Do you have a next generation firewall?
Although it’s a technical and challenging topic, there are certain things about cyber security that are considered common knowledge. The easiest example is antivirus software; everyone knows they should always have antivirus software installed on their computers. This is virtually universally understood (though it’s somewhat less accepted wisdom for Apple or Linux devices). Something else that’s common computer knowledge (or should be) is that you also need a firewall protecting your network.
Now, “firewall” is another word that’s almost universally recognizable, but also terribly misunderstood. That is to say, we’ve all heard of firewalls, but few of us know what they really do. Then it gets even more complicated. For example, did you know that there are different types of firewalls? It’s not surprising when you think about it, though. Firewalls have been around for longer than most people expect, so, like everything else in the world of computers, they’ve evolved over time. That means there are now different types of firewalls, so you need to make sure you use the right type.
But rather than jumping straight into firewalls, we’re going to talk about networking equipment first. We’ll start with the simplest kind of networking device, called a hub. Hubs are as simple as networking gets. There are no rules to set up or configure; any packet received on one interface is automatically rebroadcast on every other interface. They’re basically just repeaters and aren’t particularly smart at all.
A step up from the hub is the router. It’s basically a smart hub that tracks and understands IP addresses. So it’s got a “brain” that looks at incoming packets and decides which interface to send them through. A router is even smart enough to allow for configuring basic rules for transmitting packets (essentially a list of where to send packets for various different IP addresses). All a router cares about are the source and the destination addresses for network traffic. It doesn’t see anything else.
Now we’re getting into the world of firewalls. We’ll start with the traditional firewall. It’s a step up from before because, unlike routers, a firewall understands a lot more about the traffic. It understands the source address, destination address, protocol and port, and it can make decisions about traffic based on that information. Although a firewall can’t read information inside the packets, like the URL of a website, it still allows for a great deal of control when setting up rules for what traffic to allow and where to send it.
Next, let’s take a look at next generation firewalls. They can do all the things a regular firewall can do, plus advanced features like virus scanning, web filtering, intrusion protection, and more. The difference is huge. For example, web filtering requires the firewall to understand how the HTTP and HTTPS protocols work. The firewall needs to actually understand and read that traffic so it can find where the important information is stored. Rather than just looking at packets, it needs to be able to read the information inside them.
This is an order of magnitude more difficult. Things like fragmented packets and information processing speeds become important because those scans take time. While it may only add milliseconds of delay, that’s an eternity when you look at the world in terms of data packets. It also increases your hardware costs because your firewall needs more memory and a better CPU just to keep up.
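To make that difference in inspection depth concrete, here is an added illustration (not code from this post) of the same constructed traffic judged by a router, a traditional firewall and a next-gen web filter; the packet fields, addresses, hostnames and policy lists are all made up for the demo. The last two functions also show why the fragmentation problem mentioned above matters: a web filter that looks at each packet alone misses a Host header split across two segments, while one that reassembles the stream first catches it.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

BLOCKED_NETS = ("10.9.",)             # constructed: a source prefix the router drops
ALLOWED_PORTS = {80, 443}             # constructed: the traditional firewall's port policy
BLOCKED_HOSTS = {"ads.example.test"}  # constructed: the next-gen web-filter list

def router_decision(pkt):
    """Router view: only source and destination addresses exist."""
    return "drop" if pkt.src.startswith(BLOCKED_NETS) else "forward"

def firewall_decision(pkt):
    """Traditional firewall: addresses plus protocol and port; the payload is opaque."""
    if router_decision(pkt) == "drop":
        return "drop"
    return "allow" if pkt.proto == "tcp" and pkt.dport in ALLOWED_PORTS else "drop"

def http_host(data):
    """Return the Host header of a complete HTTP request head, else None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not finished yet: nothing to decide on
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def naive_ngfw_decision(pkts):
    """Web filter inspecting each packet alone: misses a header split across packets."""
    if any(firewall_decision(p) == "drop" for p in pkts):
        return "drop"
    return "drop" if any(http_host(p.payload) in BLOCKED_HOSTS for p in pkts) else "allow"

def ngfw_decision(pkts):
    """Web filter that reassembles the TCP stream first, then judges the Host header."""
    if any(firewall_decision(p) == "drop" for p in pkts):
        return "drop"
    return "drop" if http_host(b"".join(p.payload for p in pkts)) in BLOCKED_HOSTS else "allow"

# Constructed request whose Host header straddles two TCP segments.
REQUEST = b"GET /banner.js HTTP/1.1\r\nHost: ads.example.test\r\n\r\n"
SEGMENTS = [Packet("192.0.2.10", "198.51.100.5", "tcp", 80, REQUEST[:30]),
            Packet("192.0.2.10", "198.51.100.5", "tcp", 80, REQUEST[30:])]
```

The router forwards both segments, the traditional firewall allows them (TCP to port 80), and only the reassembling filter drops the blocked host; the per-packet filter lets it through.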
There are times where a traditional firewall is fine and times where a next gen firewall is needed, and it’s easy to tell the difference. If you’re setting up a border between your network and the internet, then a next gen firewall is a must. On the other hand, if you’re building an internal border that’s not on the internet (like between different internal networks), then a traditional firewall is cheaper and perfectly fine.
So don’t simply assume that because you have a firewall it’s capable of everything a next gen firewall can do. Make sure that it has advanced features like web filtering, antivirus scanning, and intrusion protection (at a bare minimum). Also, make sure you are making good use of those features. Each of them has a different purpose (web reputation, application control, geographic IPs, and more), and they are all intended to improve your security by detecting malicious traffic. Investigate each defensive feature of your firewall and properly evaluate whether turning it on will cause a problem. Just because you don’t have an immediate need for a particular next-gen firewall feature doesn’t mean you should ignore it, especially if turning it on doesn’t negatively impact you. If the only thing it does is make an attacker’s life more difficult, then it’s worth it.
Shakespeare’s play Henry V contains this week’s quote which is also a valuable cyber security principle: “In cases of Defense ‘tis best to weigh The Enemy more mighty than he seems.”
If you have any questions about Next Gen Firewalls, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.