Even small networks need a firewall
Companies on a tight budget often run without a firewall, which is not advisable if they care about the security of their network. In practice, Internet access in smaller companies frequently runs through the router supplied by the provider, a device that only performs Network Address Translation (NAT) and neither filters nor inspects traffic. We explain why such a router cannot provide a sufficient level of security and why a firewall should also be used in smaller environments.
NAT translates local IP addresses into the public IP address
NAT routers sit between the local network and the Internet or the provider's network. The NAT function translates the private IP addresses of the components in the LAN, which are not routable on the Internet, into the public IP address assigned by the provider. Suppose a client PC in the LAN sends a request to a server on the Internet. As the router forwards the associated packets outwards, it replaces the client's source address with the public IP address. The Internet server then sends its response to this public IP address. When the response arrives at the router, it replaces the destination address with the LAN address of the client in question and forwards the packet to it. To know which packets belong to which computer in environments with several computers, the router records the addresses and port numbers of each connection (TCP and UDP alike) in a NAT table, rewriting the client's source port as well where two LAN hosts would otherwise collide.
NAT router is not a filter
This procedure ensures that the addresses and ports of the local network are not visible from outside; only the public IP address of the router is. Of course, this does not apply where administrators have set up port forwarding on the router, which, for example, forwards all incoming traffic on port 22 to a specific Linux computer in the LAN to enable remote administration via SSH. Where such port forwarding exists, the corresponding ports on the target devices are reachable from the Internet and must be secured separately.
But why is it not enough, from a security point of view, that internal addresses and ports cannot be reached from the Internet? The reason is that a NAT router does not filter or inspect the traffic it forwards. When a computer in the LAN sends a request to a server on the Internet, the router opens a mapping for that session, and the response comes back to the public port belonging to that mapping.
To be secure, the device has to check that packets arriving on this port really come from the server the client contacted and fit the current state of the connection, and not from an attacker who sends packets to the mapped port while pretending to be that server, for example to inject data or to flood the client in a DoS attack. This is what stateful packet inspection (SPI) does.
SPI checks whether packets arriving from the network belong to a connection that was previously initiated from inside (same peer address and port, plausible TCP phase and direction) and discards packets that do not fit. A plain NAT router does not offer this: it drops unsolicited packets only because no mapping exists for them, but, depending on how the NAT is implemented, it may forward anything addressed to a mapped port regardless of who sent it. The boundaries are fluid, however, since some routers do include SPI features.
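To make the difference concrete, here is an added illustration in Python; it is not part of the original article and not any router's real code. It models a plain NAPT table that forwards anything addressed to a mapped public port (the endpoint-independent filtering of a "full cone" NAT, the weakest common behaviour) next to the same table with connection tracking. The addresses, ports and packet sequence are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_IP = "198.51.100.1"   # assumed public address of the router (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""   # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK


class PlainNat:
    """NAPT only: an outbound packet creates a mapping LAN (ip, port) <-> public port.
    Inbound lookup uses the public port alone, so anyone who learns or guesses the
    port can reach the LAN host (endpoint-independent filtering)."""

    def __init__(self):
        self.next_port = 40000
        self.out = {}   # (lan_ip, lan_port) -> public_port
        self.inn = {}   # public_port -> (lan_ip, lan_port)

    def outbound(self, p):
        key = (p.src_ip, p.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.inn[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.out[key], p.dst_ip, p.dst_port, p.flags)

    def inbound(self, p):
        """Return the translated packet, or None if the router drops it."""
        target = self.inn.get(p.dst_port)
        if target is None:
            return None          # no mapping: the only thing a plain NAT ever drops
        return Packet(p.src_ip, p.src_port, target[0], target[1], p.flags)


class StatefulNat(PlainNat):
    """Same NAPT plus stateful packet inspection: the router remembers which peer
    each mapping was opened to and in which TCP phase the connection is."""

    def __init__(self):
        super().__init__()
        self.conns = {}   # (public_port, (peer_ip, peer_port)) -> TCP state

    def outbound(self, p):
        t = super().outbound(p)
        key = (t.src_port, (p.dst_ip, p.dst_port))
        state = self.conns.get(key)
        if state is None:
            # A SYN opens a new tracked connection; a non-SYN first packet is picked
            # up mid-stream as established (the lenient default of Linux conntrack).
            self.conns[key] = "SYN_SENT" if p.flags == "S" else "ESTABLISHED"
        elif state == "SYN_RECV" and "A" in p.flags:
            self.conns[key] = "ESTABLISHED"
        return t

    def inbound(self, p):
        key = (p.dst_port, (p.src_ip, p.src_port))
        state = self.conns.get(key)
        if state is None:
            return None          # mapped port or not: this peer was never contacted
        if state == "SYN_SENT":
            if p.flags != "SA":
                return None      # only the server's SYN-ACK fits this phase
            self.conns[key] = "SYN_RECV"
        elif p.flags == "S":
            return None          # an inbound SYN on an open connection is bogus
        return super().inbound(p)


def demo(nat):
    """Push one client session plus some hostile packets through a NAT implementation
    and report which inbound packets reached the LAN (constructed scenario)."""
    client, server, attacker = "192.168.1.10", "203.0.113.5", "192.0.2.99"
    t = nat.outbound(Packet(client, 50000, server, 443, "S"))       # SYN leaves the LAN
    pub = t.src_port
    fwd = {}
    fwd["server SYN-ACK"] = nat.inbound(Packet(server, 443, PUBLIC_IP, pub, "SA")) is not None
    nat.outbound(Packet(client, 50000, server, 443, "A"))           # handshake completes
    fwd["server data"] = nat.inbound(Packet(server, 443, PUBLIC_IP, pub, "A")) is not None
    fwd["spoofer on mapped port"] = nat.inbound(Packet(attacker, 443, PUBLIC_IP, pub, "A")) is not None
    fwd["server SYN while established"] = nat.inbound(Packet(server, 443, PUBLIC_IP, pub, "S")) is not None
    fwd["unsolicited to port 22"] = nat.inbound(Packet(attacker, 40000, PUBLIC_IP, 22, "S")) is not None
    return fwd


if __name__ == "__main__":
    for name, cls in (("plain NAT", PlainNat), ("NAT + SPI", StatefulNat)):
        print(name)
        for what, ok in demo(cls()).items():
            print(f"  {what:30s} {'forwarded to LAN' if ok else 'dropped'}")
```

Both devices drop the unsolicited packet to port 22 and both pass the genuine server traffic; the difference shows on the two hostile packets aimed at the mapped port, which only the stateful device rejects. Real routers fall anywhere between these two models, which is why the article calls the boundary fluid.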
Controlling data transmission with a firewall
The SPI function is included in many firewalls. In principle, a firewall examines every packet it forwards and decides, on the basis of previously defined rules, whether the transmission is permitted. The simplest form is the packet filter firewall, which has been around for a long time. During configuration, the responsible staff create policies that determine which transfers are allowed and which are not. These rules usually consist of the source, the destination, the port, the protocol and, on more capable systems, the user and the time of day. This makes it possible, for example, to allow the SSH access to the LAN mentioned above from certain computers on the Internet rather than from all of them, to allow it only at certain times, or only for certain users. With similar rules administrators can, for example, permit only certain computers to send and receive mail, or allow web surfing only outside working hours. Firewalls therefore give IT managers very powerful tools for controlling their data flows.
SPI-enabled firewalls go one step further: as already mentioned, they not only check whether a given transmission is permitted by the rules, but also whether each packet belongs to a connection that was legitimately initiated.
Modern firewalls can distinguish between web pages and mail
The packet filters described above, which examine traffic by source, destination and port, form the basis of every firewall. Today, however, they are no longer enough on their own. Most traffic now runs over ports 80 and 443 for HTTP and HTTPS, and these are open in almost all firewalls so that users can browse the web. Unfortunately, these ports are no longer used only for browsing but also for many other services, such as messengers and webmail, which are frequently used to distribute malware.
Next Generation Firewalls (NGFW) are used to secure these transmissions. They not only examine traffic by packet, source, destination and port, but also identify the application being carried, which means they work at layer 7 of the OSI model. This allows them to determine whether a transfer over port 443 is a web page being loaded or mail being read, for example from the server name in the TLS handshake or, where TLS inspection is configured, from the decrypted content. If the NGFW has a current anti-virus licence and the function is active, it can also check whether malware is attached to the mail and block the transfer. Application identification is only as good as what the firewall can see, however: an encrypted connection whose server name is hidden as well can only be classified coarsely or not at all.
NGFWs also work with rules. In the application policies, administrators specify, for example, that webmail may not be accessed from the workplace, or that employees may only use Twitter during the lunch break. Modern NGFWs usually have further functions, such as an intrusion prevention system (IPS), VPN features and the like.
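The following added example (written for this page, not code from any NGFW vendor) shows one common way application identification on port 443 works: reading the server name (SNI) from the TLS ClientHello, which is visible even though the rest of the connection is encrypted, and applying an application policy to it. The builder only exists to create test input; the application catalogue, the policy and the host names are constructed assumptions. The example also shows the failure mode mentioned above: a connection without a visible server name cannot be classified, and the policy here treats that as deny.

```python
import struct

# Constructed application catalogue (hypothetical; a real NGFW ships thousands of signatures).
APP_CATEGORIES = {
    "mail.example.com": "webmail",
    "www.example.com": "web-browsing",
    "chat.example.net": "messenger",
}

# Constructed application policy for the office LAN: anything not listed is denied.
POLICY = {"web-browsing": "allow", "messenger": "allow", "webmail": "deny"}


def build_client_hello(server_name=None):
    """Build a minimal TLS ClientHello record (as a client sends it on port 443),
    with or without a server_name extension. Used here only to create test input."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + b"\x11" * 32                  # client_version + 32-byte random (fixed here)
        + b"\x00"                                   # empty session id
        + b"\x00\x02\x13\x01"                       # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                               # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the SNI extension of a ClientHello, or None if the
    bytes are not a ClientHello or carry no server name."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                            # headers, version, random
        pos += 1 + record[pos]                                      # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]      # cipher suites
        pos += 1 + record[pos]                                      # compression methods
        if pos + 2 > len(record):
            return None                                             # no extensions at all
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                lpos, lend = pos + 2, pos + elen                    # skip server_name_list length
                while lpos + 3 <= lend:
                    ntype = record[lpos]
                    nlen = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return record[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify(dst_port, first_payload):
    """Port-filter view vs. application view of the first client packet of a flow."""
    port_view = "https" if dst_port == 443 else f"port {dst_port}"
    sni = extract_sni(first_payload)
    if sni is None:
        app = "unknown"     # not TLS, mid-stream, or a server name the firewall cannot see
    else:
        app = APP_CATEGORIES.get(sni, "uncategorised-web")
    return port_view, sni, app


def decision(dst_port, first_payload, policy=POLICY):
    """A port filter allows all of these (443 is open); the application policy decides
    per application and fails closed on anything it cannot identify."""
    _, _, app = classify(dst_port, first_payload)
    return policy.get(app, "deny")


if __name__ == "__main__":
    samples = {
        "webmail over 443": build_client_hello("mail.example.com"),
        "web page over 443": build_client_hello("www.example.com"),
        "TLS without SNI": build_client_hello(None),
        "plain HTTP on 443": b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    }
    for label, payload in samples.items():
        print(f"{label:20s} sni={classify(443, payload)[1]!s:18s} -> {decision(443, payload)}")
```

Whether "unknown" and "uncategorised-web" should be denied or merely logged is a policy decision; denying them is the safer default, but it is exactly the kind of rule that should first be run in monitoring mode (see the configuration section below) so that legitimate applications without a catalogue entry surface before they are cut off.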
UTM systems as a package solution
Firewalls and NGFWs typically run as hardware or virtual appliances. It makes sense to implement not only the firewall functions described above on such a platform, but other protective measures as well. The result is the so-called Unified Threat Management (UTM) product. Besides the firewall functions, UTMs usually include spam and content filters, VPNs, antivirus, intrusion detection and intrusion prevention systems. The boundary between UTM solutions and NGFW appliances is fluid, since there are also NGFWs with antivirus and intrusion prevention functions. In general, UTM products aim to manage all the features they offer from a central point while keeping administration as simple as possible, for example with many configuration wizards and dashboards for monitoring the system.
NGFWs do not make this claim; they focus on functionality rather than simplicity of operation. In practice, UTM products are therefore aimed mainly at small and medium-sized companies without dedicated security specialists, while NGFWs are used in large environments. This is also reflected in the performance of the hardware.
The protection required today from a firewall or UTM appliance goes beyond simply sealing off internal services; the security solution is expected to protect everything under one roof. Some UTMs can therefore also act as a mail gateway: they encrypt, sign and forward outgoing e-mails and decrypt incoming ones, so that the administrator is spared the complicated installation of certificates on the workstations. An Internet router with NAT capabilities, on the other hand, does not provide a sufficient level of security for a corporate network. Only security appliances that let administrators define exactly which services and applications are allowed from which stations at which times can help to contain malicious code, steer data streams correctly and protect the company's data. A router is therefore not an alternative to a security appliance.
The router is a door chain, the firewall a high-security door.
Typical manufacturers of firewall appliances for small and medium-sized networks include Sophos, Barracuda, WatchGuard and Zyxel. Firewalls have long since ceased to be simple packet filters; they recognise and categorise the application independently of the port. Plain HTTP or HTTPS traffic can carry almost anything: cloud applications, Office 365, music and video streaming, telephony and ordinary web browsing. To separate wanted from unwanted, i.e. malicious, traffic, the firewall has to recognise what is happening inside the protocol. A router can be compared to a door chain rather than a front door; a modern firewall, to stay with the image, is a high-security door through which the responsible persons control exactly who gets in. To comply with the GDPR, adequate protection of all stored data and sensitive information must be guaranteed, and a UTM is essential to meeting that requirement.
Configuring the firewall may be complex, but it is important.
Finally, let us look at how best to configure a firewall. In practice, it pays to take the time to build rule sets that only let through the traffic that is really needed.
Default rules such as those many firewalls ship with, for instance "allow all access from inside to outside, forbid all traffic from outside to inside", are not sufficient for secure operation, since they offer only marginal advantages over a pure NAT environment. The rule set for incoming traffic is normally easy to define. In small environments only a few services usually need to be reachable from outside, perhaps a web server or a computer that a service provider maintains remotely via SSH or a comparable protocol. The policies that allow these services, and the associated port forwarding, are quickly set up.
Identifying the services and applications that need access to the Internet from the LAN is more complicated, and more important. A rule set that allows all outgoing traffic opens the door for Trojans and other malware that download additional components from the Internet. Once a computer has been compromised, for example through a malicious mail attachment that a user opened, the attacker is inside the network, and the connections the malware makes go from inside to outside, all of which a firewall configured this way would permit.
Such a configuration puts no obstacle in the malware's path. It is therefore important to ensure that only legitimate connections are allowed outwards. Configured this way, the packet filter prevents, for example, malware from fetching further components via TFTP, the Trivial File Transfer Protocol, or from contacting its command-and-control servers over port 80.
Identifying all the services the company needs takes time and effort. Most firewall products offer a monitoring mode for this purpose: with it enabled, staff can create policies without their taking effect, while the firewall shows which connections the new policies would have cut off and which they would have let through.
It usually makes sense to run a new firewall in this transparent monitoring mode for a while after commissioning, long enough to cover infrequent but legitimate traffic such as weekly or monthly jobs, and to refine the rules step by step so that there are no unpleasant surprises later when the system is armed. As mentioned, this takes some effort, but it always raises the security level.
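As an added worked example covering both the packet-filter rules described earlier (source, destination, protocol, port, time of day, first match wins, default deny) and the monitoring-mode procedure above, here is a small Python rule evaluator run over a constructed connection log. It is written for this page and is not any firewall's code; the rule set, the addresses (all from the documentation ranges) and the log lines are assumptions. It contrasts a tight egress allow-list with the "allow everything from inside" default and reports, in monitoring mode, what the tight rules would cut off before they are armed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed rule set for a small office. First match wins; a connection that
# matches no rule is dropped (default deny in both directions).
RULES = [
    {"name": "ssh-from-msp", "dir": "in",  "src": "203.0.113.0/24", "dst": "192.168.1.20/32",
     "proto": "tcp", "dport": 22,  "hours": (8, 18)},   # service provider, business hours only
    {"name": "web-out",      "dir": "out", "src": "192.168.1.0/24", "dst": "0.0.0.0/0",
     "proto": "tcp", "dport": 443, "hours": None},
    {"name": "dns-out",      "dir": "out", "src": "192.168.1.0/24", "dst": "192.168.1.1/32",
     "proto": "udp", "dport": 53,  "hours": None},      # only the local resolver
    {"name": "smtp-relay",   "dir": "out", "src": "192.168.1.30/32", "dst": "0.0.0.0/0",
     "proto": "tcp", "dport": 25,  "hours": None},      # only the mail server may talk SMTP
]

# The "allow everything from inside to outside" default the article warns about, for comparison.
ALLOW_ALL_OUT = [{"name": "any-out", "dir": "out", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
                  "proto": "any", "dport": None, "hours": None}]

# Constructed connection log: '<iso-time> <in|out> <proto> <src:port> <dst:port>'
SAMPLE_LOG = [
    "2024-03-11T09:15:00 in  tcp 203.0.113.7:51000  192.168.1.20:22",    # MSP during the day
    "2024-03-11T22:40:00 in  tcp 203.0.113.7:51001  192.168.1.20:22",    # same source at night
    "2024-03-11T10:02:13 out tcp 192.168.1.15:49222 198.51.100.20:443",  # ordinary HTTPS
    "2024-03-11T10:03:00 out udp 192.168.1.15:40001 198.51.100.77:69",   # TFTP download attempt
    "2024-03-11T10:03:05 out tcp 192.168.1.15:49300 192.0.2.50:80",      # port-80 beacon
    "2024-03-11T10:04:00 out tcp 192.168.1.30:52000 198.51.100.25:25",   # mail server relaying
    "2024-03-11T10:04:10 out tcp 192.168.1.15:52001 198.51.100.25:25",   # workstation sending SMTP
    "2024-03-11T10:05:00 out udp 192.168.1.15:53001 192.168.1.1:53",     # DNS to local resolver
]


def parse_connection(line):
    ts, direction, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "dir": direction, "proto": proto,
            "src": ip_address(src_ip), "dst": ip_address(dst_ip), "dport": int(dst_port)}


def matches(rule, conn):
    """Every field of the rule must fit; None / 'any' fields are wildcards."""
    if rule["dir"] != conn["dir"]:
        return False
    if rule["proto"] != "any" and rule["proto"] != conn["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != conn["dport"]:
        return False
    if conn["src"] not in ip_network(rule["src"]) or conn["dst"] not in ip_network(rule["dst"]):
        return False
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not start <= conn["time"].hour < end:
            return False
    return True


def decide(conn, rules):
    """Name of the first matching allow rule, or None for the implicit drop."""
    for rule in rules:
        if matches(rule, conn):
            return rule["name"]
    return None


def audit(log_lines, rules):
    """Classify every logged connection. In monitoring mode only the 'dropped' list is
    reported (nothing is blocked); once armed, that list is what the firewall cuts off."""
    allowed, dropped = [], []
    for line in log_lines:
        hit = decide(parse_connection(line), rules)
        (allowed if hit else dropped).append((line, hit))
    return allowed, dropped


if __name__ == "__main__":
    allowed, dropped = audit(SAMPLE_LOG, RULES)
    print("monitoring mode: connections the tight rule set would cut off once armed")
    for line, _ in dropped:
        print("  would drop:", line)
    lax_dropped = audit(SAMPLE_LOG, ALLOW_ALL_OUT)[1]
    print(f"{len(allowed)} allowed, {len(dropped)} dropped; "
          f"with allow-all-outbound only {len(lax_dropped)} would be dropped")
```

The TFTP fetch, the port-80 beacon and the workstation talking SMTP directly all pass the lax rule set and are caught by the tight one; the night-time SSH attempt is caught by the time window. Running such an audit over real logs for a while, and adding rules for every legitimate connection that shows up in the "would drop" list, is the monitoring-mode procedure described above.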