WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
The network firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.
Firewall protection has come a long way in recent years. In addition to monitoring internet traffic, the latest network firewall security products incorporate a wide range of additional features.
"The latest firewalls can neutralize an attacker's ability to use stolen credentials for lateral movement and network compromise," said Navneet Singh, product marketing director at Palo Alto Networks. "This is done by enforcing multi-factor authentication at the network layer."
What is a network firewall?
The intention behind network firewalls is that they filter internet transmissions so that only traffic that belongs is allowed into an organization. Decisions are based on pre-set rules or policies. Like many areas of technology, firewalls have evolved greatly over time and are more sophisticated in terms of efficacy as well as flexibility of deployment. For example, they have developed the ability to be deployed in completely virtual environments to protect data transferred to and from the cloud or to protect remote branches. "Firewalls have also greatly improved their ability to integrate threat defense and intelligence to protect against a range of threats including botnets, command and control servers, advanced persistent threats (APTs) and zero-day threats," said Mihir Maniar, vice president of Security Business and Strategy at Juniper Networks.
Types of network firewalls
The foundation of IP communications is still based on a variety of factors, such as source, destination, IP addresses, protocols and ports and URLs, so packet filtering remains at the core of firewall defense and is the best first line of defense for an organization's network.
Essentially, a network firewall analyzes traffic to determine if the packets can enter an internal network based on source, destination, ports and protocols. Initially, this was done with static filtering that inspected only packet headers, said Maniar. Soon, hackers figured out that all they had to do was change the packet header information to something expected and their illicit traffic would pass. As a response, stateful or dynamic packet inspection was created. That looks at incoming and outgoing communication packets over a time period. Outgoing packets look for a specific type of incoming packet. Those incoming packets are monitored and only the ones with the right correspondence are allowed to pass. Some types of firewall protection can also provide unified threat management (UTM) functions with outgoing traffic such as secure web gateways to prevent command and control (C&C) traffic.
Singh lists the main types of firewalls as:
- Packet filtering firewalls: An early type of firewall security that relied on packet characteristics like source and destination IP address, port and protocol of individual packets to determine if the packet should be allowed through or dropped.
- Stateful inspection firewalls: This form of firewall protection added the capability to look at packets that belong to one complete session. Once a session is established, the source and destination are allowed to communicate without the need to look at subsequent packets in that session.
- Application layer firewalls: These network security firewalls examine packet-level information and application-layer information such as the URL of the HTTP request.
- Next-generation firewalls: The latest firewall technology adds so many capabilities that it merits its own section below.
Gartner defines a next-generation firewall (NGFW) as a deep-packet inspection tool that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention and intelligence from outside the firewall. This is not to be confused with a network intrusion prevention system (IPS), which typically includes either a basic commodity firewall or consists of an appliance containing a poorly integrated firewall and IPS.
Some next-generation firewalls can perform full-packet inspection on encrypted traffic. Additionally, they can apply application-specific and user-specific security policies. This helps protect against threats, manages how network bandwidth is allocated and maintains appropriate access controls. Some NGFWs may also prevent malware from getting into the network. "Advanced firewalls can detect intrusion attempts, user identity and application control, in addition to simply identifying unauthorized traffic access," said Maniar.
Next-generation firewalls, then, are regular network firewalls that have additional capabilities that allow them to do more than static filtering of traffic. They inspect at the application layer and can do SSL traffic inspection, intrusion and other prevention techniques. They can be deployed at the perimeter, inside the network as core firewalls to segment traffic, and also within a host to protect virtual workloads.
But network security firewalls, no matter how advanced or next-gen, won't stop everything. They generally don't detect and stop threats that have entered a network via social engineering, insider threats, email or Bring Your Own Device (BYOD). Other security tools are required to take care of that side of the equation.
Yet some vendors have begun to integrate these features into their firewall products. Whether these tools can validly be termed "firewalls" is a matter of debate. But the reality is that the combination of traditional firewall technology with the latest security techniques provides a formidable obstacle for cyber criminals.
Network firewall hardware and software
Firewalls were originally hardware-based before software-based firewalls arrived on the scene. Some vendors insist software firewalls can now perform and scale similarly to their hardware-native counterparts for most use cases. They concede that the only real exceptions may be the largest and most demanding environments may require a heavy duty hardware firewall.
Others say that software firewalls are only for home users and personal devices. Hardware firewalls, on the other hand, can protect the entire network, whether it is the home network, a small branch, an enterprise or a large service provider.
Klaus Gheri, vice president and general manager of Network Security at Barracuda, has another take. He said organizations today rely on cloud-based applications like Microsoft Office 365 and Salesforce, or infrastructures like Amazon Web Services or Microsoft Azure. Firewalls need to enable access to cloud applications and have the flexibility to be deployed in public cloud environments. Next-generation firewalls, he said, need to combine a full security feature set with capabilities like load balancing, traffic optimization, uplink bonding and cloud access optimization from branch offices.
"Businesses today may need to deploy next-generation firewalls at every office or remote site, yet have the ability to manage them all from a central interface," said Gheri. "Today's networks and business assets are much more dispersed, so the firewalls that protect them need to reflect that through extended secure connectivity capabilities."
The common denominator of all these viewpoints is that the firewall of today is quite different from those of a decade ago. How different, though, depends on the vendor's technology emphasis. The various software and hardware camps make liberal use of terminology such as virtual firewall and virtual appliances. Thus virtualization has blurred the lines between what were once quite distinct software- and hardware-based firewalls.
Next-generation firewall solutions
Gartner analyst Adam Hils said next-generation vendors can be differentiated based on feature strengths. Each has their own take on what next generation means.
"Buyers must consider the trade-offs between best-of-breed function and costs," said Hils.
Gartner added that less than 50% of enterprise internet connections today are secured using next-generation firewalls. By year-end 2019, however, this is expected to rise to 90% of the installed base. Understandably, there are many vendors seeking to exploit this surge in the firewall market. Here are a few of the candidates which fared well in the most recent Gartner next-generation firewall Magic Quadrant.
Juniper Networks offers a portfolio of network firewalls that can service mid-size enterprises, large enterprises, service providers in a private or public cloud, and hybrid environments. Juniper's Software-Defined Secure Network (SDSN) runs the JUNOS operating system, which provides uniform administration across its hardware-based and software firewalls.
Palo Alto Networks claims that some firewalls masquerade as next-generation firewalls by tacking deep inspection modules onto traditional port- and protocol-based architectures. It characterizes its own offering as true a NGFW that natively classifies all traffic based on applications, users and content.
Barracuda Networks NextGen Firewalls allow users to regulate application usage and prioritize network traffic with features like link balancing and WAN optimization. They can be deployed in cloud, virtual, and on-premises scenarios. This includes small remote offices, a single desktop, or a large campus. They can defend against: intrusion attempts and exploit patterns at the network layer; unauthorized access control attempts; DoS and DDoS attacks; malware such as viruses, worms and Trojans; and advanced threats such as backdoor attacks or covert phone home activity from botnets, as well as blocking access to unwanted websites and servers via web filtering, said Gheri.
Check Point Software's firewall gateway can be augmented via subscriptions to provide advanced malware protection and multiple threat intelligence feeds. Its firewall can support public clouds such as Amazon Web Services and Microsoft Azure. It also integrates with VMware NSX and Cisco Application Centric Infrastructure.
Cisco is one of the giants of the networking space, but it has also been steadily advancing its security capabilities. Its Adaptive Security Appliance (ASA) with FirePOWER services offers Sourcefire IPS, malware protection and application control.
SonicWALL has a range of firewall-related products for small offices and branches, midmarket and larger enterprises, and provides integration with wireless access points, WAN optimization products and switches.
Forcepoint unifies various elements such as Websense and Raytheon Cyber Products with McAfee's Stonesoft NGFW and threat intelligence data. The firewall product can scale up to 120 Gbps, and has a virtualized version.
Fortinet's FortiGate product is used as a firewall for service providers, enterprises and SMBs. Its firewall appliances are said to accelerate packet processing.
These are just a few of the products available. But there are many others to choose from.
The latest firewalls contain a wealth of security features. Depending on the vendor, next-generation firewalls may also incorporate services such as data loss protection, threat intelligence, malware detection, DDoS defense and more. That said, no one vendor is going to offer a firewall that comes with every single zone of necessary security technology. So add them by all means. Take advantage of their enhanced capabilities. But don't neglect other areas of enterprise security.
"Network firewalls (or virtual network firewalls in the cloud) are critical in providing perimeter security," said Dave Ginsburg, vice president of worldwide marketing at Cavirin. "But they are only part of an overall security posture that includes perimeter, network, endpoint, application, and data security as well as policy management and operations. Once the bad guys get in, and they will, other parts of the security infrastructure must come into play."