What is Firewall?

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.

Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

Types of Firewalls

Firewalls can be hardware, software, or both. The ideal firewall configuration will depend on your network’s specific needs.

Firewalls are categorized into two types: Network firewalls and Host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines.

Network Firewalls

Network firewalls, also known as a hardware firewall, are typically used by businesses and are positioned on the edge of the network to guard against threats from the outside world. They can be standalone systems or integrated into other network components.

They are often deployed in a perimeter mode, protecting an entire network by standing guard at its edge and filtering all traffic entering and leaving. They can also be deployed in a core mode, protecting a specific subset of a network.

Host-based Firewalls

Host-based firewalls, also known as software firewalls, are installed on individual servers and monitor incoming and outgoing packets from the machine only. They provide a layer of software on one host that controls network traffic in and out of that single machine.

Host-based firewalls are advantageous because they provide specific controls over each individual network device. However, managing host-based firewalls can be complex and time-consuming as it requires configuration and maintenance on each individual device.

Firewall Techniques

Firewalls use several methods to control traffic flowing in and out of a network. The primary methods include Packet Filtering, Stateful Inspection, Proxy Service, and Next-Generation Firewalls.

Each of these techniques offers different levels of security and performance, and they can be used in combination to create a layered defense against a variety of attack vectors.

Packet Filtering

Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router and look at each packet that comes in and out of the network, examining the headers of each packet based on a set of rules.

The firewall is configured to filter out packets with certain IP addresses, types of protocol, or ports. Packets that are flagged as problematic are dropped (i.e., not forwarded to the other network).

Stateful Inspection

Stateful inspection firewalls, also known as dynamic packet filtering, are a more advanced form of packet filtering. They not only examine each packet, but also keep track of whether or not that packet is part of an established TCP session. This offers more security than traditional packet filtering.

Instead of examining the contents of each packet, they compare certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics.

Proxy Service

Firewalls using a proxy server, or a gateway, are sometimes known as application-level gateways. The gateway acts as an intermediary for requests from clients seeking resources from other servers.

The firewall intercepts all traffic entering and leaving the network. The firewall then validates and reroutes the traffic. The firewall can hide the true network addresses and only allow traffic to pass through which matches the configured rule set.

Next-Generation Firewalls

Next-Generation Firewalls (NGFWs) combine the functions of a traditional firewall with additional functionality, such as deep packet inspection, intrusion prevention, and application awareness.

NGFWs go beyond protocol and port inspection by inspecting the data within the packet itself, up to and including the application layer. This allows for highly granular control over network traffic and provides improved visibility into the applications and users generating that traffic.

Firewall Policies and Responses

Firewall rules or policies dictate what traffic is allowed to enter or exit a network. The firewall matches packets with rules based on source and destination IP addresses, source and destination ports, and protocol used.

If a packet matches a rule, the firewall enforces the rule’s associated action, which can be to allow the traffic, deny the traffic, or send an alert to the network administrator.

Default Allow

A default allow policy allows all traffic through unless it meets certain criteria. The criteria, or exceptions, are defined by rules in the firewall. This policy is easier to manage because you only need to define what not to allow.

However, this policy is riskier because if you forget to prohibit some type of harmful traffic, it will be allowed through. This policy is generally used in less risk-averse environments.

Default Deny

A default deny policy blocks all traffic unless it meets certain criteria. The criteria are defined by rules in the firewall. This policy is more secure because it automatically blocks all harmful or potentially harmful traffic.

However, this policy is harder to manage because you must define what to allow. This policy is generally used in more risk-averse environments.

Firewall Limitations

While firewalls provide an important layer of security, they have limitations. They cannot protect against attacks that don’t go through the firewall. Firewalls also cannot protect against insider threats, such as a disgruntled employee.

Additionally, firewalls can’t protect a network or system against specific content in the payload of the packet that could be harmful unless the firewall has been specifically configured to recognize that harmful content.

Firewall Bypassing

Firewalls can be bypassed if an attacker finds a way around it. This can be done by tunneling protocol within another protocol, exploiting vulnerabilities in the firewall software or configuration, or by sending malicious traffic that the firewall has been configured to allow.

Attackers can also bypass firewalls by using techniques such as IP spoofing, where the attacker sends packets with a forged source IP address that the firewall has been configured to trust.

Insider Threats

Firewalls cannot protect against insider threats. An insider threat is a security threat that originates from within the organization, often by an employee or officer of the organization, who has inside information about the security practices, data, and computer systems.

The insider threat can take many forms, including disgruntled workers who intentionally misuse their access to damage the organization, employees who unintentionally cause harm through carelessness or lack of knowledge, or employees who unintentionally provide information or access to outsiders.

Conclusion

Firewalls are a fundamental part of any network security strategy. They provide a barrier between secured and controlled internal networks and untrusted outside networks, such as the Internet.

However, firewalls are not a standalone solution for network security. They should be used in conjunction with other security measures to provide a layered defense against a variety of attack vectors.