A common question I hear after cleaning a client’s computer of malware is, “how did this happen, we have antivirus and a firewall?” This question has always intrigued me because it sheds some light on the fact that there are misconceptions about what firewalls actually do.
We know what the purpose of antivirus is. We see it running in our taskbars, diligently protecting us from the threats that exist on the web and notifying us of actions taken to protect our computers. It appears that almost everyone has a correct (if sometimes limited) understanding of what an antivirus actually does.
What about firewalls? Aside from the cool name, what benefits do they provide? We know from marketing materials that a firewall is supposed to protect us from Internet threats such as hackers and botnets. We know from marketing materials that they can also provide content filtering, IDS and perimeter antivirus. Unfortunately, these features do not clearly explain the root function of a firewall.
The function of a firewall can be explained in two words: access control. In the infancy of the Internet there arose a need for a centralized piece of software that could enforce whether or not one group of machines could communicate with another group of machines. These devices were known back then as “packet filters.” All traffic would flow through the filter, and the filter would decide, based on the source and destination addresses of each individual packet, whether or not that traffic should be allowed.
This form of filtering evolved into what we know now as a firewall, and for a long time access control was the only core function a firewall performed. So what happens if a firewall-approved computer tries to spread a virus to another firewall-approved computer? The firewall passes that traffic happily, because as far as it’s concerned, as long as the traffic satisfies its rules, the traffic is passed. A well-trained sysadmin will notice this and instruct the firewall to block the traffic, at which point it will be blocked, but only after the damage has been done. This exposes a limitation of the core firewall component: its security is reactive.
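To make the limitation concrete, here is a small stateless packet filter of the kind described above. This is an added example, not code from the original post; the network range, rules, addresses and packets are all constructed. The filter looks only at source address, destination address and destination port, so a packet between two approved machines is allowed no matter what its payload contains, and the only remedy available is the sysadmin’s after-the-fact deny rule.

```python
"""A stateless packet filter: address- and port-based access control only.
Added example, not code from the original post; all networks, rules and
packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""          # carried along but never examined by the filter


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both addresses fall in its networks and the port agrees."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


LAN = "10.0.0.0/24"   # constructed: the "firewall-approved" machines
RULES = [
    Rule("allow", LAN, LAN),                # approved machines may talk to each other
    Rule("allow", LAN, "0.0.0.0/0", 443),   # outbound HTTPS from the LAN
]

# Constructed packets. The "worm" packet is just a labelled byte string;
# the point is that the filter never reads it.
WORM = Packet("10.0.0.5", "10.0.0.9", 445, payload=b"<constructed malicious payload>")
INBOUND_SCAN = Packet("203.0.113.7", "10.0.0.9", 445)
WEB = Packet("10.0.0.5", "93.184.216.34", 443)


def react(rules: List[Rule], src: str, dst: str, dport: int) -> List[Rule]:
    """The sysadmin's after-the-fact fix: prepend a deny rule for the traffic just observed."""
    return [Rule("deny", src, dst, dport)] + list(rules)


if __name__ == "__main__":
    for name, pkt in [("worm", WORM), ("inbound scan", INBOUND_SCAN), ("web", WEB)]:
        print(f"{name:13s} {pkt.src} -> {pkt.dst}:{pkt.dport}  {decide(RULES, pkt)}")
    hardened = react(RULES, LAN, LAN, 445)
    print("after adding a deny rule:", decide(hardened, WORM))
```

The inbound scan from outside the LAN is dropped by default deny, which is exactly what the access-control model is good at. The LAN-to-LAN packet is allowed because it satisfies the first rule, and it stays allowed until someone adds the deny rule for port 445; other LAN-to-LAN traffic on different ports still passes afterwards, because the fix is as narrow as the rule that was written.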
The reactive approach to security has proven increasingly inadequate with every data breach, every exploited vulnerability, and every computer turned spambot or DDoS zombie. Our charge is to close the gap between exploitation and remediation, and to do this while more and more companies plug into the Internet.
We use a blended set of tools and strategies to deal with Internet security, firewalls being one of them. However, in order to become more useful, firewalls had to evolve significantly to meet this demand.
As you talk to your reseller or IT provider, you’ll notice that companies such as Cisco list features such as intrusion prevention and detection, stateful application inspection, and perimeter threat detection and remediation. All of these technologies supplement the core functionality of a firewall and build intelligence into the solution. Now all of a sudden your traffic is not only evaluated against a set of static rules, but also against signatures downloaded from the Internet and heuristics. Some solutions will automatically learn your network’s typical traffic patterns and alert, or block, when they discover traffic that doesn’t fit your daily use pattern.
These features that supplement the core functionality of a firewall are what make the modern firewall “smart,” but how does this help you? Well, a lot of companies do not have in-house IT management and do not have the resources to examine firewall logs, monitoring logs, or to keep tabs on the general health of the network. Even if a company had the resources to do this, no human can outpace a smart firewall in identifying a threat and remediating it the moment the threat knocks on your door.
Along with these smart features evolved the firewall’s ability to report. Reporting on a firewall is very important; almost as important as proactively protecting your network is the firewall’s ability to report to you what it’s doing. In the early days of firewalls, the best you could get out of reporting was a long list of triggered firewall rules in a text file that a user had to scroll through and try to analyze. Nowadays, firewalls can produce real-time charts and graphs that help the end user find patterns more easily, and they can report on traffic usage by device, user, and session. Firewalls can also send their reports to a master server, which allows users to view the reports for each firewall under a single pane of glass.
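The two ideas in the last three paragraphs, a firewall that learns the network’s usual pattern and alerts on deviations, and reporting broken down by device and user, share the same raw material: the firewall’s log. The example below, added here and not code from the original post, parses a constructed log format (not any vendor’s) into a per-device report and then compares one day’s activity against a learned baseline the way the “smart” features described above do. Every address, user and line is made up.

```python
"""Firewall log reporting and baseline comparison.  Added example, not code
from the original post; the log line format is constructed, not any vendor's,
and all addresses and users are made up."""
import re
from collections import defaultdict

# Constructed format: "<timestamp> <allow|deny> src=<ip> dst=<ip> dport=<port> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) user=(?P<user>\S+)$"
)


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def report(events):
    """Per-device summary: connection count, denied count, destination ports and users seen."""
    by_dev = defaultdict(lambda: {"connections": 0, "denied": 0, "dports": set(), "users": set()})
    for ev in events:
        d = by_dev[ev["src"]]
        d["connections"] += 1
        if ev["action"] == "deny":
            d["denied"] += 1
        d["dports"].add(ev["dport"])
        d["users"].add(ev["user"])
    return dict(by_dev)


def baseline_alerts(baseline_lines, today_lines, factor=3):
    """Compare today's per-device behaviour against the baseline period.

    A device is flagged when its connection count exceeds `factor` times its
    baseline count (a device absent from the baseline has a count of 0, so any
    activity flags it), or when it talks to a destination port it never used
    during the baseline.  Returns {device: [reasons]}."""
    base = report(parse(baseline_lines))
    today = report(parse(today_lines))
    alerts = {}
    for dev, stats in today.items():
        prior = base.get(dev, {"connections": 0, "dports": set()})
        reasons = []
        if stats["connections"] > factor * prior["connections"]:
            reasons.append(f"connections {stats['connections']} exceed "
                           f"{factor}x baseline {prior['connections']}")
        new_ports = stats["dports"] - prior["dports"]
        if new_ports:
            reasons.append("new destination ports: " + ", ".join(str(p) for p in sorted(new_ports)))
        if reasons:
            alerts[dev] = reasons
    return alerts


# Constructed sample logs: a quiet baseline day and a day on which 10.0.0.9
# starts contacting many LAN hosts on a port it never used before.
BASELINE_LOG = [
    "2024-01-01T09:00:00 allow src=10.0.0.5 dst=93.184.216.34 dport=443 user=alice",
    "2024-01-01T09:05:00 allow src=10.0.0.5 dst=93.184.216.34 dport=443 user=alice",
    "2024-01-01T09:10:00 allow src=10.0.0.5 dst=198.51.100.2 dport=443 user=alice",
    "2024-01-01T10:00:00 allow src=10.0.0.9 dst=198.51.100.2 dport=443 user=bob",
    "2024-01-01T10:30:00 allow src=10.0.0.9 dst=198.51.100.2 dport=80 user=bob",
    "2024-01-01T11:00:00 deny src=203.0.113.7 dst=10.0.0.9 dport=445 user=-",
]
TODAY_LOG = [
    "2024-01-02T09:00:00 allow src=10.0.0.5 dst=93.184.216.34 dport=443 user=alice",
    "2024-01-02T09:05:00 allow src=10.0.0.5 dst=198.51.100.2 dport=443 user=alice",
] + [
    f"2024-01-02T10:{i:02d}:00 allow src=10.0.0.9 dst=10.0.0.{10 + i} dport=445 user=bob"
    for i in range(8)
]


if __name__ == "__main__":
    for dev, stats in sorted(report(parse(TODAY_LOG)).items()):
        print(dev, stats["connections"], "connections,", stats["denied"], "denied,",
              "ports", sorted(stats["dports"]), "users", sorted(stats["users"]))
    for dev, reasons in baseline_alerts(BASELINE_LOG, TODAY_LOG).items():
        print("ALERT", dev, "->", "; ".join(reasons))
```

Note that the stateless filter from earlier would have allowed every one of the flagged connections, since they are LAN-to-LAN. The baseline comparison is what turns a stream of "allowed" entries into something a person, or an automated block, can act on, and the per-device report is the view that lets a small shop without in-house IT see the same thing at a glance.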
Despite all of the advanced features of the modern firewall, the solution by itself isn’t infallible. It is still possible to get infected, or successfully exploited, while under the protection of the firewall. How is this possible? The answers vary by client and by situation. A common answer is that the client bought an expensive firewall solution but did not opt to license any of its advanced features, such as IDS, which is only effective if it can retrieve definition updates from the security provider. Another is that they bought the firewall and the licensing, but never spent the time or money to configure it correctly. Lastly, a common answer is that they bought the hardware, licensed the software, and it ran great until they let their license expire, or they accidentally circumvented the protections of their firewall by other means (the list in this case is endless).
Some also assume that a top-of-the-line ASA 5585X is going to protect their computers outside of their office. While in specific cases this can be true, most of the time it isn’t. A 5585X isn’t going to make your “Windows firewall” perform any better.
Finally, one dangerous assumption is that firewalls are turnkey all-in-one solutions for network security and endpoint protection. They aren’t. A firewall is a tool in a repertoire of hardware solutions, software solutions, and security practices and procedures designed as a whole to protect the entirety of your network, your computers, and your data.