Back in the early days of corporate networking, IT departments typically deployed firewalls to keep employees from accessing non-work related content, like social media sites. While content filtering remains part of a firewall’s job, it’s no longer the primary reason for using one. In today’s connected world, firewalls are fundamental to network security. Further, today’s firewall solutions have evolved to respond to companies’ changing needs, enabling organizations to micro-segment networks and protect web-applications.
As part of a robust data protection program, you need to choose the right tools that help you implement some firewall/network security best practices.
What is a firewall?
A firewall is a network security device deployed as hardware or software that defends against external threats by monitoring and controlling network traffic, allowing authorized traffic while blocking unauthorized access and malicious traffic. To create a barrier between internal and external networks, firewalls apply a set of security rules to all inbound and outbound traffic to determine whether access should be allowed or denied.
Firewalls fall into two general categories:
- Network-based: placed between the internal network and the internet
- Host-based: installed on individual machines or servers
Since each category has its unique strengths, many organizations use a combination of both.
When combined with services like unified threat management and antivirus, firewalls can provide robust protection against external threats.
Why are firewalls important?
A firewall’s primary purpose is to apply security rules and detect suspicious network activity to:
- Prevent unauthorized network access
- Protect against application layer attacks
- Provide granular control over access to sensitive data
- Enable data loss prevention (DLP) initiatives
- Detect and block Distributed Denial of Service (DDoS) attacks
How does a firewall work?
Firewalls work by monitoring the tiny data pieces called packets. As files travel across the network, they get broken up into smaller chunks so that they can move faster. The firewall applies predetermined security rules to the packets so that it can allow them to access or block them from your network.
Depending on the type of firewall, it may use one or more of these methods:
- Packet inspection: determining whether to allow or deny the packet
- Packet filtering: comparing packet to predetermined criteria, like incoming IP address or destination port
- Stateful inspection: monitoring the state of connections between devices on the network
- Deep packet inspection: analyzing the packet’s content for malware
Types of firewalls
The type of firewall is based on the way it analyzes the packets. Each firewall type has strengths and weaknesses, so understanding what they are and how they work enables you to make the right choice for your organization.
Some characteristics of these firewalls include:
- Easy configuration
- Packet headers inspection to allow or deny traffic based on predefined security rules that may include IP address, port, and protocol
- Router installation, although sometimes can be hardware or software-based deployment
- Vulnerability to attacks that exploit weaknesses in network protocols or use disguised traffic to bypass filters
These network security devices include the following characteristics:
- Intercepting and analyzing inbound and outbound traffic
- Enabling anonymity, traffic management, content filtering
- Blocking certain malicious traffic, like spam or malware
- Hiding the identity and IP addresses of internal devices
- Filtering content
These network security devices include the following characteristics:
- Easy to configure with graphic and command-line interfaces
- Examining packets and connections between devices to the network, prevent unauthorized users from connecting to network, limit malware spread
- Detecting and preventing malicious software and suspicious activity by analyzing the content
- Selectively allowing or blocking outbound network traffic
- Verifying incoming connections to block malicious traffic
- Incorporating services like antivirus and cloud management
Next-generation firewall (NGFW)
These network security devices combine traditional firewall capabilities with advanced security technologies, including characteristics like:
- Easy management with user-friendly interfaces and simplified policy configuration
- Visibility into network traffic, applications, and users to detect external and internal threats
- Deep packet inspection and intrusion prevention systems (IPS) to detect and prevent malware, viruses, and ransomware
- Policy creation that restricts access to sensitive information and applications
- Integrations with security tools like endpoint protection platforms (EPP) and Security Information and Event Management (SIEM) tools
Unified Threat Management (UTM)
By combining multiple security technologies into a single device, these cost-effective and scalable solutions usually include:
- Advanced threat detection by incorporating antivirus software, IPS, spam filtering, and content filtering to protect against malware, viruses, spyware, and phishing attacks
- Simplified management with a single device for multiple security functions
- Policy creation that restricts application and resource access
At the application level, you can choose between:
- Application-level gateways
- Application-specific proxies
- Application-level filtering
While each of these analyzes traffic in a different way or from a different network location, they all include the following characteristics:
- Centralized management for easier updating, maintenance, and troubleshooting
- Analyzing traffic at the application layer to block malicious content and unauthorized access
- Setting rules and policies to allow or restrict access to specific applications or services
- Intercepting an inspecting incoming traffic before passing it to the application or service
- Spreading traffic across multiple servers to ensure consistent performance
Specifically designed to protect virtualized environments, these software-based firewalls run on servers and integrate with the virtualization platform. Some characteristics include:
- Monitoring and controlling traffic between virtual machines (VMs)
- Easy to deploy and manage in large-scale virtualized environments
- Using the virtualization platform to eliminate the need for dedicated hardware
- Security policy creation based on the virtualized environment’s unique requirements
Best practices for configuring firewall/network security
When deploying firewalls to protect network security, you might feel overwhelmed, especially if you’re using more than one type of firewall. However, by following these best practices you can implement security and monitor your controls effectively.
1. Plan deployment
Since firewalls define network boundaries, your business needs should drive the definitions of network zones. To prevent firewalls from being a single point of failure, deploy them in a high availability (HA) cluster.
2. Harden and secure the firewall
To mitigate risks arising from vulnerabilities, apply security updates to the firewall’s operating system prior to deployment. Additionally, you should change all default passwords and configurations.
3. Block traffic by default
By blocking all unknown traffic by default then adding access back on a case-by-case basis, you mitigate human error risks, like missing vulnerabilities that threat actors can exploit.
4. Use the principle of least privilege
When configuring the firewall, you should give users the least amount of access necessary that allows them to still complete their job function. This includes security rules and policies that apply to networks and applications.
5. Secure admin accounts
Set strong firewall admin passwords and require multi-factor authentication prior to granting access.
6. Restrict zone access
Configure policies to restrict traffic flows across defined network boundaries to allow only legitimate traffic flows as defined by business needs.
7. Define source IP address
To prevent anyone from accessing the corporate network, limit the IP addresses whose traffic can connect to it.
8. Designate destination ports
Establish firewall configurations that define specific destination ports for connected services so you can limit connections to authorized accounts only, mitigating Distributed Denial of Service (DDoS) attack risks.
9. Designate IP address destinations
Limit access to specific IP addresses to prevent unauthorized traffic to mitigate DDoS attack risks.
10. Know necessary firewall ports
Identify and open the ports that users need to access services and data based on the organization’s servers and databases.
11. Map policies to compliance
Review configurations and policies to ensure that they align with the organization’s compliance requirements.
12. Test rules and policies
With regular rule and policy testing, you can find issues that impede user access by blocking legitimate traffic or configuration mistakes that allow malicious traffic.
13. Audit firewall software regularly
Review the firewall’s configuration, rules, and logs to ensure that software is up-to-date, everything is appropriately documented, and no suspicious activity is identified.
14. Centralize monitoring
With all firewall and network security monitoring in one location, you can enrich data for better visibility across both operations and security. For example, correlating firewall logs with identity and access management (IAM) tool logs enables more robust suspicious activity detection and faster investigation times.
Graylog: Enhanced Visibility for Security and Operations
With Graylog, IT and security teams can combine, enrich, correlate, query, and visualize all log data, including firewall logs, in a single location. Graylog offers pre-built dashboards and content for most major firewalls so you can get immediate value from your logs. With our high-fidelity alerts and lightning-fast search capabilities, you can increase productivity while reducing risk.