For many people, the term firewall conjures images of invisible barriers reminiscent of galactic sci-fi movies where the starship commander instructs his second-in-command to Raise the Shields! If only it were so easy. A typical definition for a network firewall is:
A network security device that that monitors incoming and outgoing traffic from a specific location using a set of access rules.
Most definitions stop there. This definition has created a world of confusion and expectation about what a firewall does, its strengths and its limitations. So…
What is a firewall?
To get the right answer, you have to ask the right question. Before you can do that, we have to revise our definition of a firewall:
A firewall is a TCP/UDP port management device that monitors incoming and outgoing traffic from network addresses using access rules that govern port and destination availability.
The correct question to ask is, what is a TCP/UDP port? So…
What is a TCP/UDP port?
Most of us are familiar with IP addresses. There is a second half of internet addressing that largely goes unmentioned. This is the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port. The port defines the service you are requesting at that IP (Internet Protocol) address. The well-known TCP ports are more commonly known by their name, HTTP, HTTPS, FTP, etc and less often by their number. The names define the type of service request. (One can override any well-known port number by adding a “:” at the end of the request followed by a substitute port number to use.)
Where did the concept of ports come from? The Internet operates on the what is called the Open Systems Interconnection model (OSI model). This is a conceptual model that allows the creations of standards upon which the interconnected network world is built. TCP/IP or TCP or UDP and IP protocol form two layers of the network model where a firewall is designed to work. A firewall manages access to ports and addresses via defined security rules.
The concept of a IP address coupled with a TCP or UDP port is a fundamental concept of the Internet. A computer can point to an IP address but without requesting some kind of service, the server or device at that IP address will not be able to respond. That service is defined by the Port Number requested.
How does a firewall manage ports and addresses?
Every IP address has over 64,000 possible TCP or UDP ports. A port is a service that can be accessed or provided at every IP address. The best way to explain a port is to imagine your house as an IP address. There are many different ways and reasons (ports) to access your house (IP address). For example, at your house one may find:
- Water pipes delivering water,
- Electricity wires supplying power,
- Sewerage pipes removing household waste,
- Recycling trucks picking up recyclables,
- Cars pulling into the driveway,
- Vans delivering food,
- Guests coming to visit,
- Family walking into the house
The house address (street, city, zip code) can be thought of as the IP address. It would give the world a precise location for the building. A set of rules is then applied to control or limit who or what accesses the house based on what they do, who they are, why they are trying to access the house and when they are trying to access. For example, driveway parking could be limited to homeowners only and access for any other visitors (guests, garbage trucks, delivery vans) would have to stay on the street (the Internet).
In the same way, a firewall is a port-management device that examines every Internet access attempt to your IP address (your house) from the Internet (the street) and manages this access by the rules that the firewall manager writes. With so many ports available for exploitation, you need a port management device or a “firewall” to block, manage, filter, scan and/or permit network traffic.
And yes, most firewalls can do routing or DHCP management – both layer 2 and 3 of the OSI model. And there are some Layer 7 application functions such as deep packet inspection or DPI that firewalls accomplish. DPI is equivalent of putting a metal detector at the door of the building and searching every packet that goes through an acceptable route. DPI is covered in another post. The faster the processor, the more the firewall has the power to accomplish ultrafast packet inspection. Much of the growth of firewall future will be to expand out of the TCP Port management area. At the home or small business, a firewall today accomplishes most of its security mission by TCP/UDP port management. Datacenters and enterprise firewalls will have high end firewalls such as SonicWALL SuperMassives or Cisco ASAs.
Good news that most ports assigned to common use internet functions are defined by the IANA and listed in the Service Name and Transport Registry. Common or well-known ports that you might be familiar with are:
- 80 – Hypertext transport protocol (HTTP),
- 21 – File Transport Protocol (FTP),
- 23 – Telnet Protocol (TELNET),
- 22 – Secure Shell (SSH), and
- 443 – Hypertext Transfer Protocol Secure (HTTPS).
When setting up a firewall, you can use the recommended settings or decide to lock out all the ports. Thinking back to your house again, since access to the house is important to any house user, 100% lockdown should neither be needed or wanted. Ultimately, good security screens out the bad and let in the good as and when you want it. So, you may allow your guests to park on your driveway for limited periods.
How to choose a firewall
Given that a firewall is a port management system, what technology is out there today to best help you manage those ports that you might want used or blocked at your IP address?
Almost all commercially available firewalls will do the basic turning ports on or off depending upon the services that your business or home may need. There are other distinguishing factors:
- Ease of Management. Do you need a PhD to set this up or is the management interface easy to use? A great firewall should have an easy to manage and understand interface that allows you to learn as you go. If the device does not have on-screen help text, it is challenging to manage.
- Firewall Site Reporting. Can the firewall generate quick and easy to understand reports of what it is seeing? Alerts when suspect packets hit the firewall, graphs showing observed and stopped attacks, and other points of interests should be included as standard with a firewall.
- Bandwidth. How fast is the firewall? How much traffic can it check before it starts bottlenecking and slowing access to and from the Internet? Firewalls are designed for various size sites from a home or small office to a campus or university sized location. Make sure you choose one with enough bandwidth for your location.
- VPN (Virtual Private Networking) compatibility. Remote workers need to access the company intranet so businesses must choose a firewall with this in mind. How fast is the VPN, what kind of VPN and how many VPNs can the firewall support? Does it support site-to-site VPNs between firewalls, where users won’t even realize they are accessing using VPN? Can users connect from their computer when at a remote location, usually via a software VPN? SSL (Secure Socket Layer) VPN’s are the most secure but require the highest amount of computing power to encrypt and decrypt and are used mostly for financial data. Before buying a firewall, make sure your firewall choice matches your VPN needs.
- Virus checking. This is always an additional value added service of a deep packet inspection firewall. Does your vendor offer this additional service for a reasonable rate? SonicWALL offers this service through their Comprehensive Gateway Security Services (CGSS). Cisco offers this when the firewall is under SmartNet. Juniper has the same kind of offering through Jcare for additional services..
- Email checking. Similar to virus checking inbound links, email checking is a value added service for an additional fee. Does your firewall vendor offer this as an additional service? SonicWALL and Cisco offer these services for additional fee.
- Comprehensive monitoring and alerting. Does your firewall vendor offer alerts from your firewall as events in the world occur? SonicWALL is known for its dashboard of world security threats visible as they increase and decrease over time.
- Firmware updates. Does your firewall vendor offer firmware updates as bugs are uncovered or more features are released? Is this an additional cost? Almost all vendors offer free firmware upgrades for major security shortfalls but few offer free firmware updates for normal or feature releases. Be sure to check this before buying or installing.
Limitations of Firewalls
Firewalls setup and managed correctly are terrific port management devices that provide excellent internet security for you. There are limitations:
- Firewalls must be actively managed and monitored. You cannot set-and-forget. Business that do this run the risk of being hacked.
- Must be set up to match business needs and security plan. Incorrectly set-up firewalls with rules that create an access hole for a malicious player are worse that no firewall because there is a false sense of security.
- Poorly chosen Firewalls can be a bottleneck. An inadequate firewall can result in bottlenecking traffic and so company operations can be significantly throttled. Match the bandwidth of the firewall with the bandwidth needs of the company.
- Firewalls can be overwhelmed by Distributed Denial of Service (DDos) attacks. Even the most powerful firewalls are useless if their network connections are saturated. Malicious attackers can use compromised botnets to overwhelm almost any network link. This kind of attack can be mitigated by partnering with an advanced Managed Security Service Provider (MSSP) and configuring your advanced firewall to work with their service.
- Firewalls manage inbound and outbound traffic through its ports only. Any other access route into a company network is a major security hole. For example, an employee using his cell phone as a wifi router could allow an outsider to bypass the firewall. There are other solutions that work in concert with a firewall to detect and prevent these kinds of security violations.
- Firewalls should be integrated with an endpoint security solution. The best firewall is useless if a trusted user brings an infected laptop into a trusted network. Deploy a comprehensive endpoint security solution and configure it to work with your advanced firewall to scan all endpoint devices and quarantine any potentially infected machines so that they don’t compromise the rest of your network.
- Firewalls are part of a security plan not the whole plan. A comprehensive network and data security plan includes procedures for backup, passwords, site recovery, etc. If your firewall is your single point security plan, you may be leaving many security holes in your business.
A corporate network without a firewall is like a starship without a deflector shield – and a security wise crew that is actively managing that shield. Understanding what a firewall is and is not is vital when choosing the right one for your business.
Other News of Interest: