If you’re not filtering your internet traffic, you have a router, not a firewall. The good news is that most firewalls have features that can go a long way to protecting your IT and business resources.
Let’s start with the different kinds of firewalls and their use-cases.
- A “packet filter” firewall (operating at layer 3 of the OSI model) is used to separate subnets. It segments the network and gives you a lever to pull when you have an incident, i.e., you can block all networks but allow the phones or Wi-Fi to continue working without impacting the servers.
- A “circuit level” firewall (operating at layer 5 of the OSI model) is used at the perimeter (the WAN) of the network. This should have intrusion detection and prevention (IDPS) services, GEO filtering, heuristic analysis, etc.
- An “application layer” firewall (operating at layer 7 of the OSI model) is used to protect servers that are in some way exposed (to the Internet, to untrusted networks, and even potentially to trusted networks). It can terminate the SSL/TLS sessions, analyze the traffic, and filter out attacks such as cross-site scripting and SQL injection. It is usually placed as close as possible to the server it’s protecting.
Some networks have a single firewall that does all of the above tasks. There’s nothing wrong with that provided it meets the design requirements and objectives. You can imagine how this looks: a firewall with either many network ports that connect to your switches, or a trunk from the firewall to your switch(es). A good firewall has high-speed ports such as SFP+ (10G+), 10G Ethernet, or even fiber; these are usually used for connecting to internal switches rather than to the WAN device (perhaps the ISP’s router/switch), unless you’re lucky enough to have a 10G Internet connection.
Most firewalls these days can be used in hot/cold HA, i.e., two firewalls of identical models that synchronize their settings/config. If the primary goes offline, the secondary assumes the primary role.
Features that really help prevent cyber incidents are IDPS (intrusion detection and prevention system), DNS filtering and GEO restrictions. They’re simple and low-cost or even free.
Features that help with retrospective analysis are logs and SSL/TLS termination (for detailed traffic analysis). They’re what lets you form a theory about what happened.
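As an added example of the kind of theory the logs let you form (this is not code from the original post or from any firewall vendor), the script below parses a handful of firewall log lines and looks for an internal host that keeps retrying the same blocked outbound connection at a steady interval, which is what a blocked malware call-home tends to look like in the logs. The log format and every line in `SAMPLE_LOG` are constructed for illustration; real pfSense log lines use a different layout and would need their own regex.

```python
"""Retrospective analysis over firewall logs (added example, not the post's
own code).  The log format and sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: <timestamp> <action> <direction> <iface> <src> -> <dst> <proto>
# Addresses come from the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z block out wan 10.0.0.5:51234 -> 198.51.100.7:443 tcp
2024-03-01T09:00:05Z pass out wan 10.0.0.8:40001 -> 192.0.2.10:443 tcp
2024-03-01T09:01:00Z block out wan 10.0.0.5:51240 -> 198.51.100.7:443 tcp
2024-03-01T09:02:00Z block out wan 10.0.0.5:51251 -> 198.51.100.7:443 tcp
2024-03-01T09:03:00Z block out wan 10.0.0.5:51263 -> 198.51.100.7:443 tcp
2024-03-01T09:03:30Z block in wan 203.0.113.4:3389 -> 10.0.0.2:3389 tcp
2024-03-01T09:04:00Z block out wan 10.0.0.5:51270 -> 198.51.100.7:443 tcp
2024-03-01T09:10:00Z block out wan 10.0.0.9:51270 -> 198.51.100.20:80 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>pass|block) (?P<dir>in|out) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped
    rather than aborting the whole analysis on one bad record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_beacons(events, min_attempts=4, max_jitter=0.2):
    """Group blocked outbound attempts by (src, dst, dport) and report groups
    whose inter-attempt gaps are regular: standard deviation of the gaps is at
    most max_jitter times the mean gap.  Regular retries to one outside host
    are worth a closer look; a human still has to confirm the theory."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == "block" and e["dir"] == "out":
            groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])

    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "attempts": len(times), "interval_s": avg})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: "
              f"{f['attempts']} blocked attempts every {f['interval_s']:.0f}s")
```

On the sample data this reports one host, 10.0.0.5, retrying 198.51.100.7:443 every 60 seconds; the single blocked inbound RDP attempt and the one-off attempt from 10.0.0.9 are ignored because they do not form a repeating pattern. The thresholds (`min_attempts`, `max_jitter`) are the knobs you tune against your own log volume.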
If you do nothing else, add the GEO restrictions and DNS filtering. Together they will do so much to prevent terrible things from happening. Here’s how. GEO restrictions can be used in blacklist or whitelist mode, i.e.:
- Whitelist = allow only these countries and block everything else.
- Blacklist = deny only these countries and allow everything else.
If you only allow connections from your own country, you block direct connections from hackers in other countries. You can still allow your computers (or your proxy server) to establish connections out. You can even block connections in both directions, which prevents a virus (or ransomware) on your computer from connecting back to the hacker’s computer in another country.
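The whitelist and blacklist modes, and the difference between blocking inbound only and blocking both directions, come down to a small decision function. The following is an added example written for this post, not pfSense code: it models the policy in Python with a constructed prefix-to-country table (the RFC 5737 documentation ranges standing in for an ISP at home, a foreign ISP, and a third country; these are not real geolocation assignments) and a 10.0.0.0/8 LAN.

```python
"""Geo-restriction policy evaluation (added example, not the post's own code).
GEO_TABLE and LAN are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed lookup table: prefix -> country code.  Real geo filtering loads
# a full allocation database; this one just has enough entries to show the modes.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "AU",   # stands in for "our" country's ISP
    ip_network("198.51.100.0/24"): "RU",  # stands in for a foreign ISP
    ip_network("192.0.2.0/24"): "US",     # a third country
}
LAN = ip_network("10.0.0.0/8")            # constructed internal network


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix lookup is not needed for this toy table; first hit wins."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None  # no geolocation data for this address


@dataclass(frozen=True)
class GeoPolicy:
    mode: str                      # "whitelist" or "blacklist"
    countries: FrozenSet[str]      # the countries the policy names
    block_outbound: bool = False   # also apply the policy to connections leaving the LAN
    block_unknown: bool = True     # whitelist mode: treat unknown geolocation as foreign

    def country_allowed(self, cc: Optional[str]) -> bool:
        if self.mode == "whitelist":
            if cc is None:
                return not self.block_unknown
            return cc in self.countries
        if self.mode == "blacklist":
            return cc not in self.countries   # unknown is not on the deny list, so it passes
        raise ValueError(f"unknown mode {self.mode!r}")

    def decide(self, src: str, dst: str) -> str:
        """Return 'pass' or 'block' for a new connection from src to dst."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        inbound = src_ip not in LAN and dst_ip in LAN
        outbound = src_ip in LAN and dst_ip not in LAN
        if inbound:
            return "pass" if self.country_allowed(country_of(src)) else "block"
        if outbound and self.block_outbound:
            # Both-directions mode: a compromised LAN host cannot call out to
            # a blocked country either.
            return "pass" if self.country_allowed(country_of(dst)) else "block"
        return "pass"  # outbound when not restricted, or LAN-to-LAN (the packet filter's job)


if __name__ == "__main__":
    inbound_only = GeoPolicy("whitelist", frozenset({"AU"}))
    both_ways = GeoPolicy("whitelist", frozenset({"AU"}), block_outbound=True)
    print("foreign host -> LAN:", inbound_only.decide("198.51.100.7", "10.0.0.5"))
    print("LAN -> foreign host, inbound-only policy:", inbound_only.decide("10.0.0.5", "198.51.100.7"))
    print("LAN -> foreign host, both-directions policy:", both_ways.decide("10.0.0.5", "198.51.100.7"))
```

The `block_unknown` flag is the caveat worth noticing: addresses with no geolocation data exist in every real database, and a whitelist that silently passes them is weaker than it looks, so the example defaults to treating them as foreign.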
DNS filtering helps prevent your computer(s) from connecting to untrusted computers on the Internet. DNS names with bad reputations, or in categories such as drugs, porn, etc., can be blocked. It also helps prevent viruses, bots and malware from connecting to their command and control servers.
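To make the DNS-filtering mechanism concrete, here is an added example (not code from the post or from pfSense) of the policy a filtering resolver applies: a name is checked against a category feed, walking up through its parent domains so that a blocked domain covers all of its subdomains, and a blocked name is answered with a sinkhole address instead of being resolved. Every domain in `FEED` and `FAKE_UPSTREAM` is a constructed `.test` name, and the category feed and the stand-in upstream resolver are assumptions made so the script runs offline.

```python
"""DNS filtering as a resolver policy (added example, not the post's own code).
FEED, BLOCKED_CATEGORIES and FAKE_UPSTREAM are constructed for illustration."""
from typing import Callable, Dict, List, Optional, Tuple

SINKHOLE = "0.0.0.0"  # answer returned for blocked names

# Constructed reputation/category feed: domain -> category.  A real deployment
# loads this from a reputation provider; none of these names are real sites.
FEED: Dict[str, str] = {
    "example-gambling.test": "gambling",
    "example-c2.test": "malware",
    "tracker.example-ads.test": "ads",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling", "drugs", "porn"}

# Audit trail of blocks, so the retrospective analysis described above has
# something to work from.
AUDIT: List[Tuple[str, str, str]] = []   # (queried name, matched entry, category)


def parent_domains(name: str):
    """Yield the name and each parent: a.b.c -> a.b.c, b.c, c (lowercased, no trailing dot)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup_category(name: str) -> Optional[Tuple[str, str]]:
    """Most specific feed entry that covers the name, or None if nothing matches."""
    for candidate in parent_domains(name):
        if candidate in FEED:
            return candidate, FEED[candidate]
    return None


def resolve(name: str, upstream: Callable[[str], str]) -> Tuple[str, str]:
    """Apply the policy and return (answer, reason)."""
    hit = lookup_category(name)
    if hit is not None:
        matched, category = hit
        if category in BLOCKED_CATEGORIES:
            AUDIT.append((name, matched, category))
            return SINKHOLE, f"blocked: {matched} is in category {category}"
        return upstream(name), f"allowed: {matched} is in category {category}, not blocked"
    return upstream(name), "allowed: no reputation data"


# Constructed stand-in for the real upstream resolver, so the example runs offline.
FAKE_UPSTREAM = {
    "www.example.test": "192.0.2.10",
    "sub.example-c2.test": "198.51.100.1",
    "tracker.example-ads.test": "192.0.2.55",
}


def fake_upstream(name: str) -> str:
    return FAKE_UPSTREAM.get(name.lower().rstrip("."), "NXDOMAIN")


if __name__ == "__main__":
    for q in ("www.example.test", "sub.example-c2.test", "EXAMPLE-GAMBLING.test."):
        answer, reason = resolve(q, fake_upstream)
        print(f"{q:28} -> {answer:14} ({reason})")
```

The parent-domain walk is the part that matters in practice: if the feed lists `example-c2.test`, a query for any host under it is sinkholed too, and the `AUDIT` list records which internal query tripped which entry, which is exactly the record you want when you later go back to the logs.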
I recommend the Netgate pfSense appliances because:
- They have an exceptional reputation.
- They have the advanced features most businesses need.
- They are “very” low cost and require no license fees.
- They can function as a VPN server (roaming and site-to-site), SSL/TLS termination, HA, IDPS, GEO filtering, DNS filtering, captive portals for guests and Wi-Fi, trunking and VLANs, with a web front-end (and CLI if you want), etc.
- They are built on probably the most secure operating system available to the public.
- They’re peer reviewed – actively.
- They support OpenVPN and IPsec VPNs and are highly customisable, with hardware crypto offloading, i.e., most crypto work is assisted by a dedicated chip. Note that the hardware must support this feature.
- Upgrades are easy and, if done correctly within an HA environment, can be done with little to no downtime.
- There’s plenty of support, both paid and in the form of online documentation, forums and gurus sharing their knowledge through technical articles.
- They are extremely expandable. Not just hardware (which can be expanded in many cases) but the software is truly expandable.
- They are used by defence, government, and public and private businesses both large and small.
- The TCO (total cost of ownership) is considerably lower than the other big names in the firewall space.