In an earlier article, I talked about the six building blocks of cybersecurity that every organization should have. One of these “building blocks” is having one or more network inspection devices (a.k.a. firewalls) to filter traffic on the network. The purpose of network inspection tools is to check all of the data packets that are entering or leaving a network asset (such as a router, computer terminal, or even an app) for signs of abnormal or malicious data (or requests that could have malicious purposes).
But, why do businesses need network inspection devices? Additionally, what should they look for in their firewalls?
Why Network Inspection Devices Are a Must for Cybersecurity
For many organizations, the firewall is the first line of defense against outside attacks. They help to automate the process of rejecting “bad” traffic by checking data packets for abnormalities and blocking those packets that are identified as malicious. This is particularly crucial for ensuring that a business remains cyber secure.
However, network inspection devices are useful for more than perimeter security. They can be configured to filter traffic between individual assets on the network, creating defense in depth and slowing the spread of an attack that begins inside the network itself.
Finally, firewalls can act as a final point of defense for keeping sensitive data from leaving the network by checking outgoing traffic. Network inspection of outgoing data packets can help identify abnormal requests and prevent them from being completed. This, in turn, can help to prevent data breaches—though attackers often try to find ways to prevent the firewall from blocking this outgoing traffic.
Firewalls are a valuable addition to any network security architecture. They help to create a simple, yet effective, way to control the flow of traffic from one part of a network to another. In fact, anything that makes it harder for attackers to get what they want while remaining undetected can be a worthwhile addition to a business’ cybersecurity measures.
The Evolution of Network Inspection Devices
Network inspection devices have changed significantly over the years, resulting in a variety of architectures. The first few types of firewalls were highly simplistic, checking only IP addresses for senders and destinations. Later firewalls added more functionality and tests to eventually inspect the contents of each data packet as it passes through. The lineage of network security devices includes these five firewall types:
- Packet Filtering Firewalls. These are the most basic and oldest forms of network inspection. They perform a quick, high-level check of a data packet’s header information (source and destination IP address, packet type, port number, etc.), which a skilled attacker can fool relatively easily. However, they also consume few resources, so their impact on network performance is minimal.
- Circuit-Level Gateways. Another simple firewall type, these network inspection devices verify the transmission control protocol (TCP) handshake to confirm that a session is legitimate. While efficient, they do not inspect the data packet itself, so a packet carrying malware passes as long as it belongs to a correctly completed TCP handshake.
- Stateful Inspection Firewalls. This firewall type could be considered a hybrid of packet filtering and circuit-level gateways. These network inspection devices provide a greater level of security than either of the previous two devices could alone but also have a larger impact on network performance.
- Application-Level Gateways (Proxy Firewalls). Also known as layer 7 firewalls, these network inspection devices operate at a different level than the firewalls listed above. Instead of letting traffic connect directly, these firewalls act as a proxy between the network and the traffic source. Because the firewall terminates the connection from the source before any traffic reaches the network, it hides the internal network from the outside, providing a degree of anonymity and making the network harder to probe directly. These security devices also frequently make use of deep packet inspection to check the contents of a data packet for signs of malware code. The drawback is that, because of the extra handling steps, these firewalls may significantly impact network performance.
- Next-Generation Firewalls. This is a catch-all term often used to describe newer network inspection devices that have specialized capabilities that may not be found in other firewall types. It’s hard to generalize about the capabilities of “next-gen” firewalls because there is no real consensus on what makes a firewall “next-gen” as opposed to being a proxy or stateful inspection firewall. However, common features include deep packet inspection, TCP handshake checks, and surface-level packet inspection. The impact on network performance that these firewalls can have will vary from one product to the next depending on its features.
Few, if any, modern firewalls work using only packet filtering, circuit-level gateways, or stateful inspection. The vast majority of network security devices now apply deep packet inspection and other next-gen security measures to prevent potentially malicious traffic requests from completing.
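To make the difference between the first three firewall types concrete, here is an added example (not code from the original article) that simulates a stateless packet filter next to a stateful inspection filter that tracks the TCP handshake. The addresses, ports and packets are constructed for the demo; packet 4 is an inbound packet that merely has the ACK flag set, which is enough to pass the header-only check but not the session-tracking check.

```python
from collections import namedtuple
# Constructed addresses and packets for the demo (not real captures).
INTERNAL, SERVER = "10.0.0.5", "203.0.113.10"  # inside workstation; permitted HTTPS server
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: S=SYN, A=ACK, P=PSH

def packet_filter(pkt):
    """Stateless packet filter: judges each packet on its headers alone."""
    if pkt.src == INTERNAL and pkt.dst == SERVER and pkt.dport == 443:
        return True
    # Classic stateless 'established' rule: any inbound packet with ACK set is
    # assumed to be a reply. That assumption is exactly what a forged packet fools.
    return pkt.dst == INTERNAL and "A" in pkt.flags

class StatefulFilter:
    """Stateful inspection: inbound packets pass only for a tracked TCP session."""
    def __init__(self):
        self.sessions = {}  # (src, sport, dst, dport) -> handshake state
    def check(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions:                        # client -> server direction
            if self.sessions[fwd] == "SYN_RECV" and "A" in pkt.flags:
                self.sessions[fwd] = "ESTABLISHED"      # handshake step 3 seen
            return True
        if rev in self.sessions:                        # server -> client direction
            state = self.sessions[rev]
            if state == "SYN_SENT" and pkt.flags == "SA":
                self.sessions[rev] = "SYN_RECV"         # handshake step 2 seen
                return True
            return state == "ESTABLISHED" and "A" in pkt.flags
        # Unknown flow: only an outbound SYN to the permitted service opens one.
        if (pkt.src, pkt.dst, pkt.dport, pkt.flags) == (INTERNAL, SERVER, 443, "S"):
            self.sessions[fwd] = "SYN_SENT"
            return True
        return False

SAMPLE_PACKETS = [
    Packet(INTERNAL, 40000, SERVER, 443, "S"),             # 1. client SYN
    Packet(SERVER, 443, INTERNAL, 40000, "SA"),            # 2. server SYN-ACK
    Packet(INTERNAL, 40000, SERVER, 443, "A"),             # 3. client ACK
    Packet("198.51.100.7", 31337, INTERNAL, 40000, "PA"),  # 4. forged 'reply', no session
    Packet(SERVER, 443, INTERNAL, 40000, "PA"),            # 5. genuine server data
]

def run_stateless(packets):
    return [packet_filter(p) for p in packets]
def run_stateful(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]
```

The stateless filter accepts all five packets, while the stateful filter drops packet 4 because no tracked session matches it.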
What to Look for in a Network Security Device
When choosing a network inspection device, it’s important to consider the following:
- How Will the Firewall Affect My Network? Different types of firewalls have varying levels of impact on a network’s performance. A business with limited network resources, or one where a drop in performance would disrupt operations, may do better to use a simpler firewall at the perimeter and reserve the more resource-intensive network inspection tools for its most sensitive assets.
- What Level of Cyber Threat Sophistication Can I Expect to Face? Considering past threat information and the most likely threat sources a business faces is important for choosing a network inspection device. If a business routinely encounters sophisticated attack strategies, it will benefit more from a robust and capable form of network inspection than it would if the majority of attacks were simple ones that less sophisticated firewalls could easily block.
- What Compliance Requirements Do I Need to Meet? Some companies may have to utilize a specific type of network inspection device based on a specific regulatory requirement. For example, when working with web applications, Payment Card Industry Data Security Standard (PCI DSS) specifies a requirement for a “web application firewall” rather than typical network firewalls that “are implemented at the perimeter of the network or between network segments (zones).” This is because “network firewalls usually are not designed to inspect, evaluate, and react to the parts of an Internet Protocol (IP) message (packet) consumed by web applications.” Checking the language of all applicable regulations can be crucial when picking a network inspection device meant to promote compliance.
Keeping these three questions in mind can be enormously useful for choosing the right type of firewall (or firewalls) to meet your business’ needs.
Need more help choosing and configuring network inspection devices for your business’ network? Contact the cybersecurity experts at Compuquip today for more information.