A firewall is a network security device that inspects traffic entering and leaving your network and allows or denies each connection according to rules configured by whoever is responsible for managing the firewall. Its purpose is to stop unwanted or malicious traffic (malware downloads, command-and-control connections, attackers probing your hosts) before it reaches its destination, and it is usually the first line of defense for a network. Firewalls can be physical appliances or software running on servers or workstations.

How does it work?

Firewalls, whether hardware or software, analyze incoming and outgoing traffic against rules created and enabled by the firewall vendor, your IT staff, or other software that integrates with the firewall. By filtering on those rules, the firewall decides whether a given flow is legitimate and may proceed to its destination. For example, if content filtering is enabled, the firewall identifies traffic to an unauthorized website (usually by IP address or domain name), blocks it, and typically notifies the user. You may have seen this in your browser: you tried to visit a site and instead got a warning that the site is not allowed or is unsafe to visit. Firewalls protect more than web browsing, however. Network services listen on "ports", numbered endpoints that identify which service a packet is meant for, and a firewall rule normally combines the port with the source and destination addresses. A common example is the port range used by your VoIP phone system: the firewall rule permits inbound traffic to those ports only when it comes from the VoIP provider's addresses and denies everything else.

Why does it matter?

Network security is essential to keeping a network healthy, ensuring that your work is not interrupted by malware and that your data stays confidential and out of reach of attackers. Using a firewall as the first line in a layered defense lets you block malicious traffic before it enters your network and ensures that people and devices can reach only what they need and no more.
Firewalls have existed since the late 1980s, starting out as packet filters: devices that examine each packet passing between networks and allow or drop it based on header fields such as source and destination addresses and ports. Packet-filtering firewalls are still in use today, but firewalls have come a long way as technology has developed over the decades.
Back in 1993, Check Point CEO Gil Shwed introduced the first stateful inspection firewall, FireWall-1. Fast forward twenty-seven years, and a firewall is still an organization's first line of defense against cyber attacks. Today's firewalls, including Next Generation Firewalls and network firewalls, support a wide variety of built-in functions and capabilities.

Types of Firewalls
A firewall is a necessary part of any security architecture: it enforces policy at a network chokepoint, so that protecting your hosts does not rest on each host's own defenses alone. Firewalls, and especially Next Generation Firewalls, focus on blocking malware and application-layer attacks. Combined with an integrated intrusion prevention system (IPS), a Next Generation Firewall can detect and respond quickly to attacks across the whole network. Firewalls act on previously configured policies and can flag invasive or suspicious activity, such as malware, and shut it down. By leveraging a firewall in your security infrastructure, you give your network explicit policies that allow or block incoming and outgoing traffic.
Network-layer firewalls, or packet filters, inspect packets at a relatively low level of the TCP/IP stack and do not let them pass unless they match an established rule set, where rules are expressed in terms of source and destination Internet Protocol (IP) addresses, protocol, and ports. Because they never look at the payload, packet filters perform better than devices that do application-layer inspection. The downside is that unwanted applications or malware can ride over any allowed port; outbound traffic to the web ports HTTP and HTTPS (TCP 80 and 443 respectively) is the usual example, since almost every network permits it.
Firewalls also perform basic network-level functions such as Network Address Translation (NAT) and Virtual Private Network (VPN) termination. NAT translates internal client or server addresses, typically drawn from the "private address ranges" defined in RFC 1918, to one or more public IP addresses. Hiding the addresses of protected devices conserves the limited supply of IPv4 addresses and hampers network reconnaissance, since an outside observer sees only the translated address and unsolicited inbound packets have no mapping to follow. A VPN extends a private network across a public one inside a tunnel that is usually encrypted, so packet contents are protected while traversing the Internet. This lets users send and receive data safely across shared or public networks.
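To make the NAT behaviour concrete, here is an added toy model in Python (not part of the original page and not a real NAT implementation) of stateful source NAT with port translation: outbound flows from RFC 1918 sources get a fresh mapping on the public address, replies are translated back through that mapping, and inbound packets with no mapping are dropped. The public address 203.0.113.1 and the inside hosts are constructed for the example; checksums, timeouts and protocol quirks are out of scope.

```python
"""Toy stateful source NAT (port address translation). Outbound flows from
RFC 1918 sources are rewritten to a single public address and a fresh port;
inbound packets are translated back only if they match an existing mapping,
so unsolicited probes from the Internet are dropped. Added illustration for
this page, not a real implementation; all addresses are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

RFC1918 = (ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


class SourceNat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # inside flow -> public port allocated for it
        self.out: Dict[Flow, int] = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, flow: Flow) -> Flow:
        """Rewrite an inside->outside packet; allocate a mapping on first use."""
        src, sport, dst, dport = flow
        if not is_private(src):
            return flow  # already publicly routable; nothing to hide
        if flow not in self.out:
            self.out[flow] = self.next_port
            self.back[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (self.public_ip, self.out[flow], dst, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Rewrite an outside->inside packet, or return None to drop it.
        Only replies to flows an inside host opened have a mapping."""
        src, sport, dst, dport = flow
        if dst != self.public_ip:
            return None
        inside = self.back.get((dport, src, sport))
        if inside is None:
            return None  # no mapping: an unsolicited probe, dropped
        return (src, sport, inside[0], inside[1])


if __name__ == "__main__":
    nat = SourceNat("203.0.113.1")  # constructed public address
    out = nat.outbound(("192.168.1.20", 51000, "93.184.216.34", 443))
    print("outbound rewritten to", out)  # ('203.0.113.1', 40000, '93.184.216.34', 443)
    print("reply translated to", nat.inbound(("93.184.216.34", 443, "203.0.113.1", 40000)))
    print("probe dropped:", nat.inbound(("198.51.100.9", 4444, "203.0.113.1", 40000)))
    print("scan of port 22 dropped:", nat.inbound(("198.51.100.9", 4444, "203.0.113.1", 22)))
```

The reconnaissance point from the paragraph is the `inbound` path: a scanner on the Internet can hit every port of 203.0.113.1, but nothing reaches an inside host unless that host created the mapping first.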
Next Generation Firewalls inspect packets up to the application layer of the TCP/IP stack, so they can identify applications such as Skype or Facebook regardless of the port in use and enforce security policy based on the application rather than the port number alone. Today, UTM (Unified Threat Management) devices and Next Generation Firewalls also bundle threat-prevention technologies such as an intrusion prevention system (IPS) and antivirus to detect and block malware, and may include sandboxing to detonate suspicious files. As the security landscape evolves and attacks become more sophisticated, Next Generation Firewalls remain an essential component of any organization's security, whether in the data center, on the network, or in the cloud.
Too many network administrators think only of protecting their private network resources from external attacks when assessing security threats. Today's landscape is littered with threats that emanate from malware-infected endpoints. Attackers use these to collect and forward sensitive information from your network, or to attack or spam other networks. Companies large and small are better served when network administrators are equally concerned with the threats associated with outbound connections. In this column, I discuss ways organizations can improve their risk profile and be better netizens by implementing egress traffic filtering.

Filter Egress Traffic to Protect Yourself

If you don't restrict the services that hosts on your internal networks can reach, malware will inevitably find its way onto some of your hosts and may exfiltrate data to a location the attacker controls. Data exfiltration can also be unintentional: an insider might attach sensitive information to an email message or upload it to a document-sharing service by mistake. Sadly, exfiltration often results from configuration error: misconfigured NetBIOS, DNS, or other service traffic can leak from your trusted networks and be captured or exploited by external parties. Irrespective of the cause, data exfiltration is a threat you can't mitigate without egress traffic enforcement, and one you can't readily detect unless you log and monitor the traffic associated with both permitted and prohibited services.

Filter Egress Traffic to Do No Harm to Others

In the most lax configurations, and sadly in many default configurations, a firewall or router treats traffic from any source address as valid and forwards it. Fred Avolio calls this "The Nefarious Any". Such configurations are green fields for attacks that use forged source IP addresses (IP spoofing).
Compromised or unauthorized hosts that gain access to your local networks often use IP spoofing to attack (DDoS) other networks, to store child abuse or other illegal material, or to conduct spam or phishing campaigns. This is a problem even in NAT environments: in poorly implemented router configurations, especially where you have multiple access points to the Internet, your organization can inadvertently act as a transit network for forged, malicious traffic originating in other organizations. Compromised or unauthorized systems can play roles in criminal activity without spoofed addresses, too. A compromised server or user device on any of your internal networks (trusted, DMZ, guest) can be used to generate spam or to host malware or phishing sites. A compromised DNS name server can host zone data for a malicious domain. Improperly configured, your DNS resolver, or indeed any UDP-based service you run (chargen, NTP), can be abused as a reflector in a criminal conspiracy. Just as egress traffic filtering helps mitigate data exfiltration from your networked assets, it helps you protect the rest of the world from your network.

Step #1: Egress Traffic Enforcement Policy

Motivated? Good. Begin by consulting your company's Security Policy and/or Acceptable Use Policy (AUP). If you don't have such policies, gather stakeholders and define them. Include as stakeholders not only the people responsible for implementing your network security but also those responsible for risk management and mitigation. Without a clearly defined notion of network security and a strict application and traffic policy you intend to enforce, your firewall configuration will end up as little more than an ad hoc and troublesome list of outbound rules that satisfy users' perceived needs, rather than a well-conceived policy designed to protect the company's resources. Compose a list of the approved Internet-accessible services.
For an organization that outsources email and DNS, this list might include DNS, POP/IMAP, SMTP, NTP, and HTTP/HTTPS. Think, too, about malicious destinations (botnet C&Cs, hijacked address space, notorious hosting providers) and how you might block them. If your organization runs services like email and DNS on its own internal servers, compose a list of these services and their hosts (domain names and IP addresses), and list any Internet servers they must communicate with. If, for example, you run split DNS, include any public servers your DNS server contacts for zone transfers, forwards queries to, and so on. If you run SMTP, include any mail servers with which you exchange mail directly (typically your ISP's mail hosts). If you intend to implement content exit control at a proxy or firewall, enumerate the types of content you will permit or deny. You may also find it necessary to define permission sets for user groups if your content exit control is not a one-size-fits-all policy. Accept that your firewall configuration will deviate from the ideal enforcement policy you develop in this exercise. Such deviations or exceptions may be needed to accommodate senior management or business relationships, or sometimes for lack of a better or more secure path to completing a critical project. Assess the risk of each deviation, call attention to the security risks inherent in any alteration you are required to make to the egress policy, and consider how you might compensate with a complementary security measure.

Step #2: Kill the Nefarious ANY

The best way to configure egress traffic filtering is to begin with a DENY ALL outbound policy, packet filter, or firewall rule. This creates a "nothing leaves my network without explicit permission" security baseline. Next, add rules to allow authorized access to the external services identified in your egress traffic enforcement policy.
Add granular, restrictive rules to allow administrators access to network and security systems outside your firewall. Lastly, add rules to allow servers you operate on your trusted network to communicate with Internet-hosted servers. Let's examine each of these general policies in some detail.

Restrict Internet Access to Authorized Sources

In many firewalls, the default egress policy for trusted networks allows any source address in outbound packets: literally, if the source address is syntactically correct, the firewall forwards it. This is overly permissive for any network, large or small. Prune it. List the IP subnets or individual addresses of hosts that are authorized (trusted) to use externally hosted services, and limit the addresses allowed to send traffic to Internet destinations to that list.
Restrict Internet-Accessible Services (Destinations)

The Nefarious ANY appears again in the default egress policy of firewalls that allow hosts on internal networks to reach any service (port) on Internet hosts as long as forwarding to the destination is permitted. Limit the destination ports on Internet-directed traffic to the services your enforcement policy approves.
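What the deny-all baseline, the authorized-source and authorized-destination rules of Step #2, and the packet-filter limitation described earlier look like when written down, as an added illustration (this is not code or configuration from the article or from any firewall vendor): a small Python model of a stateless, first-match egress filter. The address plan (user LAN, resolver, proxy, mail relay, admin subnet, ISP mail hosts, external console) is an assumption constructed for the example; `check_policy` is the "confirm your allow/deny results are what you expect" step from the testing section, run against a table of expected verdicts.

```python
"""Toy stateless egress filter: first-match rules over (src, dst, proto, dport)
on top of an implicit DENY ALL baseline. Added illustration for this page; it is
not any vendor's configuration syntax. Addresses are constructed (RFC 1918 and
documentation ranges), not taken from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
WORKSTATIONS = ip_network("10.1.0.0/16")      # user LAN: no direct Internet rule at all
ADMINS = ip_network("10.9.0.0/24")            # network/security admin jump hosts
RESOLVER = ip_network("10.0.0.53/32")         # internal DNS resolver
PROXY = ip_network("10.0.0.10/32")            # outbound web proxy
MTA = ip_network("10.0.0.25/32")              # internal mail relay
ISP_MAIL = ip_network("203.0.113.0/24")       # ISP mail hosts we exchange mail with directly
EXT_MGMT = ip_network("198.51.100.7/32")      # externally hosted security console


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: object            # ip_network
    dst: object            # ip_network
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Built the way the article describes: nothing leaves without explicit permission,
# then narrow allows for approved services, admin access, and server-to-server traffic.
# WORKSTATIONS appears in no rule: users reach the Internet only via the proxy and resolver.
EGRESS_POLICY: List[Rule] = [
    Rule("allow", RESOLVER, ANY, "udp", 53, "only the resolver talks DNS to the Internet"),
    Rule("allow", RESOLVER, ANY, "tcp", 53, "DNS over TCP for large responses"),
    Rule("allow", PROXY, ANY, "tcp", 80, "web traffic leaves via the proxy only"),
    Rule("allow", PROXY, ANY, "tcp", 443, "web traffic leaves via the proxy only"),
    Rule("allow", MTA, ISP_MAIL, "tcp", 25, "mail relay to the ISP's mail hosts only"),
    Rule("allow", ADMINS, EXT_MGMT, "tcp", 22, "admins to the external security console"),
    # deliberately no trailing Rule("allow", ANY, ANY, ...): the Nefarious ANY is gone
]


def decide(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to the implicit deny-all."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in policy:
        if (src in rule.src and dst in rule.dst and pkt.proto == rule.proto
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action, rule.comment
    return "deny", "implicit deny-all baseline"


def check_policy(policy: List[Rule], cases) -> list:
    """Return (packet, wanted, got) for every case whose verdict differs from
    what the policy is meant to do: the 'confirm your results' testing step."""
    mismatches = []
    for pkt, want in cases:
        got = decide(policy, pkt)[0]
        if got != want:
            mismatches.append((pkt, want, got))
    return mismatches


# Constructed packets: what the policy should and should not let out.
EXPECTATIONS = [
    (Packet("10.1.4.20", "8.8.8.8", "udp", 53), "deny"),          # workstation bypassing the resolver
    (Packet("10.0.0.53", "8.8.8.8", "udp", 53), "allow"),         # resolver doing its job
    (Packet("10.1.4.20", "93.184.216.34", "tcp", 443), "deny"),   # direct web access; must use the proxy
    (Packet("10.0.0.10", "93.184.216.34", "tcp", 443), "allow"),  # proxy fetching a page
    (Packet("10.1.4.20", "203.0.113.5", "tcp", 25), "deny"),      # workstation sending mail directly (spam-bot pattern)
    (Packet("10.0.0.25", "203.0.113.5", "tcp", 25), "allow"),     # relay to the ISP
    (Packet("10.0.0.25", "192.0.2.80", "tcp", 25), "deny"),       # relay to an unapproved mail host
    (Packet("10.9.0.4", "198.51.100.7", "tcp", 22), "allow"),     # admin to the external console
    (Packet("10.9.0.4", "198.51.100.8", "tcp", 22), "deny"),      # same admin, unlisted destination
    # Limitation of a network-layer filter: a compromised proxy reaching a C2 on 443
    # looks exactly like a page fetch, so it passes. Only application-layer inspection
    # (or proxy logs) can tell the difference.
    (Packet("10.0.0.10", "192.0.2.99", "tcp", 443), "allow"),
]

if __name__ == "__main__":
    for pkt, want in EXPECTATIONS:
        verdict, why = decide(EGRESS_POLICY, pkt)
        print(f"{pkt.src:>12} -> {pkt.dst:>15} {pkt.proto}/{pkt.dport:<4} {verdict:<5} ({why})")
    assert check_policy(EGRESS_POLICY, EXPECTATIONS) == []
```

The last expectation is the point made in the packet-filter section: a stateless filter keyed on addresses and ports cannot distinguish the proxy fetching a web page from a compromised proxy beaconing to a command-and-control host on port 443, so the allow list must be kept as narrow as the business permits and paired with logging or application-aware inspection.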
Testing and Monitoring Egress Traffic Policies

Firewall configuration testing remains an acquired skill, performed effectively by firewall experts, auditors, or security professionals with this special expertise. Because many egress policies are source-address dependent, you can gain some confidence that your configuration satisfies your policy by logging intensively, running address and port scanning tools from the relevant internal sources, and confirming that the allow/deny results are what you expect. Rigorous logging of denied outbound connections helps identify scofflaws who are either ignorant or defiant of your AUP, and provides early warning of infections. Where possible, have potentially dangerous denied outbound packets trigger a notification for further investigation. Consider, too, tools like ftester (now deprecated but still available), Nmap, Nessus, or some of the commercial software listed at Security Wizardry if you are looking for automated alternatives.

Conclusion

When I first wrote this article with Nathan Buff in 2003, we concluded that configuring egress traffic policies is admittedly more time consuming than not, and that your organization should rightly assess whether the time invested is justified by the improved risk profile. This was perhaps too soft a sell. Events of the past 18 months (2013-2014) show that motives to exfiltrate data will only increase. I now believe governments and private organizations are near a tipping point: no longer willing to passively accept the current threat condition, they are actively investigating ways to mitigate harm resulting from the lax security practices of others. It may be only a matter of time before regulatory compliance, or fear of being held contributory to a criminal act or liable for financial loss, drives many organizations to implement stringent egress traffic policies. Use the time wisely.
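Returning to the testing-and-monitoring step: one way to turn a stream of denied-outbound log lines into the early-warning signal described there, as an added Python example that is not part of the original article. The log lines are constructed in a syslog-style layout with an assumed "EGRESS-DENY" log prefix (loosely modeled on the field names netfilter's LOG target emits, but not a real capture), and the thresholds are assumptions to tune for your own network.

```python
"""Triage of denied-outbound firewall log lines: the 'log intensely and
watch the denies' step of an egress policy. Added illustration for this
page. The log lines are constructed, in a syslog-style layout loosely
modeled on netfilter's LOG target with a custom "EGRESS-DENY" prefix; they
are not a real capture, and the thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, int]  # (src, dst, proto, dport)

LOG_RE = re.compile(
    r"EGRESS-DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real traffic). 10.1.0.0/16 is the user LAN.
SAMPLE_LOG = """\
Jun 11 09:00:01 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.4.20 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=25
Jun 11 09:00:02 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.4.20 DST=198.51.100.11 PROTO=TCP SPT=50002 DPT=25
Jun 11 09:00:02 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.4.20 DST=198.51.100.12 PROTO=TCP SPT=50003 DPT=25
Jun 11 09:00:03 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.4.20 DST=198.51.100.13 PROTO=TCP SPT=50004 DPT=25
Jun 11 09:00:03 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.4.20 DST=198.51.100.14 PROTO=TCP SPT=50005 DPT=25
Jun 11 09:00:10 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=8.8.8.8 PROTO=UDP SPT=40311 DPT=53
Jun 11 09:00:11 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=8.8.8.8 PROTO=UDP SPT=40312 DPT=53
Jun 11 09:00:12 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=1.1.1.1 PROTO=UDP SPT=40313 DPT=53
Jun 11 09:01:00 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.2 DST=192.0.2.55 PROTO=TCP SPT=52000 DPT=8443
Jun 11 09:02:00 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.2 DST=192.0.2.55 PROTO=TCP SPT=52001 DPT=8443
Jun 11 09:03:00 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.2 DST=192.0.2.55 PROTO=TCP SPT=52002 DPT=8443
Jun 11 09:04:00 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.2 DST=192.0.2.55 PROTO=TCP SPT=52003 DPT=8443
Jun 11 09:05:00 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.2 DST=192.0.2.55 PROTO=TCP SPT=52004 DPT=8443
Jun 11 09:06:30 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.3.3 DST=93.184.216.34 PROTO=TCP SPT=53111 DPT=443
"""


def parse(log_text: str) -> List[Event]:
    """Pull (src, dst, proto, dport) out of every EGRESS-DENY line; skip the rest."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def triage(events: List[Event], spam_threshold: int = 5,
           beacon_threshold: int = 5) -> Dict[str, List[str]]:
    """Group denied egress by internal source and apply three heuristics:
    fan-out on SMTP (spam bot or mail misconfiguration), DNS to outside
    resolvers (bypassing the internal resolver), and repeated attempts to one
    external endpoint (a beacon, or a misconfigured agent). A single one-off
    deny is left for the AUP conversation, not the incident queue."""
    by_src: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for src, dst, proto, dport in events:
        by_src[src].append((dst, proto, dport))
    findings: Dict[str, List[str]] = {}
    for src, attempts in by_src.items():
        smtp_targets = {dst for dst, _, dport in attempts if dport == 25}
        dns_targets = {dst for dst, _, dport in attempts if dport == 53}
        repeats: Dict[Tuple[str, str, int], int] = defaultdict(int)
        for dst, proto, dport in attempts:
            if dport not in (25, 53):
                repeats[(dst, proto, dport)] += 1
        tags: List[str] = []
        if len(smtp_targets) >= spam_threshold:
            tags.append(f"direct SMTP to {len(smtp_targets)} hosts: spam bot or mail misconfiguration")
        if dns_targets:
            tags.append(f"DNS to external resolvers {sorted(dns_targets)}: bypassing the internal resolver")
        for (dst, proto, dport), n in repeats.items():
            if n >= beacon_threshold:
                tags.append(f"{n} repeated attempts to {dst} {proto}/{dport}: possible beacon")
        if tags:
            findings[src] = tags
    return findings


if __name__ == "__main__":
    for host, tags in triage(parse(SAMPLE_LOG)).items():
        for tag in tags:
            print(f"{host}: {tag}")
```

Each of the three flagged hosts corresponds to something the article warns about: the SMTP fan-out is the spam bot (or a workstation with a misconfigured mail client), the external DNS queries are the resolver bypass that a policy exception or malware would produce, and the steady retries to one unapproved endpoint are what a blocked beacon looks like from the firewall's side. The one-off denied web connection from 10.1.3.3 is logged but not escalated.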
The original (2003) version of this article can be found here.