A firewall is a security device that controls the flow of traffic across a network. A firewall may be a hardware appliance, or it may be a piece of software that runs on a third-party operating system. Firewalls operate based on a set of pre-defined, as well as customizable security rules that inspect network traffic to block or permit access to a network.
Oftentimes, a firewall is logically positioned between a private and a public network, acting as both the first and last line of defense in a network. In a large enterprise, it is common to see separate firewalls within the network architecture, each serving different functions depending on the security level of a particular department. Firewalls are typically used to protect against malware and network-based threats. Modern firewalls can also monitor and alert for suspicious network activities, administer access controls, and protect databases and applications.
Types of firewalls
Organizations must diligently identify and choose the appropriate firewall type that aligns with their network requirements. Organizations may need more than one type of firewall to better secure their systems.
- Packet filtering firewall – Operates at the network layer of the OSI model. A cost-effective and simple firewall that examines each incoming and outgoing packet for the source and destination IP address, port number, and protocol. A packet-filtering firewall cannot detect malware since it doesn't analyze the packet's contents; because it trusts header fields alone, it is also susceptible to IP spoofing. This firewall is best suited for small networks with fewer security requirements.
- Circuit-level gateway – This firewall monitors Transmission Control Protocol (TCP) connections and active sessions based on preset rules. It does not inspect packets and is best used with other types of firewalls for protection against malware.
- Application-level gateway/proxy firewall – This firewall acts as a mediator between two end systems, assessing incoming requests against a set of security rules and deciding whether to permit or block them. It monitors traffic for Layer 7 protocols such as HTTP and FTP and uses stateful and deep packet inspection to detect malicious traffic before passing through the proxy. An application-level gateway provides optimum protection against web application threats, blocks access to harmful sites and helps prevent direct contact with external clients, thereby mitigating the risk of data leakages.
- Stateful inspection firewall – This firewall operates at the transport layer of the OSI model. It maintains a state table that monitors the status of every active connection. It also inspects packet headers and payloads. This firewall offers a high degree of security and control but affects the speed of network communications.
- Next-generation firewall (NGFW) – NGFWs offer robust threat protection capabilities, including Intrusion Prevention, Deep Packet Inspection (DPI), user and application identification, and sandboxing for analyzing zero-day exploits and Advanced Persistent Threats (APTs). This firewall is expensive, resource intensive, and complex compared to traditional firewalls.
How to set up your firewall
Configuring your firewall securely and optimally is paramount to ensure its effective and efficient operation and to avoid threat actors gaining control over protected internal networks and resources. Cisco recommends following these six simple steps to safely and securely configure your firewall, ensuring network protection.
- Secure the firewall – Before proceeding to add new rules, make sure that the security of the firewall is ensured by implementing the following essential configurations: Update the firewall to the latest recommended firmware. Delete/rename default user accounts and change default passwords to complex passwords. Limit users who have administrative privileges to the device.
- Establish firewall zones and IP address structures – Identify your network's assets and group them into network zones based on their criticality or functional importance. For example, assign email, web, and VPN servers to a Demilitarized Zone (DMZ) that limits inbound traffic. Create a corresponding IP address scheme for the created zones and assign them to your firewall interfaces and sub-interfaces. For networks using IP version 4, employ internal, non-routable IP addresses for private networks (according to RFC 1918), and configure Network Address Translation (NAT) to facilitate communication between internal devices and the internet.
- Configure Access Control Lists (ACLs) – ACLs are firewall rules determining which selected traffic is allowed to traverse the organization’s network zones. They are applied to each firewall interface and subinterfaces, comprising inbound ACLs to control incoming traffic and outbound ACLs to manage outgoing traffic in the network zones effectively. The created ACLs should be as specific as possible, specifying the exact source and/or destination IP addresses and port numbers.
- Configure other firewall services and logging – Configure firewalls to support additional services like Dynamic Host Configuration Protocol (DHCP), Intrusion Prevention, and Network Time Protocol (NTP). Disable unnecessary services. Also, if applicable, ensure firewalls report to a logging service to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.
- Test the firewall configuration – Verify that the firewall configuration is working as intended; the tests can also include vulnerability scanning and penetration testing. Keep a secure backup of the configuration in case of failure.
- Firewall management – After configuring and launching your firewall, regular maintenance is crucial for optimal performance. Remember to update firmware, perform log reviews, conduct vulnerability scans, and review configuration rules at least every six months or whenever any baseline changes are made to the infrastructure.
Best practices for a secure network firewall
- Secure the base configuration – Configure the firewall to block all traffic by default, permitting only specific known services and protocols on specific ports. This is known as the "drop all" rule and is positioned as the final rule in every firewall rule set. This approach enhances network security, preventing unauthorized access and potential breaches.
- Implement least privilege access to users – Secure network firewall access for authorized users only by limiting their accounts to access necessary files and tools relevant to their role.
- Perform regular firewall audits – Regular audits help ensure firewall compliance and security. By combining best practices with these audits, you achieve a compliant and secure configuration. Conduct the audit by collecting relevant data, ensuring compliance with access policies, and monitoring firewall logs for potential threats. Review and update firewall rules as needed.
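As an added example (not from the article or from Tripwire), the following Python script audits a constructed zone and ACL policy against the points raised in the setup steps and best practices above: internal zones should use RFC 1918 address space, permit rules should name a specific destination and port, and the rule set should end with a drop-all entry. The policy format, zone names and addresses are assumptions made for illustration, not any vendor's syntax.

```python
"""Audit a simple zone/ACL policy for the checks described in the article (constructed format)."""
import ipaddress

# RFC 1918 private ranges that internal zones are expected to use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample policy: zones and an ordered ACL on one firewall interface.
ZONES = {"INSIDE": "10.10.0.0/16", "DMZ": "192.168.50.0/24", "GUEST": "203.0.113.0/24"}
ACL = [
    {"action": "permit", "src": "0.0.0.0/0", "dst": "192.168.50.10/32", "port": 443},  # public HTTPS to DMZ web
    {"action": "permit", "src": "10.10.0.0/16", "dst": "any", "port": "any"},          # overly broad
    {"action": "permit", "src": "10.10.5.0/24", "dst": "192.168.50.20/32", "port": 25},  # mail relay
    {"action": "deny", "src": "any", "dst": "any", "port": "any"},                      # drop-all
]


def is_any(field):
    """True when a rule field matches everything (wildcard or the zero network)."""
    return field == "any" or field == "0.0.0.0/0"


def check_zone_addressing(zones):
    """Return names of zones whose subnet is not inside RFC 1918 private space."""
    bad = []
    for name, cidr in zones.items():
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(private) for private in RFC1918):
            bad.append(name)
    return bad


def check_acl_specificity(acl):
    """Return indexes of permit rules that leave the destination or port unspecified."""
    return [i for i, r in enumerate(acl)
            if r["action"] == "permit" and (is_any(r["dst"]) or is_any(r["port"]))]


def has_final_drop_all(acl):
    """True when the last rule denies all sources, destinations and ports."""
    last = acl[-1]
    return last["action"] == "deny" and all(is_any(last[k]) for k in ("src", "dst", "port"))


def audit(zones, acl):
    """Run every check and return a list of human-readable findings (empty means clean)."""
    findings = [f"zone {z} does not use RFC 1918 address space" for z in check_zone_addressing(zones)]
    findings += [f"ACL rule {i} permits traffic with an unspecified destination or port"
                 for i in check_acl_specificity(acl)]
    if not has_final_drop_all(acl):
        findings.append("ACL does not end with a drop-all rule")
    return findings


if __name__ == "__main__":
    for finding in audit(ZONES, ACL):
        print("FINDING:", finding)
```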
Firewalls play a critical role in safeguarding networks from potential threats. Understanding types, proper configuration, and best practices will ensure robust cybersecurity. With a comprehensive and well-maintained firewall strategy, businesses can mitigate risks, safeguard sensitive data, and cultivate a resilient defense against ever-evolving cyber threats.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.