I enjoyed this chapter on firewalls, and one new thing I learned about is intrusion detection systems. An intrusion detection system monitors a network or system for any suspicious or malicious activity. What I found interesting is that when it comes to this malicious activity, an IDS’ goal is to spot the activity but not stop it. Some of the components of an intrusion detection system include a protected system, sensor, decision engine, database knowledge, and database configuration. The systems that also take part in stopping the malicious activity are called intrusion prevention systems. IPSs have the power to stop malicious behavior once they have analyzed the activity and found it to be malicious.
I found this section interesting as well. I’ve been thinking about when to use an IDS vs. an IPS and the value they provide. I thought this article from Okta provided a good summary: https://www.okta.com/identity-101/ids-vs-ips/ Using both can add value, as they can complement each other and confirm active attacks. Okta offers a combined IDS/IPS solution that aims to minimize false positives while providing the automation to address active threats. I use this in my work and it’s been helpful when detecting issues.
A firewall is something that people are familiar with in computers, including people who don’t know much about computers. This chapter describes the basic operation of the firewall in detail. The firewall will inspect every data packet that passes through it, just like passing a security inspection. When the firewall proves that the packet is an attack packet, the firewall will drop the packet and record the dropped packet’s information in the log file. When the firewall is overloaded, it drops all packets it cannot handle. This mechanism has a technical term called “filtering”. There are several methods of firewall filtering: stateful packet inspection filtering, static packet filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. Modern firewalls also provide egress filtering to prevent outgoing attacks from infected computers. As mentioned in the article, firewalls are like electronic gates guarding a site’s network. Although firewalls cannot provide comprehensive protection, they are still the main security element of an enterprise.
I found the discussion about intrusion prevention system filtering very interesting. I found it interesting that an IDS’ goal is to spot the activity but not stop it. IPSs, on the other hand, have the power to stop malicious behavior once they have analyzed the activity and found it to be malicious. Firewalls and these different prevention systems are essential in guarding a system or network. I agree that they are the main security element of an enterprise, and I believe in the comparison of a firewall to an electronic gate.
In section 6.10, the authors discuss the death of the perimeter, which is a challenge facing many firms in their firewall implementation. These challenges were exacerbated with the transition to remote work, as employees were forced to work beyond the perimeter of the firm, often on devices that were not managed by IT. This introduces risk, as security teams do not have insight into home firewall rules or personal devices. Internal threats are also a concern, as employees can use personal devices and connect them to the corporate network. This bypasses the perimeter and provides opportunities for attackers to spread malware, exfiltrate data, and move laterally.
Defense in depth is important when considering how to defend against these challenges. Properly configured firewalls can provide excellent perimeter defense, but they cannot be the only protection. Network segmentation, user permissioning, and monitoring must be in place. In addition, adopting a zero trust strategy (see NIST SP 800-207) will also help with addressing these challenges. Finally, advances in VPN technology may allow for the network to be extended to home users through “always on” policies. Palo Alto’s GlobalProtect product offers this. Recent advances have made this service much faster and more manageable.
I agree with you that working remotely creates more challenges for many entities in firewall implementation. My firm has added more policies and tools to protect the system from threats. Defense in depth and security management are taken seriously.
The key point that I took from this chapter is the Defense in depth strategy. It is a strategy that leverages multiple security measures to protect an organization’s assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach.
Today’s cyber threats are growing rapidly in scale and sophistication. Defense in depth is a comprehensive approach that employs a combination of advanced security tools to protect an organization’s endpoints, data, applications, and networks. The goal is to stop cyber threats before they happen, but a solid defense-in-depth strategy also thwarts an attack that is already underway, preventing additional damage from taking place.
Antivirus software, firewalls, secure gateways, and virtual private networks (VPNs) serve as traditional corporate network defenses and are certainly still instrumental in a defense-in-depth strategy. However, more sophisticated measures, such as the use of machine learning (ML) to detect anomalies in the behavior of employees and endpoints, are now being used to build the strongest and most complete defense possible.
The chapter 6 reading breaks down firewalls. I believe most people have a basic understanding of what a firewall does and why it’s needed, but chapter 6 gives us a very detailed breakdown of firewalls and how they work. It explains the different methods that a firewall can use to be effective. The figures/diagrams in this chapter are very key, arguably more so than in any chapter we have read so far, because in my opinion it is one thing to explain what a firewall is doing, but I believe a person needs to also see the figure in order to fully understand the functions of a firewall, and this chapter did a great job of that. For this particular chapter I don’t have a section that jumped out at me, because I honestly found each section to be a very interesting read; it is definitely the best chapter in the book for me so far. Even with 20 years’ experience I found myself learning something new in this breakdown. I actually went back and read chapter 6 twice; that is how interesting chapter 6 was for me.
I felt the same way about the figures and diagrams. I consider myself more of a visual learner, and it’s important to understand how these environments are conceptually set up, so I found these figures and diagrams really helpful. I found the diagrams in sections 6.5, 6.7, and 6.8 particularly helpful.
I found section 6.6 interesting when the author broke down the differences between firewalls, IDSs, and IPSs. Traditionally, firewalls block/drop provable attack packets as they are identified. IDSs, on the other hand, allow the potential attack packet traffic to pass through the network but ultimately log the activity for review. However, IDSs produce many false positives when it comes to identifying potential attacks, so organizations typically have a hard time trusting the results of the monitored IDS system. IPSs were created to combine the functionality capabilities of firewalls and IDSs. For instance, IPSs can be used to simply block network traffic, like a firewall, but this method typically isn’t encouraged as it could greatly impact business processing. Also, IPSs can monitor attributes such as bandwidth limitations, subsequently blocking traffic once the configured network traffic threshold has been met/exceeded.
I also found that section interesting. IPSs do seem substantially more useful than IDSs when it comes to mitigating potential attacks. In fact, companies will want to prevent the attacks, not just know they are happening. IDSs do not appear to be all that helpful for a company. Only in a defense in depth situation would they serve a purpose. If a company were to implement an IDS in addition to other safeguards, then that would be the most useful scenario.
Although an IPS blocks network traffic, the ASIC and confidence spectrum capabilities of an IPS allow for faster filtering and identification of offenses when traffic is heavy. IPS is a solid filtering method, and I think it works as a good control to prevent attacks.
I think the important takeaway from this reading is the importance of the layers of security a firewall provides, if properly implemented for effective monitoring of packets. A firewall tracks active ingress (inbound) packets entering from the outside network and egress (outbound) packets leaving the connections on a network. The pass/deny decision on active packets before they get to the destination is one of the functions of security measures.
The stateful packet inspection and monitoring capability of a firewall is usually used to record information about each dropped packet in a log file.
The prevention would be to use intrusion prevention. False positives may be another proven issue organizations are challenged with, and such scenarios are addressed by investigation.
Great summary of this lecture! Now we do have a better understanding of how firewalls work. Before, people with no IT skills, including me, knew only that we need firewalls to see what’s coming in and out of the network. Now we know that there are different firewall filters that companies use for their information systems. The static filter firewall is the least used, as it does not guarantee strong security protection.
Great Ornella,
I like that this reading has equipped us all with a more in-depth understanding of the capabilities of the firewall security system, which helps in the prevention of unauthorized network connections and unauthorized malicious software entering the network. A firewall could be hardware, software, or a combination of both to prevent malicious attacks. It is particularly compulsory that every business should have a firewall, regardless of the size of the business.
Some key points that I took away from the chapter are that firewalls are like guards at the gates to site networks. They don’t provide total protection from incoming attacks or potential outbound attacks from infected computers. There are four types of firewalls companies can use: main border firewalls, screen border routers, internal firewalls, and host firewalls. I also found it interesting that firewalls don’t directly filter with antivirus filtering, but there is a strong connection between firewalls and antivirus servers.
It is important to understand what traffic and protocols are expected, and the firewall is a network security system that you can use to monitor and control incoming and outgoing traffic logs based on predetermined security rules. A firewall acts as a network security filter between local area networks and external networks and controls incoming and outgoing traffic to maintain a safe enterprise. The Palo Alto firewall is a next-generation firewall that provides least-privilege secure remote access to applications and services. It provides web filtering and a log collector to ensure proper firewall rules can be applied to provide protection. https://www.paloaltonetworks.com/sase/ztna https://live.paloaltonetworks.com/t5/general-articles/protecting-panorama-and-log-collector-inbound-and-outbound/ta-p/454071
Exactly, a lot of people mistakenly think that the firewall is the end-all solution to attackers getting into networks. Boundary defense is extremely important – but there are still some threats that a firewall cannot cover, which this chapter discusses. Furthermore, by looking at the evidence over a historical period – there are ways to bypass a firewall, which is why other security controls are just as important.
From this chapter I noticed that none of the firewalls or filtering really provide a perfect solution for securing networks. However, since defense in depth allows for different layers of protection, it ensures that if one countermeasure fails, the others remain in place. Nevertheless, meaningful planning is necessary before implementing different layers of defense to ensure there is a right balance between effective protection and data transmission efficiency.
Hi Elizabeth,
There is no perfect security solution. Security countermeasures are controls used to protect the confidentiality, integrity, and availability of data and information systems. Here, the firewall system is put in place to manage and inspect packets that pose threats. Firewalls are integrated into the first-layer security mechanism required to control and inspect packets moving through the connections. The logs recorded by the stateful firewall help in the identification of malicious packets flooded onto the network connections.
I agree with you both; indeed there is no such thing as 100% security. However, Elizabeth made a valid point when she elaborated on defense in depth and how multiple layers of security are integral when we are talking about protecting an organization’s information systems and assets/data. I also can appreciate Oluwaseun’s insight into what a firewall can be used for, the example he gave, and he even mentioned which layer of the OSI model the firewall works on. Good job to you both!
This chapter is the continuation of network security, to help us understand the filters that are used to allow packets in and out of a network. I found it interesting how firewalls have different filters for packets that are allowed internally and prohibited externally. For example, stateful packet inspection is what most organizations use today because it provides authenticity between two states and is stronger than static packet filtering. It also focuses on connections between programs on different hosts.
Ornella,
What I found interesting about stateful firewall inspection is that it collects and analyzes data regarding every connection made through the network system. This, in clear fact, is a security system that checks subsequent network connections against a list of attributes (packets) collected by the stateful firewall system to see whether the contents of the packet pose a threat to the security system.
This chapter talks about firewall rules, packet filtering, inspections, and the perimeter firewall architecture design for sites of large organizations. A firewall is an access control device that looks at packet filtering, compares it with user-based policy rules, and decides whether to allow or deny the packets. A firewall device is used for network security to verify the packet filtering, stateful inspection, proxy, and NAT rules. In addition, stateful inspection firewalls inspect and maintain a record of the state of each connection that passes through the firewall, verified against a TCP connection table. It explains the proxy firewall: all users’ SYN and ACK packets travel through a proxy server, and there is no direct connection between a client and the server. Section 6.8 covers the gateway routers that stop high-risk attacks and ensure that the reply to external scanning probes reaches its destination. It reduces the load on the perimeter firewall.
The following are the firewall key objectives: network resolution address, stateful packet inspection, application proxy, content proxy, host firewall, demilitarized zones, and firewall management.
This was a very good summary of the chapter. Your post is well written and very concise. I only talked about one topic in the chapter, and you managed to provide a lot of information in a brief amount of words. In my opinion it was a lot of information to take in as I read this chapter. That is why I think your post is impressive.
A common theme in this chapter is that the more in-depth the security is, the more processing power is required, since the more in-depth methods firewalls use to check packets can be taxing on processing power. For example, application proxies examine packets at the application layer and require more depth than using SPI. Another problem with this is that only certain applications can be filtered, since there are no specific patterns that can be filtered or protocols that can be enforced. It’s interesting to compare each firewall method, as they have pros and cons – and some methods are niche for their situation.
Great point about the processing power. It’s something that I believe gets lost in all of the activities involved in the firewall world, but it is very crucial to a successful setup. As mentioned, the more in-depth you go, the more taxing it is on the processing.
Good points. Because using firewalls to protect data and systems is a good choice in a cost-benefit analysis, many entities invest in building firewalls. Each firm has its own niche and each firewall method has pros and cons, so the firm needs to choose the firewall methods that fit its situation.
I like your perception of the theme of the chapter. I also appreciate the examples you’ve provided in talking about processing power, and the fact that you mentioned the application layer in the OSI model. Good post!
I found the part of the chapter on stateful packet inspection to be the section that stood out to me the most while reading this chapter on firewalls. Previously I was unaware of the specifics of how stateful firewalls operated, specifically regarding the connection table that the firewall refers to when inspecting the packets. Most packets are not attempting to establish a connection, and the ones that are can be examined by the firewall to see where the connection attempt originated from. By default, all attempts from inside would be allowed and all external attempts would be blocked. A stateful packet inspection firewall is low cost due to this simple table lookup when inspecting the packets. I had a previous understanding that these firewalls had a reputation for being more secure, but I had not heard that they are also inexpensive due to their ability to drop or pass most packets more quickly than other firewall types.
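The connection-table behaviour described in this post, written out as a small simulation. This is an added example, not code from the textbook or any vendor product; the 10.0.0.0/8 "internal" range, the published web server, and the packet sequence are all constructed.

```python
"""Minimal stateful packet inspection (SPI) firewall simulation.

Added example, not from the textbook or any vendor product. It models the
connection table discussed above: only connection-opening packets (TCP SYN)
are judged by the direction rule (internally initiated connections allowed,
externally initiated ones blocked unless explicitly published), and every
other packet is decided by a cheap table lookup. Every drop is logged.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample address space for the "internal" side of the firewall
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "RST", ...


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


class StatefulFirewall:
    def __init__(self, published_services=None):
        # (dst_ip, dst_port) pairs that outsiders may open connections to
        self.published_services = set(published_services or [])
        # Connection table keyed by (src_ip, src_port, dst_ip, dst_port)
        # of the packet that opened the connection
        self.connections = set()
        self.log = []

    @staticmethod
    def _key(p: Packet):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        """Return "PASS" or "DROP" for one packet and update the table."""
        if p.flags == "SYN":
            # Connection-opening attempt: apply the direction rule
            if is_internal(p.src_ip) and not is_internal(p.dst_ip):
                self.connections.add(self._key(p))
                return "PASS"
            if not is_internal(p.src_ip) and (p.dst_ip, p.dst_port) in self.published_services:
                self.connections.add(self._key(p))
                return "PASS"
            return self._drop(p, "unsolicited connection attempt")

        # Any other packet must belong to a connection already in the table,
        # in either direction; this lookup is what makes SPI cheap
        fwd, rev = self._key(p), self._reverse_key(p)
        if fwd in self.connections or rev in self.connections:
            if p.flags == "RST":
                # A reset ends the connection; later packets need a new SYN
                self.connections.discard(fwd)
                self.connections.discard(rev)
            return "PASS"
        return self._drop(p, "no matching connection in table")

    def _drop(self, p: Packet, reason: str) -> str:
        self.log.append(
            f"DROP {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {p.flags} ({reason})"
        )
        return "DROP"


def demo():
    """Run a constructed packet sequence through the firewall."""
    fw = StatefulFirewall(published_services={("10.1.1.80", 443)})
    sequence = [
        Packet("10.2.3.4", 50000, "203.0.113.5", 443, "SYN"),      # inside opens: allowed
        Packet("203.0.113.5", 443, "10.2.3.4", 50000, "SYN-ACK"),  # reply matches table
        Packet("198.51.100.9", 40000, "10.2.3.4", 22, "SYN"),      # outside opens: blocked
        Packet("198.51.100.9", 40000, "10.2.3.4", 22, "ACK"),      # claims to be established: no entry
        Packet("198.51.100.9", 40001, "10.1.1.80", 443, "SYN"),    # published web server: allowed
    ]
    return [(p.flags, fw.process(p)) for p in sequence], fw.log


if __name__ == "__main__":
    decisions, log = demo()
    for item in decisions:
        print(item)
    print("\n".join(log))
```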
One key point that I enjoyed from chapter 6 was section 6.10.2 on attack signature filtering vs. anomaly detection. Attack signature filtering scans for patterns from known attacks. This method is more accurate in detecting malicious traffic, in that it does not produce many false positives, but it offers no protection against zero-day attacks. Anomaly detection, on the other hand, looks for anything out of the ordinary and can produce many false positives. With anomaly detection, the normal/baseline operations have to be tracked and set before anomalies can be detected. Anomaly detection is necessary for many environments, as new attacks come out frequently, but it does require more time, effort, and money to implement.
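The signature-vs-anomaly trade-off from this post, run over constructed log lines so both outcomes are visible. This is an added example, not code from the textbook; the two signatures, the log format, the baseline hosts and the 3-sigma threshold are all assumptions made for the demonstration.

```python
"""Attack-signature filtering next to anomaly detection.

Added example, not from the textbook. Both detectors run over constructed
connection-log lines of the form "<src_ip> <dst_port> <bytes> <uri>" so the
trade-off is visible in the output: signatures flag only known patterns and
miss an unseen probe; the rate-based anomaly detector needs a trained
baseline, catches the probe, and also flags a legitimate burst (a false
positive).
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Known-bad request patterns (illustrative; real signature sets are large)
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"(?i)union\s+select"),
}


def _lines(src, n, uri="/index.html", port=443, nbytes=512):
    """Build n constructed log lines from one source address."""
    return [f"{src} {port} {nbytes} {uri}" for _ in range(n)]


# Constructed baseline window: ordinary browsing from four internal hosts
BASELINE = (_lines("10.0.0.11", 4) + _lines("10.0.0.12", 5)
            + _lines("10.0.0.13", 6) + _lines("10.0.0.14", 5))

# Constructed observation window
OBSERVED = (_lines("10.0.0.11", 5)
            + _lines("198.51.100.7", 12, "/login?user=guest")       # unseen probe, no signature
            + _lines("10.0.0.20", 10, "/backup/chunk")              # legitimate backup burst
            + _lines("10.0.0.12", 3)
            + _lines("10.0.0.12", 1, "/images/../../config.ini"))  # known pattern, normal rate


def parse(line):
    src, port, nbytes, uri = line.split(maxsplit=3)
    return {"src": src, "port": int(port), "bytes": int(nbytes), "uri": uri}


def signature_alerts(lines):
    """Precise, but only for patterns already in SIGNATURES."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["uri"]):
                alerts.append((rec["src"], name))
    return alerts


class RateAnomalyDetector:
    """Flags sources whose request count is far above the learned baseline."""

    def __init__(self, k=3.0):
        self.k = k  # how many standard deviations above the mean counts as anomalous
        self.mean = None
        self.stdev = None

    def train(self, baseline_lines):
        # The baseline must be established before anything can be called abnormal
        counts = Counter(parse(ln)["src"] for ln in baseline_lines)
        self.mean = mean(counts.values())
        self.stdev = pstdev(counts.values())

    def threshold(self):
        return self.mean + self.k * self.stdev

    def alerts(self, lines):
        if self.mean is None:
            raise RuntimeError("train() on a baseline window before detecting")
        counts = Counter(parse(ln)["src"] for ln in lines)
        return [(src, "rate-anomaly") for src, n in counts.items() if n > self.threshold()]


def compare(baseline=BASELINE, observed=OBSERVED):
    """Return what each approach would alert on for the same window."""
    det = RateAnomalyDetector(k=3.0)
    det.train(baseline)
    return {"signature": signature_alerts(observed), "anomaly": det.alerts(observed)}


if __name__ == "__main__":
    for method, alerts in compare().items():
        print(method, alerts)
```

The probe from 198.51.100.7 appears only in the anomaly list, the traversal attempt from 10.0.0.12 only in the signature list, and the backup host 10.0.0.20 is the anomaly detector's false positive.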
Even though firewalls stand like guards at the “gates” to site networks, they are one of the prime elements in any company’s security. Firewalls provide both ingress and egress filtering to stop attack packets from getting into the firm and to prevent outgoing attacks by infected computers. Therefore, companies must plan their firewall architectures carefully. Although there are many firewall filtering mechanisms, most companies’ firewalls do not provide antivirus filtering directly, relying instead on strong connections between firewalls and antivirus servers.
Good post! I learned a lot from this reading and am still continuing to learn. There are different firewall filters which I did not know about, and also, since they do not provide antivirus filtering, IDSs and IPSs are created to detect if something happens in the system.
Something that piqued my interest in this chapter was NAT (Network Address Translation). This is a topic I am slightly familiar with from studying CompTIA’s A+ and Security+ certifications. NAT is a way to map multiple local private addresses to a public one before transferring the information. NAT can also provide security and privacy. Moreover, it can prevent something from accessing a private device. NAT has many uses; for instance, NAT can also allow you to display a public IP address while on a local network, helping to keep data and user history private. This chapter mentions how a NAT firewall can utilize several methods “to make pass/deny decisions about arriving packets.” I definitely want to capitalize on the information they provided for Network Address Translation; I know it is an important topic in dealing with information security.
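The private-to-public mapping this post describes, as a port-translating NAT table. This is an added example, not code from the textbook or any product; the public address 203.0.113.10, the starting public port and the private hosts are constructed for the demonstration.

```python
"""Port-translating NAT table ("many private addresses behind one public
address").

Added example, not from the textbook or any product. Outbound packets have
their private source rewritten to the single public address plus a fresh
public port; inbound packets are translated back only when they match an
existing mapping, including the remote endpoint that mapping was created
for, so an outside host cannot reach a private device on its own initiative.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"  # constructed public address of the NAT firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, first_public_port=40000):
        self._next_port = first_public_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self._outbound = {}
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self._inbound = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the private network."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self._outbound:
            # First packet of this flow: allocate a public port for it
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self._inbound[public_port] = key
        return replace(p, src_ip=PUBLIC_IP, src_port=self._outbound[key])

    def inbound(self, p: Packet):
        """Translate a packet arriving at the public address; None means drop."""
        if p.dst_ip != PUBLIC_IP:
            return None
        entry = self._inbound.get(p.dst_port)
        if entry is None:
            return None  # nothing inside asked for this: unsolicited, dropped
        private_ip, private_port, remote_ip, remote_port = entry
        if (p.src_ip, p.src_port) != (remote_ip, remote_port):
            return None  # mapping belongs to a different remote endpoint
        return replace(p, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = NatTable()
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    print("outbound ->", out)
    print("reply    ->", nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out.src_port)))
    print("stranger ->", nat.inbound(Packet("198.51.100.99", 80, PUBLIC_IP, out.src_port)))
```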
I found section 6.7, “Antivirus Filtering & Unified Threat Management”, to be particularly interesting in our reading this week. Firewalls do not perform antivirus filtering, but instead work closely with antivirus filtering servers. They do this by passing a packet on to an antivirus server if they have a rule stating to do so for that type of packet. The antivirus server then filters the virus (or worm, spam, etc.) and passes it back to the firewall to pass on to the receiver if it does not drop the object itself. I thought this was pretty cool because most antivirus software on home computers usually includes a firewall as well, so I always just assumed they were one and the same. This is sometimes the case with UTM firewalls, which perform firewall/antivirus filtering, but usually the duty is separated.
In the security model, firewalls are used as guards. No one guarantees that they are protecting networks fully, but they are still a prime element in security. Some of the challenges that firewalls experience are the death of the perimeter, where attackers do not come through the Internet border, and long-used signature detection when there is no signature for the attackers (zero-day attack). So, to make the best out of firewalls, strong management is essential, where the company defines policies for configuration and vulnerability testing.
Michael Galdo says
I enjoyed this chapter on firewalls and one new thing I learned about is intrusion detection systems. An intrusion detection system monitors a network or system for any suspicious or malicious activity. What I found interesting is that when it comes to this malicious activity, an IDS’ goal is to spot the activity but not stop it. Some of the components of an intrusion detection system include a protected system, sensor, decision engine, database knowledge, and database configuration. The systems that also take part in stopping the malicious activity are called intrusion prevention systems. IPS have the power to stop malicious behavior once analyzing that the activity is malicious.
Matthew Bryan says
I found this section interesting as well. I’ve been thinking about when to use an IDS vs IPS and the value they provide. I thought this article from Okta provided a good summary- https://www.okta.com/identity-101/ids-vs-ips/ Using both can add value as they can complement each other and confirm active attacks. With Okta, they offer a combined IDS/IPS solution that aims to minimize false positives while providing the automation to address active threats. I use this in my work and it’s been helpful when detecting issues.
Hang Nu Song Nguyen says
Thanks for sharing. Absolutely, we need both IDS a IPS for detecting and protecting to minimize malicious attacks automatically.
Yangyuan Lin says
Firewall is something that people are familiar with in computers, including people who don’t know much about computers. This chapter describes the basic operation of the firewall in detail. The firewall will inspect every data packet that passes through it, just like passing a security inspection. When the firewall proves that the packet is an attack packet, the firewall will drop the packet, and Record dropped packet information in the log file. When the firewall is overloaded, it drops all packets it cannot handle. This mechanism has a technical term called “Filtering”. Several methods of firewall filtering: stateful package inspection filtering, static packet filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. Also, modern firewalls also provide egress filtering to prevent outgoing attacks from infected computers. As mentioned in the article, firewalls are like electronic gates guarding a site’s network. Although firewalls cannot provide comprehensive protection, firewalls are still the main security element of an enterprise.
Michael Galdo says
Hi Yanguan,
I found the discussion about intrusion prevention system filtering very interesting. I found it interesting that an IDS’ goal is to spot the activity but not stop it. IPS, on the other hand, have the power to stop malicious behavior once analyzing that the activity is malicious. Firewalls and these different prevention systems are essential in guarding a system or network. I agree that they are the main security element of an enterprise, and I believe in the comparison of a firewall to an electronic gate.
Matthew Bryan says
In section 6.10. The authors discuss the death of the perimeter, which is a challenge facing many firms in their firewall implementation. These challenges were exacerbated with the transition to remote work as employees were forced to work beyond the perimeter of the firm, often on devices that were not managed by IT. This introduces risk as security teams do not have insight into home firewall rules or personal devices. Internal threats are also a concern as employees can use personal devices and connect them to the corporate network. This bypasses the perimeter and provides opportunities for attackers to spread malware, exfiltrate data, and move laterally.
Defense in depth is important when considering how to defend against these challenges. Properly configured firewalls can provide excellent perimeter defense, but they cannot be the only protection. Network segmentation, user permissioning, and monitoring must be in place. In addition, adopting a zero trust strategy, see NIST SP 800-207, will also help with addressing these challenges. Finally, advances in VPN technology may allow for the network to be extended to home users through “always on” policies. Palo Alto’s Global Protect product offers this. Recent advances have made this service much faster and more manageable.
Hang Nu Song Nguyen says
I agree with you that working remotely makes more challenge to many entities in firewall implementation. My firm has added more policies and tools to protect the system from threats. Defense in depth and security management are considered seriously.
Shubham Patil says
The key point that I took from this chapter is the Defense in depth strategy. It is a strategy that leverages multiple security measures to protect an organization’s assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach.
Today’s cyber threats are growing rapidly in scale and sophistication. Defense in depth is a comprehensive approach that employs a combination of advanced security tools to protect an organization’s endpoints, data, applications, and networks. The goal is to stop cyber threats before they happen, but a solid defense-in-depth strategy also thwarts an attack that is already underway, preventing additional damage from taking place.
Antivirus software, firewalls, secure gateways, and virtual private networks (VPNs) serve as traditional corporate network defenses and are certainly still instrumental in a defense-in-depth strategy. However, more sophisticated measures, such as the use of machine learning (ML) to detect anomalies in the behavior of employees and endpoints, are now being used to build the strongest and most complete defense possible.
Jason Burwell says
Chapter 6 reading breaks down Firewalls. I believe most people have a basic understanding of what a firewall does and why its needed but chapter 6 gives us a very detailed breakdown of Firewalls and how they work, it explains the different methods that a firewall can use to be effective, the figures/diagrams in this chapter are very key, arguably more so than any chapter we have read so far. Because in my opinion it is one thing to explain what a firewall is doing, but I believe a person needs to also see the figure in order to fully understand the functions of a firewall, and this chapter did a great job of that. For this particular chapter I dont have a section that jumped out to me because I honestly found each section to be a very interesting read, definitely the best chapter in the book for me so far. Even with 20 years experience I found myself learning something new in this breakdown, I actually went back and read chapter 6 twice, that is how interesting chapter 6 was for me.
Bryan Garrahan says
I felt the same way about the figures and diagrams. I consider myself more of a visual learner and it’s important to understand how these environments are conceptually setup so I found these figures and diagrams really helpful. I found the diagrams in sections 6.5, 6.7, and 6.8 particularly helpful.
Bryan Garrahan says
I found section 6.6 interesting when the author broke down the differences between firewalls, IDSs and IPSs. Traditionally, firewalls block/drop provable attack packets as they are identified. IDSs on the other hand allow the potential attack packet traffic to pass through the network but ultimately log the activity for review. However, IDSs produce many false positives when it comes to identifying potential attacks so organizations typically have a hard time trusting the results of the monitored IDS system. IPSs were created to combine the functionality capabilities of Firewalls and IDSs. For instance, IPSs can be used to simply block network traffic, like a firewall, but this method typically isn’t encouraged as it could greatly impact business processing. Also, IPSs can monitor attributes such as bandwidth limitations, which subsequently block traffic once the configured network traffic threshold has been met/exceeded.
Ryan Trapp says
Hi Bryan,
I also found that section interesting. IPSs do seem substantially more useful than IDSs when it comes to mitigating potential attacks. In fact, companies will want to prevent the attacks, not just know they are happening. IDSs do not appear to be all that helpful for a company. Only in a defense in depth situation would they serve a purpose. If a company were to implement an IDSs in addition to other safeguards then that would be the most useful scenario.
Yangyuan Lin says
Hi Bryan,
Although IPS blocks network traffic, the ASIC and confidence spectrum capabilities of IPS allow for faster filtering and identification of offenses when traffic is heavy. IPS is a solid filtering method, and it works as a good control to prevent attacks I think.
Oluwaseun Soyomokun says
I think the important take away from this reading is about the importance of the layers of security firewall provides, if properly implemented for effective monitoring of packets. Firewall tracks active Ingress (inbound) packets entering from the outside network and egress (outbound) packets leaving the connections on a network. The pass/deny decision of active packets before getting to the destination is one of the functionality of security measures.
Its stateful packet inspection and monitoring capabilitity of a firewall is usally to record information about each dropped packet in a log file.
The prevention would be to use the intrusion prevention. False positive maybe another proven issues organization are challenged with and to address such scenarios by investigation.
Ornella Rhyne says
Hi Oluwaseun,
Great summary of this lecture! Now we have a better understanding of how firewalls work. Before, people with no IT skills, including me, only knew that we need firewalls to see what’s coming in and out of the network. Now we know that there are different firewall filters that companies use for their information systems. The static filter firewall is the least used as it does not guarantee strong security protection.
Oluwaseun Soyomokun says
Great Ornella,
I like that this reading has equipped us all with a more in-depth understanding of the capabilities of the firewall security system, which helps in the prevention of unauthorized network connections and unauthorized malicious software entering the network. A firewall could be hardware or software, or a combination of both, to prevent malicious attacks. It is particularly compulsory that every business should have a firewall, regardless of the size of the business.
Corey Arana says
Some key points that I took away from the chapter are that firewalls are like guards at the gates to site networks. They don’t provide total protection from incoming attacks or potential outbound attacks from infected computers. There are four types of firewalls companies can use: main border firewalls, screen border routers, internal firewalls, and host firewalls. I also found it interesting that firewalls don’t directly filter with antivirus filtering, but there is a strong connection between firewalls and antivirus servers.
Mohammed Syed says
It is important to understand what traffic and protocols are expected, and the firewall is a network security system that you can monitor, controlling incoming and outgoing traffic logs based on predetermined security rules. A firewall acts as a network security filter between local area networks and external networks and controls incoming and outgoing traffic to maintain a safe enterprise. The Palo Alto firewall is a next-generation firewall that provides least-privileged secure remote access to applications and services. It provides web filtering and a log collector to ensure proper firewall rules can be applied to provide protection.
https://www.paloaltonetworks.com/sase/ztna
https://live.paloaltonetworks.com/t5/general-articles/protecting-panorama-and-log-collector-inbound-and-outbound/ta-p/454071
Michael Duffy says
Corey,
Exactly, a lot of people mistakenly think that the firewall is the end-all solution to attackers getting into networks. Boundary defense is extremely important – but there are still some threats that a firewall cannot cover which this chapter discusses. Furthermore, by looking at the evidence over a historical period – there are ways to bypass a firewall which is why other security controls are just as important.
Elizabeth Gutierrez says
From this chapter I noticed that none of the firewalls or filtering really provide a perfect solution for securing networks. However, since defense in depth allows for different layers of protection, it ensures that if one countermeasure fails, the others remain in place. Nevertheless, meaningful planning is necessary before implementing different layers of defense to ensure there is a right balance between effective protection and data transmission efficiency.
Oluwaseun Soyomokun says
Hi Elizabeth,
There is no perfect security solution. Security countermeasures are controls used to protect the confidentiality, integrity and availability of data and information systems. Here, firewall systems are put in place to manage and inspect packets that pose threats. Firewalls are integrated protection in the first-layer security mechanism required to control, with inspection, packets moving through the connections. The logs recorded from the stateful firewall help in the identification of malicious packets flooded onto the network connections.
Joshua Moses says
Hello Elizabeth and Oluwaseun
I agree with you both; indeed, there is no such thing as 100% security. However, Elizabeth made a valid point when she elaborated on defense in depth and how multiple layers of security are integral when we are talking about protecting an organization’s information systems and assets/data. I also appreciate Oluwaseun’s insight into what a firewall can be used for, the example he gave, and that he even mentioned which layer of the OSI model the firewall works on. Good job to you both!
Ornella Rhyne says
This chapter is the continuation of network security, helping us understand the filters that are used to allow packets in and out of a network. I found it interesting how firewalls have different packet filtering, allowing packets internally and prohibiting them externally. For example, Stateful Packet Inspection is what most organizations use today because it provides authenticity between two states and is stronger than Static Packet Filtering. It also focuses on connections between programs on different hosts.
Oluwaseun Soyomokun says
Ornella,
What I found interesting about stateful firewall inspection is that it collects and analyzes data regarding every connection made through the network system. This, in clear fact, is a security system that checks subsequent network connections against a list of attributes (packets) collected by the stateful firewall system to see whether the contents of the packet pose a threat to the security system.
Mohammed Syed says
This chapter talks about firewall rules, packet filtering, inspections, and the perimeter firewall architecture design for sites of large organizations. A firewall is access control equipment that looks at packet filtering, compares with user-based policy rules, and decides whether to allow or deny the packets. A firewall device is used for network security to verify the packet filtering, stateful inspection, proxy, and NAT rules. In addition, stateful inspection firewalls inspect and maintain a record, in a table, of the state of each connection that passes through the firewall, verified against a TCP connection table. It explains the proxy firewall: all users’ SYN and ACK packets travel through a proxy server, and there is no direct connection between a client and the server. Section 6.8 of the chapter covers the gateway routers that stop high-risk attacks and ensure that the reply to an external scanning probe reaches. It reduces the load on the perimeter firewall.
The following are the firewall key objectives: network resolution address, stateful packet inspection, application proxy, content proxy, host firewall, demilitarized zones, and firewall management.
Joshua Moses says
Hello Mohammed,
This was a very good summary of the chapter. Your post is well written and very concise. I only talked about one topic in the chapter, and you managed to provide a lot of information in a brief amount of words. In my opinion it was a lot of information to take in as I read this chapter. That is why I think your post is impressive.
Michael Duffy says
A common theme of this chapter is that the more in-depth the security is, the more processing power is required, since the more in-depth methods that firewalls use to check packets can be taxing on processing power. For example, application proxies examine packets at the application layer and require more depth than using SPI. Another problem with this is that only certain applications can be filtered, since there are no specific patterns that can be filtered or protocols that can be enforced. It’s interesting to compare each firewall method as they have pros and cons – and some methods are niche for their situation.
Jason Burwell says
Hello Michael,
Great point about the processing power. It’s something that I believe gets lost in all of the activities involved in the firewall world, but it is very crucial to a successful setup; as mentioned, the more in-depth you go, the more taxing it is on the processing.
Hang Nu Song Nguyen says
Good points. Because using firewalls to protect data and systems is a good choice in a cost-benefit analysis, many entities invest in building firewalls. Each firm has its own niche and each firewall method has pros and cons, so the firm needs to choose some of the firewall methods to fit its situation.
Joshua Moses says
Hello Michael,
I like your perception on the theme of the chapter. I also appreciate the examples you’ve provided in talking about processing power. Also, the fact that you mentioned the application layer in the OSI model. Good post!
Ryan Trapp says
I found the part of the chapter on stateful packet inspection to be the section that stood out to me the most while reading this chapter on Firewalls. Previously I was unaware of the specifics on how stateful firewalls operated, specifically regarding the connection table that the firewall refers to when inspecting the packets. Most packets are not attempting to establish a connection, and the ones that are can be examined by the firewall to see where the connection attempt originated from. By default, all attempts internally would be allowed and all external attempts would be blocked. A stateful packet inspection firewall is low cost due to this simple table lookup when inspecting the packets. I had a previous understanding that the firewalls had a reputation for being more secure, but I had not heard that they are also inexpensive due to their ability to drop or pass most packets quicker than other firewall types.
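Worked example, added here to illustrate the mechanism discussed in Mohammed’s and Ryan’s posts above (the rule comparison for connection-opening packets, and the connection-table lookup for everything else). This is not code from the textbook or from any post in this thread; the internal address range, the ACL rules and the packet sequence are all constructed for the demonstration, and the dropped-packet log shows the logging behaviour mentioned earlier in the thread.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed site: 10.0.0.0/8 is the internal network behind the firewall.
INTERNAL_PREFIX = "10."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag set
    ack: bool = False  # TCP ACK flag set

    def is_connection_open(self) -> bool:
        # A TCP segment with SYN set and ACK clear is an attempt to open a connection.
        return self.syn and not self.ack


# Hypothetical static ACL, consulted only for externally originated connection-opening
# attempts. Each rule: (source prefix or "any", destination port or "any", action).
# First match wins; the last rule is an explicit default deny.
INBOUND_ACL: List[Tuple[str, object, str]] = [
    ("any", 443, "allow"),       # public HTTPS server
    ("any", 80, "allow"),        # public HTTP server
    ("192.0.2.", 22, "allow"),   # constructed partner range may open SSH
    ("any", "any", "deny"),
]


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def acl_decision(p: Packet, acl=INBOUND_ACL) -> str:
    """Return 'pass' or 'drop' for a connection-opening packet using first-match rules."""
    for src_prefix, port, action in acl:
        src_ok = src_prefix == "any" or p.src_ip.startswith(src_prefix)
        port_ok = port == "any" or port == p.dst_port
        if src_ok and port_ok:
            return "pass" if action == "allow" else "drop"
    return "drop"  # nothing matched: deny by default


class StatefulFirewall:
    def __init__(self) -> None:
        # Connection table: 4-tuples of connections that were allowed to open.
        self.connections: Set[Tuple[str, int, str, int]] = set()
        self.dropped_log: List[str] = []

    def _drop(self, p: Packet, reason: str) -> str:
        self.dropped_log.append(
            f"DROP {reason} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
        return "drop"

    def filter(self, p: Packet) -> str:
        if p.is_connection_open():
            # Expensive path: direction first, then the ACL for external sources.
            if is_internal(p.src_ip):
                decision = "pass"  # internal hosts may open connections outward
            else:
                decision = acl_decision(p)
            if decision == "pass":
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return "pass"
            return self._drop(p, "connection-open denied")
        # Cheap path: any other packet must belong to a connection already in the
        # table, in either direction; otherwise it is dropped and logged.
        forward = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if forward in self.connections or reverse in self.connections:
            return "pass"
        return self._drop(p, "no matching connection")


def run_demo() -> Tuple[List[str], List[str]]:
    """Run a constructed packet sequence; return (decisions, dropped-packet log)."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),            # internal opens HTTPS out
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),  # server's SYN/ACK reply
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, ack=True),            # data on that connection
        Packet("198.51.100.7", 5555, "10.0.0.20", 22, syn=True),             # external SSH attempt: ACL denies
        Packet("198.51.100.7", 5556, "10.0.0.20", 443, syn=True),            # external HTTPS attempt: ACL allows
        Packet("198.51.100.7", 6000, "10.0.0.5", 40001, ack=True),           # stray ACK with no connection
    ]
    decisions = [fw.filter(p) for p in packets]
    return decisions, fw.dropped_log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

Only two of the six packets go through the rule comparison; the other four are settled by a set lookup, which is the cheapness Ryan’s post refers to.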
Amelia Safirstein says
One key point that I enjoyed from chapter 6 was section 6.10.2 on attack signature filtering vs anomaly detection. Attack signature filtering scans for patterns from known attacks. This method is more accurate in detecting malicious traffic in that it does not produce many false positives but it offers no protection against zero-day attacks. Anomaly detection on the other hand looks for anything out of the ordinary and can produce many false positives. With anomaly detection, the normal/baseline operations have to be tracked and set before anomalies can be detected. Anomaly detection is necessary for many environments as new attacks come out frequently but it does require more time, effort, and money to implement.
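Worked example, added here to show the trade-off Amelia describes; it is not code from the textbook or from the post. Both detectors run over a constructed web access log (assumed format: time, source IP, method, path, status). The signatures and the baseline window are hypothetical. The sample contains a request matching a known signature, a request with no signature that only the anomaly detector flags, and a legitimate new page that the anomaly detector flags as a false positive.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed baseline ("normal") traffic used to train the anomaly detector.
TRAINING_LOG = """\
12:00 10.0.0.5 GET /index.html 200
12:00 10.0.0.5 GET /login 200
12:00 10.0.0.6 GET /index.html 200
12:01 10.0.0.7 GET /products 200
12:01 10.0.0.7 GET /products/42 200
12:01 10.0.0.5 GET /cart 200
12:02 10.0.0.6 GET /index.html 200
12:02 10.0.0.8 GET /login 200
12:02 10.0.0.8 GET /products 200
12:02 10.0.0.8 GET /cart 200
"""

# Constructed traffic to inspect.
TEST_LOG = """\
13:00 10.0.0.5 GET /products/7 200
13:00 198.51.100.9 GET /login?user=admin'%20OR%201=1-- 200
13:00 198.51.100.9 GET /products/../../etc/passwd 404
13:00 198.51.100.9 GET /cgi-bin/tool?cmd=%00 404
13:00 10.0.0.6 GET /about 200
13:01 203.0.113.4 GET /index.html 200
13:01 203.0.113.4 GET /index.html 200
13:01 203.0.113.4 GET /index.html 200
13:01 203.0.113.4 GET /index.html 200
13:01 203.0.113.4 GET /index.html 200
"""

# Hypothetical attack signatures: patterns from well-known attack classes.
SIGNATURES = {
    "sqli_tautology": re.compile(r"\bor\b\s*\d+\s*=\s*\d+", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

Row = Tuple[str, str, str, str]  # (minute, src, method, path)


def parse(log: str) -> List[Row]:
    rows = []
    for line in log.strip().splitlines():
        minute, src, method, path, _status = line.split()
        rows.append((minute, src, method, path))
    return rows


def path_prefix(path: str) -> str:
    """Normalise '/products/42?x=1' to '/products' so the baseline is per application area."""
    return "/" + path.lstrip("/").split("?")[0].split("/")[0]


def signature_detect(rows: List[Row]) -> List[Tuple[str, str]]:
    """Match each (URL-decoded) request against the signature list."""
    hits = []
    for _minute, src, _method, path in rows:
        decoded = unquote(path)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((src, name))
    return hits


def build_baseline(rows: List[Row]) -> Dict:
    """Learn normal requests-per-source-per-minute and the set of known path prefixes."""
    counts = list(Counter((src, minute) for minute, src, _, _ in rows).values())
    return {
        "rate_threshold": statistics.mean(counts) + 3 * statistics.pstdev(counts),
        "known_prefixes": {path_prefix(p) for _, _, _, p in rows},
    }


def anomaly_detect(rows: List[Row], baseline: Dict) -> List[Tuple[str, str]]:
    """Flag sources that exceed the learned rate or touch a never-seen path prefix."""
    alerts = []
    for (src, _minute), n in sorted(Counter((s, m) for m, s, _, _ in rows).items()):
        if n > baseline["rate_threshold"]:
            alerts.append((src, f"rate {n} req/min exceeds baseline"))
    seen = set()
    for _minute, src, _method, path in rows:
        prefix = path_prefix(path)
        if prefix not in baseline["known_prefixes"] and (src, prefix) not in seen:
            seen.add((src, prefix))
            alerts.append((src, f"unseen path {prefix}"))
    return alerts


def run_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    baseline = build_baseline(parse(TRAINING_LOG))
    rows = parse(TEST_LOG)
    return signature_detect(rows), anomaly_detect(rows, baseline)


if __name__ == "__main__":
    sigs, anoms = run_demo()
    print("signature hits:", sigs)
    print("anomaly alerts:", anoms)
```

The /cgi-bin request has no signature and is caught only by the anomaly detector; the /about page is a legitimate new page that the anomaly detector flags anyway, which is the false-positive cost that comes with catching unknown attacks.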
Hang Nu Song Nguyen says
Even firewalls stand like guards at the “gates” to site networks, they are one of the prime elements in any company’s security. Firewalls provide both ingress and egress filtering to stop attack packets from getting into the firm and prevent outgoing attacks by infected computers. Therefore, companies must plan their firewall architectures carefully. Although there are many firewall filtering mechanisms, most companies’ firewalls do not provide antivirus filtering directly instead using strong connections between firewalls and antivirus servers.
Ornella Rhyne says
Hi Hang,
Good post! I learned a lot from this reading and still continuing to learn. There are different firewalls filters which I did not know about and also since they do not provide antivirus filtering, IDS and IPS are created to detect if something happens in the system.
Joshua Moses says
Something that piqued my interest in this chapter was NAT (Network Address Translation). This is a topic I am slightly familiar with from studying CompTIA’s A+ & Security+ certifications. NAT is a way to map multiple local private addresses to a public one before transferring the information. NAT can also provide security and privacy. Moreover, it can prevent something from accessing a private device. NAT has many uses; for instance, NAT can also allow you to display a public IP address while on a local network, helping to keep data and user history private. This chapter mentions how a NAT firewall can utilize several methods “to make pass/deny decisions about arriving packets.” I definitely want to capitalize on the information they provided for Network Address Translation, as I know it is an important topic in dealing with Information Security.
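Worked example, added here to show the mapping Joshua’s post describes (many private addresses behind one public address, and an unsolicited inbound packet being refused because no internal host asked for it). This is not code from the textbook or the post; the public address, the private hosts and the port numbers are constructed, and the translation table is a simplified port-overloading NAT without timeouts.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.1"  # constructed: the NAT firewall's single public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Many-to-one NAT: each private (ip, port) pair gets its own public port."""

    def __init__(self, first_public_port: int = 40000) -> None:
        self.next_public_port = first_public_port
        # private (ip, port) -> public port, plus the reverse map used for replies
        self.out_map: Dict[Tuple[str, int], int] = {}
        self.in_map: Dict[int, Tuple[str, int]] = {}
        self.dropped_log: List[str] = []

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the private network so it carries the public address."""
        key = (p.src_ip, p.src_port)
        if key not in self.out_map:
            pub_port = self.next_public_port
            self.next_public_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return replace(p, src_ip=PUBLIC_IP, src_port=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; drop it if no mapping exists."""
        mapping = self.in_map.get(p.dst_port) if p.dst_ip == PUBLIC_IP else None
        if mapping is None:
            self.dropped_log.append(
                f"DROP unsolicited {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
            return None
        priv_ip, priv_port = mapping
        return replace(p, dst_ip=priv_ip, dst_port=priv_port)


def run_demo():
    nat = NatFirewall()
    # Two private hosts happen to use the same source port; NAT keeps them apart.
    a_out = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.20", 443))
    b_out = nat.outbound(Packet("192.168.1.11", 5000, "198.51.100.20", 443))
    # The server replies to the public port it saw; NAT routes the reply home.
    a_reply = nat.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, a_out.src_port))
    # Nobody inside opened this: a packet aimed at the public address is dropped.
    probe = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return a_out, b_out, a_reply, probe, nat.dropped_log


if __name__ == "__main__":
    print(run_demo())
```

The outside server only ever sees 203.0.113.1 and a public port, which is the privacy point in the post; the private addresses are never on the wire outside the firewall.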
Alexander William Knoll says
I found section 6.7 “Antivirus Filtering & Unified Threat Management” to be particularly interesting in our reading this week. Firewalls do not perform antivirus filtering, but instead work closely with antivirus filtering servers. They do this by passing a packet on to an antivirus server if they have a rule stating to do so for the type of packet. The antivirus server then filters the virus (or worm, spam, etc.) and passes it back to the firewall to pass on to the receiver if it does not drop the object itself. I thought this was pretty cool because most anti-virus software on home computers usually includes a firewall as well, so I always just assumed they were one and the same. This is sometimes the case with UTM firewalls, which perform firewall/antivirus filtering, but usually the duty is separated.
Miray Bolukbasi says
In the security model, firewalls are being used as guards. No one guarantees that they are protecting networks fully, but they are still a prime element in security. Some of the challenges that firewalls experience are the death of the perimeter, where attackers do not come through the Internet border, and long-used signature detection when there is no signature for the attackers (zero-day attack). So, to make the best out of the firewalls, strong management is essential, where the company defines policies for configuration and vulnerability testing.