Firewalls have been around for what seems a very long time now. They were first considered in theory at the end of the 80s as a simple packet filter, but within a decade they had progressed to stateful inspection, pioneered by the likes of Check Point with a usable front end. It seems remarkable now that a Firewall which only inspected the first few packets of a connection to decide whether to allow or deny it was once considered “next-gen”, but that’s just a measure of how far cybersecurity has moved on in the last twenty years.
Check Point and Cisco ruled the market for a while, until Palo Alto disrupted it with application-based policies. Since then there has been a big shift in how Firewalls inspect traffic, and policies have moved from traditional IP-based rules to allowing particular users access to particular applications, enabling much more granularity and control. Many more features have come (and in some cases gone) since then, and of course there is now an argument that there is no perimeter any more, so what does that mean for the Firewall?
In this blog post, we’ll look at the function of modern firewalls and what’s in store for the future of firewall development and functionality.
Evolution of firewall and the perimeter
Life seemed much simpler when the corporate network sat behind some kind of ISP-provisioned router and all that was needed was a cluster of robust business Firewalls to protect that network and the users on it. Remote working then came in and the perimeter started to expand as users took their devices outside the network. It expanded again as data and services moved from on-premises to the Cloud. So how did the Firewall evolve to deal with these changes?
The shift to remote working was (at the start at least) fairly simple to address: add Remote Access VPN functionality so that users could reach the corporate network securely. This is a simplistic view of the world now, but it at least secured the data in transit and restricted access to it. The move to Cloud, however, has been much more complex. Firewall vendors were slightly behind the curve when the initial move to Cloud started; there were some virtual Firewall offerings with a feature set similar to the on-premises appliances, but there were challenges with some of the underlying technology, such as clustering and the ability to use a tap interface.
It’s fair to say that Firewall vendors today have a much more mature offering for the “perimeter-less” world, but these products aren’t necessarily Firewalls. There are Firewall-vendor-led integrations with Cloud services such as Office365, Dropbox and SharePoint which scan for confidential data, check configuration and permission settings, and much more; but in no way do they resemble a Firewall. This reflects the changing environments and the need for vendors to cover them from a security perspective while retaining what is, for now, still considered their core Firewall technology.
The future of firewall & business networks
What capabilities should a Firewall suitable for a business network have? Before we get to the topic of firewall development, let’s define a business network: here we are specifically looking at office-based corporate networks which extend out to remote users. Business networks have a different set of risks from on-premises or Cloud-based production networks, but the same devices can use their range of features to cover both use cases.
Cyber security threats to business networks, and how to address them with a firewall
LRQA are seeing a huge increase in Covid-19 themed phishing attacks, both around the medical and healthcare sectors and targeting home users with phishing emails posing as delivery-company status updates. These add to the threats we commonly witness against a client’s business on a usual day: port scans, exploits against public-facing infrastructure (such as VPN access gateways) and many other attacks. We also need to consider outbound activity.
Firewalls can combat these with a number of features that are typically common across the leading vendors. These include:
- Anti-Spam – Firewalls can filter email based on some fairly basic policies; however, most organisations use a dedicated email spam solution before the traffic reaches the Firewall, and in the case of Office365 the Firewall won’t see the mail at all.
- Anti-Virus – Another feature we might term “traditional”. This is mostly done away from the Firewall, but a number of security teams prefer this defence to take place at the perimeter as well as on the host.
- IDS/IPS – An essential feature for protecting any network with a Firewall. It blocks known (signature-based) attacks carried in traffic that an allow rule on the Firewall would otherwise pass through to target resources on the network.
- Application and User control – Allowing the whole network access to “the Internet” to browse the web is how it used to be, but now all Firewalls should be configured with more granularity. For example, users in the “IT Group” can use a larger set of applications (IT tools, Email, Blogs, Collaboration etc.) than “Call Centre” users (Email only). Application control should also identify malicious traffic such as outbound Command and Control (C2) or threats via DNS; these would usually be blocked by default.
- Document Protection – Firewalls can now inspect Office and other documents for macros, with options to strip out anything suspicious and, based on policy, give the user the choice of whether to continue the download.
- SSL Decryption – Typically up to 70% of network traffic is encrypted with SSL/TLS. Firewalls have been able to decrypt it for years, but decryption is seen as invasive (technically as well as for privacy reasons) and has historically had low adoption; it also requires the Firewall’s issuing CA certificate to be trusted on every managed endpoint, and applications that pin certificates will break and need exclusions. With such a large percentage of traffic going uninspected, organisations not using this feature are blind to a lot of what crosses their Firewall.
- Sandboxing – Designed to stop threats not seen before (“Zero Day” threats), for which no signature is available for the IDS/IPS to recognise them. Anything the Firewall classes as an unknown attachment or URL is passed to an environment within the vendor’s Cloud. This “sandbox” executes the file or opens the URL and analyses the outcome for Indicators of Compromise, giving a “good” or “bad” verdict; the Firewall can then block the item or inform the user of the analysis.
Improvements in Firewalls - What do they mean for businesses?
A lot of vendors still use the “Next Gen” name across their product range, and it is probably truer now than ever that the features on a Firewall cover a much larger range of threats. However, with these enhanced feature sets come increased complexity and management overhead.
Consistently, we see products purchased and installed, only for “phase 2” (the rollout of the additional features) to be delayed due to perceived disruption or simply resourcing issues. Worse, we see configurations greatly out of step with current threats, IDS/IPS signatures out of date, “temporary” over-permissive rules becoming permanent, and so on. It is essential that Firewall features are enabled, configurations and policies set up properly and then maintained, so that they offer the best protection possible while matching the requirements of the people and technology they protect. After all, that’s what they were purchased to do.
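The two failure modes above (over-permissive rules that become permanent, and a ruleset that drifts away from the intended user-to-application policy) are easy to check for mechanically. The following is an added example, not code from the original post or from any Firewall vendor: it models a small user/application ruleset of the kind described in the Application and User control item, evaluates it first-match with default deny, and audits it for any/any allows, expired “temporary” exceptions and rules shadowed by an earlier catch-all. The rule format, rule names, group names and application names are all constructed for the example; a real Firewall exports its policy as XML or JSON and would need a loader in front of this.

```python
"""Rule evaluation and ruleset audit for a user/application Firewall policy.

Added example, not code from the original post or any vendor product.
The rule format is a constructed, vendor-neutral dict; real Firewalls
export policy as XML/JSON and would need a loader in front of this.
"""
from datetime import date

# Fixed "today" so the audit result is reproducible.
TODAY = date(2020, 6, 1)

# Constructed sample ruleset, evaluated top to bottom, first match wins.
# "expires" marks a temporary exception (None = permanent).
RULES = [
    {"name": "it-apps", "src_users": ["IT Group"],
     "apps": ["ssh", "web-browsing", "outlook-web", "slack"],
     "action": "allow", "expires": None},
    {"name": "callcentre-email", "src_users": ["Call Centre"],
     "apps": ["outlook-web"], "action": "allow", "expires": None},
    {"name": "vendor-temp-rdp", "src_users": ["any"], "apps": ["rdp"],
     "action": "allow", "expires": date(2020, 4, 1)},
    {"name": "catch-all", "src_users": ["any"], "apps": ["any"],
     "action": "allow", "expires": None},
    {"name": "block-c2", "src_users": ["any"],
     "apps": ["c2-traffic", "dns-tunnelling"],
     "action": "deny", "expires": None},
]


def is_any(values):
    return values == ["any"]


def matches(rule, user_group, app):
    return ((is_any(rule["src_users"]) or user_group in rule["src_users"])
            and (is_any(rule["apps"]) or app in rule["apps"]))


def decide(rules, user_group, app):
    """Return (action, rule name) of the first matching rule; default deny."""
    for rule in rules:
        if matches(rule, user_group, app):
            return rule["action"], rule["name"]
    return "deny", "default"


def is_open_allow(rule):
    return (rule["action"] == "allow" and is_any(rule["src_users"])
            and is_any(rule["apps"]))


def audit(rules, today=TODAY):
    """Flag any/any allows, expired temporary rules and shadowed rules."""
    findings = []
    shadowing = False  # set once an any/any allow has been passed
    for rule in rules:
        if is_open_allow(rule):
            findings.append((rule["name"], "any/any allow"))
        if rule["expires"] is not None and rule["expires"] < today:
            findings.append((rule["name"],
                             f"temporary rule expired on {rule['expires']}"))
        if shadowing:
            findings.append((rule["name"],
                             "shadowed by earlier any/any allow"))
        if is_open_allow(rule):
            shadowing = True
    return findings


def without(rules, *names):
    """Ruleset with the named rules removed (the remediation step)."""
    return [r for r in rules if r["name"] not in names]


if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
    # C2 from the call centre is allowed because the catch-all sits above the deny.
    print(decide(RULES, "Call Centre", "c2-traffic"))
    fixed = without(RULES, "catch-all", "vendor-temp-rdp")
    # With the catch-all and the expired exception gone, block-c2 is reachable again.
    print(decide(fixed, "Call Centre", "c2-traffic"))
```

The shadowing check is the one most often missed in manual reviews: a deny rule for C2 or DNS tunnelling is worthless if an any/any allow sits above it, and the Firewall will happily report the rule as “configured”. Running an audit like this from the vendor’s export on a schedule is a cheap way to keep the ruleset aligned with the policy it was bought to enforce.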
For more information on implementing an effective firewall, please don’t hesitate to contact a member of the LRQA team.