Firewalls, your security perimeter
So what is a firewall? In simplest terms, it's a device (hardware and/or software) that blocks network traffic.
Why are they important? A firewall protects your network, whether at home or in the office, from the internet. If you were to place a computer directly onto the internet without a firewall to protect you, your computer would be infected with a virus within seconds to minutes.
These days, your desktop/laptop and mobile operating systems (Windows 7, 8, 10, Mac OSX, iPhone, iPad, Android) have built-in software firewalls. These software firewalls are effective, but only to a degree, and any computer left connected directly to the internet would eventually be hacked or infected.
If my computer has a firewall, why do I need one at home? Because your other home devices (smart TV, streaming media devices, smart fridge) typically have no security or firewall capabilities of their own.
Hardware firewalls are the de facto standard for any office regardless of size. How complex a firewall setup needs to be, and can get, depends on the organisation's needs and requirements, and this can be a very complex world indeed. The needs of a bank are significantly more complex than those of, say, a medium-sized company selling salt.
This article is aimed at SOHO to medium-sized businesses and as such won't deal with the complexities of larger corporate firewall needs. However, the principles of network and data protection are the same.
NAT routers (network address translation)
The most basic of hardware firewalls are NAT routers (network address translation). A NAT router is what every ADSL/Cable/Fibre/NBN connection comes with as standard. Your internet provider will send you a router or require you to provide a compatible router for their service.
These routers create a private network on the inside of the router and typically have one connection to the internet. By default, they allow connections to be opened in one direction only, Private Network -> Internet; replies to those connections are let back in, but traffic that originates from the internet is blocked by the device. See diagram below. However, these are entry-level devices, and many have been shown to have significant flaws that make them relatively easy to hack.
Above is a typical home network setup, and sadly many businesses are set up in a similar way, just with more devices on the private network.
The more advanced brands of NAT router allow you to create holes (port forwards) into your network. The holes are used for network communication or access to internal resources. Unfortunately, these devices are not capable of what is called stateful inspection of packets, i.e. they are NOT examining the traffic that is coming through the hole to determine whether it is friendly or malicious.
Firewalls that act as routers
A better way to construct a network is to ensure that your edge device is a firewall that can route traffic; nearly all firewalls can act as a router (direct traffic from one location to another).
Below is a simple example of what this might look like.
The fundamental difference is that a firewall typically (not always) inspects each packet of data that flows through it and will flag or block packets that could be malicious. However, firewalls are not perfect and are still relatively dumb devices, meaning they have little intelligence to detect and deflect hacking attempts. Any hole through the firewall (e.g. to an internal mail server) could still be hijacked by a hacker, or worse, you or your employees could visit a website with malicious code and download a virus or malware.
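To make the NAT-router versus stateful-firewall difference concrete, here is an added example (not code from the article): a small Python model of the allow/drop decisions described in the NAT section and above. The packets, the internal mail server address 10.0.0.5:25 and the malware signatures are all constructed for the demo; address rewriting itself is left out, only the decisions are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str         # "ip:port" of the sender
    dst: str         # "ip:port" of the receiver
    direction: str   # "out" (private -> internet) or "in" (internet -> private)
    payload: bytes = b""

# Constructed signatures a "smart" firewall might match on payload content.
BAD_SIGNATURES = (b"EICAR", b"<script>evil")

class Firewall:
    def __init__(self, holes=(), inspect=False):
        self.holes = set(holes)   # forwarded "ip:port" on the private side
        self.inspect = inspect    # True = smart firewall that examines payloads
        self.state = set()        # (src, dst) flows opened from the inside

    def allow(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.state.add((pkt.src, pkt.dst))   # remember the flow for its replies
            return "allow"
        # Inbound: allow only replies to flows opened from the private network...
        if (pkt.dst, pkt.src) in self.state:
            return "allow"
        # ...or traffic aimed at a hole. A plain NAT router passes this through
        # unexamined; a smart firewall still looks at what comes through it.
        if pkt.dst in self.holes:
            if self.inspect and any(sig in pkt.payload for sig in BAD_SIGNATURES):
                return "block"
            return "allow"
        return "drop"   # everything else from the internet is unsolicited and dropped

def demo(inspect: bool) -> list:
    """Run five constructed packets through a NAT router (False) or smart firewall (True)."""
    fw = Firewall(holes={"10.0.0.5:25"}, inspect=inspect)   # hole to the internal mail server
    packets = [
        Packet("10.0.0.2:51000", "93.184.216.34:443", "out"),                     # PC opens a web connection
        Packet("93.184.216.34:443", "10.0.0.2:51000", "in", b"HTTP/1.1 200 OK"),  # the reply comes back
        Packet("198.51.100.7:4444", "10.0.0.2:51000", "in", b"probe"),           # unsolicited scan of the PC
        Packet("198.51.100.7:4000", "10.0.0.5:25", "in", b"EHLO mail.example"),  # legitimate mail via the hole
        Packet("198.51.100.7:4001", "10.0.0.5:25", "in", b"EICAR test"),         # malicious payload via the hole
    ]
    return [fw.allow(p) for p in packets]

if __name__ == "__main__":
    print("NAT router:    ", demo(False))   # the bad payload through the hole is allowed
    print("Smart firewall:", demo(True))    # the same payload is blocked
```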
Just 10 years ago, the ability to monitor traffic across a series of devices (firewall, intrusion detection, intrusion prevention, content filtering devices) would cost a business $250,000. I purchased this sort of equipment for various organisations I worked for over the years.
Today, however, one device can provide an array of these features for a fraction of the cost, $1,000 to $5,000.
A smart firewall should be able to do the following:
- Stateful packet inspection (standard firewall capability)
- Content filtering, e.g. preventing access to porn or social media sites
- Malware detection, preventing the downloading of malware and viruses
- Intrusion detection, detecting that a hacking attempt is taking place and alerting someone
- Intrusion prevention, methods of protecting traffic flow that attempt to prevent an intrusion in the first place
Over the last couple of years, we have been deploying smart firewalls for all our clients; I've even deployed one on my home network.