
Firewall Basics 101

There are a number of different firewalls out there for the Cybersecurity professional to be aware of. How each one works helps determine the best fit for the design of a secure network. Proper configuration of the rule set is important to know what’s being allowed and what’s being stopped from entering the network. Keep reading for firewall basics.

We’ll talk through the types of firewalls and some basic best practices you can employ to be better prepared against the Internet’s nefarious characters.

To keep it interesting I’m going to use a series of analogies to explain the types of firewalls that exist and how they behave when packets meet the firewall. After we have our fun, the best practices follow at the bottom.

Types of firewalls

Stateless

Not aware of the conversation content; this is ACL-style, packet-by-packet analysis. Bob is talking to Sue. About what? Don’t know. Sue said a word to Bob. Bob said a word to Sue. Bob is allowed to talk to Sue. And Sue is allowed to talk to Bob. That’s about all the firewall checks.

Stateful

The firewall reads the conversation in more detail. Sue said hello. Bob said hi back. Now they are talking about future vacations they have planned. The firewall has a little more understanding of the conversation in this example.
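To put the Bob-and-Sue analogy in code, here is an added example (not from the original post) of a toy stateless ACL next to a toy stateful filter. The addresses, the "inside is 10.0.0.0/8" convention and the single web-browsing policy are constructed for the demo; the point is the stray packet at the end, which the ACL must admit because it looks like a web reply, while the stateful filter drops it because nobody inside opened that connection.

```python
from dataclasses import dataclass

# Constructed convention for this demo: 10.0.0.0/8 is "inside", all else is the Internet.
def is_internal(ip: str) -> bool:
    return ip.startswith("10.")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the first packet of a TCP connection

def stateless_filter(pkt: Packet) -> str:
    """ACL-style check: looks at one packet's addresses and ports, nothing else."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return "allow"          # inside hosts may browse the web
    if is_internal(pkt.dst) and pkt.sport == 80:
        return "allow"          # the only way an ACL can let web replies back in
    return "drop"

class StatefulFilter:
    """Remembers connections the inside opened and admits only their replies."""
    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and pkt.dport == 80:
            if pkt.syn:                     # Sue said hello: remember the conversation
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # inbound: allow only if it is the reverse of a flow the inside started
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        return "drop"

def demo() -> dict[str, str]:
    """Constructed traffic: one real web request, its reply, and one stray packet."""
    fw = StatefulFilter()
    request = Packet("10.0.0.5", 51000, "192.0.2.80", 80, syn=True)
    reply = Packet("192.0.2.80", 80, "10.0.0.5", 51000)
    # Unsolicited packet aimed at an inside SSH port but wearing source port 80.
    stray = Packet("198.51.100.9", 80, "10.0.0.5", 22)
    fw.check(request)
    return {
        "stateless_reply": stateless_filter(reply),
        "stateful_reply": fw.check(reply),
        "stateless_stray": stateless_filter(stray),
        "stateful_stray": fw.check(stray),
    }
```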

Further reading

Cybrary: stateful vs. stateless firewalls

Next Generation

IDS/IPS

Bob and Sue are sitting in different rooms and arbitration is taking place. Bob said something mean about Sue. The arbiter won’t carry that message over to the other room where Sue is. Bob tries sending over poisonous berries to Sue. The arbiter inspects the berries, tests for poison, and throws them away.

GeoIP Restrictions

Bob is from a far off country. Does Sue do business with anyone from that country? No? Bob is turned away and further attempts to enter are rejected.

AV/Malware

Bob sends over a malicious package to Sue with a biological agent meant to cause damage. The detector goes off when the package is scanned and it’s dumped in the incinerator.

Sandboxing

Bob, a Greek, built a wooden horse statue and left it as a gift for Sue and her cohort of Trojans. The horse statue left by the Greeks looks inviting enough, hand crafted from polished mahogany. It would go well in the center square. The Greeks clearly left, their sails barely visible on the horizon of the sea. Unknown to Sue, Bob is hiding inside, hoping the statue gets rolled inside where he’ll jump out. But Sue’s got a practice Bob wasn’t aware of. The horse gets wheeled into a neighboring replica of Troy. Nobody lives there. It’s left there to see how it behaves before getting brought into the actual Troy city. Bob jumps out at dark, thinking he’s in Troy. Oops, now Bob has to deal with the Troy guards.

WAF (Web Application Firewall)

In some ways like an IPS above, this checks Bob’s gift of fruit. But this takes it to a new level. The fruit sent in is apple sauce. No poison. An IPS might think, sure this is fine, and off it goes to Sue. But the purpose of the fruit is supposed to be for a cheesecake. Apple sauce on a cheesecake? That doesn’t make any sense. The WAF throws it out.

General practices to aim for

Deny All

This is the rule of rules. The catch-all rule of your firewall, applied when no packet matches any other rule, is to drop it. Do not pass go. Do not collect $200. Forgetting this rule can mean you end up allowing traffic you didn’t intend. This also means you need to understand what you do want to go through the firewall. You’ll have to sit down and think about this, but it is worth the time.

Change Default Passwords

This one may seem obvious, but it can be forgotten in the rush to deploy. Make it the first thing you do before plugging it into the network.

Firmware Updates

And this is the second thing you do. You might need to plug it into the network, but don’t plug it in as the “firewall” yet. Plug it into the internal network, set some temporary network configs, such as DHCP, and update it.

DMZs

DMZ stands for demilitarized zone. In firewall speak this is creating a separate network that, like the internet, has little right or ability to talk to your internal network. Call it internet level 2. The systems that go in a DMZ would be websites, email systems, secure file transfer systems, and anything that needs to take incoming connections from the internet.

Why do this? It helps isolate these systems from your internal network. Because they allow incoming connections, they have a higher risk of getting hacked. And if they do get hacked, it’s better they have little conversation capability with the rest of your network. Do you want one computer hacked? Or all your computers hacked?

Also be careful about opening up too much between the DMZ and internal network. I say that because sometimes you need to for certain things. You might have a web server in a DMZ and a SQL database server on the internal network. Open port(s) that are needed to keep the web server functioning. Don’t create an all ports rule between the two systems.
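As an added example (not from the original post) tying the Deny All and DMZ practices together, here is a small rule-table evaluator: zones, first-match rules, and an implicit drop at the end. The addresses, the web and SQL server IPs and the SQL port (1433) are constructed for the demo, and NAT is left out, so "what the Internet can reach" is evaluated directly against the hosts rather than a public IP. The commented-out all-ports rule is the one the text warns against.

```python
import ipaddress

# Constructed addressing for the example: one DMZ and one internal network.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
WEB_SERVER = "192.168.100.10"   # sits in the DMZ, takes connections from the Internet
SQL_SERVER = "10.0.0.20"        # stays internal; the web server needs it on 1433 only

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"           # anything that is not ours is "the Internet"

# Each rule: (from_zone, to_zone, dst_host or None, dst_port or None, action).
# First match wins; None means "any". Nothing here allows internet -> internal.
RULES = [
    ("internet", "dmz", WEB_SERVER, 443, "allow"),
    ("internet", "dmz", WEB_SERVER, 80, "allow"),
    ("dmz", "internal", SQL_SERVER, 1433, "allow"),   # just the port the site needs
    # ("dmz", "internal", None, None, "allow"),      # the all-ports rule to avoid
]

def evaluate(src: str, dst: str, dport: int, rules=RULES) -> str:
    """Walk the rule table; the implicit last rule is Deny All."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for from_zone, to_zone, host, port, action in rules:
        if (from_zone == src_zone and to_zone == dst_zone
                and host in (None, dst) and port in (None, dport)):
            return action
    return "drop"

def internet_exposed(hosts, ports, rules=RULES) -> dict[str, list[int]]:
    """Per host, the ports an outside address can reach: what an external
    scan should confirm, and nothing more."""
    probe = "203.0.113.7"       # constructed outside address
    return {h: [p for p in ports if evaluate(probe, h, p, rules) == "allow"]
            for h in hosts}
```

Evaluating the same traffic with the all-ports rule appended shows why it is a problem: every internal port becomes reachable from any DMZ host, not just the one the web server needs.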

Is this another name for port forwarding?

You may get confused by the options in your firewall interface and think port forwarding does the same thing as a DMZ. It allows incoming connections to a computer, so I must have a DMZ?

No you don’t.

Port forwarding can mean you just opened up a connection to the computer that sits on your internal network, going against the idea of a DMZ and the purpose it brings.

Employ External Scanners For Verification

How do you know your rules are good? Is the deny all rule working at the end? The idea behind this topic is to scan your own public IP on the firewall once you get brave enough to plug it in. It’s best to know before the hackers find out something is talking to the outside.

Geekflare has a good article linking to a number of resources to accomplish this.

Summary

Firewall basics are one of the keystone pieces to your security when interacting with the internet. If you’re putting one in place for your company it can feel overwhelming with all the choices that are out there. You might want to bring in some outside help. How do you know if you’re getting oversold on features? Is it from companies that make firewalls regularly and support their security features? On the other hand if you’re feeling pretty good after reading this article get to your favorite reseller and start talking options.