What is a firewall?
A firewall is software or firmware that prevents unauthorized access to a network. It inspects incoming and outgoing traffic using a set of rules to identify and block threats.
Firewalls are used in both personal and enterprise settings, and many devices come with one built-in, including Mac, Windows, and Linux computers. They are widely considered an essential component of network security.
Why are firewalls important?
Firewalls are important because they have had a huge influence on modern security techniques and are still widely used. They first emerged in the early days of the internet, when networks needed new security methods that could handle increasing complexity. Firewalls have since become the foundation of network security in the client-server model – the central architecture of modern computing. Most devices use firewalls – or closely related tools – to inspect traffic and mitigate threats.
Firewalls are used in both corporate and consumer settings. Modern organizations incorporate them into a security information and event management (SIEM) strategy along with other cybersecurity devices. They may be installed at an organization's network perimeter to guard against external threats, or within the network to create segmentation and guard against insider threats.
In addition to immediate threat defense, firewalls perform important logging and audit functions. They keep a record of events, which can be used by administrators to identify patterns and improve rule sets. Rules should be updated regularly to keep up with ever-evolving cybersecurity threats. Vendors discover new threats and develop patches to cover them as soon as possible.
In a single home network, a firewall can filter traffic and alert the user to intrusions. They are especially useful for always-on connections, like Digital Subscriber Line (DSL) or cable modem, because those connection types use static IP addresses. They are often used alongside antivirus applications. Personal firewalls, unlike corporate ones, are usually a single product as opposed to a collection of various products. They may be software or a device with firewall firmware embedded. Hardware/firmware firewalls are often used for setting restrictions between in-home devices.
How does a firewall work?
A firewall establishes a border between an external network and the network it guards. It is inserted inline across a network connection and inspects all packets entering and leaving the guarded network. As it inspects, it uses a set of pre-configured rules to distinguish between benign and malicious packets.
The term 'packets' refers to pieces of data that are formatted for internet transfer. Packets contain the data itself, as well as information about the data, such as where it came from. Firewalls can use this packet information to determine whether a given packet abides by the rule set. If it does not, the packet will be barred from entering the guarded network.
Rule sets can be based on several things indicated by packet data, including:
These characteristics may be represented differently at different levels of the network. As a packet travels through the network, it is reformatted several times to tell the protocol where to send it. Different types of firewalls exist to read packets at different network levels.
Types of firewalls
Firewalls are either categorized by the way they filter data, or by the system they protect.
This is a chart that illustrates different types of firewalls.
When categorizing by what they protect, the two types are: network-based and host-based. Network-based firewalls guard entire networks and are often hardware. Host-based firewalls guard individual devices – known as hosts – and are often software.
When categorizing by filtering method, the main types are:
Each type in the list examines traffic with a higher level of context than the one before – i.e., stateful inspection has more context than packet filtering.
When a packet passes through a packet-filtering firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped – meaning not forwarded to its destination – if it does not comply with the firewall's rule set. For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for Transmission Control Protocol (TCP) port number 23, the port where a Telnet server application would be listening.
A packet-filtering firewall works mainly on the network layer of the OSI reference model, although the transport layer is used to obtain the source and destination port numbers. It examines each packet independently and does not know whether any given packet is part of an existing stream of traffic.
The packet-filtering firewall is effective, but because it processes each packet in isolation, it can be vulnerable to IP spoofing attacks and has largely been replaced by stateful inspection firewalls.
Stateful inspection firewalls
Stateful inspection firewalls – also known as dynamic packet-filtering firewalls – monitor communication packets over time and examine both incoming and outgoing packets.
This type maintains a table that keeps track of all open connections. When new packets arrive, it compares information in the packet header to the state table – its list of valid connections – and determines whether the packet is part of an established connection. If it is, the packet is let through without further analysis. If the packet does not match an existing connection, it is evaluated according to the rule set for new connections.
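The following is an added example, not code from the original article: a toy Python model of the two filtering methods described above. A packet that belongs to a flow already in the state table is accepted without a rule lookup; anything else is a new connection and is matched against an ordered rule set, which here blocks inbound Telnet (TCP/23) as in the Telnet example and otherwise defaults to deny. The inside prefix, rules and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    sport: int  # source port
    dport: int  # destination port

# Rules for NEW connections, checked in order; "*" matches anything.
# Each entry: (direction, protocol, destination port, action). Constructed example rules.
RULES = [
    ("in",  "tcp", 23,  "DROP"),    # block inbound Telnet (TCP/23)
    ("out", "*",   "*", "ACCEPT"),  # inside hosts may open connections outward
    ("in",  "tcp", 443, "ACCEPT"),  # inbound HTTPS to the guarded network
    ("*",   "*",   "*", "DROP"),    # default deny
]

class StatefulFirewall:
    """Stateful inspection: a state table of open flows plus stateless rules for new ones."""

    def __init__(self, inside_prefix):
        self.inside = inside_prefix   # e.g. "10.0.0." marks the guarded network (constructed)
        self.state = set()            # established flows as (src, sport, dst, dport, proto)

    def direction(self, pkt):
        return "out" if pkt.src.startswith(self.inside) else "in"

    def decide(self, pkt):
        # 1. Fast path: a packet in either direction of a known flow passes without rule lookup.
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.state or rev in self.state:
            return "ACCEPT"
        # 2. Slow path: treat as a new connection and walk the rule set in order.
        d = self.direction(pkt)
        for rdir, rproto, rport, action in RULES:
            if rdir in ("*", d) and rproto in ("*", pkt.proto) and rport in ("*", pkt.dport):
                if action == "ACCEPT":
                    self.state.add(fwd)   # remember the flow so its replies are accepted
                return action
        return "DROP"  # unreachable with the catch-all rule, kept as a safe default
```

Because the decision for a reply depends on the state table rather than on header fields alone, an unsolicited inbound packet that merely looks like a server reply is dropped, which is the context a plain packet filter lacks.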
Although stateful inspection firewalls are quite effective, they can be vulnerable to denial-of-service (DoS) attacks. DoS attacks work by taking advantage of established connections that this type generally assumes are safe.
Application layer and proxy firewalls
This type may also be referred to as a proxy-based or reverse-proxy firewall. They provide application layer filtering and can examine the payload of a packet to distinguish valid requests from malicious code disguised as a valid request for data. As attacks against web servers became more common, it became apparent that there was a need for firewalls to protect networks from attacks at the application layer. Packet-filtering and stateful inspection firewalls cannot do this at the application layer.
Since this type examines the payload's content, it gives security engineers more granular control over network traffic. For example, it can allow or deny a specific incoming Telnet command from a particular user, whereas other types can only control general incoming requests from a particular host.
When this type lives on a proxy server – making it a proxy firewall – it makes it harder for an attacker to discover where the network actually is and creates yet another layer of security. Both the client and the server are forced to conduct the session through an intermediary – the proxy server that hosts an application layer firewall. Each time an external client requests a connection to an internal server or vice versa, the client will open a connection with the proxy instead. If the connection request meets the criteria in the firewall rule base, the proxy firewall will open a connection to the requested server.
The key benefit of application layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and domain name system (DNS), are being misused. Application layer firewall rules can also be used to control the execution of files or the handling of data by specific applications.
Next generation firewalls (NGFW)
This type is a combination of the other types with additional security software and devices bundled in. Each type has its own strengths and weaknesses, and some protect networks at different layers of the OSI model. The benefit of an NGFW is that it combines the strengths of each type to cover each type's weaknesses. An NGFW is often a bundle of technologies under one name as opposed to a single component.
Modern network perimeters have so many entry points and different types of users that stronger access control and security at the host are required. This need for a multilayer approach has led to the emergence of NGFWs.
An NGFW integrates three key assets: traditional firewall capabilities, application awareness and an IPS. Like the introduction of stateful inspection to first-generation firewalls, NGFWs bring additional context to the firewall's decision-making process.
NGFWs combine the capabilities of traditional enterprise firewalls – including Network Address Translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPNs) – with quality of service (QoS) functionality and features not traditionally found in first-generation products. NGFWs support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, and reputation-based malware detection. NGFWs also use deep packet inspection (DPI) to check the contents of packets and prevent malware.
When an NGFW, or any firewall, is used in conjunction with other devices, it is termed unified threat management (UTM).
Less advanced firewalls – packet-filtering for example – are vulnerable to higher-level attacks because they do not use DPI to fully examine packets. NGFWs were introduced to address that vulnerability. However, NGFWs still face challenges and are vulnerable to evolving threats. For this reason, organizations should pair them with other security components, like intrusion detection systems and intrusion prevention systems. Some examples of modern threats that a firewall may be vulnerable to are:
Enterprises looking to purchase a firewall should be aware of their needs and understand their network architecture. There are many different types, features, and vendors that specialize in those different types. Here are a few reputable NGFW vendors:
Future of network security
In the early days of the internet, when AT&T's Steven M. Bellovin first used the firewall metaphor, network traffic primarily flowed north-south. This simply means that most of the traffic in a data center flowed from client to server and server to client. In the past few years, however, virtualization and trends such as converged infrastructure have created more east-west traffic, which means that, sometimes, the largest volume of traffic in a data center is moving from server to server. To deal with this change, some enterprise organizations have migrated from the traditional three-layer data center architectures to various forms of leaf-spine architectures. This change in architecture has caused some security experts to warn that, while firewalls still have an important role to play in keeping a network secure, they risk becoming less effective. Some experts even predict a departure from the client-server model altogether.
One potential solution is the use of software-defined perimeters (SDP). An SDP is more aptly suited to virtual and cloud-based architectures because it has less latency than a firewall. It also works better within increasingly identity-centric security models. This is because it focuses on securing user access rather than IP address-based access. An SDP is based on a zero-trust framework.
Which boundary network hosts resource servers for the public Internet?
Any service provided to users on the public internet should be placed in the DMZ network. External-facing servers, resources and services are usually located there. Some of the most common of these services include web, email, domain name system, File Transfer Protocol and proxy servers.
Which of the following is described as confidence in your expectation that others will act in your best interest?
Trust. Trust is confidence in your expectation that others will act in your best interest. With computers and networks, trust is confidence that users will act in accordance with your organization's security rules and corporate mission and vision. Trust is the belief that others are trustworthy.
What is accomplished with IP addressing?
IP (Internet Protocol) addresses are used to identify hardware devices on a network. The addresses allow these devices to connect to one another and transfer data on a local network or over the internet. We need billions of IP addresses to identify every computer, router and website on the internet.
When training your employees on how to identify various attacks, which of the following policies should you be sure to have and enforce? (Select two.)
Be sure to have an effective password policy and clean desk policy in place, and don't forget to enforce them. Be sure to train your employees on how to identify all the various attacks that could target them.