Description: One of the classic appliances/services in information security is the firewall. Firewalls are often portrayed in popular culture as all-powerful defense mechanisms capable of protecting sensitive assets from all external threats. This perception is inaccurate. Firewalls cannot defend assets against all cyberattacks; in fact, they often fall short. However, a well-configured firewall is still a necessity for any network environment and will usually defend your infrastructure against the most common threats.
At its most basic level, a firewall is a system that monitors traffic entering and leaving a network and validates that traffic against a set of pre-defined rules. Traffic that complies with the rules is allowed to pass; traffic that does not comply is dropped or blocked outright. A firewall’s rules are designed to identify known intrusion techniques and otherwise unnecessary traffic and act accordingly. The standard way to configure a firewall is a deny-by-default strategy: all ingress traffic to the company network is blocked, and all egress traffic is allowed. Business users can reach the Internet, but nobody on the Internet can reach in. Admins then determine which services genuinely need to communicate with the business network and open those ports on the firewall one at a time. For better security, deny by default can also be applied to egress traffic, following the same one-port-at-a-time approach.
There are several different firewall “builds,” each with its own architecture, purpose, and techniques.
- Packet Filtering Firewall: This is the classic implementation and functions at the Network and Transport Layers of the OSI Model. It filters network packets based on their TCP/IP headers, applying rules to the source and destination IP addresses, ports, and protocol. A packet filtering firewall maintains no awareness of context or connection state, which means knowledgeable threat actors can usually bypass it fairly easily.
- Stateful Inspection Firewall: This firewall also functions at the Network and Transport Layers, but takes its security tasks a bit further. In addition to address, port, and protocol information, a stateful firewall monitors the progress of individual sessions passing through. By monitoring the state of network communications, the firewall can intervene to enforce rules based on what is occurring presently in the session.
- Circuit Level Gateway: This firewall implementation functions strictly at the Session Layer of the OSI Model. It does not inspect the specific payloads of network packets, and instead validates rules against the TCP handshakes occurring between network nodes. If the firewall detects an invalid or suspicious session, it intervenes.
- Application-Level Firewalls aka Application Proxies: This firewall structure combines Network and Transport Layer enforcement with monitoring of the Application Layer of current sessions. They have full knowledge of the application data being exchanged, and can act based on specific application commands such as HTTP GET or HTTP POST. These firewalls have the added benefit of being able to enforce strict access controls and log extensive data on network activity.
- Next Generation Firewall (NGFW): This version of the firewall is newer and monitors the Network Layer all the way up to the Application Layer of the OSI Model. Think of this as a superpowered system that combines all of the previous firewall functionalities into one. They can perform stateful inspection on the sessions moving into and out of the network, and can also look into the application data for suspicious activities. Since an NGFW can stop and examine the entire network packet from the header to the data, it is often referred to as performing deep packet inspection (DPI).
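The deny-by-default policy described earlier and the difference between the packet filtering and stateful inspection builds above are easier to see in code than in prose. The following Python sketch is an added example, not code from the original article or from any firewall product: it models a deny-by-default ingress policy with a few ports opened one at a time, once as a stateless header-only filter and once with a connection-tracking table. The `Packet` fields, the `decide()` verdicts and the connection table are simplified stand-ins for what a real filter such as iptables/nftables keeps (an assumption for illustration), and the addresses are constructed values from documentation ranges.

```python
"""Toy packet filter: stateless packet filtering vs. stateful inspection
under a deny-by-default ingress policy.

Added example, not from the original article. Packets, rule semantics and
the connection-tracking table are simplified stand-ins (assumption) for
what a real firewall engine does; all addresses are constructed.
"""
from dataclasses import dataclass, field

INSIDE = "10.0.0."   # constructed: the business LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN without ACK: a new connection attempt
    ack: bool = False

    def direction(self) -> str:
        """Egress if the packet originates inside the LAN, else ingress."""
        return "egress" if self.src.startswith(INSIDE) else "ingress"


@dataclass
class StatelessFilter:
    """Classic packet filter: header-only decisions, no memory of sessions.
    Ingress is deny-by-default; the admin opens ports one at a time."""
    open_ingress_ports: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction() == "egress":
            return "ACCEPT"
        if pkt.proto == "tcp" and pkt.dport in self.open_ingress_ports:
            return "ACCEPT"
        # Replies to the LAN's own web browsing must get back in, but without
        # state the only clue is the header: source port 80/443 and ACK set.
        # Anything that merely looks like such a reply is let through too.
        if pkt.proto == "tcp" and pkt.sport in (80, 443) and pkt.ack:
            return "ACCEPT"
        return "DROP"


@dataclass
class StatefulFilter:
    """Stateful inspection: the same port rules plus a connection table, so
    only replies to sessions the LAN actually started are allowed back in."""
    open_ingress_ports: set = field(default_factory=set)
    conntrack: set = field(default_factory=set)   # established flows

    @staticmethod
    def _key(pkt: Packet):
        # Order the endpoints so a reply maps onto the request's entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a < b else b + a)

    def decide(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.conntrack:
            return "ACCEPT"              # ESTABLISHED: part of a known session
        if pkt.direction() == "egress":
            if pkt.proto == "tcp" and not pkt.syn:
                return "DROP"            # INVALID: mid-stream packet, unknown session
            self.conntrack.add(key)      # NEW session started from the LAN
            return "ACCEPT"
        if pkt.proto == "tcp" and pkt.syn and pkt.dport in self.open_ingress_ports:
            self.conntrack.add(key)      # NEW session to a published service
            return "ACCEPT"
        return "DROP"                    # unsolicited ingress


def run_demo() -> dict:
    """Replay a constructed traffic sample through both filters and return
    {label: (stateless_verdict, stateful_verdict)} for side-by-side review."""
    lan_host, web, outsider = "10.0.0.25", "203.0.113.10", "198.51.100.7"
    traffic = [
        ("outbound web request", Packet(lan_host, 51234, web, 443, syn=True)),
        ("reply to that request", Packet(web, 443, lan_host, 51234, ack=True)),
        ("inbound SMTP to published server", Packet(outsider, 40000, "10.0.0.5", 25, syn=True)),
        ("unsolicited ACK from port 443", Packet(outsider, 443, lan_host, 3389, ack=True)),
        ("inbound RDP attempt", Packet(outsider, 40001, lan_host, 3389, syn=True)),
    ]
    stateless = StatelessFilter(open_ingress_ports={25})   # only SMTP opened
    stateful = StatefulFilter(open_ingress_ports={25})
    return {label: (stateless.decide(p), stateful.decide(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (sl, sf) in run_demo().items():
        print(f"{label:36} stateless={sl:7} stateful={sf}")
```

Both filters let the LAN browse out, let the reply back in and accept mail to the one published port. They part ways on the fourth packet: a packet that merely carries the header shape of a web reply passes the stateless filter, while the stateful filter drops it because no LAN host ever opened that session. That gap is why stateful inspection is the baseline even on consumer SOHO devices, and why a packet filter alone is rarely considered sufficient today.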
If this seems like a lot to digest, don’t worry. The extent to which firewalling needs to be configured in your business environment varies. Small businesses confined to a smaller geographic area typically use a Small Office/Home Office (SOHO) router. These are the basic consumer routers you pick up at your local Walmart, and they combine routing and firewalling functionality in one device. The firewall is preconfigured, using a combination of Network Address Translation (NAT) routing and stateful inspection, so these devices need little configuration unless you want specific traffic rules enforced. You may have seen open-source intelligence (OSINT) websites such as Shodan.io that surface live feeds from security cameras or remote desktop logins sitting on local networks. These exist because admins have specifically configured their firewalls to port forward common protocols through to an internal device.
For most small businesses, the plug-and-play SOHO router should suffice for firewalling. However, larger organizations with more complex network designs and traffic levels separate routing and firewalling onto individual appliances. Their router is typically a box connecting to the Internet, with the firewall appliance sitting behind it. In this case, IT admins log into the firewall’s management interface and configure the rules themselves. Extensive networks made up of multiple subnets with varying security requirements place multiple firewalls at strategic points to protect specific network segments. This extensive use of firewalls around smaller groupings of assets is a key part of micro-segmentation.
For businesses that want to thread the needle and save costs, open-source solutions such as pfSense and OPNsense allow a business to install the firewall software on a dedicated device and configure both routing and firewalling itself. Vendors like Netgate sell basic small-to-medium office devices with pfSense pre-installed. Think of this as the natural step up from the consumer SOHO router. It is up to you, along with senior management and IT staff, to select the proper firewall solution for your business network. If your business is made up of 10 or fewer employees, and your network performance baseline is being consistently met, then it may make sense to stick with the SOHO solution. However, if your business is expanding into a larger geographic area or growing its on-premises digital infrastructure, then you may want to consider offloading firewalling to a dedicated appliance. Procuring firewalls must follow the same planning strategy as any other business asset. Functional, operational, and technical requirements must be defined, and vendors/solutions must be evaluated by senior management. Once purchased, firewalls shall be configured by appropriately skilled personnel and tested in a suitable environment before deployment to the production network.
