important when updating a large number of firewall devices in a distributed organization.
Maintenance without Disruption. Keeping a firewall updated with the latest hardware and/or software releases is critical to its defensive capability. If lack of personnel or available time means your firewall is out of date, you may not be protected at all. Installing a bypass switch in front of your firewall can make updates and migrations much easier and eliminate downtime. A bypass can be set to forward traffic through an alternate device or just pass it along during a maintenance event, so the security team does not have to wait for the next maintenance window.
Handling Encrypted Traffic. With security attacks increasingly embedded in encrypted traffic, enterprises need to decrypt traffic to perform a full inspection. Some firewalls are capable of decryption but are not able to share the resulting plain text traffic with other security solutions. An alternative is to deploy a network packet broker with decryption capability behind your firewall. The NPB decrypts the traffic one time and forwards the packets as you desire to other security solutions and then re-encrypts the traffic before forwarding on to its final destination. This can be a more efficient way of handling the process-intensive function of traffic decryption and re-encryption.