Eyup Aslanbay says
From the chapter, I learned that firewalls are like security guards for computer networks, but they can’t stop all attacks. It explains that the imprecision in packet filtering arises due to various methods used for examining packets. These methods are: stateful packet inspection filtering, static packet filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering.
Yannick Rugamba says
Valid insight. Indeed, no firewall can catch every attack – tradeoffs exist between precision and performance. SPI provides the best balance but still passes suspicious packets. I’d emphasize the severity of overload dangers as well – dropping legitimate traffic creates denial-of-service. Also highlight log analysis to identify successful attacks despite imprecision. Multi-layered security remains critical, not just firewalls.
Ooreofeoluwa Koyejo says
Firewalls being primary to network security makes them a significant tool in security architecture; hence the need for security professionals to develop competency in the use and configuration of this tool for the effectiveness of robust security architecture implementation.
Jon Stillwagon says
Hello Eyup, that is very true, what you said about firewalls being like security guards. When they help prevent bad packets from entering the system, it helps keep the system clean and running smoothly, but if firewalls receive too many packets at once, they drop everything, including all the packets that might actually help the company. It might be wise to have a good firewall system to prevent all the packets from being dropped.
Yannick Rugamba says
Firewall policies and access control lists need to be constantly reviewed and updated as new threats emerge. Effective firewall management requires clearly defined policies that drive configuration and vulnerability testing of firewalls. Log files also need to be frequently analyzed to identify attacks that made it past the firewall.
Celinemary Turner says
Yannick,
This is a great post; I agree with your analysis emphasizing the importance of proactive management and monitoring in maintaining the effectiveness of firewalls as a security measure.
Jon Stillwagon says
Hello Yannick, access control lists do need to be reviewed and updated, because you can't keep the same control lists, especially after you have been breached. It just means that you aren't updating yourself, so you can fall into the same hole again and again.
Ooreofeoluwa Koyejo says
There are multiple firewalls with different core functions such as border, internal, and host firewalls which can also be used to create a defence-in-depth security architecture. If the other firewalls placed in the network architecture have an access control list configuration error, individual hosts will still be protected.
Bo Wang says
Yes, perhaps organizations can set up multiple firewalls to maximize protection.
Jon Stillwagon says
Firewalls work with defense in depth and can act as a checkpoint to determine what goes through. It can also determine what doesn't go through; in some cases there can be more firewalls within an organization to pass through before reaching the main database. There is ingress filtering, which is when the firewall examines packets entering the network from the outside, coming from the internet itself. Then there is also egress filtering, which is a type of filtering for traffic that leaves the network and will prevent a firm's infected host from attacking another firm's host machine. There is even such a thing as traffic overload, where there can be too much traffic to filter through, so it will drop all packets if it becomes too excessive.
Celinemary Turner says
Hi Jon,
Your analysis was interesting. It gives a comprehensive overview of various aspects of firewall functionality and deployment within an organization's network:
Edge Kroll says
Hi Jon,
I agree addressing the challenge of traffic overload is crucial. The ability of firewalls to drop excessive packets under such circumstances is a practical measure to ensure the stability and efficiency of network operations. It’s essential to strike a balance between security and performance in high-traffic scenarios.
Celinemary Turner says
Through the chapter, I learned essential firewall operations. Firewalls support and enforce an organization's network security policy. If the packet is a provable attack packet, the firewall will discard the packet. If the packet is not a provable attack packet, the firewall delivers the packet to its destination; this is called a pass/deny decision. One thing that stood out to me as a concern was that the firewall will pass all attack packets that are not provable. This means it will pass any actual attack packets that are not provable. Therefore, it is imperative to harden hosts to protect them from attack packets that the firewall will not drop. Another key point I took from this reading was the various filtering mechanisms that firewalls use: static packet filtering, stateful packet inspection (SPI) filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. Static packet filtering was the earliest firewall mechanism, but because of its limitations, it is used as a secondary mechanism to supplement stateful packet inspection (SPI).
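The pass/deny decision, the ingress/egress split and the static-filter limitation that Jon's and Celinemary's posts describe, as an added example. This is editor-added illustration code, not from the chapter or from any poster. It assumes a border firewall with an "inside" and an "outside" interface, an internal range of 10.0.0.0/8 and a public web server at 10.0.1.10; the other addresses come from the TEST-NET documentation ranges and the rules are made up for the example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = "10.0.0.0/8"      # assumed internal address space
WEB_SERVER = "10.0.1.10/32"  # assumed public web server behind the firewall


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "outside" (Internet) or "inside"
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "deny"
    direction: str                            # "ingress" (entering) or "egress" (leaving)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None               # None = any protocol
    dports: Optional[Tuple[int, int]] = None  # inclusive destination-port range, None = any
    ack_set: Optional[bool] = None            # True/False = require that ACK state, None = ignore
    note: str = ""

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (
            self.direction == direction
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dports is None or self.dports[0] <= pkt.dport <= self.dports[1])
            and (self.ack_set is None or self.ack_set == pkt.ack)
        )


# Ordered ACL: the first matching rule wins; anything unmatched is denied (default deny).
ACL: List[Rule] = [
    # Ingress: a packet arriving from the Internet must not claim an internal source.
    Rule("deny", "ingress", src=INTERNAL, note="spoofed internal source"),
    Rule("pass", "ingress", dst=WEB_SERVER, proto="tcp", dports=(443, 443), note="public web server"),
    # A static filter cannot know which inbound packets are replies to internal clients, so it
    # approximates: pass TCP to ephemeral ports when ACK is set. This is the imprecision the
    # chapter warns about; stateful inspection exists to close it.
    Rule("pass", "ingress", dst=INTERNAL, proto="tcp", dports=(1024, 65535), ack_set=True,
         note="presumed reply to internal client"),
    # Egress: internal hosts may open web and DNS; everything else (e.g. SMTP from a compromised
    # workstation) falls through to the default deny.
    Rule("pass", "egress", src=INTERNAL, proto="tcp", dports=(80, 80), note="http"),
    Rule("pass", "egress", src=INTERNAL, proto="tcp", dports=(443, 443), note="https"),
    Rule("pass", "egress", src=INTERNAL, proto="udp", dports=(53, 53), note="dns"),
]


def decide(pkt: Packet, acl: List[Rule] = ACL) -> Tuple[str, str]:
    """Pass/deny decision: direction comes from the arrival interface, not from the addresses."""
    direction = "ingress" if pkt.iface == "outside" else "egress"
    for rule in acl:
        if rule.matches(pkt, direction):
            return rule.action, rule.note
    return "deny", "default deny"


def demo() -> dict:
    """Constructed packets; returns the decision for each case."""
    cases = {
        "client_https_out":  Packet("inside", "10.0.1.50", "198.51.100.7", "tcp", 51234, 443, syn=True),
        "infected_smtp_out": Packet("inside", "10.0.1.77", "198.51.100.9", "tcp", 40000, 25, syn=True),
        "web_in":            Packet("outside", "203.0.113.5", "10.0.1.10", "tcp", 33000, 443, syn=True),
        "ssh_in":            Packet("outside", "203.0.113.66", "10.0.1.10", "tcp", 40001, 22, syn=True),
        "spoofed_in":        Packet("outside", "10.0.1.50", "10.0.1.10", "tcp", 33001, 443, syn=True),
        # ACK-only probe to a workstation: not a provable attack packet, so the static filter passes it.
        "ack_probe_in":      Packet("outside", "203.0.113.66", "10.0.1.50", "tcp", 443, 51234, ack=True),
    }
    return {name: decide(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

Two things to take from running it: the infected host's outbound SMTP is stopped by the default deny rather than by any rule that names it, which is why the ACL must end in deny; and the ACK-only probe is passed because the static filter has no way to prove it is not a reply, which is exactly the "not provable" gap Celinemary raises and the reason host hardening still matters.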
Yannick Rugamba says
Inspecting packets and allowing or denying based on security rules. Important awareness of inherent imprecision in only stopping “provable” threats. Hardened hosts also vital. Good knowledge of diverse firewall filtering mechanisms as well, with SPI being dominant. I’d emphasize log analysis to catch incidents that get through despite limitations. Then stress layered security, not just relying on firewall guard.
Edge Kroll says
Hi Celinemary,
Your concern about the firewall passing attack packets that are not provable highlights the importance of implementing additional security measures on individual hosts. This emphasizes the concept of defense in depth, where multiple layers of security are employed to safeguard against different types of threats.
Edge Kroll says
I found it interesting that a firewall does not perform antivirus filtering, and instead, the firewall works with other servers that would be configured to perform the antivirus filtering. Traffic from the internet would typically come to the firewall first. Then it would be sent to the antivirus server, where the traffic would be analyzed for suspicious behavior such as viruses, worms, etc. Then, depending on the settings, it would either go to the firewall and destination host or it would go directly to the destination host.
Celinemary Turner says
Yes, it was interesting. I agree with you that the firewall does not perform anti-virus filtering. This is a time when a firewall administrator should be looking at it daily or even more frequently to ensure that daily system security is maintained.
Bo Wang says
My friend once made a similar virus script on the computer and the firewall did not recognize it.
Bo Wang says
The firewall not only checks individual packets, but also tracks the state of the network connection. It maintains a connection status table that records the status information of each network connection, such as source IP address, destination IP address, source port, destination port, and so on. By analyzing the status information of the connection, the firewall can control the flow of packets more accurately and avoid the passage of illegal packets.
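Bo's connection status table, as an added example. This is editor-added illustration code, not from the chapter or from the poster. It assumes the same made-up topology as above (an "inside" and an "outside" interface, a public web server at 10.0.1.10, TEST-NET addresses elsewhere), a 300-second idle timeout, and the simplification that a FIN or RST removes the entry at once; the packet sequence is constructed:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


Key = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)


class StatefulFirewall:
    """Minimal SPI engine: a connection table indexed by the initiator's 5-tuple."""

    WEB_SERVER = "10.0.1.10"   # assumed public web server behind the firewall

    def __init__(self, idle_timeout: float = 300.0):
        self.table: Dict[Key, float] = {}   # initiator 5-tuple -> time the connection was last seen
        self.idle_timeout = idle_timeout

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        # A reply from the server has the initiator's tuple with addresses and ports swapped.
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def _opening_allowed(self, p: Packet) -> bool:
        """Static ACL, consulted only for connection-opening packets (the secondary mechanism)."""
        if p.iface == "inside":   # egress: clients may open web and DNS
            return (p.proto == "tcp" and p.dport in (80, 443)) or (p.proto == "udp" and p.dport == 53)
        # ingress: only HTTPS to the public web server may be opened from outside
        return p.proto == "tcp" and p.dst == self.WEB_SERVER and p.dport == 443

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        for k in (self._key(p), self._reverse_key(p)):
            if k in self.table:
                # Part of a known connection: passed without re-checking the ACL.
                if p.proto == "tcp" and (p.fin or p.rst):
                    del self.table[k]   # simplification: real engines track the FIN in each direction
                else:
                    self.table[k] = now
                return "pass:established"
        is_opening = (p.proto == "udp") or (p.syn and not p.ack)
        if not is_opening:
            # e.g. an ACK-only probe with no matching connection: a static filter would pass it
            # as a presumed reply; the state table proves it is not one.
            return "deny:no-connection"
        if not self._opening_allowed(p):
            return "deny:policy"
        self.table[self._key(p)] = now
        return "pass:new"


def scenario() -> List[str]:
    """Constructed packet sequence; returns the firewall's decision for each packet."""
    fw = StatefulFirewall(idle_timeout=300)
    steps = [
        (0,   Packet("inside", "10.0.1.50", "198.51.100.7", "tcp", 51234, 443, syn=True)),
        (1,   Packet("outside", "198.51.100.7", "10.0.1.50", "tcp", 443, 51234, syn=True, ack=True)),
        (2,   Packet("outside", "203.0.113.66", "10.0.1.50", "tcp", 443, 51234, ack=True)),
        (3,   Packet("outside", "203.0.113.66", "10.0.1.10", "tcp", 40001, 22, syn=True)),
        (4,   Packet("inside", "10.0.1.50", "198.51.100.7", "tcp", 51234, 443, fin=True, ack=True)),
        (5,   Packet("outside", "198.51.100.7", "10.0.1.50", "tcp", 443, 51234, ack=True)),
        (6,   Packet("inside", "10.0.1.50", "198.51.100.53", "udp", 5353, 53)),
        (400, Packet("outside", "198.51.100.53", "10.0.1.50", "udp", 53, 5353)),
    ]
    return [fw.process(p, t) for t, p in steps]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The sequence shows the table doing the work Bo describes: the client's SYN creates the entry, the server's SYN/ACK is matched through the reversed tuple, the ACK-only probe from a third address is dropped because no entry matches, the FIN removes the entry so a late ACK is dropped too, and the UDP "reply" arriving after the idle timeout is treated as an unsolicited opening attempt and judged against the ACL.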
Jon Stillwagon says
Hello Bo, that's interesting that the firewall checks the state of the network connection. So if packets were coming from a weak network connection, it might not receive the packet entirely to go through the firewall. Long distances might play a role in this, as well as bandwidth when trying to send something.
Eyup Aslanbay says
The firewall’s ability to track connection states and monitor details like IP addresses and ports enhances its precision in controlling packet flow and blocking unauthorized traffic.
Ooreofeoluwa Koyejo says
There are different logs generated by firewalls and security professionals need to identify and understand the different information in the logs for monitoring, auditing and incident response purposes.