A firewall is essential for protecting even the smallest networks against cyber attacks. But how do firewalls work, and how can they stop attacks and malware?
The fact of the matter today is that as soon as a company’s internal network is connected to the internet, it is potentially exposed to attacks. Practically from the very first moment, cybercriminals will try to infect the company’s infrastructure with viruses, trojans and other malware, causing damage ranging from business espionage to a complete paralysis of operations.
To prevent this from happening, you need defence – a sort of turnstile or bouncer for the corporate network. Access is only permitted for those truly deemed worthy; everyone else will hear ‘You’re not getting in here.’ These digital bouncers are called firewalls, and their role is to ensure that no unauthorized network traffic gets through the door. To do this, firewalls use rules to allow, block and constantly monitor the ingoing and outgoing traffic points – or ports – of the corporate network.
Firewalls are used in many different places. Operating systems like Windows and macOS include a software firewall to protect individual computers. These are referred to as desktop firewalls or personal firewalls. Various providers of internet security solutions offer similar firewall features.
Small networks are often only connected to the internet via a router, which is also equipped with an integrated firewall. The line of defence is found one level up: the router analyses network traffic before it can reach the individual computers and blocks undesirable data packets. Larger networks usually have a dedicated hardware firewall that is more powerful and can handle extensive network traffic.
There are two types of dedicated firewall: if the firewall is managed by the company itself, it is referred to as an unmanaged firewall. If the company does not wish to deal with the complexities of firewall configuration, it can use a managed firewall. A service provider will then take over all management-related tasks and usually lease the hardware to the customer as well. The firewall hardware can be located on the customer’s premises or in the provider’s data centre.
A cloud firewall or hosted firewall goes one step further. It is not a hardware device, but rather a firewall service offered by the provider in the form of shared infrastructure. The customer does not have to purchase or lease hardware, nor deal with maintenance or repairs, as they purchase only the exact level of firewall performance they currently need.
How does a firewall work?
Firewalls use a combination of various filtering functions, the most important of which is the packet filter. It analyses all network traffic and filters out any data packets it identifies as harmful. This can be done on several levels:
- Using pre-defined, static rules, it either routes or blocks data packets received via certain ports.
- Dynamic packet filtering, or ‘stateful inspection’, additionally monitors the connection status and only forwards data packets that belong to a connection the recipient is available for and willing to accept.
- A proxy firewall, or deep packet inspection, takes it one step further by performing packet filtering at the application level. Contents of the packets are scanned for identifying features, such as protocol violations, viruses, spam and other content.
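The difference between the first two filter levels, shown as an added example that is not part of the original article: a static port rule and a connection-tracking filter judge the same constructed packets. The packet fields, addresses, ports and rule set are assumptions chosen for illustration, and connection teardown is simplified.

```python
from collections import namedtuple

# Constructed sample packets; addresses come from documentation ranges.
Packet = namedtuple("Packet", "direction src sport dst dport flags")
LAN_HOST, WEB_SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.77"

def static_filter(pkt):
    """Static rules: each packet is judged alone, on direction and ports."""
    if pkt.direction == "out":
        return pkt.dport in (80, 443)           # allow outbound web traffic
    # Inbound: replies from web servers must get back in, and the only
    # thing a static rule can match them on is the source port.
    return pkt.sport in (80, 443)

class StatefulFilter:
    """Stateful inspection: inbound packets must match a tracked connection."""
    def __init__(self):
        self.connections = set()    # (lan_ip, lan_port, remote_ip, remote_port)

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in (80, 443):
                return False
            if "SYN" in pkt.flags:              # new outbound connection: track it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.connections
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        allowed = key in self.connections
        if allowed and pkt.flags & {"RST", "FIN"}:
            self.connections.discard(key)       # simplified teardown: forget it
        return allowed

TRAFFIC = [
    Packet("out", LAN_HOST, 50000, WEB_SERVER, 443, {"SYN"}),        # client opens HTTPS
    Packet("in", WEB_SERVER, 443, LAN_HOST, 50000, {"SYN", "ACK"}),  # genuine reply
    Packet("in", STRANGER, 443, LAN_HOST, 8080, {"SYN"}),            # unsolicited, source port 443
    Packet("in", WEB_SERVER, 443, LAN_HOST, 50000, {"RST"}),         # server closes the connection
    Packet("in", WEB_SERVER, 443, LAN_HOST, 50000, {"ACK"}),         # stale packet after the close
]

def compare(traffic):
    """Return (static verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.check(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, (static_ok, stateful_ok) in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dport, static_ok, stateful_ok)
```

The static rule forwards all five packets because it can only look at ports; the stateful filter drops the third and fifth, which belong to no open connection.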
As well as the packet filter function, firewalls offer additional filter features such as URL filters that block certain addresses based on a blacklist or content filters that scan the text of websites for dubious content.
‘Next generation’ firewalls, or unified threat management (UTM) firewalls, offer filter and analysis options that go beyond the basic firewall functions. These include intrusion detection and intrusion prevention systems (IDS/IPS) that scan network traffic for attempted attacks or other digital malfeasance and security breaches. When the system detects an attack it takes the necessary defence measures.
What can – and can’t – firewalls do?
Each firewall only monitors the connections that pass through it, but anything that bypasses it and makes its way onto the company network goes undetected. Nor will a central firewall positioned at the interface of the corporate network and the internet detect internal attacks originating from one computer and targeting another on the network. This is why it is also a good idea to enable the desktop firewall on individual PCs.
The basic features of conventional firewalls also help to guard against today’s most common attack methods. Phishing emails containing links to fake websites and malware-infected Office and PDF documents cannot be eliminated with a simple packet filter, because the connection exists between the computer and the email account and is therefore legitimate. The only solution for this is a UTM firewall, a security solution that includes additional services, such as web filters and anti-virus software that immensely improve security. In any case, it is always important to train employees to an appropriate level of security awareness.