Your firewall is a security gate into your network. The security guard is one or more processes ensuring that only good traffic is allowed in.

Firewall as a Gated Community

A firewall can be thought of as a literal firewall of the kind found in vehicles, buildings, or other places that need to stop a fire from spreading. In cyber security terms, a firewall is a device or service that attempts to stop the spread of a malicious actor. The problem with comparing contemporary digital firewalls to a mechanical firewall is that the digital firewall is now far more complex, and its levels of functionality cannot easily be expressed in the same way.

Basic Firewall

Imagine a basic firewall, like those found in low-end ISP-provided routers, as a security gate. The outbound gate is fully open, and the inbound gate, though somewhat flimsy, is down (unless you’ve misconfigured it or have a DMZ). The security guard at the checkpoint is primarily concerned with incoming traffic. They simply verify that the vehicle (or packet) has a valid destination and then wave it through.

Origin Filtering

The next level of firewall begins to incorporate origin filtering. Our security guard now has a clipboard and checks the registration of each incoming vehicle. If the vehicle’s registration is on a certain list, it’s not allowed through the gates. Most other traffic, however, is permitted.

Stateful Firewall

Moving up, we encounter the Stateful Firewall. Our security guard is now better paid and equipped with a clipboard for quick checks and a panel (akin to an air traffic controller’s panel) to record the comings and goings of packets. They’re on the lookout for any suspicious patterns. If an incoming vehicle isn’t on the clipboard or doesn’t correspond to a vehicle that left earlier, it’s not allowed in. However, there’s a limit to what a single guard can track manually.
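To make the three guards concrete, here is a toy packet filter written as an added example for this article; it is not code from the original post. It runs constructed sample traffic through the basic, origin-filtering and stateful modes described above, and it also shows the "limit to what a single guard can track": the stateful panel has a fixed size, and a legitimate reply whose entry has already been forgotten is refused. The LAN range, the single opened port, the blocklisted network and the packets are all constructed, and the simplifying assumption that a stateless filter has to leave the ephemeral port range (1024 and up) open so that replies can get back in is mine, not the article's.

```python
from collections import OrderedDict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port
    direction: str  # "in" (arriving from the internet) or "out" (leaving the LAN)


# Assumed topology (constructed for this example, not from the article).
INSIDE = ip_network("192.168.1.0/24")        # the community behind the gate
OPEN_PORTS = {443}                           # one service deliberately exposed inbound
BLOCKLIST = [ip_network("203.0.113.0/24")]   # the clipboard of banned registrations


class Firewall:
    """A toy packet filter in one of three modes: basic, origin, stateful."""

    def __init__(self, mode: str, max_flows: int = 4):
        if mode not in ("basic", "origin", "stateful"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.max_flows = max_flows
        # The stateful guard's panel: flows initiated from inside, oldest first.
        self.flows = OrderedDict()

    def _track(self, key: tuple) -> None:
        """Record an outbound flow, forgetting the oldest when the panel is full."""
        self.flows[key] = True
        self.flows.move_to_end(key)
        while len(self.flows) > self.max_flows:
            self.flows.popitem(last=False)

    def filter(self, pkt: Packet) -> str:
        """Return "ACCEPT" or "DROP" for one packet."""
        if pkt.direction == "out":
            # The outbound gate is fully open, but only residents may leave.
            if ip_address(pkt.src) not in INSIDE:
                return "DROP"
            if self.mode == "stateful":
                self._track((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"

        # Inbound: the packet must be addressed to someone in the community.
        if ip_address(pkt.dst) not in INSIDE:
            return "DROP"
        # Origin filtering: the guard checks the registration against the clipboard.
        if self.mode in ("origin", "stateful"):
            if any(ip_address(pkt.src) in net for net in BLOCKLIST):
                return "DROP"
        # A deliberately opened port is admitted in every mode.
        if pkt.dport in OPEN_PORTS:
            return "ACCEPT"
        if self.mode == "stateful":
            # Only replies to a flow a resident started are let in.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if key in self.flows else "DROP"
        # Stateless modes have no panel, so they must leave the ephemeral port
        # range open for replies, which also admits unsolicited traffic to it.
        return "ACCEPT" if pkt.dport >= 1024 else "DROP"


# Constructed traffic: a resident's request, its reply, and three uninvited visitors.
SAMPLE_TRAFFIC = [
    Packet("192.168.1.10", 51000, "198.51.100.5", 443, "out"),   # resident leaves
    Packet("198.51.100.5", 443, "192.168.1.10", 51000, "in"),    # matching reply
    Packet("198.51.100.9", 40000, "192.168.1.10", 51001, "in"),  # unsolicited, high port
    Packet("203.0.113.7", 40000, "192.168.1.10", 443, "in"),     # listed origin, open port
    Packet("198.51.100.9", 40000, "192.168.1.10", 22, "in"),     # unsolicited, low port
]


def run_scenario(mode: str) -> list:
    """Run the sample traffic through a fresh firewall and return the verdicts."""
    fw = Firewall(mode)
    return [fw.filter(p) for p in SAMPLE_TRAFFIC]


def eviction_demo() -> str:
    """Open more flows than the guard can remember; the oldest reply is then refused."""
    fw = Firewall("stateful", max_flows=2)
    for sport in (51000, 51001, 51002):
        fw.filter(Packet("192.168.1.10", sport, "198.51.100.5", 443, "out"))
    return fw.filter(Packet("198.51.100.5", 443, "192.168.1.10", 51000, "in"))


if __name__ == "__main__":
    for mode in ("basic", "origin", "stateful"):
        print(f"{mode:9s} {run_scenario(mode)}")
    print("reply after eviction:", eviction_demo())
```

The third packet is the point of the exercise: the basic and origin-filtering guards wave an unsolicited packet through because it is addressed to a high port, while the stateful guard drops it because nobody inside asked for it. The eviction demo shows the price of a panel that is too small: real replies start being refused once the table overflows, which is why connection-table capacity is a sizing figure worth checking on a stateful device.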

Intrusion Detection/Prevention Systems (IDS/IPS)

The highest level of security involves Intrusion Detection/Prevention Systems (IDS or IPS). Here, our guard has several coworkers, each assigned a specific task. One checks the vehicle’s registration details, another compares the registration to the actual vehicle, and another inspects the vehicle’s contents. Any discrepancy or contraband results in denial of entry. IDS/IPS systems can have static rule sets or ones that are regularly updated by your vendor: once a rule set is in place it generally doesn’t change, although more advanced systems (usually subscription-based) update their rule sets periodically or as new updates are published.

Additional aspects help make up a firewall security solution; some of these are optional features that may need to be licensed or configured on a case-by-case basis. Some may be security pantomime, depending on the specifics of the implementation or on the threat that is being “mitigated”.

Additional Firewall Features

Inbound VPN

Think of an inbound VPN as a special lane at the security checkpoint. This lane is reserved for residents who have a special pass (VPN credentials). The guard verifies the pass and allows them to access the community resources securely. This lane also provides a more secure exit point, ensuring that the residents’ vehicles (data) are not tampered with during transit.

Encrypted DNS

Encrypted DNS can be likened to coded instructions given to the guard. Instead of openly declaring where they’re headed, the vehicles (DNS queries) hand the guard a coded message (an encrypted DNS request), and the guard uses a special telephone to request the information on your behalf. This ensures that no one else can understand the vehicle’s destination, enhancing privacy.

Mesh VPN

A Mesh VPN is like having multiple interconnected security checkpoints. Each checkpoint (site) is connected to every other checkpoint, allowing vehicles (data) to move directly from one checkpoint to another without having to pass through a central hub.

VPN Exit Node on a Trustworthy ISP Hosted in a Cloud Service Provider

Finally, imagine a VPN exit node on a trustworthy ISP hosted in a cloud service provider as a highly secure, private tunnel leading out of the community. The vehicles (data) leave the community (local network) through this tunnel and enter the highway (internet) from a trusted location (the cloud service provider), ensuring a safe and secure journey. There are also variations on this where only data headed for a selection of SaaS applications is routed through the tunnel, while all other traffic hits the highway as soon as possible.

High Availability

High availability can be compared to having two separate checkpoints. If one checkpoint becomes too congested or is temporarily closed, vehicles (data) can be rerouted to the other checkpoint, ensuring a smooth flow of traffic at all times.

Failover

Failover is like having a main road and a secondary, less well-maintained road. If the main road is blocked or closed for any reason, traffic is diverted to the secondary road. While this road may not be as efficient as the main road, it ensures that traffic continues to flow.

Proxy Services with TLS Termination

Proxy services with TLS termination can be compared to a guard requesting information on behalf of the residents. The guard waits for a convoy to arrive, unloads it and inspects the contents. The guards then make a copy of the contents: one copy is sent to a local warehouse for storage and cataloguing, and the other is loaded onto a new set of trucks and sent on to the resident. This ensures that the contents are safe and secure before they reach the resident.

The warehouse serves a few purposes. If it is catalogued in one way, we can determine at a later date that a convoy was malicious, because its contents match newly published contraband patterns, and send an alert to the user or the administrator. The proxy service can also be used as a caching layer: if an outbound request has been seen before, a convoy can be dispatched right away from the local warehouse instead of waiting for one to return from the internet.
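The IDS/IPS guards described earlier and the proxy's warehouse both come down to inspecting decrypted content against a rule set, so here is one added Python example (mine, not the article's) that covers both passages: three checks on each message (are the header details well formed, does the declared service match the actual content, do the contents match a signature), an ids mode that only alerts and an ips mode that also drops, and a warehouse that archives everything seen so that a later rule-set update can be run back over it and raise alerts in hindsight. The messages, rule names, patterns and the ScannerBot user-agent string are all constructed; the signatures stand in for a vendor feed and are not a real rule set.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Message:
    src: str        # origin of the convoy
    dport: int      # declared destination service
    payload: bytes  # contents as seen after TLS termination


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes     # regular expression over the decrypted payload
    ports: frozenset   # ports the rule applies to; empty means every port


# Constructed rule set standing in for a vendor feed; the patterns are illustrative.
INITIAL_RULES = [
    Rule("http-path-traversal", rb"(\.\./){2,}", frozenset({80, 443})),
]
HTTP_METHOD = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) ")


def matches(rule: Rule, msg: Message) -> bool:
    """True when the rule applies to the message's port and its pattern is found."""
    if rule.ports and msg.dport not in rule.ports:
        return False
    return re.search(rule.pattern, msg.payload) is not None


class Inspector:
    """ids mode alerts and forwards; ips mode alerts and drops."""

    def __init__(self, mode: str, rules):
        if mode not in ("ids", "ips"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.rules = list(rules)
        self.archive = []   # the warehouse: a copy of every convoy seen
        self.alerts = []    # (source, finding) pairs raised so far

    def _checks(self, msg: Message) -> list:
        findings = []
        # Guard 1: are the registration details well formed?
        try:
            ip_address(msg.src)
        except ValueError:
            findings.append("bad-source-address")
        if not 0 < msg.dport < 65536:
            findings.append("bad-port")
        # Guard 2: does the declared service match the actual vehicle?
        if msg.dport in (80, 443) and not HTTP_METHOD.match(msg.payload):
            findings.append("non-http-on-http-port")
        # Guard 3: contents against the current rule set.
        findings.extend(r.name for r in self.rules if matches(r, msg))
        return findings

    def inspect(self, msg: Message) -> str:
        """Archive the message, raise alerts for any findings, and return the verdict."""
        self.archive.append(msg)
        findings = self._checks(msg)
        self.alerts.extend((msg.src, f) for f in findings)
        if findings and self.mode == "ips":
            return "DROP"
        return "FORWARD"

    def update_rules(self, new_rules) -> list:
        """Install a vendor update and run only the newly added rules back over the
        warehouse, returning the (source, rule) pairs that look malicious in hindsight."""
        known = {r.name for r in self.rules}
        added = [r for r in new_rules if r.name not in known]
        self.rules = list(new_rules)
        late = [(m.src, r.name) for m in self.archive for r in added if matches(r, m)]
        self.alerts.extend(late)
        return late


# Constructed traffic as the proxy would see it after decryption.
SAMPLE_TRAFFIC = [
    Message("198.51.100.5", 443, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Message("198.51.100.9", 443, b"GET /../../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Message("198.51.100.9", 80, b"\x16\x03\x01\x00\x05hello"),  # TLS-looking bytes on a plain HTTP port
    Message("198.51.100.7", 443, b"POST /upload HTTP/1.1\r\nUser-Agent: ScannerBot/1.0\r\n\r\n"),
]
LATER_RULES = INITIAL_RULES + [
    Rule("suspicious-user-agent", rb"User-Agent: ScannerBot", frozenset({80, 443})),
]


def run_demo(mode: str) -> tuple:
    """Return (live verdicts, findings raised retroactively after the rule update)."""
    insp = Inspector(mode, INITIAL_RULES)
    verdicts = [insp.inspect(m) for m in SAMPLE_TRAFFIC]
    late = insp.update_rules(LATER_RULES)
    return verdicts, late


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, late = run_demo(mode)
        print(mode, verdicts, "retroactive:", late)
```

The fourth message is forwarded in both modes because no rule matches it at the time; only after the vendor update does the warehouse rescan attribute it to a listed pattern, which is the alert-later behaviour the warehouse paragraph describes. Two caveats the example makes visible: the warehouse only helps if what it stores is the decrypted content (a TLS-terminating proxy has it, a plain stateful firewall does not), and storing a copy of every convoy has its own retention and access-control cost, which is part of why this feature is licensed and configured case by case.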

Port Forwarding

Port forwarding is like having specific lanes for different types of vehicles. Each type of vehicle (data) is directed to a specific lane (port) based on its destination. This helps manage traffic efficiently and ensures that each vehicle reaches its destination quickly.