Firewalls
In building structural terms, a firewall is designed to resist the passage of something undesirable, i.e., a fire, from one side to the other. In technology, a network firewall serves a similar purpose. A network firewall is a network device that is designed to resist the passage of undesirable network traffic from one side to another. Unlike building firewalls, network firewalls actually can have many "sides" and can protect devices on any one side from those on any other side.
Types of firewalls
- A network-based firewall is a dedicated piece of hardware and software installed on a network to protect a number of computer servers and/or workstations.
- A personal firewall is a piece of software that resides on an individual workstation primarily to protect that workstation.
Network-based firewall placement
- A perimeter firewall is placed at the point at which the campus network connects to outside entities, such as the Internet, private leased lines to other institutions and businesses, etc. The purpose of a perimeter firewall is to control the network traffic between off-campus devices and those on-campus.
- An interior firewall is positioned within the campus network to control network traffic between the general campus population and specific groups of devices (e.g., institutional servers, devices associated with a specific department, etc.).
Performance and network availability considerations
Whenever a firewall is placed between groups of devices, every piece of network traffic between any device on any one side of the firewall and one on any other side must pass through and be analyzed by the firewall. If the firewall fails, all traffic between devices on opposite sides of the firewall is interrupted. Therefore, when implementing a firewall, it is important to consider network performance and to plan how you will restore network connectivity in case of a firewall failure.
How firewalls work
Primarily, firewalls allow or block network traffic between devices based upon rules set up by the firewall administrator. Each rule defines a specific traffic pattern you want the firewall to detect and the action you want the firewall to take when that pattern is detected.
Note - A firewall can only operate on communications traffic that physically passes through it. A firewall has no impact on traffic between two devices on the same "side" of the firewall (i.e., both connected to the same firewall network card or port).
Criteria Used to Identify Communication Sessions
When the firewall receives a request from a device on one side to communicate with a device on a different side, it compares information about the request against each firewall rule in sequence until a match is found. The following information is considered:
- The network address of the device initiating the communication ("source") is compared against the list of sources contained within the rule.
- The network address of the device whose services are requested ("destination") is compared against the list of destinations contained within the rule.
- The service being requested (e.g., Web, mail, file transfer, terminal session, etc.) is compared against the list of services contained within the rule.
Additional Criteria Provided by Some Vendors
Some firewall products can also consider not only the service type, but also the specific actions, files or elements involved. For example, between specific sources and destinations, a firewall may:
- allow Web requests to proceed except for certain Web pages,
- allow file transfers to proceed from destination to source but not vice versa,
- allow file transfers to proceed except for certain named files.
Actions that can be taken when criteria are met
If an attempted communication meets all the criteria specified in a rule, the firewall will take the action specified in that rule. After a match, the firewall will not review any subsequent rules in the ruleset for that communications session. Depending on the vendor, the actions that may be taken include:
- allow the communication to occur,
- block the communication without notifying the source,
- block the communication and notify the source,
- require the user to provide valid authentication information (e.g., user ID and password, smart token or biometric data) before allowing the communication,
- set up a Virtual Private Network (VPN) to encrypt the communication session between the source and the firewall.
Other things firewalls can do
Anti-Spoofing - Detecting when the source of the network traffic is being "spoofed", i.e., when an individual attempting to access a blocked service forges the source address in the message so that it appears to come from a source the rules allow.
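The rule-matching and action passages above (source, destination and service compared against each rule in sequence, first match wins, nothing after the match is examined) and the anti-spoofing check just described are illustrated below in a small Python rule engine. This is an added example, not code from the original article or from any firewall vendor; the service table, interface names, address ranges and rule names are constructed for illustration, and "implicit-default" is a label chosen here for the deny that applies when no rule matches.

```python
"""Added example (not from the original article): a minimal first-match
firewall rule engine with an ingress anti-spoofing check.  All addresses,
rule names, interface names and services are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service names mapped to (protocol, destination port); constructed table.
SERVICES = {
    "web":   ("tcp", 80),
    "https": ("tcp", 443),
    "mail":  ("tcp", 25),
    "ftp":   ("tcp", 21),
    "ssh":   ("tcp", 22),
    "dns":   ("udp", 53),
}

# Address ranges that legitimately sit behind each firewall interface
# (constructed topology).  The "outside" interface carries everything else.
INTERFACE_NETWORKS = {
    "inside": [ip_network("10.0.0.0/8")],
    "dmz":    [ip_network("172.16.0.0/24")],
}

@dataclass
class Rule:
    name: str
    sources: list        # CIDR strings; "any" matches every address
    destinations: list
    services: list       # names from SERVICES, or "any"
    action: str          # allow | drop | reject | authenticate | vpn

@dataclass
class Request:
    src: str
    dst: str
    proto: str
    port: int
    ingress: str = "inside"   # interface the request arrived on

def is_spoofed(req):
    """Anti-spoofing: a source address belonging to an internal range must
    arrive on that range's interface.  The same address seen on any other
    interface (e.g. 'outside') is treated as spoofed."""
    addr = ip_address(req.src)
    for iface, nets in INTERFACE_NETWORKS.items():
        if any(addr in n for n in nets):
            return iface != req.ingress
    return False   # external address: no interface claim to verify

def _addr_in(addr, cidrs):
    return "any" in cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)

def _service_in(req, names):
    return "any" in names or any(SERVICES[n] == (req.proto, req.port) for n in names)

def evaluate(rules, req, default="drop"):
    """Return (rule_name, action).  Spoofed sources are dropped before any
    rule is consulted; otherwise the first rule whose source, destination and
    service lists all match decides, and later rules are never examined.
    If nothing matches, the implicit default (deny) applies."""
    if is_spoofed(req):
        return "anti-spoofing", "drop"
    for rule in rules:
        if (_addr_in(req.src, rule.sources)
                and _addr_in(req.dst, rule.destinations)
                and _service_in(req, rule.services)):
            return rule.name, rule.action
    return "implicit-default", default

# Constructed ruleset for an interior firewall in front of a server subnet.
# Order matters: "admin-ssh" must precede "no-ssh" or admins would be rejected.
RULES = [
    Rule("admin-ssh",  ["10.1.5.0/24"], ["10.9.0.0/24"],  ["ssh"],          "authenticate"),
    Rule("campus-web", ["10.0.0.0/8"],  ["10.9.0.10/32"], ["web", "https"], "allow"),
    Rule("no-ssh",     ["any"],         ["10.9.0.0/24"],  ["ssh"],          "reject"),
    Rule("ftp-out",    ["10.9.0.0/24"], ["any"],          ["ftp"],          "allow"),
]

if __name__ == "__main__":
    for r in (Request("10.1.5.7", "10.9.0.20", "tcp", 22),
              Request("10.3.2.1", "10.9.0.20", "tcp", 22),
              Request("10.3.2.1", "10.9.0.10", "tcp", 443),
              Request("192.168.1.5", "10.9.0.10", "tcp", 80, ingress="outside"),
              Request("10.1.5.7", "10.9.0.20", "tcp", 22, ingress="outside")):
        print(r, "->", evaluate(RULES, r))
```

Swapping the order of "admin-ssh" and "no-ssh" in the ruleset changes the outcome for the administrator subnet from "authenticate" to "reject", which is the practical consequence of the first-match behaviour the text describes, and the reason rule order should be reviewed whenever a rule is added.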
Authentication - Firewall rules can be set up so that a communication session initiated by a computer to a specific target device over a specific port only proceeds if the user successfully logs into the firewall first. Typically, firewalls can support multiple authentication methods including locally-stored passwords, directory-based passwords, secure tokens, etc.
Network Address Translation (NAT) - Changing the network addresses of devices on any side of the firewall to hide their true addresses from devices on other sides. There are two ways NAT is performed:
- One-to-One - where each true address is translated to a unique translated address.
- Many-to-One - where all true addresses are translated to a single address, usually that of the firewall.
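The two NAT modes just listed, as an added Python example that is not code from the original article or from any vendor product. The one-to-one table keeps a fixed, unique translated address per true address; the many-to-one table gives every inside host the firewall's single address and uses the translated source port to tell sessions apart, so return traffic for a port no session created has no inside destination. The addresses and port range are constructed for illustration.

```python
"""Added example (not from the original article): the two NAT modes the
text describes.  Public addresses, inside hosts and the port pool are
constructed for illustration."""

class OneToOneNAT:
    """One-to-one (static) NAT: each true address maps to its own unique
    translated address, and the mapping is reversible for inbound traffic."""

    def __init__(self, mapping):
        self.out = dict(mapping)                       # true -> translated
        self.back = {v: k for k, v in self.out.items()}  # translated -> true
        if len(self.back) != len(self.out):
            raise ValueError("one-to-one NAT requires unique translated addresses")

    def outbound(self, src):
        # Hosts without a mapping pass with their true address unchanged.
        return self.out.get(src, src)

    def inbound(self, dst):
        return self.back.get(dst, dst)


class ManyToOneNAT:
    """Many-to-one NAT (port address translation): all true addresses share
    one public address, usually the firewall's own; a translated source port
    is allocated per session so replies can be routed back."""

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.table = {}      # (true_ip, true_port) -> public_port
        self.reverse = {}    # public_port -> (true_ip, true_port)

    def outbound(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:
            if self.next_port > self.last_port:
                raise RuntimeError("translation port pool exhausted")
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, dst_port):
        """Return (true_ip, true_port) for an established session, or None
        when no inside session owns the port: such traffic is dropped."""
        return self.reverse.get(dst_port)


if __name__ == "__main__":
    static = OneToOneNAT({"10.9.0.10": "198.51.100.10", "10.9.0.11": "198.51.100.11"})
    print(static.outbound("10.9.0.10"), static.inbound("198.51.100.11"))
    pat = ManyToOneNAT("198.51.100.1")
    print(pat.outbound("10.1.5.7", 51000), pat.outbound("10.1.5.8", 51000))
    print(pat.inbound(40001), pat.inbound(40002))
```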
Virtual Private Networks - VPNs are communications sessions traversing public networks that have been made virtually private through the use of encryption technology. VPN sessions are defined by creating a firewall rule that requires encryption for any session that meets specific criteria, i.e., the communications session is initiated by one of the computers listed as a "source", is destined for one of the computers listed as a "destination", and the requested connection is to one of the destination ports specified. Note - The session is only encrypted between the initiating computer and the firewall. The session is not encrypted between the firewall and the target system.
To establish a VPN, the firewall and the client device must be prepared to use the same encryption technology, e.g., proprietary or standards-based. Typically, firewall-based encryption requires user authentication before the session may proceed.
Are firewalls really necessary?
A combination of devices and software services can cover many firewall functions
- Routers, already on the network, can also block traffic based upon source, destination and requested service.
- Anti-spoofing and network address translation can also be performed by routers.
- Servers can be configured to shut down unnecessary services or to screen out specific sources to specific services.
- If server and workstation software is updated with the latest security patches as soon as they are released, the risk of an attack being successful is reduced.
But a firewall does it all in a consistent, comprehensive package
- Since a firewall passes traffic to/from many devices, and since firewall software usually provides easy-to-use management tools, setting (and resetting) rules and monitoring network traffic for a wide range of devices is a fairly simple process. Managing a large number of independent devices and remembering to reapply rules after a device is rebuilt can be far more complex.
- Being an independent device, a firewall can be helpful in preventing attacks launched from a compromised server from reaching their targets.
- A firewall can protect devices that are running unused, vulnerable services that may be unknown to the device's primary user.
- A firewall can provide centralized virtual private network (VPN) services for many devices.
Summing it up...
When protecting sensitive data, the simple, straightforward and consistent management of network controls that firewalls provide gives them an advantage over the cobbling together of solutions involving devices that primarily serve other functions. Thus, a firewall should always be considered the preferred solution for limiting access to devices housing sensitive systems and data.