Firewall for dummies – or, what do we mean by a next-generation firewall?

Faulty firewallThe term next-generation firewall is not well defined, so it’s worth clarifying a little before we proceed.

Put simply, a next-generation firewall offers more protection than a traditional firewall as it can look inside content, rather than just blocking based on sources and destination.

A useful analogy is the postal service. A traditional firewall just looks at the address on the envelope and uses simple rules to decide what’s permitted.

A next-gen firewall can look inside the envelope to check it also doesn’t contain dangerous content. Likewise, it can have smarter rules so you can say “block all known dodgy addresses” rather than having to explicitly state “don’t allow mail from Joe the scammer at number 23 Spam Lane.”

The great thing about these smart rules is that you can transfer the responsibility for keeping an updated list of dodgy addresses to your firewall vendor rather than maintaining them manually yourself.

The firewall is your gatekeeper, your first line of defense, shielding you from the bad stuff on the outside world of the internet. It stops unsolicited traffic from accessing your network and only allows responses to traffic originating from the inside back through.

When firewalls first came into use, it meant thinking about port numbers, like port 25 for email and port 80 for web traffic. But those port numbers were arbitrarily assigned to be well-known places where we can look for certain services.

Today’s firewalls are no longer just barriers with a few holes drilled through them, as Naked Security writer Chester Wisniewski pointed out in a recent article called “There is no inside – How to get the most from your firewall“:

They are intelligent gatekeepers, more like the border patrol of a nation. Neither side is really inside or out, rather one area and another.

You want the ability to do email scanning, to catch bad things coming in like links to malicious websites, boobytrapped attachments, or phishing emails that trick users into divulging information about themselves like their passwords.

Yet you can also see if there is suspicious email going out, and that tells you if bots are on your network that need to be cleaned up. Bots borrow your computing capacity to send spam – a single infected laptop can send as much as 5 million emails per week, as our SophosLabs researchers found.

You have a second chance to catch people on the way out and block a lot of attacks, because they rely on being able to get out again to ask for instructions – whether to send out another 5 million spams, or perhaps to download another type of malware like CryptoLocker.

CryptoLocker will seek out all the files on the computer and connected drives, scramble them with uncrackable encryption and then demand a ransom. CryptoLocker also relies on being able to use public-private key encryption to lock your files – a good firewall can catch it when it’s going out to ask for the keys to encrypt them in a way that only the crooks can reverse.

But it’s possible that the crooks could get around your firewall rule preventing certain traffic from going out by running a mail server on port 80 so it will look like web traffic.

Next-generation firewalls look at not what these packets claim to be but at what’s really inside of them to see if there’s anything malicious. A next-gen firewall will see if this is actually web traffic, because if it’s impersonating something it’s not, we might not want to let this go out.

Rules also authenticate who is actually doing the communicating, so you can allow Paul to connect to a website of a customer, but not go to his Facebook page to watch a cat video. Different rules for different groups of people can help prioritizing bandwidth for corporate applications while stopping bandwidth sapping video streaming.

Focusing on inside and out is not enough, however. You need to have more firewalls inside of your network – so if your website gets compromised, or if there’s a compromised laptop inside the network, the attacker with access to your public-facing web server can’t also get to your mail server or customer database.

As pointed out by the well-regarded Verizon data breach report, a lack of internal segmentation is regularly cited as a contributing factor in many data breaches.

Next-generation firewalls can also boost your defences by adding packet filtering between servers and additional defences such as intrusion prevention systems (IPS) and web application firewalls (WAF).

Configuring smart filtering features of this sort is more complex than simply enabling or blocking network traffic by IP address or port number. Different protocols, and different applications using the same protocol, need different sorts of scrutiny. A one-policy-fits-all network approach isn’t going to serve you well.

But, even though it’s not as easy as clicking accept or deny against a list of port numbers, the trend toward feature consolidation onto a single appliance can help.

Delivering packet filtering, intrusion prevention, web application protection, load balancing, virtual private networks (VPN) for users, Wi-Fi management and more on a single box, a good next-gen firewall can give you the defence in depth you need.

Firewalls Demystified

Get more insight from Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin in the “Firewalls Demystified” podcast below.

They explain in practical terms how next-gen firewalls can help you combine traditionally separate security services and manage them together in one place.

(Audio player above not working? Download, or listen on Soundcloud.)

7 Deadly IT Sins

Faulty firewall is one of Sophos’s 7 Deadly IT Sins. Find resources including videos and whitepapers about these sins on the Sophos website here.