
Firewalls Great Network Security Devices but Not a Silver Bullet Solution

Last reviewed: May 13, 2012
Abstract

This paper presents a review of the relevant scholarly and peer-reviewed literature concerning firewalls to provide a working definition, a description of their capabilities, and an overview of the technologies typically involved. A discussion of the different types of firewalls that are available and their respective pros and cons is followed by an assessment of the proactive measures that can be taken to harden a firewall. Finally, an analysis of future trends is followed by a summary of the research and its important findings in the conclusion.

Firewalls: Great Network Security Devices, but Not a "Silver Bullet" Solution

In construction, a firewall is a hardened divider between the hostile external environment outside and what needs to be protected inside. Similarly, firewalls are designed to protect computers from being accessed by unauthorized individuals, and for the most part, they perform this task well. Unfortunately, firewalls are also akin to the castles of old when siege weapons were built to defeat the highest walls. As the siege weapons became more powerful, the defenders were forced to build the walls yet higher and install moats and other protective measures. Similarly, today, hackers and so-called crackers are always trying to overcome security devices for profit, pleasure or for more nefarious purposes such as denial of service attacks by terrorist organizations. To gain some fresh insights in this area, this paper presents a review of the relevant scholarly and peer-reviewed literature concerning firewalls to provide a working definition, a description of their capabilities and what technologies are typically involved. A discussion concerning the different types of firewalls that are available and their respective pros and cons is followed by an assessment of what proactive measures can be taken to harden a firewall. Finally, an analysis of future trends is followed by a summary of the research and important findings in the conclusion.

Review and Analysis

What are firewalls and their capabilities?

The definition provided by Blair (2009) states simply that firewalls are "single devices used to enforce security policies within a network or between networks by controlling traffic flows" (para. 1). Prior to the introduction of Web 2.0, most firewalls operated in an "allow-don't allow" environment (Hua, 2011). Following the introduction of Web 2.0 and a bewildering array of mobile devices, providing adequate firewall protection became more complicated (Hua, 2011). Firewalls basically operate by blocking attacks; by contrast, so-called intrusion detection systems (IDSs) operate by identifying attacks when they actually take place (Sequeira, 2003). According to this authority, "Such techniques are crucial to network security, but have limitations. A firewall can stop attacks by blocking certain port numbers, but it does little to analyze traffic that uses allowed port numbers. IDSs can monitor and analyze traffic that passes through open ports, but do not prevent attacks" (Sequeira, 2003, p. 36).

Technologies involved

Firewall technologies include (a) packet-filtering; (b) application/proxy; (c) reverse-proxy; and (d) packet inspection (see Table 1 below for the pros and cons of each).

Types of firewalls and pros and cons

The first issue many organizations face with respect to firewall protection is the decision whether to purchase firewalls outright or lease them from a vendor. Each approach offers some advantages, but both also carry disadvantages. For example, Andress (2003) reports that, "With a single-vendor solution, such as Cisco Systems or Check Point Software Technologies, you have to deal with only one vendor and might receive deeper discounts based on the amount of product you purchase" (p. 15). Other advantages of this approach include the need for network administrators to train on only one firewall version, which makes updates and configuration a straightforward task (Andress, 2003). The single-vendor approach, though, may not represent the optimal solution for some organizations. For instance, Andress cautions that, "The vendor's firewall might fit your environment perfectly, but its IDS might not have the features or capability your company needs. Additionally, the common features of same-vendor products might increase your security risks" (p. 15). In addition, the potential exists for a single-vendor firewall to fail in spectacular fashion, disabling the entire network until the vendor can render on-site assistance, a process that could require a great deal of time (Andress, 2003).

Once the decision to purchase or lease is made, the next step is selecting a firewall that is suitable to the needs of the organization. For this purpose, a wide range of firewalls is available, including those set forth in Table 1 below, which provides a brief description of each firewall type and its corresponding pros and cons.

Table 1

Types of Firewalls and Their Respective Pros and Cons

Packet-Filtering Firewalls

Pros: The primary advantage of this type of firewall is that it is found in virtually every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and so on may all have the capability of acting as a packet-filtering firewall.

Cons: The challenge with packet-filtering firewalls is that access control lists (ACLs) are static, and packet filtering has no visibility into the data portion of the IP packet.

Application/Proxy Firewalls

Pros: Because application/proxy firewalls act on behalf of a client, they provide an additional "buffer" from port scans, application attacks, and so on.

Cons: This type of firewall needs to know how to handle specific applications. Web-based applications are very common, but if an organization has an application that is unique, its proxy firewall may not be able to support it without significant modifications. In addition, application firewalls are generally much slower than packet-filtering or packet-inspection firewalls because they have to run applications, maintain state for both the client and the server, and also perform inspection of traffic.

Reverse-Proxy Firewalls

Pros: The function of a reverse-proxy server is very beneficial in distributing the processing load over multiple devices and in providing an additional layer of security between the client requesting information and the devices that contain the "real" data. Reverse-proxy firewalls aid in protecting and load balancing servers; they also provide a barrier between clients and critical applications through proxy services. Well-written proxy servers significantly reduce the risk of a security breach.

Cons: The same cons that apply to application/proxy firewalls apply to reverse-proxy firewalls, only to a much greater degree.

Packet Inspection

Pros: These types of firewalls are generally much faster than application firewalls because they are not required to host client applications. Most of the packet-inspection firewalls today also offer very good application or deep-packet inspection. This process allows the firewall to dig into the data portion of the packet and match on protocol compliance, scan for viruses, and so on, while still operating very quickly.

Cons: None cited.

Source: Adapted from Blair, 2009, para. 1-3
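To make the distinction in Table 1 concrete (and Sequeira's point above that a firewall "does little to analyze traffic that uses allowed port numbers"), here is an added Python example that is not from the paper or from Blair: a static, header-only ACL in the packet-filtering style is placed beside a payload check in the packet-inspection style. The packets, the ACL, and the HTTP/TLS protocol-compliance heuristics are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed packet: a header 5-tuple subset plus the data portion."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

# Static ACL in the packet-filtering style: (action, protocol, destination port).
# Evaluated top-down; the last entry is the default deny.
ACL = [
    ("allow", "tcp", 80),
    ("allow", "tcp", 443),
    ("deny", "any", None),
]

def packet_filter(pkt: Packet) -> str:
    """Header-only decision: the payload is never examined."""
    for action, proto, port in ACL:
        if (proto == "any" or proto == pkt.proto) and (port is None or port == pkt.dport):
            return action
    return "deny"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def protocol_compliant(pkt: Packet) -> bool:
    """Deep-packet heuristic: does the data portion look like the protocol expected on that port?"""
    if pkt.dport == 80:
        first_line = pkt.payload.split(b"\r\n", 1)[0]
        return pkt.payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line
    if pkt.dport == 443:
        # TLS record: content type 0x16 (handshake), major version byte 0x03
        return pkt.payload[:1] == b"\x16" and pkt.payload[1:2] == b"\x03"
    return True

def inspect(pkt: Packet) -> str:
    """Packet-inspection style: header ACL first, then protocol compliance on allowed traffic."""
    verdict = packet_filter(pkt)
    if verdict == "allow" and not protocol_compliant(pkt):
        return "deny: non-compliant payload on allowed port"
    return verdict

# Constructed sample traffic (not real captures).
SAMPLES = {
    "http": Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    "ssh": Packet("10.0.0.5", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # SSH banner sent to port 80: passes the static ACL, fails the payload check
    "tunnel": Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
}
```

Running both functions over SAMPLES["tunnel"] shows the gap in the table: packet_filter returns "allow" because port 80 is permitted, while inspect rejects it because the data portion is not HTTP.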

Proactive measures to harden a firewall

There are several measures that can be taken in advance of an attack on a computer system or network to harden firewalls for extra protection, including the following:

1. Install redundant firewalls to create a perimeter defense that constrains external access to only those services required for functionality;

2. Configure the operating system so that as many services and functions as possible are removed or disabled; and

3. Locate application servers in secure facilities to improve physical security (Andress, 2003).

In addition, Sequeira (2003) emphasizes that an intrusion detection system adds a further layer of security to existing computer systems or networks. For instance, this authority reports that, "With the proliferation of sophisticated attacks and the discovery of new vulnerabilities, new methods are needed to protect precious data and network resources. Intrusion prevention systems (IPSs) use new proactive approaches that block attacks before damage is done" (Sequeira, 2003, p. 36). Although every computer system will be unique in some fashion, IPSs typically operate by identifying anomalous behaviors in a computer system and taking steps to prevent damage from being done. For instance, Sequeira advises that, "A successful intrusion protection system will combine approaches [including] stateful pattern matching, protocol decode analysis, traffic-based anomaly activities [and] protocol anomaly detection" (2003, p. 37).

Cite This Paper
PaperDue. (2012). Firewalls Great Network Security Devices but Not a Silver Bullet Solution. PaperDue. https://www.paperdue.com/essay/firewalls-great-network-security-devices-57741