Firewalls are one of the most important network security functions that everyone must have, whether you're operating a datacenter, or surfing the web on your phone during your public transit commute. Firewalls come in both hardware and software forms, for both consumers and enterprises. So what do firewalls do, and how do they work?
I’m sure you’ve seen firewall diagrams like this, but what’s really going on?
Firewalls filter network traffic so that you only receive data that you should be getting. No firewall works perfectly, and a lot of a firewall's effectiveness depends on how you configure it.
To get a basic grasp of how firewalls work, it's important to understand how TCP packets work.
The data that your computer sends and receives over the internet or an internal network consists of TCP packets and UDP packets. TCP packets can be filtered more effectively by firewalls because they carry more information in their headers.
TCP packets contain information such as source and destination addresses, packet sequence information, and the payload. That information allows your network interface to deliver data properly, and a firewall can compare it against the rules you configured. For example, all HTTPS data is transmitted through TCP packets. When HTTPS data arrives at your computer through your network interface while you surf the web, your operating system knows that the data is supposed to go to your web browser. The same applies wherever you are surfing the web: on your phone, on your PC, or even on a server machine in your datacenter. With the proliferation of the Internet of Things, you might even be surfing the web from a touchscreen embedded in your refrigerator. Your HTTPS data is handled the same way regardless.
UDP packets can be filtered by port, but their headers lack the information that TCP packets have for more sophisticated filtering.
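To make the header fields concrete, here is an added example (not code from the original article) that builds constructed IPv4/TCP and IPv4/UDP packets and parses them back into the fields a firewall would look at. The addresses, ports and sequence numbers are made up, and checksums are left at zero because the point is header layout, not validation.

```python
import socket
import struct
from dataclasses import dataclass

# Bit positions of the TCP flags in the 8-bit flags field.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class IPv4Header:
    src: str
    dst: str
    protocol: int      # 6 = TCP, 17 = UDP
    total_length: int


@dataclass
class TCPHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: dict        # flag name -> bool


@dataclass
class UDPHeader:
    sport: int
    dport: int
    length: int


def parse_ipv4(raw: bytes):
    """Parse the fixed part of an IPv4 header; return (header, offset of the next header)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return IPv4Header(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, total_len), ihl


def parse_tcp(raw: bytes):
    """Parse the 20-byte TCP header; the data offset tells us where the payload starts."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    data_offset = (off_res >> 4) * 4
    names = {name: bool(flags & bit) for name, bit in TCP_FLAG_BITS.items()}
    return TCPHeader(sport, dport, seq, ack, names), data_offset


def parse_udp(raw: bytes):
    """UDP has only ports, length and checksum: far less for a filter to work with."""
    if len(raw) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", raw[:8])
    return UDPHeader(sport, dport, length), 8


def parse_packet(raw: bytes):
    """Return (ip_header, transport_header_or_None, payload) for a raw IPv4 packet."""
    ip, offset = parse_ipv4(raw)
    if ip.protocol == 6:
        l4, l4_len = parse_tcp(raw[offset:])
    elif ip.protocol == 17:
        l4, l4_len = parse_udp(raw[offset:])
    else:
        l4, l4_len = None, 0
    return ip, l4, raw[offset + l4_len:]


# --- constructed sample packets (not captured traffic; checksums left at 0) ---
def make_ipv4(src, dst, proto, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def make_tcp(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    bits = sum(TCP_FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0) + payload


def make_udp(sport, dport, payload=b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_TCP = make_ipv4("192.0.2.10", "198.51.100.7", 6, make_tcp(51234, 443, 1000, 0, ["SYN"]))
SAMPLE_UDP = make_ipv4("192.0.2.10", "198.51.100.53", 17, make_udp(40000, 53, b"\x12\x34"))

if __name__ == "__main__":
    for pkt in (SAMPLE_TCP, SAMPLE_UDP):
        ip, l4, payload = parse_packet(pkt)
        print(ip, l4, payload)
```

Running the block prints the parsed headers; note that the TCP packet yields sequence numbers and flags (the material a stateful filter tracks) while the UDP packet yields only ports and a length.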
There are three basic types of firewalls.
- Stateless or packet filtering firewalls inspect each packet individually, without considering the packets that came before it. Imagine a bouncer at a nightclub. Each person lining up to get in is considered on an individual basis. There might be people on their own, parties of one. There might be people trying to get in as a social group. The bouncer may be instructed to forbid kids who are below legal drinking age and people who are wearing criminal gang colors from entering the club; those instructions are your firewall rules. Instead of looking at a high school kid in a group of high school kids and excluding them as a collective, the bouncer will look at each individual high school kid and insist that they present their ID.
- Stateful firewalls do what stateless firewalls do, and they also consider the connection state of streams of data. This is the bouncer who may see one high school kid and then reject the whole group of high school kids, rather than asking each of them to prove their age. A stateful firewall collects a series of packets before it determines their connection state, and then compares those findings to the firewall rules, rather than applying the rules to each individual packet of data.
- Application firewalls generally do everything that stateful firewalls do, and they also analyze the actual data content of the packets, not just the headers. I suppose the nightclub bouncer becomes a TSA agent at the airport, making you go through a metal detector and a full body x-ray. Application firewalls allow you to set firewall rules for individual applications. That's how the software firewall I installed on my Android smartphone works. One of the ways I configure the firewall on my phone is I allow most of my apps to use the internet, and I block a few of them from using the internet.
Firewall rules can be designed to block, allow, or filter specific TCP/IP ports; block or allow specific IP addresses or address ranges (no class B addresses on our network, thank you very much!); block or allow packets for certain applications if you're using an application firewall; or redirect traffic that matches a certain rule to a different port (all traffic from employee gateway IPs goes through port 22 SSH no matter where it comes from!).
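The following added example (my own illustration, not code from the original article) ties the stateless/stateful distinction above to the kinds of rules just listed. It implements a small default-deny rule engine with address-range, port and redirect rules, then runs the same constructed packet sequence through a stateless filter and a stateful one. The policy, addresses and ports are assumptions chosen for the demonstration: inside hosts may open HTTPS connections, an employee gateway range is redirected from port 2222 to 22, and nothing else is allowed in. The stateless filter can only let HTTPS replies back in by trusting source port 443, so it also admits an unsolicited packet that merely claims that source port; the stateful filter admits only replies to connections it has recorded.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Parsed-packet summary, as a filter would see it after decoding the headers.
@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (toward our network) or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # e.g. {"SYN"}, {"SYN", "ACK"}


@dataclass
class Rule:
    action: str                                   # "allow", "drop" or "redirect"
    direction: Optional[str] = None
    src_net: Optional[ipaddress.IPv4Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    redirect_to: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        return ((self.direction is None or self.direction == p.direction)
                and (self.src_net is None or ipaddress.ip_address(p.src) in self.src_net)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

    def verdict(self) -> str:
        return f"redirect:{self.redirect_to}" if self.action == "redirect" else self.action


class StatelessFirewall:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.verdict()
        return "drop"


class StatefulFirewall(StatelessFirewall):
    """Same rules, plus a connection table of flows that a permitted SYN opened."""
    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.table = set()   # entries are (src, sport, dst, dport) of the opening SYN

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            # Part of a known connection: allowed without consulting the rules.
            # A real tracker also follows the FIN handshake and ages entries out.
            if "RST" in p.flags:
                self.table.discard(fwd)
                self.table.discard(rev)
            return "allow"
        verdict = super().decide(p)
        if verdict == "allow" and "SYN" in p.flags and "ACK" not in p.flags:
            self.table.add(fwd)   # remember the connection this SYN is opening
        return verdict


INSIDE = ipaddress.ip_network("192.0.2.0/24")         # constructed: our workstations
GATEWAYS = ipaddress.ip_network("203.0.113.0/24")     # constructed: employee gateways

COMMON_RULES = [
    Rule("allow", direction="out", src_net=INSIDE, dport=443),
    Rule("redirect", direction="in", src_net=GATEWAYS, dport=2222, redirect_to=22),
]
# A stateless filter needs an extra rule to let HTTPS replies back in at all.
STATELESS_RULES = COMMON_RULES + [Rule("allow", direction="in", sport=443)]

# Constructed packet sequence: a real HTTPS exchange, then an unsolicited packet
# from a stranger using source port 443, then a gateway connecting to 2222.
SCENARIO = [
    Packet("out", "192.0.2.10", 51234, "198.51.100.7", 443, frozenset({"SYN"})),
    Packet("in", "198.51.100.7", 443, "192.0.2.10", 51234, frozenset({"SYN", "ACK"})),
    Packet("in", "198.51.100.99", 443, "192.0.2.10", 3389, frozenset({"SYN"})),
    Packet("in", "203.0.113.5", 40000, "192.0.2.1", 2222, frozenset({"SYN"})),
]


def run_scenario():
    """Return (stateless verdicts, stateful verdicts) for SCENARIO."""
    stateless, stateful = StatelessFirewall(STATELESS_RULES), StatefulFirewall(COMMON_RULES)
    return ([stateless.decide(p) for p in SCENARIO], [stateful.decide(p) for p in SCENARIO])


if __name__ == "__main__":
    a, b = run_scenario()
    for p, x, y in zip(SCENARIO, a, b):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={x:12} stateful={y}")
```

The third packet is the one to watch: the stateless filter allows it because its only way of admitting replies is the blanket "inbound from source port 443" rule, while the stateful filter drops it because no inside host opened a connection to that address.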
Firewalls, especially those used by enterprises, are often subjected to distributed denial of service (DDoS) attacks. In a DDoS attack, many attacker-controlled computers coordinate to send so many packets to their target that they overwhelm the memory buffer on a network interface or firewall, so that it stops being able to operate properly. Although firewalls are a must for network security, an enterprise really needs an IPS device in order to mitigate DDoS attacks.
A firewall can be an application built into an operating system, a separate application installed on an operating system, or a dedicated hardware device with specialized software installed on it. Consumers will usually have software firewalls whether or not they've configured them properly. Enterprises will have applications running in operating systems, and firewalls built into specialized network devices. An enterprise should also have its firewalls constantly produce logs, which go through a SIEM and can be checked by network and security administrators.
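As an added example of the kind of check a SIEM runs over firewall logs (my own code, not from the original article), the block below parses constructed drop/accept log lines and flags any source that was dropped while probing several different destination ports. The key=value line shape is an assumption, since the article names no specific log format, and the addresses are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log lines (not real captured logs); the layout is assumed.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=3389
2024-01-15T10:00:01Z DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
2024-01-15T10:00:02Z ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
2024-01-15T10:00:02Z DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=445
2024-01-15T10:00:03Z DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
2024-01-15T10:00:03Z DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=1433
2024-01-15T10:00:04Z DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=22
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<verdict>DROP|ACCEPT)\s+(?P<fields>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "verdict": m.group("verdict")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        event[key] = value
    if "SRC" not in event or "DPT" not in event:
        return None
    return event


def parse_log(text: str) -> List[dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def drops_per_source(events: List[dict]) -> Dict[str, int]:
    """How many packets the firewall dropped from each source address."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["verdict"] == "DROP":
            counts[e["SRC"]] += 1
    return dict(counts)


def scan_candidates(events: List[dict], min_ports: int = 3) -> List[str]:
    """Sources whose dropped packets touched at least min_ports distinct destination ports.

    Repeated drops to one port look like a misconfigured client; drops spread across
    many ports are the shape of a port sweep and deserve an analyst's attention.
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["verdict"] == "DROP":
            ports_by_src[e["SRC"]].add(e["DPT"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("drops per source:", drops_per_source(evs))
    print("port-sweep candidates:", scan_candidates(evs))
```

Thresholds like `min_ports` are where tuning happens in practice: set too low, every flaky client becomes an alert; set too high, a slow sweep spread over hours goes unnoticed unless the window is widened as well.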
It is no longer the case that “I have a firewall, what else do I need for security?” – as you can see, firewalls are necessary in your network, but a firewall on its own is not enough to secure your organization and rapidly detect and respond to threats.