Firewalls have advanced greatly in recent years. Firewall vendors are adding more and more features to their firewalls out of the box, making them able to handle many different types of attack scenarios. The line between Intrusion Detection Systems (IDS) and firewalls is becoming more and more blurred. Firewalls often now come built in with IDS.
There are many types of firewall available. The most basic version still in use works by comparing incoming and outgoing connections to a set of rules. Based on what is specified in these rules, it decides whether to allow the connection to be accepted or to deny it. An example of a firewall rule in this scenario would be the following:
In the above table, the firewall is specifying in the first line to allow connections through the IP protocol from any source going to the IP address 192.168.1.24 on port 80. These types of firewalls are the simplest and cheapest to implement but are also the easiest to get around.
For example, when a hacker is looking to attack a server, they will first perform enumeration using a network mapper like Nmap. Nmap provides a feature that allows you to scan a target and make it look like its coming from a service that allows a connection i.e. you can scan the above target through port 80, which allows connections, to see what service is running on port 53, which would not show this information if scanned directly.
There are different categories of firewall available. A stateless firewall is the most basic form of firewall in use and its firewall rules look similar to the table above. A stateless firewall follows the rules with regards the connection by taking information from the header of the packets being transferred. However, it will not analyse the contents of the packets for malicious content and if the packet is going to a destination that accepts connections, the malware will pass through.
An attacker can get around a firewall such as this by using security tools such as Hping, which is a security tool that allows you to forge and create your own packets. This allows for numerous attacks on firewalls such as IP address spoofing, source routing attacks, fragment attacks etc.
A stateful firewall uses deep packet inspection (DPI) to not only analyse the packet header but also the contents of the packet. It compares the contents of the packets to a database of malware signatures and if it finds a match it will not allow the packets to pass through. This prevents much more malware getting through to the network or system.
There are numerous types of firewall deployment methods in use today, namely:
- Packet-filtering firewalls
- Circuit-level gateways
- Stateful inspection firewalls
- Application-level gateways (a.k.a. proxy firewalls)
- Next-gen firewalls
- Software firewalls
- Hardware firewalls
- Cloud firewalls
Most Common Issues with Firewalls
In a survey called “State of the Firewall” conducted by Firemon in 2019, there were 5 common challenges faced by IT teams across the board when it came to firewall management. These challenges were:
- Complexity of firewall rules/policies
- Optimizing firewall rules
- Managing multiple vendors/types of firewalls
- Gaps in firewall enforcement
- Lack of automation
Organisations IT security teams are overwhelmed, with nearly one-third of the respondents reporting having more than 100 firewalls on their network, up from 26% in 2018. Each of these firewalls requires a huge amount of configuration and management, putting a lot on IT teams plates.
Lack of automation
A data breach is the most common cyber-attack conducted on organisations around the world. One of the most frequent causes of a data breach are firewall misconfigurations, which are a result of human error. Misconfigurations typically occur due to three main issues: improper use of native cloud provider security controls, organizations deploying misconfigured servers, storage systems and firewalls in the cloud and under-qualified staff.
According to the InfoSec Institute, the shortage of cybersecurity professionals has grown to three million globally as of last year, with approximately three 498,000 job openings in North America alone. On top of this, research from ESG found 51% of organisations believe that they currently have a problematic shortage of cybersecurity skills. This skills gap is a huge problem and the rising number of breaches worldwide is a testament to this.
Organisations are using under-qualified and under resourced IT staff to configure, monitor and manage their firewalls resulting in numerous mistakes being made and as a result breaches occur.
Automation is the change agent to addressing this problem by eliminating guesswork and errors stemming from manual tasks. Firemon’s 2019 State of the firewall report found that 65% of respondents are still not using any form of automation to manage their network environments. 38% also said their change management systems, meaning how they update their firewalls, are ad hoc and mainly rely on emails, spreadsheets and other outdated tools.
Organisations are relying heavily on the skills of their cybersecurity/IT teams to manually configure and manage their firewalls. In many cases, these teams are lacking the resources and skills necessary to properly do their job. Furthermore, 36% of respondents said that misconfigurations, inaccuracies or issues on the network account for 10 to 24% of the changes that require rework, highlighting the need for automation to free up their IT
resources. Zero touch automation is the idea that firewalls and its integrated security features would look after themselves, without any human interaction. The survey above clearly highlights that the idea of zero touch automation is just that an idea, and is rarely if ever seen in practise.
There is a huge amount of configuration and management required from the IT for each of these firewalls, resulting in human errors and mistakes. Multiple teams and vendors are required to manage firewall change processes across on premise, cloud and hybrid network environments making addressing security challenges increasingly complex. Two or more vendors are used for enforcement points on the network by 78% of participants. Managing multiple vendors and types of firewalls is the third-most cited challenge when it comes to firewall management. The solution to this is a dire need for consolidation, integration and automation in the space.
On top of this, 72% of respondents said they have two of more teams involved in processing or approving a typical change request, which could be automated to improve efficiencies. IT teams have a huge amount on their plate with regards maintaining firewalls alone.
Poor visibility limiting organisations compliance was another main point of the survey. A lack of visibility across the network causes additional issues and weakens the ability to comply with security and privacy regulations. 12% of respondents don’t even know when a misconfigured firewall causes an issue on the network. 34% of participants have less than 50 percent real-time visibility into network security risks and compliance. Finally, almost 20% of C-level executives are not sure if they failed a compliance audit in the last 12 months. Only 51.3% of respondents are 60-80% prepared for a compliance audit tomorrow.
This level of uncertainty is worrying for both organisations who hold millions of user’s personal data and customers who give away their data with the trust that it will be kept safe. Among executives, only 45.3% of C-level respondents feel ready for an audit.
The biggest challenge facing IT teams and causing all these problems and uncertainties is managing information security centrally. It is a big ask for IT teams who are already under resourced with a huge challenge of complexity and visibility into the data they hold.
A solution which normalizes data from disparate sources and gives a clear view into the hybrid network is critical to truly maximizing the power of an organisations firewalls and overall security strategy.
The Importance of the Firewall
Firewalls are needed more than ever in 2020. According to the University of Maryland, hackers attack every 39 seconds – on average 2,244 times a day. By 2025 there is expected to be 41.6 billion devices connected to the internet, meaning that the number of attacks on systems is only increasing. The director of the FBI, John Chambers, commented in a January 2015 post for the World Economic Forum titled “What does the Internet of Everything mean for security?” saying “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked”. This comment was made five years ago
and malware has only become more advanced and malicious. Advanced firewalls are a requirement in this day and age to keep attackers out and your data secure.
IT security Managers are facing compliance pressures like never before. The effects of GDPR continue to apply pressure to organisations struggling to become compliance. Reports of fines for non-compliance with security standards are rising putting further pressure on management to find suitable security solutions.
Firewalls play a critical part in becoming compliant, with 95% of organisations noting that firewalls are more critical than ever in their security architecture. This trend continues into the future also with 95% stating that this opinion will remain the same for the next 5 years. 48% of C-level respondents rated their firewalls more critical than ever.
Spending on firewalls is on the rise with 65% of organisations spending between 10% and 49% of their security budget on firewall technology in 2019. This is an increase in spending of almost 10% from the previous figure of 56% in 2018.
Modern Advanced Firewall Solutions
The best firewall solutions incorporate multiple features into one compact security solution.
Next generation firewalls (NGFW) are the latest advancement in firewalls security. Gartner defines a next generation firewall as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention and bringing intelligence from outside the firewall”.
There are numerous similarities between these more advanced firewalls and traditional firewalls. Like regular firewalls, NGFW use both static and dynamic packet filtering and VPN support, which ensures all connections between the network, internet and firewall are valid and secure.
There are a number of difference which make NGFWs stand out from their former selves. The biggest difference between the two is an NGFW’s ability to filter packets based on applications that it is able to identify using analysis and signature matching. They are able to incorporate whitelists or a signature-based Intrusion Prevention System (IPS) to distinguish between safe applications and unwanted ones, which are identified using SSL decryption.
NGFW’s also include a path through which future updates will be received from the manufacturer, unlike most traditional firewalls which need updates installed manually from the system administrator.
There are numerous benefits of using a NGFW in your organisations network or server.
NGFW’s have the ability to block malware from entering a network, something which would be impossible for a traditional firewall to achieve using basic firewall rules. They are better equipped to find, alert and contain Advanced Persistent Threats (APTs). NGFW’s incorporate many security solutions and often include antivirus, firewalls and other security applications in one solution. This makes them more affordable for companies looking to increase their security posture. The best firewalls include features such as application awareness, centralized management features, Deep Packet Inspection (DPI) and 100Gps threat protection as well as hybrid cloud security to help defend against the rise of malware, intrusion attempts bypassing perimeter protection and other Pts.
There are a number of leading vendors offering advanced NGFWs. I have described to top three along with some of their firewall solutions below.
One of the main vendors in firewall security is Cisco, who Gartner named a leader in the 2019 Magic Quadrant for Network Firewalls. Cisco’s Firepower NGFW is one of the leading and most advanced firewalls in the industry. It possesses a unique ability, yet to be seen among competitors.
Their latest firewall, The Cisco Firepower Next-Generation Firewall, has the ability to add signatures to its database when it discovers new forms of malware in real time. What this means is that, if Cisco’s firewall sees a new type of malware in the wild that has no signature and has never before been seen, the firewall has the ability to analyse the malware using deep packet inspection, determine how it works, remove it from the network and add its signature to its database.
It doesn’t stop there, this signature is then uploaded to a network where all Cisco NGFW’s are connected around the world, updating all of their databases with this new signature.
This feature is an incredible step in advancing the security and effectiveness of firewalls. Catching brand new versions of malware before it gets on a network is invaluable to organisations around the world.
Another leading vendor in this space is FortiGate. FortiGate has been recognised for the 10th time in the Magic Quadrant for Network Firewalls by Gartner. The FortiGate 60 series is one of the bestselling NGFW’s on the market.
FortiGate have a reliable name in the firewall market and their firewalls are high-performing appliances which offer improved network security. FortiGate provides prevention and detection capabilities for known and unknown threats as well as cloud security features such as integrations for multi-cloud environments, WAS Edge capabilities for enterprise branches and protection against malware, exploits and malicious websites.
FortiGate are good at providing one platform for end-to-end security across an organisations entire network, something which many organisations would benefit from.
Palo Alto has been recognized as an 8 time leader in Gartner’s Magic Quadrant for Network Firewalls. They have also earned the highest Security Effectiveness score in the 2019 NSS Labs NGFW test with 100% of evasions blocked. They have also earned two consecutive years at the top of Zero Trust leadership rankings Forrester Wave: ZTX Ecosystem Providers Report.
The achievement of so many certifications gives makes Palo Alto one of the most trusted brands on the market. Palo Alto’s latest and most advanced firewall is the PA-7080 Series. This line of firewalls have a variety of service offerings including physical appliances, virtualized firewalls and 5G-ready firewalls.
Main features offered by Palo Alto firewalls include secure access for all users irrespective of location, secure encrypted traffic, detection and prevention of APTs as well as WildFire, which detects unknown threats using data from a global community. Palo Alto recently acquired a company called Aporeto, which is a micro segmentation company using machine identities to restrict network traffic. This signifies their interest in moving to more cloud based products and service offerings.
In 2019, Check Point achieved the highest security effectiveness score in the NSS Labs Breach Prevention Systems group test in 2019. Check Points NGFW’s and Advanced Endpoint Security achieved a 100% block rate and is the 3rd leader in Gartner’s Magic Quadrant for Network Firewalls. Check Point offers 23 firewall models optimized for running all threat prevention technologies simultaneously.
Some of their service offerings include full SSL traffic inspection, application inspection and control and hybrid cloud support. Check Point offers firewall appliances and software as well as virtual appliances which can be deployed on VMware, AWS, Openstack and Microsoft Azure.
Check Point has the world’s fastest security gateway which is a new service offering for them. The 64000 is the most advanced NGFW offered by Check Point and is designed for large data centre and telco environments. It has a multi-bladed, chassis-based security system which scales to support the needs of growing network demands. It is one of the most reliable NGFWs on the market.
Organisations are constantly on the lookout for solutions that address the entire enterprise. Firewalls continue to be a big part of organisations security strategy now and well into the future, but it is critical for organisations to look at automation to further shore up defences and ensure misconfiguration mistakes do not make them the next big headline on data breaches. With the number of attacks on organisations data and networks increasing at an incredible rate, advanced firewalls have become a requirement in many organisations to protect their infrastructure and their customer’s data. Many organisations are using traditional firewalls with limited functionality and features for packet inspection and
blocking threats before they get on the network. NGFW’s are the latest advancement in firewall security and use advanced techniques such as deep packet inspection and APT detection and containment. With the rate of malware spreading and advancing in its malicious behaviour, organisations will need to increase their cybersecurity budget to
incorporate these NGFW’s if they want to remain both compliant and secure. Some of the leading vendors providing the most advanced NGFWs include Cisco, FortiGate and Palo Alto, who is currently the market leader.