Good Things to Look for in Firewalls – Some Protect us from Bad Traffic Better than Others
The term ‘Firewall’ is similar to the word ‘Vehicle.’ It’s an umbrella term for network devices that sit at the edge of your network. Their purpose is to keep unwanted traffic from getting past them (this applies to traffic coming in, AS WELL AS traffic going out).
Every network has a person or outfit in charge of IT. For a home network, the responsible party tends to be the one with the most IT skills. At a business, a person or people are paid to take care of it. For smaller firms, this may very well default to the owner.
The Internet is a network that you don’t control. This means you (and I can’t stress this strongly enough) need to have a firewall between your network and the Internet. That’s all well and good; most people even understand and accept this. The problem is that unless you are reasonably tech-savvy, looking for and buying a “good” firewall can be difficult.
As such, I figured I’d put together a list of Firewall Features and talk a little about what each one does and why they can be useful. This should provide practical information for anyone looking to purchase a firewall:
SSL Inspection
In my humble opinion, this is something every firewall should have, in some capacity. In simple terms, ‘SSL Inspection’ means the firewall is capable of looking into the contents of encrypted traffic. Encryption is used in many different forms of communication, so if the firewall has no means of looking inside the encryption, none of the other features it may have will work on that traffic.
Now then, enabling a feature like this and having it work seamlessly is a different story altogether. Encryption is designed to make it difficult for anyone other than the two computers involved to decode the traffic. This is good because it means it’s very difficult for an attacker to compromise your encrypted communications. It also means it’s very tough for you to do it as well. I could do multiple blogs about this and still only scratch the surface; just accept that getting this to work properly isn’t as clear-cut as enabling a checkbox.
Anti-Malware Scanning
This means the firewall has a built-in virus scanner that can be used to scan the traffic. This is pretty much a staple for any firewall, so if it can’t do this, it’s not worth very much. Now, virus code changes and updates over time, so for a feature like this to remain relevant, you will need to have some kind of support/update agreement as part of purchasing the firewall. If you don’t get the updates, it doesn’t mean this will stop working; just that it will become less effective over time.
When looking into a feature like this, it’s useful to consider which protocols the firewall can perform a virus scan on. In order to figure out if a virus might be hidden in the traffic, the firewall needs to be able to understand the traffic. Finding out exactly which protocols the Firewall can understand and perform virus-scanning on is very important, since it will help you understand its limitations.
IPS (not IDS)
IPS stands for Intrusion Protection System; IDS, Intrusion Detection System. The difference between the two is straightforward: Protection means it will stop the traffic that is considered bad; Detection means it will report that bad traffic was found (but not stop it). The reason there are two different systems is that in the early days of firewalls, the need for identifying someone performing an attack was very clear. However, the added strain caused by the system that looked at the traffic meant the firewall would be unable to keep up with traffic at a certain point. These systems were therefore not deployed in line with the traffic; they would usually be connected by mirroring traffic and sending a copy of it to a Detection system, which would scan the traffic and generate alerts when it found something bad.
These days you don’t see IDS setups very often. CPUs are cheaper now, so manufacturers can usually afford to put enough horsepower into a firewall to handle doing IPS. The reason I bring up IDS is that it is often the default setup for an IPS system on a firewall. By default, I mean that many of them will detect the bad traffic and generate an alert, not block it. Just because it has an IPS system doesn’t mean it’s been configured to behave like IPS. A default configuration of IDS means the firewall is far less likely to cause any sort of traffic disruption when a new customer first installs it.
Country-Based Filtering
IP addresses are numbers. From the smallest to the largest, they cover a wide range. Certain ranges can be linked to specific countries and global regions. While you can’t get anything as accurate as GPS, you can identify the country of origin with a high degree of confidence.
When you connect services to the Internet, it is often possible to gain additional security by limiting access to certain territories. For example: a small municipality with an online payment portal has very little reason to allow an IP address outside of Canada to connect to it. A lot of external services can have their security improved by applying similar logic. Even if it’s not used in any of the firewall policies, having a feature like this means that logs and statistics generated by the firewall should include country information. This can help your IT team identify unwanted or unusual traffic.
Web Filtering
A common feature these days is web filtering. Simply put, it’s a system that looks at the URL of the website you are visiting, checks for a category in its system and then blocks or allows the website based on your settings. It’s uncomplicated enough; you just need to make sure to test that the settings you choose allow your staff to visit whatever websites are necessary for their work.
The firewall should allow you to configure this to apply to both encrypted and non-encrypted web traffic (HTTP and HTTPS). The way this usually works is that the firewall needs to send the URL to a service that will return a rating. So, a feature like this also needs some form of subscription to keep working. If you drop it, your firewall won’t do lookups anymore, so the feature will completely stop working.
Botnet Command and Control Blocking
I haven’t seen this on very many firewalls, and that’s disappointing. The way it works is the device keeps a list of known botnet command and control servers. It then prevents any attempts to connect to those IP addresses and generates an alert. It’s a great way of detecting that one or more devices have been compromised.
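As an added illustration (not code from the original post), here is a small Python check that applies two of the ideas described above, the country restriction on an inbound service from the payment-portal example and the blocking of outbound connections to known command and control servers, to a few constructed connection records. The geo table, the C&C list, the 10.0.0.0/8 internal range and the portal address 10.0.5.20 are all constructed placeholders, not real data.

```python
import ipaddress

# Constructed sample geo table (network -> country code); not real allocations.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "CA"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]
# Constructed placeholder list of known botnet command and control addresses.
KNOWN_C2 = {ipaddress.ip_address("192.0.2.77")}
# Assumed internal address space of the protected network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Assumed policy: the payment portal at 10.0.5.20:443 accepts Canadian sources only.
COUNTRY_POLICY = {("10.0.5.20", 443): {"CA"}}

def country_of(ip):
    """Look up the country code for an address; '??' if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO_TABLE:
        if addr in net:
            return code
    return "??"

def evaluate(record):
    """Return (action, reason) for one connection record {src, dst, dport}."""
    src = ipaddress.ip_address(record["src"])
    dst = ipaddress.ip_address(record["dst"])
    # Internal host reaching a known C&C address: block and alert, naming the host.
    if src in INTERNAL and dst in KNOWN_C2:
        return "block", f"alert: {record['src']} contacted known C&C {record['dst']}"
    # Inbound connection to a country-restricted service.
    allowed = COUNTRY_POLICY.get((record["dst"], record["dport"]))
    if allowed is not None and src not in INTERNAL:
        code = country_of(record["src"])
        if code not in allowed:  # unknown country ('??') is also refused
            return "block", f"country {code} not permitted for {record['dst']}:{record['dport']}"
        return "allow", f"country {code} permitted"
    return "allow", "no matching restriction"

# Constructed sample connection records, as a firewall log might list them.
SAMPLE_RECORDS = [
    {"src": "198.51.100.10", "dst": "10.0.5.20", "dport": 443},  # CA -> portal
    {"src": "203.0.113.5", "dst": "10.0.5.20", "dport": 443},    # US -> portal
    {"src": "192.0.2.40", "dst": "10.0.5.20", "dport": 443},     # unknown -> portal
    {"src": "10.0.7.31", "dst": "192.0.2.77", "dport": 443},     # internal -> C&C
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(evaluate(r))
```

Note that an address missing from the geo table is refused rather than allowed; a real firewall's country lookups have the same gap when its database is out of date.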
IPSec VPN and SSL VPN
Having both is a standard feature on most firewalls these days. IPSec VPNs are great for setting up permanent connections between different firewalls. This allows you to link different locations together across the Internet, safely. You can also use IPSec VPNs to connect a firewall and a PC, although this often requires additional software. SSL VPNs can be connected to simply by pointing your browser at the website. This makes them a useful tool for setting up remote access where you don’t have access to your users’ home computers.
Regardless of which flavour of VPN you make use of, the only big ‘gotcha’ has to do with the maximum number of connections that are allowed. Some vendors set that limit based on the model that you buy, while others have a licensing system. Either way, you need to make sure that the maximum number of connections can support your intended usage.
Application Control
Traditionally, when a method of communication was designed, such as web pages or encrypted web pages, the protocol used for it was assigned its own port. There are now so many different applications using different methods to communicate with each other that doing this is no longer possible. This method also made it simple for network administrators to block methods of communication that they didn’t want in their network. These days, plenty of applications make use of common communication ports, because the designers know that ports like 80 and 443 can’t be blocked or even restricted that heavily in most networks. Application control gives administrators a chance to find traffic from applications they may want to block.
This feature operates in much the same way as Anti-Malware scanning. The firewall contains a database that gets updated. If you drop your support contract, the feature will probably continue to operate, but the lack of updates means it will become less effective over time.
After this is all said and done, there’s one last thing you need to consider:
What is the maximum amount of traffic the firewall can handle with all the features you want enabled?
Allowing or denying traffic based on the source and/or destination is easy and doesn’t require any significant effort for the hardware. If that’s all you’re going to do, your firewall will not be a bottleneck for your traffic. However, the more features you turn on, the more work the CPU on your firewall is going to need to do. If you don’t size your firewall properly, it will not be able to handle doing everything you have configured it to do. It’s one thing to have a slow Internet connection. It’s another thing entirely to have a slow firewall.
I think that’s enough information to give you a running start. If in doubt, it’s always best to look for someone with more qualifications or experience than yourself. At the same time, we all need to start somewhere.
If you have questions about purchasing/upgrading your firewall, please reach out to your TRINUS Account Manager for stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.