By Shawn Byrne

One of the unsung heroes of the cybersecurity space is the firewall. Heroes because of their ability to maintain a network’s integrity: they provide a critical defense against unauthorized access, malware and cyberattacks. In cybersecurity’s ever-evolving landscape, firewalls serve as a primary guardian. Security measures such as a firewall play a pivotal role in fortifying networks and protecting data from malicious adversaries. In this column, we will explore firewalls and their essential functions as that stalwart of the network.
A network firewall is a security barrier positioned between an internal network and the rest of the Internet. Its primary function is to control traffic flow based on predefined permissions and security rules, permitting or blocking data packets according to what the firewall’s administrators have specified. Firewalls accomplish this by watching the ports that software uses. In this way, a firewall acts as a digital checkpoint that inspects any data or information entering the network from external sources. It is important to note that a firewall can also run on a computer itself: in addition to the network firewall, which is a piece of network hardware such as a router, a host-based firewall directly protects an operating system. Whether network or host based, all firewalls perform the same role.
One may wonder where this role fits in the Open Systems Interconnection (OSI) model. The firewall’s critical tasks involve monitoring traffic at Layer 4, also known as the transport layer or port layer. This layer focuses on end-to-end communication and data flow control. Firewalls can and do leverage this layer because it is critical to the passage of data packets and their avenues, more specifically communication ports.
Software communicates with software on other hosts (e.g., computers) from one IP address and port number to another IP address and port number. Communication ports, or ports, serve as gateways through which data packets enter or exit a host system over the network. Each port has a specific number, and each number corresponds to a specific application or service. A common example is port 80, which is associated with the HTTP traffic used for web browsing. For example, 142.251.16.139 is an IP address for Google; entering 142.251.16.139:80 in a web browser will bring up the website for Google’s search engine. Port 443 is used for the secure version of a website. At the time of writing this, my system will not work on 142.251.16.139:443, but will work on 142.251.16.139:80. This is because the software at that IP address is set to respond only on port 80. Firewalls can filter on certain ports, allowing or denying traffic purely based on the port number. Because the numbers are standardized, a firewall knows that port 80 is for unsecured websites and port 443 is for secured websites; firewalls on both the host and the network infer the purpose of a transmission from the port number used. This allows administrators to tailor firewall policies to their needs, blocking malicious traffic while permitting secured data packets.
Firewalls have two fundamental kinds of rules for managing network traffic, called ingress and egress rules. Ingress rules dictate what traffic is allowed to enter a network and prevent unauthorized access. Egress rules, on the other hand, control what traffic can leave a network, which prevents data leaks and outbound malicious connections. Both kinds of rules refer to the communication protocols Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is the protocol most commonly used for web browsing, but its main purpose is connection-oriented communication. UDP is connectionless, which makes it common in applications such as online video games. If ingress and egress rules are properly configured, only legitimate and necessary traffic will enter and exit the network, bolstering overall security. Modern firewalls also perform what is called stateful inspection rather than simple packet filtering. This method considers the active connections and their states: by keeping a record of each connection and its status, a firewall can ensure that an incoming packet is part of a legitimate connection. With this added check, malware and the exploitation of vulnerabilities can be prevented, specifically during and beyond the connection initiation process. In this way, a firewall can also consider the destination IP address and the typical communications to that IP.
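The following simulation is an added illustration, not code from the column, of the mechanisms described in the last two paragraphs: port-based filtering, separate ingress and egress rule sets, TCP versus UDP, and a connection table that turns a plain packet filter into a stateful one. All addresses, ports and rules are constructed sample values (203.0.113.0/24 is the RFC 5737 documentation range), and the class and function names are this example’s own. The demo also shows the point about connection initiation: a stray TCP packet aimed at port 80 would pass a purely port-based check, but the stateful check drops it because no allowed packet ever opened that connection.

```python
"""Toy stateful packet filter.

Added illustration (not code from the column): it models the ideas
described above in simplified form, including port-based rules, separate
ingress and egress rule sets, TCP versus UDP, and a connection table so
that a reply is admitted only for a connection that an allowed packet
opened.  All addresses, ports and rules are constructed sample values
(203.0.113.0/24 is the RFC 5737 documentation range).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/24")  # constructed: the "inside" of the network


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag: set only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class StatefulFirewall:
    def __init__(self, ingress: list, egress: list):
        self.ingress = ingress          # rules for traffic entering the network
        self.egress = egress            # rules for traffic leaving the network
        self.connections = set()        # 5-tuples of connections an allowed packet opened

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        # Stateful check first: packets belonging to an established connection,
        # in either direction, pass without consulting the rule tables.
        if self._key(pkt) in self.connections or self._reverse_key(pkt) in self.connections:
            return "allow (established)"
        # A TCP packet that is not a SYN and has no recorded state cannot be the
        # start of a legitimate connection, so it is dropped whatever its port.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no state)"
        # Choose the rule set by direction: inside -> outside is egress.
        rules = self.egress if ip_address(pkt.src_ip) in INTERNAL_NET else self.ingress
        for rule in rules:                      # first matching rule wins
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.connections.add(self._key(pkt))
                    return "allow (new)"
                return "deny (rule)"
        return "deny (default)"                 # nothing matched: default deny


def demo() -> dict:
    """Run a handful of constructed packets through the filter and return the verdicts."""
    fw = StatefulFirewall(
        ingress=[Rule("allow", "tcp", 443), Rule("allow", "tcp", 80)],   # only the web ports may be reached from outside
        egress=[Rule("deny", "tcp", 23), Rule("allow", "any", None)],    # no outbound telnet; everything else may leave
    )
    verdicts = {}
    verdicts["inbound_https"] = fw.filter(Packet("tcp", "203.0.113.5", 51000, "10.0.0.2", 443, syn=True))
    verdicts["inbound_ssh"] = fw.filter(Packet("tcp", "203.0.113.5", 51001, "10.0.0.2", 22, syn=True))
    verdicts["https_reply"] = fw.filter(Packet("tcp", "10.0.0.2", 443, "203.0.113.5", 51000))
    verdicts["stray_ack"] = fw.filter(Packet("tcp", "203.0.113.9", 40000, "10.0.0.2", 80))
    verdicts["outbound_telnet"] = fw.filter(Packet("tcp", "10.0.0.7", 40001, "203.0.113.20", 23, syn=True))
    verdicts["outbound_dns"] = fw.filter(Packet("udp", "10.0.0.7", 40002, "203.0.113.53", 53))
    verdicts["dns_reply"] = fw.filter(Packet("udp", "203.0.113.53", 53, "10.0.0.7", 40002))
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

The rule tables are ordered and first match wins, with an implicit default deny at the end, which is the safe default for both directions. Note how the reply packets (the HTTPS response and the DNS answer) are admitted by the connection table alone; with only the ingress rules, the DNS answer to a high client port would have been refused, which is exactly the gap stateful inspection closes.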
Many firewalls are also integrated with intrusion detection and prevention systems (IDPS) to bolster security even further. These systems actively monitor network flows for suspicious patterns and well-known attack patterns, which enhances the real-time protection that firewalls provide against threats. Evolutions of this idea include access control lists and unified threat management systems, such as Cisco ISE. More articles will follow on these subjects. For now, consider a firewall a good first step in both system and network security.
In conclusion, firewalls provide a critical defense against cyberattacks, malware and unauthorized access in general. Port-based filtering allows firewalls to control traffic with precision, properly safeguarding networks and data in an ever-growing Internet. As cyberthreats continue to evolve and vulnerabilities continue to be exploited, firewalls are able to adapt to the new challenges and evolve right alongside them.
Shawn Byrne is a staff biomedical engineer at VHA North Texas-Dallas.
