Guilty until proven innocent. This is the principle behind firewall systems, which are designed to monitor and filter network traffic based on predefined policies.
Network security is a hard problem, but the goal of a firewall system is simple: reject all network traffic unless explicitly allowed. This seems a straightforward approach to eliminate anomalous traffic from infiltrating your IT network — while allowing a free flow of legitimate traffic.
This simple concept is a challenge to implement. Enterprise IT networks consist of thousands of devices continuously communicating with each other. How do you create a security policy whose rules cover every form of legitimate traffic request? A variety of firewall systems allow you to filter unwanted traffic requests.
Let’s take a look.
Firewall systems filter network traffic across several layers of the OSI network model. The most common applications cover:
A high-level language may be used to describe the policy rules for filtering network traffic across these levels. The firewall filter acts as a boundary between two networks, with the assumption that the internal network devices are safe and must be protected from the outside network unless explicitly allowed to transfer.
All information transfer takes place through the firewall and is tested against the firewall policy.
Let’s review how different types of firewall systems help achieve this network security goal:
A simple firewall system that checks:
All traffic that complies with the predefined rules is allowed to pass through the device. In the case of Dynamic Packet Filtering, also known as a Stateful Inspection firewall, these rules may apply for a specific time duration. The system evaluates only the protocol headers, not the message data in the network packets themselves. Filtering rules are applied based solely on the information available in the current packet, which means no contextual knowledge is available.
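The difference between a stateless packet filter and stateful inspection, as an added example that is not part of the original article: both enforce default deny, but only the stateful filter can tell a reply to a connection an internal host opened from an unsolicited inbound packet carrying the same header fields. All addresses and ports are constructed values.

```python
from dataclasses import dataclass

# Constructed example (not Splunk's code): a minimal default-deny packet
# filter, first stateless, then with connection tracking (stateful inspection).

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True on the first packet of a TCP connection

INTERNAL_PREFIX = "10.0.0."  # constructed: the protected internal network

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

# The only explicitly allowed traffic: internal hosts opening HTTPS outbound.
OUTBOUND_ALLOW_PORTS = {443}

def stateless_filter(pkt):
    """Decides on the current packet alone, with no knowledge of earlier traffic."""
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in OUTBOUND_ALLOW_PORTS:
        return True
    # Without connection state, the only way to let replies in is a reverse rule
    # on header fields, which cannot distinguish a reply from an unsolicited packet.
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport in OUTBOUND_ALLOW_PORTS:
        return True
    return False  # default deny

class StatefulFilter:
    def __init__(self):
        self.table = set()  # 4-tuples of connections an internal host opened

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and is_internal(pkt.src) and not is_internal(pkt.dst) \
                and pkt.dport in OUTBOUND_ALLOW_PORTS:
            self.table.add(fwd)  # new connection explicitly allowed: record it
            return True
        if fwd in self.table:    # later packets of a tracked connection
            return True
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return rev in self.table  # reply to a tracked connection; otherwise deny

def run_scenario():
    """Returns the decisions of both filters on three constructed packets."""
    outbound = Packet("10.0.0.20", "203.0.113.9", 51000, 443, syn=True)
    reply = Packet("203.0.113.9", "10.0.0.20", 443, 51000)
    unsolicited = Packet("198.51.100.7", "10.0.0.20", 443, 51000)  # no prior connection
    stateful = StatefulFilter()
    return {"stateless": [stateless_filter(p) for p in (outbound, reply, unsolicited)],
            "stateful": [stateful.filter(p) for p in (outbound, reply, unsolicited)]}
```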
This system works at the Session Layer of the OSI model and determines whether the TCP handshaking between trusted servers and untrusted parties complies with the particular security rules of the session.
It acts as a proxy server between the external source and the internal destination server, creating a new connection with the remote host. For this connection, the gateway also substitutes its own IP address instead of using the destination IP address.
This system inspects traffic at the Application layer of the TCP/IP stack. It works as a separate host with its own IP address, which intercepts the traffic request received by the network. The proxy firewall responds with the Synchronize-Acknowledge (SYN-ACK) packet to the request arriving from the message source IP address.
The transmission is divided into two steps: source-to-proxy and proxy-to-destination. At each stage, the traffic is checked against predefined rules for security compliance. Unlike the circuit-level gateway, the Application Gateway does not replace the source IP address with its own when acting as a proxy.
This system combines multiple firewall functions, namely stateful inspection, antivirus and spyware services, and intrusion prevention, in one device at the gateway. A central console controls the traffic-flow rules and provides high-level visibility and control, bandwidth management and Quality of Service monitoring.
An advanced firewall mechanism that adds intelligence-based access control using:
These are further enhanced by Threat-Focused NGFW systems that provide more control, contextual awareness, and intelligent automation, and reduce the complexity associated with enforcing security policies in large scale networks.
Unlike a traditional firewall, which assumes that one side of the network is trustworthy, distributed firewall systems define a central policy and enforce it at each endpoint, irrespective of the network topology.
They use a policy language that describes the connection rules for devices and network states; a compiler translates it into an internal format, and a system management tool distributes the policy to all network hosts. Network-level encryption is used to verify the identity of a traffic source. This means that there is no longer a single checkpoint for network security, and the network is no longer limited by the throughput, latency and speed of dedicated firewall devices.
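The distributed model described above, as an added example that is not part of the original article or of any product: a central, high-level policy is compiled into a per-host rule table, and each endpoint enforces only its own table, so the result does not depend on where in the topology the host sits. The inventory, roles and policy lines are constructed; the policy grammar is this example's own, and source identity is assumed to have been verified already (the article attributes that to network-level encryption).

```python
import re

# Constructed example (not Splunk's code): a central policy compiled into
# per-host rule tables that each endpoint enforces locally.

# Central inventory of hosts and their roles (constructed values).
INVENTORY = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "db",
    "10.0.3.30": "admin",
}

# High-level policy: "allow <proto> from <role> to <role> port <n>".
# Anything not stated here is denied (default deny).
POLICY = """
allow tcp from web to db port 5432
allow tcp from admin to db port 22
allow tcp from any to web port 443
"""

RULE_RE = re.compile(r"allow (\w+) from (\S+) to (\S+) port (\d+)")

def compile_policy(policy, inventory):
    """Translate the policy language into an internal per-host rule table."""
    tables = {host: [] for host in inventory}
    for line in policy.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparseable policy line: {line!r}")
        proto, src_role, dst_role, port = m.groups()
        if src_role == "any":
            sources = frozenset({"any"})
        else:
            sources = frozenset(h for h, r in inventory.items() if r == src_role)
        # A rule is installed only on the hosts it protects (the destination role).
        for host, role in inventory.items():
            if role == dst_role:
                tables[host].append((proto, sources, int(port)))
    return tables

def endpoint_allows(tables, dst, src, proto, port):
    """Enforcement at the destination host, using only its own compiled rules.
    src is assumed to be an already-authenticated source identity."""
    for rule_proto, sources, rule_port in tables.get(dst, []):
        if rule_proto == proto and rule_port == port and ("any" in sources or src in sources):
            return True
    return False  # default deny at every endpoint
```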
These systems monitor traffic streams for anomalous behavior by evaluating signatures in the traffic. If a signature matches the content of a known cyberattack, the traffic is filtered. Like any antivirus system…
An evolution of this technique is the Rules-Based Detection mechanism, which evaluates not only the signatures but also the patterns within them. Advanced AI algorithms may be used to give the firewall system a deductive reasoning capability.
So, which one of these techniques is the most effective firewall mechanism? While this may be a difficult question, an important property of a fully secure firewall system is that it offers security without limiting the network's flexibility to scale, while maintaining compliance with strict security policies.
This posting does not necessarily represent Splunk's position, strategies or opinion.