Dr Craig Valli and Dr Ian Martinus
Firewalls an oldy but still a goody. For the same reason we wear seatbelts in automobiles you should enable firewalls i.e safety and some security. Firewalls are technology that Cheswick and Bellovin circa 1988 are credited with inventing so yes they have been around a while in human years and eons in the Internet age.
Firewalls work by inspecting a network packet attempting to travel from one network to another network in particular direction either in(ingress) or out(egress). The packet is then checked for meeting certain pre-defined rules to allow the packet to flow past a point/gateway onto another network or be denied in that attempt to travel. Think of it as a virtual doorman i.e no tie = no entry. A TCP/IP packet has the basic header structure like this.
Basic TCP Header
So a simple rule is to check the Source Address is valid and that the Destination Address is valid/permitted. The more complex is multi-partite combination of the conditions using Boolean logic (> < = NOT AND OR) e.g IP from network 192.168.1.0/24 AND is going to some webserver on port 80.
There is also what is known as Deep Packet Inspection (DPI) that will look for instance into the actual packet data and look for malicious code. DPI as you can imagine is more intense and demands more memory and compute requirements of the actual firewall device to process the packets, in some cases it can cause noticeable performance hits on network throughput. DPI currently is increasing being less of a problem as code becomes more efficient and also some of the systems use customised hardware to accelerate this function.
A strength of firewalls are that they are good at following logic/protocols using basic Boolean logic and they does this well and at speed. A weakness of a firewall is that are good at the prior statement i.e attackers can use “protocol” or “valid logic” to break a firewall and make it “pass” the packet.
Less is more and plan to succeed
A case example taken from our consulting experience is that a large organisation had recently spent almost 1 million dollars on 2 state of the art high speed gateway firewall boxes. But upon installation the network performance was noticeably degraded and the longer the use of the firewall went on the performance continued to downgrade. The devices diagnostics showed no functional issues except high CPU utilisation. There was no disk or throughput issues when the devices were tested with standard performance tests. Extraction however, of the “ruleset” saw in excess of 15000 rules enabled which in of itself should not have been a problem as the boxes were powerful, however, there was some significant issues in the ruleset execution, the overall diagnostic setup and a complete lack of any type of system optimisation.
First things first The rules for web and email (the most widely used services) were at the end of these rules. So every rule had to process first before allowing web and email around 14000 plus rules each taking a CPU cycle and memory.
Takeaway – know your most used protocols/services and allow them first!
Second – Know what your systems ares There were rules for technologies in the set that were simply not present or even used by the organisation for example AppleTalk and Apple technology simple solution should not have been deployed. Takeaway – know your environment and cut your rules to suit. The rules once modified were only initially only 40 rules long down from a deployed 14000 plus!
Thirdly – Log it
They had a 8MB rotating logfile for a 1000 plus seat organisation it lasted 90 secs to 2 minutes during peak operation. There was no significant ability to diagnose anything on the systems Takeaway – Logfiles are important as a recovery or diagnostic tool you should store them for at least 6 months. If you are dealing with government in WA check WA State Records Act and if you have European nationals as users or employees EU GDPR requirements for openers.
Fourth – Slice and Dice
There was no segregation or separation of the network or user types they treated the network as a flat entity with the same type of users. So in this business that had financial and engineering elements critical to the business each user had the same privileges. So why would a normal corporate user need access to the accounting services/servers? Why would the accountants need access to an “engineering” part of the network? These are all standard business rules that need to be incorporated into your firewall policy to enable least privilege to the user.
Takeaway – Make your firewall reflects your business flows and functional job requirements i.e. allow access to only necessary functions for staff to do their job.
Enabling your firewall
On your devices this is one of most simple and effective tools at reducing the potential for harm. What ever you do do not switch if off!
Windows It is relatively easy thing to do for Windows 11 or 10 or 8 (seriously you need to upgrade) Turn on Windows 11, 10, 8 Firewall
Linux (Ubuntu, Debian)
UFW (Uncomplicated FireWall) apt-get install ufw -y
then ufw allow 80 (if you have a web server) ufw allow 443 (if you have secure web server) ufw allow ssh (allows remote access to your machine you will have to secure SSH separately) ufw logging on (logs any UFW actions to a log file) ufw enable (make the UFW start on reboot)
Phones and Tablets
Android (Samsung, Oppo…)
Bad news no native firewall built in to most Android variants on phones. You will have to install one good thing is most viral protection suites have this included.
Almost 30 years on it is still a must have
Firewalls are old and reliable at stopping a lot of malicious activity. Sure they can be in some cases defeated but several things:
The protection it gives is almost infinitely more safe than nothing.
When bypassing a firewall typically the attacker leaves significant evidence of it occurring. In addition their “intent” is no longer able to be considered a non-deliberate act under the law.
It is available as a free utility on most modern systems we use in our businesses so not deploying it is simply inexcusable.
Comments