Firewalls have been the first line of defense in network security for nearly three decades. They come in many forms, including traditional, next-generation, hardware, and software. With thirty years of technology changes and so many different firewall forms, it can be difficult to determine what your network actually needs. Choosing the wrong firewall can leave you vulnerable to the emerging threats in today's threat landscape.
To answer your most pressing questions and help you better understand your network security needs, we've broken this post up into the following sections:
- Are Routers and Firewalls the Same Thing?
- Traditional vs Next-Gen Firewalls
- Hardware vs Software Firewalls
- How Does a Firewall Identify Threats?
- Firewall Management
- What Firewall Features Does My Business Need?
What is a firewall?
A firewall is a device that sits on a network. Its role is to prevent traffic, people, and devices out on the internet from getting into your private network.
The new next-gen firewalls are used to keep malicious activity and unwanted traffic off your network.
Are Routers and Firewalls the Same Thing?
A router and a firewall aren’t the same thing. The only job of a router is to direct traffic where it needs to go. It doesn’t stop or filter traffic beyond simple Access Control List (ACL) rules. Routing is one function of a firewall, but a router provides none of the threat detection and prevention features of a firewall.
Traditional vs Next-Gen Firewalls
Not all firewalls operate the same way. In general, there are two types of firewalls: “traditional firewalls” and “next-gen firewalls.”
Traditional firewalls block incoming traffic based on the kind of traffic it is.
For example, a traditional firewall identifies port 80 traffic, which is essentially web browsing traffic, or it identifies SMTP, which is email traffic. However, it doesn’t inspect the traffic or the data carried inside it.
Next-generation firewalls take things a step further by actually inspecting the traffic and stopping any malicious payloads.
Hardware vs Software Firewalls
A hardware firewall, like the Sophos XG115, has an operating system that is optimized to work with a specific piece of hardware. This provides the best protection and optimal functionality.
A software firewall takes the software equivalent of the hardware firewall operating system and allows you to run the software firewall from a computer or as a virtual machine.
The software firewall is a good solution if you’re on an extremely tight budget. Much of the software is free, and if you have an old computer scheduled for decommissioning, you can repurpose it to run the firewall software.
Machine Requirements to Run a Software Firewall
- Minimum of two network cards - one designated for outside traffic and one designated for inside, connected to your local area network (LAN)
- Intel or AMD processor
- Hard drive space
How Does a Firewall Identify Threats?
Think of the connection to the internet from your network as a bridge.
On this bridge, you have cars traveling back and forth. The cars represent traffic on your network.
You also have a guard on this bridge that has to approve the cars before they're allowed to travel on the bridge. The guard represents your firewall.
The guard looks at the traffic on the bridge and sees a blue car (representing web traffic) and a red car (representing email traffic). The guard says, “blue car, you’re allowed; red car, you’re allowed.” Then comes a purple car (representing SMTP traffic that’s not allowed), and the guard says, “nope, sorry purple car, you can’t use this bridge.”
This checkpoint is essentially how a traditional firewall operates. It's an okay system, but it has a big flaw that is often exploited in today's threat landscape.
The guard allowed the red car to travel across the bridge, but since he didn’t search the car, he failed to see the bad guys hiding in the trunk (representing traffic from a compromised website carrying a malicious payload).
Next-generation firewalls don’t have this problem. They inspect the payload of the traffic coming in before allowing it to enter. These next-gen firewalls also inspect traffic from the inside before allowing it out, an invaluable feature for combating ransomware.
In the case of a typical ransomware infection, a user's machine gets infected with ransomware, and the payload starts to set itself up.
Once the ransomware is running, it needs an encryption key to encrypt the user's files and hold them for ransom. At this stage, the ransomware calls out to its command and control server to request an encryption key.
A next-gen firewall inspects this outbound request, identifies that it’s attempting to reach a known bad site, and blocks it.
In this example, the computer’s endpoint protection software failed to detect the ransomware initially. However, the next-gen firewall detected the ransomware trying to reach the command and control server and then prevented the ransomware from executing.
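To make the difference concrete, here is an added example (it is not from the original post and not Sophos code) that models a traditional firewall's port-only checks beside a next-gen firewall that also inspects payloads in both directions. It covers both the bridge analogy (a malicious download hiding inside allowed web traffic) and the ransomware callback above; the known-bad host, the content signature and the sample packets are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    direction: str   # "in" = internet to LAN, "out" = LAN to internet
    dst_port: int
    payload: bytes   # application data the firewall can see

# Traditional policy: look only at direction and destination port.
ALLOWED_PORTS = {"in": {80, 443}, "out": {80, 443, 25, 53}}

def traditional_verdict(pkt: Packet) -> str:
    return "allow" if pkt.dst_port in ALLOWED_PORTS[pkt.direction] else "block"

# Next-gen additions, all constructed for this example: a feed of known
# bad hosts and a content signature standing in for a real malware signature.
KNOWN_BAD_HOSTS = {"c2.example-bad.test"}
SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]

def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, if present."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace").lower()
    return None

def next_gen_verdict(pkt: Packet) -> str:
    if traditional_verdict(pkt) == "block":          # port rules still apply
        return "block"
    if http_host(pkt.payload) in KNOWN_BAD_HOSTS:    # outbound C2 callback
        return "block"
    if any(sig in pkt.payload for sig in SIGNATURES):  # "bad guys in the trunk"
        return "block"
    return "allow"

# Constructed sample traffic. Payloads are plaintext so the firewall can
# read them; for HTTPS a real device would need TLS inspection to do this.
SAMPLE_TRAFFIC = [
    Packet("out", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("in", 3389, b""),                                           # unexpected port
    Packet("in", 80, b"HTTP/1.1 200 OK\r\n\r\nCONSTRUCTED-MALWARE-MARKER"),  # bad file, allowed port
    Packet("out", 80, b"GET /key HTTP/1.1\r\nHost: c2.example-bad.test\r\n\r\n"),  # key request to C2
]

def compare(traffic: List[Packet] = SAMPLE_TRAFFIC) -> List[Tuple[str, str]]:
    # (traditional verdict, next-gen verdict) for each packet
    return [(traditional_verdict(p), next_gen_verdict(p)) for p in traffic]
```

Running `compare()` shows both firewalls agree on the first two packets, while only the next-gen model blocks the malicious download and the command and control callback that arrive on permitted ports.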
Firewall Management
Within an enterprise, the network administrator is typically responsible for firewall management. Depending on the type of firewall you purchase, you may get emailed notifications and reports that keep you up to speed on what’s going in and out of your network. However, it is also best practice to review the firewall management interface on the device itself.
Firewall management is a daily duty for network administrators, and it becomes an increasingly complicated task depending on how many locations and firewalls you have. For example, a bank with three branch locations should have four firewalls in place. However, you’re not going to want to manage all four firewalls independently.
Thankfully there are many options to enable centralized management of all the devices comprising your security solution. These include centralized policies, notifications, and managed security service providers (MSSPs).
If you're looking for an entirely hands-off security solution, MSSPs can provide you the hardware, software, and device management as part of a service. Some providers even go so far as to provide a connection to the internet itself.
What Firewall Features Does My Business Need?
- Look for the “Next-Gen” or “Next-Generation” label on your firewall
- Look for “Intrusion Prevention Systems (IPS)” and “Intrusion Detection Systems (IDS)”
- Look for “Advanced Threat Protection (ATP)”
- Look for a firewall that can work in conjunction with your endpoint security solution
- #ShamelessPlug: the Sophos XG series of firewalls communicates with the Sophos Central-based endpoint security products, especially Intercept X
  - This allows the firewall to isolate a machine from the network when that machine is reported as high risk or potentially infected, preventing threats from moving laterally and infecting the rest of the network.
Originally published on 02/27/2019