Why a Reliable Firewall is Essential to Enterprise Security?
#1
Quote:

Heimdal™ Security’s Approach to Firewall Security

There is no doubt in my mind that the threatscape has changed – new malicious strains rising to wreak havoc, traditional (and outdated) countermeasures failing, ML and AI stepping up to the plate to create actionable mediation (and remediation) strategies.

In this scenario, where everything moves faster than light to keep up with the challenges, it’s quite unlikely to find something hinting at “the old ways”, which in this case broadly refers to the whole malware-riddance “Machinarium”, with the limelight, of course, falling on the antivirus.

Yet, there is hope for ‘traditional’ solutions, the firewall being amongst them, or, better said, the only one that has aced the test of time.

In this article, we are going to take a closer look at firewalls – how they work, why they’re still in place, how many firewall types there are, and, of course, why they should be a part of your company’s cyber-resilience plan.

What exactly is a firewall? Some tips on how to choose the best one for your company

Going back to the basics, a firewall is a network security device that monitors outgoing and incoming traffic. Basically, it’s the IT equivalent of a TSA officer (no disrespect intended, of course), checking the passengers as they pass through the airport’s security gates.

Firewalls can be physical devices (i.e. hardware firewalls), but can also be deployed in software form (i.e. Microsoft Windows’ Defender Firewall). Firewalls, regardless of form, do more than check inbound/outgoing traffic – they also ensure that user-defined rules are observed.

Here’s an example of how a firewall works: in keeping with the airport controller metaphor, let’s imagine a random person going through the checkpoint. It’s the officer’s job to check that person’s ID and inquire about the destination. On the IT side, this translates to the firewall inquiring about the IP and source of the transmission.

At this point, I should introduce two concepts called whitelist and blacklist. Simple enough to understand – what’s on the whitelist is good and what’s on the blacklist is bad. Now, after the ‘inquiry’ stage, the officer will check the person’s credentials against the two lists. If he’s on the whitelist, he can go through. If not, well, he will have some explaining to do.

The same thing happens on the traffic level – incoming packages get checked. If the transmission comes from a safe source (on the whitelist), they will be allowed to pass. If not, the connection will be severed.

Although the term “firewall” appears to be universal, there are, in fact, several types of firewalls, each designed to address (and overcome) a certain network security challenge. Let’s take a close look at the various firewall types.

Personal firewall

Endpoint-centric traffic monitoring and management solution. Protects a single endpoint (i.e. desktop computer, laptop, tablet or smartphone) and is usually a part of a larger cybersecurity software package. For all intents and purposes, the Windows Defender Firewall can be considered a personal firewall, interposing itself between the machine and the Internet. Software-wise, there are a lot of choices.

Packet-filtering firewall

Moving further down the list, we have yet another basic firewall type – the packet or package-filtering firewall. A little more secure compared to the personal firewall, the packet-filtering variety adds more muscle to a multi-device network, such as the ones run by small businesses.

This type of firewall has pre-determined rules and policies, which allows it to generate various types of filtering criteria: allowed IP addresses, packet protocol headers, port numbers, and the types of data-bearing packets.

Packet-filtering firewalls are what we call “in-line defenses”, meaning that they are placed at junction points such as routers or switches.

This type of firewall has but one caveat: it simply compares the transmitted packages against a predetermined list, meaning that there’s no way to route the ones that get flagged as suspicious. Packet-filtering firewalls simply discard the packets that do not match the criteria. Discarded packets cease to exist. Daunting perspective, don’t you agree?

Circuit-level gateway (firewall)

The methods enumerated so far are architecture-centric, meaning that they do not factor in the context nor the content of the data packages. Circuit-level gateways are cheap and somewhat efficient ways of providing some insight into what is being relayed during the communication.

To identify potentially malicious data packets, circuit-level gateways inspect any (and all) network protocols used during the data transmission.

This includes TCP handshakes and subsequent encryption keys. Again, this is just one of the many instruments employed to verify the context and some content. Unfortunately, it’s a blunt one, since circuit-level gateways cannot perform in-depth analyses on the packets’ content.

Stateful inspection firewall

Since the entire malware industry is focused on creating variants that circumvent detection grids, there is, indeed, a need for a firewall capable of inspecting the contents of each package. Enter the stateful inspection firewall, which is, more or less, the IT equivalent of a customs officer, in charge of checking every parcel and suitcase before the owner can retrieve it and go about his business.

Stateful inspection firewalls, albeit more expensive and difficult to deploy compared to the other items on our list, can inspect the contents of each data packet. More than that, they can ascertain whether or not that packet or ‘bundle’ is part of or has been requested during an active network session.

Another caveat that comes to mind is that stateful inspection firewalls can take quite a toll on your network’s performance, by increasing the latency. Of course, it does tend to make up for this with the extra ‘muscle’ it brings.

Proxy firewall

In every aspect, the proxy firewall can be considered the love-child of the packet-filtering firewall and the circuit-level gateway. In more technical terms, this packet-inspection technique interposes a firewall-enabled proxy server between the client (your machine) and the rest of the Internet.

Often called application-level gateways, these types of firewalls have dynamic filtering capabilities – capable of filtering packets according to the service they are attempting to access. Additionally, they can call up additional criteria, such as the HTTPS request string.

Since it’s phenotypical, the proxy firewall also has the same packet-inspection capabilities as the gateway. On the other hand, just like in the case of the stateful inspection firewall, the proxy firewall can impact your network’s performance.

Hybrid firewall

The epitome of firewall technology, hybrids combine advanced packet-scanning techniques, such as deep-packet inspection, with antivirus/antimalware software. A hybrid firewall will inspect every aspect of a web browsing session, right down to the content of each transmitted packet.

More than that, hybrids have the capability of performing deep packet analyses. For instance, they can ‘figure out’ if the packets came from a legitimate source by piecing together the entire server reply, which is made of many more data packets.

As you would imagine, hybrid firewalls are the go-to solutions if you want to ensure that no malicious packets slip through. With the built-in AV/AM, it can provide HIDS and HIPS.

However, just like the other types of deep packet inspection firewalls, hybrids can also impact your network’s performance. More than that, hybrids can impact your organization’s resources as well, since they require front-end maintenance.
...
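The rule-list filtering and the session tracking described in the quoted article (the packet-filtering and stateful inspection sections above), shown side by side as an added example; this is not part of the original post or of Heimdal's material. Every address, port, rule and packet below is constructed for illustration. The stateless filter can only approximate "reply traffic" with a rule that admits any inbound packet carrying the ACK flag, which is exactly what lets an unsolicited ACK-only probe through; the stateful variant keeps a connection table and drops the same probe because no tracked connection explains it.

```python
"""Toy packet filter: a stateless allow/deny rule list next to a stateful
variant that tracks connections. Added example, not Heimdal's code; all
addresses, ports and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in" (toward the protected net) or "out"
    proto: str = "any"
    src: str = ANY                   # CIDR
    dst: str = ANY                   # CIDR
    dport: Optional[int] = None
    flag: Optional[str] = None       # required TCP flag, e.g. "ACK"

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (
            self.direction == direction
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.flag is None or self.flag in pkt.flags)
        )


class PacketFilter:
    """Stateless filter: first matching rule wins, default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet, direction: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, direction):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Same rules plus a connection table: packets belonging to a connection
    the rules already admitted are allowed in either direction; TCP packets
    that are not a fresh SYN and match no tracked connection are dropped."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()           # (src, sport, dst, dport, proto) 5-tuples

    def decide(self, pkt: Packet, direction: str) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reply in self.flows:
            return "allow"           # part of an established connection
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "deny"            # mid-stream packet with no known connection
        action = super().decide(pkt, direction)
        if action == "allow":
            self.flows.add(key)      # remember the connection the rules admitted
        return action


# Constructed policy: inside net 10.0.0.0/24, public web server 10.0.0.5.
RULES = [
    Rule("allow", "out", "tcp", src="10.0.0.0/24", dport=443),
    Rule("allow", "out", "udp", src="10.0.0.0/24", dport=53),
    Rule("allow", "in", "tcp", dst="10.0.0.5/32", dport=443),
    # A stateless filter can only approximate "replies" by admitting any
    # inbound packet with ACK set; that is the hole the stateful variant closes.
    Rule("allow", "in", "tcp", dst="10.0.0.0/24", flag="ACK"),
]

SYN, SYN_ACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


def compare(pkts):
    """Run one packet sequence through both filters; return a list of
    (stateless_decision, stateful_decision) per packet, in order."""
    stateless, stateful = PacketFilter(RULES), StatefulFilter(RULES)
    return [(stateless.decide(p, d), stateful.decide(p, d)) for p, d in pkts]


# Constructed traffic: a legitimate outbound HTTPS handshake, an unsolicited
# ACK-only probe at an inside host (the shape of an ACK scan), a legitimate
# inbound connection to the web server, and a SYN to an unexposed SSH port.
TRAFFIC = [
    (Packet("10.0.0.10", 50000, "203.0.113.7", 443, flags=SYN), "out"),
    (Packet("203.0.113.7", 443, "10.0.0.10", 50000, flags=SYN_ACK), "in"),
    (Packet("198.51.100.9", 443, "10.0.0.10", 50001, flags=ACK), "in"),
    (Packet("198.51.100.9", 40000, "10.0.0.5", 443, flags=SYN), "in"),
    (Packet("198.51.100.9", 40001, "10.0.0.10", 22, flags=SYN), "in"),
]

if __name__ == "__main__":
    for (pkt, direction), (sl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={sl} stateful={sf}")
```

Running the block prints one line per packet; the third packet is the one that matters: the stateless filter's ACK rule lets the probe reach 10.0.0.10, while the stateful filter denies it because no outbound connection from 10.0.0.10:50001 was ever admitted. The remaining four packets get the same verdict from both filters, which is the point of the comparison: state tracking adds the missing context without loosening the rule list.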

