The Firewall: Thou Shalt Not Pass
In a previous blog post, where I discussed the need to identify your organization’s vulnerabilities before somebody else does, I mentioned that there is a trade-off when implementing security practices: any service offered also represents a potential vulnerability.
Today we will talk about how we mitigate that risk by ensuring that we offer services in the most secure way possible. Today’s topic is the firewall.
A firewall is an essential piece of network equipment – its function is to be the first line of defense between your internal network and the vast sprawl of the internet. In theory the principle is simple: only allow traffic into the local network that is a response to a request that started inside the network. Never allow external parties to initiate communications into the local network unless it is specifically authorized.
External attackers cannot launch probes or exploits against the machines on our local network because those machines cannot be seen from outside the local network. All traffic to and from them is masked at the firewall such that from the perspective of the internet, the firewall is the source of all the requests. Of course, the firewall knows where the requests originated within the local network and knows how to direct the responses appropriately, but that information is known only to the firewall. There is no way to trace the communication back to the systems behind the firewall from outside. The firewall makes it so that to the outside world, the local network of our business is a black box. All features of our network are scrubbed by the firewall, vastly reducing our potential exposure.
Some traffic from outside is desirable, though. For example, if we are running a website from a server within our network, we would want to keep it isolated behind the firewall too, but we need to allow external parties to initiate contact with it, otherwise the site would simply be down. In this case we specifically authorize that traffic by forwarding it across the firewall to the server hosting the site. In technical terms this is called a “port forward”. The server itself remains isolated from the external world, but the traffic – in this case HTTP requests on port 80 – is forwarded by the firewall to the internal server, which fulfills the request and responds by serving up web pages. The firewall ensures that those pages are delivered to the original requester while keeping the server isolated from direct exposure to the internet. Only a hardened system like the firewall should be exposed. Any attempt to scan the web server for vulnerabilities becomes a scan of the firewall, and if the firewall is clever this scan is noticed and logged.
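To make the rule of thumb above concrete, here is an added example (not code from the original post) of a toy stateful packet filter in Python. It tracks outbound connections so that only their replies are let back in, forwards one explicitly authorized public port (80) to an internal web server, and logs every other unsolicited inbound packet as a dropped probe. The class and function names, the simplification that outbound NAT keeps the client’s source port, and all IP addresses are assumptions constructed for the demo (the public addresses come from the RFC 5737 documentation ranges).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal IP/TCP header view: just the 4-tuple the filter decides on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Default-deny inbound filter with connection tracking and port forwards.

    Assumption (simplification): outbound NAT rewrites the source address to the
    WAN address but keeps the client's source port, so replies are matched on
    (remote ip, remote port, our port).
    """

    def __init__(self, wan_ip, port_forwards=None):
        self.wan_ip = wan_ip
        self.port_forwards = port_forwards or {}  # public port -> (lan ip, lan port)
        self.flows = {}  # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.log = []    # human-readable record of dropped, unsolicited packets

    def outbound(self, pkt):
        """LAN -> internet: remember the flow, then hide the LAN host behind wan_ip."""
        self.flows[(pkt.dst_ip, pkt.dst_port, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
        return "ALLOW", Packet(self.wan_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """internet -> firewall: allow replies, forward authorized services, drop the rest."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.flows:  # a response to a request that started inside
            lan_ip, lan_port = self.flows[key]
            return "ALLOW", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.port_forwards:  # explicitly authorized, e.g. the web server
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return "FORWARD", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # Unsolicited traffic: this is what a scan of the network looks like from here.
        self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return "DROP", None


def run_demo():
    """Constructed traffic: one browsing session, one probe, one website visitor."""
    fw = StatefulFirewall(wan_ip="198.51.100.5", port_forwards={80: ("192.168.1.20", 80)})
    results = {}
    # 1. A workstation opens an HTTPS connection to an external site.
    verdict, natted = fw.outbound(Packet("192.168.1.10", 40000, "203.0.113.7", 443))
    results["request"] = (verdict, natted.src_ip)        # leaves as the firewall's address
    # 2. The reply comes back addressed to the firewall, which maps it to the workstation.
    verdict, delivered = fw.inbound(Packet("203.0.113.7", 443, "198.51.100.5", 40000))
    results["reply"] = (verdict, delivered.dst_ip)
    # 3. An unsolicited connection attempt to SSH on the public address: dropped and logged.
    verdict, _ = fw.inbound(Packet("192.0.2.99", 51000, "198.51.100.5", 22))
    results["probe"] = verdict
    # 4. A visitor requests the public website: the port forward hands it to the server.
    verdict, delivered = fw.inbound(Packet("192.0.2.50", 52000, "198.51.100.5", 80))
    results["web"] = (verdict, delivered.dst_ip)
    results["log"] = list(fw.log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the web server and the workstation never appear in any packet on the internet side; only the firewall’s address does, and the one dropped packet is exactly the kind of event a real firewall writes to its log.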
Firewalls are good at their job – it is extremely rare to discover an instance of an unauthorized intrusion where the intruder managed to defeat the firewall. Honestly, I can’t think of an example. In just about every case what we find is that either the security rules were ignored, or the intruder managed to bypass the protection of the firewall by exploiting a human weakness. That is basically what phishing is all about. We allow email into our organizations because our users rely upon it to do their work, so email becomes a means of intrusion that will not be stopped by the firewall, because blocking it leaves us without email. If we told the firewall not to allow email in or out, we could hardly do our jobs. However, now that we have online cloud-based email services like Office365 and Gmail, this may no longer be a good example – but those services also utilize firewalls to secure their mail servers. The benefit is that utilizing such a service offloads the risk of protecting the mail servers to the mail provider, but it does little to prevent the risk of phishing.
Today, a firewall need not be an actual physical device; a firewall may be implemented simply by means of software. Truly, most physical firewalls are simply computers with such software already loaded that are dedicated to the specific role of being the firewall. All you need to create your own firewall is a spare PC, a couple of network cards, a suitable distribution of Linux, and the knowledge of the requisite software such as iptables. When an organization buys a firewall what they are buying is the service of experts putting all those pieces together in a reliable way with an interface that allows easy configuration. There is no magic to it.
Today, most home cable modems are combination devices that also serve as routers and firewalls. They have a variety of ways of setting them up, but almost all of them now have a web interface that can be reached from the internal side of the network for easy configuration. Along with that, Windows 10 comes pre-loaded with the Windows Defender Firewall – a software firewall of the non-Linux variety – so firewalls are now ubiquitous.
Firewalls are common and essential – it is not an exaggeration to say that any system directly connected to the internet will come under attack within the first 15 minutes of connection. Without some form of firewall – either a software implementation or a dedicated device – the system will not last long. Properly secured, it can run for years without incident.
In fact, firewalls are so successful that techniques such as phishing have arisen to circumvent them. Phishing makes no attempt at all to defeat the security of the firewall. Instead, it relies upon the gullibility of the end user to step outside of the protection the firewall offers. Most firewalls are configured to allow the internal network users full access to most external sites. So, while a firewall may prevent an external actor from reaching into the network to inject a virus, it will also stand by helplessly while a user within the network clicks on a bad link to download a virus to their PC. Sometimes this can be prevented by having a known list of dangerous sites and instructing the firewall not to allow any communication to them, but that’s not reliable since the site names change quickly. Also, the clever phishing scams use links to sites with SSL/TLS encryption (HTTPS), so the firewall cannot see what the user is getting from the site. People are simply much easier to exploit than firewalls – so in addition to the firewall, end users need to practice good internet safety hygiene in order to work alongside the firewall to keep their networks secure.