Installing a firewall onto your network is “good network firewall security”, right? Let’s be clear, it’s not – it’s the start to good security. While installing a firewall is an important component of security in a network firewall security posture, there’s much more to the process than just dropping in a piece of hardware, or enabling some new software.
Let’s talk about the specifics of maintaining network firewall security, and how it enhances the overall health and safety of your network. We’ll also discuss how to monitor and maintain your network firewall via the network management console.
What is a network firewall?
In the early days of network security, perimeter security was most often the only network security an organization implemented, making it the primary point of failure or vulnerability.
When network firewalls were first introduced, they were hardware devices with just two interfaces: an outside and an inside. Their purpose was fairly straightforward: keep unwanted inbound traffic from entering a private network at the perimeter.
Today’s network firewalls are multifunctional, multi-interface devices with many different features and capabilities, with names like next-generation firewalls, UTMs, and application firewalls. Let’s look at some of the basic hardware and software components of a modern network firewall.
Simply defined, a network firewall is a stateful security device that monitors and either blocks or allows traffic onto a network based on a set of rules. Firewalls can be software, hardware, or a combination of both. It’s also able to perform network address translation (NAT). And one of the most important but most overlooked requirements of a basic firewall is that it must include extensive logging. Let’s take a look at a few of these features and terms:
- Stateful means the firewall keeps a table of every active session passing through it. If a device is allowed to make an outbound connection to a web site on the internet, the state table knows it should allow inbound packets back from the same site. After that session ends and the firewall is no longer expecting those inbound packets, it should block them.
- Access control lists or firewall rules are simple instructions that permit or deny traffic based on information in the packet headers. This information could include IP addresses, protocols, or port numbers.
- Network address translation is a protocol that allows you to hide internal private addresses from the internet. So when forwarding a packet out, the firewall needs to replace private addresses with public addresses that can be routed on the internet. Your goal might also be to have some internal resources publicly accessible, which again means we need to create a mapping rule that associates the internal resource with a public IP address.
- Logging is a little more subtle. A firewall should be capable of logging information about every successful session, but many times, we also want to log information about unsuccessful sessions through the firewall. We may also want information about all of the NAT translations and administrative activities done by or to the firewall. Ideally, this information should be sent to a central server so you can sort through it and look for interesting patterns that might indicate something bad is going on.
Another feature commonly found on basic firewalls is high availability. This involves having a second firewall configured to automatically take over in case the first one fails. To do this without dropping active sessions, it’s important that the secondary device have all state information about the sessions. In most cases, this failover mode is active-standby: the secondary device doesn’t pass packets until the primary device fails. Then it takes over all processing.
How does a firewall support network security
Network firewalls are the heart of any network security plan. It wouldn’t be possible to maintain network security without a well performing, and well configured, firewall. It’s the first point of contact with virtually all outside threats that your network will see. It hides details about your network and your traffic to protect you outside your LAN network.
Stops outside intrusions. Today’s network firewalls constantly filter and scan for network intrusions. They filter outside traffic continually looking for viruses, malformed packets, threat profiles, and signatures.
Filters excessive packets. Network firewalls filter your traffic for excessive amounts entering your network. This can protect from bot and denial of service attacks. When these packets are detected, you’ll be able to report specific attack vectors to your management console via the logging capability of your firewall.
Keeps your users out of trouble. Network firewalls can monitor inside traffic that’s outbound and ensure your users are not going to malicious or forbidden sites that will compromise security.
Monitors activity. Network firewalls can assist with the monitoring of network activity. This keeps track of overall traffic patterns and securely gives your network management console access.
Translates network addresses. Network firewalls are the primary point in your network where you translate network addresses from the private space to the public domain. Using the techniques of NAT (network address translation) and PAT (port address translation).
Protects networks from networks. Sounds strange? Another function of a firewall is to protect network segments inside of your network from each other as well. There may be times where you notice networks within your organization experiencing traffic anomalies or security vulnerabilities you need to control. Or, you have specific security zones that need to be segmented. If these networks need to be walled off for additional security, firewalls give you the ability to perform this task easily.
Performs deep packet inspection. One of the advanced features of network firewalls is the ability to perform deep packet inspection. This is the ability to capture packets and look deep into the encapsulated data to determine if there are any hidden threats. If there are, the firewall can also decide what to do: report them, filter them, or send them to a specific location.
Best practices to maintain firewall security
Remember: Just buying and installing a network firewall is not enough. It must be installed and configured properly, and it must be maintained continuously to keep it secure.
Let’s talk about some great practices you can start following to keep your firewall running in top condition.
Plan for your security policies. You need to start by planning for everything you’d like out of your network firewall. Do you want it just to protect your perimeter, or to protect other segments? Are you going to have a DMZ? What about NAT? Is your firewall going to manage your entire network or part of it? How about redundancy? These are all considerations you should account for from the moment you begin planning.
Start from zero. Most network firewalls work on a policy basis: You create secure zones with your interfaces, then apply policies to those zones as to what traffic can flow in and out of them. A good strategy, therefore, is to start by creating your zones, with the default state that no traffic will communicate between zones. Then add in the policies that allow specific traffic and ports that need to be available for proper communication. When you’re able to map out your network, you’ll be able to identify these security zones and then apply the policies to allow traffic between them.
Identify the traffic types. There are certain types of traffic that you’ll just never need. If this is the case, make sure it’s filtered out or blocked by default (or as the result of another more general policy). Hackers are always looking to exploit these vulnerabilities and oversights.
Monitor and document traffic types. Using your network management console, monitor and identify traffic types and traffic patterns. Document the results, so you fully understand what traffic types you have, and who needs what resources.
Do you use video traffic inbound? If so, what subnets or VLANs do they need to reach? What about encrypted traffic? Encrypted traffic entering your network may not be seen by your firewall without TLS decryption, or advanced network traffic analysis from your network monitoring platform. You may need to account for this.
Apply policies. Once you’ve identified all your traffic types, you should have an idea of the security policies and procedures you want to implement. Now you need to apply these policies to your firewall. This is where you actually start blocking and filtering traffic. Be very careful. Add your new policies in an iterative manner (one at a time!). And do it during accepted outage windows. You can accidentally (and easily) start blocking desirable traffic and create problems in your network. Adding policies one at a time will allow you to see right away if you introduce a networking problem.
Test your firewall. Once you’ve implemented them and they are installed, be ready to test them for both traffic flow and effectiveness. This is another place where your network management console will help you, making sure all traffic heading where it’s supposed to, and all unwanted traffic is being filtered or flagged.
Don’t forget about logging. You should be generating extensive logs, and those logs should be forwarded to your network management console so you can detect security violations or threats. You should be intentionally trying to send suspect traffic to see if it’s being blocked or flagged. Can you see this traffic getting logged? Are your alert thresholds set to the correct level that there aren’t too many false positives? You may even want to do some penetration testing, where working with an outside testing company can be a tremendous benefit.
===
A great firewall is only as good as the network management console it reports to. Ready to try Auvik? Get your free 14-day Auvik trial here.