2024/02/15 23:07:19

Firewall

A firewall (in Russian also called a "network screen", межсетевой экран) is a set of hardware or software components that monitors and filters the network packets passing through it at various layers of the OSI model according to a specified set of rules.


Firewall, or brandmauer, is a term for hardware and software that handles incoming and outgoing network traffic. The data passing through is checked against a set of specified rules and may be blocked from further transmission[1].

Both names were borrowed from foreign languages and mean the same thing, "fire wall": from English ("firewall") and German ("Brandmauer") respectively.

As the original wording suggests, a firewall is designed to protect the internal information environment, or individual parts of it, from certain external flows, and conversely to stop particular packets from leaving, for example to the Internet. Firewalls make it possible to filter out suspicious and malicious traffic, including stopping attempts at intrusion and data compromise.

When configured correctly, the firewall gives network users access to all the resources they need while dropping unwanted connections from attackers, viruses and other malware trying to break into the protected environment.


Gartner analysts have identified the next-generation firewall (NGFW) as a network security technology for large enterprises that incorporates a full set of tools for intrusion detection and prevention, application-level inspection, and fine-grained policy-based control.

If an organization is considering a next-generation firewall, the most important thing to determine is whether such a firewall will let it deploy applications safely for the benefit of the business. At the first stage, answers to the following questions are needed:

  • Will a next-generation firewall increase visibility into and understanding of application traffic on the network?
  • Can the traffic management policy be made more flexible by adding options beyond plain allow and deny?
  • Will the network be protected from threats and cyber attacks, both known and unknown?
  • Can unknown traffic be systematically identified and managed?
  • Can the necessary security policies be implemented without compromising performance?
  • Will the workload of the firewall management team be reduced?
  • Will it make risk management easier and more efficient?
  • Will policies be implemented that improve the profitability of the enterprise?

Once these questions are answered, the next step is to justify the transition from legacy firewalls to next-generation firewalls. After shortlisting a vendor, or a narrow set of vendors, through a request for proposals, the firewall's actual capabilities are evaluated using traffic of various types and combinations, together with objects and policies that accurately reflect the organization's business processes.

The main task of a firewall is to protect computer networks or individual hosts from unauthorized access. Firewalls are also often called filters, since their main job is to filter out (drop) packets that do not meet the criteria defined in the configuration.

Enterprise network protection is built on firewalls, which now must not only filter traffic by port but also inspect the data carried over the most popular ones. Sophos experts estimate that up to 80% of attacks are carried out through a web browser over HTTP or HTTPS, and the problem cannot be solved simply by filtering these protocols. This gives rise to new requirements for a new generation of firewalls combined with intrusion detection systems.

Next-generation firewalls are recommended for:

  • monitoring individual web applications;
  • intrusion detection in the most popular protocols, such as HTTP, SMTP and POP3;
  • creating VPN connections for remote access by mobile users;
  • optimizing network interaction.

It should be noted that intrusion detection systems are also required when processing personal data, protecting banking and payment systems, and in other complex information infrastructures. Combining them with firewalls is very convenient and beneficial for users.

Other names

Brandmauer is a German term that is the analogue of the English firewall in its original meaning (a wall separating adjacent buildings and preventing the spread of fire). Interestingly, in the field of computing the word "firewall" is used in German as well.

Файрвол, файервол, файрволл, файерволл, the Russian transliterations of the English term firewall, are equivalent to the term межсетевой экран (network screen); none of them is yet an official loanword in Russian [citation needed].

Firewall History

A firewall can be either a software tool or a combination of software and hardware. At first they were purely hardware, like the fire-protection structures that gave them their name.

In the context of computing, the term came into use in the 1980s, when the Internet was only at the beginning of its global adoption.

It is believed that before the term firewall entered real use, it was heard in the 1983 film WarGames, whose protagonist is a hacker who breaks into a Pentagon network. This may have influenced the adoption of just this name for the equipment.

The first firewalls could be said to be the routers that protected networks in the late 1980s. All transmitted data passed through them, so it was logical to add packet filtering to them.

Firewall Features

The modern corporate network is not a closed information space. It is often a distributed network linked to an external data center, using clouds and peripheral devices and consisting of many segments. A modern enterprise firewall must have the corresponding functions to protect it. The infographic[2] shows exactly what companies need from a firewall.

Types of Firewalls

Firewalls are divided into different types according to the following characteristics:

  • whether the firewall sits between a single host and a network, or between two or more different networks;
  • whether the data flow is inspected at the network layer or at higher layers of the OSI model;
  • whether the state of active connections is tracked or not.

Depending on the coverage of the monitored data flows, firewalls are divided into:

  • traditional network firewall: a program (or a component of the operating system) on a gateway (a server passing traffic between networks), or a hardware appliance, that controls the incoming and outgoing data flows between the connected networks;
  • personal firewall: a program installed on a user's computer and designed to protect only that computer from unauthorized access.

A degenerate case is a server using a traditional firewall to restrict access to its own resources.

Depending on the layer at which access control takes place, firewalls are divided into those operating at the:

  • network layer, where filtering is based on the sender and recipient addresses of packets, the transport-layer port numbers of the OSI model, and static rules set by the administrator;
  • session layer (also known as stateful), which tracks sessions between applications and does not pass packets that violate the TCP/IP specifications and are often used in malicious operations: resource scanning, intrusions through flawed TCP/IP implementations, connection termination or slowdown, and data injection;
  • application layer, where filtering is based on analysis of the application data carried inside the packet. Firewalls of this type can block the transfer of unwanted and potentially dangerous content based on policies and settings.
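The difference between the network-layer and application-layer cases above can be seen in a small filter that first applies static address/port rules and then, for traffic admitted towards port 80, parses the HTTP request and applies a content policy. This is an added example, not code from the original article or from any firewall product; the rule set, the addresses and the blocked host name are constructed for illustration.

```python
"""Added example (not from the original article or any vendor's code): a toy
packet filter with a network-layer rule set and an application-layer check.
Addresses, rules and the blocked host are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Network-layer policy (constructed): first match wins, implicit deny at the end.
RULES = [
    Rule("deny", src="203.0.113.0/24"),                      # blocklisted network
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=80),  # LAN -> web
    Rule("allow", src="10.0.0.0/8", proto="udp", dport=53),  # LAN -> DNS
]

BLOCKED_HOSTS = {"malware.example"}  # constructed application-layer deny list


def network_layer(p: Packet) -> str:
    """Static filtering on addresses, protocol and port only."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "deny"


def inspect_http(payload: bytes) -> str:
    """Application-layer check for traffic admitted on port 80: deny anything
    that is not a well-formed HTTP/1.x request (protocol validation) and any
    request whose Host header is on the deny list."""
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, _target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"
    if not version.startswith("HTTP/1.") or method not in {"GET", "HEAD", "POST"}:
        return "deny"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "deny"
        headers[name.strip().lower()] = value.strip()
    if headers.get("host", "").lower() in BLOCKED_HOSTS:
        return "deny"
    return "allow"


def decide(p: Packet) -> str:
    """Network-layer verdict first; packets allowed towards port 80 that carry
    data are additionally inspected at the application layer."""
    verdict = network_layer(p)
    if verdict == "allow" and p.proto == "tcp" and p.dport == 80 and p.payload:
        verdict = inspect_http(p.payload)
    return verdict


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"
    print(decide(Packet("10.1.2.3", "198.51.100.10", "tcp", 40000, 80, req)))
```

Note that `inspect_http` looks at a single packet and therefore assumes the request header fits in one segment. A real application-layer firewall or proxy reassembles the TCP stream before parsing; otherwise an attacker can split the request across segments so that no single packet looks like a complete request and the check is bypassed.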

Some application-layer firewall solutions are proxy servers with some firewall capabilities, implemented as transparent proxies specialized for particular protocols. The proxy capabilities and per-protocol specialization make filtering much more flexible than on classic packet-filtering firewalls, but such products inherit all the drawbacks of proxy servers (for example, traffic anonymization).

Depending on whether active connections are tracked, firewalls are:

  • stateless (simple filtering): they do not track current connections (for example, TCP) but filter the data stream solely on the basis of static rules;
  • stateful (stateful packet inspection, SPI, or context-aware filtering): they track current connections and pass only packets that satisfy the logic and algorithms of the corresponding protocols and applications. Firewalls of this type are more effective against various kinds of DoS attacks and against vulnerabilities in some network protocols. In addition, they support protocols such as H.323, SIP and FTP, which use complex data-exchange schemes between endpoints that are poorly described by static rules and are often incompatible with standard stateless firewalls.
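The practical consequence of the stateless/stateful distinction is easiest to see side by side. Below is an added example, not code from the original article or from any firewall product: a stateless filter that has to admit every inbound segment carrying the ACK flag in order to let replies through, and a minimal stateful tracker that follows the TCP handshake and admits inbound segments only when they belong to a connection the inside opened. The protected network 10.0.0.0/8, the policy "inside may initiate, outside may not", and the packet sequence are all constructed for the example.

```python
"""Added example (not from the original article): a stateless packet filter
next to a minimal stateful (SPI) connection tracker, run over a constructed
TCP handshake and an unsolicited inbound ACK probe. The inside network and
the policy ("inside may initiate, outside may not") are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed protected network


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless(p: Tcp) -> str:
    """Static rules only. Outbound traffic is allowed; to let replies back in,
    a stateless filter has to admit every inbound segment that carries ACK
    (the old 'established' approximation), so it cannot distinguish a genuine
    reply from an ACK probe sent to map the firewall."""
    if ip_address(p.src) in INSIDE:
        return "allow"
    return "allow" if "ACK" in p.flags else "deny"


class Stateful:
    """Tracks connections by (client, cport, server, sport) and admits only
    segments that fit the expected TCP state: a SYN from inside opens an entry,
    the peer's SYN/ACK moves it to SYN_RECV, the inside ACK completes the
    handshake, and anything from outside without a matching entry is dropped."""

    def __init__(self):
        self.table = {}

    def _key(self, p: Tcp):
        if ip_address(p.dst) in INSIDE:                 # reply direction
            return (p.dst, p.dport, p.src, p.sport), "in"
        return (p.src, p.sport, p.dst, p.dport), "out"

    def filter(self, p: Tcp) -> str:
        key, direction = self._key(p)
        state = self.table.get(key)
        syn_only = p.flags == frozenset({"SYN"})
        if state is None:
            if direction == "out" and syn_only:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "deny"                          # unsolicited or out of order
        if state == "SYN_SENT":
            if direction == "out" and syn_only:    # SYN retransmission
                return "allow"
            if direction == "in" and p.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "SYN_RECV"
                return "allow"
        if state == "SYN_RECV" and direction == "out" \
                and "ACK" in p.flags and "SYN" not in p.flags:
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if "RST" in p.flags:                   # connection torn down
                del self.table[key]
            return "allow"
        return "deny"                              # violates the handshake


# Constructed traffic: an inside client opening HTTPS to an outside server,
# followed by an outside scanner sending a bare ACK to an inside host.
CLIENT, SERVER, SCANNER = "10.1.1.5", "198.51.100.7", "203.0.113.9"
HANDSHAKE = [
    Tcp(CLIENT, 40000, SERVER, 443, frozenset({"SYN"})),
    Tcp(SERVER, 443, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Tcp(CLIENT, 40000, SERVER, 443, frozenset({"ACK"})),
    Tcp(SERVER, 443, CLIENT, 40000, frozenset({"ACK"})),   # reply data
]
ACK_PROBE = Tcp(SCANNER, 55555, CLIENT, 22, frozenset({"ACK"}))


def demo() -> dict:
    fw = Stateful()
    return {
        "stateless_handshake": [stateless(p) for p in HANDSHAKE],
        "stateful_handshake": [fw.filter(p) for p in HANDSHAKE],
        "stateless_probe": stateless(ACK_PROBE),
        "stateful_probe": fw.filter(ACK_PROBE),
    }


if __name__ == "__main__":
    print(demo())
```

Both filters pass the legitimate handshake, but only the stateful one drops the probe, because the probe matches no connection the inside initiated. Production SPI engines go further than this sketch: they also validate sequence numbers and window sizes, age entries out of the table, emulate state for UDP and ICMP, and use protocol helpers that parse the FTP, SIP or H.323 control channel to open the dynamically negotiated data ports mentioned above.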

Chronology of events

2024: Palo Alto Networks admits to a critical hole in its OS; tens of thousands of firewalls hacked around the world

On April 12, 2024, Palo Alto Networks announced the discovery of a critical zero-day vulnerability in its PAN-OS firewalls. The flaw, which is being actively exploited by cybercriminals, allows an attacker to take full control of the device and then penetrate the victim's IT infrastructure.

2023: Russian web application firewall market grows to RUB 4.6 billion

The Russian market for web application firewalls (WAF) grew to 4.6 billion rubles in 2023, according to data from MTS RED published in mid-February 2024.

MTS RED analysts name as the main drivers of WAF market growth the constant increase in the number of web applications being developed (by about 11% per year) and the growth in the number, intensity and sophistication of attacks carried out through them. According to the researchers, in 2023 attacks through web resources accounted for more than 46% of all attacks on companies, 14% more than in 2022. The most common targets of such attacks are the financial sector and retail.

As recently as 2022, foreign WAF vendors dominated the Russian market, but domestic vendors then began a rapid rise: in 2023 the total revenue of Russian providers of solutions in this class grew by 147%. Competition pushed domestic WAF developers to improve their products, and new Russian players and strong solutions began appearing on the market, the experts say.

"Monitoring and responding to cyber incidents, protection against DDoS attacks and attacks on web applications are the most popular services; they account for more than half of the total demand for information security services. In fact, this is the minimal set of 'hygiene' measures for a company's cyber protection," said Savva Livchin, head of business analytics at MTS RED.

According to the analysts' forecasts, the Russian WAF software market will grow by an average of 22% per year and reach 7.2 billion rubles by 2026, while the information security solutions market as a whole will grow by 24.6% annually, MTS RED expects.

2020: 53% of information security experts consider firewalls useless

On October 29, 2020, it became known that information security specialists have started to move away from firewalls, most of them on the grounds that in today's world firewalls can no longer provide the required level of protection, CNews reported that day.

The loss of trust in firewalls among information security specialists was confirmed by a study by the Ponemon Institute, which has worked in information security since 2002, conducted jointly with Guardicore from the same industry. Its staff surveyed 603 information security specialists at American companies and found that the vast majority of respondents speak negatively about the firewalls currently used in their companies. 53% of them are actively looking for other ways to protect their networks and the devices on them, while partially or completely abandoning firewalls because of their inefficiency, high cost and high complexity.

According to the survey, 60% of participants believe that legacy firewalls lack the capabilities needed to prevent attacks on critical business applications, and the same share consider legacy firewalls ineffective for building zero-trust networks.

76% of the specialists surveyed complained that with legacy firewalls it takes too long to protect new applications or to change the configuration of existing ones.

62% of the experts surveyed believe that access control policies in firewalls are not granular enough, which limits their ability to protect the most valuable information. 48% of respondents also stressed that firewall deployment takes too long, which increases their total cost and payback period.

According to the report, although 49% of respondents have implemented the Zero Trust security model to some extent, 63% believe that their organizations' legacy firewalls cannot provide zero trust on the corporate network. 61% noted that their organizations' firewalls cannot prevent a breach of the company's data servers, and 64% believe that legacy firewalls are ineffective against many modern attack types, including ransomware. Most of the specialists surveyed said firewalls are of no use where cloud security is concerned: 61% are convinced of their inefficiency for protecting data in the cloud, and 63% believe there is no point in trying to use them to secure critical cloud applications.

"The survey results show that the number one worry of firewall users is whether they can actually make next-generation protection technologies work in their environments. Legacy firewalls are not scalable, flexible or reliable for security," said Larry Ponemon, founder of the Ponemon Institute.

"The results of the study reflect what many chief information security officers already know: digital transformation has made firewalls obsolete. As organizations adopt the cloud, the Internet of Things and DevOps to become more agile, legacy network security solutions are not only ineffective at preventing attacks on their networks, they even hinder the agility and speed of operation that companies hope to achieve."

[3]

2012: Growing popularity of cloud technology foreshadows the early demise of firewalls

The evolution of IT infrastructures and the emergence of ever more ingenious threats have driven a persistent concern that firewalls are becoming obsolete and failing to cope with their tasks. Such opinions were first heard in the late 1990s, when laptops and remote access were increasingly used in corporate environments and users began talking about the growing vulnerability of networks. The forecasts were repeated a few years later, when SSL VPNs gained popularity and the use of smartphones and personal devices for network access boomed. The latest omen of the early death of firewalls is the growing popularity of cloud technologies[4].

The functionality of firewalls has expanded considerably: they are no longer just a means of monitoring particular ports, IP addresses or packet activity between addresses and making allow or deny decisions. Initially these systems included stateful packet inspection, flow monitoring, pattern matching and analysis. Now firewalls examine in detail the activity of specific applications and users. Firewalls that can identify the applications in use are often called next-generation firewalls, but the name is not entirely accurate, since this functionality has been in use for more than ten years.

In any case, the most pressing task for firewalls today is examining the Internet traffic passing through them and identifying the corporate and web applications in use, as well as their users. Pinpointing the type of traffic and who requests it is a vital need for organizations, since it lets them optimize and manage the use of applications (such as Facebook, YouTube, Google Apps and other Web 2.0 apps). With this knowledge, IT departments can tailor application use on the network to the needs of each user and of the organization.

Modern firewalls are evolving not only in traffic inspection and management; they also offer additional security capabilities that organizations can enable as needed: URL filtering, antivirus, spam and bot protection, data loss prevention, mobile access control and many others, which turn the firewall into a multi-service security gateway. With a software-driven modular approach, these features can be added and deployed to strengthen network security and address new problems as they arise.

So today firewalls not only protect the network perimeter, as they always have, but also make it possible to add security capabilities that could not have been dreamed of 20 years ago. Despite regular predictions of their inevitable decline, firewalls are now in the midst of their development.
