We use many different firewall technologies to secure our computers and networks. In this video, you’ll learn about host-based firewalls, network-based firewalls, application-aware security devices, SOHO firewalls, and unified threat management devices.
Let’s start our conversation about firewalls with a firewall that’s very close to us. And by that, I mean it’s physically close to us. It’s generally running on the computing device that we’re using. These are personal firewalls or host-based firewalls, and they are software that’s running on your system. Many host-based firewalls are included with the operating system.
They’re simply part of the OS that you’re using, although you can also purchase personal firewalls from many third parties. These host-based firewalls are able to stop unauthorized traffic because they understand what the state of communication is to other devices. We call these stateful firewalls because of that. When you talk to another device, you’re coming from your IP address and a port number and communicating to an IP address and a port number on another device.
The firewall recognizes this and keeps track of all of the different connections you’ve made and over what port numbers. If any traffic comes into your device that is not on this list, it’s not part of the current state, then that information is automatically dropped by the firewall. Since these host-based firewalls are running on our operating system, they’re aware of what applications you’re using. And so they can also be configured to allow or disallow certain applications from communicating through your system.
A very common host-based firewall is the Windows Firewall, and it can filter by application, by port number, by IP address, and by many other tuples as well. Here are some screenshots from the Windows Firewall. You’ve got a main screen that allows you to turn the Windows Firewall on or off. There are also exceptions that you can create. If a certain program should be operating through the firewall but it’s not working for some reason, you can allow or block it by the program name itself, because the firewall is application aware.
You can define a TCP or UDP port number and then tell the firewall to either allow or deny that traffic passing through this firewall. We might also have firewalls on our network that are outside of our operating system and connected to our network infrastructure itself. These are network-based firewalls, and they are designed to filter information based on OSI layer four, that is, the TCP or UDP port numbers going through your network. Some firewalls are also application-aware.
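To make the stateful, application-aware host firewall described above concrete, here is an added illustration (not code from the video): outbound traffic is checked against an allow-by-program rule and recorded as a flow, and inbound packets are admitted only if they are the reverse of a recorded flow or match an explicit port exception. The addresses, ports and program names are constructed.

```python
# Added illustration of a stateful, application-aware host firewall.
# Not code from the video; the IPs, ports and program names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    app: str = ""   # owning program; only known for locally originated traffic


class StatefulHostFirewall:
    def __init__(self, allowed_apps, inbound_exceptions=()):
        self.allowed_apps = set(allowed_apps)              # "allow by program name"
        self.inbound_exceptions = set(inbound_exceptions)  # (proto, local port) openings
        self.state = set()  # flows this host started: (local ip, local port, remote ip, remote port, proto)

    def outbound(self, pkt):
        """Locally originated packet: apply the application rule, then remember the flow."""
        if pkt.app not in self.allowed_apps:
            return "DROP: application not allowed"
        self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return "ALLOW"

    def inbound(self, pkt):
        """Packet from the network: admit only replies to known flows or explicit port exceptions."""
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.state:
            return "ALLOW: established"
        if (pkt.proto, pkt.dst_port) in self.inbound_exceptions:
            return "ALLOW: exception"
        return "DROP: no matching state"


def demo():
    """Walk a browser flow and an unsolicited probe through the firewall; returns the decisions."""
    fw = StatefulHostFirewall(allowed_apps={"browser"}, inbound_exceptions={("tcp", 22)})
    me, web, stranger = "192.0.2.10", "198.51.100.20", "203.0.113.7"  # constructed addresses
    return [
        fw.outbound(Packet(me, 51000, web, 443, "tcp", app="browser")),      # opens state
        fw.inbound(Packet(web, 443, me, 51000, "tcp")),                      # reply matches state
        fw.inbound(Packet(web, 443, me, 51001, "tcp")),                      # wrong port, no state
        fw.inbound(Packet(stranger, 40000, me, 22, "tcp")),                  # explicit port exception
        fw.outbound(Packet(me, 52000, stranger, 80, "tcp", app="unknown")),  # blocked by app rule
        fw.inbound(Packet(stranger, 80, me, 52000, "tcp")),                  # blocked outbound left no state
    ]
```

Note that a real host firewall also ages entries out of the state table and tracks TCP handshake state; this toy version keeps flows forever.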
They know what type of applications are going across the wire and they can allow or disallow access based on the application data itself. Many firewalls also have VPN tunneling capabilities built in where you can connect different sites up by their firewalls and encrypt all of the information between the firewalls. That way if you need to communicate to a site that’s across the internet, you can send encrypted data over the public internet and decrypt it on the firewall so that it can be used inside of your organization.
Some firewalls are configured as proxies, where you make a request to the firewall and then the firewall makes its own request on your behalf to the internet. It then examines the results that it gets back, and if there’s no malware or anything dangerous inside of that response, it sends that response down to you. So it acts as the middleman, or the proxy, for all of your network communication. Many firewalls are also configured as layer 3 devices, so they’ll provide routing functionality between the inside of our network and the outside of our network.
This is a good way to have a central device that sits between you and the internet and provides routing, network address translation, and security. Today’s modern firewalls are application-aware. They know everything about the data that’s flowing through the network. You may see these referred to as application layer gateways, stateful multilayer inspection devices, deep packet inspection, or next-generation firewalls. What they’re doing, effectively, is decoding every bit of traffic that’s passing through the connection.
It’s looking and analyzing, understanding exactly the type of application that’s flowing through, and then making a security decision about whether that application is allowed or denied through the network. Because your firewall is now application-aware, it can make decisions not just on port number, but on the application. Or, in some cases, the way the application is working. You might allow or disallow Microsoft SQL Server or Twitter, or YouTube, or even subsets of that application. For example, you may be able to view Twitter but not post to Twitter because your application-aware firewall knows exactly the differences between those two.
Many of today’s firewalls also include some type of intrusion prevention system as well. And having that application-aware visibility can even hone its signature detection down to very specific application vulnerabilities. And as we mentioned before, our host-based firewalls already know what applications you’re using, so you can set some very granular controls inside of a host-based firewall. In your small office or home office you probably also have a firewall, but these firewalls are usually smaller devices that don’t have the same throughput requirements as the larger devices in your enterprise.
But they are still providing you with a number of valuable security functions. They can be a wireless access point, and they’ll provide the routing for your connection. They’ll of course be firewalling all of this data. And there might also be enhanced content filters inside of these devices as well. What you may not get with these firewalls are things like dynamic routing protocol support or the ability to access the device remotely.
These are more advanced capabilities that you would find in an enterprise firewall but may not be available in the smaller home office or small office firewalls. These days we try to put a lot of functionality into single devices, and you may find that these all-in-one security appliances can provide just that. You may hear these referred to as UTM devices, or unified threat management. They might also be called web security gateways. And we try to put a lot of security functions in these devices.
Things like URL filtering or content filtering so that we can filter based on what’s inside of the content flowing through these devices. These might also have malware signatures, so they can stop malware as it’s flowing through the network before it even gets to your device. These often have spam filtering built into them as well, so they can stop anyone from spamming your particular inbox. These might also include wide area network connectivity so there might be a CSU/DSU built into this particular appliance.
These devices, of course, act as routers. Occasionally they’ll have many ports on them and you can switch between many of the ports on the device. There’s generally firewall functionality built into these.
Intrusion detection and intrusion prevention capabilities are an option. And these devices can often include a bandwidth shaper so you can prioritize different applications as they’re flowing through your firewall. And finally, these devices may act as a VPN endpoint. So you can send encrypted data out over the internet and decrypt it on both sides of these VPN endpoints.